Member "nmap-7.91/CHANGELOG" (9 Oct 2020, 756783 Bytes) of package /linux/misc/nmap-7.91.tgz:

#Nmap Changelog ($Id: CHANGELOG 38101 2020-10-09 22:43:50Z dmiller $); -*-text-*-

Nmap 7.91 [2020-10-09]

o [GH#2148][Zenmap] Fix a crash in the profile editor due to a missing import.

o [GH#2139][Nsock][Windows] Demote the IOCP Nsock engine because of some known
  issues that will take longer to resolve. The previous default "poll" engine
  will be used instead.

o [GH#2138][Nsock][Windows] Fix a crash in service scan due to a previously-unknown
  error being returned from the IOCP Nsock engine. [Daniel Miller]

o [NSE][GH#2136][GH#2137] Fix several places where Lua's os.time was being used
  to represent dates prior to January 1, 1970, which fails on Windows. Notably,
  NSE refused to run in UTC+X timezones with the error "time result cannot be
  represented in this installation" [Clément Notin, nnposter, Daniel Miller]

o [NSE][GH#2128] MySQL library was not properly parsing server responses,
  resulting in script crashes. [nnposter]

o [GH#2135] Silence the irrelevant warning, "Your ports include 'T:' but you
  haven't specified any TCP scan type" when running nmap -sUV

Nmap 7.90 [2020-10-02]

o [Windows] Upgraded Npcap, our Windows packet capturing (and sending)
  library to the milestone 1.00 release! It's the culmination of 7 years of
  development with 170 public pre-releases. This includes dozens of
  performance improvements, bug fixes, and feature enhancements described
  at https://npcap.org/changelog.

o Integrated over 800 service/version detection fingerprints submitted since
  August 2017. The signature count went up 1.8% to 11,878, including 17 new
  softmatches.  We now detect 1237 protocols from airmedia-audio, banner-ivu,
  and control-m to insteon-plm, pi-hole-stats, and ums-webviewer.  A
  significant number of submissions remain to be integrated in the next
  release.

o Integrated over 330 of the most-frequently-submitted IPv4 OS fingerprints
  since August 2017. Added 26 fingerprints, bringing the new total to 5,678.
  Additions include iOS 12 & 13, macOS Catalina & Mojave, Linux 5.4, FreeBSD
  13, and more.

o Integrated all 67 of your IPv6 OS fingerprint submissions from August 2017 to
  September 2020. Added new groups for FreeBSD 12, Linux 5.4, and Windows 10,
  and consolidated several weak groups to improve classification accuracy.

o [NSE] Added 3 NSE scripts, from 2 authors, bringing the total up to 601!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are
  below:

  + dicom-brute attempts to brute force the called Application Entity Title
    of DICOM servers. [Paulino Calderon]

  + dicom-ping discovers DICOM servers and determines if any Application
    Entity Title is allowed to connect. [Paulino Calderon]

  + uptime-agent-info collects system information from an Idera Uptime
    Infrastructure Monitor agent. [Daniel Miller]

o [GH#1834] Addressed over 250 code quality issues identified by LGTM.com,
  improving our code quality score from "C" to "A+"

o Released Npcap OEM Edition. For more than 20 years, the Nmap Project has
  been funded by selling licenses for companies to distribute Nmap with
  their products, along with commercial support. Hundreds of commercial
  products now use Nmap for network discovery tasks like port scanning,
  host discovery, OS detection, service/version detection, and of course
  the Nmap Scripting Engine (NSE). Until now they have just used standard
  Nmap, but this new OEM Edition is customized for use within other Windows
  software. Nmap OEM contains the OEM version of our Npcap driver, which
  allows for silent installation. It also removes the Zenmap GUI, which
  cuts the installer size by more than half. And it reports itself as Nmap
  OEM so customers know it's a properly licensed Nmap. See
  https://nmap.org/oem for more details. We will be reaching out to all
  existing licensees with Nmap OEM access credentials, but any licensees
  who want it sooner should see https://nmap.org/oem.

o Upgraded the Nmap license from a sort of hacked-up version of GPLv2 to a
  cleaner and better organized version (still based on GPLv2) now called the
  Nmap Public Source License to avoid confusion. See https://nmap.org/npsl/
  for more details and annotated license text. This NPSL project was started
  in 2006 (community discussion here:
  https://seclists.org/nmap-dev/2006/q4/126) and then it lost momentum for 7
  years until it was restarted in 2013
  (https://seclists.org/nmap-dev/2013/q1/399) and then we got distracted by
  development again. We still have some ideas for improving the NPSL, but
  it's already much better than the current license, so we're applying NPSL
  Version 0.92 to the code now and can make improvements later if
  needed. This does not change the license of previous Nmap releases.

o Removed nmap-update. This program was intended to provide a way to update
  data files and NSE scripts, but the infrastructure was never fielded. It
  depended on Subversion version control and would have required maintaining
  separate versions of NSE scripts for compatibility.

o Removed the silent-install command-line option (/S) from the Windows
  installer. It causes several problems and there were no objections when we
  proposed removing it in 2016 (https://seclists.org/nmap-dev/2016/q4/168).
  It will remain in Nmap OEM since its main use was for customers who
  redistribute Nmap with other software. If anyone else has a strong need
  for an Nmap silent installer, please contact sales@nmap.com and we'll see
  what we can do.

o [GH#1860] 23 new UDP payloads and dozens more default ports for existing
  payloads developed for Rapid7's InsightVM scan engine. These speed up and
  ensure detection of open UDP services. [Paul Miseiko, Rapid7]

o Added a UDP payload for STUN (Session Traversal Utilities for NAT).
  [David Fifield]

o [NSE] Fixed an off-by-one bug in the stun.lua library that prevented
  parsing a server response. [David Fifield]

o [GH#2051] Restrict Nmap's search path for scripts and data files.
  NMAPDATADIR, defined on Unix and Linux as ${prefix}/share/nmap, will not be
  searched on Windows, where it was previously defined as C:\Nmap .
  Additionally, the --script option will not interpret names as directory names
  unless they are followed by a '/'. [Daniel Miller]

o [GH#1764] Fix an assertion failure when unsolicited ARP response is received:
    nmap: Target.cc:503: void Target::stopTimeOutClock(const timeval*): Assertion `htn.toclock_running == true' failed.

o [NSE] New outlib library consolidates functions related to NSE output,
  both string formatting conventions and structured output. [Daniel Miller]

o [NSE] New dicom library implements the DICOM protocol used for
  storing and transferring medical images. [Paulino Calderon]

o [GH#92] Fix a regression in ARP host discovery left over from the move from
  massping to ultra_scan in Nmap 4.22SOC8 (2007) that sometimes resulted in
  missing ARP responses from targets near the end of a scan. Accuracy and speed
  are both improved. [Daniel Miller]

o [GH#2126] Fix the "iocp" Nsock engine for Windows to be able to correctly
  handle PCAP read events. This engine is now the default for Windows, which
  should greatly improve performance over the previous default, the "poll"
  engine. [Daniel Miller]

o [GH#2050] Reduced CPU usage of OS scan by 50% by avoiding string copy
  operations and removing undocumented fingerprint syntax unused in nmap-os-db
  ('&' and '+' in expressions). [Daniel Miller]

o [GH#1859] Allow multiple UDP payloads to be specified for a port in
  nmap-payloads. If the first payload does not get a response, the remaining
  payloads are tried round-robin. [Paul Miseiko, Rapid7]

o [GH#1616] New option --discovery-ignore-rst tells Nmap to ignore TCP RST
  responses when determining if a target is up. Useful when firewalls are
  spoofing RST packets. [Tom Sellers, Rapid7]

o [Ncat][GH#2087][GH#1927][GH#1928][GH#1974] It is now possible to override
  the value of TLS SNI via --ssl-servername [Hank Leininger, nnposter]

o [GH#2104] Fixed parsing of TCP options which would hang (infinite loop) if an
  option had an explicit length of 0. Affects Nmap 7.80 only.
  [Daniel Miller, Imed Mnif]
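
The GH#2104 failure mode, shown with a defensive TCP-options parser added here as an example (not Nmap's own code): a length byte of 0 leaves a cursor that advances by the option length stuck forever, so lengths below 2 are rejected instead of followed. The option bytes are constructed samples.

```python
"""Defensive TCP-options parser (added example, not Nmap's code).

Demonstrates the hang described in GH#2104: an option whose explicit length
byte is 0 (or 1) leaves a cursor that does `pos += length` in place forever.
This parser rejects such lengths instead of advancing by them.
"""
import struct
from typing import List, Optional, Tuple

END_OF_OPTIONS = 0   # RFC 793 single-byte kinds (no length byte)
NOP = 1
MSS = 2              # RFC 793: kind 2, length 4, 16-bit value


class TcpOptionError(ValueError):
    """Raised for a malformed options field instead of looping or overreading."""


def parse_tcp_options(data: bytes) -> List[Tuple[int, bytes]]:
    """Return [(kind, payload), ...] for a raw TCP options field.

    EOL and NOP carry no length byte.  Every other kind is followed by a length
    that counts the kind and length bytes themselves, so a valid value is >= 2.
    """
    options = []
    pos = 0
    while pos < len(data):
        kind = data[pos]
        if kind == END_OF_OPTIONS:
            break                      # only padding follows
        if kind == NOP:
            options.append((kind, b""))
            pos += 1
            continue
        if pos + 1 >= len(data):
            raise TcpOptionError(f"kind {kind} at offset {pos}: missing length byte")
        length = data[pos + 1]
        if length < 2:
            # The GH#2104 case: `pos += 0` never makes progress, so a parser
            # lacking this check spins forever on a single crafted segment.
            raise TcpOptionError(f"kind {kind} at offset {pos}: illegal length {length}")
        if pos + length > len(data):
            raise TcpOptionError(f"kind {kind} at offset {pos}: length {length} overruns field")
        options.append((kind, bytes(data[pos + 2:pos + length])))
        pos += length
    return options


def mss_of(options: List[Tuple[int, bytes]]) -> Optional[int]:
    """Decode the MSS value from a parsed option list, or None if absent."""
    for kind, payload in options:
        if kind == MSS and len(payload) == 2:
            return struct.unpack("!H", payload)[0]
    return None


def parse_safely(data: bytes):
    """Return (options, error_message); one of the two is always None."""
    try:
        return parse_tcp_options(data), None
    except TcpOptionError as exc:
        return None, str(exc)


# Constructed samples.  WELL_FORMED: MSS=1460, NOP, WScale=7, NOP, NOP, SAckOK, EOL.
WELL_FORMED = bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 7, 1, 1, 4, 2, 0])
# ZERO_LENGTH: same MSS, then a window-scale option claiming length 0.
ZERO_LENGTH = bytes([2, 4, 0x05, 0xB4, 1, 3, 0, 7])

if __name__ == "__main__":
    print(parse_safely(WELL_FORMED))
    print(parse_safely(ZERO_LENGTH))
```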

o [NSE][GH#1460] Script ssh2-enum-algos would fail if the server initiated
  the key exchange before completing the protocol version exchange
  [Scott Ellis, nnposter]

o [NSE][GH#2105] Fetching of SSH2 keys might fail because of key exchange
  confusion [nnposter]

o [NSE][GH#2098] Performance of script afp-ls has been dramatically improved
  [nnposter]

o [NSE][GH#2091] Parsing of AFP FPGetFileDirParms and
  FPEnumerateExt2 responses was not working correctly [nnposter]

o [NSE][GH#2089] Eliminated false positives in script http-shellshock caused by
  simple reflection of HTTP request data [Anders Kaseorg]

o [NSE][GH#1473] SNMP scripts are now enabled on non-standard ports where SNMP
  has been detected [usd-markus, nnposter]

o [NSE][GH#2084] MQTT library was using incorrect position when parsing
  received responses [tatulea]

o [NSE][GH#2086] IPMI library was using incorrect position when parsing
  received responses [Star Salzman]

o [NSE][GH#2086] Scripts ipmi-brute and deluge-rpc-brute were not capturing
  successfully brute-forced credentials [Star Salzman]

o Allow resuming IPv6 scans with --resume. The address parsing was assuming IPv4
  addresses, leading to "Unable to parse ip" error. In a related fix, MAC addresses
  will not be parsed as IP addresses when resuming from XML. [Daniel Miller]

o [GH#1622][GH#2068] Fix reverse-DNS handling of PTR records that are not lowercase.
  Nmap was failing to identify reverse-DNS names when the DNS server delivered
  them like ".IN-ADDR.ARPA". [Lucas Nussbaum, Richard Schütz, Daniel Miller]

o [NSE][GH#1999][GH#2005] IKE library was not properly populating the protocol
  number in aggressive mode requests. [luc-x41]

o [GH#1963] Added service fingerprinting for MySQL 8.x, Microsoft SQL
  Server 2019, MariaDB, and Crate.io CrateDB. Updated PostgreSQL coverage and
  added specific detection of recent versions running in Docker. [Tom Sellers]

o New XML output "hosthint" tag emitted during host discovery when a target is
  found to be up. This gives earlier notification than waiting for the
  hostgroup to finish all scan phases. [Paul Miseiko]

o [GH#917] New UDP payloads for GPRS Tunneling Protocol (GTP) on ports 2123,
  2152, and 3386. [Guillaume Teissier]

o [NSE][GH#1825] SSH scripts now run on several ports likely to be SSH based on
  empirical data from Shodan.io, as well as the netconf-ssh service.
  [Lim Shi Min Jonathan, Daniel Miller]

o [Zenmap][GH#1777] Stop creating a debugging output file 'tmp.txt' on the
  desktop in macOS. [Roland Linder]

o [Nping] Address build failure under libc++ due to "using namespace std;" in
  several headers, resulting in conflicting definitions of bind(). Reported by
  StormBytePP and Rosen Penev. [Daniel Miller]

o [Ncat][GH#1868] Fix a fatal error when connecting to a Linux VM socket with
  verbose output enabled. [Stefano Garzarella]

o [Ncat][GH#2060] Proxy credentials can be alternatively passed onto Ncat by
  setting environment variable NCAT_PROXY_AUTH, which reduces the risk of the
  credentials getting captured in process logs. [nnposter]

o [NSE][GH#1723] Fixed a crash on Windows when processing a GZIP-encoded HTTP
  body. [Daniel Miller]

o Upgrade libpcap to 1.9.1, which addresses several CVE vulnerabilities.

o Upgrade libssh2 to 1.9.0, fixing compilation with OpenSSL 1.1.0 API.

o [GH#1717][GH#1718] Processing of IP address CIDR blocks was not working
  correctly on ppc64, ppc64le, and s390x architectures. [rfrohl, nnposter]

o [Windows] Add support for the new loopback behavior in Npcap 0.9983 and
  later. This enables Nmap to scan localhost on Windows without needing the
  Npcap Loopback Adapter to be installed, which was a source of problems for
  some users.  [Daniel Miller]

o [NSE] MS SQL library has improved version resolution, from service pack level
  to individual cumulative updates [nnposter]

o [NSE][GH#2077] With increased verbosity, script http-default-accounts now
  reports matched target fingerprints even if no default credentials were found
  [nnposter]

o [NSE][GH#2063] IPP request object conversion to string was not working
  correctly [nnposter]

o [NSE][GH#2063] IPP response parser was not correctly processing
  end-of-attributes-tag [nnposter]

o [NSE] Script cups-info was failing due to erroneous double-decoding
  of the IPP printer status [nnposter]

o [NSE][GH#2010] Oracle TNS parser was incorrectly unmarshalling DALC byte
  arrays [nnposter]

o [NSE] The password hashing function for Oracle 10g was not working correctly
  for non-alphanumeric characters [nnposter]

o [NSE] Virtual host probing list, vhosts-full.lst, was missing numerous
  entries present in vhosts-default.lst [nnposter]

o [NSE][GH#1931][GH#1932] Script http-grep was not correctly calculating Luhn
  checksum [Colleen Li, nnposter]

o [NSE][GH#1838] Scripts dhcp-discover and broadcast-dhcp-discover now support
  new argument "mac" to force a specific client MAC address [nnposter]

o [NSE] Code improvements in RPC Dump, benefitting NFS-related scripts
  [nnposter]

o [NSE] RPC code was using incorrect port range, which was causing some calls,
  such as NFS mountd, to fail intermittently [nnposter]

o [NSE][GH#1876] XML output from script ssl-cert now includes RSA key modulus
  and exponent [nnposter]

o [NSE][GH#1837] Nmap no longer crashes when SMB scripts, such as smb-ls, call
  smb.find_files [nnposter]

o [NSE][GH#1802] The MongoDB library was causing errors when assembling protocol
  payloads. [nnposter]

o [NSE][GH#1781][GH#1796] The RTSP library was not correctly generating request
  strings. [nnposter]

o [NSE][GH#1706] VNC handshakes were failing with insert position out of bounds
  error. [nnposter]

o [NSE][GH#1720] Function marshall_dom_sid2 in library msrpctypes was not
  correctly populating ID Authority. [nnposter]

o [NSE][GH#1720] Unmarshalling functions in library msrpctypes were attempting
  arithmetic on a nil argument. [Ivan Ivanov, nnposter]

o [NSE][GH#1720] Functions lsa_lookupnames2 and lsa_lookupsids2 in library
  msrpc were incorrectly referencing function strjoin when called with debug
  level 2 or higher. [Ivan Ivanov]

o [NSE][GH#1755][GH#2096] Added HTTP default account fingerprints for Tomcat
  Host Manager and Dell iDRAC9. [Clément Notin]

o [NSE][GH#1476][GH#1707] A MS-SMB spec non-compliance in Samba was causing
  protocol negotiation to fail with data string too short error.
  [Clément Notin, nnposter]

o [NSE][GH#1480][GH#1713][GH#1714] A bug in SMB library was causing scripts to
  fail with bad format argument error. [Ivan Ivanov]

o [NSE][GH#1665] The HTTP library no longer crashes when code requests digest
  authentication but the server does not provide the necessary authentication
  header. [nnposter]

o [NSE] Fixed a bug in http-wordpress-users.nse that could cause
  extraneous output to be captured as part of a username. [Duarte Silva]

Nmap 7.80 [2019-08-10]

o [Windows] The Npcap Windows packet capturing library (https://npcap.org/)
  is faster and more stable than ever. Nmap 7.80 updates the bundled Npcap
  from version 0.99-r2 to 0.9982, including all of these changes from the
  last 15 Npcap releases: https://nmap.org/npcap/changelog

o [NSE] Added 11 NSE scripts, from 8 authors, bringing the total up to 598!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are
  below:

  + [GH#1232] broadcast-hid-discoveryd discovers HID devices on a LAN by
    sending a discoveryd network broadcast probe. [Brendan Coles]

  + [GH#1236] broadcast-jenkins-discover discovers Jenkins servers on a LAN
    by sending a discovery broadcast probe. [Brendan Coles]

  + [GH#1016][GH#1082] http-hp-ilo-info extracts information from HP
    Integrated Lights-Out (iLO) servers. [rajeevrmenon97]

  + [GH#1243] http-sap-netweaver-leak detects SAP Netweaver Portal with the
    Knowledge Management Unit enabled with anonymous access. [ArphanetX]

  + https-redirect detects HTTP servers that redirect to the same port, but
    with HTTPS. Some nginx servers do this, which made ssl-* scripts not run
    properly. [Daniel Miller]

  + [GH#1504] lu-enum enumerates Logical Units (LU) of TN3270E servers.
    [Soldier of Fortran]

  + [GH#1633] rdp-ntlm-info extracts Windows domain information from RDP
    services. [Tom Sellers]

  + smb-vuln-webexec checks whether the WebExService is installed and allows
    code execution. [Ron Bowes]

  + smb-webexec-exploit exploits the WebExService to run arbitrary commands
    with SYSTEM privileges. [Ron Bowes]

  + [GH#1457] ubiquiti-discovery extracts information from the Ubiquiti
    Discovery service and assists version detection. [Tom Sellers]

  + [GH#1126] vulners queries the Vulners CVE database API using CPE
    information from Nmap's service and application version detection.
    [GMedian, Daniel Miller]

o [GH#1371] The macOS installer is now built for x86_64 architecture, not i386.

o [GH#1396] Fixed the Windows installer, which would replace the entire PATH
  system variable with the path for Nmap if it exceeded 1024 bytes. This was
  fixed by using the "large strings" build of NSIS to build the new installer.
  [Daniel Miller]

o Replaced the addrset matching code that is used by --exclude and
  --excludefile with a much faster implementation using a radix tree (trie).
  https://seclists.org/nmap-dev/2018/q4/13

o [GH#1291][GH#34][GH#1339] Use pcap_create instead of pcap_live_open in
  Nmap, and set immediate mode on the pcap descriptor. This solves packet
  loss problems on Linux and may improve performance on other platforms.
  [Daniel Cater, Mike Pontillo, Daniel Miller]

o [NSE][GH#1330] Fixed an infinite loop in tls-alpn when the server forces a
  particular protocol. [Daniel Miller]

o [NSE] Collected utility functions for string processing into a new
  library, stringaux.lua. [Daniel Miller]

o [NSE] New rand.lua library uses the best sources of random available on
  the system to generate random strings. [Daniel Miller]

o [NSE] New library, oops.lua, makes reporting errors easy, with plenty of
  debugging detail when needed, and no clutter when not. [Daniel Miller]

o [NSE] Collected utility functions for manipulating and searching tables
  into a new library, tableaux.lua. [Daniel Miller]

o [NSE] New knx.lua library holds common functions and definitions for
  communicating with KNX/Konnex devices. [Daniel Miller]

o [NSE][GH#1571] The HTTP library now provides transparent support for gzip-
  encoded response body. (See https://github.com/nmap/nmap/pull/1571 for an
  overview.) [nnposter]

o [Nsock][Ncat][GH#1075] Add AF_VSOCK (Linux VM sockets) functionality to
  Nsock and Ncat. VM sockets are used for communication between virtual
  machines and the hypervisor. [Stefan Hajnoczi]

o [Security][Windows] Address CVE-2019-1552 in OpenSSL by building with the
  prefix "C:\Program Files (x86)\Nmap\OpenSSL". This should prevent
  unauthorized users from modifying OpenSSL defaults by writing
  configuration to this directory.

o [Security][GH#1147][GH#1108] Reduced LibPCRE resource limits so that
  version detection can't use as much of the stack. Previously Nmap could
  crash when run on low-memory systems against target services which are
  intentionally or accidentally difficult to match. Someone assigned
  CVE-2018-15173 for this issue. [Daniel Miller]

o [GH#1361] Deprecate and disable the -PR (ARP ping) host discovery
  option. ARP ping is already used whenever possible, and the -PR option
  would not force it to be used in any other case. [Daniel Miller]

o [NSE] bin.lua is officially deprecated. Lua 5.3, added 2 years ago in Nmap
  7.25BETA2, has native support for binary data packing via string.pack and
  string.unpack. All existing scripts and libraries have been updated.
  [Daniel Miller]

o [NSE] Completely removed the bit.lua NSE library. All of its functions are
  replaced by native Lua bitwise operations, except for `arshift`
  (arithmetic shift) which has been moved to the bits.lua library. [Daniel
  Miller]

o [NSE][GH#1571] The HTTP library is now enforcing a size limit on the
  received response body. The default limit can be adjusted with a script
  argument, which applies to all scripts, and can be overridden case-by-case
  with an HTTP request option. (See https://github.com/nmap/nmap/pull/1571
  for details.)  [nnposter]

o [NSE][GH#1648] CR characters are no longer treated as illegal in script
  XML output. [nnposter]

o [GH#1659] Allow resuming an Nmap scan with a lengthy command line [Clément
  Notin]

o [NSE][GH#1614] Add TLS support to rdp-enum-encryption. Enables determining
  protocol version against servers that require TLS and lays ground work for
  some NLA/CredSSP information collection. [Tom Sellers]

o [NSE][GH#1611] Address two protocol parsing issues in rdp-enum-encryption
  and the RDP nse library which broke scanning of Windows XP. Clarify
  protocol types [Tom Sellers]

o [NSE][GH#1608] Script http-fileupload-exploiter failed to locate its
  resource file unless executed from a specific working
  directory. [nnposter]

o [NSE][GH#1467] Avoid clobbering the "severity" and "ignore_404" values of
  fingerprints in http-enum. None of the standard fingerprints uses these
  fields. [Kostas Milonas]

o [NSE][GH#1077] Fix a crash caused by a double-free of libssh2 session data
  when running SSH NSE scripts against non-SSH services. [Seth Randall]

o [NSE][GH#1565] Updates the execution rule of the mongodb scripts to be
  able to run on alternate ports. [Paulino Calderon]

o [Ncat][GH#1560] Allow Ncat to connect to servers on port 0, provided that
  the socket implementation allows this. [Daniel Miller]

o Update the included libpcap to 1.9.0. [Daniel Miller]

o [NSE][GH#1544] Fix a logic error that resulted in scripts not honoring the
  smbdomain script-arg when the target provided a domain in the NTLM
  challenge.  [Daniel Miller]

o [Nsock][GH#1543] Avoid a crash (Protocol not supported) caused by trying
  to reconnect with SSLv2 when an error occurs during DTLS connect. [Daniel
  Miller]

o [NSE][GH#1534] Removed OSVDB references from scripts and replaced them
  with BID references where possible. [nnposter]

o [NSE][GH#1504] Updates TN3270.lua and adds argument to disable TN3270E
  [Soldier of Fortran]

o [GH#1504] RMI parser could crash when encountering invalid input [Clément
  Notin]

o [GH#863] Avoid reporting negative latencies due to matching an ARP or ND
  response to a probe sent after it was received. [Daniel Miller]

o [Ncat][GH#1441] To avoid confusion and to support non-default proxy ports,
  option --proxy now requires a literal IPv6 address to be specified using
  square-bracket notation, such as --proxy [2001:db8::123]:456. [nnposter]

o [Ncat][GH#1214][GH#1230][GH#1439] New ncat option provides control over
  whether proxy destinations are resolved by the remote proxy server or
  locally, by Ncat itself. See option --proxy-dns. [nnposter]

o [NSE][GH#1478] Updated script ftp-syst to prevent potential endless
  looping.  [nnposter]

o [GH#1454] New service probes and match lines for v1 and v2 of the Ubiquiti
  Discovery protocol. Devices often leave the related service open and it
  exposes significant amounts of information as well as the risk of being
  used as part of a DDoS. New nmap-payload entry for v1 of the
  protocol. [Tom Sellers]

o [NSE] Removed hostmap-ip2hosts.nse as the API has been broken for a while
  and the service was completely shut down on Feb 17th, 2019. [Paulino
  Calderon]

o [NSE][GH#1318] Adds TN3270E support and additional improvements to
  tn3270.lua and updates tn3270-screen.nse to display the new
  setting. [mainframed]

o [NSE][GH#1346] Updates product codes and adds a check for response length
  in enip-info.nse. The script now uses string.unpack. [NothinRandom]

o [Ncat][GH#1310][GH#1409] Temporary RSA keys are now 2048-bit to resolve a
  compatibility issue with OpenSSL library configured with security level 2,
  as seen on current Debian or Kali.  [Adrian Vollmer, nnposter]

o [NSE][GH#1227] Fix a crash (double-free) when using SSH scripts against
  non-SSH services. [Daniel Miller]

o [Zenmap] Fix a crash when Nmap executable cannot be found and the system
  PATH contains non-UTF-8 bytes, such as on Windows. [Daniel Miller]

o [Zenmap] Fix a crash in results search when using the dir: operator:
    AttributeError: 'SearchDB' object has no attribute 'match_dir' [Daniel
    Miller]

o [Ncat][GH#1372] Fixed an issue with Ncat -e on Windows that caused early
  termination of connections. [Alberto Garcia Illera]

o [NSE][GH#1359] Fix a false-positive in http-phpmyadmin-dir-traversal when
  the server responds with 200 status to a POST request to any
  URI. [Francesco Soncina]

o [NSE] New vulnerability state in vulns.lua, UNKNOWN, is used to indicate
  that testing could not rule out vulnerability. [Daniel Miller]

o [GH#1355] When searching for Lua header files, actually use them where
  they are found instead of forcing /usr/include. [Fabrice Fontaine, Daniel
  Miller]

o [NSE][GH#1331] Script traceroute-geolocation no longer crashes when
  www.GeoPlugin.net returns null coordinates [Michal Kubenka, nnposter]

o Limit verbose -v and debugging -d levels to a maximum of 10. Nmap does not
  use higher levels internally. [Daniel Miller]

o [NSE] tls.lua when creating a client_hello message will now only use a
  SSLv3 record layer if the protocol version is SSLv3. Some TLS
  implementations will not handshake with a client offering less than
  TLSv1.0. Scripts will have to manually fall back to SSLv3 to talk to
  SSLv3-only servers. [Daniel Miller]

o [NSE][GH#1322] Fix a few false-positive conditions in
  ssl-ccs-injection. TLS implementations that responded with fatal alerts
  other than "unexpected message" had been falsely marked as
  vulnerable. [Daniel Miller]

o Emergency fix to Nmap's birthday announcement so Nmap wishes itself a
  "Happy 21st Birthday" rather than "Happy 21th" in verbose mode (-v) on
  September 1, 2018. [Daniel Miller]

o [GH#1150] Start host timeout clocks when the first probe is sent to a
  host, not when the hostgroup is started. Sometimes a host doesn't get
  probes until late in the hostgroup, increasing the chance it will time
  out. [jsiembida]

o [NSE] Support for edns-client-subnet (ECS) in dns.lua has been improved by:
  - [GH#1271] Using ECS code compliant with RFC 7871 [John Bond]
  - Properly trimming ECS address, as mandated by RFC 7871 [nnposter]
  - Fixing a bug that prevented using the same ECS option table more than
    once [nnposter]

o [Ncat][GH#1267] Fixed communication with commands launched with -e or -c
  on Windows, especially when --ssl is used. [Daniel Miller]

o [NSE] Script http-default-accounts can now select more than one
  fingerprint category. It is now also possible to select fingerprints by name
  to support very specific scanning. [nnposter]

o [NSE] Script http-default-accounts was not able to run against more than
  one target host/port. [nnposter]

o [NSE][GH#1251] New script-arg `http.host` allows users to force a
  particular value for the Host header in all HTTP requests.

o [NSE][GH#1258] Use smtp.domain script arg or target's domain name instead
  of "example.com" in EHLO command used for STARTTLS. [gwire]

o [NSE][GH#1233] Fix brute.lua's BruteSocket wrapper, which was crashing
  Nmap with an assertion failure due to socket mixup [Daniel Miller]: nmap:
  nse_nsock.cc:672: int receive_buf(lua_State*, int, lua_KContext):
  Assertion `lua_gettop(L) == 7' failed.

o [NSE][GH#1254] Handle an error condition in smb-vuln-ms17-010 caused by
  IPS closing the connection. [Clément Notin]

o [Ncat][GH#1237] Fixed literal IPv6 URL format for connecting through HTTP
  proxies. [Phil Dibowitz]

o [NSE][GH#1212] Updates vendors from ODVA list for enip-info. [NothinRandom]

o [NSE][GH#1191] Add two common error strings that improve MySQL detection
  by the script http-sql-injection. [Robert Taylor, Paulino Calderon]

o [NSE][GH#1220] Fix bug in http-vuln-cve2006-3392 that prevented the script
  from generating the vulnerability report correctly. [rewardone]

o [NSE][GH#1218] Fix bug related to screen rendering in NSE library
  tn3270. This patch also improves the brute force script
  tso-brute. [mainframed]

o [NSE][GH#1209] Fix SIP, SASL, and HTTP Digest authentication when the
  algorithm contains lowercase characters. [Jeswin Mathai]

o [GH#1204] Nmap could be fooled into ignoring TCP response packets if they
  used an unknown TCP Option, which would misalign the validation, causing
  it to fail. [Clément Notin, Daniel Miller]

o [NSE] The HTTP response parser now tolerates status lines without a reason
  phrase, which improves compatibility with some HTTP servers. [nnposter]

o [NSE][GH#1169][GH#1170][GH#1171][GH#1198] Parser for HTTP Set-Cookie header
  is now more compliant with RFC 6265:
  - empty attributes are tolerated
  - double quotes in cookie and/or attribute values are treated literally
  - attributes with empty values and value-less attributes are parsed equally
  - attributes named "name" or "value" are ignored
  [nnposter]
  645 o [NSE][GH#1158] Fix parsing http-grep.match script-arg. [Hans van den
  646   Bogert]
  648 o [Zenmap][GH#1177] Avoid a crash when recent_scans.txt cannot be written
  649   to.  [Daniel Miller]
  651 o Fixed --resume when the path to Nmap contains spaces. Reported on Windows
  652   by Adriel Desautels. [Daniel Miller]
  654 o New service probe and match lines for adb, the Android Debug Bridge, which
  655   allows remote code execution and is left enabled by default on many
  656   devices. [Daniel Miller]

Nmap 7.70 [2018-03-20]

o [Windows] We made a ton of improvements to our Npcap Windows packet
  capturing library (https://nmap.org/npcap/) for greater performance and
  stability, as well as smoother installer and better 802.11 raw frame
  capturing support. Nmap 7.70 updates the bundled Npcap from version 0.93 to
  0.99-r2, including all these changes from the last seven Npcap releases:
  https://nmap.org/npcap/changelog

o Integrated all of your service/version detection fingerprints submitted from
  March 2017 to August 2017 (728 of them). The signature count went up 1.02%
  to 11,672, including 26 new softmatches.  We now detect 1224 protocols from
  filenet-pch, lscp, and netassistant to sharp-remote, urbackup, and
  watchguard.  We will try to integrate the remaining submissions in the next
  release.

o Integrated all of your IPv4 OS fingerprint submissions from September 2016
  to August 2017 (667 of them). Added 298 fingerprints, bringing the new total
  to 5,652. Additions include iOS 11, macOS Sierra, Linux 4.14, Android 7, and
  more.

o Integrated all 33 of your IPv6 OS fingerprint submissions from September
  2016 to August 2017. New groups for OpenBSD 6.0 and FreeBSD 11.0 were added,
  as well as strengthened groups for Linux and OS X.

o Added the --resolve-all option to resolve and scan all IP addresses of a
  host.  This essentially replaces the resolveall NSE script. [Daniel Miller]

o [NSE][SECURITY] Nmap developer nnposter found a security flaw (directory
  traversal vulnerability) in the way the non-default http-fetch script
  sanitized URLs. If a user manually ran this NSE script against a malicious
  web server, the server could potentially (depending on NSE arguments used)
  cause files to be saved outside the intended destination directory. Existing
  files couldn't be overwritten.  We fixed http-fetch, audited our other
  scripts to ensure they didn't make this mistake, and updated the httpspider
  library API to protect against this by default. [nnposter, Daniel Miller]

o [NSE] Added 9 NSE scripts, from 8 authors, bringing the total up to 588!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are
  below:

  + deluge-rpc-brute performs brute-force credential testing against Deluge
    BitTorrent RPC services, using the new zlib library. [Claudiu Perta]

  + hostmap-crtsh lists subdomains by querying Google's Certificate
    Transparency logs. [Paulino Calderon]

  + [GH#892] http-bigip-cookie decodes unencrypted F5 BIG-IP cookies and
    reports back the IP address and port of the actual server behind the
    load-balancer. [Seth Jackson]

  + http-jsonp-detection attempts to discover JSONP endpoints in web servers.
    JSONP endpoints can be used to bypass Same-origin Policy restrictions in
    web browsers. [Vinamra Bhatia]

  + http-trane-info obtains information from Trane Tracer SC controllers and
    connected HVAC devices. [Pedro Joaquin]

  + [GH#609] nbd-info uses the new nbd.lua library to query Network Block
    Devices for protocol and file export information. [Mak Kolybabi]

  + rsa-vuln-roca checks for RSA keys generated by Infineon TPMs
    vulnerable to Return Of Coppersmith Attack (ROCA) (CVE-2017-15361). Checks
    SSH and TLS services. [Daniel Miller]

  + [GH#987] smb-enum-services retrieves the list of services running on a
    remote Windows machine. Modern Windows systems require a privileged domain
    account in order to list the services. [Rewanth Cool]

  + tls-alpn checks TLS servers for Application Layer Protocol Negotiation
    (ALPN) support and reports supported protocols. ALPN largely replaces NPN,
    which tls-nextprotoneg was written for. [Daniel Miller]

o [GH#978] Fixed Nsock on Windows giving errors when selecting on STDIN. This
  was causing Ncat 7.60 in connect mode to quit with error: libnsock
  select_loop(): nsock_loop error 10038: An operation was attempted on
  something that is not a socket.  [nnposter]

o [Ncat][GH#197][GH#1049] Fix --ssl connections from dropping on
  renegotiation, the same issue that was partially fixed for server mode in
  [GH#773]. Reported on Windows with -e by pkreuzt and vinod272. [Daniel
  Miller]

o [NSE][GH#1062][GH#1149] Some changes to brute.lua to better handle
  misbehaving or rate-limiting services. Most significantly,
  brute.killstagnated now defaults to true. Thanks to xp3s and Adamtimtim for
  reporting infinite loops and proposing changes.

o [NSE] VNC scripts now support Apple Remote Desktop authentication (auth type
  30) [Daniel Miller]

o [NSE][GH#1111] Fix a script crash in ftp.lua when PASV connection timed out.
  [Aniket Pandey]

o [NSE][GH#1114] Update bitcoin-getaddr to receive more than one response
  message, since the first message usually only has one address in it. [h43z]

o [Ncat][GH#1139] Ncat now selects the correct default port for a given proxy
  type. [Pavel Zhukov]

o [NSE] memcached-info can now gather information from the UDP memcached
  service in addition to the TCP service. The UDP service is frequently used as
  a DDoS reflector and amplifier. [Daniel Miller]

o [NSE][GH#1129] Changed url.absolute() behavior with respect to dot and
  dot-dot path segments to comply with RFC 3986, section 5.2. [nnposter]
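
The RFC 3986 section 5.2 reference-resolution algorithm that this change brought url.absolute() in line with, written out as a stand-alone Python model (an added example, not nmap's url.lua; parse_uri, recompose, remove_dot_segments, merge_paths and absolute are this example's own names):

```python
import re

# RFC 3986 Appendix B regular expression for splitting a URI reference.
# A group that does not participate yields None, which is how "absent"
# and "empty" components are told apart below.
_URI_RE = re.compile(
    r"^(?:(?P<scheme>[^:/?#]+):)?"
    r"(?://(?P<authority>[^/?#]*))?"
    r"(?P<path>[^?#]*)"
    r"(?:\?(?P<query>[^#]*))?"
    r"(?:#(?P<fragment>.*))?$")


def parse_uri(ref):
    """Split a URI reference into scheme/authority/path/query/fragment."""
    return _URI_RE.match(ref).groupdict()


def recompose(parts):
    """RFC 3986 section 5.3: rebuild a URI string from its components."""
    out = ""
    if parts["scheme"] is not None:
        out += parts["scheme"] + ":"
    if parts["authority"] is not None:
        out += "//" + parts["authority"]
    out += parts["path"]
    if parts["query"] is not None:
        out += "?" + parts["query"]
    if parts["fragment"] is not None:
        out += "#" + parts["fragment"]
    return out


def remove_dot_segments(path):
    """RFC 3986 section 5.2.4: drop "." segments and let ".." consume the
    preceding output segment; ".." above the root is discarded, not kept."""
    output = []
    while path:
        if path.startswith("../"):
            path = path[3:]
        elif path.startswith("./"):
            path = path[2:]
        elif path.startswith("/./"):
            path = path[2:]
        elif path == "/.":
            path = "/"
        elif path.startswith("/../"):
            path = path[3:]
            if output:
                output.pop()
        elif path == "/..":
            path = "/"
            if output:
                output.pop()
        elif path in (".", ".."):
            path = ""
        else:
            # Move the first segment, including any leading "/", to output.
            seg = re.match(r"/?[^/]*", path).group(0)
            output.append(seg)
            path = path[len(seg):]
    return "".join(output)


def merge_paths(base, rel):
    """RFC 3986 section 5.2.3: append rel to all but the last base segment."""
    base_path = base["path"]
    if base["authority"] is not None and base_path == "":
        return "/" + rel
    if "/" not in base_path:
        return rel
    return base_path[:base_path.rindex("/") + 1] + rel


def absolute(base_uri, ref):
    """RFC 3986 section 5.2.2 (strict): resolve ref against base_uri."""
    base, r = parse_uri(base_uri), parse_uri(ref)
    t = {"fragment": r["fragment"]}
    if r["scheme"] is not None:
        t.update(scheme=r["scheme"], authority=r["authority"],
                 path=remove_dot_segments(r["path"]), query=r["query"])
    elif r["authority"] is not None:
        t.update(scheme=base["scheme"], authority=r["authority"],
                 path=remove_dot_segments(r["path"]), query=r["query"])
    elif r["path"] == "":
        # Empty path keeps the base path, and the base query unless overridden.
        t.update(scheme=base["scheme"], authority=base["authority"],
                 path=base["path"],
                 query=r["query"] if r["query"] is not None else base["query"])
    else:
        path = r["path"] if r["path"].startswith("/") else merge_paths(base, r["path"])
        t.update(scheme=base["scheme"], authority=base["authority"],
                 path=remove_dot_segments(path), query=r["query"])
    return recompose(t)


if __name__ == "__main__":
    # Base URI and references taken from the RFC 3986 section 5.4 examples.
    for ref in ("g", "../g", "../../../g", "/./g", "./", "g?y", "#s"):
        print(f"{ref:12} -> {absolute('http://a/b/c/d;p?q', ref)}")
```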

o Removed deprecated and undocumented aliases for several long options that
  used underscores instead of hyphens, such as --max_retries. [Daniel Miller]

o Improved service scan's treatment of soft matches in two ways. First of all,
  any probes that could result in a full match with the soft matched service
  will now be sent, regardless of rarity.  This improves the chances of
  matching unusual services on non-standard ports.  Second, probes are now
  skipped if they don't contain any signatures for the soft matched service.
  Previously the probes would still be run as long as the target port number
  matched the probe's specification.  Together, these changes should make
  service/version detection faster and more accurate.  For more details on how
  it works, see https://nmap.org/book/vscan.html. [Daniel Miller]

o --version-all now turns off the soft match optimization, ensuring that all
  probes really are sent, even if there aren't any existing match lines for
  the softmatched service. This is slower, but gives the most comprehensive
  results and produces better fingerprints for submission. [Daniel Miller]

o [NSE][GH#1083] New set of Telnet softmatches for version detection based on
  Telnet DO/DON'T options offered, covering a wide variety of devices and
  operating systems. [D Roberson]

o [GH#1112] Resolved crash opportunities caused by unexpected libpcap version
  string format. [Gisle Vanem, nnposter]

o [NSE][GH#1090] Fix false positives in rexec-brute by checking responses for
  indications of login failure. [Daniel Miller]

o [NSE][GH#1099] Fix http-fetch to keep downloaded files in separate
  destination directories. [Aniket Pandey]

o [NSE] Added new fingerprints to http-default-accounts:
  - Hikvision DS-XXX Network Camera and NUOO DVR [Paulino Calderon]
  - [GH#1074] ActiveMQ, Purestorage, and Axis Network Cameras
    [Rob Fitzpatrick, Paulino Calderon]

o Added a new service detection match for WatchGuard Authentication Gateway.
  [Paulino Calderon]

o [NSE][GH#1038][GH#1037] Script qscan was not observing interpacket delays
  (parameter qscan.delay). [nnposter]

o [NSE][GH#1046] Script http-headers now fails properly if the target does not
  return a valid HTTP response. [spacewander]

o [Ncat][Nsock][GH#972] Remove RC4 from the list of TLS ciphers used by
  default, in accordance with RFC 7465. [Codarren Velvindron]

o [NSE][GH#1022] Fix a false positive condition in ipmi-cipher-zero caused by
  not checking the error code in responses. Implementations which return an
  error are not vulnerable. [Juho Jokelainen]

o [NSE][GH#958] Two new libraries for NSE.
  - idna - Support for internationalized domain names in applications (IDNA)
  - punycode (a transfer encoding syntax used in IDNA)
  [Rewanth Cool]

o [NSE] New fingerprints for http-enum:
  - [GH#954] Telerik UI CVE-2017-9248 [Harrison Neal]
  - [GH#767] Many WordPress version detections [Rewanth Cool]

o [GH#981][GH#984][GH#996][GH#975] Fixed Ncat proxy authentication issues:
  - Usernames and/or passwords could not be empty
  - Passwords could not contain colons
  - SOCKS5 authentication was not properly documented
  - SOCKS5 authentication had a memory leak
  [nnposter]

o [GH#1009][GH#1013] Fixes to autoconf header files to allow autoreconf to be
  run. [Lukas Schwaighofer]

o [GH#977] Improved DNS service version detection coverage and consistency
  by using data from a Project Sonar Internet wide survey. Numerous false
  positives were removed and reliable softmatches added. Match lines for
  version.bind responses were also consolidated using the technique below.
  [Tom Sellers]

o [GH#977] Changed version probe fallbacks so as to work cross protocol
  (TCP/UDP). This enables consolidating match lines for services where the
  responses on TCP and UDP are similar. [Tom Sellers]

o [NSE][GH#532] Added the zlib library for NSE so scripts can easily
  handle compression. This work started during GSOC 2014, so we're
  particularly pleased to finally integrate it! [Claudiu Perta, Daniel
  Miller]

o [NSE][GH#1004] Fixed handling of brute.retries variable. It was being treated
  as the number of tries, not retries, and a value of 0 would result in
  infinite retries. Instead, it is now the number of retries, defaulting to 2
  (3 total tries), with no option for infinite retries.

o [NSE] http-devframework-fingerprints.lua supports Jenkins server detection
  and returns extra information when Jenkins is detected [Vinamra Bhatia]

o [GH#926] The rarity level of MS SQL's service detection probe was decreased.
  Now we can find MS SQL on odd ports without increasing version intensity.
  [Paulino Calderon]

o [GH#957] Fix reporting of zlib and libssh2 versions in "nmap --version". We
  were always reporting the version number of the included source, even when a
  different version was actually linked. [Pavel Zhukov]

o Add a new helper function for nmap-service-probes match lines: $I(1,">") will
  unpack an unsigned big-endian integer value up to 8 bytes wide from capture
  1. The second option can be "<" for little-endian. [Daniel Miller]

Nmap 7.60 [2017-07-31]

o [Windows] Updated the bundled Npcap from 0.91 to 0.93, fixing several issues
  with installation and compatibility with the Windows 10 Creators Update.

o [NSE][GH#910] NSE scripts now have complete SSH support via libssh2,
  including password brute-forcing and running remote commands, thanks to the
  combined efforts of three Summer of Code students: [Devin Bjelland, Sergey
  Khegay, Evangelos Deirmentzoglou]

o [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 579!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are below:

  + ftp-syst sends SYST and STAT commands to FTP servers to get system version
    and connection information. [Daniel Miller]

  + [GH#916] http-vuln-cve2017-8917 checks for an SQL injection vulnerability
    affecting Joomla! 3.7.x before 3.7.1. [Wong Wai Tuck]

  + iec-identify probes for the IEC 60870-5-104 SCADA protocol. [Aleksandr
    Timorin, Daniel Miller]

  + [GH#915] openwebnet-discovery retrieves device identifying information and
    number of connected devices running on openwebnet protocol. [Rewanth Cool]

  + puppet-naivesigning checks for a misconfiguration in the Puppet CA where
    naive signing is enabled, allowing for any CSR to be automatically signed.
    [Wong Wai Tuck]

  + [GH#943] smb-protocols discovers if a server supports dialects NT LM 0.12
    (SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old
    smbv2-enabled script. [Paulino Calderon]

  + [GH#943] smb2-capabilities lists the supported capabilities of SMB2/SMB3
    servers. [Paulino Calderon]

  + [GH#943] smb2-time determines the current date and boot date of SMB2
    servers. [Paulino Calderon]

  + [GH#943] smb2-security-mode determines the message signing configuration of
    SMB2/SMB3 servers. [Paulino Calderon]

  + [GH#943] smb2-vuln-uptime attempts to discover missing critical patches in
    Microsoft Windows systems based on the SMB2 server uptime. [Paulino Calderon]

  + ssh-auth-methods lists the authentication methods offered by an SSH server.
    [Devin Bjelland]

  + ssh-brute performs brute-forcing of SSH password credentials. [Devin Bjelland]

  + ssh-publickey-acceptance checks public or private keys to see if they could
    be used to log in to a target. A list of known-compromised key pairs is
    included and checked by default. [Devin Bjelland]

  + ssh-run uses user-provided credentials to run commands on targets via SSH.
    [Devin Bjelland]

o [NSE] Removed smbv2-enabled, which was incompatible with the new SMBv2/3
  improvements. It was fully replaced by the smb-protocols script.

o [Ncat][GH#446] Added Datagram TLS (DTLS) support to Ncat in connect (client)
  mode with --udp --ssl. Also added Application Layer Protocol Negotiation
  (ALPN) support with the --ssl-alpn option. [Denis Andzakovic, Daniel Miller]

o Updated the default ciphers list for Ncat and the secure ciphers list for
  Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH
  ciphersuites, anonymous ECDH suites were being allowed. [Daniel Miller]

o [NSE][GH#930] Fix ndmp-version and ndmp-fs-info when scanning Veritas Backup
  Exec Agent 15 or 16. [Andrew Orr]

o [NSE][GH#943] Added new SMB2/3 library and related scripts. [Paulino Calderon]

o [NSE][GH#950] Added wildcard detection to dns-brute. Only hostnames that
  resolve to unique addresses will be listed. [Aaron Heesakkers]

o [NSE] FTP scripts like ftp-anon and ftp-brute now correctly handle
  TLS-protected FTP services and use STARTTLS when necessary. [Daniel Miller]

o [NSE][GH#936] Function url.escape no longer encodes so-called "unreserved"
  characters, including hyphen, period, underscore, and tilde, as per RFC 3986.
  [nnposter]

o [NSE][GH#935] Function http.pipeline_go no longer assumes that persistent
  connections are supported on an HTTP 1.0 target (unless the target explicitly
  declares otherwise), as per RFC 7230. [nnposter]

o [NSE][GH#934] The HTTP response object has a new member, version, which
  contains the HTTP protocol version string returned by the server, e.g. "1.0".
  [nnposter]

o [NSE][GH#938] Fix handling of the objectSID Active Directory attribute
  by ldap.lua. [Tom Sellers]

o [NSE] Fix line endings in the list of Oracle SIDs used by oracle-sid-brute.
  Carriage Return characters were being sent in the connection packets, likely
  resulting in failure of the script. [Anant Shrivastava]

o [NSE][GH#141] http-useragent-checker now checks for changes in HTTP status
  (usually 403 Forbidden) in addition to redirects to indicate forbidden User
  Agents. [Gyanendra Mishra]

Nmap 7.50 [2017-06-13]

o [Windows] Updated the bundled Npcap from 0.78 to 0.91, with several bugfixes
  for WiFi connectivity problems and stability issues. [Daniel Miller, Yang Luo]

o Integrated all of your service/version detection fingerprints submitted from
  September to March (855 of them). The signature count went up 2.9% to 11,418.
  We now detect 1193 protocols from apachemq, bro, and clickhouse to jmon,
  slmp, and zookeeper. Highlights: http://seclists.org/nmap-dev/2017/q2/140

o [NSE] Added 14 NSE scripts from 12 authors, bringing the total up to 566!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are below:

  + [GH#743] broadcast-ospf2-discover discovers OSPF 2 routers and neighbors.
    OSPFv2 authentication is supported. [Emiliano Ticci]

  + [GH#671] cics-info checks IBM TN3270 services for CICS transaction services
    and extracts useful information. [Soldier of Fortran]

  + [GH#671] cics-user-brute does brute-force enumeration of CICS usernames on
    IBM TN3270 services. [Soldier of Fortran]

  + [GH#669] http-cookie-flags checks HTTP session cookies for HTTPOnly and
    Secure flags. [Steve Benson]

  + http-security-headers checks for the HTTP response headers related to
    security given in OWASP Secure Headers Project, giving a brief description
    of the header and its configuration value. [Vinamra Bhatia, Ícaro Torres]

  + [GH#740][GH#759] http-vuln-cve2017-5638 checks for the RCE bug in Apache
    Struts2. [Seth Jackson]

  + [GH#876] http-vuln-cve2017-5689 detects a privilege escalation
    vulnerability (INTEL-SA-00075) in Intel Active Management Technology (AMT)
    capable systems. [Andrew Orr]

  + http-vuln-cve2017-1001000 detects a privilege escalation vulnerability in
    Wordpress 4.7.0 and 4.7.1 (CVE-2017-1001000) [Vinamra Bhatia]

  + [GH#713] impress-remote-discover attempts to pair with the LibreOffice
    Impress presentation remote service and extract version info.  Pairing is
    PIN-protected, and the script can optionally brute-force the PIN.  New
    service probe and match line also added. [Jeremy Hiebert]

  + [GH#854] smb-double-pulsar-backdoor detects the Shadow Brokers-leaked
    Double Pulsar backdoor in Windows SMB servers. [Andrew Orr]

  + smb-vuln-cve-2017-7494 detects a remote code execution vulnerability
    affecting Samba versions 3.5.0 and greater with writable shares.
    [Wong Wai Tuck]

  + smb-vuln-ms17-010 detects a critical remote code execution vulnerability
    affecting SMBv1 servers in Microsoft Windows systems (ms17-010).  The
    script also reports patched systems. [Paulino Calderon]

  + [GH#686] tls-ticketbleed checks for the Ticketbleed vulnerability
    (CVE-2016-9244) in F5 BIG-IP appliances. [Mak Kolybabi]

  + vmware-version queries VMWare SOAP API for version and product information.
    Submitted in 2011, this was mistakenly turned into a service probe that was
    unable to elicit any matches. [Aleksey Tyurin]

o [Ncat] A series of changes and fixes based on feedback from the Red Hat community:

  + [GH#157] Ncat will now continue trying to connect to each resolved address
    for a hostname before declaring the connection refused, allowing it to
    fallback from IPv6 to IPv4 or to connect to names that use DNS failover.
    [Jaromir Koncicky, Michal Hlavinka]

  + The --no-shutdown option now also works in connect mode, not only in listen mode.

  + Made -i/--idle-timeout not cause Ncat in server mode to close while
    waiting for an initial connection. This was also causing -i to interfere
    with the HTTP proxy server mode. [Carlos Manso, Daniel Miller]

  + [GH#773] Ncat in server mode properly handles TLS renegotiations and other
    situations where SSL_read returns a non-fatal error. This was causing
    SSL-over-TCP connections to be dropped. [Daniel Miller]

  + Enable --ssl-ciphers to be used with Ncat in client mode, not only in
    server (listen) mode. [Daniel Miller]

o [NSE] New fingerprints for http-enum:
  - Endpoints for Spring MVC and Boot Actuator [Paulino Calderon]
  - [GH#620][GH#715] 8 fingerprints for Hadoop infrastructure components
    [Thomas Debize, Varunram Ganesh]

o [NSE][GH#266][GH#704][GH#238][GH#883] NSE libraries smb and msrpc now use
  fully qualified paths. SMB scripts now work against all modern versions
  of Microsoft Windows. [Paulino Calderon]

o [NSE] smb library's share_get_list now properly uses anonymous connections
  first before falling back to authenticating as a known user.

o New service probes and matches for Apache HBase and Hadoop MapReduce.
  [Paulino Calderon]

o Extended Memcached service probe and added match for Apache ZooKeeper.
  [Paulino Calderon]

o [NSE] New script argument "vulns.short" will reduce vulns library script
  output to a single line containing the target name or IP, the vulnerability
  state, and the CVE ID or title of the vulnerability. [Daniel Miller]

o [NSE][GH#862] SNMP scripts will now take a community string provided like
  `--script-args creds.snmp=private`, which previously did not work because it
  was interpreted as a username. [Daniel Miller]

o [NSE] Resolved several issues in the default HTTP redirect rules:
  - [GH#826] A redirect is now cancelled if the original URL contains
    embedded credentials
  - [GH#829] A redirect test is now more careful in determining whether
    a redirect destination is related to the original host
  - [GH#830] A redirect is now more strict in avoiding possible redirect
    loops
  [nnposter]

o [NSE][GH#766] The HTTP Host header will now include the port unless it is
  the default one for a given scheme. [nnposter]

o [NSE] The HTTP response object has a new member, fragment, which contains
  a partially received body (if any) when the overall request fails to
  complete. [nnposter]

o [NSE][GH#866] NSE now allows cookies to have arbitrary attributes, which
  are silently ignored (in accordance with RFC 6265). Unrecognized attributes
  were previously causing HTTP requests with such cookies to fail. [nnposter]

o [NSE][GH#844] NSE now correctly parses a Set-Cookie header that has unquoted
  whitespace in the cookie value (which is allowed per RFC 6265). [nnposter]

o [NSE][GH#731] NSE is now able to process HTTP responses with a Set-Cookie
  header that has an extraneous trailing semicolon. [nnposter]
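
The Set-Cookie parsing behaviour described in the three 7.50 entries above (GH#866, GH#844, GH#731) together with the RFC 6265 rules listed in the 7.70 entry (empty attributes tolerated, double quotes kept literally, empty-valued and value-less attributes treated alike, attributes named "name" or "value" ignored), as a stand-alone Python model (an added example, not nmap's http.lua; parse_set_cookie, parse_set_cookies and cookie_header are this example's own names):

```python
def parse_set_cookie(header):
    """Parse one Set-Cookie header value into a dict.

    Returns {"name": ..., "value": ..., <attribute>: <value or True>}, or
    None when the leading name=value pair is missing or its name is empty.
    """
    # RFC 6265 section 5.2: the name-value pair ends at the first ";" and
    # the attributes follow, each likewise delimited by ";".
    pieces = header.split(";")
    name_value = pieces[0]
    if "=" not in name_value:
        return None
    name, value = name_value.split("=", 1)
    name = name.strip()
    if name == "":
        return None
    # Surrounding whitespace is trimmed, but inner whitespace ("en US") and
    # any double quotes are kept exactly as the server sent them.
    cookie = {"name": name, "value": value.strip()}

    for piece in pieces[1:]:
        piece = piece.strip()
        if piece == "":
            # Empty attribute: "a=b;; Path=/" or a trailing ";" is tolerated.
            continue
        if "=" in piece:
            attr, attr_value = (s.strip() for s in piece.split("=", 1))
        else:
            attr, attr_value = piece, ""
        attr = attr.lower()
        # Attributes named "name" or "value" would clobber the cookie's own
        # name and value, so they are dropped; everything else is kept as-is.
        if attr in ("", "name", "value"):
            continue
        # "Secure=" and "Secure" both mean the attribute is present.
        cookie[attr] = attr_value if attr_value != "" else True
    return cookie


def parse_set_cookies(headers):
    """Parse a list of Set-Cookie header values, skipping malformed ones."""
    cookies = []
    for h in headers:
        c = parse_set_cookie(h)
        if c is not None:
            cookies.append(c)
    return cookies


def cookie_header(cookies):
    """Build the Cookie request header value from parsed cookies."""
    return "; ".join(f"{c['name']}={c['value']}" for c in cookies)


if __name__ == "__main__":
    # Constructed sample headers, one per rule exercised above.
    samples = [
        "SID=31d4d96e407aad42; Path=/; Secure; HttpOnly",
        'lang=en US;; Domain="example.com"; Max-Age=; ',
        "evil=1; name=spoofed; value=spoofed",
        "=no-name",
    ]
    for c in parse_set_cookies(samples):
        print(c)
    print("Cookie:", cookie_header(parse_set_cookies(samples)))
```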

o [NSE][GH#708] TLS SNI now works correctly for NSE HTTP requests initiated
  with option any_af. As an added benefit, option any_af is now available for
  all connections via comm.lua, not just HTTP requests. [nnposter]

o [NSE][GH#781] There is a new common function, url.get_default_port(),
  to obtain the default port number for a given scheme. [nnposter]

o [NSE][GH#833] Function url.parse() now returns the port part as a number,
  not a string. [nnposter]

o No longer allow ICMP Time Exceeded messages to mark a host as down during
  host discovery. Running traceroute at the same time as Nmap was causing
  interference. [David Fifield]

o [NSE][GH#807] Fixed a JSON library issue that was causing long integers
  to be expressed in the scientific/exponent notation. [nnposter]

o [NSE] Fixed several potential hangs in NSE scripts that used
  receive_buf(pattern), which will not return if the service continues to send
  data that does not match pattern. A new function in match.lua, pattern_limit,
  is introduced to limit the number of bytes consumed while searching for the
  pattern. [Daniel Miller, Jacek Wielemborek]

o [Nsock] Handle any and all socket connect errors the same: raise as an Nsock
  error instead of fatal. This prevents Nmap and Ncat from quitting with
  "Strange error from connect:" [Daniel Miller]

o [NSE] Added several commands to redis-info to extract listening addresses,
  connected clients, active channels, and cluster nodes. [Vasiliy Kulikov]

o [NSE][GH#679][GH#681] Refreshed script http-robtex-reverse-ip, reflecting
  changes at the source site (www.robtex.com). [aDoN]

o [NSE][GH#629] Added two new fingerprints to http-default-accounts
  (APC Management Card, older NetScreen ScreenOS) [Steve Benson, nnposter]

o [NSE][GH#716] Fix for oracle-tns-version which was sending an invalid TNS
  probe due to a string escaping mixup. [Alexandr Savca]

o [NSE][GH#694] ike-version now outputs information about supported attributes
  and unknown vendor ids. Also, a new fingerprint for FortiGate VPNs was
  submitted by Alexis La Goutte. [Daniel Miller]

o [GH#700] Enabled support for TLS SNI on the Windows platform. [nnposter]

o [GH#649] New service probe and match lines for the JMON and RSE services of
  IBM Explorer for z/OS. [Soldier of Fortran]

o Removed a duplicate service probe for Memcached added in 2011 (the original
  probe was added in 2008) and reported as duplicate in 2013 by Pavel Kankovsky.

o New service probe and match line for NoMachine NX Server remote desktop.
  [Justin Cacak]

o [Zenmap] Fixed a recurring installation problem on OS X/macOS where Zenmap
  was installed to /Applications/Applications/Zenmap.app instead of
  /Applications/Zenmap.app.

o [Zenmap][GH#639] Zenmap will no longer crash when no suitable temporary
  directory is found. Patches contributed by [Varunram Ganesh] and [Sai Sundhar]

o [Zenmap][GH#626] Zenmap now properly handles the -v0 (no output) option,
  which was added in Nmap 7.10. Previously, this was treated the same as not
  specifying -v at all. [lymanZerga11]

o [GH#630] Updated or removed some OpenSSL library calls that were deprecated
  in OpenSSL 1.1. [eroen]

o [NSE] Script ssh-hostkey now recognizes and reports Ed25519 keys [nnposter]

o [NSE][GH#627] Fixed script hang in several brute scripts due to the "threads"
  script-arg not being converted to a number. Error message was
  "nselib/brute.lua:1188: attempt to compare number with string" [Arne Beer]

Nmap 7.40 [2016-12-20]

o [Windows] Updated the bundled Npcap from 0.10r9 to 0.78r5, with an
  improved installer experience, driver signing updates to work with
  Windows 10 build 1607, and bugfixes for WiFi connectivity
  problems. [Yang Luo, Daniel Miller]

o Integrated all of your IPv4 OS fingerprint submissions from April to
  September (568 of them). Added 149 fingerprints, bringing the new total to
  5,336. Additions include Linux 4.6, macOS 10.12 Sierra, NetBSD 7.0, and more.
  Highlights: http://seclists.org/nmap-dev/2016/q4/110 [Daniel Miller]

o Integrated all of your service/version detection fingerprints submitted from
  April to September (779 of them). The signature count went up 3.1% to 11,095.
  We now detect 1161 protocols, from airserv-ng, domaintime, and mep to
  nutcracker, rhpp, and usher. Highlights: http://seclists.org/nmap-dev/2016/q4/115
  [Daniel Miller]

o Fix reverse DNS on Windows which was failing with the message "mass_dns:
  warning: Unable to determine any DNS servers." This was because the interface
  GUID comparison needed to be case-insensitive. [Robert Croteau]

o [NSE] Added 12 NSE scripts from 4 authors, bringing the total up to 552!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are below:

  + cics-enum enumerates CICS transaction IDs, mapping to screens in TN3270
    services. [Soldier of Fortran]

  + cics-user-enum brute-forces usernames for CICS users on TN3270 services.
    [Soldier of Fortran]

  + fingerprint-strings will print the ASCII strings it finds in the service
    fingerprints that Nmap shows for unidentified services. [Daniel Miller]

  + [GH#606] ip-geolocation-map-bing renders IP geolocation data as an image
    via Bing Maps API. [Mak Kolybabi]

  + [GH#606] ip-geolocation-map-google renders IP geolocation data as an image
    via Google Maps API. [Mak Kolybabi]

  + [GH#606] ip-geolocation-map-kml records IP geolocation data in a KML file
    for import into other mapping software [Mak Kolybabi]

  + nje-pass-brute brute-forces the password to a NJE node, given a valid RHOST
    and OHOST. Helpfully, nje-node-brute can now brute-force both of those
    values. [Soldier of Fortran]

  + [GH#557] ssl-cert-intaddr will search for private IP addresses in TLS
    certificate fields and extensions. [Steve Benson]

  + tn3270-screen shows the login screen from mainframe TN3270 Telnet services,
    including any hidden fields. The script is accompanied by the new tn3270
    library. [Soldier of Fortran]

  + tso-enum enumerates usernames for TN3270 Telnet services. [Soldier of Fortran]

  + tso-brute brute-forces passwords for TN3270 Telnet services. [Soldier of Fortran]

  + vtam-enum brute-forces VTAM application IDs for TN3270 services.
    [Soldier of Fortran]

o [NSE][GH#518] Brute scripts are faster and more accurate. New feedback and
  adaptivity mechanisms in brute.lua help brute scripts use resources more
  efficiently, dynamically changing number of threads based on protocol
  messages like FTP 421 errors, network errors like timeouts, etc.
  [Sergey Khegay]

o [GH#353] New option --defeat-icmp-ratelimit dramatically reduces UDP scan
  times in exchange for labeling unresponsive (and possibly open) ports as
  "closed|filtered". Ports which give a UDP protocol response to one of Nmap's
  scanning payloads will be marked "open". [Sergey Khegay]

o [NSE][GH#533] Removed ssl-google-cert-catalog, since Google shut off that
  service at some point. Reported by Brian Morin.

o [NSE][GH#606] New NSE library, geoip.lua, provides a common framework for
  storing and retrieving IP geolocation results. [Mak Kolybabi]

o [Ncat] Restore the connection success message that Ncat prints with -v. This
  was accidentally suppressed when not using -z.

o [GH#316] Added scan resume from Nmap's XML output. Now you can --resume a
  canceled scan from all 3 major output formats: -oN, -oG, and -oX.
  [Tudor Emil Coman]

o [Ndiff][GH#591] Fix a bug where hosts with the same IP but different
  hostnames were shown as changing hostnames between scans. Made sort stable
  with regard to hostnames. [Daniel Miller]

o [NSE][GH#540] Add tls.servername script-arg for forcing a name to be used for
  TLS Server Name Indication extension. The argument overrides the default use
  of the host's targetname. [Bertrand Bonnefoy-Claudet]

o [GH#505] Updated Russian translation of Zenmap by Alexander Kozlov.

o [NSE][GH#588] Fix a crash in smb.lua when using smb-ls due to a
  floating-point number being passed to os.time ("bad argument").
  [Dallas Winger]

o [NSE][GH#596] Fix a bug in mysql.lua that caused authentication failures in
  mysql-brute and other scripts due to including a null terminator in the salt
  value. This bug affects Nmap 7.25BETA2 and later releases.  [Daniel Miller]

o The --open option now implies --defeat-rst-ratelimit. This may result in
  inaccuracies in the numbers of "Not shown:" closed and filtered ports, but
  only in situations where it also speeds up scan times. [Daniel Miller]

o [NSE] Added known Diffie-Hellman parameters for haproxy, postfix, and
  IronPort to ssl-dh-params. [Frank Bergmann]

o Added service probe for ClamAV servers (clam),
  an open source antivirus engine used in mail scanning. [Paulino Calderon]
 1293 o Added service probe and UDP payload for Quick UDP Internet Connection (QUIC),
 1294   a secure transport developed by Google and used with HTTP/2. [Daniel Miller]
 1296 o [NSE] Enabled resolveall to run against any target provided as a hostname, so
 1297   the resolveall.hosts script-arg is no longer required. [Daniel Miller]
 1299 o [NSE] Revised script http-default-accounts in several ways [nnposter]:
 1300   - Added 21 new fingerprints, plus broadened 5 to cover more variants.
 1301   - [GH#577] It can now test systems that return status 200 for
 1302     non-existent pages.
 1303   - [GH#604] Implemented XML output. Layout of the classic text output has also
 1304     changed, including reporting blank usernames or passwords as "<blank>",
 1305     instead of just empty strings.
 1306   - Added CPE entries to individual fingerprints (where known). They are
 1307     reported only in the XML output.
 1309 o [NSE][GH#573] Updated http.lua to allow processing of HTTP responses with
 1310   malformed header names. Such header lines are still captured in the rawheader
 1311   list but skipped otherwise. [nnposter]
 1313 o [GH#416] New service probe and match line for iperf3. [Eric Gershman]
 1315 o [NSE][GH#555] Add Drupal to the set of web apps brute forced by
 1316   http-form-brute. [Nima Ghotbi]
 1318 Nmap 7.31 [2016-10-20]
 1320 o [Windows] Updated the bundled Npcap from 0.10r2 to 0.10r9, bringing
 1321   increased stability, bug fixes, and raw 802.11 WiFi capture (unused
 1322   by Nmap). Further details on these changes can be found at
 1323   https://github.com/nmap/npcap/releases. [Yang Luo]
 1325 o Fixed the way Nmap handles scanning names that resolve to the same IP. Due to
 1326   changes in 7.30, the IP was only being scanned once, with bogus results
 1327   displayed for the other names. The previous behavior is now restored.
 1328   [Tudor Emil Coman]
 1330 o [Nping][GH#559] Fix Nping's ability to use Npcap on Windows. A privilege
 1331   check was performed too late, so the Npcap loading code assumed the user had no
 1332   rights. [Yang Luo, Daniel Miller]
 1334 o [GH#350] Fix an assertion failure due to floating point error in equality
 1335   comparison, which triggered mainly on OpenBSD:
 1336     assertion "diff <= interval" failed: file "timing.cc", line 440
 1337   This was reported earlier as [GH#472] but the assertion fixed there was a
 1338   different one. [David Carlier]
 1340 o [Zenmap] Fix a crash in the About page in the Spanish translation due to a
 1341   missing format specifier:
 1342     File "zenmapGUI\About.pyo", line 217, in __init__
 1343     TypeError: not all arguments converted during string formatting
 1344   [Daniel Miller]
 1346 o [Zenmap][GH#556] Better visual indication that display of hostname is tied to
 1347   address in the Topology page. You can show numeric addresses with hostnames
 1348   or without, but you can't show hostnames without numeric addresses when they
 1349   are not available. [Daniel Miller]
 1351 o To increase the number of IPv6 fingerprint submissions, a prompt for
 1352   submission will be shown with some random chance for successful matches of OS
 1353   classes that are based on only a few submissions. Previously, only
 1354   unsuccessful matches produced such a prompt. [Daniel Miller]
 1356 Nmap 7.30 [2016-09-29]
 1358 o Integrated all 12 of your IPv6 OS fingerprint submissions from June to
 1359   September. No new groups, but several classifications were strengthened,
 1360   especially Windows localhost and OS X. [Daniel Miller]
 1362 o [NSE] Added 7 NSE scripts, from 3 authors, bringing the total up to 541!
 1363   They are all listed at https://nmap.org/nsedoc/, and the summaries are below
 1364   (authors are listed in brackets):
 1366   + [GH#369] coap-resources grabs the list of available resources from CoAP
 1367     endpoints. [Mak Kolybabi]
 1369   + fox-info retrieves detailed version and configuration info from Tridium
 1370     Niagara Fox services. [Stephen Hilt]
 1372   + ipmi-brute performs authentication brute-forcing on IPMI services.
 1373     [Claudiu Perta]
 1375   + ipmi-cipher-zero checks IPMI services for Cipher Zero support, which allows
 1376     connection without a password. [Claudiu Perta]
 1378   + ipmi-version retrieves protocol version and authentication options from
 1379     ASF-RMCP (IPMI) services. [Claudiu Perta]
 1381   + [GH#352] mqtt-subscribe connects to a MQTT broker, subscribes to topics,
 1382     and lists the messages received. [Mak Kolybabi]
 1384   + pcworx-info retrieves PLC model, firmware version, and date from Phoenix
 1385     Contact PLCs. [Stephen Hilt]
 1387 o Upgraded Npcap, our new Windows packet capturing driver/library,
 1388   from version 0.09 to 0.10r2. This includes many bug fixes, with a
 1389   particular emphasis on concurrency issues discovered by running
 1390   hundreds of Nmap instances at a time. More details are available
 1391   from https://github.com/nmap/npcap/releases. [Yang Luo, Daniel
 1392   Miller, Fyodor]
 1394 o New service probes and match lines for DTLS, IPMI-RMCP, MQTT, PCWorx,
 1395   ProConOS, and Tridium Fox. [Stephen Hilt, Mak Kolybabi, Daniel Miller]
 1397 o Improved some output filtering to remove or escape carriage returns ('\r')
 1398   that could allow output spoofing by overwriting portions of the screen. Issue
 1399   reported by Adam Rutherford. [Daniel Miller]
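The output-spoofing risk this entry fixes, shown as an added example (not Nmap's own code): a minimal terminal model demonstrates how a raw carriage return inside a service banner lets the remote service overwrite the scanner's own output line, and an escaping routine of the kind the entry describes renders the same bytes harmlessly. The "|_banner:" prefix and the hostile banner are constructed sample values.

```python
r"""Escaping control characters in untrusted service output.

Added example, not Nmap's own code. The output prefix and the banner are
constructed for illustration.
"""
from typing import List

# Constructed sample: what a scanner prints before a banner, and a banner
# from a hostile service that uses '\r' to rewrite the whole line.
OUTPUT_PREFIX = "|_banner: "
SPOOFED_BANNER = b"220 mail.example.com ESMTP\rscan complete: no services found    \n"


def render_on_terminal(prefix: str, raw: bytes) -> str:
    r"""Simulate how a terminal displays prefix + raw as a single line.

    Simplified model: '\r' moves the cursor to column 0 and later printable
    bytes overwrite what is already there; '\n' ends the line; every other
    control byte is ignored. This is enough to show the overwrite trick.
    """
    line: List[str] = list(prefix)
    col = len(line)
    for b in raw:
        if b == 0x0D:            # carriage return: cursor back to column 0
            col = 0
        elif b == 0x0A:          # newline: the line is finished
            break
        elif 0x20 <= b < 0x7F:   # printable ASCII overwrites in place
            if col < len(line):
                line[col] = chr(b)
            else:
                line.append(chr(b))
            col += 1
    return "".join(line)


def escape_control_chars(data: bytes) -> str:
    r"""Return a printable, unambiguous rendering of untrusted bytes.

    Printable ASCII passes through; CR and LF become the two-character
    escapes \r and \n; any other byte becomes \xNN; a literal backslash is
    doubled so that a banner containing the text "\r" cannot be confused
    with an escaped carriage return.
    """
    out = []
    for b in data:
        if b == 0x5C:
            out.append("\\\\")
        elif b == 0x0D:
            out.append("\\r")
        elif b == 0x0A:
            out.append("\\n")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def safe_banner_line(prefix: str, raw: bytes) -> str:
    """What the scanner should print: the prefix plus the escaped banner."""
    return prefix + escape_control_chars(raw)


if __name__ == "__main__":
    print("raw banner on a terminal :", render_on_terminal(OUTPUT_PREFIX, SPOOFED_BANNER))
    print("escaped banner           :", safe_banner_line(OUTPUT_PREFIX, SPOOFED_BANNER))
```

The same idea applies to any tool that prints data received from a scanned host: the escape must be injective (hence the doubled backslash), and it must cover every byte outside printable ASCII, since terminal escape sequences (ESC followed by "[...") can clear or recolour the screen just as a bare CR can.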
 1401 o [NSE] Fixed a few bad Lua patterns that could result in denial of service due
 1402   to excessive backtracking. [Adam Rutherford, Daniel Miller]
 1404 o Fixed a discrepancy between the number of targets selected with -iR and the
 1405   number of hosts scanned, resulting in output like "Nmap done: 1033 IP
 1406   addresses" when the user specified -iR 1000. [Daniel Miller]
 1408 o Fixed a bug in port specification parsing that could cause extraneous
 1409   'T', 'U', 'S', and 'P' characters to be ignored when they should have
 1410   caused an error. [David Fifield]
 1412 o [GH#543] Restored compatibility with LibreSSL, which was lost in adding
 1413   library version checks for OpenSSL 1.1. [Wonko7]
 1415 o [Zenmap] Fixed a bug in the Compare Scans window of Zenmap on OS X resulting
 1416   in this message instead of Ndiff output:
 1417     ImportError: dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so, 2): no suitable image found.  Did find:
 1418     /Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so: mach-o, but wrong architecture
 1419   Reported by Kyle Gustafson. [Daniel Miller]
 1421 o [NSE] Fixed a bug in ssl-enum-ciphers and ssl-dh-params which caused them to
 1422   not output TLSv1.2 info with DHE ciphersuites or others involving
 1423   ServerKeyExchange messages. [Daniel Miller]
 1425 o [NSE] Added X509v3 extension parsing to NSE's sslcert code. ssl-cert now
 1426   shows the Subject Alternative Name extension; all extensions are shown in the
 1427   XML output. [Daniel Miller]
 1429 Nmap 7.25BETA2 [2016-09-01]
 1431 o [GH#376] Windows binaries are now code-signed with our "Insecure.Com LLC"
 1432   SHA256 certificate. This should give our users extra peace-of-mind and avoid
 1433   triggering Microsoft's ever-increasing security warnings.
 1435 o [NSE] Upgraded NSE to Lua 5.3, adding bitwise operators, integer data type, a
 1436   utf8 library, and native binary packing and unpacking functions. Removed bit
 1437   library, added bits.lua, replaced base32, base64, and bin libraries. [Patrick
 1438   Donnelly]
 1440 o [NSE] Added 2 NSE scripts, bringing the total up to 534!  They are both listed
 1441   at https://nmap.org/nsedoc/, and the summaries are below:
 1443   + oracle-tns-version decodes the version number from Oracle Database Server's
 1444     TNS listener. [Daniel Miller]
 1446   + clock-skew analyzes and reports clock skew between Nmap and services that
 1447     report timestamps, grouping hosts with similar skews. [Daniel Miller]
 1449 o Integrated all of your service/version detection fingerprints submitted from
 1450   January to April (578 of them). The signature count went up 2.2% to 10760.
 1451   We now detect 1122 protocols, from elasticsearch, fhem, and goldengate to
 1452   ptcp, resin-watchdog, and siemens-logo. [Daniel Miller]
 1454 o Upgraded Npcap, our new Windows packet capturing driver/library,
 1455   from version 0.07-r17 to 0.09. This includes many improvements you can
 1456   read about at https://github.com/nmap/npcap/releases.
 1458 o [Nsock][GH#148] Added the new IOCP Nsock engine which uses the Windows
 1459   Overlapped I/O API to improve performance of version scan and NSE against
 1460   many targets on Windows. [Tudor Emil Coman]
 1466 o Various performance improvements for large-scale high-rate scanning,
 1467   including increased ping host groups, faster probe matching, and ensuring
 1468   data types can handle an Internet's-worth of targets. [Tudor Emil Coman]
 1470 o [NSE] Added the oracle-tns-version NSE script which decodes the version
 1471   number from Oracle Database Server's TNS
 1472   listener. https://nmap.org/nsedoc/scripts/oracle-tns-version.html [Daniel
 1473   Miller]
 1475 o [NSE] Added the clock-skew NSE script which analyzes and reports clock skew
 1476   between Nmap and services that report timestamps, grouping hosts with
 1477   similar skews. https://nmap.org/nsedoc/scripts/clock-skew.html [Daniel
 1478   Miller]
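The skew measurement and grouping that the clock-skew entries above (in the script summary and here) describe, as an added example that is not the NSE script itself: skew is the service-reported clock minus the scanner's clock at the moment of observation, and hosts whose skews lie within a tolerance of each other are clustered. The observations, the five-second tolerance and the single-linkage clustering rule are assumptions made for this example.

```python
"""Clock-skew measurement and grouping of hosts with similar skew.

Added example, not the NSE clock-skew script. The observations below are
constructed; in practice the reported clock values come from protocols
that carry a timestamp (HTTP Date headers, SMB, NTP, TLS, ...).
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

T0 = datetime(2016, 9, 1, 12, 0, 0, tzinfo=timezone.utc)


def _at(seconds: float) -> datetime:
    """Helper: a UTC instant `seconds` after the constructed reference T0."""
    return T0 + timedelta(seconds=seconds)


# (host, clock value the service reported, our own clock when we read it)
OBSERVATIONS: List[Tuple[str, datetime, datetime]] = [
    ("10.0.0.1", _at(61.0), _at(0.0)),     # about a minute ahead
    ("10.0.0.2", _at(-2.0), _at(1.0)),     # a few seconds behind
    ("10.0.0.3", _at(60.0), _at(2.0)),     # about a minute ahead, like .1
    ("10.0.0.4", _at(1.0), _at(0.5)),      # essentially in sync
    ("10.0.0.5", _at(3601.0), _at(0.0)),   # one hour ahead: likely a TZ mistake
]


def compute_skews(observations: List[Tuple[str, datetime, datetime]]) -> Dict[str, float]:
    """Skew in seconds = reported clock - our clock (positive: target is ahead)."""
    return {host: (reported - observed).total_seconds()
            for host, reported, observed in observations}


def group_by_skew(skews: Dict[str, float], tolerance: float = 5.0) -> List[Tuple[float, List[str]]]:
    """Cluster hosts whose skews are within `tolerance` seconds of their
    nearest neighbour (single-linkage over the sorted skew values).

    Returns a list of (mean skew, sorted hosts), ordered by skew.
    """
    ordered = sorted(skews.items(), key=lambda kv: (kv[1], kv[0]))
    groups: List[List[Tuple[str, float]]] = []
    for host, skew in ordered:
        if groups and skew - groups[-1][-1][1] <= tolerance:
            groups[-1].append((host, skew))
        else:
            groups.append([(host, skew)])
    return [(sum(s for _, s in g) / len(g), sorted(h for h, _ in g)) for g in groups]


def describe(groups: List[Tuple[float, List[str]]]) -> List[str]:
    """One human-readable line per skew group."""
    return ["skew %+.1fs: %s" % (mean, ", ".join(hosts)) for mean, hosts in groups]


if __name__ == "__main__":
    for line in describe(group_by_skew(compute_skews(OBSERVATIONS))):
        print(line)
```

Hosts that share the same skew are often the same machine or sit behind the same load balancer, which is why grouping is more informative than a per-host number; a large skew is worth fixing on the defending side, since it breaks certificate validity checks, Kerberos, and log correlation during incident response.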
 1480 o [Zenmap] Long-overdue Spanish language translation has been added! Muy bien!
 1481   [Vincent Dumont, Marta Garcia De La Paz, Paulino Calderon, Patricio Castagnaro]
 1483 o [Zenmap][GH#449] Fix a crash when closing Zenmap due to a read-only
 1484   zenmap.conf. User will be warned that config cannot be saved and that they
 1485   should fix the file permissions. [Daniel Miller]
 1487 o [NSE] Fix a crash when parsing TLS certificates that OpenSSL doesn't support,
 1488   like DH certificates or corrupted certs. When this happens, ssl-enum-ciphers
 1489   will label the ciphersuite strength as "unknown." Reported by Bertrand
 1490   Bonnefoy-Claudet. [Daniel Miller]
 1492 o [NSE][GH#531] Fix two issues in sslcert.lua that prevented correct operations
 1493   against LDAP services when version detection or STARTTLS were used.
 1494   [Tom Sellers]
 1496 o [GH#426] Remove a workaround for lack of selectable pcap file descriptors on
 1497   Windows, which required including pcap-int.h and locking us to a single
 1498   version of libpcap. The new method, using WaitForSingleObject, should work
 1499   with all versions of both WinPcap and Npcap. [Daniel Miller]
 1501 o [NSE][GH#234] Added a --script-timeout option for limiting run time for
 1502   every individual NSE script. [Abhishek Singh]
 1504 o [Ncat][GH#444] Added a -z option to Ncat. Just like the -z option in
 1505   traditional netcat, it can be used to quickly check the status of a
 1506   port. Port ranges are not supported since we recommend a certain other tool
 1507   for port scanning. [Abhishek Singh]
 1509 o Fix checking of Npcap/WinPcap presence on Windows so that "nmap -A" and
 1510   "nmap" with no options result in the same behaviors as on Linux (and no
 1511   crashes). [Daniel Miller]
 1513 o [NSE] ssl-enum-ciphers will now warn about 64-bit block ciphers in CBC mode,
 1514   which are vulnerable to the SWEET32 attack.
 1516 o [NSE][GH#117] tftp-enum now only brute-forces IP-address-based Cisco filenames when
 1517   the wordlist contains "{cisco}". Previously, custom wordlists would still end
 1518   up sending these extra 256 requests. [Sriram Raghunathan]
 1520 o [GH#472] Avoid an unnecessary assert failure in timing.cc when printing estimated
 1521   completion time. Instead, we'll output a diagnostic error message:
 1522     Timing error: localtime(n) is NULL
 1523   where "n" is some number that is causing problems. [Jean-Guilhem Nousse]
 1525 o [NSE][GH#519] Removed the obsolete script ip-geolocation-geobytes. [Paulino Calderon]
 1527 o [NSE] Added 9 new fingerprints for script http-default-accounts.
 1528   (Motorola AP, Lantronix print server, Dell iDRAC6, HP StorageWorks, Zabbix,
 1529   Schneider controller, Xerox printer, Citrix NetScaler, ESXi hypervisor)
 1530   [nnposter]
 1532 o [NSE] Completed a refresh and validation of almost all fingerprints for
 1533   script http-default-accounts. Also improved the script speed. [nnposter]
 1535 o [GH#98] Added support for decoys in IPv6. Earlier we supported decoys only in
 1536   IPv4. [Abhishek Singh]
 1542 o [GH#484] Allow Nmap to compile on some older Red Hat distros that disable EC
 1543   crypto support in OpenSSL. [Jeroen Roovers, Vincent Dumont]
 1545 o [GH#439] Nmap now supports OpenSSL 1.1.0-pre5 and previous versions. [Vincent Dumont]
 1547 o [Ncat] Fix a crash ("add_fdinfo() failed.") when --exec was used with --ssl
 1548   and --max-conns, due to improper accounting of file descriptors. [Daniel
 1549   Miller]
 1551 o FTP Bounce scan: improved some edge cases like anonymous login without
 1552   password, 500 errors used to indicate port closed, and timeouts for LIST
 1553   command. Also fixed a 1-byte array overrun (read) when checking for
 1554   privileged ports. [Daniel Miller]
 1556 o [GH#140] Allow target DNS names up to 254 bytes. We previously imposed an
 1557   incorrect limit of 64 bytes in several parts of Nmap. [Vincent Dumont]
 1559 o [NSE] The hard limit on number of concurrently running scripts can now
 1560   increase above 1000 to match a high user-set --min-parallelism value. [Tudor
 1561   Emil Coman]
 1563 o [NSE] Solved a memory corruption issue that would happen if a socket connect
 1564   operation produced an error immediately, such as Network Unreachable. The
 1565   event handler was throwing a Lua error, preventing Nsock from cleaning up
 1566   properly, leaking events. [Abhishek Singh, Daniel Miller]
 1568 o [NSE] Added the datetime library for performing date and time calculations,
 1569   and as a helper to the clock-skew script.
 1571 o [GH#103][GH#364] Made Nmap's parallel reverse DNS resolver more robust, fully
 1572   handling truncated replies. If a response is too long, we now fall back to
 1573   using the system resolver to answer it. [Abhishek Singh]
 1575 o [Zenmap][GH#279] Added a legend for the Topology window. [Suraj Hande]
 1577 Nmap 7.25BETA1 [2016-07-15]
 1579 o Nmap now ships with and uses Npcap, our new packet sniffing library
 1580   for Windows. It's based on WinPcap (unmaintained for years), but
 1581   uses modern Windows APIs for better performance. It also includes
 1582   security improvements and many bug fixes. See https://npcap.org. And
 1583   it enables Nmap to perform SYN scans and OS detection against
 1584   localhost, which we haven't been able to do on Windows since
 1585   Microsoft removed the raw sockets API in 2003. [Yang Luo, Daniel
 1586   Miller, Fyodor]
 1588 o [NSE] Added 6 NSE scripts, from 5 authors, bringing the total up to 533!
 1589   They are all listed at https://nmap.org/nsedoc/, and the summaries are below
 1590   (authors are listed in brackets):
 1592   + clamav-exec detects ClamAV servers vulnerable to unauthorized clamav
 1593     command execution. [Paulino Calderon]
 1595   + http-aspnet-debug detects ASP.NET applications with debugging enabled.
 1596     [Josh Amishav-Zlatin]
 1598   + http-internal-ip-disclosure determines if the web server leaks its internal
 1599     IP address when sending an HTTP/1.0 request without a Host header. [Josh
 1600     Amishav-Zlatin]
 1602   + [GH#304] http-mcmp detects mod_cluster Management Protocol (MCMP) and dumps
 1603     its configuration. [Frank Spierings]
 1605   + [GH#365] sslv2-drown detects vulnerability to the DROWN attack, including
 1606     CVE-2016-0703 and CVE-2016-0704 that enable fast attacks on OpenSSL.
 1607     [Bertrand Bonnefoy-Claudet]
 1609   + vnc-title logs in to VNC servers and grabs the desktop title, geometry, and
 1610     color depth. [Daniel Miller]
 1612 o Integrated all of your IPv4 OS fingerprint submissions from January
 1613   to April (539 of them). Added 98 fingerprints, bringing the new total
 1614   to 5187. Additions include Linux 4.4, Android 6.0, Windows Server
 1615   2016, and more. [Daniel Miller]
 1617 o Integrated all 31 of your IPv6 OS fingerprint submissions from January to
 1618   June. The classifier added 2 groups and expanded several others. Several
 1619   Apple OS X groups were consolidated, reducing the total number of groups to
 1620   93. [Daniel Miller]
 1622 o Update oldest supported Windows version to Vista (Windows 6.0). This enables
 1623   the use of the poll Nsock engine, which has significant performance and
 1624   accuracy advantages. Windows XP users can still use Nmap 7.12, available from
 1625   https://nmap.org/dist/?C=M&O=D [Daniel Miller]
 1627 o [NSE] Fix a crash that happened when trying to print the percent done of 0
 1628   NSE script threads:
 1629     timing.cc:710 bool ScanProgressMeter::printStats(double, const timeval*): Assertion 'ltime' failed.
 1630   This would happen if no scripts were scheduled in a scan phase and the user
 1631   pressed a key or specified a short --stats-every interval. Reported by
 1632   Richard Petrie. [Daniel Miller]
 1634 o [GH#283][Nsock] Avoid "unknown protocol:0" debug messages and an "Unknown
 1635   address family 0" crash on Windows and other platforms that do not set the
 1636   src_addr argument to recvfrom for TCP sockets. [Daniel Miller]
 1638 o Retrieve the correct network prefix length for an adapter on Windows. If more
 1639   than one address was configured on an adapter, the same prefix length would
 1640   be used for both. This incorrect behavior is still used on Windows XP and
 1641   earlier. Reported by Niels Bohr. [Daniel Miller]
 1643 o Changed libdnet-stripped to avoid bailing completely when an interface is
 1644   encountered with an unsupported hardware address type. Caused "INTERFACES:
 1645   NONE FOUND!" bugs in Nmap whenever Linux kernel added new hardware address
 1646   types. [Daniel Miller]
 1648 o Improved service detection of Docker and fixed a bug in the output of
 1649   docker-version script. [Tom Sellers]
 1651 o Fix detection of Microsoft Terminal Services (RDP). Our improved TLS service
 1652   probes were matching on port 3389 before our specific Terminal Services
 1653   probe, causing the port to be labeled as "ssl/unknown". Reported by Josh
 1654   Amishav-Zlatin.
 1656 o [NSE] Update to enable smb-os-discovery to augment version detection
 1657   for certain SMB related services using data that the script discovers.
 1658   [Tom Sellers]
 1660 o Improved version detection and descriptions for Microsoft and Samba
 1661   SMB services. Also addresses certain issues with OS identification.
 1662   [Tom Sellers]
 1664 o [NSE] ssl-enum-ciphers will give a failing score to any server with an RSA
 1665   certificate whose public key uses an exponent of 1. It will also cap the
 1666   score of an RC4-ciphersuite handshake at C and output a warning referencing
 1667   RFC 7465. [Daniel Miller]
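The checks that this entry and the earlier SWEET32 entry (7.25BETA2) add to ssl-enum-ciphers, encoded as an added example that is not the script itself: an RSA certificate whose public exponent is 1 fails outright, an RC4 ciphersuite is capped at grade C with a pointer to RFC 7465, and a 64-bit block cipher in CBC mode gets a SWEET32 warning. The letter scale, the starting grade "A", and the ciphersuite names used as input are assumptions made for this example.

```python
"""Rule-based grading of a TLS handshake result.

Added example, not the ssl-enum-ciphers script. The grade scale and the
starting grade "A" are simplifications assumed here; ciphersuite names
follow the IANA TLS registry naming.
"""
import re
from typing import List, Optional, Tuple

# 64-bit block ciphers as they appear inside IANA ciphersuite names.
_SWEET32_CIPHERS = re.compile(r"_(3DES|DES|IDEA|RC2)_")


def is_64bit_block_cbc(suite: str) -> bool:
    """True for suites such as TLS_RSA_WITH_3DES_EDE_CBC_SHA."""
    return "_CBC" in suite and _SWEET32_CIPHERS.search(suite) is not None


def sweet32_data_bound_bytes(block_bits: int = 64) -> int:
    """Traffic under one key after which a block collision becomes likely:
    birthday bound of 2^(block_bits/2) blocks, each block_bits/8 bytes."""
    return (1 << (block_bits // 2)) * (block_bits // 8)


def grade_handshake(suite: str, rsa_exponent: Optional[int]) -> Tuple[str, List[str]]:
    """Return (letter grade, warnings) for one negotiated suite plus the
    server certificate's RSA public exponent (None for non-RSA keys).
    Grades are compared as letters, so the worse grade is the larger one."""
    grade = "A"
    warnings: List[str] = []
    if rsa_exponent == 1:
        # m^1 mod n == m: "encryption" under this key is the identity map,
        # so nothing encrypted to the certificate is protected at all.
        grade = "F"
        warnings.append("RSA public exponent is 1; the key offers no protection")
    if "RC4" in suite:
        grade = max(grade, "C")
        warnings.append("RC4 is prohibited by RFC 7465")
    if is_64bit_block_cbc(suite):
        gib = sweet32_data_bound_bytes(64) // (1 << 30)
        warnings.append("64-bit block cipher in CBC mode (SWEET32): collisions likely after ~%d GiB" % gib)
    return grade, warnings


if __name__ == "__main__":
    for suite, e in [("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 65537),
                     ("TLS_RSA_WITH_RC4_128_SHA", 65537),
                     ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", 65537),
                     ("TLS_RSA_WITH_AES_128_GCM_SHA256", 1)]:
        print(suite, grade_handshake(suite, e))
```

The exponent check matters because a certificate with e = 1 is otherwise well-formed and passes chain validation; only a deliberate key-parameter check catches it. The SWEET32 bound (2^32 blocks of 8 bytes, about 32 GiB under one key) is why the warning applies to long-lived connections and renegotiation-free deployments rather than to every handshake.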
 1669 o [NSE] Refactored some SSLv2 functionality into a new library, sslv2.lua .
 1670   [Daniel Miller]
 1672 o [GH#399] Zenmap's authorization wrapper now uses an AppleScript method for
 1673   privilege escalation on OS X, avoiding the deprecated
 1674   AuthorizationExecuteWithPrivileges method previously used. [Vincent Dumont]
 1676 o [GH#454] The OS X binary package is distributed in a .dmg disk image that now
 1677   features an instructive background image. [Vincent Dumont]
 1679 o [GH#420] Our OS X build system now uses gtk-mac-bundler and jhbuild to
 1680   provide all dependencies. We no longer use Macports for this purpose.
 1681   [Vincent Dumont]
 1683 o [GH#345][Zenmap] On Windows, save Zenmap's stderr output to a writeable
 1684   location (%LOCALAPPDATA%\zenmap.exe.log or %TEMP%\zenmap.exe.log) instead of
 1685   next to the zenmap.exe executable. This avoids a warning message when closing
 1686   Zenmap if it produced any stderr output. [Daniel Miller]
 1688 o [GH#379][NSE] Fix http-iis-short-name-brute to report non-vulnerable hosts.
 1689   Reported by alias1. [Paulino Calderon]
 1691 o [NSE][GH#371] Fix mysql-audit by adding needed library requires to the
 1692   mysql-cis.audit file. The script would fail with "Failed to load rulebase"
 1693   message. [Paolo Perego]
 1695 o [NSE][GH#362] Added support for LDAP over UDP to ldap-rootdse.nse.
 1696   Also added version detection and information extraction to match the
 1697   new LDAP LDAPSearchReq and LDAPSearchReqUDP probes. [Tom Sellers]
 1699 o [GH#354] Added new version detection probes for LDAP services, LDAPSearchReq
 1700   and LDAPSearchReqUDP. The second is Microsoft Active Directory specific. The
 1701   probes will elicit responses from target services that allow better
 1702   fingerprinting and information extraction. Also added nmap-payload entry for
 1703   detecting LDAP on UDP. [Tom Sellers]
 1705 o [NSE] More VNC updates: Support for VeNCrypt and Tight auth types, output of
 1706   authentication sub-types in vnc-info, and all zero-authentication types are
 1707   recognized and reported. [Daniel Miller]
 1709 Nmap 7.12 [2016-03-29]
 1711 o [Zenmap] Avoid file corruption in zenmap.conf, reported as files containing
 1712   many null ("\x00") characters. Example exceptions:
 1713     TypeError: int() argument must be a string or a number, not 'list'
 1714     ValueError: unable to parse colour specification
 1716 o [NSE] VNC updates including vnc-brute support for TLS security type and
 1717   negotiating a lower RFB version if the server sends an unknown higher
 1718   version.  [Daniel Miller]
 1720 o [NSE] Added STARTTLS support for VNC, NNTP, and LMTP. [Daniel Miller]
 1722 o Added new service probes and match lines for OpenVPN on UDP and TCP.
 1724 Nmap 7.11 [2016-03-22]
 1726 o [NSE][GH#341] Added support for diffie-hellman-group-exchange-* SSH key
 1727   exchange methods to ssh2.lua, allowing ssh-hostkey to run on servers that
 1728   only support custom Diffie-Hellman groups. [Sergey Khegay]
 1730 o [NSE] Added support in sslcert.lua for Microsoft SQL Server's TDS protocol,
 1731   so you can now grab certs with ssl-cert or check ciphers with
 1732   ssl-enum-ciphers.  [Daniel Miller]
 1734 o [Zenmap] Fix a crash when setting default window geometry:
 1735     TypeError: argument of type 'int' is not iterable
 1737 o [Zenmap] Fix a crash when displaying the date from an Nmap XML file due to an
 1738   empty or unknown locale:
 1739     File "zenmapCore/NmapParser.py", line 627, in get_formatted_date
 1740       locale.getpreferredencoding())
 1741     LookupError: unknown encoding:
 1743 o [Zenmap] Fix a crash due to incorrect file paths when installing to
 1744   /usr/local prefix. Example:
 1745     Exception: File '/home/blah/.zenmap/scan_profile.usp' does not exist or could not be found!
 1747 Nmap 7.10 [2016-03-17]
 1749 o [NSE] Added 12 NSE scripts from 7 authors, bringing the total up to 527!
 1750   They are all listed at https://nmap.org/nsedoc/, and the summaries are below
 1751   (authors are listed in brackets):
 1753   + [GH#322] http-apache-server-status parses the server status page of
 1754     Apache's mod_status. [Eric Gershman]
 1756   + http-vuln-cve2013-6786 detects an XSS and URL redirection vulnerability in
 1757     Allegro RomPager web server. Also added a fingerprint for detecting
 1758     CVE-2014-4019 to http-fingerprints.lua. [Vlatko Kosturjak]
 1760   + [GH#226] http-vuln-cve2014-3704 detects and exploits the "Drupalgeddon"
 1761     pre-auth SQL Injection vulnerability in Drupal. [Mariusz Ziulek]
 1763   + imap-ntlm-info extracts hostname and sometimes OS version from
 1764     NTLM-auth-enabled IMAP services. [Justin Cacak]
 1766   + ipv6-multicast-mld-list discovers IPv6 multicast listeners with MLD probes.
 1767     The discovery is the same as targets-ipv6-multicast-mld, but the subscribed
 1768     addresses are decoded and listed.  [Alexandru Geana, Daniel Miller]
 1770   + ms-sql-ntlm-info extracts OS version and sometimes hostname from MS SQL
 1771     Server instances via the NTLM challenge message. [Justin Cacak]
 1773   + nntp-ntlm-info extracts hostname and sometimes OS version from
 1774     NTLM-auth-enabled NNTP services. [Justin Cacak]
 1776   + pop3-ntlm-info extracts hostname and sometimes OS version from
 1777     NTLM-auth-enabled POP3 services. [Justin Cacak]
 1779   + rusers retrieves information about logged-on users from the rusersd RPC
 1780     service. [Daniel Miller]
 1782   + [GH#333] shodan-api queries the Shodan API (https://www.shodan.io) and
 1783     retrieves open port and service info from their Internet-wide scan data.
 1784     [Glenn Wilkinson]
 1786   + smtp-ntlm-info extracts hostname and sometimes OS version from
 1787     NTLM-auth-enabled SMTP and submission services. [Justin Cacak]
 1789   + telnet-ntlm-info extracts hostname and sometimes OS version from
 1790     NTLM-auth-enabled Telnet services. [Justin Cacak]
 1792 o Updated the OpenSSL shipped with our binary builds (Windows, OS X, and Linux
 1793   RPM) to 1.0.2g with SSLv2 enabled.
 1795 o Integrated all of your IPv4 OS fingerprint submissions from October to
 1796   January (536 of them). Added 104 fingerprints, bringing the new total to
 1797   5089. Additions include Linux 4.2, more Windows 10, IBM i 7, and more.
 1798   Highlights: http://seclists.org/nmap-dev/2016/q1/270 [Daniel Miller]
 1800 o Integrated all of your service/version detection fingerprints submitted from
 1801   October to January (508 of them). The signature count went up 2.2% to 10532.
 1802   We now detect 1108 protocols, from icy, finger, and rtsp to ipfs,
 1803   basestation, and minecraft-pe. Highlights:
 1804   http://seclists.org/nmap-dev/2016/q1/271 [Daniel Miller]
 1806 o Integrated all 12 of your IPv6 OS fingerprint submissions from October to
 1807   January. The classifier added 3 new groups, including new and expanded groups
 1808   for OS X, bringing the new total to 96. Highlights:
 1809   http://seclists.org/nmap-dev/2016/q1/273 [Daniel Miller]
 1811 o [NSE] Upgrade to http-form-brute allowing correct handling of token-based
 1812   CSRF protections and cookies. Also, a simple database of common login forms
 1813   supports Django, WordPress, MediaWiki, Joomla, and others. [Daniel Miller]
 1815 o [Zenmap] [GH#247] Remember window geometry (position and size) from the
 1816   previous time Zenmap was run. [isjing]
 1818 o New service probe for CORBA GIOP (General Inter-ORB Protocol) detection
 1819   should elicit a not-found exception from GIOP services that do not respond to
 1820   non-GIOP probes. [Quentin Hardy]
 1822 o [GH#284] Fix retrieval of route netmasks on FreeBSD. IPv6 routes were given
 1823   /32 netmasks regardless of actual netmask configured, resulting in failed
 1824   routing. Reported by Martin Gysi. [Daniel Miller]
 1826 o [GH#272][GH#269] Give option parsing errors after the usage statement, or
 1827   avoid printing the usage statement in some cases. The options summary has
 1828   grown quite large, requiring users to scroll to the top to see the error
 1829   message. [Abhishek Singh]
 1831 o [GH#249][Nsock] Avoid a crash on Windows reported by users using Zenmap's
 1832   Slow Comprehensive Scan profile.  In the case of unknown OpenSSL errors,
 1833   ERR_reason_error_string would return NULL, which could not be printed with
 1834   the "%s" format string. Reported by Dan Baxter. [Gisle Vanem, Daniel Miller]
 1836 o [GH#293][Zenmap] Fix a regression in our build that caused copy-and-paste to
 1837   not work in Zenmap on Windows.
 1839 o Changed Nmap's idea of reserved and private IP addresses to include
 1840   169.254/16 (RFC3927) and remove 6/8, 7/8, and 55/8 networks. This list, in
 1841   libnetutil's isipprivate function, is used to filter -iR randomly generated
 1842   targets. The newly-valid address ranges belong to the U.S. Department of
 1843   Defense, so users wanting to avoid those ranges should use their own
 1844   exclusion lists with --exclude or --exclude-file.  [Bill Parker, Daniel
 1845   Miller]
o Allow the -4 option for Nmap to indicate IPv4 address family. This is the
  default, and using the option doesn't change anything, but does make it more
  explicit which address family you want to scan. Using -4 with -6 is an error.
  [Daniel Miller]

o [GH#265] When provided a verbosity of 0 (-v0), Nmap will not output any text to the
  screen. This happens at the time of argument parsing, so the usual meaning of
  "verbosity 0" is preserved. [isjing]

o [NSE][GH#314] Fix naming of SSL2_RC2_128_CBC_WITH_MD5 and
  SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 ciphers in sslv2 in order to match the
  draft specification from Mozilla. [Bertrand Bonnefoy-Claudet]

o [NSE][GH#320] Add STARTTLS support to sslv2 to enable SSLv2 detection
  against services that are not TLS encrypted by default but that support
  post connection upgrade. This will enable more comprehensive detection
  of SSLv2 and DROWN (CVE-2016-0800) attack oracles. [Tom Sellers]

o [NSE][GH#301] Added default credential checks for RICOH Web Image Monitor and
  BeEF to http-default-accounts. [nnposter]

o Properly display Next-hop MTU value from ICMP Type 3 Code 4 Fragmentation
  Required messages when tracing packets or in Nping output. Improper offset
  meant we were printing the total IP length. [Sławomir Demeszko]
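As an added example (not Nmap's or Nping's own code), this C parser reads a constructed ICMP Type 3 Code 4 message: the Next-hop MTU sits at bytes 6-7 of the ICMP header, while the Total Length of the quoted original IP header begins only four bytes later, so reading from the wrong place reports 1500 instead of the real 1280. The wrong offset shown is chosen to illustrate the symptom in this entry, not the exact defect that was fixed; function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets within an ICMP Destination Unreachable message (RFC 792 / RFC 1191).
 * The 8-byte ICMP header is followed by the original IP header plus 8 bytes. */
#define ICMP_TYPE_OFF        0
#define ICMP_CODE_OFF        1
#define ICMP_NEXTHOP_MTU_OFF 6   /* RFC 1191: Next-Hop MTU in the formerly unused field */
#define ICMP_ORIG_IP_OFF     8   /* start of the quoted original datagram */
#define IP_TOTAL_LEN_OFF     2   /* Total Length inside an IPv4 header */

#define ICMP_DEST_UNREACH    3
#define ICMP_FRAG_NEEDED     4

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Extract the Next-hop MTU from an ICMP message. Returns false unless the
 * message is a well-formed Type 3 Code 4 that carries a non-zero MTU. */
bool icmp_nexthop_mtu(const uint8_t *icmp, size_t len, uint16_t *mtu) {
    if (len < ICMP_ORIG_IP_OFF) return false;            /* too short for the header */
    if (icmp[ICMP_TYPE_OFF] != ICMP_DEST_UNREACH) return false;
    if (icmp[ICMP_CODE_OFF] != ICMP_FRAG_NEEDED) return false;
    *mtu = be16(icmp + ICMP_NEXTHOP_MTU_OFF);
    return *mtu != 0;   /* 0 means the router did not supply a next-hop MTU */
}

/* The symptom from the changelog, reproduced deliberately: reading from the
 * quoted IP header instead of the ICMP header yields the original datagram's
 * Total Length rather than the Next-hop MTU. (Illustrative offset, not the
 * exact one that was wrong in Nmap.) */
uint16_t icmp_nexthop_mtu_wrong(const uint8_t *icmp, size_t len) {
    if (len < ICMP_ORIG_IP_OFF + 4) return 0;
    return be16(icmp + ICMP_ORIG_IP_OFF + IP_TOTAL_LEN_OFF);
}

/* Build a constructed Frag-Needed message for testing: ICMP header carrying
 * next-hop MTU `mtu`, then a minimal IPv4 header whose Total Length is
 * `orig_len`, then 8 bytes of the original payload. Returns bytes written. */
size_t build_frag_needed(uint8_t *buf, size_t cap, uint16_t mtu, uint16_t orig_len) {
    const size_t need = ICMP_ORIG_IP_OFF + 20 + 8;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[ICMP_TYPE_OFF] = ICMP_DEST_UNREACH;
    buf[ICMP_CODE_OFF] = ICMP_FRAG_NEEDED;
    /* checksum (bytes 2-3) left zero: not validated by this parser */
    buf[ICMP_NEXTHOP_MTU_OFF]     = (uint8_t)(mtu >> 8);
    buf[ICMP_NEXTHOP_MTU_OFF + 1] = (uint8_t)(mtu & 0xff);
    uint8_t *ip = buf + ICMP_ORIG_IP_OFF;
    ip[0] = 0x45;                                   /* IPv4, IHL=5 */
    ip[IP_TOTAL_LEN_OFF]     = (uint8_t)(orig_len >> 8);
    ip[IP_TOTAL_LEN_OFF + 1] = (uint8_t)(orig_len & 0xff);
    ip[8] = 64;                                     /* TTL */
    ip[9] = 6;                                      /* protocol: TCP */
    return need;
}

int main(void) {
    uint8_t pkt[64];
    size_t n = build_frag_needed(pkt, sizeof pkt, 1280, 1500);
    uint16_t mtu = 0;
    if (icmp_nexthop_mtu(pkt, n, &mtu))
        printf("correct parse: Next-hop MTU = %u\n", (unsigned)mtu);
    printf("wrong offset:  reports %u (the quoted IP Total Length)\n",
           (unsigned)icmp_nexthop_mtu_wrong(pkt, n));
    return 0;
}
```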
o [NSE] Added support for DHCP options "TFTP server name" and "Bootfile name"
  to dhcp.lua and enabled checking for options with a code above 61 by default.
  [Mike Rykowski]

o [NSE] whois-ip: Don't request a remote IANA assignments data file when the
  local filesystem will not permit the file to be cached in a local file. [jah]

o [NSE] Updated http-php-version hash database to cover all versions from PHP
  4.1.0 to PHP 5.4.45. Based on scans of a few thousand PHP web servers pulled
  from Shodan API (https://www.shodan.io/) [Daniel Miller]

o Use the same ScanProgressMeter for FTP bounce scan (-b) as for the other scan
  types, allowing periodic status updates with --stats-every or keypress
  events.  [Daniel Miller]

o [GH#274] Use a shorter pcap_select timeout on OpenBSD, just as we do for OS
  X, old FreeBSD, and Solaris, which use BPF for packet capture and do not have
  properly select-able fds. Fix by OpenBSD port maintainer [David Carlier]

o Print service info in grepable output for ports which are not listed in
  nmap-services when a service tunnel (SSL) is detected. Previously, the
  service info ("ssl|unknown") was not printed unless the service inside the
  tunnel was positively identified. http://seclists.org/nmap-dev/2015/q4/260
  [Daniel Miller]

o [NSE] [GH#242] Fix multiple false-positive sources in http-backup-agent.
  [Tom Sellers]
Nmap 7.01 [2015-12-09]

o Switch to using gtk-mac-bundler and jhbuild for building the OS X installer.
  This promises to reduce a lot of the problems we've had with local paths and
  dependencies using the py2app and macports build system. [Daniel Miller]

o The Windows installer is now built with NSIS 2.47 which features LoadLibrary
  security hardening to prevent DLL hijacking and other unsafe use of temporary
  directories. Thanks to Stefan Kanthak for reporting the issue to NSIS and to
  us and the many other projects that use it.

o Updated the OpenSSL shipped with our binary builds (Windows, OS X, and RPM)
  to 1.0.2e.

o [Zenmap] [GH#235] Fix several failures to launch Zenmap on OS X. The new
  build process eliminates these errors:
    IOError: [Errno 2] No such file or directory: '/Applications/Zenmap.app/Contents/Resources/etc/pango/pangorc.in'
    LSOpenURLsWithRole() failed for the application /Applications/Zenmap.app with error -10810.

o [NSE] [GH#254] Update the TLSSessionRequest probe in ssl-enum-ciphers to
  match the one in nmap-service-probes, which was fixed previously to correct a
  length calculation error. [Daniel Miller]

o [NSE] [GH#251] Correct false positives and unexpected behavior in http-*
  scripts which used http.identify_404 to determine when a file was not found
  on the target. The function was following redirects, which could be an
  indication of a soft-404 response. [Tom Sellers]

o [NSE] [GH#241] Fix a false-positive in hnap-info when the target responds
  with 200 OK to any request. [Tom Sellers]

o [NSE] [GH#244] Fix an error response in xmlrpc-methods when run against a
  non-HTTP service. The expected behavior is no output. [Niklaus Schiess]

o [NSE] Fix SSN validation function in http-grep, reported by Bruce Barnett.

Nmap 7.00 [2015-11-19]

o This is the most important release since Nmap 6.00 back in May 2012!
  For a list of the most significant improvements and new features,
  see the announcement at: https://nmap.org/7/

o [NSE] Added 6 NSE scripts from 6 authors, bringing the total up to 515!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are below
  (authors are listed in brackets):

  + targets-xml extracts target addresses from previous Nmap XML results files.
    [Daniel Miller]

  + [GH#232] ssl-dh-params checks for problems with weak, non-safe, and
    export-grade Diffie-Hellman parameters in TLS handshakes. This includes the
    LOGJAM vulnerability (CVE-2015-4000). [Jacob Gajek]

  + nje-node-brute does brute-forcing of z/OS JES Network Job Entry node names.
    [Soldier of Fortran]

  + ip-https-discover detects support for Microsoft's IP over HTTPS
    tunneling protocol. [Niklaus Schiess]

  + [GH#165] broadcast-sonicwall-discover detects and extracts information from
    SonicWall firewalls. [Raphael Hoegger]

  + [GH#38] http-vuln-cve2014-8877 checks for and optionally exploits a
    vulnerability in CM Download Manager plugin for Wordpress. [Mariusz Ziulek]

o [Ncat] [GH#151] [GH#142] New option --no-shutdown prevents Ncat from shutting
  down when it reads EOF on stdin. This is the same as traditional netcat's
  "-d" option. [Adam Saponara]

o [NSE] [GH#229] Improve parsing in http.lua for multiple Set-Cookie headers in
  a single response.  [nnposter]
Nmap 6.49BETA6 [2015-11-03]

o Integrated all of your IPv6 OS fingerprint submissions from April to October
  (only 9 of them!). We are steadily improving the IPv6 database, but we need
  your submissions. The classifier added 3 new groups, bringing the new total
  to 93. Highlights: http://seclists.org/nmap-dev/2015/q4/61 [Daniel Miller]

o Integrated all of your IPv4 OS fingerprint submissions from February to
  October (1065 of them). Added 219 fingerprints, bringing the new total to
  4985. Additions include Linux 4.1, Windows 10, OS X 10.11, iOS 9, FreeBSD
  11.0, Android 5.1, and more. Highlights:
  http://seclists.org/nmap-dev/2015/q4/60 [Daniel Miller]

o Integrated all of your service/version detection fingerprints submitted from
  February to October (800+ of them). The signature count went up 2.5% to
  10293. We now detect 1089 protocols, from afp, bitcoin, and caldav to
  xml-rpc, yiff, and zebra. Highlights: http://seclists.org/nmap-dev/2015/q4/62
  [Daniel Miller]

o [NSE] Added 10 NSE scripts from 5 authors, bringing the total up to 509!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are below
  (authors are listed in brackets):

  + knx-gateway-discover and knx-gateway-info scripts gather information from
    multicast and unicast KNX gateways, which connect home automation systems
    to IP networks. [Niklaus Schiess, Dominik Schneider]

  + http-ls parses web server directory index pages with optional recursion.
    [Pierre Lalet]

  + xmlrpc-methods performs introspection of xmlrpc services and lists methods
    and their descriptions. [Gyanendra Mishra]

  + http-fetch can be used like wget or curl to fetch all files, specific
    filenames, or files that match a given pattern. [Gyanendra Mishra]

  + http-svn-enum enumerates users of a Subversion repository by examining
    commit logs. [Gyanendra Mishra]

  + http-svn-info requests information from a Subversion repository, similar to
    the "svn info" command. [Gyanendra Mishra]

  + hnap-info detects and outputs info for Home Network Administration Protocol
    devices. [Gyanendra Mishra]

  + http-webdav-scan detects WebDAV servers and reports allowed methods and
    directory listing. [Gyanendra Mishra]

  + tor-consensus-checker checks the target's address with the Tor directory
    authorities to determine if a target is a known Tor node. [Jiayi Ye]

o [NSE] Several scripts have been split, combined, or renamed:

  + [GH#171] smb-check-vulns has been split into:
    * smb-vuln-conficker
    * smb-vuln-cve2009-3103
    * smb-vuln-ms06-025
    * smb-vuln-ms07-029
    * smb-vuln-regsvc-dos
    * smb-vuln-ms08-067
    The scripts now use the vulns library, and the "unsafe" script-arg has been
    replaced by putting the scripts into the "dos" category. [Paulino Calderon]

  + http-email-harvest was removed, as the new http-grep does email address
    scraping by default. [Gyanendra Mishra]

  + http-drupal-modules was renamed to http-drupal-enum. Extended to enumerate
    both themes and modules of Drupal installations. [Gyanendra Mishra]

o [Ncat] [GH#193] Fix Ncat listen mode over Unix sockets (named pipes) on OS X.
  This was crashing with the error:
    Ncat: getnameinfo failed: Undefined error: 0 QUITTING.
  Fixed by forcing the name to "localhost" [Michael Wallner]

o [Zenmap] Fix a crash in Zenmap when using Compare Results:
    AttributeError: 'NoneType' object has no attribute 'get_nmap_output'
  [Daniel Miller]
o [NSE] [GH#194] Add support for reading fragmented TLS messages to
  ssl-enum-ciphers. [Jacob Gajek]

o [GH#51] Added IPv6 support to nmap_mass_rdns, improved reverse DNS cache,
  and refactored DNS code to improve readability and extensibility. All in
  all, this makes the rDNS portion of IPv6 scans much faster. [Gioacchino
  Mazzurco]

o [NSE] Added NTLM brute support to http-brute. [Gyanendra Mishra]

o [NSE] Added NTLM authentication support to http.lua and a related function to create
  an ntlm v2 session response in smbauth.lua. [Gyanendra Mishra]

o [NSE] [GH#106] Added a new NSE module, ls.lua, for accumulating and
  outputting file and directory listings. The afp-ls, nfs-ls, and smb-ls
  scripts have been converted to use this module. [Pierre Lalet]

o [NSE] bacnet-info.nse and s7-info.nse were added to the version category.
  [Paulino Calderon]

o [NSE] Added 124 new identifiers to bacnet-info.nse vendor database.
  [Paulino Calderon]

o [NSE] Fixed bacnet-info.nse to bind to the service port detected
  during scan instead of fixed port. [Paulino Calderon]

o [NSE] Enhanced reporting of elliptic curve names and strengths in
  ssl-enum-ciphers. The name of the curve is now reported instead of just "ec"
  [Brandon Paulsen]

o [GH#75] Normalize Makefile targets to use the same verb-project format, e.g.
  build-ncat, check-zenmap, install-nping, clean-nsock [Gioacchino Mazzurco]

o [NSE] Added builtin pattern and multiple pattern search to http-grep. [Gyanendra Mishra]

o [NSE] http-crossdomainxml is now http-cross-domain-policy and supports client
  access policies and uses the new SLAXML parser. [Gyanendra Mishra]

o [NSE] Added a patch for vulns lib that allows list of tables to be submitted
  to fields in the vulns report. [Jacob Gajek]

o [NSE] Added additional checks for successful PUT request in http-put.
  [Oleg Mitrofanov]

o [NSE] Added an update for http-methods that checks all possible methods not in
  Allow or Public header of OPTIONS response. [Gyanendra Mishra]

o [NSE] Added SLAXML, an XML parser in Lua originally written by Gavin Kistner
  (a.k.a. Phrogz). [Gyanendra Mishra]

o [NSE] [GH#122] Update the snmp-brute and other snmp-* scripts to use the
  creds library to store brute-forced snmp community strings. This allows Nmap
  to use the correct brute-forced string for each host. [Gioacchino Mazzurco]

o Several improvements to TLS/SSL detection in nmap-service-probes. A new
  probe, TLSSessionReq, and improvements to default SSL ports should help speed
  up -sV scans. http://seclists.org/nmap-dev/2015/q2/17 [Daniel Miller]

o [Nsock] Clean up the API so that nsp_* calls are now nsock_pool_* and nsi_*
  are nsock_iod_*. Simplify Nsock SSL init API, and make logging global to the
  library instead of associated with a nspool. [Henri Doreau]

o [GH#181] The configure script now prints a summary of configured options.
  Most importantly, it warns if OpenSSL was not found, since most users will
  want this library compiled in. [Gioacchino Mazzurco]

o Define TCP Options for SYN scan in nmap.h instead of literally throughout.
  This string is used by p0f and other IDS to detect Nmap scans, so having it a
  compile-time option is a step towards better evasion. [Daniel Miller]

o [GH#51] Nmap's parallel reverse-DNS resolver now handles IPv6 addresses. This
  should result in faster -6 scans. The old behavior is available with
  --system-dns. [Gioacchino Mazzurco]

o [NSE] Fix a couple of odd bugs in NSE command-line parsing. Most notably,
  --script broadcast-* will now work (generally, wildcards with scripts whose
  name begins with a category name were not working properly). [Daniel Miller]

o [NSE] [GH#113] http-form-fuzzer will now stop increasing the size of a
  request when an HTTP 413 or 414 error indicates the web server will not
  accept a larger request. [Gioacchino Mazzurco]

o [NSE] [GH#159] Add the ability to tag credentials in the creds library with
  freeform text for easy retrieval. This gives necessary granularity to track
  credentials to multiple web apps on a single host+port. [Gioacchino Mazzurco]
Nmap 6.49BETA5 [2015-09-25]

o Work around a bug which could cause Nmap to hang when running
  multiple instances at once on Windows. The actual bug appears to be
  in the WinPCAP driver in that it hangs when accessed via
  OpenServiceA by multiple processes at once. So for now we have added
  a mutex to prevent even multiple Nmap processes from making
  concurrent calls to this part of WinPcap. We've received the reports
  from multiple users on Windows 8.1 and Windows Server 2012 R2 and
  this fix seems to resolve the hang for them. [Daniel Miller]

o [GH#212][NSE] Fix http.get_url function which was wrongly attempting
  non-SSL HTTP requests first when passed https URLs. [jah]

o [GH#201] Fix Ndiff interpreter path problems in the OS X .dmg
  installer which could prevent Ndiff (and the related Zenmap "compare
  results" window) from working on OS X in some cases. [Daniel Miller]

o Fix Nmap's DTD, which did not recognize that the script element
  could contain character data when a script returns a number or a
  boolean.  [Jonathan Daugherty]

o [GH#172][NSE] Fix reporting of DH parameter sizes by
  ssl-enum-ciphers. The number shown was the length in bytes, not bits
  as it should have been.  Reported by Michael Staruch. [Brandon
  Paulsen]

o Our Windows Nmap packages are now compiled with the older platform
  toolset (v120_xp rather than v120) and so they may work with Windows
  XP again for the dwindling number of users still on that operating
  system.

o [GH#34] Disable TPACKET_V3 in our included libpcap. This version of
  the Linux kernel packet ring API has problems that result in lots of
  lost packets. This patch falls back to TPACKET_V2 or earlier
  versions if available. [nnposter]

o [NSE] Check for socket errors in iscsi.lua. This was causing the
  iscsi-info script to crash against some services. [Daniel Miller]

o [NSE] Fix http-useragent-tester, which was using cached HTTP
  responses instead of testing new User-Agent strings. [Daniel Miller]

o Output a warning when deprecated options are used, and suggest the
  preferred option. Currently deprecated: -i -o -m -sP -P0 -PN -oM
  -sR. The warning is only visible with -v. [Daniel Miller]

o Add a fatal error for options like -oG- which is interpreted as the
  deprecated -o option, outputting to a file named "G-", instead of
  the expected behavior of -oG - (Grepable output to stdout). [Daniel
  Miller]

o [GH#196] Fix raw packet sending on FreeBSD 10.0 and later. FreeBSD
  changed byte order of the IPv4 stack, so SYN scan and other raw
  packet functions were broken. [Edward Napierała] Also reported in
  [GH#50] by Olli Hauer.

o [GH#183] Fix compilation on Visual Studio 2010, which failed with
  error: "service_scan.cc(2559): error C2065: 'EOPNOTSUPP' :
  undeclared identifier" [Daniel Miller]

o [GH#115][NSE] ssl-enum-ciphers will still produce output if OpenSSL
  (required for certificate parsing) is not available. In cases where
  handshake strength depends on the certificate, it will be reported
  as "unknown". [jrchamp]
Nmap 6.49BETA4 [2015-07-06]

o Fix a hang on OS X in Zenmap's Topology page with error
  "zenmap_wrapper.py[857]: GError: Couldn't recognize the image file format for
  file '/Applications/Zenmap.app/Contents/MacOS/../Resources/share/zenmap/pixmaps/radialnet/padlock.png'
  http://seclists.org/nmap-dev/2015/q3/8 [Daniel Miller]

o Fix a small memory leak for each target specified as a hostname which fails
  to resolve. [Daniel Miller]

o Allow 'make check' to succeed when Nmap is configured without OpenSSL
  support. This was broken due to our NSE unittest library expecting to be able
  to load every library without error. [Daniel Miller]

o [NSE] Enable ssl-enum-ciphers to safely scan servers with a long handshake
  intolerance issue which resulted in incomplete results when the handshake was
  greater than 255 bytes. [Jacob Gajek, Daniel Miller]

o [Ncat] Fix a write overrun in Ncat that could cause a segfault if the -g
  (source route) option was given too many times. [Daniel Miller]

o [NSE] [GH#168] Allow ssl-enum-ciphers to run on non-typical ports when it is
  selected by name. It will now send a service detection probe if the port is
  not a typical SSL port and version scan (-sV) was not used. [Daniel Miller]

Nmap 6.49BETA3 [2015-06-25]

o [GH#166] Fix Ncat listen mode on Solaris and other platforms where struct sockaddr
  does not have a sa_len member. This also affected use of the -p and -s
  options. Brandon Haberfeld reported the crash. [Daniel Miller]

o [GH#164] Fix a Zenmap failure to open on OS X with the error:
  "dyld: Symbol not found: _iconv Referenced from: /usr/lib/libcups.2.dylib"
  We had to remove the DYLD_LIBRARY_PATH environment variable from
  zenmap_wrapper.py. Reported by Robert Strom. [Daniel Miller]

o Report our https URL (https://nmap.org) in more places rather than
  our non-SSL one. [David Fifield]

o [NSE] Fix Diffie-Hellman parameter extraction in tls.lua. [Jacob Gajek]

Nmap 6.49BETA2 [2015-06-16]

o [GH#154] Fix a crash (assertion error) when Nmap receives an ICMP Host
  Unreachable message.

o [GH#158] Fix a configure failure when Python is not present, but no Python
  projects were requested. [Gioacchino Mazzurco]

o [GH#161] [Zenmap] Fix Zenmap on OS X which was failing with
  zipimport.ZipImportError due to architecture mismatch.

o [NSE] Remove ahbl.org checks from dnsbl.lua, since the service was shut down.
  [Forrest B.]
Nmap 6.49BETA1 [2015-06-03]

o Integrated all of your IPv4 OS fingerprint submissions from May 2014 to
  February 2015 (1900+ of them). Added 281 fingerprints, bringing the new total
  to 4766. Additions include Linux 3.18, Windows 8.1, OS X 10.10, Android 5.0,
  FreeBSD 10.1, OpenBSD 5.6, and more. Highlights:
  http://seclists.org/nmap-dev/2015/q2/169 [Daniel Miller]

o Integrated all of your service/version detection fingerprints submitted from
  June 2013 to February 2015 (2500+ of them). The signature count soared over
  the 10000 mark, a 12% increase. We now detect 1062 protocols, from http,
  telnet, and ftp to jute, bgp, and slurm. Highlights:
  http://seclists.org/nmap-dev/2015/q2/171 [Daniel Miller]

o Integrated all of your IPv6 OS fingerprint submissions from June 2013 to
  April 2015 (only 97 of them!). We are steadily improving the IPv6 database,
  but we need your submissions. The classifier added 9 new groups, bringing the
  new total to 90. Highlights: http://seclists.org/nmap-dev/2015/q2/170 [Daniel
  Miller]

o Nmap now has an official bug tracker! We are using Github Issues, which you
  can reach from http://issues.nmap.org/. We welcome your bug reports,
  enhancement requests, and code submissions via the Issues and Pull Request
  features of Github (https://github.com/nmap/nmap), though the repository
  itself is just a mirror of our authoritative Subversion repository.

o [Zenmap] New Chinese-language (zh) translation from Jie Jiang, new Hindi (hi)
  translation by Gyanendra Mishra, and updated translations for German (de,
  Chris Leick), Italian (it, Jan Reister), Polish (pl, Jacek Wielemborek), and
  French (fr, MaZ)

o Added options --data <hex string> and --data-string <string> to send custom
  payloads in scan packet data. [Jay Bosamiya]

o --reason is enabled for verbosity > 2, and now includes the TTL of received
  packets in Normal output (this was already present in XML) [Jay Bosamiya]

o Fix ICMP Echo (-PE) host discovery for IPv6, broken since 6.45, caused by
  failing to set the ICMP ID for outgoing packets which is used to match
  incoming responses. [Andrew Waters]

o Solve a crash on Windows (reported on Windows 8.1 on Surface Pro 3) caused by
  passing a NULL pointer to a WinPcap function that then tries to write an
  error message to it. [Peter Malecka]

o Enhance Nmap's tcpwrapped service detection by using a shorter timeout for
  the tcpwrapped designation. This prevents falsely labeling services as
  tcpwrapped which merely have a read timeout shorter than 6 seconds. Full
  discussion: http://issues.nmap.org/39 [nnposter, Daniel Miller]

o All nmap.org pages are now available SSL-secured to improve privacy
  and ensure your binaries can't be tampered with in transit. So be
  sure to download from https://nmap.org/download.html . We will soon
  remove the non-SSL version of the site. We still offer GPG-signed
  binaries as well: https://nmap.org/book/install.html#inst-integrity

o [NSE] Added 25 NSE scripts from 17 authors, bringing the total up to 494!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are below
  (authors are listed in brackets):

  + bacnet-info gets device information from SCADA/ICS devices via BACnet
    (Building Automation and Control Networks) [Stephen Hilt, Michael Toecker]

  + docker-version detects and fingerprints Docker [Claudio Criscione]

  + enip-info gets device information from SCADA/ICS devices via EtherNet/IP
    [Stephen Hilt]

  + fcrdns performs a Forward-confirmed Reverse DNS lookup and reports
    anomalous results. [Daniel Miller]

  + http-avaya-ipoffice-users enumerates users in Avaya IP Office 7.x systems.
    [Paulino Calderon]

  + http-cisco-anyconnect gets version and tunnel information from Cisco SSL
    VPNs. [Patrik Karlsson]

  + http-crossdomainxml detects overly permissive crossdomain policies and
    finds trusted domain names available for purchase. [Paulino Calderon]

  + http-shellshock detects web applications vulnerable to Shellshock
    (CVE-2014-6271). [Paulino Calderon]

  + http-vuln-cve2006-3392 exploits a file disclosure vulnerability in Webmin.
    [Paul AMAR]

  + http-vuln-cve2014-2126, http-vuln-cve2014-2127, http-vuln-cve2014-2128 and
    http-vuln-cve2014-2129 detect specific vulnerabilities in Cisco AnyConnect
    SSL VPNs. [Patrik Karlsson]

  + http-vuln-cve2015-1427 detects Elasticsearch servers vulnerable to remote
    code execution. [Gyanendra Mishra]

  + http-vuln-cve2015-1635 detects Microsoft Windows systems vulnerable to
    MS15-034. [Paulino Calderon]

  + http-vuln-misfortune-cookie detects the "Misfortune Cookie" vulnerability
    in Allegro RomPager 4.07, commonly used in SOHO routers for TR-069 access.
    [Andrew Orr]

  + http-wordpress-plugins was renamed http-wordpress-enum and extended to
    enumerate both plugins and themes of Wordpress installations and their
    versions. http-wordpress-enum is now http-wordpress-users. [Paulino Calderon]

  + mikrotik-routeros-brute performs password auditing attacks against
    Mikrotik's RouterOS API. [Paulino Calderon]

  + omron-info gets device information from Omron PLCs via the FINS service.
    [Stephen Hilt]

  + s7-info gets device information from Siemens PLCs via the S7 service,
    tunneled over ISO-TSAP on TCP port 102. [Stephen Hilt]

  + snmp-info gets the enterprise number and other information from the
    snmpEngineID in an SNMPv3 response packet. [Daniel Miller]

  + ssl-ccs-injection detects whether a server is vulnerable to the SSL/TLS
    CCS Injection vulnerability (CVE-2014-0224) [Claudiu Perta]

  + ssl-poodle detects the POODLE bug in SSLv3 (CVE-2014-3566) [Daniel Miller]

  + supermicro-ipmi-conf exploits Supermicro IPMI/BMC controllers. [Paulino
    Calderon]

  + targets-ipv6-map4to6 generates target IPv6 addresses which correspond to
    IPv4 addresses mapped within a particular IPv6 subnet. [Raúl Fuentes]

  + targets-ipv6-wordlist generates target IPv6 addresses from a wordlist made
    of hexadecimal characters. [Raúl Fuentes]
o Update our Windows build system to VS 2013 on Windows 8.1. Also, we now build
  our included OpenSSL with DEP, ASLR, and SafeSEH enabled. [Daniel Miller]

o Our OS X installer is now built for a minimum supported version of 10.8
  (Mountain Lion), a much-needed update from 10.5 (Leopard). Additionally,
  OpenSSL is now statically linked, allowing us to distribute the latest from
  Macports instead of being subjected to the 0.9.8 branch still in use as of
  10.9. [Daniel Miller]

o Add 2 more ASCII-art configure splash images to be rotated randomly with the
  traditional dragon image. New ideas for other images to use here may be sent
  to dev@nmap.org. [Jay Bosamiya, Daniel Miller]

o Fix compilation and several bugs on AIX. [Daniel Miller]

o Fix a bug in libdnet-stripped on Solaris that resulted in the wrong MAC
  address being detected for all interfaces.
  http://seclists.org/nmap-dev/2015/q2/1 [Daniel Miller]

o New features for the IPv6 OS detection engine allow for better classification
  of systems: IPv6 guessed initial hop limit (TTL) and ratio of TCP initial
  window size to maximum segment size. [Alexandru Geana]

o [NSE] Rework ssl-enum-ciphers to actually score the strength of the SSL/TLS
  handshake, including certificate key size and DH parameters if applicable.
  This is similar to Qualys's SSL Labs scanner, and means that we no longer
  maintain a list of scores per ciphersuite. [Daniel Miller]

o [NSE] Improved http-form-brute autodetection and behavior to handle more
  unusual-but-valid HTML syntax, non-POST forms, success/failure testing on
  HTTP headers, and more. [nnposter]

o [NSE] Reduce many NSE default timeouts and base them on Nmap's detected
  timeouts for those hosts from the port scan phase. Scripts which take timeout
  script-args can now handle 's' and 'ms' suffixes, just like Nmap's own
  options. [Daniel Miller]

o [NSE] Remove db2-discover, as its functionality was performed by service
  version detection since the broadcast portion was separated into
  broadcast-db2-discover. http://seclists.org/nmap-dev/2014/q3/415 [Daniel
  Miller]

o Cache dnet names not found on Windows when enumerating interfaces in the
  Windows Registry. Reduces startup times. [Elon Natovich]

o [NSE] Make smb-ls able to leverage results from smb-enum-shares or list of
  shares specified on command line. [Pierre Lalet]

o [NSE] Fix X509 cert date parsing for dates after 2049. Reported by Teppo
  Turtiainen. [Daniel Miller]

o Handle a bunch of socket errors that can result from odd ICMP Type 3
  Destination Unreachable messages received during service scanning. The crash
  reported was "Unexpected error in NSE_TYPE_READ callback.  Error code: 92
  (Protocol not available)" [Daniel Miller]

o Fixed a crash (NULL pointer dereference) in PortList::isTCPwrapped when using
  -sV and -O on an unknown service not listed in nmap-services. [Pierre Lalet]

o Fixed a benign TOCTOU race between stat() and open() in mmapfile().
  Reported by Camille Mougey. [Henri Doreau]
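An added example, not Nmap's mmapfile() implementation: the racy pattern this entry refers to, stat() on a path followed by a separate open() of the same path, is shown beside the fixed ordering that opens first and then fstat()s the descriptor it is about to map, so the size handed to mmap() always describes the file that was actually opened. The helper names and the temporary-file demo are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy version: stat() and open() each resolve the path independently, so the
 * path may be replaced between the two calls (time-of-check / time-of-use).
 * The size passed to mmap() may then describe a different file. */
char *mmapfile_racy(const char *path, size_t *len) {
    struct stat st;
    if (stat(path, &st) != 0) return NULL;           /* time of check */
    int fd = open(path, O_RDONLY);                   /* time of use */
    if (fd < 0) return NULL;
    void *p = mmap(NULL, (size_t)st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (p == MAP_FAILED) return NULL;
    *len = (size_t)st.st_size;
    return p;
}

/* Fixed version: open first, then fstat() the descriptor. Whatever the path
 * resolves to later, the size and the mapping refer to the same open file. */
char *mmapfile_fixed(const char *path, size_t *len) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return NULL;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return NULL; }
    if (st.st_size == 0) { close(fd); *len = 0; return NULL; } /* nothing to map */
    void *p = mmap(NULL, (size_t)st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);                                   /* the mapping survives close() */
    if (p == MAP_FAILED) return NULL;
    *len = (size_t)st.st_size;
    return p;
}

/* Demo helper: write constructed content to a temp file and return its path
 * (caller frees the string and unlinks the file). */
char *write_temp(const char *content) {
    char tmpl[] = "/tmp/mmapfile-demo-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return NULL;
    size_t n = strlen(content);
    if (write(fd, content, n) != (ssize_t)n) { close(fd); unlink(tmpl); return NULL; }
    close(fd);
    return strdup(tmpl);
}

/* Map a file with the fixed routine and compare it to the expected bytes.
 * Returns 1 on match, 0 otherwise (including when the file cannot be mapped). */
int mapped_matches(const char *path, const char *expected) {
    size_t len = 0;
    char *p = mmapfile_fixed(path, &len);
    if (!p) return 0;
    int ok = len == strlen(expected) && memcmp(p, expected, len) == 0;
    munmap(p, len);
    return ok;
}

int main(void) {
    const char *sample = "# constructed sample file\nline one\nline two\n";
    char *path = write_temp(sample);
    if (!path) return 1;
    printf("fixed mmap matches file contents: %s\n",
           mapped_matches(path, sample) ? "yes" : "no");
    unlink(path);
    free(path);
    return 0;
}
```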
o Reduce CPU consumption when using nsock poll engine with no registered FD,
  by actually calling Poll() for the time until timeout, instead of directly
  returning zero and entering the loop again. [Henri Doreau]

o Change the URI for the fingerprint submitter to its new location at
  https://nmap.org/cgi-bin/submit.cgi

o [NSE] Added a check for Cisco ASA version disclosure, CVE-2014-3398, to
  http-enum in the 'security' category [Daniel Miller]

o Fixed a bug that caused Nmap to fail to find any network interface when a
  Prism interface is in monitor mode. The fix was to define the
  ARP_HRD_IEEE80211_PRISM header identifier in the libdnet-stripped code.
  [Brad Johnson]

o Added a version probe for Tor. [David Fifield]

o [NSE] Add support to citrix-enum-apps-xml for reporting if Citrix
  published applications in the list are enforcing/requiring the level
  of ICA/session data encryption shown in the script result.
  [Tom Sellers]

o [NSE] Updated our Wordpress plugin list to improve the
  http-wordpress-enum NSE script. We can now detect 34,077 plugins,
  up from 18,570. [Danila Poyarkov]

o [NSE] Add the signature algorithm that was used to sign the target port's
  x509 certificate to the output of ssl-cert.nse [Tom Sellers]

o [NSE] Fixed a bug in the sslcert.lua library that was triggered against
  certain services when version detection was used. [Tom Sellers]

o [NSE] vulns.Report:make_output() now generates XML structured output
  reports automatically. [Paulino Calderon]

o [NSE] Add port.reason_ttl, host.reason, host.reason_ttl for use in scripts
  [Jay Bosamiya]

o [NSE] If a version script is run by name, nmap.version_intensity() returns
  the maximum value (9) for it [Jay Bosamiya]

o [NSE] shortport.version_port_or_service() takes an optional rarity parameter
  now to run only when version intensity > rarity [Jay Bosamiya]

o [NSE] Added nmap.version_intensity() function so that NSE version scripts
  can use the argument to --version-intensity (which can be overridden by the
  script arg 'script-intensity') in order to decide whether to run or not
  [Jay Bosamiya]

o Improve OS detection: if a port is detected to be 'tcpwrapped', then it will
  not be used for OS detection. This helps in cases where a firewall causes
  the port to appear 'tcpwrapped'. [Jay Bosamiya]

o [Zenmap] Reduce noise generated in Topology View due to anonymous
  hops [Jay Bosamiya]

o Added option --exclude-ports to Nmap so that some ports can be excluded from
  scanning (for example, due to policy) [Jay Bosamiya]

o [Zenmap] Catch the MemoryError caused in Zenmap due to large Nmap Output,
  and display a more helpful error message [Jay Bosamiya]

o Catch badly named output files (such as those unintentionally caused by
  "-oX -sV logfile.xml") [Jay Bosamiya]

o [Zenmap] Improved NmapParser to increase speed in opening scans. Large scans
  now open in seconds instead of hours. [Jay Bosamiya]

o Modify the included libpcap configure script to disable certain unused
  features: bluetooth, usb, usb-can, and dbus sniffing. Dbus support caused a
  build problem on CentOS 6.5. [Daniel Miller]

o Updated the bundled libpcap from 1.2.1 to 1.5.3 [Jay Bosamiya]

o Correct the Target MAC Address in Nmap's ARP discovery to conform to what IP
  stacks in currently popular operating systems use. [Jay Bosamiya]

o Fixed a bug which caused Nmap to be unable to have any runtime interaction
  when called from sudo or from a shell script. [Jay Bosamiya]

o Improvements to whois-ip.nse: fix an unhandled error when a referred-to
  response could not be understood; add a new pattern to recognise a
  LACNIC "record not found" type of response and update the way ARIN is
  queried. [jah]
 2538 Nmap 6.47 [2014-08-23]
 2540 o Integrated all of your IPv4 OS fingerprint submissions since June 2013
 2541   (2700+ of them). Added 366 fingerprints, bringing the new total to 4485.
 2542   Additions include Linux 3.10 - 3.14, iOS 7, OpenBSD 5.4 - 5.5, FreeBSD 9.2,
 2543   OS X 10.9, Android 4.3, and more. Many existing fingerprints were improved.
 2544   Highlights: http://seclists.org/nmap-dev/2014/q3/325 [Daniel Miller]
 2546 o (Windows, RPMs) Upgraded the included OpenSSL to version 1.0.1i. [Daniel Miller]
 2548 o (Windows) Upgraded the included Python to version 2.7.8. [Daniel Miller]
 2550 o Removed the External Entity Declaration from the DOCTYPE in Nmap's XML. This
 2551   was added in 6.45, and resulted in trouble for Nmap XML parsers without
 2552   network access, as well as increased traffic to Nmap's servers. The doctype
 2553   is now:
 2554   <!DOCTYPE nmaprun>
 2556 o [Ndiff] Fixed the installation process on Windows, which was missing the
 2557   actual Ndiff Python module since we separated it from the driver script.
 2558   [Daniel Miller]
 2560 o [Ndiff] Fixed the ndiff.bat wrapper in the zipfile Windows distribution,
 2561   which was giving the error, "\Microsoft was unexpected at this time." See
 2562   https://support.microsoft.com/kb/2524009 [Daniel Miller]
 2564 o [Zenmap] Fixed the Zenmap .dmg installer for OS X. Zenmap failed to launch,
 2565   producing this error:
 2566     Could not import the zenmapGUI.App module:
 2567     'dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.6/lib-dynload/glib/_glib.so, 2):
 2568     Library not loaded: /Users/david/macports-10.5/lib/libffi.5.dylib\n
 2569     Referenced from:
 2570     /Applications/Zenmap.app/Contents/Resources/lib/python2.6/lib-dynload/glib/_glib.so\n
 2571     Reason: image not found'.
 2573 o [Ncat] Fixed SOCKS5 username/password authentication. The password length was
 2574   being written in the wrong place, so authentication could not succeed.
 2575   Reported with patch by Pierluigi Vittori.
 2577 o Avoid formatting NULL as "%s" when running nmap --iflist. GNU libc converts
 2578   this to the string "(null)", but it caused segfault on Solaris. [Daniel Miller]
 2580 o [Zenmap][Ndiff] Avoid crashing when users have the antiquated PyXML package
 2581   installed. Python tries to be nice and loads it when we import xml, but it
 2582   isn't compatible. Instead, we force Python to use the standard library xml
 2583   module. [Daniel Miller]
 2585 o Handle ICMP admin-prohibited messages when doing service version detection.
 2586   Crash reported by Nathan Stocks was: Unexpected error in NSE_TYPE_READ
 2587   callback.  Error code: 101 (Network is unreachable) [David Fifield]
 2589 o [NSE] Fix a bug causing http.head to not honor redirects. [Patrik Karlsson]
 2591 o [Zenmap] Fix a bug in DiffViewer causing this crash:
 2592      TypeError: GtkTextBuffer.set_text() argument 1 must be string or read-only
 2593      buffer, not NmapParserSAX
 2594   Crash happened when trying to compare two scans within Zenmap. [Daniel Miller]
 2596 Nmap 6.46 [2014-04-18]
 2598 o [NSE] Made numerous improvements to ssl-heartbleed to provide
 2599   more reliable detection of the vulnerability.
 2601 o [Zenmap] Fixed a bug which caused this crash message:
 2602      IOError: [Errno socket error] [Errno 10060] A connection attempt failed
 2603      because the connected party did not properly respond after a period of
 2604      time, or established connection failed because connected host has
 2605      failed to
 2606      respond
 2607   The bug was caused by us adding a DOCTYPE definition to Nmap's XML
 2608   output which caused Python's XML parser to try and fetch the DTD
 2609   every time it parses an XML file.  We now override that DTD-fetching
 2610   behavior. [Daniel Miller]
 2612 o [NSE] Fix some bugs which could cause snmp-ios-config and
 2613   snmp-sysdescr scripts to crash
 2614   (http://seclists.org/nmap-dev/2014/q2/120) [Patrik Karlsson]
 2616 o [NSE] Improved performance of citrix.lua library when handling large XML
 2617   responses containing application lists. [Tom Sellers]
 2619 Nmap 6.45 [2014-04-11]
 2621 o Idle scan now supports IPv6. IPv6 packets don't usually come with
 2622   fragments identifiers like IPv4 packets do, so new techniques had to
 2623   be developed to make idle scan possible. The implementation is by
 2624   Mathias Morbitzer, who made it the subject of his master's thesis.
 2626 o When doing a ping scan (-sn), the --open option will prevent down hosts from
 2627   being shown when -v is specified. This aligns with similar output for other
 2628   scan types. [Daniel Miller]
 2630 o Fixed some syntax problems in nmap-os-db that were caused by some automated
 2631   merging of fingerprints (http://seclists.org/nmap-dev/2013/q4/68) [Daniel
 2632   Miller]
 2634 o New service probes and fingerprints for Quake1, TeamSpeak3, xmlsysd,
 2635   Freelancer game server, All-Seeing Eye, AndroMouse, and AirHD.
 2637 o Update included WinPcap to version 4.1.3 [Rob Nicholls]
 2639 o [NSE] Convert many more scripts to emit structured XML output
 2640   (https://nmap.org/book/nse-api.html#nse-structured-output) [Daniel Miller]
 2642 o [NSE] Added 24 NSE scripts from 12 authors, bringing the total up to 470.
 2643   They are all listed at https://nmap.org/nsedoc/, and the summaries are
 2644   below (authors are listed in brackets):
 2646   + allseeingeye-info gathers information from games using this query protocol.
 2647     A version detection probe was also added. [Marin Maržić]
 2649   + freelancer-info gathers information about the Freelancer game server. Also
 2650     added a related version detection probe and UDP protocol payload for
 2651     detecting the service. [Marin Maržić]
 2653   + http-csrf detects Cross Site Request Forgeries (CSRF) vulnerabilities by
 2654     searching for CSRF tokens in HTML forms. [George Chatzisofroniou]
 2656   + http-devframework finds out the technology behind the target website based
 2657     on HTTP headers, static URLs, and other content and resources. [George
 2658     Chatzisofroniou]
 2660   + http-dlink-backdoor detects DLink routers with firmware backdoor allowing
 2661     admin access over HTTP interface. [Patrik Karlsson]
 2663   + http-dombased-xss finds potential DOM-based Cross-site Scripting (XSS)
 2664     vulnerabilities by searching for specific patterns in JavaScript resources.
 2665     [George Chatzisofroniou]
 2667   + http-errors crawls for URIs that return error status codes (HTTP 400 and
 2668     above). [George Chatzisofroniou]
 2670   + http-feed crawls a web site for Atom and RSS feeds. [George Chatzisofroniou]
 2672   + http-iis-short-name-brute detects Microsoft IIS servers vulnerable to a
 2673     file/folder name disclosure and a denial of service vulnerability. The
 2674     script obtains the "shortnames" of the files and folders in the webroot
 2675     folder. [Paulino Calderon]
 2677   + http-mobileversion-checker checks for mobile versions of web pages by
 2678     setting an Android User-Agent header and checking for HTTP redirects.
 2679     [George Chatzisofroniou]
 2681   + http-ntlm-info gets server information from Web servers that require NTLM
 2682     authentication. [Justin Cacak]
 2684   + http-referer-checker finds JavaScript resources that are included from other
 2685     domains, increasing a website's attack surface. [George Chatzisofroniou]
 2687   + http-server-header grabs the Server header as a last-ditch effort to get a
 2688     software version. This can't be done as a softmatch because of the need to
 2689     match non-HTTP services that obey some HTTP requests. [Daniel Miller]
 2691   + http-useragent-tester checks for sites that redirect common Web spider
 2692     User-Agents to a different page than browsers get. [George Chatzisofroniou]
 2694   + http-vuln-cve2013-7091 (released as http-vuln-zimbra-lfi) looks for
 2695     CVE-2013-7091, a LFI vulnerability in Zimbra. [Paul AMAR, Ron Bowes]
 2697   + http-xssed searches the xssed.com database of Cross-site Scripting
 2698     vulnerabilities for previously-reported XSS vulnerabilities in the target.
 2699     [George Chatzisofroniou]
 2701   + qconn-exec tests the QNX QCONN service for remote command execution.
 2702     [Brendan Coles]
 2704   + quake1-info retrieves server and player information from Quake 1 game
 2705     servers. Reports potential DoS amplification factor.  [Ulrik Haugen]
 2707   + rfc868-time gets the date and time from an RFC 868 Time server. [Daniel
 2708     Miller]
 2710   + ssl-heartbleed detects the Heartbleed bug in OpenSSL CVE-2014-0160 [Patrik
 2711     Karlsson]
 2713   + sstp-discover discovers Microsoft's Secure Socket Tunnelling Protocol
 2714     (http://msdn.microsoft.com/en-us/library/cc247338.aspx) [Niklaus Schiess]
 2716   + unittest runs unit tests found in NSE libraries. The corresponding
 2717     unittest.lua library has examples. Run `nmap --script=unittest
 2718     --script-args=unittest.run -d` to run the tests. [Daniel Miller]
 2720   + weblogic-t3-info detects the T3 RMI protocol used by Oracle/BEA Weblogic
 2721     and extracts the Weblogic version. [Alessandro Zanni, Daniel Miller]
 2723   + whois-ip and whois-domain replace the whois script, which previously could
 2724     only collect whois info for IP addresses. [George Chatzisofroniou]
 2726 o [NSE] Fixed an error-handling bug in socks-open-proxy that caused it to fail
 2727   when scanning a SOCKS4-only proxy. Reported on IRC by Husky. [Daniel Miller]
 2729 o [NSE] Improved ntp-info script to handle underscores in returned
 2730   data. [nnposter]
 2732 o [NSE] Add unicode library for decoding and encoding UTF-8, UTF-16, CP437 and
 2733   other character sets to Unicode code points. Scripts that previously just
 2734   added or skipped nulls in UTF-16 data can use this to support non-ASCII
 2735   characters. [Daniel Miller]
 2737 o Significant code and documentation cleanup effort, fixing file encodings,
 2738   trailing whitespace, indentation, spelling mistakes, NSEdoc formatting
 2739   issues, PEP 8 compliance for Python, deprecation cleanup under python -3,
 2740   cleanup of warnings from LLVM's AddressSanitizer.  [Daniel Miller]
 2742 o [Ncat] Added support for socks5 and corresponding regression tests.
 2743   [Marek Lukaszuk, Petr Stodulka]
 2745 o Added TCP support to dns.lua. [John Bond]
 2747 o Added safe fd_set operations. This makes nmap fail gracefully instead of
 2748   crashing when the number of file descriptors grows over FD_SETSIZE. Jacek
 2749   Wielemborek reported the crash. [Henri Doreau]
 2751 o [NSE] Added tls library for functions related to SSLv3 and TLS messages.
 2752   Existing ssl-enum-ciphers, ssl-date, and tls-nextprotoneg scripts were
 2753   updated to use this library. [Daniel Miller]
 2755 o Added NSE and Zenmap unit tests to "make check" [Daniel Miller]
 2757 o [NSE] Enable http-enum to use the large Nikto fingerprint database at runtime
 2758   if provided by the user. For licensing reasons, we do not distribute this
 2759   database, but the integration effort has the blessing of the Nikto folks.
 2760   [George Chatzisofroniou]
 2762 o Updated bundled liblua from 5.2.2 to 5.2.3 (bugfix release) [Daniel Miller]
 2764 o Added version detection signatures and probes for a bunch of Android
 2765   remote mouse/keyboard servers, including AndroMouse, AirHID,
 2766   Wifi-mouse, and RemoteMouse. [Paul Hemberger]
 2768 o [Ncat] Fixed compilation when --without-liblua is specified in
 2769   configure (an #include needed an ifdef guard). [Quentin Glidic]
 2771 o Fixed a bug in libdnet with handling interfaces with AF_LINK addresses on
 2772   FreeBSD >9 reported by idwer on IRC. Likely affected other *BSDs. Handled by
 2773   skipping these non-network addresses. [Daniel Miller]
 2775 o Fixed a bug with UDP checksum calculation. When the UDP checksum is zero
 2776   (0x0000), it must be transmitted as 1's-complement -0 (0xffff) to avoid
 2777   ambiguity with +0, which indicates no checksum was calculated. This affected
 2778   UDP on IPv4 only. Reported by Michael Weber. [Daniel Miller]
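The RFC 768 rule behind this fix, as an added example that is not Nmap's own code: a C implementation of the UDP-over-IPv4 checksum that sends a computed 0x0000 as 0xffff, with the matching receiver-side check. The addresses, ports and payloads are constructed sample values; the zero-sum payload was chosen so the one's-complement sum comes out to exactly 0xffff.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One's-complement running sum of 16-bit big-endian words; an odd
 * trailing byte is padded with a zero byte. */
static uint32_t ones_sum(const uint8_t *buf, size_t len, uint32_t acc)
{
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        acc += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1)
        acc += (uint32_t)buf[len - 1] << 8;
    return acc;
}

/* Fold carries back into the low 16 bits (end-around carry). */
static uint16_t fold(uint32_t acc)
{
    while (acc >> 16)
        acc = (acc & 0xffffu) + (acc >> 16);
    return (uint16_t)acc;
}

/* Sum the IPv4 pseudo-header and the UDP datagram. The checksum field
 * (bytes 6-7) is skipped unless include_field is set, so the sender need
 * not zero it first. Caller guarantees udp_len >= 8. */
static uint32_t udp4_sum(const uint8_t src[4], const uint8_t dst[4],
                         const uint8_t *udp, size_t udp_len, int include_field)
{
    uint8_t pseudo[12];
    uint32_t acc;
    memcpy(pseudo, src, 4);
    memcpy(pseudo + 4, dst, 4);
    pseudo[8] = 0;
    pseudo[9] = 17;                          /* IPPROTO_UDP */
    pseudo[10] = (uint8_t)(udp_len >> 8);
    pseudo[11] = (uint8_t)(udp_len & 0xff);
    acc = ones_sum(pseudo, sizeof pseudo, 0);
    acc = ones_sum(udp, 6, acc);             /* ports and length */
    if (include_field)
        acc = ones_sum(udp + 6, 2, acc);
    return ones_sum(udp + 8, udp_len - 8, acc);
}

/* Value to put on the wire. RFC 768: a computed 0x0000 is sent as 0xffff
 * (one's-complement negative zero) because a zero field means "no
 * checksum"; omitting this mapping is the bug the entry above fixes. */
uint16_t udp4_checksum(const uint8_t src[4], const uint8_t dst[4],
                       const uint8_t *udp, size_t udp_len)
{
    uint16_t csum;
    if (udp_len < 8)
        return 0;
    csum = (uint16_t)~fold(udp4_sum(src, dst, udp, udp_len, 0));
    return csum == 0 ? 0xffff : csum;
}

/* Receiver side: a zero field means the sender skipped the checksum;
 * otherwise the sum over everything, field included, must be all ones. */
int udp4_checksum_ok(const uint8_t src[4], const uint8_t dst[4],
                     const uint8_t *udp, size_t udp_len)
{
    if (udp_len < 8)
        return 0;
    if (udp[6] == 0 && udp[7] == 0)
        return 1;
    return fold(udp4_sum(src, dst, udp, udp_len, 1)) == 0xffff;
}

/* Constructed sample: 10.0.0.1:4660 -> 10.0.0.2:53, 2-byte payload,
 * checksum field left zero. */
static const uint8_t SAMPLE_SRC[4] = {10, 0, 0, 1};
static const uint8_t SAMPLE_DST[4] = {10, 0, 0, 2};

/* Checksum of the sample for a given payload. Payload 'h','i' gives
 * 0x7105; payload 0xd9,0x6e makes the sum exactly 0xffff, so the
 * complement is zero and the wire value must be 0xffff, not 0x0000. */
uint16_t sample_checksum(uint8_t p0, uint8_t p1)
{
    uint8_t pkt[10] = {0x12, 0x34, 0x00, 0x35, 0x00, 0x0a, 0, 0, p0, p1};
    return udp4_checksum(SAMPLE_SRC, SAMPLE_DST, pkt, sizeof pkt);
}

/* Stamp the checksum into the sample, optionally flip one payload bit,
 * and report whether the receiver check still accepts the datagram. */
int sample_roundtrip_ok(uint8_t p0, uint8_t p1, int corrupt)
{
    uint8_t pkt[10] = {0x12, 0x34, 0x00, 0x35, 0x00, 0x0a, 0, 0, p0, p1};
    uint16_t c = udp4_checksum(SAMPLE_SRC, SAMPLE_DST, pkt, sizeof pkt);
    pkt[6] = (uint8_t)(c >> 8);
    pkt[7] = (uint8_t)(c & 0xff);
    if (corrupt)
        pkt[9] ^= 0x01;
    return udp4_checksum_ok(SAMPLE_SRC, SAMPLE_DST, pkt, sizeof pkt);
}
```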
 2780 o [NSE] Removed a fixed value (28428) which was being set for the Request ID in
 2781   the snmpWalk library function; a value based on nmap.clock_ms will now be set
 2782   instead. [jah]
 2784 o The ICMP ID of ICMP probes is now matched against the sent ICMP ID,
 2785   to reduce the chance of false matches. Patch by Chris Johnson.
 2787 o [NSE] Made telnet-brute support multiple parallel guessing threads,
 2788   reuse connections, and support password-only logins. [nnposter]
 2790 o [NSE] Made the table returned by ssh1.fetch_host_key contain a "key"
 2791   element, like that of ssh2.fetch_host_key. This fixed a crash in the
 2792   ssh-hostkey script reported by Dan Farmer and Florian Pelgrim. The
 2793   "key" element of ssh2.fetch_host_key now is base64-encoded, to match
 2794   the format used by the known_hosts file. [David Fifield]
 2796 o [Nsock] Handle timers and timeouts via a priority queue (using a heap)
 2797   for improved performance. Nsock now only iterates over events which are
 2798   completed or expired instead of inspecting the entire event set at each
 2799   iteration. [Henri Doreau]
 2801 o [NSE] Update dns-cache-snoop script to use a new list of top 50
 2802   domains rather than a 2010 list. [Nicolle Neulist]
 2804 o [Zenmap] Fixed a crash that would happen when you entered a search
 2805   term starting with a colon: "AttributeError:
 2806   'FilteredNetworkInventory' object has no attribute 'match_'".
 2807   Reported by Kris Paernell. [David Fifield]
 2810   and NCAT_LOCAL_PORT environment variables being set in all --*-exec child
 2811   processes.
 2813 Nmap 6.40 [2013-07-29]
 2815 o [Ncat] Added --lua-exec. This feature is basically the equivalent of 'ncat
 2816   --sh-exec "lua <scriptname>"' and allows you to run Lua scripts with Ncat,
 2817   redirecting all stdin and stdout operations to the socket connection. See
 2818   https://nmap.org/book/ncat-man-command-options.html [Jacek Wielemborek]
 2820 o Integrated all of your IPv4 OS fingerprint submissions since January
 2821   (1,300 of them). Added 91 fingerprints, bringing the new total to 4,118.
 2822   Additions include Linux 3.7, iOS 6.1, OpenBSD 5.3, AIX 7.1, and more.
 2823   Many existing fingerprints were improved. Highlights:
 2824   http://seclists.org/nmap-dev/2013/q2/518. [David Fifield]
 2826 o Integrated all of your service/version detection fingerprints submitted
 2827   since January (737 of them)! Our signature count jumped by 273 to 8,979.
 2828   We still detect 897 protocols, from extremely popular ones like http, ssh,
 2829   smtp and imap to the more obscure airdroid, gopher-proxy, and
 2830   enemyterritory. Highlights:
 2831   http://seclists.org/nmap-dev/2013/q3/80. [David Fifield]
 2833 o Integrated your latest IPv6 OS submissions and corrections. We're still
 2834   low on IPv6 fingerprints, so please scan any IPv6 systems you own or
 2835   administer and submit them to https://nmap.org/submit/.  Both new
 2836   fingerprints (if Nmap doesn't find a good match) and corrections (if Nmap
 2837   guesses wrong) are useful. [David Fifield]
 2839 o [Nsock] Added initial proxy support to Nsock. Nmap version detection
 2840   and NSE can now establish TCP connections through chains of one or
 2841   more CONNECT or SOCKS4 proxies. Use the Nmap --proxies option with a
 2842   chain of one or more proxies as the argument (example:
 2843   http://localhost:8080,socks4://someproxy.example.com). Note that
 2844   only version detection and NSE are supported so far (no port
 2845   scanning or host discovery), and there are other limitations
 2846   described in the man page. [Henri Doreau]
 2848 o [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 446.
 2849   They are all listed at https://nmap.org/nsedoc/, and the summaries are
 2850   below (authors are listed in brackets):
 2852   + hostmap-ip2hosts finds hostnames that resolve to the target's IP address
 2853     by querying the online database at http://www.ip2hosts.com (uses Bing
 2854     search results) [Paulino Calderon]
 2856   + http-adobe-coldfusion-apsa1301 attempts to exploit an authentication
 2857     bypass vulnerability in Adobe Coldfusion servers (APSA13-01:
 2858     http://www.adobe.com/support/security/advisories/apsa13-01.html) to
 2859     retrieve a valid administrator's session cookie. [Paulino Calderon]
 2861   + http-coldfusion-subzero attempts to retrieve version, absolute path of
 2862     administration panel and the file 'password.properties' from vulnerable
 2863     installations of ColdFusion 9 and 10. [Paulino Calderon]
 2865   + http-comments-displayer extracts and outputs HTML and JavaScript
 2866     comments from HTTP responses. [George Chatzisofroniou]
 2868   + http-fileupload-exploiter exploits insecure file upload forms in web
 2869     applications using various techniques like changing the Content-type
 2870     header or creating valid image files containing the payload in the
 2871     comment. [George Chatzisofroniou]
 2873   + http-phpmyadmin-dir-traversal exploits a directory traversal
 2874     vulnerability in phpMyAdmin 2.6.4-pl1 (and possibly other versions) to
 2875     retrieve remote files on the web server. [Alexey Meshcheryakov]
 2877   + http-stored-xss posts specially crafted strings to every form it
 2878     encounters and then searches through the website for those strings to
 2879     determine whether the payloads were successful. [George Chatzisofroniou]
 2881   + http-vuln-cve2013-0156 detects Ruby on Rails servers vulnerable to
 2882     object injection, remote command execution and denial of service
 2883     attacks. (CVE-2013-0156) [Paulino Calderon]
 2885   + ike-version obtains information (such as vendor and device type where
 2886     available) from an IKE service by sending four packets to the host.
 2887   This script tests with both Main and Aggressive Mode and sends multiple
 2888     transforms per request. [Jesper Kueckelhahn]
 2890   + murmur-version detects the Murmur service (server for the Mumble voice
 2891     communication client) versions 1.2.X. [Marin Maržić]
 2893   + mysql-enum performs valid-user enumeration against MySQL server using a
 2894     bug discovered and published by Kingcope
 2895     (http://seclists.org/fulldisclosure/2012/Dec/9). [Aleksandar Nikolic]
 2897   + teamspeak2-version detects the TeamSpeak 2 voice communication server
 2898     and attempts to determine version and configuration information. [Marin
 2899     Maržić]
 2901   + ventrilo-info detects the Ventrilo voice communication server service
 2902     versions 2.1.2 and above and tries to determine version and
 2903     configuration information. [Marin Maržić]
 2905 o Updated the Nmap license agreement to close some loopholes and stop some
 2906   abusers. It's particularly targeted at companies which distribute
 2907   malware-laden Nmap installers as we caught Download.com doing last
 2908   year--http://insecure.org/news/download-com-fiasco.html . The updated
 2909   license is in all the normal places, including
 2910   https://svn.nmap.org/nmap/COPYING.
 2912 o [NSE][SECURITY] Oops, there was a vulnerability in one of our 437 NSE scripts.  If
 2913   you ran the (fortunately non-default) http-domino-enum-passwords script
 2914   with the (fortunately also non-default) domino-enum-passwords.idpath
 2915   parameter against a malicious server, it could cause an arbitrarily named
 2916   file to be written to the client system. Thanks to Trustwave researcher
 2917   Piotr Duszynski for discovering and reporting the problem.  We've fixed
 2918   that script, and also updated several other scripts to use a new
 2919   stdnse.filename_escape function for extra safety. This breaks our record
 2920   of never having a vulnerability in the 16 years that Nmap has existed, but
 2921   that's still a fairly good run! [David, Fyodor]
 2923 o Unicast CIDR-style IPv6 range scanning is now supported, so you can
 2924   specify targets such as en.wikipedia.org/120.  Obviously it will take ages
 2925   if you specify a huge space.  For example, a /64 contains
 2926   18,446,744,073,709,551,616 addresses. [David Fifield]
 2928 o It's now possible to mix IPv4 range notation with CIDR netmasks in target
 2929   specifications. For example, 192.168-170.4-100,200.5/16 is effectively the
 2930   same as 192.168.168-170.0-255.0-255. [David Fifield]
 2932 o Timeout script-args are now standardized to use the timespec that Nmap's
 2933   command-line arguments take (5s, 5000ms, 1h, etc.). Some scripts that
 2934   previously took an integer number of milliseconds will now treat that as a
 2935   number of seconds if not explicitly denoted as ms. [Daniel Miller]
 2937 o Nmap may now partially rearrange its target list for more efficient
 2938   host groups. Previously, a single target with a different interface,
 2939   or with an IP address the same as that of a target already in the
 2940   group, would cause the group to be broken off at whatever size it
 2941   was. Now, we buffer a small number of such targets, and keep looking
 2942   through the input for more targets to fill out the current group.
 2943   [David Fifield]
 2945 o [Ncat] The -i option (idle timeout) now works in listen mode as well as
 2946   connect mode. [Tomas Hozza]
 2948 o [Ncat] Ncat now supports chained certificates with the --ssl-cert
 2949   option. [Greg Bailey]
 2951 o [Nping] Nping now checks for a matching ICMP ID on echo replies, to avoid
 2952   receiving crosstalk from other ping programs running at the same
 2953   time. [David Fifield]
 2955 o [NSE] The ipOps.isPrivate library now considers the deprecated site-local
 2956   prefix fec0::/10 to be private. [Marek Majkowski]
 2958 o Nmap's routing table is now sorted first by netmask, then by metric.
 2959   Previously it was the other way around, which could cause a very general
 2960   route with a low metric to be preferred over a specific route with a
 2961   higher metric.
 2963 o Routes are now sorted to prefer those with a lower metric. Retrieval of
 2964   metrics is supported only on Linux and Windows. [David Fifield]
 2966 o Fixed a byte-ordering problem on little-endian architectures when doing
 2967   idle scan with a zombie that uses broken ID increments.  [David Fifield]
 2969 o Stop parsing TCP options after reaching EOL in libnetutil. Bug reported by
 2970   Gustavo Moreira. [Henri Doreau]
 2972 o [NSE] The dns-ip6-arpa-scan script now optionally accepts "/" syntax for a
 2973   network mask. Based on a patch by Indula Nayanamith.
 2975 o [Ncat] Reduced the default --max-conns limit from 100 to 60 on Windows, to
 2976   stay within platform limitations. Suggested by Andrey Olkhin.
 2978 o Fixed IPv6 routing table alignment on NetBSD.
 2980 o Fixed our NSEDoc system so the author field uses UTF-8 and we can spell
 2981   people's names properly, even if they use crazy non-ASCII characters like
 2982   Marin Maržić.  [David Fifield]
 2984 o UDP protocol payloads were added for detecting the Murmur service (a
 2985   server for the Mumble voice communication client) and TeamSpeak 2 VoIP
 2986   software.
 2988 o [NSE] Added http-phpmyadmin-dir-traversal by Alexey Meshcheryakov.
 2990 o Updated libdnet to not SIOCIFNETMASK before SIOCIFADDR on OpenBSD. This
 2991   was reported to break on -current as of May 2013. [Giovanni Bechis]
 2993 o Fixed address matching for SCTP (-PY) ping. [Marin Maržić]
 2995 o Removed some non-ANSI-C strftime format strings ("%F") and
 2996   locale-dependent formats ("%c") from NSE scripts and libraries.
 2997   C99-specified %F was noticed by Alex Weber. [Daniel Miller]
 2999 o [Zenmap] Improved internationalization support:
 3000   + Added Polish translation by Jacek Wielemborek.
 3001   + Updated the Italian translation. [Giacomo]
 3003 o [Zenmap] Fixed internationalization files. Running in a language other
 3004   than the default English would result in the error "ValueError: too many
 3005   values to unpack". [David Fifield]
 3007 o [NSE] Updated the included Liblua from version 5.2.1 to 5.2.2. [Patrick
 3008   Donnelly]
 3010 o [Nsock] Added a minimal regression test suite for Nsock. [Henri Doreau]
 3012 o [NSE] Updated the redis-brute and redis-info scripts to work against the
 3013   latest versions of redis server. [Henri Doreau]
 3015 o [Ncat] Fixed errors in connecting to IPv6 proxies. [Joachim Henke]
 3017 o [NSE] Updated hostmap-bfk to work with the latest version of their website
 3018   (bfk.de). [Paulino Calderon]
 3020 o [NSE] Added XML structured output support to:
 3021   + xmpp-info, irc-info, sslv2, address-info [Daniel Miller]
 3022   + hostmap-bfk, hostmap-robtex, hostmap-ip2hosts. [Paulino Calderon]
 3023   + http-git.nse. [Alex Weber]
 3025 o Added new service probes for:
 3026   + Erlang distribution nodes [Michael Schierl]
 3027   + Minecraft servers. [Eric Davisson]
 3028   + Hazelcast data grid. [Pavel Kankovsky]
 3030 o [NSE] Rewrote telnet-brute for better compatibility with a variety of
 3031   telnet servers. [nnposter]
 3033 o Fixed a regression that changed the number of delimiters in machine
 3034   output. [Daniel Miller]
 3036 o Fixed a regression in broadcast-dropbox-listener which prevented it from
 3037   producing output. [Daniel Miller]
 3039 o Handle ICMP type 11 (Time Exceeded) responses to port scan probes.  Ports
 3040   will be reported as "filtered", to be consistent with existing Connect
 3041   scan results, and will have a reason of time-exceeded.  DiabloHorn
 3042   reported this issue via IRC. [Daniel Miller]
 3044 o Add new decoders (BROWSER, DHCP6 and LLMNR) to broadcast-listener and
 3045   changed output of some of the decoders slightly. [Patrik Karlsson]
 3047 o The list of name servers on Windows now ignores those from inactive
 3048   interfaces. [David Fifield]
 3050 o Namespace the pipes used to communicate with subprocesses by PID, to keep
 3051   multiple instances of Ncat from interfering with each other.  Patch by
 3052   Andrey Olkhin.
 3054 o [NSE] Changed ip-geolocation-geoplugin to use the web service's new output
 3055   format. Reported by Robin Wood.
 3057 o Limited the number of open sockets in ultra_scan to FD_SETSIZE. Very fast
 3058   connect scans could write past the end of an fd_set and cause a variety of
 3059   crashes:
 3060     nmap: scan_engine.cc:978: bool ConnectScanInfo::clearSD(int): Assertion `numSDs > 0' failed.
 3061     select failed in do_one_select_round(): Bad file descriptor (9)
 3062   [David Fifield]
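The FD_SETSIZE overrun described in this entry and in the "safe fd_set operations" entry of 6.45 above, as an added example that is not Nmap's own code: bounds-checked fd_set wrappers in C that refuse descriptors the bitmap cannot hold (instead of writing past its end), plus a simulated scan that counts how many probe sockets fit before the cap is reached.

```c
#include <sys/select.h>
#include <errno.h>

/* FD_SET() and FD_CLR() do no bounds check: a descriptor >= FD_SETSIZE
 * writes past the end of the fd_set bitmap, which is the memory
 * corruption behind the crashes described above. These wrappers refuse
 * such descriptors and report EINVAL instead of overrunning the set. */
int checked_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

int checked_fd_clr(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    FD_CLR(fd, set);
    return 0;
}

int checked_fd_isset(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return 0;
    return FD_ISSET(fd, set) ? 1 : 0;
}

/* Set, test and clear one descriptor. Returns 1 when the set behaves
 * consistently, 0 on a bookkeeping mismatch, -1 when fd was refused. */
int probe_roundtrip(int fd)
{
    fd_set set;
    FD_ZERO(&set);
    if (checked_fd_set(fd, &set) != 0)
        return -1;
    if (!checked_fd_isset(fd, &set))
        return 0;
    checked_fd_clr(fd, &set);
    return checked_fd_isset(fd, &set) ? 0 : 1;
}

/* Simulated connect-scan bookkeeping: try to register descriptors
 * 0..want-1 and return how many the set accepted. A scan engine that
 * caps its open sockets at this count stays inside FD_SETSIZE. */
int register_probe_fds(int want)
{
    fd_set set;
    int fd, accepted = 0;
    FD_ZERO(&set);
    for (fd = 0; fd < want; fd++) {
        if (checked_fd_set(fd, &set) != 0)
            break;
        accepted++;
    }
    return accepted;
}
```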
 3064 o Fixed a bug that prevented Nmap from finding any interfaces when one of
 3065   them had the type ARP_HDR_APPLETALK; this was the case for AppleTalk
 3066   interfaces. However, this support is not complete since AppleTalk
 3067   interfaces use different size hardware addresses than Ethernet.  Nmap IP
 3068   level scans should work without any problem, please refer to the
 3069   '--send-ip' switch and to the following thread:
 3070   http://seclists.org/nmap-dev/2013/q1/214.  This bug was reported by Steven
 3071   Gregory Johnson. [Daniel Miller]
 3073 o [Nping] Nping on Windows now skips localhost targets for privileged pings
 3074   (with an error message) because those generally don't work.  [David
 3075   Fifield]
 3077 o [Ncat] Ncat now keeps running in connect mode after receiving EOF from the
 3078   remote socket, unless --recv-only is in effect.  [Tomas Hozza]
 3080 o Packet traces of ICMP packets now include the ICMP ID and sequence number
 3081   by default. [David Fifield]
 3083 o [NSE] Fixed various NSEDoc bugs found by David Matousek.
 3085 o [Zenmap] Zenmap now understands the NMAP_PRIVILEGED and NMAP_UNPRIVILEGED
 3086   environment variables. [Tyler Wagner]
 3088 o Added an ncat_assert macro.  This is similar to assert(), but remains even
 3089   if NDEBUG is defined. Replaced all Ncat asserts with this. We also moved
 3090   operations with side effects outside of asserts as yet another layer of
 3091   bug-prevention [David Fifield].
 3093 o Added nmap-fo.xsl, contributed by Tilik Ammon. This converts Nmap XML into
 3094   XSL-FO, which can be converted into PDF using tools such as Apache FOP.
 3096 o Increased the number of slack file descriptors not used during connect
 3097   scan. Previously, the calculation did not consider the descriptors used by
 3098   various open log files. Connect scans using a lot of sockets could fail
 3099   with the message "Socket creation in sendConnectScanProbe: Too many open
 3100   files". [David Fifield]
 3102 o Changed the --webxml XSL stylesheet to point to the new location of
 3103   nmap.xsl in the new repository (https://svn.nmap.org/nmap/docs/nmap.xsl).
 3104   It still may not work in web browsers due to same origin policy (see
 3105   http://seclists.org/nmap-dev/2013/q1/58). [David Fifield, Simon John]
 3107 o [NSE] The vulnerability library can now preserve vulnerability information
 3108   across multiple ports of the same host. The bug was reported by
 3109   iphelix. [Djalal Harouni]
 3111 o Removed the undocumented -q option, which renamed the nmap process to
 3112   something like "pine".
 3114 o Moved the Japanese man page from man1/jp to man1/ja. JP is a country code
 3115   while JA is a language code. Reported by Christian Neukirchen.
 3117 o [Nsock] Reworked the logging infrastructure to make it more flexible and
 3118   consistent. Updated Nmap, Nping and Ncat accordingly. Nsock log level can
 3119   now be adjusted at runtime by pressing d/D in nmap.  [Henri Doreau, David
 3120   Fifield]
 3122 o [NSE] Fixed scripts using unconnected UDP sockets. The bug was reported by
 3123   Dhiru Kholia at http://seclists.org/nmap-dev/2012/q4/422. [David Fifield]
 3125 o Made some changes to Ndiff to reduce parsing time when dealing with large
 3126   Nmap XML output files. [Henri Doreau]
 3128 o Clean up the source code a bit to resolve some false positive issues
 3129   identified by the Parfait static code analysis program. Oracle apparently
 3130   runs this on programs (including Nmap) that they ship with Solaris.  See
 3131   http://seclists.org/nmap-dev/2012/q4/504. [David Fifield]
 3133 o [Zenmap] Fixed a crash that could be caused by opening the About dialog,
 3134   using the window manager to close it, and opening it again.  This was
 3135   reported by Yashartha Chaturvedi and Jordan Schroeder.  [David Fifield]
 3137 o [Ncat] Made test-addrset.sh exit with nonzero status if any tests
 3138   fail. This in turn causes "make check" to fail if any tests fail.
 3139   [Andreas Stieger]
 3141 o Fixed compilation with --without-liblua. The bug was reported by Rick
 3142   Farina, Nikos Chantziaras, and Alex Turbov. [David Fifield]
 3144 o Fixed CRC32c calculation (as used in SCTP scans) on 64-bit
 3145   platforms. [Pontus Andersson]
 3147 o [NSE] Added multicast group name output to
 3148   broadcast-igmp-discovery.nse. [Vasily Kulikov]
 3150 o [NSE] Added new fingerprints for http-enum: Sitecore, Moodle, typo3,
 3151   SquirrelMail, RoundCube. [Jesper Kückelhahn]
 3153 Nmap 6.25 [2012-11-29]
 3155 o [NSE] Added CPE to smb-os-discovery output.
 3157 o [Ncat] Fixed the printing of warning messages for large arguments to
 3158   the -i and -w options. [Michal Hlavinka]
 3160 o [Ncat] Shut down the write part of connected sockets in listen mode
 3161   when stdin hits EOF, just as was already done in connect mode.
 3162   [Michal Hlavinka]
 3164 o [Zenmap] Removed a crashing error that could happen when canceling a
 3165   "Print to File" on Windows:
 3166     Traceback (most recent call last):
 3167       File "zenmapGUI\MainWindow.pyo", line 831, in _print_cb
 3168       File "zenmapGUI\Print.pyo", line 156, in run_print_operation
 3169     GError: Error from StartDoc
 3170   This bug was reported by Imre Adácsi. [David Fifield]
 3172 o Added some new checks for failed library calls. [Bill Parker]
 3174 Nmap 6.20BETA1 [2012-11-16]
 3176 o Integrated all of your IPv4 OS fingerprint submissions since January
 3177   (more than 3,000 of them).  Added 373 fingerprints, bringing the new
 3178   total to 3,946.  Additions include Linux 3.6, Windows 8, Windows
 3179   Server 2012, Mac OS X 10.8, and a ton of new WAPs, printers,
 3180   routers, and other devices--including our first IP-enabled doorbell!
 3181   Many existing fingerprints were improved. [David Fifield]
 3183 o Integrated all of your service/version detection fingerprints
 3184   submitted since January (more than 1,500)!  Our signature
 3185   count jumped by more than 400 to 8,645.  We now detect 897
 3186   protocols, from extremely popular ones like http, ssh, smtp and imap
 3187   to the more obscure airdroid, gopher-proxy, and
 3188   enemyterritory. [David Fifield]
 3190 o Integrated your latest IPv6 OS submissions and corrections. We're
 3191   still low on IPv6 fingerprints, so please scan any IPv6 systems you
 3192   own or administer and submit them to https://nmap.org/submit/.  Both
 3193   new fingerprints (if Nmap doesn't find a good match) and corrections
 3194   (if Nmap guesses wrong) are useful.
 3196 o Enabled support for IPv6 traceroute using UDP, SCTP, and IPProto
 3197   (Next Header) probes.  Previously, only TCP and ICMP were
 3198   supported.  [David Fifield]
 3200 o Scripts can now return a structured name-value table so that results
 3201   are query-able from XML output. Scripts can return a string as
 3202   before, or a table, or a table and a string. In this last case, the
 3203   table will go to XML output and the string will go to screen output.
 3204   See https://nmap.org/book/nse-api.html#nse-structured-output [Daniel
 3205   Miller, David Fifield, Patrick Donnelly]
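   As an added illustration of the return convention described above (a
   script written for this note, not one shipped with Nmap; the
   stdnse.output_table helper, the port number and the "PRODUCT/VERSION"
   banner are assumptions), a minimal NSE script that returns both a
   name-value table for XML and a hand-formatted string for the screen:

```lua
-- Added example, not part of Nmap: shows the three ways an NSE action can
-- return results. A table alone goes to XML (as <table>/<elem> entries) and
-- is auto-rendered on screen; a table plus a string sends the table to XML
-- and the string to the screen; a bare string behaves as in older releases.
local shortport = require "shortport"
local stdnse    = require "stdnse"

description = [[
Example-only script: parses a constructed "PRODUCT/VERSION" banner and
returns structured output together with a custom screen rendering.
]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- Assumed port/service name; a real script would match the service it probes.
portrule = shortport.port_or_service(12345, "example")

-- Parse "name/version" into fields. Returns nil on malformed input so the
-- action can decline to report anything (no empty <table> in the XML).
local function parse_banner(banner)
  local product, version = banner:match("^(%w[%w%-]*)/([%d%.]+)")
  if not product then return nil end
  return product, version
end

action = function(host, port)
  -- Constructed banner instead of a real socket read, so that the shape of
  -- the return values is the only thing this example demonstrates.
  local banner = "exampled/2.1.3"
  local product, version = parse_banner(banner)
  if not product then
    return nil  -- nothing found: neither XML nor screen output is emitted
  end

  -- stdnse.output_table() (assumed available) keeps insertion order, so the
  -- <elem key="..."> entries and the auto-generated screen lines are stable.
  local out = stdnse.output_table()
  out.product = product
  out.version = version
  out.raw_banner = banner

  -- Option 1: return only the table. Nmap renders "product: exampled" etc.
  -- on screen itself and emits the same keys as <elem> in XML.
  --   return out

  -- Option 2: table AND string. The table still goes to XML; the string
  -- replaces the auto-generated screen rendering.
  local screen = string.format("%s version %s (banner %q)",
                               product, version, banner)
  return out, screen
end
```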
 3207 o [Nsock] Added new poll and kqueue I/O engines for improved
 3208   performance on Windows and BSD-based systems including Mac OS X.
 3209   These are in addition to the epoll engine (used on Linux) and the
 3210   classic select engine fallback for other systems.  [Henri Doreau]
 3212 o [Ncat] Added support for Unix domain sockets. The new -U and
 3213   --unixsock options activate this mode.  These provide compatibility
 3214   with Hobbit's original Netcat. [Tomas Hozza]
 3216 o Moved some Windows dependencies, including OpenSSL, libsvn, and the
 3217   vcredist files, into a new public Subversion directory
 3218   /nmap-mswin32-aux and moved it out of the source tarball. This
 3219   reduces the compressed tarball size from 22 MB to 8 MB and similarly
 3220   reduces the bandwidth and storage required for an svn checkout.
 3221   Folks who build Nmap on Windows will need to check out
 3222   /nmap-mswin32-aux along with /nmap as described at
 3223   https://nmap.org/book/inst-windows.html#inst-win-source.
 3225 o Many of the great features in this release were created by college
 3226   and grad students generously sponsored by Google's Summer of Code
 3227   program.  Thanks, Google Open Source Department!  This year's team
 3228   of five developers is introduced at
 3229   http://seclists.org/nmap-dev/2012/q2/204 and their successes
 3230   documented at http://seclists.org/nmap-dev/2012/q4/138
 3232 o [NSE] Replaced old RPC grinder (RPC enumeration, performed as part
 3233   of version detection when a port seems to run a SunRPC service) with
 3234   a faster and easier to maintain NSE-based implementation.  This also
 3235   allowed us to remove the crufty old pos_scan scan engine. [Hani
 3236   Benhabiles]
 3238 o Updated our Nmap Scripting Engine to use Lua 5.2 (and then 5.2.1)
 3239   rather than 5.1. See http://seclists.org/nmap-dev/2012/q2/34 for
 3240   details. [Patrick Donnelly]
 3242 o [NSE] Added 85(!) NSE scripts, bringing the total up to 433.  They
 3243   are all listed at https://nmap.org/nsedoc/, and the summaries are
 3244   below (authors are listed in brackets):
 3246   + ajp-auth retrieves the authentication scheme and realm of an AJP
 3247     service (Apache JServ Protocol) that requires authentication. The
 3248     Apache JServ Protocol is commonly used by web servers to
 3249     communicate with back-end Java application server
 3250     containers. [Patrik Karlsson]
 3252   + ajp-brute performs brute force password auditing against the
 3253     Apache JServ protocol. [Patrik Karlsson]
 3255   + ajp-headers performs a HEAD or GET request against either the root
 3256     directory or any optional directory of an Apache JServ Protocol
 3257     server and returns the server response headers. [Patrik Karlsson]
 3259   + ajp-methods discovers which options are supported by the AJP
 3260     (Apache JServ Protocol) server by sending an OPTIONS request and
 3261     lists potentially risky methods. [Patrik Karlsson]
 3263   + ajp-request requests a URI over the Apache JServ Protocol and
 3264     displays the result (or stores it in a file). Different AJP
 3265     methods such as GET, HEAD, TRACE, PUT or DELETE may be
 3266     used. [Patrik Karlsson]
 3268   + bjnp-discover retrieves printer or scanner information from a
 3269     remote device supporting the BJNP protocol. The protocol is known
 3270     to be supported by network based Canon devices. [Patrik Karlsson]
 3272   + broadcast-ataoe-discover discovers servers supporting the ATA over
 3273     Ethernet protocol. ATA over Ethernet is an Ethernet protocol
 3274     developed by the Brantley Coile Company and allows for simple,
 3275     high-performance access to SATA drives over Ethernet. [Patrik
 3276     Karlsson]
 3278   + broadcast-bjnp-discover attempts to discover Canon devices
 3279     (Printers/Scanners) supporting the BJNP protocol by sending BJNP
 3280     Discover requests to the network broadcast address for both ports
 3281     associated with the protocol. [Patrik Karlsson]
 3283   + broadcast-eigrp-discovery performs network discovery and routing
 3284     information gathering through Cisco's EIGRP protocol. [Hani
 3285     Benhabiles]
 3287   + broadcast-igmp-discovery discovers targets that have IGMP
 3288     Multicast memberships and grabs interesting information. [Hani
 3289     Benhabiles]
 3291   + broadcast-pim-discovery discovers routers that are running PIM
 3292     (Protocol Independent Multicast). [Hani Benhabiles]
 3294   + broadcast-tellstick-discover discovers Telldus Technologies
 3295     TellStickNet devices on the LAN. The Telldus TellStick is used to
 3296     wirelessly control electric devices such as lights, dimmers and
 3297     electric outlets. [Patrik Karlsson]
 3299   + cassandra-brute performs brute force password auditing against the
 3300     Cassandra database. [Vlatko Kosturjak]
 3302   + cassandra-info attempts to get basic info and server status from a
 3303     Cassandra database. [Vlatko Kosturjak]
 3305   + cups-info lists printers managed by the CUPS printing
 3306     service. [Patrik Karlsson]
 3308   + cups-queue-info lists currently queued print jobs of the remote
 3309     CUPS service grouped by printer. [Patrik Karlsson]
 3311   + dict-info connects to a dictionary server using the DICT protocol,
 3312     runs the SHOW SERVER command, and displays the result. [Patrik
 3313     Karlsson]
 3315   + distcc-cve2004-2687 detects and exploits a remote code execution
 3316     vulnerability in the distributed compiler daemon distcc. [Patrik
 3317     Karlsson]
 3319   + dns-check-zone checks DNS zone configuration against best
 3320     practices, including RFC 1912.  The configuration checks are
 3321     divided into categories which each have a number of different
 3322     tests. [Patrik Karlsson]
 3324   + dns-ip6-arpa-scan performs a quick reverse DNS lookup of an IPv6
 3325     network using a technique which analyzes DNS server response codes
 3326     to dramatically reduce the number of queries needed to enumerate
 3327     large networks. [Patrik Karlsson]
 3329   + dns-nsec3-enum tries to enumerate domain names from the DNS server
 3330     that supports DNSSEC NSEC3 records. [Aleksandar Nikolic, John
 3331     Bond]
 3333   + eppc-enum-processes attempts to enumerate process info over the
 3334     Apple Remote Event protocol.  When accessing an application over
 3335     the Apple Remote Event protocol the service responds with the uid
 3336     and pid of the application, if it is running, prior to requesting
 3337     authentication. [Patrik Karlsson]
 3339   + firewall-bypass detects a vulnerability in Netfilter and other
 3340     firewalls that use helpers to dynamically open ports for protocols
 3341     such as ftp and sip. [Hani Benhabiles]
 3343   + flume-master-info retrieves information from Flume master HTTP
 3344     pages. [John R. Bond]
 3346   + gkrellm-info queries a GKRellM service for monitoring
 3347     information. A single round of collection is made, showing a
 3348     snapshot of information at the time of the request. [Patrik
 3349     Karlsson]
 3351   + gpsd-info retrieves GPS time, coordinates and speed from the GPSD
 3352     network daemon. [Patrik Karlsson]
 3354   + hostmap-robtex discovers hostnames that resolve to the target's IP
 3355     address by querying the Robtex service at
 3356     http://www.robtex.com/dns/. [Arturo Busleiman]
 3358   + http-drupal-enum-users enumerates Drupal users by exploiting an
 3359     information disclosure vulnerability in Views, Drupal's most
 3360     popular module. [Hani Benhabiles]
 3362   + http-drupal-modules enumerates the installed Drupal modules by
 3363     using a list of known modules. [Hani Benhabiles]
 3365   + http-exif-spider spiders a site's images looking for interesting
 3366     exif data embedded in .jpg files. Displays the make and model of
 3367     the camera, the date the photo was taken, and the embedded geotag
 3368     information. [Ron Bowes]
 3370   + http-form-fuzzer performs simple form fuzzing against forms
 3371     found on websites.  Tries strings and numbers of increasing length
 3372     and attempts to determine if the fuzzing was successful. [Piotr
 3373     Olma]
 3375   + http-frontpage-login checks whether target machines are vulnerable
 3376     to anonymous Frontpage login. [Aleksandar Nikolic]
 3378   + http-git checks for a Git repository found in a website's document
 3379     root (/.git/<something>) then retrieves as much repo
 3380     information as possible, including language/framework, Github
 3381     username, last commit message, and repository description. [Alex
 3382     Weber]
 3384   + http-gitweb-projects-enum retrieves a list of Git projects, owners
 3385     and descriptions from a gitweb (web interface to the Git revision
 3386     control system). [riemann]
 3388   + http-huawei-hg5xx-vuln detects Huawei modem models HG530x,
 3389     HG520x, HG510x (and possibly others...) vulnerable to a remote
 3390     credential and information disclosure vulnerability. It also
 3391     extracts the PPPoE credentials and other interesting configuration
 3392     values. [Paulino Calderon]
 3394   + http-icloud-findmyiphone retrieves the locations of all "Find my
 3395     iPhone" enabled iOS devices by querying the MobileMe web service
 3396     (authentication required). [Patrik Karlsson]
 3398   + http-icloud-sendmsg sends a message to an iOS device through the
 3399     Apple MobileMe web service. The device has to be registered with
 3400     an Apple ID using the Find My iPhone application. [Patrik
 3401     Karlsson]
 3403   + http-phpself-xss crawls a web server and attempts to find PHP
 3404     files vulnerable to reflected cross site scripting via the
 3405     variable $_SERVER["PHP_SELF"].  [Paulino Calderon]
 3407   + http-rfi-spider crawls webservers in search of RFI (remote file
 3408     inclusion) vulnerabilities. It tests every form field it finds and
 3409     every parameter of a URL containing a query. [Piotr Olma]
 3411   + http-robtex-shared-ns finds up to 100 domain names which use the
 3412     same name server as the target by querying the Robtex service at
 3413     http://www.robtex.com/dns/. [Arturo Busleiman]
 3415   + http-sitemap-generator spiders a web server and displays its
 3416     directory structure along with number and types of files in each
 3417     folder. Note that files listed as having an 'Other' extension are
 3418     ones that have no extension or that are a root document. [Piotr
 3419     Olma]
 3421   + http-slowloris-check tests a web server for vulnerability to the
 3422     Slowloris DoS attack without actually launching a DoS
 3423     attack. [Aleksandar Nikolic]
 3425   + http-slowloris tests a web server for vulnerability to the
 3426     Slowloris DoS attack by launching a Slowloris attack. [Aleksandar
 3427     Nikolic, Ange Gutek]
 3429   + http-tplink-dir-traversal exploits a directory traversal
 3430     vulnerability existing in several TP-Link wireless
 3431     routers. Attackers may exploit this vulnerability to read any of
 3432     the configuration and password files remotely and without
 3433     authentication. [Paulino Calderon]
 3435   + http-traceroute exploits the Max-Forwards HTTP header to detect
 3436     the presence of reverse proxies. [Hani Benhabiles]
 3438   + http-virustotal checks whether a file has been determined as
 3439     malware by virustotal. Virustotal is a service that provides the
 3440     capability to scan a file or check a checksum against a number of
 3441     the major antivirus vendors. [Patrik Karlsson]
 3443   + http-vlcstreamer-ls connects to a VLC Streamer helper service and
 3444     lists directory contents. The VLC Streamer helper service is used
 3445     by the iOS VLC Streamer application to enable streaming of
 3446     multimedia content from the remote server to the device. [Patrik
 3447     Karlsson]
 3449   + http-vuln-cve2010-0738 tests whether a JBoss target is vulnerable
 3450     to jmx console authentication bypass (CVE-2010-0738). [Hani
 3451     Benhabiles]
 3453   + http-waf-fingerprint tries to detect the presence of a web
 3454     application firewall and its type and version. [Hani Benhabiles]
 3456   + icap-info tests a list of known ICAP service names and prints
 3457     information about any it detects. The Internet Content Adaptation
 3458     Protocol (ICAP) is used to extend transparent proxy servers and is
 3459     generally used for content filtering and antivirus
 3460     scanning. [Patrik Karlsson]
 3462   + ip-forwarding detects whether the remote device has ip forwarding
 3463     or "Internet connection sharing" enabled, by sending an ICMP echo
 3464     request to a given target using the scanned host as default
 3465     gateway. [Patrik Karlsson]
 3467   + ipv6-ra-flood generates a flood of Router Advertisements (RA) with
 3468     random source MAC addresses and IPv6 prefixes. Computers that
 3469     have stateless autoconfiguration enabled (the default on every major
 3470     OS) will start to compute IPv6 suffixes and update their routing
 3471     tables to reflect the accepted announcements. This will cause 100%
 3472     CPU usage on Windows and other platforms, preventing them from
 3473     processing other application requests. [Adam Stevko]
 3475   + irc-sasl-brute performs brute force password auditing against IRC
 3476     (Internet Relay Chat) servers supporting SASL
 3477     authentication. [Piotr Olma]
 3479   + isns-info lists portals and iSCSI nodes registered with the
 3480     Internet Storage Name Service (iSNS). [Patrik Karlsson]
 3482   + jdwp-exec attempts to exploit Java's remote debugging port. When
 3483     the remote debugging port is left open, it is possible to inject Java
 3484     bytecode and achieve remote code execution.  This script abuses
 3485     this to inject and execute a Java class file that executes the
 3486     supplied shell command and returns its output. [Aleksandar
 3487     Nikolic]
 3489   + jdwp-info attempts to exploit Java's remote debugging port.  When
 3490     the remote debugging port is left open, it is possible to inject Java
 3491     bytecode and achieve remote code execution.  This script injects
 3492     and executes a Java class file that returns remote system
 3493     information. [Aleksandar Nikolic]
 3495   + jdwp-inject attempts to exploit Java's remote debugging port.
 3496     When the remote debugging port is left open, it is possible to inject
 3497     Java bytecode and achieve remote code execution.  This script
 3498     allows injection of arbitrary class files. [Aleksandar Nikolic]
 3500   + llmnr-resolve resolves a hostname by using the LLMNR (Link-Local
 3501     Multicast Name Resolution) protocol. [Hani Benhabiles]
 3503   + mcafee-epo-agent checks whether the ePO agent is running on port 8081
 3504     or on the port identified as the ePO Agent port. [Didier Stevens and
 3505     Daniel Miller]
 3507   + metasploit-info gathers info from the Metasploit RPC service.  It
 3508     requires a valid login pair. After authentication it tries to
 3509     determine Metasploit version and deduce the OS type.  Then it
 3510     creates a new console and executes a few commands to get additional
 3511     info. [Aleksandar Nikolic]
 3513   + metasploit-msgrpc-brute performs brute force username and password
 3514     auditing against Metasploit msgrpc interface. [Aleksandar Nikolic]
 3516   + mmouse-brute performs brute force password auditing against the
 3517     RPA Tech Mobile Mouse servers. [Patrik Karlsson]
 3519   + mmouse-exec connects to an RPA Tech Mobile Mouse server, starts an
 3520     application and sends a sequence of keys to it. Any application
 3521     that the user has access to can be started and the key sequence is
 3522     sent to the application after it has been started. [Patrik
 3523     Karlsson]
 3525   + mrinfo queries targets for multicast routing information. [Hani
 3526     Benhabiles]
 3528   + msrpc-enum queries an MSRPC endpoint mapper for a list of mapped
 3529     services and displays the gathered information. [Aleksandar
 3530     Nikolic]
 3532   + ms-sql-dac queries the Microsoft SQL Browser service for the DAC
 3533     (Dedicated Admin Connection) port of a given (or all) SQL Server
 3534     instance. The DAC port is used to connect to the database instance
 3535     when normal connection attempts fail, for example, when server is
 3536     hanging, out of memory or in other bad states. [Patrik Karlsson]
 3538   + mtrace queries for the multicast path from a source to a
 3539     destination host. [Hani Benhabiles]
 3541   + mysql-dump-hashes dumps the password hashes from a MySQL server
 3542     in a format suitable for cracking by tools such as John the
 3543     Ripper.  Appropriate DB privileges (root) are required. [Patrik
 3544     Karlsson]
 3546   + mysql-query runs a query against a MySQL database and returns the
 3547     results as a table. [Patrik Karlsson]
 3549   + mysql-vuln-cve2012-2122 attempts to bypass authentication in MySQL
 3550     and MariaDB servers by exploiting CVE-2012-2122. If it is vulnerable,
 3551     it will also attempt to dump the MySQL usernames and password
 3552     hashes. [Paulino Calderon]
 3554   + oracle-brute-stealth exploits the CVE-2012-3137 vulnerability, a
 3555     weakness in Oracle's O5LOGIN authentication scheme.  The
 3556     vulnerability exists in Oracle 11g R1/R2 and allows linking the
 3557     session key to a password hash. [Dhiru Kholia]
 3559   + pcanywhere-brute performs brute force password auditing against
 3560     the pcAnywhere remote access protocol. [Aleksandar Nikolic]
 3562   + rdp-enum-encryption determines which Security layer and Encryption
 3563     level are supported by the RDP service. It does so by cycling
 3564     through all existing protocols and ciphers. [Patrik Karlsson]
 3566   + rmi-vuln-classloader tests whether Java rmiregistry allows class
 3567     loading.  The default configuration of rmiregistry allows loading
 3568     classes from remote URLs, which can lead to remote code
 3569     execution. The vendor (Oracle/Sun) classifies this as a design
 3570     feature. [Aleksandar Nikolic]
 3572   + rpc-grind fingerprints the target RPC port to extract the target
 3573     service, RPC number and version. [Hani Benhabiles]
 3575   + sip-call-spoof spoofs a call to a SIP phone and detects the action
 3576     taken by the target (busy, declined, hung up, etc.) [Hani
 3577     Benhabiles]
 3579   + sip-methods enumerates a SIP Server's allowed methods (INVITE,
 3580     OPTIONS, SUBSCRIBE, etc.) [Hani Benhabiles]
 3582   + smb-ls attempts to retrieve useful information about files shared
 3583     on SMB volumes.  The output is intended to resemble the output of
 3584     the UNIX ls command. [Patrik Karlsson]
 3586   + smb-print-text attempts to print text on a shared printer by
 3587     calling Print Spooler Service RPC functions. [Aleksandar Nikolic]
 3589   + smb-vuln-ms10-054 tests whether target machines are vulnerable to
 3590     the ms10-054 SMB remote memory corruption
 3591     vulnerability. [Aleksandar Nikolic]
 3593   + smb-vuln-ms10-061 tests whether target machines are vulnerable to
 3594     ms10-061 Printer Spooler impersonation vulnerability. [Aleksandar
 3595     Nikolic]
 3597   + snmp-hh3c-logins attempts to enumerate Huawei / HP/H3C Locally
 3598     Defined Users through the hh3c-user.mib OID. [Kurt Grutzmacher]
 3600   + ssl-date retrieves a target host's time and date from its TLS
 3601     ServerHello response. [Aleksandar Nikolic]
 3603   + tls-nextprotoneg enumerates a TLS server's supported protocols by
 3604     using the next protocol negotiation extension. [Hani Benhabiles]
 3606   + traceroute-geolocation lists the geographic locations of each hop
 3607     in a traceroute and optionally saves the results to a KML file,
 3608     plottable on Google earth and maps. [Patrik Karlsson]
 3610 o [NSE] Added 12 new protocol libraries, bringing our total to 105!  Here
 3611   they are, with authors enclosed in brackets:
 3612   + ajp (Apache JServ Protocol) [Patrik Karlsson]
 3613   + base32 (Base32 encoding/decoding - RFC 4648) [Philip Pickering]
 3614   + bjnp (Canon BJNP printer/scanner discovery protocol) [Patrik Karlsson]
 3615   + cassandra (Cassandra database protocol) [Vlatko Kosturjak]
 3616   + eigrp (Cisco Enhanced Interior Gateway Routing Protocol) [Hani Benhabiles]
 3617   + gps (Global Positioning System - does GPRMC NMEA decoding) [Patrik Karlsson]
 3618   + ipp (CUPS Internet Printing Protocol) [Patrik Karlsson]
 3619   + isns (Internet Storage Name Service) [Patrik Karlsson]
 3620   + jdwp (Java Debug Wire Protocol) [Aleksandar Nikolic]
 3621   + mobileme (a service for managing Apple/Mac devices) [Patrik Karlsson]
 3622   + ospf (Open Shortest Path First routing protocol) [Patrik Karlsson]
 3623   + rdp (Remote Desktop Protocol) [Patrik Karlsson]
 3625 o Added Common Platform Enumeration (CPE) identifiers to nearly 1,000
 3626   more OS detection signatures.  Nmap 6.01 had them for 2,608 of 3,572
 3627   fingerprints (73%) and now we have them for 3,558 out of 3,946
 3628   (90%). [David Fifield]
 3630 o Scans that use OS sockets (including TCP connect scan, version
 3631   detection, and script scan) now use the SO_BINDTODEVICE sockopt on
 3632   Linux, so that the -e (select network device) option is
 3633   honored. [David Fifield]
 3635 o [Zenmap] Host filters can now do negative matching, for example you
 3636   can use "os:!linux" to match hosts NOT detected as Linux. [Daniel
 3637   Miller]
 3639 o Fixed a bug that caused an incorrect source address to be set when
 3640   scanning certain addresses (apparently those ending in .0) on
 3641   Windows XP. The symptom of this bug was the messages
 3642     get_srcaddr: can't connect socket: The requested address is not valid in its context.
 3643     Failed to convert source address to presentation format!?!  Error: Unknown error
 3644   Thanks to Robert Washam and Jorge Hernandez for reports and help
 3645   debugging. [David Fifield]
 3647 o Upgraded the included OpenSSL to version 1.0.1c. [David Fifield]
 3649 o [NSE] Added changes to brute and unpwdb libraries to allow more
 3650   flexible iterator specification and control. [Aleksandar Nikolic]
 3652 o Tested that our WinPcap installer works on Windows 8 and Windows
 3653   Server 2012 build 8400.  Updated the installer text to recommend that
 3654   users select the option to start 'NPF' at startup. [Rob Nicholls]
 3656 o Changed libdnet's routing interface to return an interface name for
 3657   each route on the most common operating systems. This is used to
 3658   improve the quality of Nmap's matching of routes to interfaces,
 3659   which was previously done by matching routes to interface addresses.
 3660   [Djalal Harouni, David Fifield]
 3662 o Fixed a bug that prevented Nmap from finding any interfaces when one
 3663   of them had the type ARPHDR_INFINIBAND; this was the case for
 3664   IP-over-InfiniBand interfaces. However, this support is not complete
 3665   since IPoIB interfaces use 20 bytes for the hardware address, and
 3666   currently we only report and handle 6 bytes.
 3667   Nmap IP level scans should work without any problem, please refer to
 3668   the '--send-ip' switch and to the following thread:
 3669   http://seclists.org/nmap-dev/2012/q3/642
 3670   This bug was reported by starlight.2012q3. [Djalal Harouni]
 3672 o Fixed a bug that prevented Nmap from finding any interfaces when one
 3673   of them had the type ARPHDR_IEEE80211; this was the case for wireless
 3674   interfaces operating in access point mode. This bug was reported by
 3675   Sebastiaan Vileijn. [Djalal Harouni]
 3677 o Updated the Zenmap desktop icons on Windows, Linux, and Mac with higher
 3678   resolution ones. [Sean Rivera, David Fifield]
 3680 o [NSE] Script results for a host or service are now sorted
 3681   alphabetically by script name. [Sean Rivera]
 3683 o Fixed a bug that prevented Nmap from finding any interfaces when any
 3684   interface had the type ARPHRD_VOID; this was the case for OpenVZ
 3685   venet interfaces. [Djalal Harouni, David Fifield]
 3687 o Linux unreachable routes are now properly ignored. [David Fifield]
 3689 o Added Dan Miller as an Nmap committer.  He has done a ton of great
 3690   work on Nmap, as you can see by searching for him in this CHANGELOG
 3691   or reading the Nmap committers list at
 3692   https://svn.nmap.org/nmap/docs/committers.txt .
 3694 o Added a new --disable-arp-ping option. This option prevents Nmap
 3695   from implicitly using ARP or ND host discovery for discovering
 3696   directly connected Ethernet targets. This is useful in networks
 3697   using proxy ARP, which make all addresses appear to be up using ARP
 3698   scan. The previously recommended workaround for this situation,
 3699   --send-ip, didn't work on Windows because that lame excuse for an
 3700   operating system is still missing raw socket support.  [David
 3701   Fifield (editorializing added by Fyodor)]
 3703 o Protocol scan (-sO) probes for TCP, UDP, and SCTP now go to ports
 3704   80, 40125, and 80 respectively, instead of being randomly generated
 3705   or going to the same port as the source port. [David Fifield]
 3707 o The Nmap --log-errors functionality (including errors and warnings
 3708   in the normal-format output file) is now always true, whether you
 3709   pass that option or not. [Sean Rivera]
 3711 o [NSE] Rewrote ftp-brute script to use the brute library for
 3712   performing password auditing. [Aleksandar Nikolic]
 3714 o Reduced the size of Port structures by about two thirds (from 176 to
 3715   64 bytes on x86_64). They had accidentally grown during the IPv6
 3716   code merge. [David Fifield]
 3718 o Made source port numbers (used to encode probe metadata) increment
 3719   so as not to overlap between different scanning phases. Previously
 3720   it was possible for an RST response to an ACK probe from host
 3721   discovery to be misinterpreted as a reply to a SYN probe from port
 3722   scanning. [Sean Rivera, David Fifield]
 3724 o [NSE] Added support for ECDSA keys to ssh-hostkey.nse. [Adam Števko]
 3726 o Changed the CPE for Linux from cpe:/o:linux:kernel to
 3727   cpe:/o:linux:linux_kernel to reflect deprecation in the official CPE
 3728   dictionary.
 3730 o Added some additional CPE entries to nmap-service-probes.
 3731   [Dillon Graham]
 3733 o Fixed an assertion failure with IPv6 traceroute trying to use an
 3734   unsupported protocol:
 3735     nmap: traceroute.cc:749: virtual unsigned char*
 3736     UDPProbe::build_packet(const sockaddr_storage*, u32*) const: Assertion
 3737     `source->ss_family == 2' failed.
 3738   This was reported by Pierre Emeriaud. [David Fifield]
 3740 o Added version detection signatures for half a dozen new or changed
 3741   products. [Tom Sellers]
 3743 o Fixed protocol number-to-name mapping. A patch was contributed by
 3744   hejianet.
 3746 o [NSE] The nmap.ip_send function now takes a second argument, the
 3747   destination to send to. Previously the destination address was taken
 3748   from the packet buffer, but this failed for IPv6 link-local
 3749   addresses, because the scope ID is not part of the packet. Calling
 3750   ip_send without a destination address will continue to use the old
 3751   behavior, but this practice is deprecated.
 3753 o Increased portability of configure scripts on systems using a libc
 3754   other than Glibc. Several problems were reported by John Spencer.
 3756 o [NSE] Fixed a bug in rpc-grind.nse that would cause unresponsive UDP
 3757   ports to be wrongly marked open. This was reported by Christopher
 3758   Clements. [David Fifield]
 3760 o [Ncat] Close connection endpoint when receiving EOF on
 3761   stdin. [Michal Hlavinka].
 3763 o Fixed interface listing on NetBSD. The bug was first noticed by
 3764   Fredrik Pettai and diagnosed by Jan Schaumann. [David Fifield]
 3766 o [Ncat] Applied a blocking-socket workaround for a bug that could
 3767   prevent some sends from working in listen mode. The problem was
 3768   reported by Jonas Wielicki. [Alex Weber, David Fifield]
 3770 o [NSE] Updated mssql.lua library to support additional data types,
 3771   enhanced some of the existing data types, added the DoneProc
 3772   response token, and reordered code for maintainability. [Tom
 3773   Sellers]
 3775 o [Nping] Nping now prints out an error and exits when the user tries to use
 3776   the -p flag for a scan option where that is meaningless. [Sean Rivera]
 3778 o [NSE] Added spoolss functions and constants to msrpc.lua. [Aleksandar Nikolic]
 3780 o [NSE] Reduced the number of names tried by http-vhosts by default.
 3781   [Vlatko Kosturjak]
 3783 o [Zenmap] Fixed a crash when using the en_NG locale: "ValueError:
 3784   unknown locale: en_NG" [David Fifield]
 3786 o [NSE] Fixed some bugs in snmp-interfaces which prevented the script from
 3787   outputting discovered interface info and caused it to abort in the
 3788   pre-scanning phase. [jah]
 3790 o [NSE] Do a connect on rpc-grind (rpc.lua) UDP sockets so that socket_lock
 3791   is invoked.  This is necessary to avoid "Too many open files" errors if
 3792   RPC grind creates an excessive number of sockets.  We should have a
 3793   cleaner general solution for this, and not require scripts to "connect"
 3794   their unconnected UDP sockets.  But there may be a good reason for
 3795   enforcing socket locking only on connect, not on creation. [David Fifield]
 3797 o [NSE] The lltd-discovery script now parses for hostnames and outputs network
 3798   card manufacturer. [Hani Benhabiles]
 3800 o Added protocol specific payloads for IPv6 hop-by-hop (0x00), routing (0x2b),
 3801   fragment (0x2c), and destination (0x3c). [Sean Rivera]
 3803 o [NSE] Added support for decoding OSPF Hello packets to broadcast-listener.
 3804   [Hani Benhabiles]
 3806 o [NSE] Fixed a false positive in http-vuln-cve2011-3192.nse, which detected
 3807   Apache 2.2.22 as vulnerable. [Michael Meyer]
 3809 o [NSE] Modified multiple scripts that operated against HTTP based services
 3810   so as to remove false positives that were generated when the target service
 3811   answers with a 200 response to all requests. [Tom Sellers]
 3813 o [NSOCK] Fixed an epoll-engine-specific bug. The engine didn't recognize FDs
 3814   that were internally closed and replaced by other ones. This happened during
 3815   reconnect attempts. Also, the IOD flags were not properly cleared.
 3816   [Henri Doreau, Daniel Miller]
 3818 o Added support for log type bitmasks in log_vwrite(). Also replaced a fatal()
 3819   statement by an assert(0) to get rid of a possible infinite call loop when
 3820   passed an invalid log type. [Henri Doreau]
 3822 o Added handling for the unexpected error WSAENETRESET (10052). This error is
 3823   currently wrapped in the ifdef for WIN32 as the error appears to be unique
 3824   to Windows. [Sean Rivera]
 3826 o [NSE] Added default values for Expires, Call-ID, Allow and Content-Length
 3827   headers in SIP requests and removed redundant code in sip library.
 3828   [Hani Benhabiles]
 3830 o [NSE] Calling methods of unconnected sockets now causes the usual
 3831   error code return value, instead of raising a Lua error. The problem
 3832   was noticed by Daniel Miller. [David Fifield]
 3834 o [NSE] Added AUTH_UNIX support to the rpc library and NFS scripts.
 3835   [Daniel Miller]
 3837 o [Zenmap] Fixed a crash in the profile editor that would happen when
 3838   the nmap binary couldn't be found. [David Fifield]
 3840 o Made the various Makefiles' treatment of makefile.dep uniform:
 3841   "make clean" keeps the file and "make distclean" deletes it.
 3842   [Michael McTernan]
 3844 o [NSE] Fixed dozens of scripts and libraries to work better on
 3845   systems which don't have OpenSSL available. [Patrik Karlsson]
 3847 o [Ncat] --output logging now works in UDP mode. Thanks to Michal
 3848   Hlavinka for reporting the bug. [David Fifield]
 3850 o [NSE] More Windows 7 and Windows 2008 fixes for the smb library and smb-ls
 3851   scripts. [Patrik Karlsson]
 3853 o [NSE] Added SPNEGO authentication supporting Windows 7 and Windows 2008 to
 3854   the smb library. [Patrik Karlsson]
 3856 o [NSE] Changed http-brute so that it works against the root path
 3857   ("/") by default rather than always requiring the http-brute.path
 3858   script argument. [Fyodor]
 3860 o [NSE] Applied patch from Daniel Miller that fixes bug in several scripts and
 3861   libraries http://seclists.org/nmap-dev/2012/q2/593 [Daniel Miller]
 3863 o [Zenmap] Added Italian translation by Francesco Tombolini and
 3864   Japanese translation by Yujiy Tounai.  Some typos in the Japanese
 3865   translation were corrected by OKANO Takayoshi.
 3867 o [NSE] Rewrote mysql-brute to use brute library [Aleksandar Nikolic]
 3869 o Improved the mysql library to handle multiple columns with the same name,
 3870   added a formatResultset function to format a query response to a table
 3871   suitable for script output. [Patrik Karlsson]
 3873 o The message "nexthost: failed to determine route to ..." is now a
 3874   warning rather than a fatal error. Addresses that are skipped in
 3875   this way are recorded in the XML output as "target" elements. [David
 3876   Fifield]
 3878 o [NSE] targets-sniffer now is capable of sniffing IPv6 addresses.
 3879   [Daniel Miller]
 3881 o [NSE] Ported the pop3-brute script to use the brute library.
 3882   [Piotr Olma]
 3884 o [NSE] Added an error message indicating script failure, when Nmap is being
 3885   run in non verbose/debug mode. [Patrik Karlsson]
 3887 o Service-scan information is now included in XML and grepable output
 3888   even if -sV wasn't used. This information can be set by scripts in the
 3889   absence of -sV. [Daniel Miller]
 3891 Nmap 6.01 [2012-06-16]
 3893 o [Zenmap] Fixed a hang that would occur on Mac OS X 10.7. A symptom
 3894   of the hang was this message in the system console:
 3895   "Couldn't recognize the image file format for file
 3896   '/Applications/Zenmap.app/Contents/MacOS/../Resources/share/zenmap/pixmaps/radialnet/padlock.png'".
 3897   [David Fifield]
 3899 o [Zenmap] Fixed a crash that happened when activating the host filter.
 3900       File "zenmapCore\SearchResult.pyo", line 155, in match_os
 3901     KeyError: 'osmatches'
 3902   [jah]
 3904 o Fixed an error that occurred when scanning certain addresses like
 3905   on Windows XP:
 3906     get_srcaddr: can't connect socket: The requested address is not valid in its context.
 3907     nexthost: failed to determine route to
 3908   [David Fifield]
 3910 o Fixed a bug that caused Nmap to fail to find any network interface when
 3911   at least one of them is in the monitor mode. The fix was to define the
 3912   ARP_HRD_IEEE80211_RADIOTAP 802.11 radiotap header identifier in the
 3913   libdnet-stripped code. Network interfaces that are in this mode are used
 3914   by radiotap for 802.11 frame injection and reception. The bug was
 3915   reported by Tom Eichstaedt and Henri Doreau.
 3916   http://seclists.org/nmap-dev/2012/q2/449
 3917   http://seclists.org/nmap-dev/2012/q2/478
 3918   [Djalal Harouni, Henri Doreau]
 3920 o Fixed the greppable output of hosts that time-out (when --host-timeout was
 3921   used and the host timed-out after something was received from that host).
 3922   This issue was reported by Matthew Morgan. [jah]
 3924 o [Zenmap] Updated the version of Python used to build the Windows
 3925   release from 2.7.1 to 2.7.3 to remove a false-positive security
 3926   alarm flagged by tools such as Secunia PSI. There was a minor
 3927   vulnerability in certain Python27.dll web functionality (which Nmap
 3928   doesn't use anyway) and Secunia was flagging all software which
 3929   includes that version of Python27.dll. This update should prevent
 3930   the false alarm.
 3932 Nmap 6.00 [2012-05-21]
 3934 o Most important release since Nmap 5.00 in July 2009! For a list of
 3935   the most significant improvements and new features, see the
 3936   announcement at: https://nmap.org/6/
 3938 o In XML output, "osclass" elements are now child elements of the
 3939   "osmatch" they belong to. Old output was thus:
 3940     <os><osclass/><osclass/>...<osmatch/><osmatch/>...</os>
 3941   New output is:
 3942     <os><osmatch><osclass/><osclass/>...</osmatch>...</os>
 3943   The option --deprecated-xml-osclass restores the old output, in case
 3944   you use an Nmap XML parser that doesn't understand the new
 3945   structure. The xmloutputversion has been increased to 1.04.
 3947 o Added a new "target" element to XML output that indicates when a
 3948   target specification was ignored, perhaps because of a syntax error
 3949   or DNS failure. It looks like this:
 3950     <target specification="" status="skipped" reason="invalid"/>
 3951   [David Fifield]
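The two XML changes above (osclass nested under its osmatch from xmloutputversion 1.04 on, and the skipped "target" element) are exactly the kind of change that silently breaks downstream parsers. As an added example, not Nmap's own code, the following Python parser handles both the old flat osclass layout and the new nested one and collects skipped targets; the nmaprun document it parses is constructed for illustration (it mixes both layouts on purpose to exercise both code paths) and is not real scan output.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not real scan output): the first host uses the 1.04
# nested layout, the second the old flat layout (as produced by older Nmap
# or by --deprecated-xml-osclass), and one target specification was skipped.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" xmloutputversion="1.04">
  <target specification="bad..name" status="skipped" reason="invalid"/>
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <os>
      <osmatch name="Linux 3.X" accuracy="95">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux"
                 osgen="3.X" accuracy="95">
          <cpe>cpe:/o:linux:linux_kernel:3</cpe>
        </osclass>
      </osmatch>
    </os>
  </host>
  <host>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <os>
      <osclass type="router" vendor="Cisco" osfamily="IOS" accuracy="90"/>
      <osmatch name="Cisco IOS 12.X" accuracy="90"/>
    </os>
  </host>
</nmaprun>
"""


def parse_osclass(elem):
    """Flatten one <osclass> element, including any <cpe> children."""
    info = {k: elem.get(k) for k in ("type", "vendor", "osfamily", "osgen", "accuracy")}
    info["cpe"] = [c.text for c in elem.findall("cpe")]
    return info


def os_info(host):
    """Return OS matches for one <host>, coping with both osclass layouts.

    With the nested layout each class is attributed to its <osmatch>. With
    the flat layout the association is not recorded in the XML, so those
    classes are returned separately under "unattributed_classes" rather
    than being guessed onto a match.
    """
    result = {"matches": [], "unattributed_classes": []}
    os_elem = host.find("os")
    if os_elem is None:
        return result
    for m in os_elem.findall("osmatch"):
        result["matches"].append({
            "name": m.get("name"),
            "accuracy": int(m.get("accuracy", "0")),
            "classes": [parse_osclass(c) for c in m.findall("osclass")],
        })
    # Direct <osclass> children of <os> only exist in the old layout.
    result["unattributed_classes"] = [
        parse_osclass(c) for c in os_elem.findall("osclass")
    ]
    return result


def parse_nmap_xml(text):
    """Parse an nmaprun document into per-host OS info plus skipped targets."""
    root = ET.fromstring(text)
    hosts = {}
    for h in root.findall("host"):
        addr = h.find("address").get("addr")
        hosts[addr] = os_info(h)
    # <target status="skipped"> records specifications Nmap could not scan,
    # e.g. syntax errors, DNS failures, or "failed to determine route".
    skipped = [
        (t.get("specification"), t.get("reason"))
        for t in root.findall("target")
        if t.get("status") == "skipped"
    ]
    return {
        "xmloutputversion": root.get("xmloutputversion"),
        "hosts": hosts,
        "skipped": skipped,
    }


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    for addr, info in parsed["hosts"].items():
        print(addr, info)
    print("skipped:", parsed["skipped"])
```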
 3953 o [NSE] Added the script samba-vuln-cve-2012-1182 which detects the
 3954   SAMBA pre-auth remote root vulnerability (CVE-2012-1182).
 3955   [Aleksandar Nikolic]
 3957 o [NSE] Added http-vuln-cve2012-1823.nse, which checks for PHP CGI
 3958   installations with a remote code execution vulnerability. [Paulino
 3959   Calderon]
 3961 o [NSE] Added script targets-ipv6-mld that sends a malformed ICMP6 MLD Query
 3962   to discover IPv6 enabled hosts on the LAN. [Niteesh Kumar]
 3964 o [NSE] Added rdp-vuln-ms12-020.nse by Aleksandar Nikolic. This tests
 3965   for two Remote Desktop vulnerabilities, including one allowing
 3966   remote code execution, that were fixed in the MS12-020 advisory.
 3968 o [NSE] Added a stun library and the scripts stun-version and stun-info, which
 3969   extract version information and the external NAT:ed address.
 3970   [Patrik Karlsson]
 3972 o [NSE] Added the script duplicates which attempts to determine duplicate
 3973   hosts by analyzing information collected by other scripts. [Patrik Karlsson]
 3975 o Fixed the routing table loop on OS X so that on-link routes appear.
 3976   Previously, they were ignored so that things like ARP scan didn't
 3977   work. [Patrik Karlsson, David Fifield]
 3979 o Upgraded included libpcap to version 1.2.1.
 3981 o [NSE] Added ciphers from RFC 5932 and Fortezza-based ciphers to
 3982   ssl-enum-ciphers.nse. The patch was submitted by Darren McDonald.
 3984 o [NSE] Renamed hostmap.nse to hostmap-bfk.nse.
 3986 o Fixed a compilation problem on Solaris 9 caused by a missing
 3987   definition of IPV6_V6ONLY. Reported by Dagobert Michelsen.
 3989 o Setting --min-parallelism by itself no longer forces the maximum
 3990   parallelism to the same value. [Chris Woodbury, David Fifield]
 3992 o Changed XML output to show the "service" element whenever a tunnel
 3993   is discovered for a port, even if the service behind it was unknown.
 3994   [Matt Foster]
 3996 o [Zenmap] Fixed a crash that would happen in the profile editor when
 3997   the script.db file doesn't exist. The bug was reported by Daniel
 3998   Miller.
 4000 o [Zenmap] It is now possible to compare scans having the same name or
 4001   command line parameters. [Jah, David Fifield]
 4003 o Fixed an error that could occur with ICMPv6 probes and -d4 debugging:
 4004   "Unexpected probespec2ascii type encountered" [David Fifield]
 4006 o [NSE] Added new script http-chrono, which measures min, max and average
 4007   response times of web servers. [Ange Gutek]
 4009 o Applied a workaround to make pcap captures work better on Solaris
 4010   10. This involves peeking at the pcap buffer to ensure that captures
 4011   are not being lost. A symptom of the previous behavior was that,
 4012   when doing ARP host discovery against two targets, only one would be
 4013   reported as up. [David Fifield]
 4015 o Fixed a bug that could cause Nsock timers to fire too early. This
 4016   could happen for the timed probes in IPv6 OS detection, causing an
 4017   incorrect measurement of the TCP_ISR feature. [David Fifield]
 4019 o [Zenmap] We now build on Windows with a newer version of PyGTK, so
 4020   copy and paste should work again.
 4022 o Changed the way timeout calculations are made in the IPv6 OS engine.
 4023   In rare cases a certain interleaving of probes and responses would
 4024   result in an assertion failure.
 4026 Nmap 5.61TEST5 [2012-03-09]
 4028 o Integrated all of your IPv4 OS fingerprint submissions since June
 4029   2011 (about 1,900 of them).  Added about 256 new fingerprints (and
 4030   deleted some bogus ones), bringing the new total to 3,572.
 4031   Additions include Apple iOS 5.01, OpenBSD 4.9 and 5.0, FreeBSD 7.0
 4032   through 9.0-PRERELEASE, and a ton of new WAPs, routers, and other
 4033   devices. Many existing fingerprints were improved. For more details,
 4034   see http://seclists.org/nmap-dev/2012/q1/431 [David Fifield]
 4036 o Integrated all of your service/version detection fingerprints
 4037   submitted since November 2010--more than 2,500 of them!  Our
 4038   signature count increased more than 10% to 7,423 covering 862
 4039   protocols. Some amusing and bizarre new services are described at
 4040   http://seclists.org/nmap-dev/2012/q1/359 [David Fifield]
 4042 o Integrated your latest IPv6 OS submissions and corrections. We're
 4043   still low on IPv6 fingerprints, so please scan any IPv6 systems you
 4044   own or administer and submit them to https://nmap.org/submit/.  Both
 4045   new fingerprints (if Nmap doesn't find a good match) and corrections
 4046   (if Nmap guesses wrong) are useful.
 4048 o [NSE] Added a host-based registry which only persists (for the given
 4049   host) until all scripts have finished scanning that host. The normal
 4050   registry saves information until it is deleted or the Nmap scan
 4051   ends. That is a waste of memory for information which doesn't need
 4052   to persist that long. Use the host based registry instead if you
 4053   can. See https://nmap.org/book/nse-api.html#nse-api-registry. [Patrik
 4054   Karlsson]
 4056 o IPv6 OS detection now includes a novelty detection system which
 4057   avoids printing a match when an observed fingerprint is too
 4058   different from fingerprints seen before. As the OS database is still
 4059   small, this helps to avoid making (essentially) wild guesses when
 4060   seeing a new operating system. [David Fifield]
 4062 o Refactored the nsock library to add the nsock-engines system. This
 4063   allows system-specific scalable IO notification facilities to be
 4064   used while maintaining the portable Nsock API. This initial version
 4065   comes with an epoll-based engine for Linux and a select-based
 4066   fallback engine for all other operating systems. Also added the
 4067   --nsock-engine option to Nmap, Nping and Ncat to enforce use of a
 4068   specific Nsock IO engine. [Henri Doreau]
 4070 o [NSE] Added 43(!) NSE scripts, bringing the total up to 340.  They
 4071   are all listed at https://nmap.org/nsedoc/, and the summaries are
 4072   below (authors are listed in brackets):
 4074   + acarsd-info retrieves information from a listening acarsd
 4075     daemon. Acarsd decodes ACARS (Aircraft Communication Addressing
 4076     and Reporting System) data in real time. [Brendan Coles]
 4078   + asn-to-prefix produces a list of IP prefixes for a given AS number
 4079     (ASN). It uses the external Shadowserver API (with their
 4080     permission). [John Bond]
 4082   + broadcast-dhcp6-discover sends a DHCPv6 request (Solicit) to the
 4083     DHCPv6 multicast address, parses the response, then extracts and
 4084     prints the address along with any options returned by the
 4085     server. [Patrik Karlsson]
 4087   + broadcast-networker-discover discovers the EMC Networker backup
 4088     software server on a LAN by using network broadcasts. [Patrik Karlsson]
 4090   + broadcast-pppoe-discover discovers PPPoE servers using the PPPoE
 4091     Discovery protocol (PPPoED). [Patrik Karlsson]
 4093   + broadcast-ripng-discover discovers hosts and routing information
 4094     from devices running RIPng on the LAN by sending a RIPng Request
 4095     command and collecting the responses from all responsive
 4096     devices. [Patrik Karlsson]
 4098   + broadcast-versant-locate discovers Versant object databases using
 4099     the srvloc protocol. [Patrik Karlsson]
 4101   + broadcast-xdmcp-discover discovers servers running the X Display
 4102     Manager Control Protocol (XDMCP) by sending a XDMCP broadcast
 4103     request to the LAN. [Patrik Karlsson]
 4105   + cccam-version detects the CCcam service (software for sharing
 4106     subscription TV among multiple receivers). [David Fifield]
 4108   + dns-client-subnet-scan performs a domain lookup using the
 4109     edns-client-subnet option that adds support for adding subnet
 4110     information to the query describing where the query is
 4111     originating. The script uses this option to supply a number of
 4112     geographically distributed locations in an attempt to enumerate as
 4113     many different address records as possible. [John Bond]
 4115   + dns-nsid retrieves information from a DNS nameserver by requesting
 4116     its nameserver ID (nsid) and asking for its id.server and
 4117     version.bind values. [John Bond]
 4119   + dns-srv-enum enumerates various common service (SRV) records for a
 4120     given domain name.  The service records contain the hostname, port
 4121     and priority of servers for a given service. [Patrik Karlsson]
 4123   + eap-info enumerates the authentication methods offered by an EAP
 4124     authenticator for a given identity or for the anonymous identity
 4125     if no argument is passed. [Riccardo Cecolin]
 4127   + http-auth-finder spiders a web site to find web pages requiring
 4128     form-based or HTTP-based authentication. [Patrik Karlsson]
 4130   + http-config-backup checks for backups and swap files of common
 4131     content management system and web server configuration
 4132     files. [Riccardo Cecolin]
 4134   + http-generator displays the contents of the "generator" meta tag
 4135     of a web page (default: /) if there is one. [Michael Kohl]
 4137   + http-proxy-brute performs brute force password guessing against a
 4138     HTTP proxy server. [Patrik Karlsson]
 4140   + http-qnap-nas-info attempts to retrieve the model, firmware
 4141     version, and enabled services from a QNAP Network Attached Storage
 4142     (NAS) device. [Brendan Coles]
 4144   + http-vuln-cve2009-3960 exploits cve-2009-3960 also known as Adobe
 4145     XML External Entity Injection. [Hani Benhabiles]
 4147   + http-vuln-cve2010-2861 executes a directory traversal attack
 4148     against a ColdFusion server and tries to grab the password hash
 4149     for the administrator user. It then uses the salt value (hidden in
 4150     the web page) to create the SHA1 HMAC hash that the web server
 4151     needs for authentication as admin. [Micah Hoffman]
 4153   + iax2-brute performs brute force password auditing against the
 4154     Asterisk IAX2 protocol. [Patrik Karlsson]
 4156   + membase-brute performs brute force password auditing against
 4157     Couchbase Membase servers. [Patrik Karlsson]
 4159   + membase-http-info retrieves information (hostname, OS, uptime,
 4160     etc.) from the CouchBase Web Administration port. [Patrik
 4161     Karlsson]
 4163   + memcached-info retrieves information (including system
 4164     architecture, process ID, and server time) from distributed memory
 4165     object caching system memcached. [Patrik Karlsson]
 4167   + mongodb-brute performs brute force password auditing against the
 4168     MongoDB database. [Patrik Karlsson]
 4170   + nat-pmp-mapport maps a WAN port on the router to a local port on
 4171     the client using the NAT Port Mapping Protocol (NAT-PMP). [Patrik
 4172     Karlsson]
 4174   + ndmp-fs-info lists remote file systems by querying the remote
 4175     device using the Network Data Management Protocol (ndmp). [Patrik
 4176     Karlsson]
 4178   + ndmp-version retrieves version information from the remote Network
 4179     Data Management Protocol (NDMP) service. [Patrik Karlsson]
 4181   + nessus-xmlrpc-brute performs brute force password auditing against
 4182     a Nessus vulnerability scanning daemon using the XMLRPC
 4183     protocol. [Patrik Karlsson]
 4185   + redis-brute performs brute force password auditing against a
 4186     Redis key-value store. [Patrik Karlsson]
 4188   + redis-info retrieves information (such as version number and
 4189     architecture) from a Redis key-value store. [Patrik Karlsson]
 4191   + riak-http-info retrieves information (such as node name and
 4192     architecture) from a Basho Riak distributed database using the
 4193     HTTP protocol. [Patrik Karlsson]
 4195   + rpcap-brute performs brute force password auditing against the
 4196     WinPcap Remote Capture Daemon (rpcap). [Patrik Karlsson]
 4198   + rpcap-info connects to the rpcap service (provides remote sniffing
 4199     capabilities through WinPcap) and retrieves interface
 4200     information. [Patrik Karlsson]
 4202   + rsync-brute performs brute force password auditing against the
 4203     rsync remote file syncing protocol. [Patrik Karlsson]
 4205   + rsync-list-modules lists modules available for rsync (remote file
 4206     sync) synchronization. [Patrik Karlsson]
 4208   + socks-auth-info determines the supported authentication mechanisms
 4209     of a remote SOCKS 5 proxy server. [Patrik Karlsson]
 4211   + socks-brute performs brute force password auditing against SOCKS 5
 4212     proxy servers. [Patrik Karlsson]
 4214   + url-snarf sniffs an interface for HTTP traffic and dumps any URLs, and their
 4215     originating IP address. [Patrik Karlsson]
 4217   + versant-info extracts information, including file paths, version
 4218     and database names from a Versant object database. [Patrik
 4219     Karlsson]
 4221   + vmauthd-brute performs brute force password auditing against the
 4222     VMWare Authentication Daemon (vmware-authd). [Patrik Karlsson]
 4224   + voldemort-info retrieves cluster and store information from the
 4225     Voldemort distributed key-value store using the Voldemort Native
 4226     Protocol. [Patrik Karlsson]
 4228   + xdmcp-discover requests an XDMCP (X display manager control
 4229     protocol) session and lists supported authentication and
 4230     authorization mechanisms. [Patrik Karlsson]
 4232 o [NSE] Added 14 new protocol libraries! They were all written by
 4233   Patrik Karlsson, except for the EAP library by Riccardo Cecolin:
 4234   + dhcp6 (Dynamic Host Configuration Protocol for IPv6)
 4235   + eap (Extensible Authentication Protocol)
 4236   + iax2 (Inter-Asterisk eXchange v2 VoIP protocol)
 4237   + membase (Couchbase Membase TAP protocol)
 4238   + natpmp (NAT Port Mapping Protocol)
 4239   + ndmp (Network Data Management Protocol)
 4240   + pppoe (Point-to-point protocol over Ethernet)
 4241   + redis (in-memory key-value data store)
 4242   + rpcap (WinPcap Remote Capture Daemon)
 4243   + rsync (remote file sync)
 4244   + socks (SOCKS 5 proxy protocol)
 4245   + sslcert (for collecting SSL certificates and storing them in the
 4246     host-based registry)
 4247   + versant (an object database)
 4248   + xdmcp (X Display Manager Control Protocol)
 4250 o CPE (Common Platform Enumeration) OS classification is now supported
 4251   for IPv6 OS detection. Previously it was only available for
 4252   IPv4. [David Fifield]
 4254 o [NSE] The host.os table is now a structured array of tables that
 4255   include OS class information and CPE. See
 4256   https://nmap.org/book/nse-api.html for documentation of the new
 4257   structure. [Henri Doreau, David]
 4259 o [NSE] Service matches can now access CPE through the
 4260   port.version.cpe array. [Henri Doreau]
 4262 o Added a new --script-args-file option which allows you to specify
 4263   the name of a file containing all of your desired NSE script
 4264   arguments. The arguments may be separated with commas or newlines
 4265   and may be overridden by arguments specified on the command-line
 4266   with --script-args. [Daniel Miller]
 4268 o Audited the nmap-service-probes database to remove all unused
 4269   captures, fixing dozens of bugs with captures either being ignored
 4270   or two fields erroneously using the same capture. [Lauri Kokkonen,
 4271   David Fifield, and Rob Nicholls]
 4273 o Added new version detection probes and match lines for:
 4274   + Erlang Port Mapper Daemon
 4275   + Couchbase Membase NoSQL database
 4276   + Basho Riak distributed database protocol buffers client (PBC)
 4277   + Tarantool in-memory data store
 4278   [Patrik Karlsson]
 4280 o Split the nmap-update client into its own binary RPM to avoid the
 4281   Nmap RPM having a dependency on the Subversion and APR libraries.
 4282   We're not yet distributing this binary nmap-update RPM since the
 4283   system isn't complete, but the source code is available in the Nmap
 4284   tarball and source RPM. [David]
 4286 o [NSE] Added authentication support to the MongoDB library and
 4287   modified existing scripts to support it. [Patrik Karlsson]
 4289 o [NSE] Added support to broadcast-listener for extracting address, native VLAN
 4290   and management IP address from CDP packets. [Tom Sellers]
 4292 o [NSE] Added RPC Call CALLIT to the RPC library and modified UDP sockets to be
 4293   unconnected in order to support broadcast. [Patrik Karlsson]
 4295 o [NSE] Modified the ssl-cert and ssl-google-cert-catalog scripts to
 4296   take advantage of the new sslcert library which retrieves and caches
 4297   SSL certificates in the registry.
 4299 o [NSE] Patch our bitcoin library to support recent changes in the
 4300   BitCoin protocol. [Andrew Orr, Patrik Karlsson]
 4302 o Fixed an error where very long messages could cause an
 4303   assertion failure: "log_vwrite: vsnprintf failed.  Even after
 4304   increasing bufferlen to ---, Vsnprintf returned -1 (logt == 1)."
 4305   This was reported by David Hingos.
 4307 o Fixed an assertion failure that was printed when a fatal error
 4308   occurred while an XML tag was incomplete: "!xml.tag_open, file
 4309   ..\xml.cc, line 401". This was reported by David Hingos. [David
 4310   Fifield]
 4312 o [NSE] Added support for decoding EIGRP broadcasts from Cisco routers
 4313   to broadcast-listener. [Tom Sellers]
 4315 o [NSE] Added redirect support to the http library. All calls to
 4316   http.get and http.head now transparently handle any HTTP
 4317   redirects. The number and destination of redirects are limited by
 4318   default to avoid endless loops or unwanted follows of redirects to
 4319   different servers, but they can be configured. [Patrik Karlsson]
 4321 o [NSE] Modified the sql-injection script to use the httpspider library.
 4322   [Lauri Kokkonen]
 4324 o Added --with-apr and --with-subversion configuration options to
 4325   support systems where those libraries aren't in the usual places.
 4326   [David Fifield]
 4328 o [NSE] Fixed a bunch of global access errors in various libraries reported by
 4329   the nse_check_globals script. [Patrik Karlsson]
 4331 o Fixed an assertion failure which could occur when connecting to an
 4332   SSL server:
 4333   nsock_core.c:186: update_events: Assertion `(ev_inc & ev_dec) == 0' failed.
 4334   Thanks to Ron for reporting the bug and testing. [Henri Doreau]
 4336 o [NSE] Added support to the DNS library for the CHAOS class and NSID
 4337   requests. [John Bond]
 4339 o [NSE] Changed the dnsbl library to take a much faster threaded
 4340   approach to querying DNS blacklists. [Patrik Karlsson]
 4342 o [NSE] Added new services and the ATTACK category to the dnsbl
 4343   script. [Duarte Silva]
 4345 o [NSE] Fixed a memory leak in PortList::setServiceProbeResults()
 4346   which was noticed and reported by David Fifield. The leak was
 4347   triggered by set_port_version calls from NSE.  [Henri Doreau]
 4349 o [NSE] Fixed a race condition in broadcast-dhcp-discover.nse that
 4350   could cause responses to be missed on fast networks. It was noticed
 4351   by Vasiliy Kulikov. [David Fifield]
 4353 o Fixed a bug in reverse name resolution: a name of "." would leave
 4354   the hostname uninitialized and cause "Illegal character(s) in
 4355   hostname" warnings. [Gisle Vanem]
 4357 o Allow overriding the AR variable to use a different version of the
 4358   ar library creation tool when creating the liblinear library. [Nuno
 4359   Gonçalves]
 4361 o Added vcredist2008_x86.exe to the Windows zip file. This installer
 4362   from MS must be run on new Windows 2008 systems (those which don't
 4363   already have it) before running Nmap.  The Nmap Windows installer
 4364   already takes care of this. [David Fifield]
 4366 o Removed about 5MB of unnecessary DocBook XSL from the Nping docs
 4367   directory. [David Fifield]
 4369 o The packet library now uses consistent naming of the address fields
 4370   for IPv4 and IPv6 packets (ip_bin_src, ip_bin_dst, ip_src, and
 4371   ip_dst). [Henri Doreau]
 4373 o Update to the latest MAC address prefix assignments from IEEE as of
 4374   March 8, 2012. [Fyodor]
 4376 o Fixed a problem in the ippackethdrinfo function which was leading to
 4377   warning messages like: "BOGUS!  Can't parse supposed IP packet" during
 4378   certain IPv6 scans. [David Fifield]
 4380 o Fixed building on Arch Linux. The PCAP_IS_SUITABLE test had to be
 4381   modified to ensure that -lnl was passed on the build line. See the
 4382   r28202 svn log for further information. [David Fifield]
 4384 o Include net/if.h before net/if_arp.h in netutil.cc and tcpip.cc to
 4385   hopefully fix some build problems on AIX 5.3.
 4387 o [NSE] Added IPv6 support to firewalk.nse. [Henri Doreau]
 4389 Nmap 5.61TEST4 [2012-01-02]
 4391 o [NSE] Added a new httpspider library which is used for recursively
 4392   crawling web sites for information.  New scripts using this
  functionality include http-backup-finder, http-email-harvest,
  http-grep, http-open-redirect, and http-unsafe-output-escaping. See
  https://nmap.org/nsedoc/ or the list later in this file for details
  on these. [Patrik]

o Our Mac OS X packages are now x86-only (rather than universal),
  reducing the download size from 30 MB to about 17 MB.  If you still
  need a PowerPC version (Apple stopped selling those machines in
  2006), you can use Nmap 5.51 or 5.61TEST2 from
  https://nmap.org/dist/?C=M&O=D.

o We set up a new SVN server for the Nmap codebase.  This one uses SSL
  for better security, WebDAV rather than svnserve for greater
  functionality, is hosted on a faster (virtual) machine, provides
  Nmap code history back to 1998 rather than 2005, and removes the
  need for the special "guest" username.  The new server is at
  https://svn.nmap.org.  More information:
  http://seclists.org/nmap-dev/2011/q4/504.

o [NSE] Added a vulnerability management library (vulns.lua) to store and to
  report discovered vulnerabilities.  Modified these scripts to use
  the new library:
  - ftp-libopie.nse
  - http-vuln-cve2011-3192.nse
  - ftp-vuln-cve2010-4221.nse
  - ftp-vsftpd-backdoor.nse
  - smtp-vuln-cve2011-1720.nse
  - smtp-vuln-cve2011-1764.nse
  - afp-path-vuln.nse
  [Djalal, Henri]

o [NSE] Added a new script force feature.  You can force scripts to
  run against target ports (even if the "wrong" service is detected)
  by placing a plus in front of the script name passed to --script.
  See
  https://nmap.org/book/nse-usage.html#nse-script-selection. [Martin
  Swende]

o [NSE] Added 51(!) NSE scripts, bringing the total up to 297.  They
  are all listed at https://nmap.org/nsedoc/, and the summaries are
  below (authors listed in brackets):

  + amqp-info gathers information (a list of all server properties)
    from an AMQP (advanced message queuing protocol)
    server. [Sebastian Dragomir]

  + bitcoin-getaddr queries a Bitcoin server for a list of known
    Bitcoin nodes. [Patrik Karlsson]

  + bitcoin-info extracts version and node information from a Bitcoin
    server. [Patrik Karlsson]

  + bitcoinrpc-info obtains information from a Bitcoin server by
    calling getinfo on its JSON-RPC interface. [Toni
    Ruottu]

  + broadcast-pc-anywhere sends a special broadcast probe to discover
    PC-Anywhere hosts running on a LAN. [Patrik Karlsson]

  + broadcast-pc-duo discovers PC-DUO remote control hosts and
    gateways running on the LAN. [Patrik Karlsson]

  + broadcast-rip-discover discovers hosts and routing information
    from devices running RIPv2 on the LAN. It does so by sending a
    RIPv2 Request command and collects the responses from all devices
    responding to the request. [Patrik Karlsson]

  + broadcast-sybase-asa-discover discovers Sybase Anywhere servers on
    the LAN by sending broadcast discovery messages. [Patrik Karlsson]

  + broadcast-wake-on-lan wakes a remote system up from sleep by
    sending a Wake-On-Lan packet. [Patrik Karlsson]

  + broadcast-wpad-discover retrieves a list of proxy servers on the
    LAN using the Web Proxy Autodiscovery Protocol (WPAD). [Patrik
    Karlsson]

  + dns-blacklist checks target IP addresses against multiple DNS
    anti-spam and open proxy blacklists and returns a list of services
    where the IP has been blacklisted. [Patrik Karlsson]

  + dns-zeustracker checks if the target IP range is part of a Zeus
    botnet by querying ZTDNS @ abuse.ch. [Mikael Keri]

  + ganglia-info retrieves system information (OS version, available
    memory, etc.) from a listening Ganglia Monitoring Daemon or
    Ganglia Meta Daemon. [Brendan Coles]

  + hadoop-datanode-info discovers information such as log directories
    from an Apache Hadoop DataNode HTTP status page. [John R. Bond]

  + hadoop-jobtracker-info retrieves information from an Apache Hadoop
    JobTracker HTTP status page. [John R. Bond]

  + hadoop-namenode-info retrieves information from an Apache Hadoop
    NameNode HTTP status page. [John R. Bond]

  + hadoop-secondary-namenode-info retrieves information from an
    Apache Hadoop secondary NameNode HTTP status page. [John R. Bond]

  + hadoop-tasktracker-info retrieves information from an Apache
    Hadoop TaskTracker HTTP status page. [John R. Bond]

  + hbase-master-info retrieves information from an Apache HBase
    (Hadoop database) master HTTP status page. [John R. Bond]

  + hbase-region-info retrieves information from an Apache HBase
    (Hadoop database) region server HTTP status page. [John R. Bond]

  + http-apache-negotiation checks if the target HTTP server has
    mod_negotiation enabled.  This feature can be leveraged to find
    hidden resources and spider a web site using fewer requests. [Hani
    Benhabiles]

  + http-backup-finder spiders a website and attempts to identify
    backup copies of discovered files.  It does so by requesting a
    number of different combinations of the filename (e.g. index.bak,
    index.html~, copy of index.html). [Patrik Karlsson]

  + http-cors tests an HTTP server for Cross-Origin Resource Sharing
    (CORS), a way for domains to explicitly opt in to having certain
    methods invoked by another domain. [Toni Ruottu]

  + http-email-harvest spiders a web site and collects e-mail
    addresses. [Patrik Karlsson]

  + http-grep spiders a website and attempts to match all pages and
    URLs against a given string. Matches are counted and grouped per
    URL under which they were discovered. [Patrik Karlsson]

  + http-method-tamper tests whether a JBoss target is vulnerable to
    jmx console authentication bypass (CVE-2010-0738). [Hani
    Benhabiles]

  + http-open-redirect spiders a website and attempts to identify open
    redirects. Open redirects are handlers which commonly take a URL
    as a parameter and respond with an HTTP redirect (3XX) to the
    target. [Martin Holst Swende]

  + http-put uploads a local file to a remote web server using the
    HTTP PUT method. You must specify the filename and URL path with
    NSE arguments. [Patrik Karlsson]

  + http-robtex-reverse-ip obtains up to 100 forward DNS names for a
    target IP address by querying the Robtex service
    (http://www.robtex.com/ip/). [riemann]

  + http-unsafe-output-escaping spiders a website and attempts to
    identify output escaping problems where content is reflected back
    to the user. [Martin Holst Swende]

  + http-vuln-cve2011-3368 tests for the CVE-2011-3368 (Reverse Proxy
    Bypass) vulnerability in Apache HTTP server's reverse proxy
    mode. [Ange Gutek, Patrik Karlsson]

  + ipv6-node-info obtains hostnames, IPv4 and IPv6 addresses through
    IPv6 Node Information Queries. [David Fifield]

  + irc-botnet-channels checks an IRC server for channels that are
    commonly used by malicious botnets. [David Fifield, Ange Gutek]

  + irc-brute performs brute force password auditing against IRC
    (Internet Relay Chat) servers. [Patrik Karlsson]

  + krb5-enum-users discovers valid usernames by brute force querying
    likely usernames against a Kerberos service. [Patrik Karlsson]

  + maxdb-info retrieves version and database information from a SAP
    Max DB database. [Patrik Karlsson]

  + metasploit-xmlrpc-brute performs brute force password auditing
    against a Metasploit RPC server using the XMLRPC protocol. [Vlatko
    Kosturjak]

  + ms-sql-dump-hashes dumps the password hashes from an MS-SQL server
    in a format suitable for cracking by tools such as
    John-the-ripper. In order to do so the user needs to have the
    appropriate DB privileges. [Patrik Karlsson]

  + nessus-brute performs brute force password auditing against a
    Nessus vulnerability scanning daemon using the NTP 1.2
    protocol. [Patrik Karlsson]

  + nexpose-brute performs brute force password auditing against a
    Nexpose vulnerability scanner using the API 1.1. [Vlatko
    Kosturjak]

  + openlookup-info parses and displays the banner information of an
    OpenLookup (network key-value store) server. [Toni Ruottu]

  + openvas-otp-brute performs brute force password auditing against an
    OpenVAS vulnerability scanner daemon using the OTP 1.0
    protocol. [Vlatko Kosturjak]

  + reverse-index creates a reverse index at the end of scan output
    showing which hosts run a particular service. [Patrik Karlsson]

  + rexec-brute performs brute force password auditing against the
    classic UNIX rexec (remote exec) service. [Patrik Karlsson]

  + rlogin-brute performs brute force password auditing against the
    classic UNIX rlogin (remote login) service. [Patrik Karlsson]

  + rtsp-methods determines which methods are supported by the RTSP
    (real time streaming protocol) server. [Patrik Karlsson]

  + rtsp-url-brute attempts to enumerate RTSP media URLs by testing
    for common paths on devices such as surveillance IP
    cameras. [Patrik Karlsson]

  + telnet-encryption determines whether the encryption option is
    supported on a remote telnet server.  Some systems (including
    FreeBSD and the krb5 telnetd available in many Linux
    distributions) implement this option incorrectly, leading to a
    remote root vulnerability. [Patrik Karlsson, David Fifield,
    Fyodor]

  + tftp-enum enumerates TFTP (trivial file transfer protocol) filenames by testing
    for a list of common ones. [Alexander Rudakov]

  + unusual-port compares the detected service on a port against the
    expected service for that port number (e.g. ssh on 22, http on 80)
    and reports deviations. An early version of this same idea was
    written by Daniel Miller. [Patrik Karlsson]

  + vuze-dht-info retrieves some basic information, including protocol
    version, from a Vuze filesharing node. [Patrik Karlsson]

o [NSE] Added some new protocol libraries:
  + amqp (advanced message queuing protocol) [Sebastian Dragomir]
  + bitcoin crypto currency [Patrik Karlsson]
  + dnsbl for DNS-based blacklists [Patrik Karlsson]
  + rtsp (real time streaming protocol) [Patrik Karlsson]
  + httpspider and vulns have separate entries in this CHANGELOG

o Nmap now includes a nmap-update program for obtaining the latest
  updates (new scripts, OS fingerprints, etc.).  The system is
  currently only available to a few developers for testing, but we
  hope to enable a larger set of beta testers soon. [David]

o On Windows, the directory [HOME]\AppData\Roaming\nmap is now
  searched for data files. This is the equivalent of $HOME/.nmap on
  POSIX. [David]

o Improved OS detection performance by scaling congestion control
  increments by the response rate during OS scan, just as was done
  for port scan before. [David]

o [NSE] The targets-ipv6-multicast-*.nse scripts now scan all
  interfaces by default. They show the MAC address and interface name
  now too. [David, Daniel Miller]

o Added some new version detection probes:
  + MongoDB service [Martin Holst Swende]
  + Metasploit XMLRPC service [Vlatko Kosturjak]
  + Vuze filesharing system [Patrik]
  + Redis key-value store [Patrik]
  + memcached [Patrik]
  + Sybase SQL Anywhere [Patrik]
  + VMware ESX Server [Aleksey Tyurin]
  + TCP Kerberos [Patrik]
  + PC-Duo [Patrik]
  + PC Anywhere [Patrik]

o Targets requiring different source addresses now go into different
  hostgroups, not only for host discovery but also for port scanning.
  Before, only responses to one of the source addresses would be
  processed, and the others would be ignored. [David]

o Tidied up the version detection DB (nmap-service-probes) with a new
  cleanup/canonicalization program sv-tidy.  In particular, this:
  - Removes excess whitespace
  - Sorts templates in the order m p v i d o h cpe:
  - Canonicalizes template delimiters in the order: / | % = @ #.
  [David]

o The --exclude and --excludefile options for excluding targets can
  now be used together. [David]

o [NSE] Added support for detecting whether an HTTP connection was established
  using SSL or not to the http.lua library. [Patrik]

o [NSE] Added local port to BPF filter in snmp-brute to fix a bug that would
  prevent multiple scripts from receiving the correct responses. The bug was
  discovered by Brendan Bird. [Patrik]

o [NSE] Changed the dhcp-discover script to use the DHCPINFORM request
  to query dhcp servers instead of DHCPDISCOVER. Also removed DoS code
  from dhcp-discover and placed the script into the discovery and safe
  categories. Added support for adding options to DHCP requests and
  cleaned up some code in the dhcp library. [Patrik]

o [NSE] Applied patch to snmp-brute that solves problems with handling
  errors that occur during community list file parsing. [Duarte
  Silva]

o [NSE] Added new fingerprints to http-enum for:
  - Subversion, CVS and Apache Archiva [Duarte Silva]
  - DVCS systems Git, Mercurial and Bazaar [Hani Benhabiles].

o [NSE] Applied some code cleanup to the snmp library. [Brendan Byrd]

o [NSE] Fixed an undeclared variable bug in snmp-ios-config. [Patrik]

o [NSE] Added additional version information to MongoDB scripts. [Martin
  Swende]

o [NSE] Added path argument to the http-auth script and updated the
  script to use stdnse.format_output. [Duarte Silva, Patrik]

o [NSE] Fixed bug in the http library that would fail to parse
  authentication headers if no parameters were present. [Patrik]

o Made a syntax change in the zenmap.desktop file for compliance with
  the XDG standard. [Frederik Schwarzer]

o [NSE] Replaced a number of GET requests with HEAD in http-
  fingerprints.lua.  HEAD is quicker and sufficient when no matching
  is performed on the returned contents.  [Hani Benhabiles]

o [NSE] Added support for retrieving SSL certificates from FTP
  servers. [Matt Selsky]

o [Nping] The --safe-payloads option is now the default. Added
  --include-payloads for the special situations where payloads are
  needed. [Colin Rice]

o [NSE] Added new functionality and fixed some bugs in the brute library:
  - Added support for restricting the number of guesses performed by the
    brute library against users, to prevent account lockouts.
  - Added support to guess the username as password. The documentation
    previously suggested (wrongly) that this was the default behavior.
  - Added support to guess an empty string as password if not
    present in the dictionary. [Patrik]

o [NSE] Re-enabled support for guessing the username in addition to the
  password, which was incorrectly removed from metasploit-xmlrpc-brute in a
  previous commit. [Patrik]

o [NSE] Fixed bug that would prevent brute scripts from running if no service
  field was present in the port table. [Patrik]

o [NSE] Turned on promiscuous mode in targets-sniffer.nse so that it
  finds packets not only from or to the scanning host. [David]

o The Zenmap topology display feature is now disabled when there are
  more than 1,000 target hosts.  Those topology maps slow down the
  interface and are generally too crowded to be of much use.

o [NSE] Modified the http library to support servers that don't return valid
  chunked encoded data, such as the Citrix XML service. [Patrik]

o [NSE] Fixed a bug where the brute library would not abort even after all
  retries were exhausted. [Patrik]

o Fixed a bug in the IPv6 OS probe called NI. The Node Information
  Query didn't include the target address as the payload, so at least
  OS X didn't respond. This differed from the probe sent by the
  ipv6fp.py program from which some of our fingerprints were derived.
  [David]
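The Node Information Query layout that the fix above relies on, as an added example (not Nmap's code): build_ni_query and parse_ni_query are constructed helpers following the RFC 4620 wire format, the link-local addresses are made up, and include_subject=False reproduces the empty-payload form that, per the entry, OS X ignored.

```python
import os
import socket
import struct

# ICMPv6 Node Information Query, RFC 4620 section 4.
ICMPV6_NI_QUERY = 139          # ICMPv6 type
NI_CODE_SUBJECT_IPV6 = 0       # Code 0: the Data field carries the subject IPv6 address
NI_QTYPE_NODE_NAME = 2         # Qtype 2: ask the node for its name
NI_QTYPE_NODE_ADDRESSES = 3    # Qtype 3: ask the node for its addresses
IPPROTO_ICMPV6 = 58


def icmpv6_checksum(src, dst, message):
    """Internet checksum over the IPv6 pseudo-header followed by the ICMPv6 message.

    Returns 0 when `message` already carries a correct checksum."""
    pseudo = (socket.inet_pton(socket.AF_INET6, src)
              + socket.inet_pton(socket.AF_INET6, dst)
              + struct.pack("!I", len(message))
              + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6]))
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ni_query(src, dst, qtype=NI_QTYPE_NODE_NAME, nonce=None,
                   include_subject=True):
    """Build an NI Query from `src` to `dst` whose subject is `dst` itself.

    include_subject=False omits the subject address from the Data field,
    which is the malformed shape described in the changelog entry."""
    if nonce is None:
        nonce = os.urandom(8)           # 64-bit nonce echoed back in the reply
    subject = socket.inet_pton(socket.AF_INET6, dst) if include_subject else b""
    # Type(1) Code(1) Checksum(2, zero while computing) Qtype(2) Flags(2)
    header = struct.pack("!BBHHH", ICMPV6_NI_QUERY, NI_CODE_SUBJECT_IPV6,
                         0, qtype, 0)
    message = header + nonce + subject
    csum = icmpv6_checksum(src, dst, message)
    return message[:2] + struct.pack("!H", csum) + message[4:]


def parse_ni_query(src, dst, pkt):
    """Decode an NI Query and report whether it is well formed.

    A Code 0 query must carry the 16-byte subject address after the nonce;
    a target that does not find its own address there has no reason to answer."""
    if len(pkt) < 16:
        raise ValueError("too short for an NI Query header")
    itype, code, _csum, qtype, flags = struct.unpack("!BBHHH", pkt[:8])
    nonce = pkt[8:16]
    data = pkt[16:]
    subject = None
    if code == NI_CODE_SUBJECT_IPV6 and len(data) >= 16:
        subject = socket.inet_ntop(socket.AF_INET6, data[:16])
    return {
        "type": itype,
        "code": code,
        "qtype": qtype,
        "flags": flags,
        "nonce": nonce,
        "subject": subject,
        "checksum_ok": icmpv6_checksum(src, dst, pkt) == 0,
        "well_formed": itype == ICMPV6_NI_QUERY and subject is not None,
    }


if __name__ == "__main__":
    # Constructed addresses; nothing is sent on the wire.
    good = build_ni_query("fe80::1", "fe80::2")
    bad = build_ni_query("fe80::1", "fe80::2", include_subject=False)
    print(parse_ni_query("fe80::1", "fe80::2", good))
    print(parse_ni_query("fe80::1", "fe80::2", bad))
```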
o [NSE] Fixed an error in the mssql library that was causing the
  broadcast-ms-sql-discover script to fail when trying to update port version
  information. [Patrik]

o [NSE] Added the missing broadcast category to the broadcast-listener script.
  [Jasey DePriest]

o [NSE] Made changes to the categories of the following scripts (new
  categories shown) [Duarte Silva]:
  - http-userdir-enum.nse (auth,intrusive)
  - mysql-users.nse (auth,intrusive)
  - http-wordpress-enum.nse (auth,intrusive,vuln)
  - krb5-enum-users.nse (auth,intrusive)
  - snmp-win32-users.nse (default,auth,safe)
  - smtp-enum-users.nse (auth,external,intrusive)
  - ncp-enum-users.nse (auth,safe)
  - smb-enum-users.nse (auth,intrusive)

o Made nbase compile with the clang compiler that is a part of Xcode
  4.2. [Daniel J. Luke]

o [NSE] Fix a nil table index bug discovered in the mongodb
  library. [Thomas Buchanan]

o [NSE] Added XMPP support to ssl-cert.nse.

o [NSE] Made http-wordpress-enum.nse able to get names of users who
  have no posts. [Duarte Silva]

o Increased hop distance estimates from OS detection by one. The
  distance now counts the number of hops including the final one to
  the target, not just the number of intermediate nodes. The IPv6
  distance calculation already worked this way. [David]

Nmap 5.61TEST2 [2011-09-30]

o Added IPv6 OS detection system! The new system utilizes many tests
  similar to IPv4, and also some IPv6-specific ones that we found to
  be particularly effective. And it uses a machine learning approach
  rather than the static classifier we use for IPv4. We hope to move
  some of the IPv6 innovations back to our IPv4 system if they work
  out well. The database is still very small, so please submit any
  fingerprints that Nmap gives you to the specified URL (as long as
  you are certain that you know what the target system is
  running). Usage and results output are basically the same as with
  IPv4, but we will soon document the internal mechanisms at
  https://nmap.org/book/osdetect.html, just as we have for IPv4. For an
  example, try "nmap -6 -O scanme.nmap.org". [David, Luis]

o [NSE] Added 3 scripts, bringing the total to 246!  You can learn
  more about them at https://nmap.org/nsedoc/. Here they are (authors
  listed in brackets):

  + lltd-discovery uses the Microsoft LLTD protocol to discover hosts
    on a local network. [Gorjan Petrovski]

  + ssl-google-cert-catalog queries Google's Certificate Catalog for
    the SSL certificates retrieved from target hosts. [Vasiliy Kulikov]

  + quake3-info extracts information from a Quake3-like game
    server. [Toni Ruottu]

o Improved AIX support for raw scans. This includes some patches
  originally written by Peter O'Gorman and Florian Schmid. It also
  involved various build fixes found necessary on AIX 6.1 and 7.1. See
  https://nmap.org/book/inst-other-platforms.html . [David]

o Fixed Nmap so that it again compiles and runs on Solaris 10,
  including IPv6 support. [David]

o [NSE] Moved our brute force authentication cracking scripts
  (*-brute) from the "auth" category into a new "brute"
  category. Nmap's brute force capabilities have grown tremendously!
  You can see all 32 of them at
  https://nmap.org/nsedoc/categories/brute.html .  It isn't clear
  whether dns-brute should be in the brute category, so for now it
  isn't. [Fyodor]

o Made the interface gathering loop work on Linux when an interface
  index is more than two digits in /proc/sys/if_inet6. Joe McEachern
  tracked down the problem and provided the fix.

o [NSE] Fixed a bug in dns.lua: ensure that dns.query() always returns two values
  (status, response) and replaced the workaround in asn-query.nse by the proper
  use. [Henri]

o [NSE] Made irc-info.nse handle the case where the MOTD is missing.
  Patch by Sebastian Dragomir.

o Updated nmap-mac-prefixes to include the latest IEEE assignments
  as of 2011-09-29.

Nmap 5.61TEST1 [2011-09-19]

o Added Common Platform Enumeration (CPE, http://cpe.mitre.org/)
  output for OS and service versions. This is a standard way to
  identify operating systems and applications so that Nmap can
  better interoperate with other software. Nmap's own (generally more
  comprehensive) taxonomy/classification system is still supported as
  well. Some OS and version detection results don't have CPE entries
  yet. CPE entries show up in normal output with the headings "OS
  CPE:" and "Service Info:":
    OS CPE: cpe:/o:linux:kernel:2.6.39
    Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
  These also appear in XML output, which additionally has CPE entries
  for service versions. [David, Henri]
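Reading those CPE entries back out of normal output, as an added example that is not Nmap's own code: parse_cpe, extract_cpes and cpe_covers are constructed helpers for the CPE 2.2 URI form shown above, and SAMPLE_OUTPUT is built from the two lines in the entry plus one constructed non-CPE line.

```python
import re

# CPE 2.2 URI: cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
CPE_PARTS = {"a": "application", "h": "hardware", "o": "operating system"}
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

# Matches a CPE URI embedded in a line of text; components stop at ':' or whitespace.
CPE_RE = re.compile(r"cpe:/[aho](?::[^:\s;]*)*")

# Constructed sample of Nmap normal output (the two CPE lines come from the changelog entry).
SAMPLE_OUTPUT = """\
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6.39
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
"""


def parse_cpe(uri):
    """Split a CPE 2.2 URI into named components; absent trailing components become None."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    fields = uri[len("cpe:/"):].split(":")
    if not fields or fields[0] not in CPE_PARTS:
        raise ValueError("unknown CPE part in %r" % uri)
    fields = fields[:len(CPE_FIELDS)]
    fields += [None] * (len(CPE_FIELDS) - len(fields))
    components = dict(zip(CPE_FIELDS, [f if f else None for f in fields]))
    components["part"] = CPE_PARTS[fields[0]]
    return components


def extract_cpes(normal_output):
    """Return (heading, cpe_uri) pairs for every CPE found in Nmap normal output."""
    found = []
    for line in normal_output.splitlines():
        heading = line.strip().split(":", 1)[0]   # e.g. "OS CPE" or "Service Info"
        for match in CPE_RE.finditer(line):
            found.append((heading, match.group(0)))
    return found


def cpe_covers(general, specific):
    """True when every component given in `general` matches `specific`.

    Components left unspecified in `general` act as wildcards, so the
    version-less Service Info CPE covers the versioned OS CPE, not vice versa."""
    g, s = parse_cpe(general), parse_cpe(specific)
    return all(g[k] is None or g[k] == s[k] for k in CPE_FIELDS)


if __name__ == "__main__":
    for heading, uri in extract_cpes(SAMPLE_OUTPUT):
        print(heading, "->", parse_cpe(uri))
```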
o Added IPv6 Neighbor Discovery ping. This is the IPv6 analog to IPv4
  ARP scan. It is the default ping type for local IPv6 networks.
  [Weilin]

o Integrated your latest (IPv4) OS detection submissions and
  corrections until June 22. New fingerprints include Linux 3, FreeBSD
  9, Mac OS X 10.7 (Lion), and 300+ more. The DB size increased 11% to
  3,308 fingerprints. See
  http://seclists.org/nmap-dev/2011/q3/556. Please keep those
  fingerprints coming! We now accept IPv4 and IPv6 OS fingerprints as
  well as service fingerprints, plus corrections of all types if Nmap
  guesses wrong.

o [NSE] Added 27 scripts, bringing the total to 243!  You can learn
  more about any of them at https://nmap.org/nsedoc/. Here are the new
  ones (authors listed in brackets):

  + address-info shows extra information about IPv6 addresses, such as
    embedded MAC or IPv4 addresses when available. [David Fifield]

  + bittorrent-discovery discovers bittorrent peers sharing a file
    based on a user-supplied torrent file or magnet link. [Gorjan
    Petrovski]

  + broadcast-db2-discover attempts to discover DB2 servers on the
    network by sending a broadcast request to port 523/udp. [Patrik
    Karlsson]

  + broadcast-dhcp-discover sends a DHCP request to the broadcast
    address and reports the results. [Patrik
    Karlsson]

  + broadcast-listener sniffs the network for incoming broadcast
    communication and attempts to decode the received packets. It
    supports protocols like CDP, HSRP, Spotify, DropBox, DHCP, ARP and
    a few more. [Patrik Karlsson]

  + broadcast-ping sends broadcast pings on a selected interface using
    raw ethernet packets and outputs the responding hosts' IP and MAC
    addresses or (if requested) adds them as targets. [Gorjan
    Petrovski]

  + cvs-brute performs brute force password auditing against CVS
    pserver authentication. [Patrik Karlsson]

  + cvs-brute-repository attempts to guess the name of the CVS
    repositories hosted on the remote server.  With knowledge of the
    correct repository name, usernames and passwords can be
    guessed. [Patrik Karlsson]

  + ftp-vsftpd-backdoor tests for the presence of the vsFTPd 2.3.4
    backdoor reported on 2011-07-04 (CVE-2011-2523). This script
    attempts to exploit the backdoor using the innocuous 'id' command
    by default, but that can be changed with the 'exploit.cmd' or
    'ftp-vsftpd-backdoor.cmd' script arguments. [Daniel Miller]

  + ftp-vuln-cve2010-4221 checks for a stack-based buffer overflow in
    the ProFTPD server, version between 1.3.2rc3 and 1.3.3b. [Djalal
    Harouni]

  + http-awstatstotals-exec exploits a remote code execution
    vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other
    products based on it (CVE-2008-3922). [Paulino Calderon]

  + http-axis2-dir-traversal exploits a directory traversal
    vulnerability in Apache Axis2 version 1.4.1 by sending a specially
    crafted request to the parameter 'xsd' (OSVDB-59001). By default
    it will try to retrieve the configuration file of the Axis2
    service '/conf/axis2.xml' using the path '/axis2/services/' to
    return the username and password of the admin account. [Paulino
    Calderon]

  + http-default-accounts tests for access with default credentials
    used by a variety of web applications and devices. [Paulino
    Calderon]

  + http-google-malware checks if hosts are on Google's blacklist of
    suspected malware and phishing servers. These lists are constantly
    updated and are part of Google's Safe Browsing service. [Paulino
    Calderon]

  + http-joomla-brute performs brute force password auditing against
    Joomla web CMS installations. [Paulino Calderon]

  + http-litespeed-sourcecode-download exploits a null-byte poisoning
    vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to
    retrieve the target script's source code by sending an HTTP request
    with a null byte followed by a .txt file extension
    (CVE-2010-2333). [Paulino Calderon]

  + http-vuln-cve2011-3192 detects a denial of service vulnerability
    in the way the Apache web server handles requests for multiple
    overlapping/simple ranges of a page. [Duarte Silva]

  + http-waf-detect attempts to determine whether a web server is
    protected by an IPS (Intrusion Prevention System), IDS (Intrusion
    Detection System) or WAF (Web Application Firewall) by probing the
    web server with malicious payloads and detecting changes in the
    response code and body. [Paulino Calderon]

  + http-wordpress-brute performs brute force password auditing
    against Wordpress CMS/blog installations. [Paulino Calderon]

  + http-wordpress-enum enumerates usernames in Wordpress blog/CMS
    installations by exploiting an information disclosure
    vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and
    3.2-beta2 and possibly others. [Paulino Calderon]

  + imap-brute performs brute force password auditing against IMAP
    servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM
    authentication. [Patrik Karlsson]

  + smtp-brute performs brute force password auditing against SMTP
    servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM
    authentication. [Patrik Karlsson]

  + smtp-vuln-cve2011-1764 checks for a format string vulnerability in
    the Exim SMTP server (version 4.70 through 4.75) with DomainKeys
    Identified Mail (DKIM) support (CVE-2011-1764). [Djalal Harouni]

  + targets-ipv6-multicast-echo sends an ICMPv6 echo request packet to
    the all-nodes link-local multicast address (ff02::1) to discover
    responsive hosts on a LAN without needing to individually ping
    each IPv6 address. [David Fifield, Xu Weilin]

  + targets-ipv6-multicast-invalid-dst sends an ICMPv6 packet with an
    invalid extension header to the all-nodes link-local multicast
    address (ff02::1) to discover (some) available hosts on the
    LAN. This works because some hosts will respond to this probe with
    an ICMPv6 parameter problem packet. [David Fifield, Xu Weilin]

  + targets-ipv6-multicast-slaac performs IPv6 host discovery by
    triggering stateless address auto-configuration (SLAAC). [David
    Fifield, Xu Weilin]

  + xmpp-brute performs brute force password auditing against XMPP
    (Jabber) instant messaging servers. [Patrik Karlsson]

o Fixed compilation on OS X 10.7 Lion. Thanks to Patrik Karlsson and
  Babak Farroki for researching fixes.

o [NSE] The script arguments which start with a script name
  (e.g. http-brute.hostname or afp-ls.maxfiles) can now accept the
  unqualified arguments as well (hostname, maxfiles). This lets you
  use the generic version ("hostname") when you want to affect
  multiple scripts, while using the qualified version to target
  individual scripts. If both are specified, the qualified version
  takes precedence for that particular script. This works for library
  script arguments too (e.g. you can specify 'timelimit' rather than
  unpwdb.timelimit). [Paulino]
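The precedence rule just described, worked through as an added example that is not NSE's own implementation: parse_script_args is a constructed, simplified reader for a comma-separated key=value string (no nested tables), and resolve_script_args applies "qualified script.name beats unqualified name" for one script or library at a time; the hostnames and the http-brute "path" argument are made-up sample values.

```python
def parse_script_args(spec):
    """Split a --script-args style string into a dict.

    Simplification (assumption): comma-separated key=value pairs, values may be
    single- or double-quoted to protect commas, and a bare key becomes True.
    NSE's real syntax additionally allows nested {} tables, which this skips."""
    args = {}
    pairs, buf, quote = [], [], None
    for ch in spec:
        if quote:                      # inside quotes: keep everything, including commas
            if ch == quote:
                quote = None
            else:
                buf.append(ch)
        elif ch in "'\"":
            quote = ch
        elif ch == ",":
            pairs.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if buf:
        pairs.append("".join(buf))
    for pair in pairs:
        pair = pair.strip()
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        args[key.strip()] = value if sep else True
    return args


def resolve_script_args(script_name, wanted, args):
    """Resolve each name in `wanted` for `script_name` (a script or a library).

    The qualified form "<script_name>.<name>" wins over the unqualified "<name>";
    an argument given in neither form resolves to None."""
    resolved = {}
    for name in wanted:
        qualified = "%s.%s" % (script_name, name)
        if qualified in args:
            resolved[name] = args[qualified]
        elif name in args:
            resolved[name] = args[name]
        else:
            resolved[name] = None
    return resolved


if __name__ == "__main__":
    # Constructed command-line value: the generic hostname applies to every
    # script that asks for one, the qualified hostname only to http-brute.
    args = parse_script_args(
        "hostname=example.org,http-brute.hostname='intranet.example.org',timelimit=10m")
    print("http-brute      ->", resolve_script_args("http-brute", ["hostname", "path"], args))
    print("http-form-brute ->", resolve_script_args("http-form-brute", ["hostname"], args))
    print("unpwdb library  ->", resolve_script_args("unpwdb", ["timelimit"], args))
```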
o [Ncat] Updated SSL certificate store (ca-bundle.crt), primarily to
  remove the epic fail known as DigiNotar.

o Nmap now defers options parsing until it has read through all the
  command line arguments.  This removes the few remaining cases where
  option order mattered (for example, IPv6 users previously had to
  specify -6 before -S). [Shinnok]

o [NSE] Added a new default credential list for Oracle databases and
  modified the oracle-brute script to make use of it. [Patrik]

o [NSE] Our Packet library (packet.lua) now handles IPv6. This is used
  by the new multicast IPv6 host discovery scripts
  (targets-ipv6-*). [Weilin]

o [NSE] Replaced xmpp.nse with an overhauled version named
  xmpp-info.nse which brings many new features and fixes. [Vasiliy Kulikov]

o [NSE] Fixed SSL compressor names in ssl-enum-ciphers.nse, and
  removed redundant multiple listings of the NULL compressor.
  [Matt Selsky]

o [NSE] Added cipher strength ratings to ssl-enum-ciphers.nse.
  [Gabriel Lawrence]

o [NSE] Fixed a bug in the ssh2-enum-algos script that would prevent it from
  displaying any output unless run in debug mode. [Patrik]

o [NSE] Added 4 more protocol libraries. You can learn more about any
  of them at https://nmap.org/nsedoc/. Here are the new ones (authors
  listed in brackets):

  + bittorrent supports the BitTorrent file sharing protocol [Gorjan
    Petrovski]

  + cvs includes support for the Concurrent Versions System (CVS)
    [Patrik Karlsson]

  + sasl provides common code for "Simple Authentication and Security
    Layer" to services supporting it. The algorithms supported by the
    library are: PLAIN, CRAM-MD5, DIGEST-MD5 and NTLM. [Djalal
    Harouni, Patrik Karlsson]

  + xmpp handles XMPP (Jabber) IM servers [Patrik Karlsson]

o [NSE] Removed the mac-geolocation script, which relied on a Google
  database to determine strikingly accurate GPS coordinates for
  anyone's wireless access points (based on their MAC address).  It
  was very powerful.  Perhaps Google decided it was too powerful, as
  they discontinued the service before our script was even 2 months
  old.

o [Ncat] Added an --append-output option which, when used along with
  -o and/or -x, prevents clobbering (truncating) an existing
  file. [Shinnok]

o Fixed RPC scan (part of -sV) to work on the 64-bit machines where
  "unsigned long" is 8 bytes rather than 4.  We now use the more
  portable u32 in the code. [David]

o [NSE] Moved some scripts into the default category: giop-info,
  vnc-info, ncp-serverinfo, smb-security-mode, and
  afp-serverinfo. [Djalal]

o Relaxed the XML DTD to allow validation of files where the verbosity
  level changed during the scan.  Also made a service confidence of 8
  (used when tcpwrapped) or any other number between 0 and 10
  legal. [Daniel Miller]

o [NSE] Fixed authentication problems in the TNS library that would prevent
  authentication from working against Oracle XE. [Chris Woodbury]

o [NSE] Added basic query support to the Oracle TNS library so that scripts
  can now make SQL queries against database servers.  Also improved
  support for 64-bit database servers and improved the documentation. [Patrik]

o Removed some restrictions on probe matching that, for example,
  prevented a RST/ACK reply from being recognized in a NULL scan. This
  was found and fixed by Matthew Stickney and Joe McEachern.

o Rearranged some character classes in service matches to avoid any
  that look like POSIX collating symbols ("[.xyz.]"). John Hutchison
  discovered this error caused by one of the match lines:
    InitMatch: illegal regexp: POSIX collating elements are not supported
  [Daniel Miller]

o [NSE] Added more than 100 new signatures to http-enum (many for
  known vulnerabilities). They are in the categories: general,
  attacks, cms, security, management and database. [Paulino]

o [NSE] Updated account status text in brute force password discovery
  scripts in an effort to make the reporting more consistent across
  all scripts.  This will have an impact on any code that parses these
  values.  [Tom Sellers]

o Nmap now includes the Liblinear library for large linear
  classification (http://www.csie.ntu.edu.tw/~cjlin/liblinear/). We
  are using it for the upcoming IPv6 OS detection system, and (if that
  works out well) may eventually use it for IPv4 too.  It uses a
  three-clause BSD license.

o [NSE] Better error messages (including a traceback) are now provided
  when script loading fails. [Patrick]

o [Zenmap] Prevent Zenmap from deleting ports when merging scan
  results based on newer scans which did not actually scan the ports
  in question. Additionally Zenmap now only updates ports with new
  information if the new information uses the same protocol--not just
  the same port number. [Colin Rice]

o [Ncat] Fixed a crash which would occur when --ssl-verify is combined
  with -vvv on Windows. [Colin Rice]

o [Nping] Added new --safe-payloads option for echo mode which causes
  returned packet payloads to be zeroed to reduce privacy risks if
  Nping echo server was to accidentally (or through malicious intent)
  return a packet which wasn't sent by the Nping echo client.  We hope
  to soon make this behavior the default. [Luis]

o Fixed a bug that would make Nmap segfault if it failed to open an
  interface using pcap. The bug details and patch are posted at
  http://seclists.org/nmap-dev/2011/q3/365 [Patrik]

o Ncat SCTP mode now supports connection brokering
  (--sctp --broker). [Shinnok]

o Consolidated a bunch of duplicate code between Ncat's listen
  (ncat_listen.c) and broker (ncat_broker.c) modes to ease
  maintenance. [Shinnok]

o Added a 'nostore' nse argument to the brute force library which
 5143   prevents the brute force authentication cracking scripts from
 5144   storing found credentials in the creds library (they will still be
 5145   printed in script output).
 5147 o [NSE] Fixed the nsedebug print_hex() function so it does not print an
 5148   empty line if there are no remaining characters, and improved its NSEDoc.
 5149   [Chris Woodbury].
 5151 o [Ncat] Ncat no longer blocks while an ssl handshake is taking place
 5152   or waiting to complete.  This could make listening Ncat instances
 5153   unavailable to other clients because one client was taking too long
 5154   to complete the SSL handshake.  Our public Ncat chat server is now
 5155   much more reliable (connect with: ncat --ssl -v chat.nmap.org).
 5156   [Shinnok]
 5158 o [NSE] Updated SMTP and IMAP libraries to support authentication
 5159   using both plain-text and the SASL library. [Patrik]
 5161 o [Zenmap] The Zenmap crash handler now instructs users to mail in
 5162   crash information to nmap-dev rather than offering to create a
 5163   Sourceforge bug tracker entry. [Colin Rice]
 5165 o [NSE] Applied patch from Chris Woodbury that adds the following
 5166   additional information to the output of smb-os-discovery: NetBIOS
 5167   computer name, NetBIOS domain name, FQDN, and forest name.
 5169 o [NSE] Updated smb-brute to add detection for valid credentials where the
 5170   target account was expired or limited by time or login host constraints.
 5171   [Tom Sellers]
 5173 o [Ncat] Ncat now supports IPv6 addresses by default without the -6 flag.
 5174   Additionally, ncat listens on both ::1 and localhost when passed
 5175   -l (or any other listening mode) unless a specific listening address
 5176   is supplied. [Colin Rice]
 5178 o Fixed broken XML output in the case of timed-out hosts; the
 5179   enclosing host element was missing. The fix was suggested by Rémi
 5180   Mollon.
 5182 o [NSE] Multiple ldap-brute changes by Tom Sellers:
 5183   + Added support for 2008 R2 functional level Active Directory instances
 5184   + Added detection for valid credentials where the target account was
 5185     expired or limited by time or login host constraints.
 5186   + Added support for specifying a UPN suffix to be appended to usernames
 5187     when brute forcing Microsoft Active Directory accounts.
 5188   + Added support for saving discovered credentials to a CSV file.
 5189   + Now reports valid credentials as they are discovered when the script
 5190     is run with -vv or higher.
 5192 o [NSE] ldap-search.nse - Added support for saving search results to
 5193   CSV.  This is done by using the ldap.savesearch script argument to
 5194   specify an output filename prefix.  [Tom Sellers]
 5196 o Handle an unconventional IPv6 internal link-local address convention
 5197   used by Mac OS X. See
 5198   http://seclists.org/nmap-dev/2011/q3/906. [David]
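An added example (not Nmap's own code) of the address normalisation such a fix needs. It assumes the Mac OS X convention meant above is the KAME-derived one, where the kernel embeds the interface index in bytes 2-3 of a link-local address (fe80::1 on interface 4 is reported as fe80:4::1); the sample addresses are constructed.

```c
/* Added example, not Nmap's own code.  It assumes the Mac OS X convention
 * referred to above is the KAME-derived one: for a link-local (fe80::/10)
 * address the kernel reports the interface index inside the address itself,
 * in bytes 2-3, so fe80::1 on interface 4 is returned as fe80:4::1.  The
 * normaliser below moves that index into a separate scope id and zeroes the
 * bytes, so the address compares equal to the same address seen on the wire. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

struct ll_addr {
    uint8_t  addr[16];   /* address in canonical form */
    uint32_t scope_id;   /* interface index, 0 if none was embedded */
};

static int is_link_local(const uint8_t a[16]) {
    return a[0] == 0xfe && (a[1] & 0xc0) == 0x80;   /* fe80::/10 */
}

/* Copy 'in' into 'out', extracting an embedded interface index if present.
 * Returns 1 if an index was found and removed, 0 if the address was left as is. */
int normalize_kame_link_local(const uint8_t in[16], struct ll_addr *out) {
    memcpy(out->addr, in, 16);
    out->scope_id = 0;
    if (!is_link_local(in))
        return 0;                      /* only link-local addresses carry it */
    uint16_t embedded = (uint16_t)((in[2] << 8) | in[3]);
    if (embedded == 0)
        return 0;                      /* already canonical */
    out->scope_id = embedded;
    out->addr[2] = 0;
    out->addr[3] = 0;
    return 1;
}

/* Render as text, e.g. "fe80::1%4".  Returns the length or -1 on error. */
int ll_addr_to_string(const struct ll_addr *a, char *buf, size_t cap) {
    char tmp[INET6_ADDRSTRLEN];
    if (inet_ntop(AF_INET6, a->addr, tmp, sizeof tmp) == NULL)
        return -1;
    int n = a->scope_id ? snprintf(buf, cap, "%s%%%u", tmp, (unsigned)a->scope_id)
                        : snprintf(buf, cap, "%s", tmp);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void) {
    /* Constructed sample of what getifaddrs() would report on such a
     * system for fe80::1 on interface index 4. */
    const uint8_t raw[16] = { 0xfe,0x80, 0x00,0x04, 0,0,0,0, 0,0,0,0, 0,0,0,1 };
    struct ll_addr a;
    char text[64];
    int moved = normalize_kame_link_local(raw, &a);
    if (ll_addr_to_string(&a, text, sizeof text) > 0)
        printf("%s (embedded index %s)\n", text, moved ? "removed" : "absent");
    return 0;
}
```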
 5200 o [NSE] Optimized stdnse.format_output (changing the data structures)
 5201   to improve performance for scripts which produce a lot of output. See
 5202   http://seclists.org/nmap-dev/2011/q3/623. [Djalal]
 5204 o [NSE] Fix nping-brute so that it again works on IPv6. [Toni Ruottu]
 5206 o [NSE] Added the make_array and make_object functions to our json
 5207   library, allowing Lua tables to be treated as JSON arrays or
 5208   objects. See http://seclists.org/nmap-dev/2011/q3/15 [Daniel Miller]
 5210 o [NSE] The ip-geolocation-ipinfodb now allows you to specify an
 5211   IPInfoDB API key using the apikey NSE argument. [Gorjan]
 5213 o [NSE] Renamed http-wp-plugins to http-wordpress-plugins script for
 5214   consistency with http-wordpress-brute and now
 5215   http-wordpress-enum. [Fyodor]
 5217 Nmap 5.59BETA1 [2011-06-30]
 5219 o [NSE] Added 40 scripts, bringing the total to 217!  You can learn
 5220   more about any of them at https://nmap.org/nsedoc/. Here are the new
 5221   ones (authors listed in brackets):
 5223   + afp-ls: Lists files and their attributes from Apple Filing
 5224     Protocol (AFP) volumes. [Patrik Karlsson]
 5226   + backorifice-brute: Performs brute force password auditing against
 5227     the BackOrifice remote administration (trojan) service. [Gorjan
 5228     Petrovski]
 5230   + backorifice-info: Connects to a BackOrifice service and gathers
 5231     information about the host and the BackOrifice service
 5232     itself. [Gorjan Petrovski]
 5234   + broadcast-avahi-dos: Attempts to discover hosts in the local
 5235     network using the DNS Service Discovery protocol, then tests
 5236     whether each host is vulnerable to the Avahi NULL UDP packet
 5237     denial of service bug (CVE-2011-1002). [Djalal Harouni]
 5239   + broadcast-netbios-master-browser: Attempts to discover master
 5240     browsers and the Windows domains they manage. [Patrik Karlsson]
 5242   + broadcast-novell-locate: Attempts to use the Service Location
 5243     Protocol to discover Novell NetWare Core Protocol (NCP)
 5244     servers. [Patrik Karlsson]
 5246   + creds-summary: Lists all discovered credentials (e.g. from brute
 5247     force and default password checking scripts) at end of scan.
 5248     [Patrik Karlsson]
 5250   + dns-brute: Attempts to enumerate DNS hostnames by brute force
 5251     guessing of common subdomains. [Cirrus]
 5253   + dns-nsec-enum: Attempts to discover target hosts' services using
 5254     the DNS Service Discovery protocol. [Patrik Karlsson]
 5256   + dpap-brute: Performs brute force password auditing against an
 5257     iPhoto Library. [Patrik Karlsson]
 5259   + epmd-info: Connects to Erlang Port Mapper Daemon (epmd) and
 5260     retrieves a list of nodes with their respective port
 5261     numbers. [Toni Ruottu]
 5263   + http-affiliate-id: Grabs affiliate network IDs (e.g. Google
 5264     AdSense or Analytics, Amazon Associates, etc.) from a web
 5265     page. These can be used to identify pages with the same
 5266     owner. [Hani Benhabiles, Daniel Miller]
 5268   + http-barracuda-dir-traversal: Attempts to retrieve the
 5269     configuration settings from a Barracuda Networks Spam & Virus
 5270     Firewall device using the directory traversal vulnerability
 5271     described at
 5272     http://seclists.org/fulldisclosure/2010/Oct/119. [Brendan Coles]
 5274   + http-cakephp-version: Obtains the CakePHP version of a web
 5275     application built with the CakePHP framework by fingerprinting
 5276     default files shipped with the CakePHP framework. [Paulino
 5277     Calderon]
 5279   + http-majordomo2-dir-traversal: Exploits a directory traversal
 5280     vulnerability existing in the Majordomo2 mailing list manager to
 5281     retrieve remote files. (CVE-2011-0049). [Paulino Calderon]
 5283   + http-wp-plugins: Tries to obtain a list of installed WordPress
 5284     plugins by brute force testing for known plugins. [Ange Gutek]
 5286   + ip-geolocation-geobytes: Tries to identify the physical location
 5287     of an IP address using the Geobytes geolocation web service
 5288     (http://www.geobytes.com/iplocator.htm). [Gorjan Petrovski]
 5290   + ip-geolocation-geoplugin: Tries to identify the physical location
 5291     of an IP address using the Geoplugin geolocation web service
 5292     (http://www.geoplugin.com/). [Gorjan Petrovski]
 5294   + ip-geolocation-ipinfodb: Tries to identify the physical location
 5295     of an IP address using the IPInfoDB geolocation web service
 5296     (http://ipinfodb.com/ip_location_api.php). [Gorjan Petrovski]
 5298   + ip-geolocation-maxmind: Tries to identify the physical location of
 5299     an IP address using a Geolocation Maxmind database file (available
 5300     from http://www.maxmind.com/app/ip-location). [Gorjan Petrovski]
 5302   + ldap-novell-getpass: Attempts to retrieve the Novell Universal
 5303     Password for a user. You must already have (and include in script
 5304     arguments) the username and password for an eDirectory server
 5305     administrative account. [Patrik Karlsson]
 5307   + mac-geolocation: Looks up geolocation information for BSSID (MAC)
 5308     addresses of WiFi access points in the Google geolocation
 5309     database. [Gorjan Petrovski]
 5311   + mysql-audit: Audit MySQL database server security configuration
 5312     against parts of the CIS MySQL v1.0.2 benchmark (the engine can
 5313     also be used for other MySQL audits by creating appropriate audit
 5314     files).  [Patrik Karlsson]
 5316   + ncp-enum-users: Retrieves a list of all eDirectory users from the
 5317     Novell NetWare Core Protocol (NCP) service. [Patrik Karlsson]
 5319   + ncp-serverinfo: Retrieves eDirectory server information (OS
 5320     version, server name, mounts, etc.) from the Novell NetWare Core
 5321     Protocol (NCP) service. [Patrik Karlsson]
 5323   + nping-brute: Performs brute force password auditing against an
 5324     Nping Echo service. [Toni Ruottu]
 5326   + omp2-brute: Performs brute force password auditing against the
 5327     OpenVAS manager using OMPv2. [Henri Doreau]
 5329   + omp2-enum-targets: Attempts to retrieve the list of target systems
 5330     and networks from an OpenVAS Manager server. [Henri Doreau]
 5332   + ovs-agent-version: Detects the version of an Oracle OVSAgentServer
 5333     by fingerprinting responses to an HTTP GET request and an XML-RPC
 5334     method call. [David Fifield]
 5336   + quake3-master-getservers: Queries Quake3-style master servers for
 5337     game servers (many games other than Quake 3 use this same
 5338     protocol). [Toni Ruottu]
 5340   + servicetags: Attempts to extract system information (OS, hardware,
 5341     etc.) from the Sun Service Tags service agent (UDP port
 5342     6481). [Matthew Flanagan]
 5344   + sip-brute: Performs brute force password auditing against Session
 5345     Initiation Protocol (SIP -
 5346     http://en.wikipedia.org/wiki/Session_Initiation_Protocol)
 5347     accounts.  This protocol is most commonly associated with VoIP
 5348     sessions. [Patrik Karlsson]
 5350   + sip-enum-users: Attempts to enumerate valid SIP user accounts.
 5351     Currently only the SIP server Asterisk is supported. [Patrik
 5352     Karlsson]
 5354   + smb-mbenum: Queries information managed by the Windows Master
 5355     Browser. [Patrik Karlsson]
 5357   + smtp-vuln-cve2010-4344: Checks for and/or exploits a heap overflow
 5358     within versions of Exim prior to version 4.69 (CVE-2010-4344) and
 5359     a privilege escalation vulnerability in Exim 4.72 and prior
 5360     (CVE-2010-4345). [Djalal Harouni]
 5362   + smtp-vuln-cve2011-1720: Checks for a memory corruption in the
 5363     Postfix SMTP server when it uses Cyrus SASL library authentication
 5364     mechanisms (CVE-2011-1720).  This vulnerability can allow denial
 5365     of service and possibly remote code execution. [Djalal Harouni]
 5367   + snmp-ios-config: Attempts to download Cisco router IOS
 5368     configuration files using SNMP RW (v1) and display or save
 5369     them. [Vikas Singhal, Patrik Karlsson]
 5371   + ssl-known-key: Checks whether the SSL certificate used by a host
 5372     has a fingerprint that matches an included database of problematic
 5373     keys. [Mak Kolybabi]
 5375   + targets-sniffer: Sniffs the local network for a configurable
 5376     amount of time (10 seconds by default) and prints discovered
 5377     addresses. If the newtargets script argument is set, discovered
 5378     addresses are added to the scan queue. [Nick Nikolaou]
 5380   + xmpp: Connects to an XMPP server (port 5222) and collects server
 5381     information such as supported auth mechanisms, compression methods
 5382     and whether TLS is supported and mandatory. [Vasiliy Kulikov]
 5384 o Nmap has long supported IPv6 for basic (connect) port scans, basic
 5385   host discovery, version detection, and the Nmap Scripting Engine.
 5386   This release dramatically expands and improves IPv6 support:
 5387   + IPv6 raw packet scans (including SYN scan, UDP scan, ACK scan,
 5388     etc.) are now supported. [David, Weilin]
 5389   + IPv6 raw packet host discovery (IPv6 echo requests, TCP/UDP
 5390     discovery packets, etc.) is now supported. [David, Weilin]
 5391   + IPv6 traceroute is now supported [David]
 5392   + IPv6 protocol scan (-sO) is now supported, including creating
 5393     realistic headers for many protocols. [David]
 5394   + Added IPv6 support to the wsdd, dnssd and upnp NSE libraries. [Daniel
 5395     Miller, Patrik]
 5396   + The --exclude and --excludefile options now support IPv6 addresses
 5397     with netmasks.  [Colin]
 5399 o Scanme.Nmap.Org (the system anyone is allowed to scan for testing
 5400   purposes) is now dual-stacked (has an IPv6 address as well as IPv4)
 5401   so you can scan it during IPv6 testing.  We also added a DNS record
 5402   for ScanmeV6.nmap.org which is IPv6-only. See
 5403   http://seclists.org/nmap-dev/2011/q2/428. [Fyodor]
 5405 o The Nmap.Org website as well as sister sites Insecure.Org,
 5406   SecLists.Org, and SecTools.Org all have working IPv6 addresses now
 5407   (dual stacked). [Fyodor]
 5409 o Nmap now determines the filesystem location it is being run from and
 5410   that path is now included early in the search path for data files
 5411   (such as nmap-services).  This reduces the likelihood of needing to
 5412   specify --datadir or getting data files from a different version of
 5413   Nmap installed on the system.  For full details, see
 5414   https://nmap.org/book/data-files-replacing-data-files.html .  Thanks
 5415   to Solar Designer for implementation advice. [David]
 5417 o Created a page on our SecWiki for collecting Nmap script ideas! If
 5418   you have a good idea, post it to the incoming section of the page.
 5419   Or if you're in a script writing mood but don't know what to write,
 5420   come here for inspiration: https://secwiki.org/w/Nmap_Script_Ideas.
 5422 o The development pace has greatly increased because Google (again)
 5423   sponsored 7 full-time college and graduate student programmer
 5424   interns this summer as part of their Summer of Code program!
 5425   Thanks, Google Open Source Department!  We're delighted to introduce
 5426   the team: http://seclists.org/nmap-dev/2011/q2/312
 5428 o [NSE] Added 7 new protocol libraries, bringing the total to 66.  You
 5429   can read about them all at https://nmap.org/nsedoc/. Here are the new
 5430   ones (authors listed in brackets):
 5432   + creds: Handles storage and retrieval of discovered credentials
 5433     (such as passwords discovered by brute force scripts). [Patrik
 5434     Karlsson]
 5436   + ncp: A tiny implementation of Novell Netware Core Protocol
 5437     (NCP). [Patrik Karlsson]
 5439   + omp2: OpenVAS Management Protocol (OMP) version 2 support. [Henri
 5440     Doreau]
 5442   + sip: Supports a limited subset of SIP commands and
 5443     methods. [Patrik Karlsson]
 5445   + smtp: Simple Mail Transfer Protocol (SMTP) operations. [Djalal
 5446     Harouni]
 5448   + srvloc: A relatively small implementation of the Service Location
 5449     Protocol. [Patrik Karlsson]
 5451   + tftp: Implements a minimal TFTP server. It is used in
 5452     snmp-ios-config to obtain router config files. [Patrik Karlsson]
 5454 o Improved Nmap's service/version detection database by adding:
 5455   + Apple iPhoto (DPAP) protocol probe [Patrik]
 5456   + Zend Java Bridge probe [Michael Schierl]
 5457   + BackOrifice probe [Gorjan Petrovski]
 5458   + GKrellM probe [Toni Ruottu]
 5459   + Signature improvements for a wide variety of services (we now have
 5460     7,375 signatures)
 5462 o [NSE] ssh-hostkey now additionally has a postrule that prints hosts
 5463   found during the scan which share the same hostkey. [Henri Doreau]
 5465 o [NSE] Added 300+ new signatures to http-enum which look for admin
 5466   directories, JBoss, Tomcat, TikiWiki, Majordomo2, MS SQL, Wordpress,
 5467   and more. [Paulino]
 5469 o Made the final IP address space assignment update as all available
 5470   IPv4 address blocks have now been allocated to the regional
 5471   registries.  Our random IP generation (-iR) logic now only excludes
 5472   the various reserved blocks.  Thanks to Kris for years of regular
 5473   updates to this function!
 5475 o [NSE] Replaced http-trace with a new more effective version. [Paulino]
 5477 o Performed some output cleanup work to remove unimportant status
 5478   lines so that it is easier to find the good stuff! [David]
 5480 o [Zenmap] Zenmap now properly kills the Nmap scan subprocess when you
 5481   cancel a scan or quit Zenmap on Windows. [Shinnok]
 5483 o [NSE] Banned scripts from being in both the "default" and
 5484   "intrusive" categories.  We did this by removing dhcp-discover and
 5485   dns-zone-transfer from the set of scripts run by default (leaving
 5486   them "intrusive"), and reclassifying dns-recursion, ftp-bounce,
 5487   http-open-proxy, and socks-open-proxy as "safe" rather than
 5488   "intrusive" (keeping them in the "default" set).
 5490 o [NSE] Added a credential storage library (creds.lua) and modified
 5491   the brute library and scripts to make use of it. [Patrik]
 5493 o [Ncat] Created a portable version of ncat.exe that you can just drop
 5494   onto Microsoft Windows systems without having to run any installer
 5495   or copy over extra library files. See the Ncat page
 5496   (https://nmap.org/ncat/) for binary downloads and a link to build
 5497   instructions. [Shinnok]
 5499 o Fix a segmentation fault which could occur when running Nmap on
 5500   various Android-based phones.  The problem related to NULL being
 5501   passed to freeaddrinfo(). [David, Vlatko Kosturjak]
 5503 o [NSE] The host.bin_ip and host.bin_ip_src entries now also work with
 5504   16-byte IPv6 addresses. [David]
 5506 o [Ncat] Updated the ca-bundle.crt list of trusted certificate
 5507   authority certificates. [David]
 5509 o [NSE] Fixed a bug in the SMB Authentication library which could
 5510   prevent concurrently running scripts with valid credentials from
 5511   logging in. [Chris Woodbury]
 5513 o [NSE] Re-worked http-form-brute.nse to better autodetect form
 5514   fields, allow brute force attempts where only the password (no
 5515   username) is needed, follow HTTP redirects, and better detect
 5516   incorrect login attempts. [Patrik, Daniel Miller]
 5518 o [Zenmap] Changed the "slow comprehensive scan" profile's NSE script
 5519   selection from "all" to "default or (discovery and safe)"
 5520   categories.  Except for testing and debugging, "--script all" is
 5521   rarely desirable.
 5523 o [NSE] Added the stdnse.silent_require method which is used for
 5524   library requires that you know might fail (e.g. "openssl" fails if
 5525   Nmap was compiled without that library).  If these libraries are
 5526   called with silent_require and fail to load, the script will cease
 5527   running but the user won't be presented with ugly failure messages
 5528   as would happen with a normal require. [Patrick Donnelly]
 5530 o [Zenmap] Fixed a bug in topology mapper which caused endpoints
 5531   behind firewalls to sometimes show up in the wrong place (see
 5532   http://seclists.org/nmap-dev/2011/q2/733).  [Colin Rice]
 5534 o [Zenmap] If you scan a system twice, any open ports from the first
 5535   scan which are closed in the 2nd will be properly marked as
 5536   closed. [Colin Rice]
 5538 o [Zenmap] Fixed an error that could cause a crash ("TypeError: an
 5539   integer is required") if a sort column in the ports table was unset.
 5540   [David]
 5542 o [Ndiff] Added nmaprun element information (Nmap version, scan date,
 5543   etc.) to the diff.  Also, the Nmap banner with version number and
 5544   data is now only printed if there were other differences in the
 5545   scan. [Daniel Miller, David, Dr. Jesus]
 5547 o [NSE] Added nmap.get_interface and nmap.get_interface_info functions
 5548   so scripts can access characteristics of the scanning interface.
 5549   Removed nmap.get_interface_link. [Djalal]
 5551 o Fixed an overflow in scan elapsed time display that caused negative
 5552   times to be printed after about 25 days. [Daniel Miller]
 5554 o Updated nmap-rpc from the master list, now maintained by IANA.
 5555   [Daniel Miller, David]
 5557 o [Zenmap] Fixed a bug in the option parser: -sN (null scan) was
 5558   interpreted as -sn (no port scan). This was reported by
 5559   Shitaneddine. [David]
 5561 o [Ndiff] Fixed the Mac OS X packages to use the correct path for
 5562   Python: /usr/bin/python instead of /opt/local/bin/python. The bug
 5563   was reported by Wellington Castello. [David]
 5565 o Removed the -sR (RPC scan) option--it is now an alias for -sV
 5566   (version scan), which always does RPC scan when an rpcinfo service
 5567   is detected.
 5569 o [NSE] Improved the ms-sql scripts and library in several ways:
 5570   - Improved version detection and server discovery
 5571   - Added support for named pipes, integrated authentication, and
 5572     connecting to instances by name or port
 5573   - Improved script and library stability and documentation.
 5574   [Patrik Karlsson, Chris Woodbury]
 5576 o [NSE] Fixed http.validate_options when handling a cookie table.
 5577   [Sebastian Prengel]
 5579 o Added a Service Tags UDP probe for port 6481/udp. [David]
 5581 o [NSE] Enabled firewalk.nse to automatically find the gateways at
 5582   which probes are dropped and fixed various bugs. [Henri Doreau]
 5584 o [Zenmap] Worked around a pycairo bug that prevented saving the
 5585   topology graphic as PNG on Windows: "Error Saving Snapshot:
 5586   Surface.write_to_png takes one argument which must be a filename
 5587   (str), file object, or a file-like object which has a 'write' method
 5588   (like StringIO)". The problem was reported by Alex Kah. [David]
 5590 o The -V and --version options now show the platform Nmap was compiled
 5591   on, which features are compiled in, the version numbers of libraries
 5592   it is linked against, and whether the libraries are the ones that
 5593   come with Nmap or the operating system.  [Ambarisha B., David]
 5595 o Fixed some inconsistencies in nmap-os-db reported by Xavier Sudre
 5596   from netVigilance.
 5598 o The Nmap Win32 uninstaller now properly deletes nping.exe. [Fyodor]
 5600 o [NSE] Added a shortport.ssl function which can be used as a script
 5601   portrule to match SSL services.  It is similar in concept to our
 5602   existing shortport.http. [David]
 5604 o Set up the RPM build to use the compat-glibc and compat-gcc-34-c++
 5605   packages (on CentOS 5.3) to resolve a report of Nmap failing to run
 5606   on old versions of Glibc. [David]
 5608 o We no longer support Nmap on versions of Windows earlier than XP
 5609   SP2.  Even Microsoft no longer supports Windows versions that old.
 5610   But if you must use Nmap on such systems anyway, please see
 5611   https://secwiki.org/w/Nmap_On_Old_Windows_Releases.
 5613 o There were hundreds of other little bug fixes and improvements
 5614   (especially to NSE scripts).  See the SVN logs for revisions 22,274
 5615   through 24,460 for details.
 5617 Nmap 5.51 [2011-02-11]
 5619 o [Ndiff] Added support for prerule and postrule scripts. [David]
 5621 o [NSE] Fixed a bug which caused some NSE scripts to fail due to the
 5622   absence of the NSE SCRIPT_NAME environment variable when loaded.
 5623   Michael Pattrick reported the problem. [Djalal]
 5625 o [Zenmap] Selecting one of the scan targets in the left pane is
 5626   supposed to jump to that host in the Nmap Output in the right pane
 5627   (but it wasn't).  Brian Krebs reported this bug. [David]
 5629 o Fixed an obscure bug in Windows interface matching. If the MAC
 5630   address of an interface couldn't be retrieved, it might have been
 5631   used instead of the correct interface. Alexander Khodyrev reported
 5632   the problem.  [David]
 5634 o [NSE] Fixed portrules in dns-zone-transfer and ftp-proftpd-backdoor
 5635   that used shortport functions incorrectly and always returned
 5636   true. [Jost Krieger]
 5638 o [Ndiff] Fixed ndiff.dtd to include two elements that can be diffed:
 5639   status and address. [Daniel Miller]
 5641 o [Ndiff] Fixed the ordering of hostscript-related elements in XML
 5642   output. [Daniel Miller]
 5644 o [NSE] Fixed a bug in the nrpe-enum script that would make it run for
 5645   every port (when it was selected--it isn't by default).  Daniel
 5646   Miller reported the bug. [Patrick]
 5648 o [NSE] When an NSE script sets a negative socket timeout, it now
 5649   causes a controlled Lua stack trace instead of a fatal error.
 5650   Vlatko Kosturjak reported the bug. [David]
 5652 o [Zenmap] Worked around an error that caused the py2app bootstrap
 5653   executable to be non-universal even when the rest of the application
 5654   was universal. This prevented the binary .dmg from working on
 5655   PowerPC. Yxynaxen reported the problem. [David]
 5657 o [Ndiff] Fixed an output line that wasn't being redirected to a file
 5658   when all other output was. [Daniel Miller]
 5660 Nmap 5.50 [2011-01-28]
 5662 o [Zenmap] Added a new script selection interface, allowing you to
 5663   choose scripts and arguments from a list which includes descriptions
 5664   of every available script. Just click the "Scripting" tab in the
 5665   profile editor. [Kirubakaran]
 5667 o [Nping] Added echo mode, a novel technique for discovering how your
 5668   packets are changed (or dropped) in transit between the host they
 5669   originated and a target machine. It can detect network address
 5670   translation, packet filtering, routing anomalies, and more.  You can
 5671   try it out against our public Nping echo server using this command:
 5672     nping --echo-client "public" echo.nmap.org
 5673   Or learn more about echo mode at
 5674   https://nmap.org/book/nping-man-echo-mode.html . [Luis]
 5676 o [NSE] Added an amazing 46 scripts, bringing the total to 177! You
 5677   can learn more about any of them at https://nmap.org/nsedoc/. Here
 5678   are the new ones (authors listed in brackets):
 5680   + broadcast-dns-service-discovery: Attempts to discover hosts'
 5681     services using the DNS Service Discovery protocol.  It sends a
 5682     multicast DNS-SD query and collects all the responses. [Patrik
 5683     Karlsson]
 5685   + broadcast-dropbox-listener: Listens for the LAN sync information
 5686     broadcasts that the Dropbox.com client broadcasts every 20
 5687     seconds, then prints all the discovered client IP addresses, port
 5688     numbers, version numbers, display names, and more.  [Ron Bowes,
 5689     Mak Kolybabi, Andrew Orr, Russ Tait Milne]
 5691   + broadcast-ms-sql-discover: Discovers Microsoft SQL servers in the
 5692     same broadcast domain. [Patrik Karlsson]
 5694   + broadcast-upnp-info: Attempts to extract system information from the
 5695     UPnP service by sending a multicast query, then collecting,
 5696     parsing, and displaying all responses. [Patrik Karlsson]
 5698   + broadcast-wsdd-discover: Uses a multicast query to discover devices
 5699     supporting the Web Services Dynamic Discovery (WS-Discovery)
 5700     protocol. It also attempts to locate any published Windows
 5701     Communication Framework (WCF) web services (.NET 4.0 or
 5702     later). [Patrik Karlsson]
 5704   + db2-discover: Attempts to discover DB2 servers on the network by
 5705     querying open ibm-db2 UDP ports (normally port 523). [Patrik
 5706     Karlsson]
 5708   + dns-update.nse: Attempts to perform an unauthenticated dynamic DNS
 5709     update. [Patrik Karlsson]
 5711   + domcon-brute: Performs brute force password auditing against the
 5712     Lotus Domino Console. [Patrik Karlsson]
 5714   + domcon-cmd: Runs a console command on the Lotus Domino Console with
 5715     the given authentication credentials (see also: domcon-brute).
 5716     [Patrik Karlsson]
 5718   + domino-enum-users: Attempts to discover valid IBM Lotus Domino users
 5719     and download their ID files by exploiting the CVE-2006-5835
 5720     vulnerability. [Patrik Karlsson]
 5722   + firewalk: Tries to discover firewall rules using an IP TTL
 5723     expiration technique known as firewalking. [Henri Doreau]
 5725   + ftp-proftpd-backdoor: Tests for the presence of the ProFTPD 1.3.3c
 5726     backdoor reported as OSVDB-ID 69562. This script attempts to
 5727     exploit the backdoor using the innocuous id command by default,
 5728     but that can be changed with a script argument. [Mak Kolybabi]
 5730   + giop-info: Queries a CORBA naming server for a list of
 5731     objects. [Patrik Karlsson]
 5733   + gopher-ls: Lists files and directories at the root of a gopher
 5734     service. Remember those? [Toni Ruottu]
 5736   + hddtemp-info: Reads hard disk information (such as brand, model, and
 5737     sometimes temperature) from a listening hddtemp service. [Toni
 5738     Ruottu]
 5740   + hostmap: Tries to find hostnames that resolve to the target's IP
 5741     address by querying the online database at
 5742     http://www.bfk.de/bfk_dnslogger.html . [Ange Gutek]
 5744   + http-brute: Performs brute force password auditing against http
 5745     basic authentication. [Patrik Karlsson]
 5747   + http-domino-enum-passwords: Attempts to enumerate the hashed Domino
 5748     Internet Passwords that are (by default) accessible by all
 5749     authenticated users. This script can also download any Domino ID
 5750     Files attached to the Person document. [Patrik Karlsson]
 5752   + http-form-brute: Performs brute force password auditing against http
 5753     form-based authentication. [Patrik Karlsson]
 5755   + http-vhosts: Searches for web virtual hostnames by making a large
 5756     number of HEAD requests against http servers using common
 5757     hostnames. [Carlos Pantelides]
 5759   + informix-brute: Performs brute force password auditing against
 5760     IBM Informix Dynamic Server. [Patrik Karlsson]
 5762   + informix-query: Runs a query against IBM Informix Dynamic Server
 5763     using the given authentication credentials (see also:
 5764     informix-brute). [Patrik Karlsson]
 5766   + informix-tables: Retrieves a list of tables and column definitions
 5767     for each database on an Informix server. [Patrik Karlsson]
 5769   + iscsi-brute: Performs brute force password auditing against iSCSI
 5770     targets. [Patrik Karlsson]
 5772   + iscsi-info: Collects and displays information from remote iSCSI
 5773     targets. [Patrik Karlsson]
 5775   + modbus-discover: Enumerates SCADA Modbus slave ids (sids) and
 5776     collects their device information. [Alexander Rudakov]
 5778   + nat-pmp-info: Queries a NAT-PMP service for its external
 5779     address. [Patrik Karlsson]
 5781   + netbus-auth-bypass: Checks if a NetBus server is vulnerable to an
 5782     authentication bypass vulnerability which allows full access
 5783     without knowing the password. [Toni Ruottu]
 5785   + netbus-brute: Performs brute force password auditing against the
 5786     Netbus backdoor ("remote administration") service. [Toni Ruottu]
 5788   + netbus-info: Opens a connection to a NetBus server and extracts
 5789     information about the host and the NetBus service itself. [Toni
 5790     Ruottu]
 5792   + netbus-version: Extends version detection to detect NetBuster, a
  5793     honeypot service that mimics NetBus. [Toni Ruottu]
 5795   + nrpe-enum: Queries Nagios Remote Plugin Executor (NRPE) daemons to
 5796     obtain information such as load averages, process counts, logged in
 5797     user information, etc. [Mak Kolybabi]
 5799   + oracle-brute: Performs brute force password auditing against Oracle
 5800     servers. [Patrik Karlsson]
 5802   + oracle-enum-users: Attempts to enumerate valid Oracle user names
 5803     against unpatched Oracle 11g servers (this bug was fixed in
 5804     Oracle's October 2009 Critical Patch Update). [Patrik Karlsson]
 5806   + path-mtu: Performs simple Path MTU Discovery to target hosts. [Kris
 5807     Katterjohn]
 5809   + resolveall: Resolves hostnames and adds every address (IPv4 or IPv6,
 5810     depending on Nmap mode) to Nmap's target list.  This differs from
 5811     Nmap's normal host resolution process, which only scans the first
 5812     address (A or AAAA record) returned for each host name. [Kris
 5813     Katterjohn]
 5815   + rmi-dumpregistry: Connects to a remote RMI registry and attempts to
 5816     dump all of its objects. [Martin Holst Swende]
  5818   + smb-flood: Exhausts a remote SMB server's connection limit by
 5819     opening as many connections as we can.  Most implementations of
 5820     SMB have a hard global limit of 11 connections for user accounts
 5821     and 10 connections for anonymous. Once that limit is reached,
 5822     further connections are denied. This script exploits that limit by
 5823     taking up all the connections and holding them. [Ron Bowes]
 5825   + ssh2-enum-algos: Reports the number of algorithms (for encryption,
 5826     compression, etc.) that the target SSH2 server offers. If
 5827     verbosity is set, the offered algorithms are each listed by
 5828     type. [Kris Katterjohn]
 5830   + stuxnet-detect: Detects whether a host is infected with the Stuxnet
 5831     worm (http://en.wikipedia.org/wiki/Stuxnet). [Mak Kolybabi]
 5833   + svn-brute: Performs brute force password auditing against Subversion
 5834     source code control servers. [Patrik Karlsson]
 5836   + targets-traceroute: Inserts traceroute hops into the Nmap scanning
 5837     queue. It only functions if Nmap's --traceroute option is used and
 5838     the newtargets script argument is given. [Henri Doreau]
 5840   + vnc-brute: Performs brute force password auditing against VNC
 5841     servers. [Patrik Karlsson]
 5843   + vnc-info: Queries a VNC server for its protocol version and
 5844     supported security types. [Patrik Karlsson]
 5846   + wdb-version: Detects vulnerabilities and gathers information (such
 5847     as version numbers and hardware support) from VxWorks Wind DeBug
 5848     agents. [Daniel Miller]
 5850   + wsdd-discover: Retrieves and displays information from devices
 5851     supporting the Web Services Dynamic Discovery (WS-Discovery)
 5852     protocol. It also attempts to locate any published Windows
 5853     Communication Framework (WCF) web services (.NET 4.0 or
 5854     later). [Patrik Karlsson]
 5856 o [NSE] Added 12 new protocol libraries:
 5857   - dhcp.lua by Ron
 5858   - dnssd.lua (DNS Service Discovery) by Patrik
 5859   - ftp.lua by David
 5860   - giop.lua (CORBA naming service) by Patrik
 5861   - informix.lua (Informix database) by Patrik
 5862   - iscsi.lua (iSCSI - IP based SCSI data transfer) by Patrik
 5863   - nrpc.lua (Lotus Domino RPC) by Patrik
 5864   - rmi.lua (Java Remote Method Invocation) by Martin Holst Swende
 5865   - tns.lua (Oracle) by Patrik
 5866   - upnp.lua (UPnP support) by Thomas Buchanan and Patrik
 5867   - vnc.lua (Virtual Network Computing) by Patrik
 5868   - wsdd.lua (Web Service Dynamic Discovery) by Patrik
 5870 o [NSE] Added a new brute library that provides a basic framework and logic
 5871   for brute force password auditing scripts. [Patrik]
 5873 o [Zenmap] Greatly improved performance for large scans by
 5874   benchmarking intensively and then recoding dozens of slow parts.
 5875   Time taken to load our benchmark file (a scan of just over a million
 5876   IPs belonging to Microsoft corporation, with 74,293 hosts up) was
 5877   reduced from hours to less than two minutes. Memory consumption
 5878   decreased dramatically as well. [David]
 5880 o Performed a major OS detection integration run. The database has
 5881   grown more than 14% to 2,982 fingerprints and many of the existing
 5882   fingerprints were improved. Highlights include Linux 2.6.37, iPhone
 5883   OS 4.2.1, Solaris 11, AmigaOS 3.1, GNU Hurd 0.3, and MINIX 2.0.4.
 5884   David posted highlights of his integration work at
 5885   http://seclists.org/nmap-dev/2010/q4/651
 5887 o Performed a huge version detection integration run. The number of
 5888   signatures has grown by more than 11% to 7,355.  More than a third
 5889   of our signatures are for http, but we also detect 743 other service
 5890   protocols, from abc, acap, access-remote-pc, and achat to zenworks,
 5891   zeo, and zmodem.  David posted highlights at
 5892   http://seclists.org/nmap-dev/2010/q4/761.
 5894 o [NSE] Added the target NSE library which allows scripts to add newly
 5895   discovered targets to Nmap's scanning queue. This allows Nmap to
 5896   support a wide range of target acquisition techniques. Scripts which
 5897   can now use this feature include dns-zone-transfer, hostmap,
 5898   ms-sql-info, snmp-interfaces, targets-traceroute, and several
 5899   more. [Djalal]
 5901 o [NSE] Nmap has two new NSE script scanning phases. The new pre-scan
 5902   occurs before Nmap starts scanning. Some of the initial pre-scan
 5903   scripts use techniques like broadcast DNS service discovery or DNS
 5904   zone transfers to enumerate hosts which can optionally be treated as
 5905   targets. The other phase (post scan) runs after all of Nmap's
 5906   scanning is complete. We don't have any of these scripts yet, but
 5907   they could compile scan statistics or present the results in a
 5908   different way. One idea is a reverse index which provides a list of
 5909   services discovered during a network scan, along with a list of IPs
 5910   found to be running each service. See
 5911   https://nmap.org/book/nse-usage.html#nse-script-types. [Djalal]
 5913 o [NSE] A new --script-help option describes all scripts matching a
 5914   given specification. It accepts the same specification format as
 5915   --script does. For example, try 'nmap --script-help "default or
 5916   http-*"'. [David, Martin Holst Swende]
 5918 o Dramatically improved nmap.xsl (used for converting Nmap XML output
 5919   to HTML). In particular:
 5920   - Put verbose details behind expander buttons so you can see them if
 5921     you want, but they don't distract from the main output.  In
 5922     particular, offline hosts and traceroute results are collapsed by
 5923     default.
 5924   - Improved the color scheme to be less garish.
 5925   - Added support for the new NSE pre-scan and post-scan phases.
 5926   - Changed script output to use 'pre' tags to keep even lengthy
 5927     output readable.
 5928   - Added a floating menu to the lower-right for toggling whether
 5929     closed/filtered ports are shown or not (they are now hidden by
 5930     default if Javascript is enabled).
 5931   Many smaller improvements were made as well. You can find the new
 5932   file at https://nmap.org/svn/docs/nmap.xsl, and here is an example
 5933   scan processed through it: https://nmap.org/book/output-formats-output-to-html.html . [Tom]
 5935 o [NSE] Created a new "broadcast" script category for the broadcast-*
 5936   scripts.  These perform network discovery by broadcasting on the
 5937   local network and listening for responses.  Since they don't
 5938   directly relate to targets specified on the command line, these are
  5939   kept out of the default category (and out of "discovery" as well).
 5941 o Integrated cracked passwords from the Gawker.com compromise
 5942   (http://seclists.org/nmap-dev/2010/q4/674) into Nmap's top-5000
  5943   password database. A team of Nmap developers led by Brandon Enright
 5944   has cracked 635,546 out of 748,081 password hashes so far
 5945   (85%). Gawker doesn't exactly have the most sophisticated users on
 5946   the Internet--their top passwords are "123456", "password",
 5947   "12345678", "lifehack", "qwerty", "abc123", "12345", "monkey",
 5948   "111111", "consumer", and "letmein".
 5950 o XML output now excludes output for down hosts when only doing host
 5951   discovery, unless verbosity (-v) was requested. This is how it
 5952   already worked for normal scans, but the ping-only case was
 5953   overlooked.  [David]
 5955 o Updated the Windows build process to work with (and require) Visual
 5956   C++ 2010 rather than 2008.  If you want to build Zenmap too, you now
 5957   need Python 2.7 (rather than 2.6) and GTK+ 2.22. See
 5958   https://nmap.org/book/inst-windows.html#inst-win-source [David, Rob
 5959   Nicholls, KX]
 5961 o Merged port names in the nmap-services file with allocated names
 5962   from the IANA (http://www.iana.org/assignments/port-numbers). We
 5963   only added IANA names which were "unknown" in our file--we didn't
 5964   deal with conflicting names. [David]
 5966 o Enabled the ASLR and DEP security technologies for Nmap.exe,
 5967   Ncat.exe and Nping.exe on Windows Vista and above. Visual C++ will
 5968   set the /DYNAMICBASE and /NXCOMPAT flags in the PE
 5969   header. Executables generated using py2exe or NSIS and third party
 5970   binaries (OpenSSL, WinPcap) still don't support ASLR or DEP. Support
 5971   for DEP on XP SP3, using SetProcessDEPPolicy(), could still be
 5972   implemented. See http://seclists.org/nmap-dev/2010/q3/328. [Robert]
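As an added example (not code from Nmap or this changelog), the following Python checker reads the PE optional header's DllCharacteristics field to verify that a Windows binary was built with /DYNAMICBASE (ASLR) and /NXCOMPAT (DEP); it also constructs a synthetic header so the check can be exercised offline. The flag values and header offsets come from the PE/COFF specification; the stub builder is an assumption for testing only, not a real Nmap.exe.

```python
import struct

# DllCharacteristics flag bits (PE/COFF spec).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by /DYNAMICBASE (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # set by /NXCOMPAT (DEP)

# Header offsets (PE/COFF spec).
E_LFANEW_OFFSET = 0x3C          # DOS header field pointing at "PE\0\0"
COFF_HEADER_SIZE = 20
SIZEOF_OPTIONAL_HEADER_OFFSET = 16  # within the COFF header
DLLCHARACTERISTICS_OFFSET = 70  # same for PE32 (0x10b) and PE32+ (0x20b)
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigations(image: bytes) -> dict:
    """Report which build-time mitigations a PE image's header declares.

    Only the DOS stub pointer, the PE signature and the optional header's
    DllCharacteristics field are read; nothing from the image is executed.
    """
    if len(image) < E_LFANEW_OFFSET + 4 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    pe_off = struct.unpack_from("<I", image, E_LFANEW_OFFSET)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff_off = pe_off + 4
    opt_off = coff_off + COFF_HEADER_SIZE
    opt_size = struct.unpack_from("<H", image, coff_off + SIZEOF_OPTIONAL_HEADER_OFFSET)[0]
    if opt_size < DLLCHARACTERISTICS_OFFSET + 2 or len(image) < opt_off + opt_size:
        raise ValueError("optional header too short to carry DllCharacteristics")
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchars = struct.unpack_from("<H", image, opt_off + DLLCHARACTERISTICS_OFFSET)[0]
    return {
        "format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "aslr": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_stub_pe(dllchars: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header (no sections) for exercising the checker.

    Synthetic test input assembled here for the example, not a real binary;
    every field the checker does not read is left as zero.
    """
    pe_off = 0x40
    opt_size = 240 if pe32plus else 224  # optional header sizes from the spec
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, pe_off)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (IMAGE_FILE_EXECUTABLE_IMAGE)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dllchars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # A header built with both flags, as a /DYNAMICBASE /NXCOMPAT build would have.
    print(pe_mitigations(build_stub_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                       | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)))
```

To audit a real file, pass `open(path, "rb").read()` to `pe_mitigations`; a third-party DLL reporting `aslr: False` is exactly the case the entry above describes.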
 5974 o Investigated using the CPE (Common Platform Enumeration) standard
 5975   for describing operating systems, devices, and service names for
 5976   Nmap OS and service detection. You can read David's reports at
 5977   http://seclists.org/nmap-dev/2010/q3/278 and
 5978   http://seclists.org/nmap-dev/2010/q3/303.
 5980 o [Zenmap] Improved the output viewer to show new output in constant
 5981   time. Previously it would get slower and slower as the output grew
 5982   longer, eventually making Zenmap appear to freeze with 100% CPU. Rob
 5983   Nicholls and Ray Middleton helped with testing. [David]
 5985 o The Linux RPM builds of Nmap and related tools (ncat, nping, etc.)
 5986   now link to system libraries dynamically rather than statically.
 5987   They still link statically to dependency libraries such as OpenSSL,
 5988   Lua, LibPCRE, Libpcap, etc. We hope this will improve portability so
 5989   the RPMs will work on distributions with older software (like RHEL,
 5990   Debian stable) as well as more bleeding edge ones like
 5991   Fedora. [David]
 5993 o [NSE] Added the ability to send and receive on unconnected sockets.
 5994   This can be used, for example, to receive UDP broadcasts without
 5995   having to use Libpcap. A number of scripts have been changed so that
 5996   they can work as prerule scripts to discover services by UDP
 5997   broadcasting, and optionally add the discovered targets to the
 5998   scanning queue:
 5999     - ms-sql-info
 6000     - upnp-info
 6001     - dns-service-discovery
 6002   The nmap.new_socket function can now optionally take a default
 6003   protocol and address family, which will be used if the socket is not
 6004   connected. There is a new nmap.sendto function to be used with
 6005   unconnected UDP sockets. [David, Patrik]
 6007 o [Nping] Substantially improved the Nping man page. You can read it
 6008   online at https://nmap.org/book/nping-man.html . [Luis, David]
 6010 o Documented the licenses of the third-party software used by Nmap and
 6011   its sibling tools:
 6012   https://svn.nmap.org/nmap/docs/3rd-party-licenses.txt . [David]
 6014 o [NSE] Improved the SMB scripts so that they can run in parallel
 6015   rather than using a mutex to force serialization.  This quadrupled
 6016   the SMB scan speed in one large scale test.  See
 6017   http://seclists.org/nmap-dev/2010/q3/819. [Ron]
 6019 o Added a simple Nmap NSE script template to make writing new scripts
 6020   easier: https://nmap.org/svn/docs/sample-script.nse. [Ron]
 6022 o [Zenmap] Made the topology node radiuses grow logarithmically
 6023   instead of linearly, so that hosts with thousands of open ports
 6024   don't overwhelm the diagram. Also only open ports (not
 6025   open|filtered) are considered when calculating node sizes. Henri
 6026   Doreau found and fixed a bug in the implementation. [Daniel Miller]
 6028 o [NSE] Added the get_script_args NSE function for parsing script
 6029   arguments in a clean and standardized way
 6030   (https://nmap.org/nsedoc/lib/stdnse.html#get_script_args). [Djalal]
 6032 o Increased the initial RTT timeout for ARP scans from 100 ms to 200
 6033   ms. Some wireless and VPN links were taking around 300 ms to
 6034   respond. The default of one retransmission gives them 400 ms to be
 6035   detected.
 6037 o Added new version detection probes and signatures from Patrik for:
 6038   - Lotus Domino Console running on tcp/2050 (shows OS and hostname)
 6039   - IBM Informix Dynamic Server running native protocol (shows hostname, and file path)
 6040   - Database servers running the DRDA protocol
 6041   - IBM Websphere MQ (shows name of queue-manager and channel)
  6043 o Fixed Nmap compilation on OpenSolaris (see
  6044   http://blogs.sun.com/sdaven/entry/nmap_5_35dc1_compile_on). [David]
 6046 o [NSE] The http library's request functions now accept an additional
 6047   "auth" table within the option table, which causes Basic
 6048   authentication credentials to be sent. [David]
 6050 o Improved IPv6 host output in that we now remember and report the
 6051   forward DNS name (given by the user) and any non-scanned addresses
 6052   (usually because of round robin DNS).  We already did this for
 6053   IPv4. [David]
 6055 o [Zenmap] Upgraded to the newer gtk.Tooltip API to avoid deprecation
 6056   messages about gtk.Tooltip. [Rob Nicholls]
 6058 o [NSE] Made dns-zone-transfer script able to add new discovered DNS
 6059   records to the Nmap scanning queue. [Djalal]
  6061 o [NSE] Enhanced ssl-cert to also report the type and bit size of SSL
  6062   certificate public keys. [Matt Selsky]
  6064 o [Ncat] Made --exec and --idle-timeout work when connecting with
 6065   --proxy. Florian Roth reported the bug. [David]
 6067 o [Nping] Fixed a bug which caused Nping to fail when targeting
 6068   broadcast addresses (see
 6069   http://seclists.org/nmap-dev/2010/q3/752). [Luis]
 6071 o [Nping] Nping now limits concurrent open file descriptors properly
 6072   based on the resources available on the host (see
 6073   http://seclists.org/nmap-dev/2010/q4/2). [Luis]
 6075 o [NSE] Improved ssh2's kex_init() parameters: all of the algorithm
 6076   and language lists can be set using new keys in the "options" table
 6077   argument. These all default to the same value used before. Also, the
 6078   required "cookie" argument is now replaced by an optional "cookie"
 6079   key in the "options" table, defaulting to random bytes as suggested
 6080   by the RFC. [Kris]
 6082 o Ncat now logs Nsock debug output to stderr instead of stdout for
 6083   consistency with its other debug messages. [David]
 6085 o [NSE] Added a new function, shortport.http, for HTTP script
 6086   portrules and changed 14 scripts to use it. [David]
 6088 o Updated to the latest config.guess and config.sub. Thanks to Ty
 6089   Miller for a reminder. [David]
 6091 o [NSE] Added prerule support to snmp-interfaces and the ability to
 6092   add the remote host's interface addresses to the scanning queue.
 6093   The new script arguments used for this functionality are "host"
 6094   (required) and "port" (optional). [Kris]
 6096 o Fixed some inconsistencies in nmap-os-db and a small memory leak
 6097   that would happen where there was more than one round of OS
 6098   detection. These were reported by Xavier Sudre from
 6099   netVigilance. [David]
 6101 o [NSE] Fixed a bug with worker threads calling the wrong destructors.
 6102   Fixing this allows better parallelism in http-brute.nse. The problem
 6103   was reported by Patrik Karlsson. [David, Patrick]
 6105 o Upgraded the OpenSSL binaries shipped in our Windows installer to
 6106   version 1.0.0a. [David]
 6108 o [NSE] Added prerule support to the dns-zone-transfer script,
 6109   allowing it to run early to discover IPs from DNS records and
 6110   optionally add those IPs to Nmap's target queue.  You must specify
 6111   the DNS server and domain name to use with script
 6112   arguments. [Djalal]
 6114 o Changed the name of libdnet's sctp_chunkhdr to avoid a conflict with
 6115   a struct of the same name in netinet/sctp.h. This caused a
 6116   compilation error when Nmap was compiled with an OpenSSL that had
 6117   SCTP support. [Olli Hauer, Daniel Roethlisberger]
 6119 o [NSE] Implemented a big cleanup of the Nmap NSE Nsock library
 6120   binding code. [Patrick]
 6122 o Added a bunch of Apple and Netatalk AFP service detection
 6123   signatures.  These often provide extra details such as whether the
 6124   target is a MacBook Pro, Air, Mac Mini, iMac, etc. [Brandon]
 6126 o [NSE] Host tables now have a host.traceroute member available when
 6127   --traceroute is used. This array contains the IP address, reverse
 6128   DNS name, and RTT for each traceroute hop. [Henri Doreau]
 6130 o [NSE] Made the ftp-anon script return a directory listing when
 6131   anonymous login is allowed. [Gutek, David]
 6133 o [NSE] Added the nmap.resolve() function. It takes a host name and
 6134   optionally an address family (such as "inet") and returns a table
 6135   containing all of its matching addresses. If no address family is
 6136   specified, all addresses for the name are returned. [Kris]
 6138 o [NSE] Added the nmap.address_family() function which returns the address
 6139   family Nmap is using as a string (e.g., "inet6" is returned if Nmap is
 6140   called with the -6 option). [Kris]
 6142 o [NSE] Scripts can now access the MTU of the host.interface device using
 6143   host.interface_mtu. [Kris]
 6145 o Restrict the default Windows DLL search path by removing the current
 6146   directory. This adds extra protection against DLL hijacking attacks,
 6147   especially if we were to add file type associations to Nmap in the
 6148   future. We implement this with the SetDllDirectory function when
 6149   available (Windows XP SP1 and later). Otherwise, we call
 6150   SetCurrentDirectory with the directory containing the
 6151   executable. [David]
 6153 o Nmap now prints the MTU for interfaces in --iflist output. [Kris]
 6155 o [NSE] Removed references to the MD2 algorithm, which OpenSSL 1.x.x
 6156   no longer supports. [Alexandru]
 6158 o [Ncat,NSE] Server Name Indication (SNI) is now supported by Ncat and
 6159   Nmap NSE, allowing them to connect to servers which run multiple SSL
 6160   websites on one IP address. To enable this for NSE, the nmap.connect
 6161   function has been changed to accept host and port tables (like those
 6162   provided to the action function) in place of a string and a
 6163   number. [David]
  6165 o [NSE] Renamed db2-info and db2-brute scripts to drda-*. Added
  6166   support for other DRDA-based databases such as IBM Informix Dynamic
  6167   Server and Apache Derby. [Patrik]
 6169 o [Nsock] Added a new function, nsi_set_hostname, to set the intended
 6170   hostname of the target. This allows the use of Server Name
 6171   Indication in SSL connections. [David]
  6173 o [NSE] Limited the number of ports that qscan will scan (now up to 8
 6174   open ports and up to 1 closed port by default). These limits can be
 6175   controlled with the qscan.numopen and qscan.numclosed script
 6176   arguments. [David]
 6178 o [NSE] Made sslv2.nse give special output when SSLv2 is supported,
 6179   but no SSLv2 ciphers are offered. This happened with a specific
 6180   Sendmail configuration. [Matt Selsky]
 6182 o [NSE] Added a "times" table to the host table passed to scripts.
 6183   This table contains Nmap's timing data (srtt, the smoothed round
 6184   trip time; rttvar, the rtt variance; and timeout), all represented
 6185   as floating-point seconds.  The ipidseq and qscan scripts were
 6186   updated to utilize the host's timeout value rather than using a
 6187   conservative guess of 3 seconds for read timeouts. [Kris]
 6189 o Fixed the fragmentation options (-f in Nmap, --mtu in Nmap & Nping),
 6190   which were improperly sending whole packets in version
 6191   5.35DC1. [Kris]
 6193 o [NSE] When receiving raw packets from Pcap, the packet capture time
 6194   is now available to scripts as an additional return value from
 6195   pcap_receive().  It is returned as the floating point number of
 6196   seconds since the epoch.  Also added the nmap.clock() function which
 6197   returns the current time (and convenience functions clock_ms() and
 6198   clock_us()).  Qscan.nse was updated to use this more accurate timing
 6199   data. [Kris]
 6201 o [Ncat,Nsock] Fixed some minor bugs discovered using the Smatch
 6202   source code analyzer (http://smatch.sourceforge.net/). [David]
 6204 o [Zenmap] Fixed a crash that would happen after opening the search
 6205   window, entering a relative date criterion such as "after:-7", and
 6206   then clicking the "Expressions" button. The error message was
 6207     AttributeError: 'tuple' object has no attribute 'strftime'
 6208   [David]
 6210 o Added a new packet payload--a NAT-PMP external address request for
 6211   port 5351/udp.  Payloads help us elicit responses from listening UDP
 6212   services to better distinguish them from filtered ports.  This
 6213   payload goes well with our new nat-pmp-info script. [David, Patrik]
 6215 o Updated IANA IP address space assignment list for random IP (-iR)
 6216   generation. [Kris]
 6218 o [Ncat] Ncat now uses case-insensitive string comparison when
 6219   checking authentication schemes and parameters. Florian Roth found a
 6220   server offering "BASIC" instead of "Basic", and the HTTP RFC
 6221   requires case-insensitive comparisons in most places. [David]
 6223 o [NSE] There is now a limit of 1,000 concurrent running scripts,
 6224   instituted to keep memory under control when there are many open
 6225   ports. Nathan reported 3 GB of memory use (with an out-of-memory NSE
 6226   crash) for one host with tens of thousands of open ports. This limit
 6227   can be controlled with the variable CONCURRENCY_LIMIT in
 6228   nse_main.lua. [David]
 6230 o The command line in XML output (/nmaprun/@args attribute) now does
 6231   quoting of whitespace using double quotes and backslashes. This
 6232   allows recovering the original command line array even when
 6233   arguments contain whitespace. [David]
 6235 o Added a service detection probe for master servers of Quake 3 and
 6236   related games.  [Toni Ruottu]
 6238 o [Zenmap] Updated French translation. [Henri Doreau]
  6240 o [Zenmap] Fixed a crash when printing a scan that had no output
 6241   (like a scan made by command-line Nmap). Henri Doreau noticed the
 6242   error. [David]
 6244 Nmap 5.35DC1 [2010-07-16]
 6246 o [NSE] Added 17 scripts, bringing the total to 131! They are
 6247   described individually in the CHANGELOG, but here is the list of new
 6248   ones:
  6249   afp-serverinfo, db2-brute, dns-cache-snoop, dns-fuzz, ftp-libopie,
  6250   http-php-version, irc-unrealircd-backdoor, ms-sql-brute,
  6251   ms-sql-config, ms-sql-empty-password, ms-sql-hasdbaccess,
  6252   ms-sql-query, ms-sql-tables, ms-sql-xp-cmdshell, nfs-ls,
  6253   ntp-monlist.
 6254   Learn more about any of these at: https://nmap.org/nsedoc/
 6256 o Performed a major OS detection integration run. The database has
 6257   grown to 2,608 fingerprints (an increase of 262) and many of the
 6258   existing fingerprints were improved. These include the Apple iPad
 6259   and Cisco IOS 15.X devices. We also received many fingerprints for
 6260   ancient Microsoft systems including MS-DOS with MS Networking Client
 6261   3.0, Windows 3.1, and Windows NT 3.1. David posted highlights of his
 6262   integration work at http://seclists.org/nmap-dev/2010/q2/283.
 6264 o Performed a large version detection integration run. The number of
 6265   signatures has grown to 6,622 (an increase of 279). New signatures
 6266   include a remote administrative backdoor that a school famously used
 6267   to spy on its students, an open source digital currency scheme named
 6268   Bitcoin, and game servers for EVE Online, l2emurt Lineage II, and
 6269   Frozen Bubble. You can read David's highlights at
 6270   http://seclists.org/nmap-dev/2010/q2/385.
 6272 o [NSE] Added nfs-ls.nse, which lists NFS exported files and their
 6273   attributes. The nfs-acls and nfs-dirlist scripts were deleted
 6274   because all their features are supported by this script. [Djalal]
  6276 o [NSE] Added a new DB2 library and two scripts:
  6277   - db2-brute.nse uses the unpwdb library to guess credentials for DB2
  6278   - db2-info.nse is a rewrite of Tom Sellers' script to use the new library
 6279   [Patrik]
 6281 o [NSE] Added a library for Microsoft SQL Server and 7 new scripts. The new
 6282   scripts are:
 6283   - ms-sql-brute.nse uses the unpwdb library to guess credentials for MSSQL
 6284   - ms-sql-config retrieves various configuration details from the server
 6285   - ms-sql-empty-password checks if the sa account has an empty password
 6286   - ms-sql-hasdbaccess lists database access per user
  6287   - ms-sql-query adds support for running custom queries against the database
 6288   - ms-sql-tables lists databases, tables, columns and datatypes with optional
 6289     keyword filtering
 6290   - ms-sql-xp-cmdshell adds support for OS command execution to privileged
 6291     users
 6292   [Patrik]
 6294 o [NSE] Added the afp-serverinfo script that gets a hostname, IP
 6295   addresses, and other configuration information from an AFP server.
 6296   The script, and a patch to the afp library, were contributed by
 6297   Andrew Orr and subsequently enhanced by Patrik and David.
 6299 o [NSE] Added additional vulnerability checks to smb-check-vulns.nse:
 6300   The Windows RAS RPC service vulnerability MS06-025
 6301   (http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx)
 6302   and the Windows DNS Server RPC vuln MS07-029
 6303   (http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx).
 6304   Note that these are only run if you specify the "unsafe" script arg
 6305   because the implemented test crashes vulnerable services. [Drazen]
 6307 o [NSE] Added dns-cache-snoop.nse by Eugene Alexeev. This script performs
 6308   cache snooping by either sending non-recursive queries or by measuring
 6309   response times.
 6311 o [Zenmap] Added the ability to print Nmap output to a
 6312   printer. [David]
 6314 o [Nmap, Ncat, Nping] The default unit for time specifications is now
 6315   seconds, not milliseconds, and times may have a decimal point. 1000
 6316   now means 1000 seconds, or about 17 minutes, not 1000 milliseconds.
 6317   Floating point values such as 1.5 are now allowed.  This affects the
 6318   following options:
 6319   Nmap:
 6320     --host-timeout
 6321     --max-rtt-timeout --min-rtt-timeout --initial-rtt-timeout
 6322     --scan-delay --max-scan-delay
 6323     --stats-every
 6324   Ncat:
 6325     -d --delay
 6326     -i --idle-timeout
 6327     -w --wait
 6328   Nping:
 6329     --delay
 6330     --host-timeout
 6331     --icmp-orig-time --icmp-recv-time --icmp-trans-time
 6332   Some sanity checks have been added to catch what looks like an
 6333   attempt to use the old millisecond defaults. For example,
 6334   --host-timeout 10000 yields
 6335     Since April 2010, the default unit for --host-timeout is seconds,
 6336     so your time of "10000" is 2.8 hours. If this is what you want,
 6337     use "10000s".
 6338     QUITTING!
 6339   You can always disable the warning by giving an explicit unit.
 6341 o [NSE] Scripts which take an argument for a time duration can now
 6342   have the duration be a number followed by a unit, like elsewhere in
 6343   Nmap. An example is "10m" for 10 minutes. The units understood are
 6344   "ms" for milliseconds, "s" for seconds, "m" for minutes, and "h" for
 6345   hours.  Seconds are the default if no unit is specified. The new
 6346   function stdnse.parse_timespec does the parsing of these
 6347   formats. The qscan.delay script argument, which formerly interpreted
 6348   its argument as being in milliseconds, now defaults to seconds;
 6349   append "ms" to continue using the same numbers. [David]
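The two entries above describe the same time-specification format: a number with an optional ms/s/m/h suffix, seconds by default, plus a sanity check for unitless values that look like old millisecond defaults. As an added example (a Python reimplementation of the described semantics, not Nmap's stdnse.parse_timespec or its C++ option parser), the parser below converts such strings to seconds and reproduces the "10000" warning; the one-hour threshold used to trigger the warning is an assumption, since the changelog only shows the message.

```python
import re

# Multipliers to seconds for the units the changelog lists.
_UNIT_SECONDS = {"ms": 0.001, "s": 1.0, "m": 60.0, "h": 3600.0}

# Integer or decimal number, optional whitespace, optional unit suffix.
_TIMESPEC_RE = re.compile(r"^\s*(\d+(?:\.\d*)?|\.\d+)\s*(ms|s|m|h)?\s*$", re.IGNORECASE)


def parse_timespec(spec: str) -> float:
    """Convert "10m", "500ms", "2h" or a bare "1.5" (seconds) to float seconds.

    Raises ValueError for anything that is not a number with a known unit.
    """
    m = _TIMESPEC_RE.match(spec)
    if not m:
        raise ValueError("invalid time specification: %r" % spec)
    value, unit = m.group(1), (m.group(2) or "s").lower()
    return float(value) * _UNIT_SECONDS[unit]


def has_explicit_unit(spec: str) -> bool:
    """True when the user wrote a unit suffix, which disables the sanity check."""
    m = _TIMESPEC_RE.match(spec)
    return bool(m and m.group(2))


def unitless_default_warning(option: str, spec: str, threshold_seconds: float = 3600.0):
    """Return the warning text for a suspiciously large unitless value, else None.

    The threshold is an assumption for this example: a bare number that would
    mean more than an hour is treated as a probable leftover millisecond value.
    """
    seconds = parse_timespec(spec)
    if has_explicit_unit(spec) or seconds <= threshold_seconds:
        return None
    hours = seconds / 3600.0
    return ('Since April 2010, the default unit for %s is seconds, so your time '
            'of "%s" is %.1f hours. If this is what you want, use "%ss".'
            % (option, spec, hours, spec))


if __name__ == "__main__":
    for spec in ("10m", "500ms", "1.5", "10000", "10000s"):
        print("%-7s -> %10.3f s  %s" % (spec, parse_timespec(spec),
                                        unitless_default_warning("--host-timeout", spec) or ""))
```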
 6351 o [NSE] Added irc-unrealircd-backdoor.nse, which detects a backdoor
 6352   that was in UnrealIRCd source code distributions between November
 6353   2009 and June 2010. See http://seclists.org/nmap-dev/2010/q2/826.
 6354   [Vlatko Kosturjak, Ron, David]
 6356 o Ports are now considered open during a SYN scan if a SYN packet
 6357   (without the ACK flag) is received in response. This can be due to
 6358   an extremely rare TCP feature known as a simultaneous open or split
  6359   handshake connection. See http://bit.ly/tcp-sh and
 6360   http://seclists.org/nmap-dev/2010/q2/723. [Jah]
 6362 o [Ncat] In listen mode, the --exec and --sh-exec options now accept a
 6363   single connection and then exit, just like in normal listen mode.
 6364   Use the --keep-open option to get the old default inetd-like
 6365   behavior. This was suggested by David Millis. [David]
 6367 o [NSE] Added ftp-libopie.nse by Gutek. This script checks for an
 6368   off-by-one stack overflow vulnerability in libopie by giving the FTP
 6369   service an overly long name. See
 6370   http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc for
 6371   details.
 6373 o [NSE] Added ntp-monlist.nse which discovers NTP server, peer and
 6374   client hosts associated with a scanned target by sending NTPv2
 6375   Private Mode 'monitor' and 'peers' commands to the target. [Jah]
 6377 o [NSE] Added http-php-version.nse from Gutek. This script retrieves
 6378   version-specific pages through a couple of magic PHP queries, which
 6379   can identify the PHP version even when a server doesn't advertise
 6380   it.
 6382 o [NSE] New script dns-fuzz launches a fuzzing attack against DNS
 6383   servers. Added a new category - fuzzer - for scripts like this.
 6384   [Michael Pattrick]
 6386 o David made many improvements to the NSEDoc for individual scripts,
 6387   including adding @output sections to scripts which didn't have them.
 6388   He also improved the generated HTML with features like
 6389   auto-generating usage strings if the scripts don't include their own
 6390   and allowing the giant sidebar lists of scripts/libraries to expand
 6391   and contract.  See https://nmap.org/nsedoc/.
 6393 o UDP payloads are now stored in an external data file, nmap-payloads,
 6394   instead of being hard-coded in the executable. This makes it easier
 6395   to add your own payloads or disable those you find problematic. [Jay
 6396   Fink, David]
 6398 o The Windows executable installer now uses LZMA compression instead
 6399   of zlib, making it about 15% smaller. See
 6400   http://seclists.org/nmap-dev/2010/q2/1011 for test results. [David]
 6402 o Open XML elements are now closed in case of a fatal error, so the
 6403   output should at least be well-formed. There are new attributes
 6404   "exit" and "errormsg" in the finished element. "exit" is "success"
 6405   or "error". When it is "error", the "errormsg" attribute contains
 6406   the error message. Thanks to Grant Bartlett, who found a typo in the
 6407   new output. [David]
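A consumer-side check for the new "exit" and "errormsg" attributes, as an added example (not Nmap's or Zenmap's code): it reports success, the recorded error message, the absence of the attribute in older output, or a document left malformed by a crash. The XML documents are constructed samples shaped like Nmap output.

```python
"""Read the outcome recorded in the <finished> element of Nmap XML output.

Added example, not Nmap's or Zenmap's own code. The documents below are
constructed samples; the attributes follow the changelog entry
(exit="success"|"error", errormsg="...").
"""
import xml.etree.ElementTree as ET
from typing import Tuple


def scan_outcome(xml_text: str) -> Tuple[str, str]:
    """Return (status, detail) for one Nmap XML document.

    status: "success"; "error" (detail is the errormsg attribute);
    "unknown" when <finished> has no exit attribute (output written before
    this change); or "malformed" when the document is not well-formed,
    e.g. truncated by a fatal error (detail is the parser message).
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return "malformed", str(exc)
    finished = root.find("./runstats/finished")
    if finished is None:
        return "malformed", "no <finished> element"
    exit_attr = finished.get("exit")
    if exit_attr is None:
        return "unknown", ""
    if exit_attr == "error":
        return "error", finished.get("errormsg", "")
    return exit_attr, ""


# Constructed sample documents (not real scan output).
OK_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS 192.0.2.1" start="0">
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.1" addrtype="ipv4"/></host>
<runstats><finished time="0" exit="success"/>
<hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""

ERR_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS 192.0.2.1" start="0">
<runstats><finished time="0" exit="error"
 errormsg="constructed fatal error message"/>
<hosts up="0" down="0" total="0"/></runstats>
</nmaprun>
"""

# What a fatal error left behind before this fix: the document is cut off.
TRUNCATED_XML = OK_XML.split("<runstats>")[0]

if __name__ == "__main__":
    for name, doc in [("ok", OK_XML), ("error", ERR_XML),
                      ("truncated", TRUNCATED_XML)]:
        print("%-9s -> %r" % (name, scan_outcome(doc)))
```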
 6409 o Fixed name resolution in environments where gethostbyname can return
 6410   IPv6 (or other non-IPv4 addresses). In such an environment, Nmap
 6411   would wrongly use the first four bytes of the IPv6 address as an
 6412   IPv4 address. You could force this, at least on Debian, by adding
 6413   the line "options inet6" to /etc/resolv.conf or by running with
 6414   RES_OPTIONS=inet6 in the environment. This was reported by Mats Erik
 6415   Andersson, who also suggested the fix. [David]
 6417 o Fixed the assignment of interface aliases to directly connected
 6418   routes on Linux, which was broken in 5.30BETA1 (it always assigned
 6419   the base interface instead of the alias). This was visible in the
 6420   host.interface variable passed to NSE scripts. The bug was reported by
 6421   Victor Rudnev. [David]
 6423 o When Nmap is passed a hostname such as google.com which resolves to
 6424   several IP addresses, Nmap now prints each IP address.  It still
 6425   only scans the first one in the returned list. [David]
 6427 o Nmap now works if you specify several target host names which
 6428   resolve to the same IP address.  This can be useful when you are
 6429   scanning virtual-hosted web servers and want to see NSE results
 6430   specific to each site name even though they reside on the same
 6431   machine. [David]
 6433 o Made a list of current Nmap SVN committers:
 6434   https://svn.nmap.org/nmap/docs/committers.txt
 6436 o Added a new library, libnetutil, which contains about 2,700 lines of
 6437   networking related code which is now shared between Nmap and Nping
 6438   (it was previously duplicated by each tool). [Luis, David]
 6440 o [NSE] http-passwd.nse now also checks for boot.ini to support
 6441   Windows targets. [Gutek]
 6443 o Removed --interactive mode, a miniature shell whose primary purpose
 6444   was to hide command line arguments from the process list. It had
 6445   been broken (would segfault during the second scan) for at least 9
 6446   months and was rarely used. The fact that it was broken was reported
 6447   by Juan Carlos Castro. [David]
 6449 o Added a version probe, match line, and UDP payload for the
 6450   serialnumberd service of Mac OS X Server. This service overrides
 6451   firewall settings to make itself visible, so it's useful for host
 6452   discovery. [Patrik]
 6454 o Improved service detection match lines for:
 6455   - Oracle Enterprise Manager Agent and mupdate by Matt Selsky
 6456   - Twisted web server, Apple Filing Protocol, Apple Mac OS X Password
 6457     Server, XAVi XG6546p Wireless Gateway, Sun GlassFish
 6458     Communications Server, and Comdasys, SIParator and Glassfish SIP
 6459     by Patrik
 6460   - PostgreSQL, Cisco Site Selector ftpd, and LanSafe UPS monitoring
 6461     HTTPd by Tom Sellers
 6463 o Improved our brute force password guessing list by mixing in some
 6464   data sent in by Solar Designer of John the Ripper fame.
 6466 o [Zenmap] IP addresses are now sorted by octet rather than their
 6467   string representation. For example, is now sorted before
 6468 This problem was reported by Norris Carden. [David]
 6470 o [NSE] Added UDP header parsing support to packet.lua. [jah]
 6472 o Fixed a bug in Libpcap which led to Nmap hanging forever in some
 6473   cases on 64-bit Mac OS X 10.6, 10.6.1, and 10.6.3.  The fix was
 6474   actually already available in upstream Libpcap, just not released.
 6475   We also had to make Nmap build with its own Libpcap on 64-bit OS X
 6476   if an already-installed system Libpcap has this bug. [David]
 6478 o Updated our WinPcap to the new 4.1.2 release. [Rob Nicholls]
 6480 o [NSE] Fixed a bug in qscan.nse which gave an error if a confidence
 6481   level of 0.9995 was used.  Thanks to Marcin Hoffmann for noticing
 6482   the problem. [Kris]
 6484 o [libpcap] Added a --disable-packet-ring option to force the use of
 6485   an older, slower packet capture mechanism on Linux. Before Linux
 6486   2.6.27, the packet ring mechanism uses different-sized kernel
 6487   structures on 32- and 64-bit architectures, so a 32-bit program will
 6488   not run correctly on a 64-bit kernel. The older mechanism does not
 6489   have this flaw.
 6491 o Fixed some errors in nmap-os-db, probably caused by incorrect string
 6492   replacement during integration. This patch is from James Cook.
 6494 o [Nsock, Ncat] Nsock has a new function, nsp_setbroadcast, that
 6495   allows setting the SO_BROADCAST option on sockets. Ncat now sets
 6496   this option unconditionally in connect mode to allow connections to
 6497   broadcast addresses (useful in UDP mode). [Daniel Miller]
 6499 o Nmap now works with "teamed" network interfaces on Windows. In order
 6500   to distinguish the interfaces, their textual descriptions are now
 6501   compared in addition to their MAC addresses. Without this, Nmap
 6502   would send on the wrong interface and not receive any replies. A
 6503   symptom of this problem was all scans failing except when
 6504   --unprivileged was used. Norris Carden reported this bug. [David]
 6506 o [Ncat] When receiving a connection/datagram in listen mode, Ncat now
 6507   prints the connecting source port along with the IP address (when
 6508   verbosity is enabled). [Rebellis]
 6510 o Fixed a problem where the time variable used in some port scanning
 6511   algorithms (for probe timeouts, etc) could vary based on the
 6512   debugging level. [Kris]
 6514 o Moved the parse_long function from ncat to nbase for better reuse,
 6515   and used it to simplify netmask parsing code. [William Pursell]
 6517 o Added EPROTO to the list of known error codes in service scan. Daniel
 6518   Miller reported that an EPROTO was causing Nmap to exit after sending
 6519   the Sqlping probe during service scan. The error message was
 6520   "Unexpected error in NSE_TYPE_READ callback. Error code: 71 (Protocol
 6521   error)". We suspect this was caused by a forged ICMP packet sent by an
 6522   active firewall. [David]
 6524 o [NSE] Improved smtp-commands.nse to work against more mail servers,
 6525   made it take an smtp-commands.domain script argument, and rewrote it
 6526   in the style of other smtp scripts. [Jasey DePriest]
 6528 o [NSE] Made smtp-commands run for the services smtp, smtps,
 6529   submission rather than just smtp.  The other smtp scripts already do
 6530   this. [David]
 6532 o [NSE] The dns-recursion script now marks the port as open when it
 6533   gets a response. [Olivier M]
 6535 o [Nping] A big correctness and code cleanliness audit was performed
 6536   which resulted in many bugs being fixed and much more code being
 6537   shared with Nmap rather than duplicated. A structured testing
 6538   script system was also created. [Luis, David]
 6540 o [Nping] Now allows a --count value of zero to run almost
 6541   indefinitely (2^32 rounds). Suggested by Andreas Hubert. [Luis]
 6543 o [Nping] Fixed --data argument parsing. The value passed was not
 6544   actually making it into outgoing packets. Reported by Tim
 6545   Poth. [Luis]
 6547 o [Nping] When a RST packet is received in response to a connection
 6548   attempt in TCP-Connect mode, Nping now properly prints "Connection
 6549   refused" rather than "Operation now in progress". [Luis]
 6551 o [Nping] Fixed a bug which caused failure when the first supplied
 6552   target was not resolvable (e.g.: nping bogushost.fkz scanme.insecure.com
 6553   tcpdump.com). [Luis]
 6555 o [Nping] Fixed some bugs in the BPF filter creation to avoid capture
 6556   and printing of packets Nping sent or which are destined for another
 6557   process. [Luis]
 6559 o [Nping] Fixed a bug which prevented ARP replies from being displayed
 6560   properly. [Luis]
 6562 o [Nping] Fixed a bug that caused ICMP Router Advertisement entries to
 6563   be set in host byte order rather than proper network byte
 6564   order. [Luis]
 6566 o [Nping] Fixed a segfault caused by bad --data values. [Greg Skoczek]
 6568 o The Mac OS X installer is now built with MacPorts 1.9.1 rather than
 6569   1.8.2. Among other changes, this fixes a segmentation fault reported
 6570   by some OS X 10.6.3 users.
 6572 o Nsock now supports an option to remove its Pcap support.  This
 6573   allows the same Nsock to be shared with Nmap (which needs that
 6574   support) and Ncrack (which doesn't). Pcap support can be disabled by
 6575   specifying --disable-pcap at configure time on UNIX, or by selecting
 6576   the DebugNoPcap or ReleaseNoPcap configurations in Visual C++ on
 6577   Windows.
 6579 o Sped up compilation by not building both shared and static libdnet
 6580   libraries--we only use the static one. [David]
 6582 o [NSE] Improved error handling and reporting and re-designed communication
 6583   class in RPC library with patch from Djalal Harouni. [Patrik]
 6585 o Upgraded the included libpcap to version 1.1.1. [David]
 6587 o [NSE] Add some special-use IPv4 addresses to isPrivate which are
 6588   described in RFC 5736 and RFC 5737, published in Jan 2010. Improve
 6589   performance of isPrivate for IPv4 addresses by using ip_in_range
 6590   less frequently. Add an extra return value to isPrivate - when the
 6591   first return value is true, the second return value will now be a
 6592   string representing the special use assignment in which the supplied
 6593   address is located. [jah]
 6595 o Fix compilation on OpenSolaris.  We had to make the libdnet autoconf
 6596   check for PF_PACKET Linux-specific.  Recent versions of OpenSolaris
 6597   support PF_PACKET, but not in a way which is entirely compatible
 6598   with the Linux approach. This problem was reported by Darren Reed. A
 6599   few other minor compatibility changes were made as well. [David]
 6601 o [NSE] Added script arguments "username" and "password" to ftp-bounce
 6602   to override the default anonymous:IEUser@ login combination. [Kris]
 6604 o [NSE] Added port number sorting to dns-service-discovery.nse. [Patrik]
 6606 o [NSE] Added an snmpWalk() function to the SNMP library and updated
 6607   scripts to use it.  [Patrik]
 6609 o [NSE] Fixed this dns.lua error reported by Eugene Alexeev:
 6610   nselib/dns.lua:110: attempt to get length of field 'dtype' (a number value)
 6611   [Jah]
 6613 o Updated nmap-mac-prefixes to the latest IEEE data as of 2010-07-13.
 6615 o Updated IANA IP address space assignment list for random IP (-iR)
 6616   generation. [Kris]
 6618 o Created a new directory for storing todo lists for Nmap and related
 6619   projects.  You can see what we're working on and planning by
 6620   visiting https://nmap.org/svn/todo/.
 6622 o [NSE] Removed explicit time limit checking from ms-sql-brute,
 6623   pgsql-brute, mysql-brute, ldap-brute, and afp-brute. The unpwdb
 6624   library does this automatically now. [David]
 6626 o [NSE] Correct global access errors in afp.lua reported by Patrick Donnelly
 6627   [Patrik]
 6629 o [NSE] Correct misspelled "Capabilities.IgnoreSpaceBeforeParanthesis"
 6630   name in the MySQL library. [Kris]
 6632 o Cleaned up our Winpcap header file directory, and also updated to
 6633   the latest files from the official developer pack
 6634   (WpdPack_4_1_1.zip). [Fyodor]
 6636 o [NSE] Fixed a bug which would prevent rpcinfo.nse from returning any
 6637   results for RPC programs which could not be matched to a
 6638   name. [Patrik]
 6640 o [NSE] The ftp-anon script is now much smarter about parsing server
 6641   responses and detecting successful (or not) logins.  It now knows
 6642   how to send the ACCT command where appropriate as well. [Rob
 6643   Nicholls]
 6645 o Normalized a bunch of version detection entries with "webserver" in
 6646   the description.  In most cases this was changed to "httpd".
 6648 o [Ncat] Fixed the --crlf option not to insert an extra \r byte in the
 6649   case that one system read ends with \r and the next begins with \n
 6650   (should be rare). [David]
 6652 o [NSE] Fixed bug in rpc.lua library that incorrectly required file handles
 6653   to be 32 octets when calling the ReadDir function. The bug was reported by
 6654   Djalal Harouni. [Patrik]
 6656 Nmap 5.30BETA1 [2010-03-29]
 6658 o [NSE] Added 37 scripts, bringing the total to 117! They are
 6659   described individually in the CHANGELOG, but here is the list of new
 6660   ones:
 6661   afp-brute afp-path-vuln afp-showmount couchdb-databases
 6662   couchdb-stats daap-get-library db2-das-info dns-service-discovery
 6663   http-methods http-vmware-path-vuln ipidseq jdwp-version ldap-brute
 6664   ldap-rootdse ldap-search lexmark-config mongodb-databases
 6665   mongodb-info mysql-brute mysql-databases mysql-empty-password
 6666   mysql-users mysql-variables nfs-acls nfs-dirlist nfs-statfs
 6667   pgsql-brute qscan smtp-enum-users snmp-interfaces snmp-netstat
 6668   snmp-processes snmp-win32-services snmp-win32-shares
 6669   snmp-win32-software snmp-win32-users ssl-enum-ciphers
 6670   .
 6671   Learn more about any of these at: https://nmap.org/nsedoc/
 6673 o [NSE] New script afp-path-vuln detects and can exploit a major Mac
 6674   OS X AFP directory traversal vulnerability (CVE-2010-0533)
 6675   discovered by Nmap developer Patrik Karlsson. See
 6676   https://nmap.org/nsedoc/scripts/afp-path-vuln.html and
 6677   http://bit.ly/nmapafp.
 6679 o An ALPHA TEST VERSION of Nping, a packet generator written by Luis
 6680   MartinGarcia and Fyodor last summer, is now included in the Nmap
 6681   distribution. While it works, we consider the application unfinished
 6682   and we hope to improve it greatly as a Summer of Code project this
 6683   summer and then do an official release. See https://nmap.org/nping/.
 6685 o [NSE] Added RPC library and three new NFS scripts. Modified the
 6686   rpcinfo and nfs-showmount scripts to use the new library. The new
 6687   scripts are:
 6688   - nfs-acls shows the owner and directory mode of NFS exports
 6689     (https://nmap.org/nsedoc/scripts/nfs-acls.html).
 6690   - nfs-dirlist lists the contents of NFS exports
 6691     (https://nmap.org/nsedoc/scripts/nfs-dirlist.html).
 6692   - nfs-statfs shows file system statistics for NFS exports
 6693     (https://nmap.org/nsedoc/scripts/nfs-statfs.html).
 6694   [Patrik]
 6696 o [NSE] Added the new dns-service-discovery script which uses DNS-SD
 6697   to identify services. DNS-SD is one part of automatic configuration
 6698   technologies known by names such as Bonjour, Rendezvous, and
 6699   Zeroconf. This one script can provide as much information as a full
 6700   port scan in some cases. See
 6701   https://nmap.org/nsedoc/scripts/dns-service-discovery.html . [Patrik
 6702   Karlsson]
 6704 o [NSE] New script afp-brute for brute force authentication attempts
 6705   against the Apple AFP filesharing protocol. See
 6706   https://nmap.org/nsedoc/scripts/afp-brute.html . [Patrik]
 6708 o [NSE] Added a new script afp-showmount which displays Apple AFP
 6709   shares and their permissions.  See
 6710   https://nmap.org/nsedoc/scripts/afp-showmount.html . [Patrik]
 6712 o [NSE] Added the qscan script to repeatedly probe ports on a host to
 6713   gather round-trip times for each port. The script then uses these
 6714   times to group together ports with statistically equivalent round
 6715   trip times.  Ports in different groups could be the result of things
 6716   such as port forwarding to hosts behind a NAT. It is based on work
 6717   by Doug Hoyte. This script also utilizes the new NSE raw IP sending
 6718   functionality. See https://nmap.org/nsedoc/scripts/qscan.html . [Kris]
 6720 o [NSE] Added a new script, db2-das-info.nse, that connects to the IBM
 6721   DB2 Administration Server (DAS) and exports the server profile. No
 6722   authentication is required for this request. The script will also
 6723   set the port product and version if a version scan is requested. See
 6724   https://nmap.org/nsedoc/scripts/db2-das-info.html . [Patrik Karlsson,
 6725   Tom Sellers]
 6727 o [NSE] Added a new library for ASN.1 parsing and adapted the SNMP
 6728   library to make use of it. Added 5 SNMP scripts that use the new
 6729   libraries:
 6730   - snmp-netstat shows listening and connected
 6731     sockets (https://nmap.org/nsedoc/scripts/snmp-netstat.html).
 6732   - snmp-processes shows process information including name, pid, path
 6733     & parameters (https://nmap.org/nsedoc/scripts/snmp-processes.html).
 6734   - snmp-win32-services shows the names of running Windows services
 6735     (https://nmap.org/nsedoc/scripts/snmp-win32-services.html).
 6736   - snmp-win32-shares shows the names and path of Windows shares
 6737     (https://nmap.org/nsedoc/scripts/snmp-win32-shares.html).
 6738   - snmp-win32-software shows a list of installed Windows software
 6739     (https://nmap.org/nsedoc/scripts/snmp-win32-software.html).
 6740   - snmp-win32-users shows a list of local Windows users
 6741     (https://nmap.org/nsedoc/scripts/snmp-win32-users.html).
 6742   [Patrik]
 6744 o [NSE] Added the snmp-interfaces script by Thomas Buchanan, which
 6745   enumerates network interfaces over SNMP. See
 6746   https://nmap.org/nsedoc/scripts/snmp-interfaces.html .
 6748 o [NSE] Added http-vmware-path-vuln.nse, which checks for a critical
 6749   and easy to exploit path-traversal vulnerability in VMWare
 6750   (CVE-2009-3733). See
 6751   https://nmap.org/nsedoc/scripts/http-vmware-path-vuln.html . [Ron]
 6753 o [NSE] Added a new library for LDAP and three new scripts by Patrik:
 6754   - ldap-brute uses the unpwdb library to guess credentials for LDAP
 6755     (https://nmap.org/nsedoc/scripts/ldap-brute.html).
 6756   - ldap-rootdse retrieves the LDAP root DSA-specific Entry (DSE)
 6757     (https://nmap.org/nsedoc/scripts/ldap-rootdse.html).
 6758     - ldap-search queries an LDAP directory for either
 6759     all, or a number of pre-defined object types
 6760     (https://nmap.org/nsedoc/scripts/ldap-search.html).
 6762 o [NSE] Added a new library for PostgreSQL and the script pgsql-brute
 6763   that uses it to guess credentials. See
 6764   https://nmap.org/nsedoc/scripts/pgsql-brute.html . [Patrik]
 6766 o [NSE] Added 5 new MySQL NSE scripts and a MySQL library by Patrik Karlsson:
 6767   - mysql-brute uses the unpwdb library to guess credentials for MySQL
 6768     (https://nmap.org/nsedoc/scripts/mysql-brute.html).
 6769   - mysql-databases queries MySQL for a list of databases
 6770     (https://nmap.org/nsedoc/scripts/mysql-databases.html).
 6771   - mysql-empty-password attempts to authenticate anonymously or as
 6772     root with an empty password
 6773     (https://nmap.org/nsedoc/scripts/mysql-empty-password.html).
 6774   - mysql-users queries MySQL for a list of database users
 6775     (https://nmap.org/nsedoc/scripts/mysql-users.html).
 6776   - mysql-variables queries MySQL for its variables and their
 6777     settings (https://nmap.org/nsedoc/scripts/mysql-variables.html).
 6779 o Improved the passwords.lst database used by NSE by combining several
 6780   leaked password databases collected by Ron Bowes. The size of the
 6781   database has been increased from 200 to 5000.
 6783 o Zenmap's "slow comprehensive scan profile" has been modified to use
 6784   the best 7-probe host discovery combination we were able to find in
 6785   extensive empirical testing
 6786   (http://www.bamsoftware.com/wiki/nmap/EffectivenessOfPingProbes).
 6787   That combination is "-PE -PP -PS21,22,23,25,80,113,31339
 6788   -PA80,113,443,10042 -PO". [David]
 6790 o Switched to -Pn and -sn as the preferred syntax for skipping
 6791   ping scan and skipping port scan, respectively. Previously the -PN
 6792   and -sP options were recommended. This establishes a more regular
 6793   syntax for some options that disable phases of a scan:
 6794   + -n  no reverse DNS
 6795   + -Pn no host discovery
 6796   + -sn no port scan
 6797   We also felt that the old -sP ("ping scan") option was a bit
 6798   misleading because current versions of Nmap can go much further
 6799   (including -sC and --traceroute) even with port scans disabled. We
 6800   will retain support for the previous option names for the foreseeable
 6801   future.
 6803 o [NSE] Added the ipidseq script to classify a host's IP ID sequence
 6804   numbers in the same way Nmap does.  This can be used to test hosts'
 6805   suitability for Nmap's Idle Scan (-sI), i.e. check if a host is an
 6806   idle zombie.  This is the first script to use the new raw IP sending
 6807   functionality in NSE. See
 6808   https://nmap.org/nsedoc/scripts/ipidseq.html . [Kris]
 6810 o [NSE] Added the ssl-enum-ciphers script by Mak Kolybabi. It lists
 6811   the ciphers and compressors supported by SSL/TLS servers. See
 6812   https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html .
 6814 o [NSE] Added two new scripts for the MongoDB database from Martin
 6815   Holst Swende. mongodb-info
 6816   (https://nmap.org/nsedoc/scripts/mongodb-info.html) gets information
 6817   like the version number, memory use, and operating system, while
 6818   mongodb-databases
 6819   (https://nmap.org/nsedoc/scripts/mongodb-databases.html) lists the
 6820   databases and their size on disk.
 6822 o [NSE] Added the scripts couchdb-databases and couchdb-stats, which
 6823   list CouchDB databases and show access statistics, and a new
 6824   json.lua library they depend on. See
 6825   https://nmap.org/nsedoc/scripts/couchdb-databases.html and
 6826   https://nmap.org/nsedoc/scripts/couchdb-stats.html [Martin Holst
 6827   Swende]
 6829 o [NSE] Added the new lexmark-config script that lists product
 6830   information and configuration for Lexmark printers. See
 6831   https://nmap.org/nsedoc/scripts/lexmark-config.html . [Patrik
 6832   Karlsson]
 6834 o [NSE] Added the new daap-get-library script which uses the Digital
 6835   Audio Access Protocol to enumerate the contents of a library. The
 6836   contents contain the name of the artist, album and song. See
 6837   https://nmap.org/nsedoc/scripts/daap-get-library.html . [Patrik]
 6839 o [NSE] Added jdwp-version.nse, a script by Michael Schierl that finds
 6840   the version of a Java Debug Wire Protocol server. This is a
 6841   dangerous service to find running as it does not provide any
 6842   security against malicious attackers who can inject their own
 6843   bytecode into the debugged process. See
 6844   https://nmap.org/nsedoc/scripts/jdwp-version.html .
 6846 o [NSE] Added the smtp-enum-users script from Duarte Silva, which
 6847   attempts to find user account names over SMTP by brute force testing
 6848   using RCPT, VRFY, and EXPN tests.
 6850 o [NSE] The unpwdb library now has a default time limit on the
 6851   usernames and passwords iterators. This will prevent brute force
 6852   scripts from running for a long time when a service is slow. These
 6853   new script arguments control the limits:
 6854   - unpwdb.userlimit  Limit on number of usernames.
 6855   - unpwdb.passlimit  Limit on number of passwords.
 6856   - unpwdb.timelimit  Time limit in seconds.
 6857   Pass 0 for any of these limits to disable it. For more details, see
 6858   https://nmap.org/nsedoc/lib/unpwdb.html . [David]
 6860 o When --open is used, Nmap no longer prints output for hosts which
 6861   don't have any open ports. All output formats are treated the same
 6862   way, so if a host isn't shown in normal output, it won't be shown in
 6863   XML output either.
 6865 o [NSE] Added the script http-methods from Bernd Stroessenreuther.
 6866   This script sends an HTTP OPTIONS request to get the methods
 6867   supported by the server, highlights potentially risky methods, and
 6868   optionally tests each method to see if they are restricted by IP
 6869   address or something similar. See
 6870   https://nmap.org/nsedoc/scripts/http-methods.html .
 6872 o The -v and -d options are now handled in the same way. These three
 6873   forms are equivalent:
 6874     -v -v -v    -vvv    -v3
 6875     -d -d -d    -ddd    -d3
 6876   Formerly, the -ddd and -v3 forms didn't work. Mak Kolybabi submitted
 6877   a patch.
 6879 o Fixed a libpcap compilation error on Solaris. This was actually
 6880   fixed in libpcap's source control back in 2008, but they haven't made
 6881   a release since then :(. They still seem to be actively developing
 6882   though, so let's hope for a release soon. Solaris compilation fixes
 6883   were made to Ncat and Nping as well.
 6885 o Zenmap now lets you save scan results in normal Nmap text output
 6886   format or (as before) as XML. The XML format still has the text
 6887   version embedded inside it, and is still the only format Zenmap can
 6888   load again. The "Save to Directory" mode for saving multiple
 6889   aggregated scans at once still always saves XML results. [David]
 6891 o Fixed the packaging of x64 versions of WinPcap drivers in the
 6892   winpcap-nmap installer to ensure that 64-bit applications (such as
 6893   64-bit Wireshark) work properly. [Rob Nicholls]
 6895 o Fixed the Idle Scan (-sI) so that scanning multiple hosts doesn't
 6896   retest the zombie proxy and reinitialize all of the associated data
 6897   at the beginning of each run. [Kris]
 6899 o [NSE] Raw packet sending at the IP layer is now supported, in
 6900   addition to the existing Ethernet sending functionality.  Packets to
 6901   send start with an IPv4 header and can be sent to arbitrary
 6902   hosts. For details, see
 6903   https://nmap.org/book/nse-api.html#nse-api-networkio-raw [Kris]
 6905 o Added version detection match line for the Arucer backdoor, which was
 6906   found packaged with drivers for the Energizer USB recharger product
 6907   (see http://www.kb.cert.org/vuls/id/154421). [Ron]
 6909 o Fixed --resume to work again despite our recent changes to the Nmap
 6910   output format. [jlanthea]
 6912 o [Zenmap] Localized most of the remaining strings in the GUI
 6913   interface which were English-only. The actual textual Nmap results
 6914   are still in English, since they come from Nmap itself, but the GUI
 6915   is now almost fully localized. [David]
 6917 o [Zenmap] Updated the localization files for the French
 6918   translation. [Gutek]
 6920 o [Zenmap] Fixed an interface bug which could cause hostnames with
 6921   underscores like "host_a" to be rendered like "hosta" with the "a"
 6922   underlined. Thanks to Toralf F. for the report, and David for the
 6923   fix.
 6925 o Nmap now honors routing table entries that override interface
 6926   addresses and netmasks. For example, with this configuration:
 6927     ************************INTERFACES************************
 6928     DEV  (SHORT) IP/MASK         TYPE     UP MAC
 6929     eth0 (eth0) ethernet up 00:00:00:00:00:00
 6930     .
 6931     **************************ROUTES**************************
 6932     DST/MASK       DEV  GATEWAY
 6933 eth0
 6934 eth0
 6935   Nmap will not consider directly connected through eth0,
 6936   even though it matches the interface's netmask. It won't try to ARP
 6937   ping, but will route traffic through
 6939 o [Ncat] The HTTP proxy server now accepts client connections over
 6940   SSL. That means connections to the proxy can be encrypted and
 6941   authenticated. We haven't found any HTTP clients that directly
 6942   support SSL connections to proxies, but you can use Ncat as a tunnel
 6943   to an SSL-supporting Ncat proxy. This new feature was implemented by
 6944   Markus Klinik.
 6946 o Updated our Mac OS X build system so that our binary packages are
 6947   built on Mac OS X 10.6 rather than 10.5. [David]
 6949 o Fixed reading of the interface table on NetBSD. Running nmap
 6950   --iflist would report "INTERFACES: NONE FOUND(!)" and any scan done
 6951   as root would fail with "WARNING: Unable to find appropriate
 6952   interface for system route to...". This was first reported by Jay
 6953   Fink, and had already been patched in the NetBSD pkgsrc
 6954   tree. [David]
 6956 o Fixed a bug in traceroute that could happen when directly connected
 6957   and routed targets were in the same hostgroup. If the first target
 6958   was directly connected, the traceroute for all targets in the group
 6959   would have a trace of one hop.
 6961 o ARP requests now work with libpcap Linux "cooked" encapsulation.
 6962   According to http://wiki.wireshark.org/SLL, this encapsulation is
 6963   used on devices "where the native link layer header isn't available
 6964   or can't be used." Before this, attempting any ARP operation on such
 6965   an interface would fail with the error
 6966     read_arp_reply_pcap called on interfaces that is datatype 113
 6967       rather than DLT_EN10MB (1)
 6968   [David]
 6970 o Fixed the display of route netmask bits in --iflist on little-endian
 6971   architectures. Formerly, any mask less than /24 was shown as /0, and
 6972   other masks were also wrong. [David]
 6974 o Fixed an assertion failure which could occur when connecting to an
 6975   SSL server:
 6976     nsock_core.c:199: socket_count_write_dec: Assertion `(iod->writesd_count)
 6977       > 0' failed.
 6978   This was observed when running the http-enum script but could
 6979   possibly have happened in other situations. Thanks to Brandon for
 6980   reporting the bug and testing. [David]
 6982 o Added the function bignum_add to the nse_openssl library to support
 6983   BIGNUM addition [Patrik]
 6985 o The redistributable Visual C++ runtime components installer
 6986   (vcredist_x86.exe) has been upgraded to version 9.0.30729.4148. Axel
 6987   Pettinger reported that the previous version 9.0.30729.17, caused a
 6988   Windows Update on Windows 7 because of Microsoft security advisory
 6989   MS09-035.
 6991 o [Ncat] Fixed an error that could make programs run with --exec exit
 6992   prematurely on Windows. The problem was related to a program writing
 6993   too quickly into a non-blocking socket. A symptom was the message:
 6994     NCAT DEBUG: Subprocess ended with exit code 259.
 6995   Reported by David Millis. [David]
 6997 o [Ncat] Fixed a bug that prevented detection of EOF from stdin on
 6998   Windows. Reported by Adrian Crenshaw and Andy Zwirko. [David]
 7000 o [Nsock] WSAEACCES was added to the list of known connect error
 7001   codes. This error can happen on Windows when a port is blocked by
 7002   Windows Firewall. Thanks to Taemun for reporting this and
 7003   investigating.
 7005 o XML output now only includes host elements for down hosts in verbose
 7006   mode. This makes it consistent with the other output formats.
 7008 o [NSE] Fixed http-enum so it uses the full path name for the
 7009   fingerprints file. This prevents it from quitting with an error like
 7010   this:
 7011     NSE: http-enum: Attempting to parse fingerprint file nselib/data/http-fingerprints
 7012     NSE: http-enum against threw an error!
 7013     C:\Program Files\Nmap\scripts\http-enum.nse:198: bad argument #1 to 'lines'
 7014       (nselib/data/http-fingerprints: No such file or directory)
 7015     stack traceback:
 7017   [Kris, Brandon, Ron Meldau]
 7019 o [NSE] Added a missing dirname function to http-favicon. Its absence
 7020   was causing this error message when a web page specified a relative
 7021   icon URL in a link element:
 7022    http-favicon.nse:141: variable 'dirname' is not declared
 7023   [David, Ron Meldau]
 7025 o Fixed the parsing of libdnet DLPI interface names that contain more
 7026   than one string of digits. Joe Dietz reported that an interface with
 7027   the name e1000g0 was causing this error message on Solaris 9:
 7028     Warning: Unable to open interface e1000g0 -- skipping it.
 7029   [David]
 7031 o [NSE] Added the function nmap.is_privileged() to tell a script if,
 7032   as far as Nmap's concerned, it can do privileged operations. For
 7033   instance, this can be used to determine whether a script can open a
 7034   raw socket or Ethernet interface. [Kris]
 7036 o [NSE] Added the function nmap.get_ports() so scripts can iterate
 7037   over a host's port table entries matching a given protocol and
 7038   state. [Kris, Patrick]
 7040 o [Ncat] Fixed a handle leak with --exec and --sh-exec on Windows,
 7041   found by Jon Greaves. One thread handle was being leaked per child
 7042   process invocation. [David]
 7044 o [NSE] nbstat.nse can now look up the MAC prefix vendor string. Other
 7045   scripts can now do the same thing using the
 7046   datafiles.parse_mac_prefixes function. [Thomas Buchanan]
 7048 o Remove the PYTHONPATH and PYTHONHOME variables from the environment
 7049   before executing a sub-ndiff if they exist and if Zenmap is running
 7050   in a py2app bundle. These variables are set by py2app to point
 7051   inside our application bundle. Having them set in the environment
 7052   makes Ndiff use the same settings because it is also a Python
 7053   application. Deleting the variables is somewhat wrong, because the
 7054   user may have set those outside of Zenmap expecting them to be used
 7055   with their system-installed Python programs. But this is at least no
 7056   worse than before our build system update, because previously py2app
 7057   was stomping on the variables anyway. [David]
 7059 o [Ncat] Fixed a segmentation fault caused by access to freed memory.
 7060   It could be triggered by making multiple connections to a server
 7061   that was constantly sending in SSL mode, such as:
 7062     ncat -l -k --ssl < /dev/zero
 7063   This bug was reported by Mak Kolybabi. [David]
 7065 o [NSE] Moved the smtp-open-relay.nse script out of the "demo"
 7066   category after improvements by Duarte Silva. We have now met the
 7067   goal of removing all scripts from that category.
 7069 o [NSE] Fixed a bug which prevented smb-brute from properly detecting
 7070   account lockouts, which could lead to lockouts of many accounts on
 7071   the target machine. Now smb-brute tries to check the lockout policy
 7072   before starting and refuses to run (unless you force it to with the
 7073   smblockout variable) if lockouts are enabled or if it locks out an
 7074   account. [Ron]
 7076 o [NSE] Rewrote smb-enum-domains to be more generalized and rely on
 7077   library functions which will eventually be shared with
 7078   smb-brute. [Ron]
 7080 o Qualified an assertion to allow zero-byte sends in Nsock. Without
 7081   this, an NSE script could cause this assertion failure by doing
 7082   socket:send(""):
 7083     nmap: nsock_core.c:516: handle_write_result: Assertion `bytesleft > 0' failed.
 7084   [David]
 7086 o Added a service probe for Logitech SqueezeCenter command line interface
 7087   [Patrik]
 7089 o Improved PostgreSQL match lines by matching the line of the error to a
 7090   specific version. [Patrik]
 7092 o Added a mac_addr_next_hop member to the host tables used in NSE for
 7093   scripts which need to know the MAC address of the next hop router
 7094   for reaching a target host. [Michael Pattrick, KX].
 7096 o Removed the nmap_service.exe helper program for smb-psexec, as it
 7097   was still being flagged by malware detection even after the
 7098   bit-flipping in the next release. In fact, the obfuscation backfired
 7099   and caused more false positives! You can now download it from
 7100   https://nmap.org/psexec/nmap_service.exe. (The script will remind you
 7101   if you run the script and it's not installed.)
 7103 o Added service probes and UDP payloads for games based on the Quake 2
 7104   and Quake 3 engine, submitted by Mak Kolybabi.
 7106 o [Ncat] Added support for HTTP digest authentication of proxies, as
 7107   both client and server. Previously only the less secure basic
 7108   authentication method was supported. [Venkat, David]
 7110 o Improved the MIT Kerberos version detection signatures. [Matt Selsky]
 7112 o [Ndiff] Show a nicer error message when an input file can't be
 7113   loaded. Suggested by Derril Lucci, who also contributed a patch.
 7115 o [NSE] Added a new library afp.lua which handles the Apple Filing
 7116   Protocol (AFP) filesharing system. The library handles
 7117   authentication and many other protocol features, and enables the new
 7118   afp-path-vuln, afp-brute, and afp-showmount scripts. [Patrik]
 7120 o Added an Apple Filing Protocol service probe that detects Netatalk
 7121   servers. (Apple's AFP servers are coincidentally triggered by the
 7122   SSLSessionReq probe.) [Patrik Karlsson]
 7124 o [NSE] Fixed packet.lua so that functions used to set packet header
 7125   fields (e.g. ip_set_ttl) also set the appropriate variables used to
 7126   access the data (e.g. ip_ttl). [Kris]
 7128 o Updated and corrected IANA assignment IP list for random IP (-iR)
 7129   generation.  Now even 001/8 has been allocated. [Kris]
 7131 Nmap 5.21 [2010-01-27]
 7133 o [Zenmap] Added a workaround for a Ubuntu Python packaging idiosyncrasy.
 7134   As of version python2.6-2.6.4-0ubuntu3, Ubuntu's distutils modifies
 7135   self.prefix, a variable we use in the setup.py script. This would
 7136   cause Zenmap to look in the wrong place for its configuration files,
 7137   and show the dialog "Error creating the per-user configuration
 7138   directory" with the specific error "[Errno 2] No such file or
 7139   directory: '/usr/share/zenmap/config'". This problem was reported by
 7140   Chris Clements, who also helped debug. [David]
 7142 o Fixed an error that occurred when UDP scan was combined with version
 7143   scan. UDP ports would appear in the state "unknown" at the end of
 7144   the scan, and in some cases an assertion failure would be raised.
 7145   This was an unintended side effect of the memory use reduction
 7146   changes in 5.20. The bug was reported by Jon Kibler. [David]
 7148 o [NSE] Did some simple bit-flipping on the nmap_service.exe program
 7149   used by the smb-psexec script, to avoid its being falsely detected
 7150   as malware. [Ron]
 7152 o [NSE] Fixed a bug in http.lua that could lead to an assertion
 7153   failure. It happened when there was an error getting a response
 7154   at the beginning of a batch in http.pipeline. The symptoms of the
 7155   bug were:
 7156     NSE: Received only 0 of 1 expected reponses.
 7157     Decreasing max pipelined requests to 0.
 7158     NSOCK (0.1870s) Write request for 0 bytes...
 7159     nmap: nsock_core.c:516: handle_write_result: Assertion `bytesleft > 0' failed.
 7160   The error was reported by Brandon Enright and pyllyukko.
 7162 o [NSE] Restored the ability of http.head to return a body if the
 7163   server returns one. This was lost in the http.lua overhaul from
 7164   5.20. [David]
 7166 o [NSE] Fixed the use of our strict.lua library on distributions that
 7167   install their own strict.lua. The error message was
 7168     nse_main.lua:97: attempt to call a boolean value
 7169   It was reported by Onur K. [Patrick]
 7171 o Fixed handling of nameserver entries in /etc/resolv.conf so it could
 7172   handle entries containing more than 16 bytes, which can occur with
 7173   IPv6 addresses.  Gunnar Lindberg reported the problem and
 7174   contributed an initial patch, then Brandon and Kris refined and
 7175   implemented it.
 7177 o [NSE] Corrected a behavior change in http.request that was
 7178   accidentally made in 5.20: it could return nil instead of a table
 7179   indicating failure. [David]
 7181 o [NSE] Fixed the use of an undefined variable in smb-enum-sessions,
 7182   reported by Brandon. [Ron]
 7184 o Fixed a compiler error when --without-liblua is used. [Brandon]
 7186 o [NSE] Fixed an error with running http-enum.nse along with the
 7187   --datadir option. The script would report the error
 7188     http-enum.nse:198: bad argument #1 to 'lines'
 7189       (nselib/data/http-fingerprints: No such file or directory)
 7190   The error was reported by Ron Meldau and Brandon. [Kris]
 7192 o Added a function that was missing from http-favicon.nse. Its absence
 7193   would cause the error
 7194     http-favicon.nse:141: variable 'dirname' is not declared
 7195   when a web page specified a relative icon URL through the link
 7196   element. This bug was reported by Ron Meldau. [David]
 7198 o Fixed a bug with the decoding of SNMP OID component values greater
 7199   than 127. [Patrik Karlsson, David]
 7201 Nmap 5.20 [2010-01-20]
 7203 o Dramatically improved the version detection database, integrating
 7204   2,596 submissions that users contributed since February 3, 2009!
 7205   More than a thousand signatures were added, bringing the total to
 7206   8,501. Many existing signatures were improved as well. Please keep
 7207   those submissions and corrections coming! Nmap prints a submission
 7208   URL and fingerprint when it receives responses it can't yet
 7209   interpret.
 7211 o [NSE] Added a new script, oracle-sid-brute, which queries the Oracle
 7212   TNS-listener for default instance/sid names. The SID enumeration
 7213   list was prepared by Red Database security. See
 7214   https://nmap.org/nsedoc/scripts/oracle-sid-brute.html . [Patrik
 7215   Karlsson]
 7217 o [Ncat] The --ssl, --output, and --hex-dump options now work with
 7218   --exec and --sh-exec. Among other things, this allows you to make a
 7219   program's I/O available over the network wrapped in SSL encryption
 7220   for security.  It is implemented by forking a separate process to
 7221   handle network communications and relay the data to the
 7222   sub-process. [Venkat, David]
 7224 o Nmap now tries to start the WinPcap NPF service on Windows if it is not
 7225   already running. This is rare, since our WinPcap installer starts
 7226   NPF running at system boot time by default. Because starting NPF
 7227   requires administrator privileges, a UAC dialog for net.exe may
 7228   appear on Windows Vista and Windows 7 before NPF is loaded.  Once
 7229   NPF is loaded, it generally stays loaded until you reboot or run
 7230   "net stop npf". [David, Michael Pattrick]
 7232 o The Nmap Windows installer and our WinPcap installer now have an
 7233   option /NPFSTARTUP=NO, which inhibits the installer from setting the
 7234   WinPcap NPF service to start at system startup and at install-time.
 7235   This option only affects silent mode (/S) because existing GUI
 7236   checkboxes allow you to configure this behavior during interactive
 7237   installation. [David]
 7239 o [NSE] Replaced our runlevel system for managing the order of script
 7240   execution with a much more powerful dependency system. This allows
 7241   scripts to specify which other scripts they depend on (e.g. a brute
 7242   force authentication script might depend on username enumeration
 7243   scripts) and NSE manages the order. Dependencies only enforce
 7244   ordering, they cannot pull in scripts which the user didn't
 7245   specify. See
 7246   https://nmap.org/book/nse-script-format.html#nse-format-dependencies
 7247   [Patrick]
 7249 o [Ncat] For compatibility with Hobbit's original Netcat, the -p
 7250   option now works to set the listening port number in listen mode.
 7251   So "ncat -l 123" can now be expressed as "ncat -l -p 123"
 7252   too. [David]
 7254 o A new script argument, http.useragent, lets you modify
 7255   the User-Agent header sent by NSE from its default of "Mozilla/5.0
 7256   (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)".
 7257   Set it to the empty string to disable the User-Agent
 7258   entirely. [David, Tom Sellers, Jah]
 7260 o [Zenmap] The locale setting had been taken from the Windows locale,
 7261   which inadvertently made setting the locale with the LANG
 7262   environment variable stop working. Now the LANG variable is examined
 7263   first, and if that is not present, the system-wide setting is
 7264   used. This change allows users to keep Zenmap in its original
 7265   English (or any of Zenmap's other languages) even if their system is
 7266   set to use a different locale.  [David]
 7268 o [NSE] The http-favicon script is now better at finding "link
 7269   rel=icon" tags in pages, and uses that icon in preference to
 7270   /favicon.ico if found. If the favicon.uri script arg is given, only
 7271   that is tried.  Meanwhile, a giant (10 million web servers) favicon
 7272   scan by Brandon allowed us to add about 40 more of the most popular
 7273   icons to the DB. [David, Brandon]
 7275 o [NSE] smb-psexec now works against Windows XP (as well as
 7276   already-supported Win2K and Windows 2003). The solution involved
 7277   changing the seemingly irrelevant PID field in the SMB packet. See
 7278   http://seclists.org/nmap-dev/2010/q1/13. [Ron]
 7280 o [NSE] Fixed a bug which kept the nselib/data/psexec subdirectory out
 7281   of the Windows packages. We needed to add the /s and /e options to
 7282   xcopy in our Visual C++ project file. [David]
 7284 o [NSE] Overhauled our http library to centralize HTTP parsing and
 7285   make it more robust. The biggest user-visible change is that
 7286   http.request goes back to returning a parsed result table rather than raw
 7287   HTTP data. Also the http.pipeline function no longer accepts the
 7288   no-longer-used "raw" option. [David]
 7290 o Fixed a bug in traceroute that could lead to a crash:
 7291     terminate called after throwing an instance of 'std::out_of_range'
 7292       what():  bitset::test
 7293   It happened when the preliminary distance guess for a target was
 7294   greater than 30, the size of an internal data structure. David and
 7295   Brandon tracked down the problem.
 7297 o Fixed compilation of libdnet-stripped on platforms that don't have
 7298   socklen_t. [Michael Pattrick]
 7300 o Added a service probe and match lines for the Logitech/SlimDevices
 7301   SqueezeCenter music server. [Patrik Karlsson]
 7303 o Fixed the RTSPRequest version probe, which was accidentally modified
 7304   to say "RTSP/2.0" rather than "RTSP/1.0" in 5.10BETA2. [Matt Selsky]
 7306 o [NSE] Our http library no longer allows cached responses from a GET
 7307   request to be returned for a HEAD request. This could cause problems
 7308   with at least the http-enum script. [David]
 7310 o Fixed a bug in the WinPcap installer: If the "Start the WinPcap
 7311   service 'NPF' at startup" box was unchecked and the "Start the
 7312   WinPcap service 'NPF' now" box was checked, the second checkbox
 7313   would be ignored (the service would not be started now). [Rob
 7314   Nicholls]
 7316 Nmap 5.10BETA2 [2009-12-24]
 7318 o Added 7 new NSE scripts for a grand total of 79! You can learn about
 7319   them all at https://nmap.org/nsedoc/.  Here are the new ones:
 7321   * nfs-showmount displays NFS exports like "showmount -e" does. See
 7322     https://nmap.org/nsedoc/scripts/nfs-showmount.html . [Patrik
 7323     Karlsson]
 7325   * ntp-info prints the time and configuration variables provided by
 7326     an NTP service. It may get such interesting information as the
 7327     operating system, server build date, and upstream time server IP
 7328     address. See
 7329     https://nmap.org/nsedoc/scripts/ntp-info.html . [Richard Sammet]
 7331   * citrix-brute-xml uses the unpwdb library to guess credentials for
 7332     the Citrix PN Web Agent Service. See
 7333     https://nmap.org/nsedoc/scripts/citrix-brute-xml.html . [Patrik Karlsson]
 7335   * citrix-enum-apps and citrix-enum-apps-xml print a list of published
 7336     applications from the Citrix ICA Browser or XML service,
 7337     respectively. See
 7338     https://nmap.org/nsedoc/scripts/citrix-enum-apps.html and
 7339     https://nmap.org/nsedoc/scripts/citrix-enum-apps-xml.html . [Patrik Karlsson]
 7341   * citrix-enum-servers and citrix-enum-servers-xml print a list
 7342     of Citrix servers from the Citrix ICA Browser or XML service,
 7343     respectively. See
 7344     https://nmap.org/nsedoc/scripts/citrix-enum-servers.html and
 7345     https://nmap.org/nsedoc/scripts/citrix-enum-servers-xml.html . [Patrik
 7346     Karlsson]
 7348 o We performed a memory consumption audit and made changes to
 7349   dramatically reduce Nmap's footprint.  This improves performance on
 7350   all systems, but is particularly important when running Nmap on
 7351   small embedded devices such as phones.  Our intensive UDP scan
 7352   benchmark saw peak memory usage decrease from 34MB to 6MB, while OS
 7353   detection consumption was reduced from 67MB to 3MB.  Read about the
 7354   changes at http://seclists.org/nmap-dev/2009/q4/663.  Here are the
 7355   highlights:
 7357   * The size of the internal representation of nmap-os-db was reduced
 7358     more than 90%. Peak memory consumption in our OS detection
 7359     benchmark was reduced from 67MB to 3MB. [David]
 7361   * The size of individual Port structures without service scan
 7362     results was reduced about 70%. [Pavel Kankovsky]
 7364   * When a port receives no response, Nmap now avoids allocating a
 7365     Port structure at all, so scans against filtered hosts can be
 7366     light on memory. [David]
 7368 o David started a major service detection submission integration
 7369   run. So far he has processed submissions since February for the
 7370   following services: imap, pop3, afp, sip, printer, transmission,
 7371   svnserve, vmware, domain, backdoor, finger, freeciv, hp, imaps, irc,
 7372   landesk, netbios-ssn, netsupport, nntp, oracle, radmin, routersetup,
 7373   rtorrent, serv-u, shoutcast, ssh, tcpmux, torrent, utorrent, vnc and
 7374   ipp. The rest will come in the next release, along with full stats
 7375   on the additions.
 7377 o Added service detection probe for Kerberos (udp/88) and IBM DB2
 7378   DAS (523/UDP). [Patrik Karlsson]
 7380 o Added a UDP payload and service detection probe for Citrix
 7381   MetaFrame, which typically runs on 1604/udp. [Thomas Buchanan]
 7383 o Added a UDP SIPOptions service detection probe corresponding to the
 7384   TCP one. [Patrik Karlsson, Matt Selsky, David Fifield]
 7386 o Updated service detection signatures for Microsoft SQL Server 2005
 7387   to detect recent Microsoft security update (MS09-062), and also
 7388   updated ms-sql-info.nse to support MS SQL Server 2008
 7389   detection. [Tom]
 7391 o Nmap now provides Christmas greetings and a reminder of Xmas scan
 7392   (-sX) when run in verbose mode on December 25. [Fyodor]
 7394 o Removed a limitation of snmp.lua which only allowed it to properly
 7395   encode OID component values up to 127. The bug was reported by
 7396   Victor Rudnev. [David]
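The sub-identifier limitation above and the 5.21 decoding fix earlier in this changelog both come down to the BER base-128 rule for OBJECT IDENTIFIER components. The following is an added example, not code from Nmap's snmp.lua: a complete encoder and decoder for the OID TLV, beside a constructed single-byte encoder that reproduces the up-to-127 limitation; all function names are assumptions.

```python
"""Added example (not from Nmap or snmp.lua): BER OBJECT IDENTIFIER
encode/decode per X.690 8.19, showing why sub-identifiers above 127
need more than one byte."""

OID_TAG = 0x06


def encode_subid_naive(value: int) -> bytes:
    """Constructed single-byte encoder illustrating the pre-fix limitation:
    only 0..127 survive; 311 silently becomes 0x37 (55)."""
    return bytes([value & 0x7F])


def encode_subid(value: int) -> bytes:
    """Base-128 encode one sub-identifier: 7 data bits per byte, high bit
    set on every byte except the last (so 311 -> 0x82 0x37)."""
    if value < 0:
        raise ValueError("sub-identifier must be non-negative")
    out = bytearray([value & 0x7F])
    value >>= 7
    while value:
        out.insert(0, (value & 0x7F) | 0x80)
        value >>= 7
    return bytes(out)


def encode_length(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(oid: str) -> bytes:
    """Encode a dotted OID string as a complete BER OBJECT IDENTIFIER TLV.
    The first two components are folded into one sub-identifier (40*X + Y)."""
    parts = [int(p) for p in oid.strip().strip(".").split(".")]
    if len(parts) < 2 or parts[0] > 2 or (parts[0] < 2 and parts[1] > 39):
        raise ValueError("invalid OID %r" % oid)
    body = encode_subid(parts[0] * 40 + parts[1])
    for p in parts[2:]:
        body += encode_subid(p)
    return bytes([OID_TAG]) + encode_length(len(body)) + body


def decode_oid(data: bytes) -> str:
    """Decode a BER OBJECT IDENTIFIER TLV into dotted form. A multi-byte
    sub-identifier cut off mid-way is rejected rather than decoded as a
    smaller value, which is the failure mode a decoder that only understood
    single bytes would produce."""
    if len(data) < 2 or data[0] != OID_TAG:
        raise ValueError("not an OBJECT IDENTIFIER")
    length, pos = data[1], 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    body = data[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated OID length")
    if not body:
        raise ValueError("empty OID")
    if body[-1] & 0x80:
        raise ValueError("truncated sub-identifier")
    subids, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last byte of this sub-identifier
            subids.append(value)
            value = 0
    first = subids[0]
    if first < 40:
        lead = [0, first]
    elif first < 80:
        lead = [1, first - 40]
    else:
        lead = [2, first - 80]
    return ".".join(str(x) for x in lead + subids[1:])


if __name__ == "__main__":
    # Constructed sample: an enterprise OID whose last component exceeds 127.
    enc = encode_oid("1.3.6.1.4.1.311")
    print(enc.hex())                 # 06072b060104018237
    print(decode_oid(enc))           # 1.3.6.1.4.1.311
    print(encode_subid_naive(311).hex(), encode_subid(311).hex())  # 37 8237
```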
 7398 o Nmap script output now uses two spaces of indentation rather than
 7399   three for the first level. This better aligns with the standard set by
 7400   the stdnse.format_output function added in the last release. Output
 7401   now looks like:
 7402   8082/tcp open  http        Apache httpd 2.2.13 ((Fedora))
 7403   |_http-favicon: Apache Web Server (seen on SuSE, Linux Tux favicon)
 7404   |_html-title: Nmap - Free Security Scanner For Network Exploration & Securit...
 7405   ...
 7406   Host script results:
 7407   | smb-os-discovery:
 7408   |   OS: Unix (Samba 3.4.2-0.42.fc11)
 7409   |   Name: Unknown\Unknown
 7410   |_  System time: 2009-11-24 17:19:21 UTC-8
 7411   |_smbv2-enabled: Server doesn't support SMBv2 protocol
 7412   [Fyodor]
 7414 o [NSE] Fixed (we hope) a deadlock we were seeing when doing a
 7415   favicon.nse survey against millions of hosts. We now restore all
 7416   threads that are waiting on a socket lock when a thread relinquishes
 7417   its lock. We expect only one of them to be able to grab the newly
 7418   freed lock, and the rest to go back to waiting. [David, Patrick]
 7420 o [Zenmap] Fixed a crash when filtering with inroute: in scans without
 7421   traceroute data. (KeyError: 'hops') [David]
 7423 o [NSE] Use a looser match pattern in auth-owners.nse for retrieving
 7424   the owner out of an identd response. See
 7425   http://seclists.org/nmap-dev/2009/q4/549. [Richard Sammet]
 7427 o Improved some Cyrus pop3 and Polycom SoundStation sip match
 7428   lines. [Matt Selsky]
 7430 o [Ncat] In the Windows version of netrun, we weren't noticing when a
 7431   command fails to be executed (when CreateProcess fails). We now see
 7432   the return value and close the socket to disconnect the
 7433   client. [David]
 7435 o [NSE] Updated http-iis-webdav-vuln to run against SSL-enabled
 7436   servers [Ron]
 7438 o [NSE] Improved db2-info to set port product and state (rather than
 7439   just port.version.name and confidence) when a DB2 service is
 7440   positively identified. Error reporting was improved as well. [Tom]
 7442 Nmap 5.10BETA1 [2009-11-23]
 7444 o Added 14 new NSE scripts for a grand total of 72! You can learn
 7445   about them all at https://nmap.org/nsedoc/. Here are the new ones:
 7447   + smb-psexec implements remote process execution similar to
 7448     Sysinternals' psexec tool (or Metasploit's psexec "exploit"),
 7449     allowing a user to run a series of programs on a remote machine
 7450     and read the output. This is great for gathering information about
 7451     servers, running the same tool on a range of systems, or even
 7452     installing a backdoor on a collection of computers. See
 7453     https://nmap.org/nsedoc/scripts/smb-psexec.html [Ron]
 7455   + dhcp-discover sends out DHCP probes on UDP/67 and displays all
 7456     interesting results (or, with verbosity, all results).
 7457     Optionally, multiple probes can be sent and the MAC address can be
 7458     randomized in an attempt to exhaust the DHCP server's address pool
 7459     and potentially create a denial of service condition. See
 7460     https://nmap.org/nsedoc/scripts/dhcp-discover.html . [Ron]
 7462   + http-enum enumerates URLs used by popular web applications and
 7463     servers and reports which ones exist on a target web server. See
 7464     https://nmap.org/nsedoc/scripts/http-enum.html . [Ron, Andrew Orr,
 7465     Rob Nicholls]
 7467   + ssl-cert retrieves and prints a target server's SSL
 7468     certificate. See
 7469     https://nmap.org/nsedoc/scripts/ssl-cert.html . [David]
 7471   + x11-access checks whether access to an X11 server is allowed (as
 7472     with "xhost +" for example). See
 7473     https://nmap.org/nsedoc/scripts/x11-access.html . [jlanthea]
 7475   + db2-info enhances DB2 database instance detection. It provides
 7476     detection when version probes fail, but will default to the
 7477     version detection probe value if that is more precise. It also
 7478     detects the server platform and database instance name. The DB2
 7479     version detection port ranges were broadened to 50000-50025 and
 7480     60000-60025 as well. [Tom]
 7482   + smbv2-enabled checks if the smbv2 protocol is enabled on target
 7483     servers. SMBv2 has already suffered from at least one major
 7484     security vulnerability. See
 7485     https://nmap.org/nsedoc/scripts/smbv2-enabled.html . [Ron]
 7487   + http-favicon obtains the favicon file (/favicon.ico or whatever is
 7488     specified by the HTML link tag) and tries to identify its source
 7489     (such as a certain web application) using a database lookup. See
 7490     https://nmap.org/nsedoc/scripts/http-favicon.html . [Vladz]
 7492   + http-date obtains the Date: header field value from an HTTP server
 7493     then displays it along with how much it differs from local
 7494     time. See https://nmap.org/nsedoc/scripts/http-date.html . [David]
 7496   + http-userdir-enum attempts to enumerate users on a system by
 7497     trying URLs with common usernames in the Apache mod_userdir format
 7498     (e.g. http://target-server.com/~john). See
 7499     https://nmap.org/nsedoc/scripts/http-userdir-enum.html . [Jah]
 7501   + pjl-ready-message allows viewing and setting the status message on
 7502     printers which support the Printer Job Language (many HP printers
 7503     do). See https://nmap.org/nsedoc/scripts/pjl-ready-message.html .
 7504     [Aaron Leininger]
 7506   + http-headers performs a GET request for the root folder ("/") of a
 7507     web server and displays the HTTP headers returned. See
 7508     https://nmap.org/nsedoc/scripts/http-headers.html . [Ron]
 7510   + http-malware-host is designed to discover hosts that are serving
 7511     malware (perhaps because they were compromised), but so far it
 7512     only checks for one specific attack. See
 7513     https://nmap.org/nsedoc/scripts/http-malware-host.html . [Ron]
 7515   + smb-enum-groups displays a list of groups on the remote system
 7516     along with their membership (like enum.exe -G). See
 7517     https://nmap.org/nsedoc/scripts/smb-enum-users.html [Ron]
 7519 o Nmap's --traceroute has been rewritten for better performance.
 7520   Probes are sent in parallel to individual hosts, not just across all
 7521   hosts as before. Trace consolidation is more sophisticated, allowing
 7522   common traces to be identified sooner and fewer probes to be sent.
 7523   The older traceroute could be very slow (taking minutes per target)
 7524   if the target did not respond to the trace probes, and this new
 7525   traceroute avoids that. In a trace of 110 hosts in a /24 over the
 7526   Internet, the number of probes sent dropped 50% from 1565 to 743,
 7527   and the time taken dropped 92% from 95 seconds to 7.6
 7528   seconds. Traceroute now uses an ICMP echo request probe if no
 7529   working probes against the target were discovered during
 7530   scanning. [David]
 7532 o [Zenmap] After performing or loading a scan, you can now filter
 7533   results to just the hosts you are interested in by pressing Ctrl+L
 7534   (or the "Filter Hosts" button) to open the host filtering interface.
 7535   This makes it easy to select just Linux hosts, or those running a
 7536   certain version of Apache, or whatever interests you. You can easily
 7537   modify the filter or remove it to see the whole scan again. See
 7538   https://nmap.org/book/zenmap-filter.html . [Josh Marlow]
 7540 o For some UDP ports, Nmap will now send a protocol-specific payload
 7541   that is more likely to get a response than an empty packet is. This
 7542   improves the effectiveness of probes to those ports for host
 7543   discovery, and also makes an open port more likely to be classified
 7544   open rather than open|filtered. The ports and payloads are defined
 7545   in payload.cc. The ports that have a payload are 7 (echo),
 7546   53 (domain), 111 (rpcbind), 123 (ntp), 137 (netbios-ns), 161 (snmp),
 7547   177 (xdmcp), 500 (isakmp), 520 (route), 1645 and 1812 (radius),
 7548   2049 (nfs), 5353 (zeroconf), and 10080 (amanda). [David]
 7550 o Integrated 1,349 fingerprints (and 81 corrections) submitted by Nmap
 7551   users! They resulted in 342 new fingerprints (a 17% increase),
 7552   including Google's Android Linux system for smart phones, Mac OS X
 7553   10.6 (Snow Leopard), the Chumby, and a slew of printers, broadband
 7554   routers, and other devices (40 new vendors). See
 7555   http://seclists.org/nmap-dev/2009/q4/416 [David]
 7557 o [NSE] For all the services which are commonly tunneled over SSL
 7558   (pop3, http, imap, irc, smtp, etc.), we audited the scripts to
 7559   ensure they can support that tunneling. The comm.tryssl function
 7560   was added for easy SSL detection. See
 7561   https://nmap.org/nsedoc/lib/comm.html [Joao]
 7563 o Nmap now prefers to display the hostname supplied by the user instead
 7564   of the reverse-DNS name in most places. If a reverse DNS record
 7565   exists, and it differs from the user-supplied name, it is printed
 7566   like this:
 7567     Nmap scan report for www.google.com (
 7568     rDNS record for pw-in-f103.1e100.net
 7569   And in XML it looks like:
 7570     <hostnames>
 7571       <hostname name="openbsd.org" type="user"/>
 7572       <hostname name="cvs.openbsd.org" type="PTR"/>
 7573     </hostnames>
 7574   Host latency is now printed more often. See
 7575   http://seclists.org/nmap-dev/2009/q4/199 for a summary of other
 7576   output changes. [David]
 7578 o Ndiff now shows changes in script (NSE) output for each target
 7579   host (in both text output format and XML). [David]
 7581 o We now print output for down hosts, even when doing scanning beyond
 7582   just a ping scan.  This always prints to XML and grepable output,
 7583   and is printed to normal and interactive output in verbose mode. The
 7584   format for printing a down host has changed slightly: "Nmap scan
 7585   report for [host down]" [David]
 7587 o [NSE] Default socket parallelism has been doubled from 10 to 20,
 7588   which doubles speed in some situations. See
 7589   http://seclists.org/nmap-dev/2009/q3/161. [Patrick]
 7591 o Version detection's maximum socket concurrency has been increased
 7592   from 10-20 based on timing level to 20-40. This can dramatically
 7593   speed up version detection when there are many open ports in a host
 7594   group being scanned. [Fyodor]
 7596 o The Nmap source tarball (and RPMs) now include man page
 7597   translations (16 languages so far). Nmap always installs the English
 7598   man page, and installs the translations by default. If you only want
 7599   some of the translations, set the LINGUAS environmental variable to
 7600   the language codes you are interested in (e.g. "es de"). You can
 7601   specify the configure option --disable-nls or set LINGUAS to the
 7602   empty string to avoid installation of any man page translations. The
 7603   RPM always installs them. [David]
 7605 o [NSE] Added a function for scripts to format their output in a
 7606   consistent way. See
 7607   https://nmap.org/nsedoc/lib/stdnse.html#format_output. [Ron]
 7609 o [NSE] Now supports worker threads so that a single script can
 7610   perform multiple network operations concurrently. This patch also
 7611   includes condition variables for synchronization. See
 7612   https://nmap.org/nsedoc/lib/stdnse.html#new_thread,
 7613   https://nmap.org/nsedoc/lib/nmap.html#condvar, and
 7614   http://seclists.org/nmap-dev/2009/q4/294.
 7616 o Fixed a problem in which the Nmap installer wrongly reported that
 7617   the Microsoft Visual C++ 2008 Redistributable Package (vcredist.exe)
 7618   failed to install. We had to update a registry key--see
 7619   http://seclists.org/nmap-dev/2009/q3/164. [Jah]
 7621 o Added support for connecting to nameservers over IPv6. IPv6 addresses
 7622   can be used in /etc/resolv.conf or with the --dns-servers option. The
 7623   parallel reverse DNS resolver still only supports IPv4 addresses, but
 7624   it can look them up over IPv6. [Ankur Nandwani]
 7626 o Zenmap now includes ports in the services view whenever Nmap found
 7627   them "interesting," whatever their state. Previously they were only
 7628   included if the state was "open", "filtered", or "open|filtered",
 7629   which led to confusing behavior when a closed port showed up in the
 7630   Services column but clicking on the service showed no ports in the
 7631   display. [David]
 7633 o [Ncat] Now has configure-time ASCII art just like Nmap does:
 7634             .       .
 7635             \`-"'"-'/
 7636              } 6 6 {
 7637             ==. Y ,==
 7638               /^^^\  .
 7639              /     \  )  Ncat: A modern interpretation of classic Netcat
 7640             (  )-(  )/
 7641             -""---""---   /
 7642            /   Ncat    \_/
 7643           (     ____
 7644            \_.=|____E
 7646 o [NSE] Added HTTP pipelining support to the HTTP library and to
 7647   the http-enum, http-userdir-enum, and sql-injection.nse
 7648   scripts. Pipelining can increase speed dramatically for scripts
 7649   which make many requests.
 7651 o [NSE] The HTTP library now caches responses from http.get or
 7652   http.head so that resources aren't requested multiple times during
 7653   the same Nmap run even if several scripts request them. See
 7654   http://seclists.org/nmap-dev/2009/q3/733. [Patrick]
 7656 o [Ncat, Ndiff] The exit codes of these programs now reflect whether
 7657   they succeeded. For Ncat, 0 means the connection was successful, 1
 7658   indicates a network error, and 2 indicates any other error. For
 7659   Ndiff, 0 means the scans were equal, 1 means they were different,
 7660   and 2 indicates a runtime error. [David]
 7662 o [Ncat] In verbose mode, Ncat now prints the number of bytes read and
 7663   written after the client connection is terminated. Ncat also now
 7664   prints elapsed time. For example, "Ncat finished: 16 bytes sent, 566
 7665   bytes received in 8.05 seconds." [Venkat]
 7667 o [NSE] telnet-brute.nse now uses the unpw database instead of a
 7668   hard-coded list. [Ron]
 7670 o [NSE] ssl-cert.nse now supports TLS negotiation against SMTP ports
 7671   that support it. [Tom Sellers, David]
 7673 o [NSE] Scripts that are listed by name with the --script option now
 7674   have their verbosity level automatically increased by one. Many
 7675   will print negative results ("no infection found") at a higher
 7676   verbosity level. The idea is that if you ask for a script
 7677   specifically, you are more interested in such results.
 7678   [David, Patrick]
 7680 o Upgraded our WinPcap installer to use the new WinPcap version 4.1.1.
 7681   A bug which could prevent proper uninstallation of previous versions
 7682   was fixed at the same time. Later we made it set some registry keys
 7683   for compatibility with the official WinPcap project installer (see
 7684   http://seclists.org/nmap-dev/2009/q4/237). [Rob Nicholls]
 7686 o [Ncat] Ncat now prints a message like "Connection refused." by
 7687   default when a socket error occurs. This used to require -v, but
 7688   printing no message at all could make a failed connection look like
 7689   success in a case like
 7690     ncat remote < short-file
 7692 o Zenmap no longer displays down hosts in the GUI. [Josh]
 7694 o The Ndiff man page was dramatically improved with examples and
 7695   sample output. See https://nmap.org/book/ndiff-man.html .
 7696   [David]
 7698 o [NSE] At debug level 2 or higher (-d2), Nmap now prints all active
 7699   scripts (running & waiting) and a backtrace whenever a key is
 7700   pressed. This can be quite helpful in debugging deadlocks and other
 7701   script/NSE problems. [Patrick]
 7703 o Nmap now allows you to specify --data-length 0, and that is now the
 7704   documented way to disable the new UDP protocol-specific probe
 7705   payload feature. [David]
 7707 o Fixed compilation of our libdnet on Debian GNU/kFreeBSD (patch from
 7708   Petr Salinger).
 7710 o Our Windows packages are now built on Windows 7, though they are
 7711   32-bit binaries and should continue to work on Win2K and later.
 7713 o Fixed a bug that could cause an infinite loop ("Unable to find
 7714   listening socket in get_rpc_results") in RPC scan. The loop would
 7715   happen when scanning a port that sent no responses, and there was at
 7716   least one other port to scan. Thanks to Lionel Cons for reporting
 7717   the problem. [David]
 7719 o [NSE] The dns-zone-transfer and whois script argument table syntax has been
 7720   improved so you don't need curly braces.
 7722 o [NSE] smb-enum-shares.nse now checks whether or not a share is
 7723   writable by attempting to write a file (and deleting it if it's
 7724   successful).  Significantly cleaned up the code, as well. [Ron]
 7726 o The nselib/data directory is now installed. It was not installed
 7727   before because of an error in the Makefile. The scripts that would
 7728   not have worked after installation because they were missing data
 7729   files are http-enum.nse, http-favicon.nse, http-iis-webdav-vuln.nse,
 7730   http-userdir-enum.nse, smb-pwdump.nse, pop3-brute.nse,
 7731   smb-brute.nse, and snmp-brute.nse. [David]
 7733 o Upgraded the included libpcap to 1.0.0. [David]
 7735 o Optimize MAC address prefix lookup by using an std::map rather than
 7736   a custom hash table. This increases performance and code simplicity
 7737   at the cost of some extra memory consumption. In one test, this
 7738   reduced the time of a single target ARP ping scan from 0.59 seconds
 7739   to 0.13. [David]
 7741 o Added -Pn and -sn as aliases for -PN and -sP, respectively. They
 7742   will eventually become the recommended and documented way to disable
 7743   host discovery (ping scanning) and port scanning. They are more
 7744   consistent and also match the existing -n option for disabling
 7745   reverse DNS resolution. [David]
 7747 o Fixed an error in the handling of exclude groups that used IPv4
 7748   ranges. Si Stransky reported the problem and provided a number of
 7749   useful test cases in http://seclists.org/nmap-dev/2009/q4/276. The
 7750   error caused various assertion failures along the lines of
 7751     TargetGroup.cc:465: int
 7752     TargetGroup::get_next_host(sockaddr_storage*, size_t*):
 7753     Assertion `ipsleft > 1' failed.
 7754   [David]
 7756 o [NSE] Improved the authentication used by the smb-* scripts. Instead of
 7757   looking in a bunch of places (registry, command-line, etc) for the
 7758   usernames/passwords, a table is kept. This lets us store any number
 7759   of accounts for later use, and remove them if they stop working. This
 7760   also fixes a bug where typing in a password incorrectly would lock
 7761   out an account (since it wouldn't stop trying the account in question).
 7762   [Ron]
 7764 o Removed IP ID matching in packet headers returned in ICMP errors.
 7765   This was already the case for some operating systems that are known
 7766   to mangle the IDs of sent IP packets. Requiring such a match could
 7767   occasionally cause valid replies to be ignored. See
 7768   http://seclists.org/nmap-dev/2009/q2/580 for an example of host
 7769   order affecting scan results due to this phenomenon. [David]
 7771 o [NSE] The HTTP library now handles chunked transfer decoding more
 7772   robustly. See http://seclists.org/nmap-dev/2009/q3/13 [David]
 7774 o [NSE] Unexpected error messages from scripts now include the target
 7775   host and port number. [David]
 7777 o [NSE] Fixed many libraries which were inappropriately using global
 7778   variables, meaning that multiple scripts running concurrently could
 7779   overwrite each others values. NSE now automatically checks for this
 7780   problem at runtime, and we have a static code checker
 7781   (check_globals) available as well. See this whole thread
 7782   http://seclists.org/nmap-dev/2009/q3/70. [Patrick]
 7784 o Added some additional matching rules to keep a reply to a SYN probe
 7785   from matching an ACK probe to the same port, or vice versa, in ping
 7786   scans that include both scan types. Such a mismatch could cause an
 7787   ineffective timing ping or traceroute probe to be selected. [David]
 7789 o [Zenmap] There is a new command-line option, --confdir, which sets
 7790   the per-user configuration directory. Its value defaults to
 7791   $HOME/.zenmap. This was suggested by Jesse McCoppin. [David]
 7793 o Open bpf devices in read/write mode, not read-only, in libdnet on
 7794   BSD. This is to work around a bug in Mac OS X 10.6 that causes
 7795   incoming traffic to become invisible. [David]
 7797 o "make install" now removes from the Nmap script directory some
 7798   scripts which only existed in previous versions of Nmap but weren't
 7799   deleted during upgrades. [David]
 7801 o [NSE] Added the reconnect_ssl method for sockets. We sometimes need
 7802   to reconnect a socket with SSL because the initial communication on
 7803   the socket is done without SSL. See this thread for more details:
 7804   http://seclists.org/nmap-dev/2009/q4/3 [Patrick, Tom Sellers]
 7806 o [Zenmap] Fixed a crash that could occur when entering certain
 7807   characters in the target entry (those whose UTF-8 encoding contains
 7808   a byte that counts as whitespace in the Windows locale):
 7809     File "zenmapGUI\ScanNotebook.pyo", line 184, in _target_entry_changed
 7810     File "zenmapCore\NmapOptions.pyo", line 719, in render_string
 7811     UnicodeDecodeError: 'utf8' codec can't decode byte 0xc3 in position 1:
 7812       unexpected end of data
 7813   For more details on this curious problem, see
 7814   http://seclists.org/nmap-dev/2009/q4/82 [David]
 7816 o [NSE] There is a new function, nmap.bind, to set the source address
 7817   of a socket. [David]
 7819 o [Nsock] Made it a fatal error instead of silent memory corruption
 7820   when an attempt is made to use a file descriptor whose number is not
 7821   less than FD_SETSIZE. This applies only on non-Windows platforms
 7822   where FD_SETSIZE is a limit on the value of file descriptors as well
 7823   as a limit on the number of descriptors in the set. The error will
 7824   look like
 7825     nsock_core.c:186: Attempt to FD_SET fd 1024, which is not less
 7826     than FD_SETSIZE (1024). Try using a lower parallelism.
 7827   Thanks to Brandon Enright for discovering the problem and much help
 7828   debugging it, and to Jay Fink for submitting an initial patch. [David]
 7830 o [Ncat] Fixed proxy connections in connect mode on Windows. Because
 7831   the dup function does not work on Windows, an assertion failure
 7832   would be raised reading
 7833     (fh >= 0 && (unsigned)fd < (unsigned)_nhandle)
 7834   [David]
 7836 o [Ncat] Fixed the combination of --max-conns and --exec on Windows.
 7837   The count of connected clients was not decreased when the program
 7838   spawned by --exec finished. With --max-conns 5, for example, no more
 7839   connections would be allowed after the fifth, even if some of the
 7840   earlier ones had ended. Jon Greaves reported the problem and Venkat
 7841   contributed a patch.
 7843 o [Ncat] The code that manages the count of connected clients has been
 7844   made robust with respect to signals. The code was contributed by
 7845   Solar Designer.
 7847 o The files read by the -iL (input from file) and --excludefile
 7848   options now support comments that start with # and go to the end of
 7849   the line. [Tom Sellers]
 7851 o [Zenmap] On Windows, Zenmap no longer uses the cmd.exe shell to run
 7852   Nmap sub-processes. This means that canceling a scan will kill the
 7853   Nmap process as it does on other platforms (previously it would just
 7854   kill the shell). It also means that scanning will work as a
 7855   user whose name contains characters like '&' that are significant to
 7856   the shell.  Mike Crawford and Nick Marsh reported bugs related to
 7857   this. [David]
 7859 o [NSE] All scripts (except for those in "version" or "demo"
 7860   categories) are now classified in either the "safe" or "intrusive"
 7861   categories, based on how likely they are to cause problems when run
 7862   against other machines on the network. Those classifications already
 7863   existed, but weren't used consistently. [Fyodor]
 7865 o Added a check for an SMBv2 vulnerability (CVE-2009-3103) to
 7866   smb-check-vulns. Due to its nature (it performs a DoS, then checks
 7867   if the system is still online), the script isn't run by default and
 7868   requires a special script-arg to work. [Ron]
 7870 o Fixed an integer overflow in uptime calculation which could occur
 7871   when a target with a low TCP timestamp clock frequency uses large
 7872   timestamp values, such that a naive uptime calculation shows a boot
 7873   time before the epoch. Also fixed a printf format specifier mismatch
 7874   that was revealed by the bug. Toby Simmons reported the problem and
 7875   helped with the fix.  [David]
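The overflow described in the entry above, as an added example (not Nmap's own code): a boot-time estimate from a TCP timestamp value and a guessed timestamp clock frequency, first in the naive 32-bit form and then in a 64-bit form that flags impossible results (boot before the epoch or after "now"). The function names, the sample "now" and the timestamp values are constructed for this example; the printf formats match their 64-bit arguments, which is the specifier-mismatch class the entry mentions.

```c
/* Added example, not Nmap's code: estimating a target's boot time from a
 * TCP timestamp value (tsval) and a guessed timestamp clock frequency (hz)
 * without the 32-bit arithmetic the changelog entry describes. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Naive form: uptime kept in a 32-bit int. A tsval near 2^32 at 1 Hz
 * (about 136 years of "uptime") does not fit, so on mainstream compilers
 * (the conversion is implementation-defined) it wraps to a negative
 * number and the computed boot time lands in the future. */
int32_t naive_boot_time(uint32_t tsval, int hz, int32_t now)
{
    int uptime = (int)(tsval / (uint32_t)hz);
    return now - uptime;
}

/* Checked form: 64-bit arithmetic, no truncation. */
int64_t boot_time_checked(uint32_t tsval, double hz, int64_t now)
{
    double uptime = (double)tsval / hz;     /* seconds since the clock started */
    return now - (int64_t)uptime;
}

/* A boot time before the Unix epoch or after "now" cannot be right; it
 * usually means the timestamp clock did not start at zero on boot, or hz
 * was guessed wrong, so no uptime should be reported at all. */
int boot_time_is_plausible(uint32_t tsval, double hz, int64_t now)
{
    int64_t boot;
    if (hz <= 0.0)
        return 0;
    boot = boot_time_checked(tsval, hz, now);
    return boot >= 0 && boot <= now;
}

int main(void)
{
    const int64_t now = 1250000000;         /* constructed: August 2009 */
    const uint32_t big_ts = 4000000000u;    /* constructed tsval near 2^32 */
    printf("naive:   %" PRId32 " (later than now, so impossible)\n",
           naive_boot_time(big_ts, 1, (int32_t)now));
    printf("checked: %" PRId64 ", plausible=%d\n",
           boot_time_checked(big_ts, 1.0, now),
           boot_time_is_plausible(big_ts, 1.0, now));
    return 0;
}
```

The plausibility check is the part worth keeping: a timestamp clock that was not reset at boot produces exactly this kind of value, and reporting a 136-year uptime or a boot date in 1880 is worse than reporting nothing.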
 7877 o [NSE] The HTTP library now supports HTTP cookies. [Joao Correa]
 7879 o Fixed a compile error on NetBSD. It was
 7880     tcpip.cc:2948: error: pointer of type 'void *' used in arithmetic
 7881   Thanks to Jay Fink for reporting the problem and submitting a patch.
 7883 o [Zenmap] If you have any hosts or services selected, they will
 7884   remain selected after aggregating another scan or running a filter
 7885   (as long as they are still up and visible). Previously the selection
 7886   was lost whenever the scan inventory was changed. This is
 7887   particularly important due to the new host filter system. [David]
 7889 o [Zenmap] New translation: Russian (contributed by Alexander Khodyrev).
 7890   Updated translations: French and German.
 7892 o Nmap now generates IP addresses without duplicates (until you cycle
 7893   through all the allowed IPs) thanks to a new collision-free 32-bit
 7894   number generator in nbase_rnd.c. See
 7895   http://seclists.org/nmap-dev/2009/q3/695 [Brandon]
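A no-repeat 32-bit generator of the kind the entry above describes, as an added example (not the algorithm in nbase_rnd.c): a full-period linear congruential generator visits every value below 2^bits exactly once before it cycles. By the Hull-Dobell theorem an LCG modulo 2^k has full period when the increment is odd and the multiplier minus one is divisible by 4; the multiplier, increment and seed below are constructed constants that satisfy both conditions, and the struct and function names are assumptions.

```c
/* Added example, not nbase_rnd.c: one way to emit every value below
 * 2^bits exactly once before any repeat, using a full-period LCG. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct unique_u32 {
    uint32_t state;
    uint32_t mask;      /* 2^bits - 1: restricts the output width */
};

void unique_u32_init(struct unique_u32 *g, uint32_t seed, int bits)
{
    g->mask = (bits >= 32) ? 0xFFFFFFFFu : ((1u << bits) - 1u);
    g->state = seed & g->mask;
}

/* Next value. Increment 1013904223 is odd and 1664525 - 1 is divisible
 * by 4, so the sequence visits all 2^bits values before it cycles. */
uint32_t unique_u32_next(struct unique_u32 *g)
{
    g->state = (1664525u * g->state + 1013904223u) & g->mask;
    return g->state;
}

/* Draw 2^bits values and confirm none repeats. Returns 1 on success, 0 on
 * a collision or allocation failure; limited to bits <= 24 so the bitmap
 * used to track seen values stays small. */
int check_full_period(int bits)
{
    uint32_t n, i;
    unsigned char *seen;
    struct unique_u32 g;
    int ok = 1;
    if (bits < 1 || bits > 24)
        return 0;
    n = 1u << bits;
    seen = calloc(n, 1);
    if (seen == NULL)
        return 0;
    unique_u32_init(&g, 0x12345678u, bits);
    for (i = 0; i < n; i++) {
        uint32_t v = unique_u32_next(&g);
        if (seen[v]) { ok = 0; break; }
        seen[v] = 1;
    }
    free(seen);
    return ok;
}

int main(void)
{
    struct unique_u32 g;
    int i;
    unique_u32_init(&g, 0x12345678u, 32);
    for (i = 0; i < 4; i++) {
        uint32_t v = unique_u32_next(&g);
        /* render as a dotted quad, as a random-target generator would */
        printf("%u.%u.%u.%u\n", v >> 24, (v >> 16) & 0xff, (v >> 8) & 0xff, v & 0xff);
    }
    printf("16-bit full period: %d\n", check_full_period(16));
    return 0;
}
```

This guarantees distinctness, not unpredictability: the low bits of an LCG are highly regular (the lowest bit simply alternates), so anyone who sees a few outputs can predict the rest. Where the order of targets must not be guessable, pass each output through a keyed permutation before use.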
 7897 o There is a new OS detection pseudo-test, SCAN.DC, which records how
 7898   the network distance in SCAN.DS was calculated. Its value can be "L"
 7899   for localhost, "D" for a direct connection, "I" for an ICMP TTL
 7900   calculation, and "T" for a traceroute hop count. This is mainly for
 7901   the benefit of OS integration, when it is sometimes important to
 7902   distinguish between DS=1%DC=I (probably the result of forged TTLs)
 7903   and DS=1%DC=D (a true one-hop connection.) [David]
 7905 o Canonicalized the list of OS detection device types to a smaller set
 7906   with descriptions: https://svn.nmap.org/nmap/docs/device-types.txt .
 7907   [David, Fyodor, Doug]
 7909 o [Ncat] The --idle-timeout option now exits when *both* stdin and the
 7910   socket have been idle for the given time. Previously it would exit
 7911   when *either* of them had been idle, meaning that the program would
 7912   quit contrary to your expectation when downloading a large file
 7913   without sending anything, for example. [David]
 7915 o [Ncat] Ncat now always prefixes its own output messages with "Ncat: "
 7916   or "NCAT DEBUG: " to make it clear that they are not coming from the
 7917   remote host. This only matters when output goes to a terminal, where
 7918   the standard output and standard error streams are mixed. [David]
 7920 o Nmap's Nbase library now has a new hexdump() function which produces
 7921   output similar to Wireshark. nmap_hexdump() is a wrapper which
 7922   prints the output using Nmap's log_write facility. The old hdump()
 7923   and lamont_dump() functions have been removed. [Luis]
 7925 o Added explicit casts to (int)(unsigned char) for arguments to ctype function
 7926   calls in nmap, ncat and nbase.  Thanks to Solar Designer for pointing out
 7927   the need and fix for this. [Josh]
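The cast idiom from the entry above, as an added example (not Nmap's, Ncat's or Nbase's code): the <ctype.h> functions are defined only for EOF and values representable as unsigned char, so on platforms where char is signed a byte such as 0xC3 reaches isspace() as the negative value -61, which is undefined behaviour (classically an out-of-bounds read of the classification table). The wrappers, the trim and count helpers and the sample string are constructed for this example.

```c
/* Added example, not Nmap's own code: the (int)(unsigned char) idiom for
 * calling <ctype.h> functions on the bytes of a string. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Widen through unsigned char first (0xC3 becomes 195, a valid argument),
 * then to int as the ctype prototypes expect. */
static int safe_isspace(char c) { return isspace((int)(unsigned char)c); }
static int safe_isprint(char c) { return isprint((int)(unsigned char)c); }

/* Length of s once leading and trailing whitespace is removed. */
size_t trimmed_length(const char *s)
{
    size_t start = 0, end = strlen(s);
    while (start < end && safe_isspace(s[start]))
        start++;
    while (end > start && safe_isspace(s[end - 1]))
        end--;
    return end - start;
}

/* Copy the trimmed form of src into dst (dstlen counts the terminator).
 * Returns the number of bytes copied, not counting the terminator. */
size_t trim_copy(const char *src, char *dst, size_t dstlen)
{
    size_t start = 0, len = strlen(src), n;
    if (dstlen == 0)
        return 0;
    while (start < len && safe_isspace(src[start]))
        start++;
    n = trimmed_length(src);
    if (n >= dstlen)
        n = dstlen - 1;
    memcpy(dst, src + start, n);
    dst[n] = '\0';
    return n;
}

/* Bytes that are not printable in the "C" locale (every byte above 0x7F
 * and every control byte): a cheap "does this banner contain non-ASCII or
 * control bytes" check that is safe on any input. */
size_t count_nonprintable_bytes(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        if (!safe_isprint(*s))
            n++;
    return n;
}

int main(void)
{
    char buf[32];
    /* constructed sample: "  café \t" with é as UTF-8 bytes 0xC3 0xA9 */
    const char *sample = "  caf\xC3\xA9 \t";
    trim_copy(sample, buf, sizeof buf);
    printf("trimmed to %zu bytes, %zu non-printable\n",
           strlen(buf), count_nonprintable_bytes(buf));
    return 0;
}
```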
 7929 o Ncat now supports wildcard SSL certificates.  The wildcard character
 7930   (*) can be in the commonName field or in a DNS entry of the Subject
 7931   Alternative Name (SAN) extension of the SSL certificate. Matching rules:
 7932   - '*' may appear only in the leftmost component of the FQDN
 7933     (*.example.com but not www.*.com or www.example*.com).
 7934   - The leftmost component must consist of '*' alone, followed by '.'
 7935     (*.example.com but not *w.example.com or w*.example.com).
 7936   - The FQDN must have at least three components (*.example.com but
 7937     not *.com or *.com.). [venkat]
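The three matching rules above, as an added example (not Ncat's own code): a validator for a wildcard name and a matcher that compares a server host name against a certificate name. One choice the entry does not spell out is made explicit here as an assumption: the '*' matches exactly one leftmost label, so "*.example.com" covers www.example.com but not a.b.example.com. The function names and the sample names are constructed.

```c
/* Added example, not Ncat's own code: host name matching against a
 * wildcard certificate name under the three rules in the entry above. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Number of dot-separated components in a name such as "www.example.com". */
static int count_components(const char *name)
{
    int n = 1;
    for (; *name; name++)
        if (*name == '.')
            n++;
    return n;
}

/* DNS names are case-insensitive. */
static int name_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Return 1 if pattern is a wildcard name that satisfies all three rules. */
int wildcard_pattern_is_valid(const char *pattern)
{
    const char *star = strchr(pattern, '*');
    if (star == NULL)
        return 0;                          /* not a wildcard at all */
    if (star != pattern)
        return 0;                          /* rule 1/2: '*' must come first */
    if (pattern[1] != '.')
        return 0;                          /* rule 2: leftmost component is exactly "*" */
    if (strchr(pattern + 1, '*') != NULL)
        return 0;                          /* rule 1: no second '*' further right */
    if (count_components(pattern) < 3)
        return 0;                          /* rule 3: "*.com" would match far too much */
    if (pattern[strlen(pattern) - 1] == '.')
        return 0;                          /* rule 3: "*.com." must not count as three */
    return 1;
}

/* Match host against a certificate name. A valid wildcard matches exactly
 * one leftmost label of host (assumption; "*.example.com" does not cover
 * "a.b.example.com"); a non-wildcard name must match in full. */
int cert_name_matches(const char *cert_name, const char *host)
{
    const char *host_rest;
    if (strchr(cert_name, '*') == NULL)
        return name_equal(cert_name, host);
    if (!wildcard_pattern_is_valid(cert_name))
        return 0;                          /* malformed wildcard never matches */
    host_rest = strchr(host, '.');
    if (host_rest == NULL || host_rest == host)
        return 0;                          /* host has no label for '*' to match */
    /* compare ".example.com" of the host with ".example.com" of the pattern */
    return name_equal(host_rest, cert_name + 1);
}

int main(void)
{
    printf("*.example.com vs www.example.com: %d\n",
           cert_name_matches("*.example.com", "www.example.com"));
    printf("*.example.com vs a.b.example.com: %d\n",
           cert_name_matches("*.example.com", "a.b.example.com"));
    printf("*.com is a valid pattern: %d\n", wildcard_pattern_is_valid("*.com"));
    return 0;
}
```

A malformed wildcard is rejected outright rather than treated as a literal name, so a certificate with a name like "w*.example.com" cannot match anything.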
 7940 o Nmap now handles the case when a primary network interface (venet0)
 7941   does not have an address assigned but its aliases do (venet0:1
 7942   etc.). This could result in the error messages
 7943     Failed to find device venet0 which was referenced in /proc/net/route
 7944     Failed to lookup subnet/netmask for device (venet0): venet0: no IPv4 address assigned
 7945   This was observed under OpenVZ. [Dmitry Levin]
 7947 o [Ncat] The --ssl-cert, --ssl-key, and --ssl-trustfile options now
 7948   automatically turn on SSL mode. Previously they were ignored if
 7949   --ssl was not also used. [David]
 7951 o [Nsock] Now Nsock supports pure TLSv1 and SSLv3 servers in addition
 7952   to the (already supported and far more common) SSLv2 and SSLv23
 7953   servers.  Ncat currently never uses SSLv2 for security reasons, so
 7954   it is unaffected by this change.
 7956 o [Ncat] Implemented basic SCTP client functionality (server already
 7957   exists).  Only the default SCTP stream is used.  This is also called
 7958   TCP-compatible mode.  While it allows Ncat to be used for manually
 7959   probing open SCTP ports, more complicated services making use of
 7960   multiple streams or depending on specific message boundaries cannot
 7961   be talked to successfully.  [Daniel Roethlisberger]
 7963 o [Ncat] Implemented SSL over SCTP in both client (connect) and server
 7964   (listen) modes. [Daniel Roethlisberger]
 7966 o Nmap now filters received ARP packets based on their target address
 7967   field, not the destination address in the enclosing ethernet
 7968   frame. Some operating systems, including Windows 7 and Solaris 10,
 7969   are known to at least sometimes send their ARP replies to the
 7970   broadcast address and Nmap wouldn't notice them. The symptom of this
 7971   was that root scans wouldn't work ("Host seems down") but non-root
 7972   scans would work. Thanks to Mike Calmus and Vijay Sankar for
 7973   reporting the problem, and Marcus Haebler for suggesting the
 7974   fix. [David]
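The filtering change above, as an added example (not Nmap's own code): a bounds-checked parser that accepts an ARP reply when the target protocol address inside the ARP payload is ours, regardless of the Ethernet destination, beside the old-style check on the frame's destination MAC. The frame bytes are a constructed sample of the case the entry describes: a reply for 192.168.1.10 that the responder sent to ff:ff:ff:ff:ff:ff. All names and addresses are assumptions.

```c
/* Added example, not Nmap's code: accept an ARP reply by its ARP target
 * protocol address (TPA), not by the Ethernet destination address. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN    14
#define ARP_IPV4_LEN   28
#define ETHERTYPE_ARP  0x0806
#define ARP_OP_REPLY   2

/* Ethernet: dst(6) src(6) type(2). ARP: htype(2) ptype(2) hlen(1) plen(1)
 * oper(2) sha(6) spa(4) tha(6) tpa(4). Constructed sample frame. */
const uint8_t sample_broadcast_reply[ETH_HDR_LEN + ARP_IPV4_LEN] = {
    0xff,0xff,0xff,0xff,0xff,0xff,        /* Ethernet dst: broadcast */
    0x00,0x11,0x22,0x33,0x44,0x55,        /* Ethernet src */
    0x08,0x06,                            /* EtherType ARP */
    0x00,0x01, 0x08,0x00, 0x06, 0x04,     /* Ethernet/IPv4, hlen 6, plen 4 */
    0x00,0x02,                            /* opcode: reply */
    0x00,0x11,0x22,0x33,0x44,0x55,        /* sender MAC */
    0xc0,0xa8,0x01,0x14,                  /* sender IP 192.168.1.20 */
    0x00,0x00,0x00,0x00,0x00,0x00,        /* target MAC (left empty) */
    0xc0,0xa8,0x01,0x0a                   /* target IP 192.168.1.10 */
};
const uint8_t our_ip[4]   = {192, 168, 1, 10};   /* constructed */
const uint8_t other_ip[4] = {192, 168, 1, 11};   /* constructed */
const uint8_t our_mac[6]  = {0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee};

/* Old-style check: is the Ethernet destination exactly our MAC? A reply
 * sent to the broadcast address fails this even though it is for us. */
int eth_dst_is(const uint8_t *frame, size_t len, const uint8_t mac[6])
{
    if (len < ETH_HDR_LEN)
        return 0;
    return memcmp(frame, mac, 6) == 0;
}

/* Return 1 if frame is a well-formed Ethernet/IPv4 ARP reply whose target
 * protocol address is want_ip; copy the sender MAC to sender_mac_out when
 * it is non-NULL. Every field is bounds-checked before it is read. */
int arp_reply_is_for_us(const uint8_t *frame, size_t len,
                        const uint8_t want_ip[4], uint8_t sender_mac_out[6])
{
    const uint8_t *arp;
    if (len < ETH_HDR_LEN + ARP_IPV4_LEN)
        return 0;
    if (((frame[12] << 8) | frame[13]) != ETHERTYPE_ARP)
        return 0;
    arp = frame + ETH_HDR_LEN;
    if (arp[0] != 0x00 || arp[1] != 0x01)  return 0;   /* htype: Ethernet */
    if (arp[2] != 0x08 || arp[3] != 0x00)  return 0;   /* ptype: IPv4 */
    if (arp[4] != 6 || arp[5] != 4)        return 0;   /* hlen, plen */
    if (((arp[6] << 8) | arp[7]) != ARP_OP_REPLY) return 0;
    if (memcmp(arp + 24, want_ip, 4) != 0) return 0;   /* TPA must be ours */
    if (sender_mac_out != NULL)
        memcpy(sender_mac_out, arp + 8, 6);
    return 1;
}

int main(void)
{
    uint8_t mac[6];
    int ok = arp_reply_is_for_us(sample_broadcast_reply,
                                 sizeof sample_broadcast_reply, our_ip, mac);
    printf("by Ethernet dst: %d, by ARP target address: %d\n",
           eth_dst_is(sample_broadcast_reply, sizeof sample_broadcast_reply, our_mac), ok);
    if (ok)
        printf("sender %02x:%02x:%02x:%02x:%02x:%02x\n",
               mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
    return 0;
}
```

Checking the ARP target address is also the stricter test: a reply whose TPA is some other host is discarded even when it was unicast to us.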
 7976 o The -fno-strict-aliasing option is now used unconditionally when
 7977   using GCC. It was already this way, in effect, because a test
 7978   against the GCC version number was reversed: <= 4 rather than >= 4.
 7979   Solar Designer reported the problem.
 7981 o Nmap now prints a warning instead of a fatal error when the hardware
 7982   address of an interface can't be found. This is the case for
 7983   FireWire interfaces, which have a hardware address format not
 7984   supported by libdnet. Thanks to Julian Berdych for the bug report.
 7985   [David]
 7987 o Zenmap's UI performance has improved significantly thanks to
 7988   optimization of the update_ui() function. In particular, this speeds
 7989   up the new host filter system. [Josh]
 7991 o Add a service probe for DNS-based service discovery (DNS-SD). See
 7992   http://seclists.org/nmap-dev/2009/q3/0610.html . [David]
 7994 o Made RPC grinding work from service detection again by changing the
 7995   looked-for service name from "rpc" to "rpcbind", the name it has in
 7996   nmap-service-probes. Also removed some dead code. [David]
 7998 o Fixed a log_write call and a pfatal call to use a syntax which is
 7999   safer from format string bugs.  This allows Nmap to build with the
 8000   gcc -Wformat -Werror=format-security options. [Guillaume Rousse,
 8001   Dmitry Levin]
 8003 o A bug in Nsock was fixed: On systems where a non-blocking connect
 8004   could succeed immediately, connections that were requested to be
 8005   tunneled through SSL would actually be plain text. This could be
 8006   verified with an Ncat client and server running on localhost. This
 8007   was observed to happen with localhost connections on FreeBSD 7.2.
 8008   Non-localhost connections were likely not affected. The bug was
 8009   reported by Daniel Roethlisberger. [David]
 8011 o Ncat proxy now hides the proxy's response ("HTTP/1.0 200 OK" or
 8012   whatever it may be). Before, if you retrieved a file through a
 8013   proxy, it would have the "HTTP/1.0 200 OK" stuck to the top of
 8014   it. For this Ncat uses blocking sockets until the proxy negotiation
 8015   is done and once it is successful, Nsock takes over for rest of the
 8016   connection. [Venkat]
 8018 o [NSE] socket garbage collection was rewritten for better performance
 8019   and to ensure that socket slots are immediately available to others
 8020   after a socket is closed.  See
 8021   http://seclists.org/nmap-dev/2009/q2/0624.html . [Patrick]
 8023 o [NSE] Fixed a rare but possible segfault which could occur if the
 8024   nsock binding attempted to push values on the stack of a thread
 8025   which had already ended due to an error, and if that internal Lua
 8026   stack was already completely full. This bug is very hard to
 8027   reproduce with a SEGFAULT but is usually visible when Lua assertion
 8028   checks are turned on. The bug only occurs when a socket handler routine
 8029   is called AFTER a thread has ended in error. [Patrick]
 8031 o [Ncat] Fixed an error that would cause Ncat to use 100% CPU in
 8032   broker mode after a client disconnected or a read error happened.
 8033   [Kris, David]
 8035 o [NSE] --script-args may now have whitespace in unquoted strings (but
 8036   surrounding whitespace is ignored). For example,
 8037   --script-args 'greeting = This is a greeting' becomes:
 8038   { ["greeting"] = "This is a greeting" } [Patrick]
 8040 o [Ncat] Using --send-only in conjunction with the plain listen or
 8041   broker modes now behaves as it should: nothing will be read from the
 8042   network end.  Ncat previously read and discarded any data
 8043   received. [Kris]
 8045 o [Nsock] Added a socket_count abstraction that counts the number of
 8046   read or write events pending on a socket, for the purpose of
 8047   maintaining an fd_set. The bit is set in the fd_set whenever the
 8048   count is positive, and cleared when it is zero. The reason for doing
 8049   this was that write bits were not being properly cleared when using
 8050   Ncat with SSL in connect mode, such that a client send would cause
 8051   Ncat to use 100% CPU until it received something from the
 8052   server. See the thread at
 8053   http://seclists.org/nmap-dev/2009/q2/0413.html . This change will
 8054   also make it easier to use a different back end than select in the
 8055   future. [David]
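Two of the Nsock entries above, the fatal FD_SETSIZE check (the "Attempt to FD_SET fd 1024" message) and the socket_count abstraction, as one added example (not Nsock's own code): a checked FD_SET wrapper that refuses an out-of-range descriptor instead of writing past the end of the fd_set bitmap, and a per-socket pending-event counter from which the fd_set bit is derived, so a completed write can never leave a stale write bit behind. The struct, function names and the descriptor number 5 are constructed for this example.

```c
/* Added example, not Nsock's own code: checked FD_SET plus a pending-event
 * counter that keeps an fd_set bit set exactly while the count is positive. */
#include <stdio.h>
#include <string.h>
#include <sys/select.h>

/* On non-Windows platforms fd_set is a fixed bitmap of FD_SETSIZE bits, so
 * FD_SET(fd, set) with fd >= FD_SETSIZE writes outside the bitmap (silent
 * memory corruption). Refuse instead. Returns 0 on success, -1 on error. */
int checked_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        fprintf(stderr, "Attempt to FD_SET fd %d, which is not less than "
                        "FD_SETSIZE (%d). Try using a lower parallelism.\n",
                fd, FD_SETSIZE);
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Apply checked_fd_set to a fresh set and report its result. */
int checked_fd_set_result(int fd)
{
    fd_set set;
    FD_ZERO(&set);
    return checked_fd_set(fd, &set);
}

/* Pending events on one socket, per direction. The fd_set bit is a
 * function of the count: set when it is positive, clear when it is zero.
 * A stale write bit is what made select() return immediately and burn
 * 100% CPU in the case the entry describes. */
struct socket_count {
    int fd;
    int readers;
    int writers;
};

static int count_add(int *counter, int fd, fd_set *set)
{
    if (*counter == 0 && checked_fd_set(fd, set) < 0)
        return -1;
    (*counter)++;
    return 0;
}

static void count_remove(int *counter, int fd, fd_set *set)
{
    if (*counter > 0 && --(*counter) == 0)
        FD_CLR(fd, set);
}

int socket_count_add_read(struct socket_count *sc, fd_set *rset)
{ return count_add(&sc->readers, sc->fd, rset); }
void socket_count_remove_read(struct socket_count *sc, fd_set *rset)
{ count_remove(&sc->readers, sc->fd, rset); }
int socket_count_add_write(struct socket_count *sc, fd_set *wset)
{ return count_add(&sc->writers, sc->fd, wset); }
void socket_count_remove_write(struct socket_count *sc, fd_set *wset)
{ count_remove(&sc->writers, sc->fd, wset); }

/* Two overlapping write events on one socket; return 1 if the write bit
 * tracked the count at every step. */
int demo_write_bit_lifecycle(void)
{
    fd_set wset;
    struct socket_count sc = { 5, 0, 0 };    /* constructed descriptor number */
    FD_ZERO(&wset);
    if (FD_ISSET(sc.fd, &wset)) return 0;
    if (socket_count_add_write(&sc, &wset) < 0 || !FD_ISSET(sc.fd, &wset)) return 0;
    if (socket_count_add_write(&sc, &wset) < 0 || !FD_ISSET(sc.fd, &wset)) return 0;
    socket_count_remove_write(&sc, &wset);   /* one write still pending */
    if (!FD_ISSET(sc.fd, &wset)) return 0;
    socket_count_remove_write(&sc, &wset);   /* none pending: bit must clear */
    if (FD_ISSET(sc.fd, &wset)) return 0;
    socket_count_remove_write(&sc, &wset);   /* an extra remove is harmless */
    return sc.writers == 0 && !FD_ISSET(sc.fd, &wset);
}

int main(void)
{
    printf("fd 0 -> %d, fd FD_SETSIZE -> %d, lifecycle ok=%d\n",
           checked_fd_set_result(0), checked_fd_set_result(FD_SETSIZE),
           demo_write_bit_lifecycle());
    return 0;
}
```

Deriving the bit from a count rather than toggling it directly is what makes a later switch from select to another back end straightforward: only count_add and count_remove know about the fd_set.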
 8057 o [Nsock] Added compilation dependency generation (makefile.dep)
 8058   [David]
 8060 o [Ncat] The --broker option now automatically implies --listen. [David]
 8062 o Fixed a logic error in getinterfaces_siocgifconf. The check for
 8063   increasing the capacity of the list of interfaces was off by
 8064   one. This caused a crash on initialization for systems with more
 8065   than 16 network interfaces. [David]
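The capacity check from the entry above, as an added example (not Nmap's getinterfaces_siocgifconf): needs_grow_buggy is the off-by-one shape, which only grows once the count exceeds the capacity and therefore lets the element at index == capacity be written into a full buffer, while needs_grow_fixed grows before that write. The list type, the 16-slot start and the synthetic interface names are constructed for this example.

```c
/* Added example, not Nmap's code: growing an array of interface records
 * with the capacity check done before, not after, the overflowing write. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IFNAME_MAX        16
#define INITIAL_CAPACITY  16

struct iface { char name[IFNAME_MAX]; };

struct iface_list {
    struct iface *items;
    int count;
    int capacity;
};

/* With count == capacity every slot is in use, yet this says "no need to
 * grow", so the next store goes to items[capacity]: one past the end. */
int needs_grow_buggy(int count, int capacity) { return count > capacity; }

/* Correct: the next write goes to items[count], which must be < capacity. */
int needs_grow_fixed(int count, int capacity) { return count >= capacity; }

int iface_list_init(struct iface_list *l)
{
    l->items = calloc(INITIAL_CAPACITY, sizeof *l->items);
    l->count = 0;
    l->capacity = l->items ? INITIAL_CAPACITY : 0;
    return l->items != NULL;
}

/* Append a record, doubling the buffer when it is full. Returns 0 on
 * allocation failure and leaves the list unchanged. */
int iface_list_add(struct iface_list *l, const char *name)
{
    if (needs_grow_fixed(l->count, l->capacity)) {
        int newcap = l->capacity ? l->capacity * 2 : INITIAL_CAPACITY;
        struct iface *p = realloc(l->items, (size_t)newcap * sizeof *p);
        if (p == NULL)
            return 0;
        l->items = p;
        l->capacity = newcap;
    }
    strncpy(l->items[l->count].name, name, IFNAME_MAX - 1);
    l->items[l->count].name[IFNAME_MAX - 1] = '\0';
    l->count++;
    return 1;
}

void iface_list_free(struct iface_list *l)
{
    free(l->items);
    l->items = NULL;
    l->count = l->capacity = 0;
}

/* Add n synthetic interfaces (eth0, eth1, ...) and return the final
 * capacity, or -1 on failure. n = 17 is exactly the case that crashed. */
int simulate_interfaces(int n)
{
    struct iface_list l;
    int i, cap;
    char name[IFNAME_MAX];
    if (!iface_list_init(&l))
        return -1;
    for (i = 0; i < n; i++) {
        snprintf(name, sizeof name, "eth%d", i);
        if (!iface_list_add(&l, name)) {
            iface_list_free(&l);
            return -1;
        }
    }
    cap = (l.count == n) ? l.capacity : -1;
    iface_list_free(&l);
    return cap;
}

int main(void)
{
    printf("17 interfaces -> capacity %d (buggy check at 16/16 says grow=%d)\n",
           simulate_interfaces(17), needs_grow_buggy(16, 16));
    return 0;
}
```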
 8067 o Added Apache JServe protocol version detection probe and signatures
 8068   and some other nmap-service-probes patches. [Tom Sellers]
 8070 o Fixed two memory leaks in ncat_posix.c and a bug where an open file was not
 8071   being closed in libdnet-stripped/src/intf.c [Josh Marlow]
 8073 o [Zenmap] Added profile editor support for the Nmap SCTP options:
 8074   -PY, -sY and -sZ. [Josh Marlow]
 8076 o Fixed a bug in --data-length parsing which in some cases could
 8077   result in useless buffer allocations and unpredictable payload
 8078   lengths. See http://seclists.org/nmap-dev/2009/q2/0763.html [Luis]
 8080 o The configure script now allows cross-compiling by assuming that
 8081   libpcap is recent enough to use rather than trying to compile and
 8082   run a test program. Libpcap will always be recent enough when Nmap's
 8083   included copy is used. [Mike Frysinger]
 8085 o Updated the IANA assignment IP list for random IP (-iR)
 8086   generation. The Mac OS prefix file was updated as
 8087   well. [Kris, Fyodor]
 8089 o [Zenmap] Fix a bug which could cause a crash in the (very rare) case
 8090   where Nmap would produce port tags in XML output without a state
 8091   attribute. [David]
 8093 o Added a convenience top-level BSDmakefile which automatically
 8094   redirects BSD make to GNU make on BSD systems. The Nmap Makefile
 8095   relies on numerous GNU Make extensions. [Daniel Roethlisberger]
 8097 Nmap 5.00 [2009-07-16]
 8099 o Bumped up version number to 5.00!
 8101 o [NSE] http-open-proxy script fixed to avoid false positives from bad
 8102   pattern matching and to properly declare some formerly-global
 8103   variables as local. [Joao]
 8105 Nmap 4.90RC1 [2009-06-25]
 8107 o [Zenmap] Fixed a display hanging problem on Mac OS X reported by
 8108   Christopher Caldwell at
 8109   http://seclists.org/nmap-dev/2009/q2/0721.html .  This was done by
 8110   adding gtk2 back to macports-1.8.0-universal.diff and removing the
 8111   dependency on shared-mime-info so it doesn't expect /usr/share/mime
 8112   files at runtime. Also included GDK pixbuf loaders statically rather
 8113   than as external loadable modules.  [David]
 8115 o Fixed a memory bug (access of freed memory) when loading exclude
 8116   targets with --exclude. This was reported to occasionally cause a
 8117   crash. Will Cladek reported the bug and contributed an initial
 8118   patch. [David]
 8120 o Zenmap application icons were regenerated using the newer SVG
 8121   representation of the Nmap eye. [David]
 8123 Nmap 4.85BETA10 [2009-06-12]
 8125 o The host discovery (ping probe) defaults have been enhanced to
 8126   include twice as many probes.  The default is now "-PE -PS443 -PA80
 8127   -PP". In exhaustive testing of 90 different probes, this emerged as
 8128   the best four-probe combination, finding 14% more Internet hosts
 8129   than the previous default, "-PE -PA80". The default for non-root
 8130   users is -PS80,443, replacing the previous default of -PS80. In
 8131   addition, ping probes are now sent in order of effectiveness (-PE
 8132   first) so that less effective probes may not have to be sent. ARP
 8133   ping is still the default on local ethernet networks. [David,
 8134   Fyodor]
 8136 o Added SCTP port scanning support to Nmap. SCTP is a layer 4 protocol
 8137   used mostly for telephony related applications.  This brings the
 8138   following new features:
 8139   - SCTP INIT chunk port scan (-sY): open ports return an INIT-ACK
 8140     chunk, closed ones an ABORT chunk.  This is the SCTP equivalent
 8141     of a TCP SYN stealth scan.
 8142   - SCTP COOKIE-ECHO chunk port scan (-sZ): open ports are silent,
 8143     closed ports return an ABORT chunk.
 8144   - SCTP INIT chunk ping probes (-PY): host discovery using SCTP
 8145     INIT chunk packets.
 8146   - SCTP-specific IP protocol scan (-sO -p sctp).
 8147   - SCTP-specific traceroute support (--traceroute).
 8148   - The ability to use the deprecated Adler32 algorithm as specified
 8149     in RFC 2960 instead of CRC32C from RFC 4960 (--adler32).
 8150   - 42 well-known SCTP ports were added to the nmap-services file.
 8151   - The server scanme.csnc.ch has been set up for your SCTP scan
 8152     testing pleasure. But note that SCTP doesn't pass through most
 8153     NAT devices. See http://seclists.org/nmap-dev/2009/q2/0669.html .
 8154   Part of the work on SCTP support was kindly sponsored by
 8155   Compass Security AG, Switzerland. [Daniel Roethlisberger]
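The two checksum algorithms that --adler32 chooses between, as an added example (not Nmap's own code): CRC32C as used by RFC 4960 and the older Adler-32 from RFC 2960, plus a helper that computes either one over an SCTP packet with the checksum field treated as zero. The packet below is a constructed sample (a common header followed by a minimal INIT chunk); the function names are assumptions, and the byte order in which the result is stored on the wire is outside this example.

```c
/* Added example, not Nmap's code: the SCTP checksum algorithms. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRC32C: reflected form of polynomial 0x1EDC6F41, one bit at a time
 * (a table-driven version is faster; this one is easier to check). */
uint32_t crc32c(const uint8_t *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    size_t i;
    int k;
    for (i = 0; i < len; i++) {
        crc ^= buf[i];
        for (k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0x82F63B78u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Adler-32: two running sums modulo 65521, low sum in the low half. */
uint32_t adler32(const uint8_t *buf, size_t len)
{
    uint32_t a = 1, b = 0;
    size_t i;
    for (i = 0; i < len; i++) {
        a = (a + buf[i]) % 65521u;
        b = (b + a) % 65521u;
    }
    return (b << 16) | a;
}

/* Constructed: src port 36000, dst port 80, verification tag 0 (required
 * for INIT), placeholder checksum bytes, then a 20-byte INIT chunk. */
const uint8_t sample_init_packet[32] = {
    0x8c,0xa0, 0x00,0x50,          /* source and destination ports */
    0x00,0x00,0x00,0x00,           /* verification tag */
    0xde,0xad,0xbe,0xef,           /* checksum field (placeholder) */
    0x01, 0x00, 0x00,0x14,         /* INIT chunk: type 1, flags 0, length 20 */
    0x12,0x34,0x56,0x78,           /* initiate tag */
    0x00,0x01,0x00,0x00,           /* a_rwnd 65536 */
    0x00,0x01, 0x00,0x01,          /* outbound / inbound streams */
    0x00,0x00,0x00,0x01            /* initial TSN */
};

#define SCTP_MAX_SAMPLE 64

/* Checksum of an SCTP packet: bytes 8..11 of the common header are the
 * checksum field and are computed as zero, as both RFCs specify. Returns 0
 * for packets shorter than the 12-byte header or larger than the buffer. */
uint32_t sctp_checksum_value(const uint8_t *pkt, size_t len, int use_adler32)
{
    uint8_t copy[SCTP_MAX_SAMPLE];
    if (len < 12 || len > sizeof copy)
        return 0;
    memcpy(copy, pkt, len);
    memset(copy + 8, 0, 4);
    return use_adler32 ? adler32(copy, len) : crc32c(copy, len);
}

/* The stored checksum bytes must not influence the computed value. */
int checksum_ignores_stored_field(void)
{
    uint8_t altered[sizeof sample_init_packet];
    memcpy(altered, sample_init_packet, sizeof altered);
    memset(altered + 8, 0x00, 4);
    return sctp_checksum_value(altered, sizeof altered, 0)
        == sctp_checksum_value(sample_init_packet, sizeof sample_init_packet, 0);
}

int main(void)
{
    printf("CRC32C:   0x%08" PRIx32 "\n",
           sctp_checksum_value(sample_init_packet, sizeof sample_init_packet, 0));
    printf("Adler-32: 0x%08" PRIx32 "\n",
           sctp_checksum_value(sample_init_packet, sizeof sample_init_packet, 1));
    return 0;
}
```

A receiver that implements only one of the two will discard packets carrying the other, which is why a scan against an RFC 2960-era stack needs --adler32 and a modern stack needs the CRC32C default.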
 8157 o [NSE] Added http-iis-webdav-vuln.nse, which detects the recently
 8158   discovered WebDAV unicode bug in MS IIS 5.1/6.0 web server which can
 8159   allow arbitrary users to access password protected folders without
 8160   authentication. See
 8161   https://nmap.org/svn/scripts/http-iis-webdav-vuln.nse. [Ron]
 8163 o The Nmap Reference Guide has been translated to German by Open
 8164   Source Press and Indonesian by Tedi Heriyanto. You can now read it
 8165   in 16 languages at https://nmap.org/docs.html . We're always looking
 8166   for more translations of Nmap and its documentation--if you'd like
 8167   to help, see http://seclists.org/nmap-dev/2009/q2/0667.html .
 8169 o Open Source Press completed and released the German translation of
 8170   the official Nmap book (Nmap Network Scanning). Learn more at
 8171   https://nmap.org/book/#translations.
 8173 o [NSE] Added socks-open-proxy.nse for scanning networks for open
 8174   SOCKS proxy servers. See
 8175   https://nmap.org/nsedoc/scripts/socks-open-proxy.html . [Joao Correa]
 8177 o [NSE] http-open-proxy.nse has been updated to attempt HEAD and
 8178   CONNECT methods as well as previously supported GET method.  It
 8179   still tries to reach http://www.google.com through the proxy by
 8180   default, but now also offers an argument for specifying a different
 8181   URL. [Joao Correa]
 8183 o [Ncat] There is a backwards-incompatible change in the way that
 8184   listen mode works. The new default behavior is to accept only one
 8185   connection, and quit when the connection ends. This was necessary to
 8186   prevent data loss in some situations; some programs require Ncat to
 8187   send an EOF before they flush their internal buffers and finish
 8188   processing the last bit of data. See
 8189   http://seclists.org/nmap-dev/2009/q2/0528.html for more information.
 8190   Use the new -k or --keep-open option to get the old behavior, in
 8191   which Ncat will accept multiple simultaneous connections, combine all
 8192   their input, and accept more connections after a disconnection.
 8193   [Daniel Roethlisberger, David]
 8195 o Ncat handling of newlines on Windows has been improved. CRLF is
 8196   automatically converted to a bare LF when input is from the console,
 8197   but left untouched when it is from a pipe or a file. No newline
 8198   translation is done on output (where it was being done before). This
 8199   makes it possible to transfer binary files with Ncat on Windows
 8200   without any corruption, while still being able to interactively ncat
 8201   into UNIX shells and other processes which require bare
 8202   newlines. Ncat clients now work the same way on UNIX and Windows in
 8203   that respect.  For cases where you do want \r\n line endings (such
 8204   as connections to web and email servers or Windows cmd.exe shells),
 8205   specify -C whether your client is running on UNIX or
 8206   Windows. [David]
 8208 o Nmap RPM packages (x86 and x86-64) are now built with OpenSSL
 8209   support (statically linked in to avoid dependencies).  They are also
 8210   now built on CentOS 5.3 for compatibility with RHEL, Fedora, and
 8211   other distributions. Please let us know if you discover any
 8212   compatibility problems (or other issues) with the new RPMs. [Fyodor]
 8214 o [Zenmap] The Topology tab now has a "Save Graphic" button that
 8215   allows saving the current topology display as a PNG, postscript,
 8216   PDF, and SVG image.  [Joao Medeiros, David]
 8218 o Changed the default UDP ping (-PU) port from 31338 to 40125.  This
 8219   appears to be a better port based on David's empirical testing.
 8221 o [NSE] Added the imap-capabilities script, which uses the CAPABILITY
 8222   command to determine the capabilities of a target IMAP mail server.
 8223   A simple supporting IMAP library was added as well. See
 8224   https://nmap.org/nsedoc/scripts/imap-capabilities.html . [Brandon]
 8226 o [NSE] Brandon Enright from UCSD reports that, thanks to all the NSE
 8227   fixes in this release, he no longer sees any Nmap crashes in his
 8228   large scale scans. See
 8229   http://seclists.org/nmap-dev/2009/q2/0639.html .
 8231 o Zenmap now works on RHEL/CentOS since it no longer requires the
 8232   hashlib library (which was introduced in Python 2.5, but RHEL 5
 8233   still uses 2.4) and removing the pysqlite2 requirement (RHEL does
 8234   not offer that module).  It is still desirable to have pysqlite2
 8235   when available, since it enables Zenmap searching and database
 8236   saving features. [David]
 8238 o Ncat can now send SSL certificates in connect mode for client
 8239   authentication by using the --ssl-cert and --ssl-key options.  The
 8240   specified certificates are only sent when requested by the
 8241   server. [Venkat]
 8243 o Nmap can now handle -PS and -PA at the same time when running nmap
 8244   as non-root or using IPv6.  It now combines the two port lists. [Josh
 8245   Marlow]
 8247 o [Ncat] SSL in listen mode now works on systems like BSD in which a
 8248   socket inherits its blocking or non-blocking status from the
 8249   listening socket. [David, Daniel Roethlisberger]
 8251 o The --packet-trace/--version-trace options now show the names of
 8252   version detection probes as they are sent, making the version
 8253   detection process easier to understand and debug. [Tom Sellers]
 8255 o The GPG detached signatures for Nmap releases now use the more
 8256   standard .asc extension rather than .gpg.txt.  They can still be
 8257   found at https://nmap.org/dist/sigs/ and the .gpg.txt versions for
 8258   previous releases are still available for compatibility reasons. For
 8259   instructions on verifying Nmap package integrity, see
 8260   https://nmap.org/book/install.html#inst-integrity. [Fyodor]
 8262 o [Zenmap] Fixed two bugs: 1) When two scans are performed in Zenmap
 8263   and aggregated, the first one was being modified in the process,
 8264   preventing you from doing diffs in the "compare scans" dialogue or
 8265   properly saving the first scan individually. 2) If you start two
 8266   scans, then the faster one finishes and you cancel and remove the
 8267   slower one while still in progress, much of the results from both
 8268   scans are lost. [Josh Marlow]
 8270 o [Ncat] When connecting to an SSL service in verbose mode, Ncat now
 8271   prints confirmation of the SSL connection, some certificate
 8272   information, and a cert fingerprint. For example:
 8273   SSL connection to Electronic Frontier Foundation
 8274   SHA-1 fingerprint: 28BE B476 2E49 7ED5 3A9B 4D79 AD1E 69A9 82DB C75A
 8276 o [NSE] Clean up output (generally reducing default verbosity) for the
 8277   p2p-conficker, smb-check-vulns, and http-iis-webdav-vuln scripts. In
 8278   general, we don't ask scripts to report that a host is clean unless
 8279   Nmap's verbosity level (-v) is at least one or two. [Ron, Fyodor]
 8281 o [Zenmap] Added the -PS22,25,80 option found in the Quick Traceroute
 8282   profile to some of the Intense scan profiles for improved host
 8283   discovery. [Josh Marlow]
 8285 o Fixed a bug with the --defeat-rst-ratelimit option which prevented
 8286   it from working properly.  See this thread:
 8287   http://seclists.org/nmap-dev/2009/q2/0476.html . [Josh]
 8289 o [Ndiff] Avoid printing a "Not shown:" line if there weren't any
 8290   ports in the non-shown (extraports) list. [David]
 8292 o [Ncat] Fixed Ncat compilation with versions of OpenSSL before 0.9.7.
 8293   Previously it would fail in ncat_openssl.c with the message
 8294   "structure has no member named `it'". The problem was reported by
 8295   Jaroslav Fojtik. [David]
 8297 o [NSE] Removed the packet.hextobin(str) and packet.bintohex(str)
 8298   functions. They are redundant since you get the same functionality
 8299   by calling bin.pack("H", str) and bin.unpack("H", str),
 8300   respectively. [Patrick]
 8302 o [NSE] Fixed the parsing of --script-args, which was only accepting
 8303   alphanumeric characters and underscores in values. Now a key, value,
 8304   or array value may be a sequence of any characters except '{', '}',
 8305   ',', '=', and all space characters. You may overcome this
 8306   restriction by using quotes (single or double) to allow all
 8307   characters within the quotation marks. You may also use the quote
 8308   delimiter inside the sequence so long as it is escaped by a
 8309   backslash. See
 8310   http://seclists.org/nmap-dev/2009/q2/0211.html . [Patrick]
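The grammar in the entry above (unquoted tokens excluding '{', '}', ',', '=' and whitespace; single or double quotes lifting that restriction; a backslash escaping the quote delimiter) is small enough to parse in a few dozen lines. The following is an added example written for this page, not Nmap's own --script-args code: it accepts key=value pairs, nested {...} arrays and bare positional elements, and stores positional elements under integer keys 1, 2, ... the way a Lua table would.

```python
"""Parser for Nmap-style --script-args strings (added example, not Nmap code)."""

SPECIAL = set("{}=,")


class ScriptArgsError(ValueError):
    """Raised when the --script-args text does not follow the grammar."""


class _Parser:
    def __init__(self, text):
        self.s = text
        self.i = 0

    def peek(self):
        return self.s[self.i] if self.i < len(self.s) else ""

    def skip_ws(self):
        while self.peek().isspace():
            self.i += 1

    def parse_items(self, closing):
        """Parse comma-separated items until `closing`: '}' or '' (end of input)."""
        table, nextpos = {}, 1
        while True:
            self.skip_ws()
            if self.peek() == closing:
                return table
            first = self.parse_value()
            self.skip_ws()
            if self.peek() == "=":
                if not isinstance(first, str):
                    raise ScriptArgsError("an array cannot be used as a key")
                self.i += 1
                self.skip_ws()
                table[first] = self.parse_value()
            else:
                table[nextpos] = first      # bare element: positional, like Lua {a,b}
                nextpos += 1
            self.skip_ws()
            if self.peek() == ",":
                self.i += 1
            elif self.peek() != closing:
                raise ScriptArgsError(f"unexpected {self.peek()!r} at offset {self.i}")

    def parse_value(self):
        c = self.peek()
        if c == "":
            raise ScriptArgsError("unexpected end of input")
        if c == "{":                        # array / table value
            self.i += 1
            table = self.parse_items(closing="}")
            self.i += 1                     # consume the closing brace
            return table
        if c in ("'", '"'):                 # quoted: any character allowed inside
            return self.parse_quoted(c)
        if c in SPECIAL or c.isspace():
            raise ScriptArgsError(f"unexpected {c!r} at offset {self.i}")
        start = self.i
        while self.peek() and self.peek() not in SPECIAL and not self.peek().isspace():
            self.i += 1
        return self.s[start:self.i]

    def parse_quoted(self, quote):
        self.i += 1                         # opening quote
        out = []
        while True:
            c = self.peek()
            if c == "":
                raise ScriptArgsError("unterminated quoted string")
            if c == "\\" and self.s[self.i + 1:self.i + 2] == quote:
                out.append(quote)           # backslash-escaped delimiter
                self.i += 2
            elif c == quote:
                self.i += 1
                return "".join(out)
            else:
                out.append(c)               # any other backslash is literal
                self.i += 1


def parse_script_args(text):
    """Parse a full --script-args string into a dict (nested dicts for arrays)."""
    return _Parser(text).parse_items(closing="")


def is_valid(text):
    """True if `text` parses under the grammar, False otherwise."""
    try:
        parse_script_args(text)
        return True
    except ScriptArgsError:
        return False


if __name__ == "__main__":
    # Constructed input; the script names and keys are illustrative only.
    print(parse_script_args('smbuser=xxx,smbpass="p,w=d",whois={whodb=nofollow+ripe}'))
```

A value such as `"a,b=c"` survives intact only because of the quotes; the same text unquoted is rejected at the space or split at the comma, which is exactly the behaviour the entry describes.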
 8312 o [NSE] When a script ends for any reason, all of its mutexes are now
 8313   unlocked.  This prevents a permanent (and painful to debug) deadlock
 8314   when a script crashes without unlocking a mutex. See
 8315   http://seclists.org/nmap-dev/2009/q2/0533.html . [Patrick]
 8317 o Fixed a bug wherein nmap would not display the post-scan count of
 8318   raw packets sent during a SYN ping scan (-sP -PS). [Josh Marlow]
 8320 o Changed the ICMP ping probes to use a random non-zero ICMP id.
 8321   David's empirical testing found that some hosts drop probes when the
 8322   ICMP id is 0 [Josh Marlow]
 8324 o [NSE] Fixed a --script argument processing bug in which Nmap would
 8325   abort when an expression matches a set of scripts which were loaded
 8326   by other expressions first (a simple example is "--script
 8327   default,DEFAULT"). [Patrick]
 8329 o [Zenmap] Operating system icons are now always loaded as PNGs, even on
 8330   platforms which support SVG images. That is much faster, and Zenmap
 8331   currently never scales the images anyway. [Josh]
 8333 o [Ncat] The Nmap Windows uninstaller now removes the Ncat CA list
 8334   (ca-bundle.crt) which has been installed since 4.85BETA9. [Jah]
 8336 o Optimized some Nmap version detection match lines for slightly
 8337   better performance. See
 8338   http://seclists.org/nmap-dev/2009/q2/0328.html . [Brandon]
 8340 o [NSE] Upon connection failure, a socket now immediately unlocks its
 8341   "socket lock" to allow other pending socket connections to succeed
 8342   sooner. This slightly improves scan speeds by eliminating the wait
 8343   for garbage collection to free the resource. [Patrick]
 8345 o [NSE] Corrected a bug in nse_nsock.cc that could result in a crash
 8346   from the use of an invalid Lua state if a thread is collected due to
 8347   timeout or other rare reasons. Essentially, the callbacks from the
 8348   nsock library were returning to an already-collected Lua state. We
 8349   now maintain a reference to the Lua State Thread in the nsock
 8350   userdata environment table to prevent early collection.  This is a
 8351   temporary patch for the stable release pending a more detailed
 8352   review of the NSE nsock library binding. [Patrick]
 8354 o [NSE] When an NSE script in the database (script.db) is requested
 8355   but not found on the filesystem, Nmap now prints a warning rather
 8356   than aborting. We accidentally shipped with such a phantom script
 8357   (smb-check-vulns-2.nse) in 4.85BETA8. [Patrick]
 8359 o Fixed a bug where an ICMP echo, timestamp, or address mask reply
 8360   could be matched up with the wrong ICMP probe if more than one ICMP
 8361   probe type was being sent (as with the new default ping). This led
 8362   to timing calculation problems. [David]
 8364 o Improved the host expression parser to better handle a few cases
 8365   where invalid target specifiers would cause Nmap to scan unintended
 8366   hosts. See http://seclists.org/nmap-dev/2009/q2/0319.html . [Jah]
 8368 o [Zenmap] Fixed a crash, introduced in 4.85BETA4, that happened when
 8369   searching scan results by date. [David]
 8370   The error message was: File "zenmapGUI\SearchGUI.pyo", line 816, in
 8371   set_date TypeError: argument must be sequence of length 9, not 3
 8373 o Patched configure.ac to detect Lua include and library files in
 8374   "lua5.1" subdirectories of /usr/include and the like. Debian
 8375   apparently puts them there. We still check the likes of
 8376   /usr/include/lua.h and /usr/include/lua/lua.h as well. [Jan
 8377   Christoph Nordholz]
 8379 o Improved nsock's fselect() to be a more complete replacement for
 8380   select() on the Windows platform. In particular, any or all of the
 8381   FD sets can be null or empty descriptor sets. This fixes an error
 8382   ("nsock_loop error 10022") which would occur when you ran ncat
 8383   --send-only on Windows. [David]
 8385 o The --with-openssl= directive now works for specifying the SSL
 8386   location to the nsock library.  It was previously not passing the
 8387   proper include file path to the compiler. [Fyodor]
 8389 o The --traceroute feature is now properly disabled for IPv6 ping
 8390   scans (-6 -sP) since IPv6 traceroute is not currently
 8391   supported. [Jah]
 8393 o Fixed an assertion failure which could occur on at least SPARC Linux.
 8394   The error looked like "nsock_core.c:294: handle_connect_result:
 8395   Assertion `0' failed. Aborted". [David Fifield, Fabio Pedretti]
 8397 o Nmap's make install target now uses $(INSTALL) rather than cp to
 8398   copy NSE scripts and libraries to ensure that file permissions are
 8399   set properly. [Fyodor]
 8401 o Improved the Oracle DB version detection signatures. [Tom Sellers]
 8403 o [NSE] Remove the old nse_macros.h header file. This involved
 8404   removing the SCRIPT_ENGINE_* status defines, moving the likes of
 8405   SCRIPT_ENGINE_LUA_DIR to nse_main.h, removing the last remaining use
 8406   of SCRIPT_ENGINE_TRY, and moving the FILES and DIRS defines to
 8407   nse_fs.h. [Patrick]
 8409 o Cleaned up the libpcre build system a bit by removing Makefile.am
 8410   and modifying configure.ac to prevent unnecessary removal of
 8411   pcre_chartables.cc in some instances. [Fyodor]
 8413 o Fixed a bug which would cause Nmap to sometimes miscount the number
 8414   of hosts scanned and produce warnings such as "WARNING: No targets
 8415   were specified, so 0 hosts scanned" when --traceroute and -sP were
 8416   combined. [Jah]
 8418 o Changed Nmap and Ncat's configure.ac files to check in more
 8419   situations whether -ldl is required for compilation and add it where
 8420   necessary. [Fyodor]
 8422 o When building Nmap RPMs using the spec file, you can now pass in an
 8423   openssl argument, the contents of which are passed to ./configure's
 8424   --with-openssl option. So you can pass rpmbuild an option such as
 8425   --define "openssl /usr/local/ssl". [Fyodor]
 8427 o Fixed the make distclean target to avoid a failure which could occur
 8428   when you ran it right after a make clean (it might have failed in
 8429   other situations as well). [David]
 8431 o Updated nmap-mac-prefixes with the latest MAC address prefix data
 8432   from http://standards.ieee.org/regauth/oui/oui.txt as of
 8433   5/20/09. [Fyodor]
 8435 o Ncat now makes sockets blocking before handing them off to another
 8436   program with --exec or --sh-exec. This is to resolve a failure where
 8437   the command "ncat --exec /usr/bin/yes localhost" would stop sending
 8438   because yes would send data so quickly that kernel send buffers
 8439   could not keep up and socket writes would start generating EAGAIN
 8440   errors. [Venkat]
 8442 o Ncat now ignores SIGPIPE in listen mode.  This fixes the command
 8443   "yes | ncat -l --keep-open --send-only", which was failing after the
 8444   first client disconnected due to a broken pipe signal when Ncat
 8445   would try to write more data before realizing that the client had
 8446   closed the connection.
 8448 o Version detection can now detect Ncat's --chat mode. [David]
 8450 Nmap 4.85BETA9 [2009-05-12]
 8452 o Integrated all 1,156 of your OS detection submissions and
 8453   your 50 corrections since January 8.  Please keep them coming!  The
 8454   second generation OS detection DB has grown 14% to more than 2,000
 8455   fingerprints!  That is more than we ever had with the first system.
 8456   The 243 new fingerprints include Microsoft Windows 7 beta, Linux
 8457   2.6.28, and much more.  See
 8458   http://seclists.org/nmap-dev/2009/q2/0335.html . [David]
 8460 o [Ncat] A whole lot of work was done by David to improve SSL
 8461   security and functionality:
 8462   - Ncat now does certificate domain and trust validation against
 8463     trusted certificate lists if you specify --ssl-verify.
 8464   - [Ncat] To enable SSL certificate verification on systems whose
 8465     default trusted certificate stores aren't easily usable by
 8466     OpenSSL, we install a set of certificates extracted from Windows
 8467     in the file ca-bundle.crt. The trusted contents of this file are
 8468     added to whatever default trusted certificates the operating
 8469     system may provide. [David]
 8470   - Ncat now automatically generates a temporary keypair and
 8471     certificate in memory when you request it to act as an SSL server
 8472     but you don't specify your own key using --ssl-key and --ssl-cert
 8473     options. [David]
 8474   - [Ncat] In SSL mode, Ncat now always uses secure connections,
 8475     meaning that it uses only good ciphers and doesn't use
 8476     SSLv2. Certificates can optionally be verified with the
 8477     --ssl-verify and --ssl-trustfile options. Nsock provides the
 8478     option of making SSL connections that prioritize either speed or
 8479     security; Ncat uses security while version detection and NSE
 8480     continue to use speed. [David]
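The two Ncat SSL entries above (the verbose-mode fingerprint display and the --ssl-verify/--ssl-trustfile work) describe a client that verifies the chain and host name, refuses SSLv2, and shows the server's SHA-1 fingerprint. The following is an added example in Python's ssl module, not Ncat's or Nmap's code: `make_verifying_context()` is the "security" profile (optionally fed an extra PEM bundle in the role ca-bundle.crt plays), `make_unverified_context()` is the shape that accepts anything and is kept only for comparison, and `sha1_fingerprint()` renders DER bytes in the same grouped format as the sample output. The DER input in the usage section is constructed; a real certificate would come from `SSLSocket.getpeercert(binary_form=True)`.

```python
"""Client-side TLS hardening and fingerprint display (added example, not Ncat code)."""
import hashlib
import hmac
import re
import ssl


def make_verifying_context(trustfile=None):
    """Verify chain and host name; negotiate nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rules out SSLv2/SSLv3/TLS 1.0/1.1
    if trustfile:                                 # optional extra PEM bundle
        ctx.load_verify_locations(cafile=trustfile)
    return ctx


def make_unverified_context():
    """No peer verification: any certificate is accepted. For contrast only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx):
    """Checks a context has all three properties the entries above ask for."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3))


def sha1_fingerprint(der_cert):
    """'28BE B476 ...' style: upper-case SHA-1 hex in groups of four."""
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def fingerprint_matches(der_cert, expected):
    """Compare to a pinned fingerprint, tolerating spaces, colons and case."""
    def normalize(s):
        return re.sub(r"[^0-9A-F]", "", s.upper())
    return hmac.compare_digest(normalize(sha1_fingerprint(der_cert)), normalize(expected))


if __name__ == "__main__":
    # Constructed stand-in for DER bytes, not a real certificate.
    der = b"constructed certificate bytes"
    print("SHA-1 fingerprint:", sha1_fingerprint(der))
    print("verifying context hardened:", context_is_hardened(make_verifying_context()))
    print("unverified context hardened:", context_is_hardened(make_unverified_context()))
```

`fingerprint_matches()` uses a constant-time comparison so that a pinned fingerprint check does not leak how many leading bytes agreed; it is the check a client would run before trusting a self-signed service it has seen before.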
 8482 o [NSE] Added Boolean Operators for --script. You may now use "and",
 8483   "or", and "not" combined with categories, filenames, and wildcarded filenames
 8484   to match a set of files.  Parenthetical subexpressions are allowed for
 8485   precedence too.  For example, you can now run:
 8486     nmap --script "(default or safe or intrusive) and not http-*" scanme.nmap.org
 8487   For more details, see
 8488   https://nmap.org/book/nse-usage.html#nse-args. [Patrick]
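The expression language above (and/or/not, parentheses, categories, file names and wildcards) can be evaluated as a set expression over a script database. The following is an added example, not Nmap's nse_main.lua: the tiny script database is constructed and its category assignments are illustrative, not those of the real script.db. Categories are matched case-insensitively so that "default,DEFAULT" selects the same scripts once rather than aborting (the bug fixed in this release), a top-level comma is treated as a second spelling of "or", and "all" selects every script as --script=all does.

```python
"""Evaluator for --script boolean expressions (added example, not Nmap code)."""
import fnmatch
import re

# Constructed script database: name -> categories. Illustrative only.
SCRIPT_DB = {
    "banner": {"default", "safe"},
    "http-title": {"default", "safe", "discovery"},
    "http-enum": {"intrusive", "discovery"},
    "smb-check-vulns": {"intrusive", "vuln"},
    "p2p-conficker": {"default", "safe"},
}

KEYWORDS = {"and", "or", "not"}
TOKEN_RE = re.compile(r"\s*(\(|\)|,|[^\s(),]+)")


class ScriptSelectError(ValueError):
    """Raised for a malformed --script expression."""


def tokenize(expr):
    tokens, pos = [], 0
    while True:
        m = TOKEN_RE.match(expr, pos)
        if not m:
            return tokens                 # only trailing whitespace remains
        tokens.append(m.group(1))
        pos = m.end()


def match_term(term, scripts):
    """Scripts selected by one term: category, file name (with/without .nse) or glob."""
    if term.lower() == "all":
        return set(scripts)
    selected = set()
    for name, cats in scripts.items():
        if term.lower() in {c.lower() for c in cats}:
            selected.add(name)
        elif fnmatch.fnmatchcase(name, term) or fnmatch.fnmatchcase(name + ".nse", term):
            selected.add(name)
    return selected


class _ExprParser:
    """Recursive descent: or/, < and < not < atom, matching the usual precedence."""

    def __init__(self, tokens, scripts):
        self.t, self.i, self.scripts = tokens, 0, scripts

    def peek(self):
        return self.t[self.i] if self.i < len(self.t) else None

    def parse_or(self):
        result = self.parse_and()
        while self.peek() in ("or", ","):
            self.i += 1
            result = result | self.parse_and()
        return result

    def parse_and(self):
        result = self.parse_not()
        while self.peek() == "and":
            self.i += 1
            result = result & self.parse_not()
        return result

    def parse_not(self):
        if self.peek() == "not":
            self.i += 1
            return set(self.scripts) - self.parse_not()
        return self.parse_atom()

    def parse_atom(self):
        tok = self.peek()
        if tok is None or tok in KEYWORDS or tok in (")", ","):
            raise ScriptSelectError(f"expected a term, got {tok!r}")
        self.i += 1
        if tok == "(":
            inner = self.parse_or()
            if self.peek() != ")":
                raise ScriptSelectError("missing ')'")
            self.i += 1
            return inner
        return match_term(tok, self.scripts)


def select_scripts(expr, scripts=SCRIPT_DB):
    """Sorted list of script names selected by a --script expression."""
    parser = _ExprParser(tokenize(expr), scripts)
    result = parser.parse_or()
    if parser.peek() is not None:
        raise ScriptSelectError(f"unexpected {parser.peek()!r}")
    return sorted(result)


def is_valid_expression(expr, scripts=SCRIPT_DB):
    try:
        select_scripts(expr, scripts)
        return True
    except ScriptSelectError:
        return False


if __name__ == "__main__":
    print(select_scripts("(default or safe or intrusive) and not http-*"))
```

Because each term evaluates to a set and the operators are set union, intersection and complement, a script matched by several terms is selected once, which is what makes repeated expressions such as "default,DEFAULT" harmless.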
 8490 o [Ncat] The HTTP proxy server now works on Windows too. [David]
 8492 o [Zenmap] The command wizard has been removed. The profile editor has
 8493   the same capabilities with a better interface that doesn't require
 8494   clicking through many screens. The profile editor now has its own
 8495   "Scan" button that lets you run an edited command line immediately
 8496   without saving a new profile. The profile editor now comes up
 8497   showing the current command rather than being blank. [David]
 8499 o [Zenmap] Added a small animated throbber which indicates that a
 8500   scan is still running (similar in concept to the one on the
 8501   upper-right Firefox corner which animates while a page is
 8502   loading). [David]
 8504 o Regenerate script.db to remove references to non-existent
 8505   smb-check-vulns-2.nse. This caused the following error messages when
 8506   people used the --script=all option: "nse_main.lua:319:
 8507   smb-check-vulns-2.nse is not a file!"  The script.db entries are now
 8508   sorted again to make diffs easier to read. [David, Patrick]
 8510 o Fixed --script-updatedb on Windows--it was adding bogus backslashes
 8511   preceding file names in the generated script.db. Reported by
 8512   Michael Patrick at http://seclists.org/nmap-dev/2009/q2/0192.html,
 8513   and fixed by Jah.  The error message was also improved.
 8515 o The official Windows binaries are now compiled with MS Visual C++
 8516   2008 Express Edition SP1 rather than the RTM version. We also now
 8517   distribute the matching SP1 version of the MS runtime components
 8518   (vcredist_x86.exe). A number of compiler warnings were fixed
 8519   too. [Fyodor,David]
 8521 o Fixed a bug in the new NSE Lua core which caused it to round
 8522   fractional runlevel values to the next integer. This could cause
 8523   dependency problems for the smb-* scripts and others which rely on
 8524   floating point runlevel values (e.g. that smb-brute at runlevel 0.5
 8525   will run before smb-system-info at the default runlevel of 1).
 8527 o The SEQ.CI OS detection test introduced in 4.85BETA4 now has some
 8528   examples in nmap-os-db and has been assigned a MatchPoints value of
 8529   50. [David]
 8531 o [Ncat] When using --send-only, Ncat will now close the network
 8532   connection and terminate after receiving EOF on standard input.
 8533   This is useful for, say, piping a file to a remote ncat where you
 8534   don't care to wait for any response.  [Daniel Roethlisberger]
 8536 o [Ncat] Fix hostname resolution on BSD systems where a recently
 8537   fixed libc bug caused getaddrinfo(3) to fail unless a socket type
 8538   hint is provided. Patch originally provided by Hajimu Umemoto of
 8539   FreeBSD. [Daniel Roethlisberger]
 8541 o [NSE] Fixed bug in the DNS library which caused the error message
 8542   "nselib/dns.lua:54: 'for' limit must be a number". [Jah]
 8544 o Fixed Solaris 10 compilation by renaming a yield structure which
 8545   conflicted with a yield function declared in unistd.h on that
 8546   platform. [Pieter Bowman, Patrick]
 8548 o [Ncat] Minor code cleanup of Ncat memory allocation and string
 8549   duplication calls. [Ithilgore]
 8551 o Fixed a bug which could cause -iR to only scan the first host group
 8552   and then terminate prematurely.  The problem related to the way
 8553   hosts are counted by o.numhosts_scanned. [David]
 8555 o Fixed a bug in the su-to-zenmap.sh script so that, in the cases
 8556   where it calls su, it uses the proper -c option rather than
 8557   -C. [Michal Januszewski, Henry Gebhardt]
 8559 o Overhaul the NSE documentation "Usage and Examples" section and add
 8560   many more examples: https://nmap.org/book/nse-usage.html [David]
 8562 o [NSE] Made hexify in nse_nsock.cc take an unsigned char * to work
 8563   around an assertion in Visual C++ in Debug mode. The isprint,
 8564   isalpha, etc. functions from ctype.h have an assertion that the
 8565   value of the character passed in is <= 255. If you pass a character
 8566   whose value is >= 128, it is cast to an unsigned int, making it a
 8567   large positive number and failing the assertion. This is the same
 8568   thing that was reported in
 8569   http://seclists.org/nmap-dev/2007/q2/0257.html, in regard to
 8570   non-ASCII characters in nmap-mac-prefixes. [David]
 8572 o [NSE] Fixed a segmentation fault which could occur in scripts which
 8573   use the NSE pcap library. The problem was reported by Lionel Cons
 8574   and fixed by Patrick.
 8576 o [NSE] Port script start/finish debug messages now show the target
 8577   port number as well as the host/IP. [Jah]
 8579 o Updated IANA assignment IP list for random IP (-iR)
 8580   generation. [Kris]
 8582 o [NSE] Fixed http.table_argument so that user-supplied HTTP headers
 8583   are now properly sent in HTTP requests. [Jah]
 8585 Nmap 4.85BETA8 [2009-04-21]
 8587 o Ncat's HTTP proxy now supports the GET, HEAD, and POST methods in
 8588   addition to the CONNECT tunneling method, so it can be used as a
 8589   proxy with an ordinary web browser. [David]
 8591 o Ncat can now run as an authenticated proxy in HTTP proxy mode. Use
 8592   --proxy-auth to provide a username and password that will be required
 8593   of proxy users. Only the insecure (not encrypted) Basic authentication
 8594   method is supported. [David]
 8596 o Ndiff's text output has been redone to look more like Nmap output
 8597   and be easier to read. See the Ndiff README file for an example. The
 8598   XML output is now based on Nmap's XML output as well. Zenmap's diff
 8599   viewer now shows the new output with syntax highlighting. [David]
 8601 o The new versions of the Conficker Internet worm ban infected systems
 8602   from visiting Insecure.Org and Nmap.Org.  We take that as a
 8603   compliment to the effectiveness of our remote Conficker scanner.
 8604   They also ban DNS substrings "honey" (for the Honeynet Project),
 8605   "doxpara" (for Dan Kaminsky's site), "tenablese" for Tenable
 8606   Security, "coresecur" for Core Security Technologies, and
 8607   "iv.cs.uni" for those meddlesome (to the Conficker authors)
 8608   researchers at the University of Bonn.  For people who can't reach
 8609   nmap.org due to infection, I've mirrored this release at
 8610   http://sectools.org/nmap/. [Fyodor]
 8612 o New Conficker versions eliminate the loophole we were using to
 8613   detect them with smb-check-vulns.nse, so we've added new methods
 8614   which work with the newest variants. Here are the Conficker-related
 8615   improvements since BETA7:
 8616   - Added new p2p-conficker script which detects Conficker using its
 8617     P2P update ports rather than MSRPC.  This is based on some new
 8618     research by Symantec. See
 8619     https://nmap.org/nsedoc/scripts/p2p-conficker.html [Ron]
 8620   - Since new Conficker variants prevent detection by our previous
 8621     MSRPC check in smb-check-vulns, we've added a new check which still
 8622     works. It involves calling netpathcanonicalize on "\" rather than
 8623     "\..\" and checking for a different return value.  It was discovered
 8624     by Felix Leder and Tillmann Werner. [Ron]
 8625   - Improved smb-check-vulns Conficker error message text to be more
 8626     useful. [David]
 8627   - smb-check-vulns now defaults to using basic login rather than
 8628     extended logins as this seems to work better on some
 8629     machines. [Ron]
 8630   - Recommended command for a fast Conficker scan (combine into 1 line):
 8631     nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns
 8632     --script-args checkconficker=1,safe=1 -T4 [target networks]
 8633   - Recommended command for a more comprehensive (but slower) scan:
 8634     nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p-
 8635     --script-args checkall=1,safe=1 -T4 [target networks]
 8637 o [NSE] The Nmap Script Engine core (C++) was rewritten in Lua for
 8638   code simplicity and extensibility. See
 8639   http://seclists.org/nmap-dev/2009/q2/0090.html and
 8640   http://seclists.org/nmap-dev/2009/q1/0047.html . [Patrick]
 8642 o [Zenmap] The "Cancel" button has been restored to the main screen.
 8643   It will cancel the scan that is currently being displayed. [David]
 8645 o Fixed an SMB library bug which could cause a nil-pointer exception
 8646   when scanning broken SMB implementations. Reported by Steve
 8647   Horejsi. [Ron]
 8649 o [Ndiff] The setup.py installation script now suggests installing the
 8650   python-dev package in a certain error situation. Previously the
 8651   error message it printed was misleading:
 8652     error: invalid Python installation: unable to open
 8653     /usr/lib/python2.6/config/Makefile (No such file or directory)
 8654   The change was suggested by Aaron Leininger. [David]
 8656 o [Nbase] The checksum functions now have an nbase_ prefix.  This
 8657   should prevent name collisions with internal but exported functions
 8658   in shared libraries Nmap links against (e.g. adler32() in zlib).
 8659   Such collisions seem to confuse the runtime linker on some platforms.
 8660   [Daniel Roethlisberger]
 8662 o Fixed banner.nse to remove surrounding whitespace from banners. For
 8663   example, this avoids a superfluous carriage return and newline at the
 8664   end of SSH greetings. [Patrick]
 8666 o Expanded and tweaked the product/version/info of service scans in an
 8667   attempt to reduce the number of warnings like "Warning: Servicescan
 8668   failed to fill info_template...".  Parts of this change include:
 8669   - Improved the text of the warning to be less confusing
 8670   - Increased the internal version info buffer to 256 chars from 128
 8671   - Increased the final version string length to 160 from 128 chars
 8672   - Changed the behavior when constructing the final version string so
 8673     that if it runs out of space, rather than dropping the output of that
 8674     template it truncates the template with ...
 8675   - Fixed the printing of unneeded spaces between templates when one of the
 8676     templates isn't going to be printed at all.
 8677   [Brandon]
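The last three items describe how the final version string is assembled from its templates: a template that was not filled prints nothing (not a stray space), and a template that would overflow the length limit is truncated with "..." rather than dropped. This added example reproduces that assembly in Python; it is not Nmap's service_scan code, and the template contents used in the usage line are constructed.

```python
"""Assembling a service version string from its templates (added example)."""

MAX_VERSION_LEN = 160   # final version string length limit given above


def build_version_string(templates, maxlen=MAX_VERSION_LEN):
    """Join non-empty templates with single spaces, truncating on overflow."""
    parts, used = [], 0
    for text in templates:
        if not text:
            continue                          # unfilled template: no space either
        sep = 1 if parts else 0               # one space between printed templates
        if used + sep + len(text) <= maxlen:
            parts.append(text)
            used += sep + len(text)
        else:
            room = maxlen - used - sep - len("...")
            if room > 0:
                parts.append(text[:room] + "...")   # truncate, don't drop
            break                             # buffer is now full
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed product / version / hostname / info templates.
    print(build_version_string(["OpenSSH", "5.1p1", "", "protocol 2.0"]))
```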
 8679 o Improved the service scan DB to remove certain problematic regex
 8680   patterns which could lead to PCRE_MATCHLIMIT errors. For example,
 8681   instances of ".*\r\n.*" and ".*\n.*\n" were generally collapsed to
 8682   ".*" as long as the DOTALL (/s) modifier was set. [Brandon]
 8684 o Changed some error() calls (which were more informational than error
 8685   messages) to use log_write() instead, and changed a few f?printf()
 8686   calls into error() or log_write(). [Brandon]
 8688 o [Ncat] Fixed a bug in the resolve() function which could cause Ncat
 8689   to resolve names using the wrong address family (such as AF_INET
 8690   rather than AF_INET6) in some rare cases. [Daniel Roethlisberger]
 8692 o [Zenmap] Worked around a GTK+ bug on Windows reported by Henry Nymann.
 8693   It caused a crash when opening the Hosts Viewer on a host that had OS
 8694   information. A window appeared saying simply "Runtime Error!". [David]
 8696 o [Zenmap] Gracefully handle unrecognized port states in the hosts
 8697   viewer. Apparently old versions of Nmap can return a state of
 8698   "unknown". This prevents this crash:
 8699       File "radialnet\gui\NodeNotebook.pyo", line 107, in __init__
 8700       File "radialnet\gui\NodeNotebook.pyo", line 257, in __create_widgets
 8701     KeyError: u'unknown'
 8702   [David]
 8704 o Rewrote the debugging error message "Found whacked packet protocol
 8705   17 in get_ping_pcap_result" because we decided that receiving a UDP
 8706   packet during TCP ping scan is not egregious enough to qualify as
 8707   "whacked". [David]
 8709 Nmap 4.85BETA7 [2009-04-1]
 8711 o Improvements to the Conficker detection script (smb-check-vulns):
 8712   - Reduce false negative rate.  We (and all the other scanners) used
 8713     to require the 0x57 return code as well as a canonicalized path
 8714     string including 0x5c450000.  Tenable confirmed an infected system
 8715   which returned a 0x00000000 path, so we now treat any host
 8716     returning code 0x57 as likely infected. [Ron]
 8717   - Add workaround for crash in older versions of OpenSSL which would
 8718     occur when we received a blank authentication challenge string
 8719     from the server.  The error looked like: "evp_enc.c(282): OpenSSL
 8720     internal error, assertion failed: inl > 0". [Ron]
 8721   - Add helpful text for the two most common errors seen in the
 8722     Conficker check in smb-check-vulns.nse.  So instead of saying
 8723     things like "Error: NT_STATUS_ACCESS_DENIED", output is like:
 8724     |  Conficker: Likely CLEAN; access was denied.
 8725     |  |  If you have a login, try using --script-args=smbuser=xxx,smbpass=yyy
 8726     |  |  (replace xxx and yyy with your username and password). Also try
 8727     |  |_ smbdomain=zzz if you know the domain. (Error NT_STATUS_ACCESS_DENIED)
 8728     The other improved message is for
 8731 o The NSEDoc portal at https://nmap.org/nsedoc/ now provides download
 8732   links from the script and module pages to browse or download recent versions
 8733   of the code.  It isn't quite as up-to-date as obtaining them from
 8734   svn directly, but may be more convenient. For an example, see
 8735   https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html . [David, Fyodor]
 8737 o A copy of the Nmap public svn repository (/nmap, plus its zenmap,
 8738   nsock, nbase, and ncat externals) is now available at
 8739   https://nmap.org/svn/.  We'll be updating this regularly, but it may
 8740   be slightly behind the SVN version.  This is particularly useful
 8741   when you need to link to files in the tree, since browsers generally
 8742   don't handle svn:// repository links. [Fyodor]
 8744 o Declare a couple msrpc.lua variables as local to avoid a potential
 8745   deadlock between smb-server-stats.nse instances. [Ron]
 8747 Nmap 4.85BETA6 [2009-03-31]
 8749 o Fixed some bugs with the Conficker detection script
 8750   (smb-check-vulns) [Ron]:
 8751   - SMB response timeout raised to 20s from 5s to compensate for
 8752     slow/overloaded systems and networks.
 8753   - MSRPC now only signs messages if OpenSSL is available (avoids an
 8754     error).
 8755   - Better error checking for MS08-067 patch
 8756   - Fixed forgotten endian-modifier (caused problems on big-endian
 8757     systems such as Solaris on SPARC).
 8759 o Host status messages (up/down) are now uniform between ping scanning
 8760   and port scanning and include more information. They used to vary
 8761   slightly, but now all look like
 8762     Host <host> is up (Xs latency).
 8763     Host <host> is down.
 8764   The new latency information is Nmap's estimate of the round trip
 8765   time. In addition, the reason for a host being up is now printed for
 8766   port scans just as for ping scans, with the --reason option. [David]
 8768 o Version detection now has a generic match line for SSLv3 servers,
 8769   which matches more servers than the already-existing set of specific
 8770   match lines. The match line found 13% more SSL servers in a test.
 8771   Note that Nmap will not be able to do SSL scan-through against a
 8772   small fraction of these servers, those that are SSLv3-only or
 8773   TLSv1-only, because that ability is not yet built into Nsock. There
 8774   is also a new version detection probe that works against SSLv2-only
 8775   servers. These have shown themselves to be very rare, so that probe
 8776   is not sent by default. Kristof Boeynaems provided the patch and did
 8777   the testing.
 8779 o [Zenmap] A typo that led to a crash if the ndiff subprocess
 8780   terminated with an error was fixed. [David] The message was
 8781       File "zenmapGUI\DiffCompare.pyo", line 331, in check_ndiff_process
    UnboundLocalError: local variable 'error_test' referenced before assignment

o [Zenmap] A crash was fixed:
      File "zenmapGUI\SearchGUI.pyo", line 582, in operator_changed
    KeyError: "Syst\xc3\xa8me d'Exploitation"
  The text could be different, because the error was caused by
  translating a string that was also being used as an index into an
  internal data structure. The string will be untranslated until that
  part of the code can be rewritten. [David]

o [Zenmap] A bug was fixed that caused a crash when doing a keyword:
  or target: search over hosts that had a MAC address. [David]
  The crash output was
      File "zenmapCore\SearchResult.pyo", line 86, in match_keyword
      File "zenmapCore\SearchResult.pyo", line 183, in match_target
    TypeError: argument of type 'NoneType' is not iterable

o Fixed a bug which prevented all comma-separated --script arguments
  from being shown in Nmap normal and XML output files where they show
  the original Nmap command. [David]

o Fixed ping scanner's runtime statistics system so that instead of
  saying "0 undergoing Ping Scan" it gives the actual number of hosts in
  the group (e.g. 4096). [David]

o [Zenmap] A crash was fixed in displaying the "Error creating the
  per-user configuration directory" dialog:
      File "zenmap", line 104, in <module>
      File "zenmapGUI\App.pyo", line 129, in run
    UnicodeDecodeError: 'utf8' codec can't decode bytes in position 43-45:
                        invalid data
  The crash would only happen to users with paths containing
  multibyte characters in a non-UTF-8 locale, who also had some error
  preventing the creation of the directory. [David]

Nmap 4.85BETA5 [2009-03-30]

o Ron (in just a few hours of furious coding) added remote detection
  of the Conficker worm to smb-check-vulns. It is based on new
  research by Tillmann Werner and Felix Leder.  You can scan your
  network for Conficker with a command like: nmap -PN -T4 -p139,445 -n
  -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

o Ndiff now includes service (version detection) and OS detection
  differences. [David]

o [Ncat] The --exec and --sh-exec options now work in UDP mode like
  they do in TCP mode: the server handles multiple concurrent clients
  and doesn't have to be restarted after each one. Marius Sturm
  provided the patch.

o [Ncat] The -v option (used alone) no longer floods the screen with
  debugging messages. With just -v, we now only print the most
  important status messages such as "Connected to ...", a startup
  banner, and error messages.  At -vv, minor debugging messages are
  enabled, such as what command is being executed by --sh-exec.  With
  -vvv you get detailed debugging messages. [David]

o [Ncat] Chat mode now lets other participants know when someone
  connects or disconnects, and it also broadcasts a current list of
  participants at such times. [David]

o [Ncat] Fixed a socket handling bug which could occur when you
  redirect Ncat stdin, such as "ncat -l --chat < /dev/null".  The next
  user to connect would end up with file descriptor 0 (which is
  normally stdin) and thus confuse Ncat. [David]

o [Zenmap] The "Scan Output" expanders in the diff window now behave
  more naturally. Some strange behavior on Windows was noted by Jah.
  [David]

o The following OS detection tests are no longer included in OS
  fingerprints: U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI. RUL, DLI,
  and SI were found not to be helpful in distinguishing operating systems
  because they didn't vary. TOS and TOSI were disabled in 4.85BETA1
  but now they are not included in prints at all. [David]

o The compile-time Nmap ASCII dragon is now more ferocious thanks to
  better teeth alignment. [David]

o Version 4.85BETA4 had a bug in the implementation of the new SEQ.CI
  test that could cause a closed-port IP ID to be written into the
  array for the SEQ.TI test and cause erroneous results. The bug was
  found and fixed by Guillaume Prigent.

o Nbase has grown routines for calculating Adler32 and CRC32C
  checksums. This is needed for future SCTP support. [Daniel
  Roethlisberger]
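
  The two checksums this entry adds, as an added example written for
  this page rather than Nmap's nbase code: table-driven CRC-32C (the
  Castagnoli polynomial that SCTP uses) and Adler-32 per RFC 1950, in
  plain Python, each with a running-checksum interface.

```python
"""Added example (not Nmap's nbase code): CRC-32C and Adler-32 in pure Python.

CRC-32C: polynomial 0x1EDC6F41, reflected form 0x82F63B78, init and final
xor 0xFFFFFFFF. Adler-32: two 16-bit running sums modulo 65521 (RFC 1950).
"""
import zlib

_CRC32C_POLY_REFLECTED = 0x82F63B78


def _build_crc32c_table():
    """Precompute the 256-entry lookup table for the byte-at-a-time CRC loop."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            # Reflected CRC: shift right; xor the polynomial in when the low bit was set.
            crc = (crc >> 1) ^ _CRC32C_POLY_REFLECTED if crc & 1 else crc >> 1
        table.append(crc)
    return table


_CRC32C_TABLE = _build_crc32c_table()


def crc32c(data: bytes, crc: int = 0) -> int:
    """CRC-32C of data. Pass a previous result as `crc` to continue a running checksum."""
    crc ^= 0xFFFFFFFF          # undo the final xor of the previous call (or apply the init value)
    for b in data:
        crc = _CRC32C_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


ADLER_MOD = 65521  # largest prime below 2**16, as RFC 1950 specifies


def adler32(data: bytes, value: int = 1) -> int:
    """Adler-32 of data; `value` is the previous result when checksumming in pieces."""
    s1 = value & 0xFFFF          # running sum of bytes
    s2 = (value >> 16) & 0xFFFF  # running sum of the s1 values
    for b in data:
        s1 = (s1 + b) % ADLER_MOD
        s2 = (s2 + s1) % ADLER_MOD
    return (s2 << 16) | s1


def adler32_matches_zlib(data: bytes) -> bool:
    """Cross-check the hand-written Adler-32 against the zlib implementation."""
    return adler32(data) == zlib.adler32(data)


if __name__ == "__main__":
    # Standard check values: CRC-32C("123456789") = 0xE3069283, Adler-32("Wikipedia") = 0x11E60398.
    print(hex(crc32c(b"123456789")), hex(adler32(b"Wikipedia")))
```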

o [Zenmap] Zenmap no longer shows an error message when running Nmap
  with options that cause a zero-length XML file to be produced (like
  --iflist). [David]

o Fixed an off-by-one error in printableSize() which could cause Nmap
  to crash while reporting NSE results. Also, NmapOutputTable's memory
  allocation strategy was improved to conserve memory. [Brandon,
  Patrick]

o [Zenmap] We now give the --force option to setup.py for installation
  to ensure that it replaces all files. [David]

o Nmap's --packet-trace, --version-trace, and --script-trace now use
  an Nsock trace level of 2 rather than 5.  This removes some
  superfluous lines which can flood the screen. [David]

o [Zenmap] Fixed a crash which could occur when loading the help URL
  if the path contains multibyte characters. [David]

o [Ncat] The version number is now matched to the Nmap release it came
  with rather than always being 0.2. [David]

o Fixed a strtok issue between load_exclude and
  TargetGroup::parse_expr that caused only the first exclude on
  a line to be loaded as well as an invalid read into free()'d
  memory in load_exclude(). [Brandon, David]

o NSE's garbage collection system (for cleaning up sockets from
  completed threads, etc.) has been improved. [Patrick]

Nmap 4.85BETA4 [2009-3-15]

o Added two new SMB/MSRPC NSE scripts by Ron Bowes:
  - smb-brute.nse: Bruteforce to discover SMB accounts. Has advanced
    features, such as lockout detection, username validation, username
    enumeration, and optimized case detection.
  - smb-pwdump.nse: Uses executables from the Pwdump6 project to dump
    password hashes from a remote machine (and optionally crack them
    with Rainbow Crack). Pwdump6 files have to be downloaded
    separately.

o [Ncat] The --exec and --sh-exec options now work on Windows. This
  was a big job, considering that Windows doesn't even have a fork()
  call and has all sorts of socket idiosyncrasies. [David]

o Doug performed one of the largest version detection integration runs
  ever, processing 1,746 submissions and 18 corrections.  We are now
  current with all submissions up to February 3.  Keep them coming.
  The version detection database has grown to 5,476 signatures for 510
  application protocols. Doug posted his notes on the integration at
  http://hcsw.org/blog.pl/37.  We now have 1,868 http server
  signatures, and the number of gopher signatures has bumped up from 5
  to 6.

o Released the new Ncat guide which contains practical real-life Ncat
  usage examples for Ncat's major features.  It complements the more
  option-centric man page.  Read it here: https://nmap.org/ncat/guide/
  [David, Fyodor]

o Ndiff is now included in the Windows zip distribution. For space
  reasons, it is not an executable compiled with py2exe as in the
  executable installer, rather it is the Ndiff source code (ndiff.py)
  and a batch file wrapper (ndiff.bat). Because it's not precompiled,
  it's necessary to have a Python interpreter installed. [David]

o The new --stats-every option takes a time interval that controls how
  often timing status updates are printed. It's intended to be used
  when Nmap is run by another program as a subprocess. Thanks to
  Aleksandar Petrinic for the initial implementation. [David]

o [NSE] A new function stdnse.sleep allows a script to sleep for a
  given time (and yield control to other scripts). [David]

o [Ncat] In --chat mode (formerly --talk), the server now announces to
  everyone when someone connects or disconnects. Besides letting you
  know who's connected, this also informs you of your "user name" as
  soon as you connect. [David]

o [Ncat] Ncat now works interactively on Windows. Before,
  peculiarities in the way Windows handles reading from the keyboard
  meant that typing interactively into Ncat would cause it to quit
  with a write timeout. [David]

o Refactored SMB and MSRPC NSE scripts significantly, moving much of
  the code into the smb.lua and msrpc.lua modules where it can be
  leveraged by other scripts. For example, the user enumeration
  functions are used by smb-brute.nse. [Ron Bowes]

o [Ncat] The syntax accepted by the --allow, --deny, --allowfile, and
  --denyfile options is now the same as Nmap's target specifications.
  Additionally any errors in the allow or deny specifications are
  reported when the program starts, not deferred until a connection is
  received. [David]

o You can now use '-' by itself in a target IP specification to mean
  0-255, so you could scan 192.168.-.-.  An asterisk can also still be
  used as an octet wildcard, but then you have to deal with shell
  escaping on many platforms. [David]
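
  The octet-range grammar described in this entry (single values,
  A-B ranges, comma lists, and '-' or '*' as a whole-octet wildcard),
  as an added example that is not Nmap's own TargetGroup parser; it
  also handles the open-ended "1-" and "-5" forms, and leaves CIDR and
  hostname targets out of scope.

```python
"""Added example, not Nmap's target parser: expand dotted-quad octet ranges.

Accepted per octet: "N", "A-B", "A-" (A to 255), "-B" (0 to B), "-" or "*"
(0 to 255), and comma-separated lists of those. Invalid specs raise ValueError
rather than silently producing a wrong target list.
"""
import itertools
from typing import Iterator, List


def parse_octet(spec: str) -> List[int]:
    """Expand one octet field of a target spec into a sorted list of 0-255 values."""
    if spec in ("-", "*"):
        return list(range(256))
    values = set()
    for part in spec.split(","):
        if not part:
            raise ValueError(f"empty element in octet spec {spec!r}")
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo = int(lo_s) if lo_s else 0      # "-B" means 0-B
            hi = int(hi_s) if hi_s else 255    # "A-" means A-255
        else:
            lo = hi = int(part)                # int() rejects non-numeric junk
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet range {part!r} is reversed or outside 0-255")
        values.update(range(lo, hi + 1))
    return sorted(values)


def parse_target(spec: str) -> List[List[int]]:
    """Split a dotted-quad spec into four expanded octet lists."""
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four dotted octets in {spec!r}")
    return [parse_octet(o) for o in octets]


def count_targets(spec: str) -> int:
    """Number of addresses a spec expands to, without materializing them."""
    total = 1
    for choices in parse_target(spec):
        total *= len(choices)
    return total


def expand_targets(spec: str) -> Iterator[str]:
    """Yield every address covered by the spec, first octet varying slowest."""
    for quad in itertools.product(*parse_target(spec)):
        yield ".".join(str(o) for o in quad)


def is_valid_target(spec: str) -> bool:
    """True if the spec parses; useful for rejecting bad input before a scan starts."""
    try:
        parse_target(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(count_targets("192.168.-.-"))            # 65536 addresses
    print(list(expand_targets("10.0.0-1.1,5")))    # four addresses
```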

o Nmap was discovered in another movie!  In the Russian film
  Khottabych, teenage hacker Gena uses Nmap (and telnet) to hack
  Microsoft.  In response, MS sends a pretty female hacker to flush
  him out.  More details and screenshots: https://nmap.org/movies/#khottabych .

o Improved operating system support for the smb-enum-sessions NSE
  script; previous revisions worked on Windows 2003 or Windows 2000,
  but never both.  Currently, it is tested and working on both
  versions.  [Ron Bowes]

o Implemented file-management functions in SMB, including file upload,
  file download, and file delete. Only leveraged by smb-pwdump.nse at
  the moment, these functions give scripts the ability to perform
  checks against the filesystem of a server. [Ron Bowes]

o [Zenmap] A crash was fixed that occurred when you ran a scan
  that didn't produce any host output (like "nmap --iflist") and then
  tried to remove it from the inventory. [David]
  The crash looked like
    ValueError: list.remove(x): x not in list

o [Ncat] In --chat mode, the server escapes potentially dangerous
  control characters (in octal) before sending them to
  clients. [David]

o [Ndiff] Added a workaround for a bug in PyXML. The bug would cause a
  crash that looked like "KeyError: 0". [David]

o [Zenmap] Fixed a crash when something that looked like a format
  specifier (like %y) appeared in a profile. The error message was
    ValueError: unsupported format character 'y' (0x79)
  [David]

o A bug was fixed in route finding on BSD Unix. The libdnet function
  addr_stob didn't handle the special case of the sa_len member of
  struct sockaddr being equal to 0 and accessed unrelated memory past
  the end of the sockaddr. A symptom of this was the fatal error
    nexthost: failed to determine route to ...
  which was caused by the default route being assigned a netmask other
  than [David]

o Added bindings for the service control (SVCCTL) and at service (ATSVC)
  services. These are both related to running processes on the remote
  system (identical to how PsExec-style scripts work). These bindings
  are used by smb-pwdump.nse. [Ron Bowes]

o Refactored SMB authentication code into its own module, smbauth.lua.
  Improved scripts' ability to store and retrieve login information
  discovered by modules such as smb-brute.nse. [Ron Bowes]

o Added message signing to SMB. Connections will no longer fail if the
  server requires message signatures. This is a rare case, but comes up
  on occasion. If a server allows but doesn't require message signing,
  smb.lua will negotiate signing. This improves security by preventing
  man-in-the-middle attacks. [Ron Bowes]

o Fixed the daytime.nse script to work for UDP again (it was checking
  a "proto" field when the field name is actually "protocol"). [Jah]

o Implemented extended security negotiations in the NSE SMB
  module. Creates no noticeable change from the user's perspective,
  but it's a more modern protocol. [Ron Bowes]

o Nmap wins LinuxQuestions.Org Network Security Application of the
  Year for the sixth year in a row! See
  http://seclists.org/nmap-dev/2009/q1/0395.html .

o [Zenmap] Removed some unnecessary (mostly GTK+-related) files from
  the Windows installer--nmap-4.85BETA4-setup.exe is now smaller than
  it has ever been since Nmap 4.22SOC6, which was released in August
  2007! [David]

o Fixed the install-zenmap make target for Solaris portability.
  Solaris /bin/sh does not have test(1) -e. [Daniel Roethlisberger]

o Version detection used to omit the "ssl/" service name prefix if an
  SSL-tunneled port didn't respond to any version probes. Now it keeps
  "ssl/" as an indication that SSL was discovered, even if the service
  behind it wasn't identified. Kristof Boeynaems reported the problem
  and contributed a patch. [David]

o [Ncat] The --talk option has been renamed --chat. --talk remains as an
  undocumented alias.

o There is a new OS detection test named SEQ.CI. Like TI and II, CI
  classifies the target's IP ID sequence generation algorithm. CI is
  based on the responses received to the probes sent to a closed port.
  The algorithm for closed ports has been observed to differ from that
  for open ports on some operating systems (though we don't yet know
  which ones).  The new test won't have an effect until new
  fingerprints containing it are added to nmap-os-db. We got the idea
  from some notes sent in by Dario Ciccarone. [David, Fyodor]

o OS fingerprints now include the SEQ.II test (ICMP IP ID sequence
  generation) even if there are no other SEQ test results. The
  previous omission of SEQ.II in that case was a bug. [David]

o [Ncat] The --send-only and --recv-only options now work in listen
  mode as well as connect mode. [David]

o [Ncat] An error in formatting bytes with the high bit set in hex
  dump output was fixed. [David]

o [Zenmap] New translation: Croatian (contributed by Vlatko Kosturjak).

o Fixed a DNS decoding bug in dns-zone-transfer.nse that created
  garbage output and could crash Zenmap by including 0x0C bytes in XML
  files. The Zenmap crash looked like
    SAXParseException: .../zenmap-XXXXXX.xml:39:290: not well-formed
    (invalid token)
  Thanks to Anino Belan and Eric Nickel for sending in affected log
  files. [David]

o [NSEDoc] Scripts that use modules automatically have the script
  arguments defined by those modules included in their documentation.
  It's no longer necessary to manually supply @args for the arguments
  in the modules you use. For those who haven't seen the NSEDoc portal
  yet, check out https://nmap.org/nsedoc/. [David]

o An integer overflow in the scan progress meter was fixed. It caused
  nonsense output like
    UDP Scan Timing: About 11.34% done; ETC: 03:21 (-688:-41:-48 remaining)
  during very long scans. [Henri Doreau]

o [Zenmap] A better method of detecting the system locale is used, so
  it should not be necessary to set the LANG environment variable on
  Windows to get internationalized text. Thanks to Dirk Loss for the
  suggestion. [David]

o [Ncat] Added a number of automated tests for ensuring that Ncat is
  working correctly.  They are in /ncat/test in SVN. [David]

o [Ncat] Now builds again when using the --without-openssl
  option. [David]

o [Zenmap] Fix auto-scroll behavior while Nmap is producing output, as
  that previously failed in some cases involving wide lines in
  output. [David]

o [Zenmap] The network topology feature (Radialnet) has been
  internationalized so its strings will be localized as well (as soon
  as the relevant language's translation files are updated).  To help
  out, see https://nmap.org/book/zenmap-lang.html . Some remaining search
  interface elements were internationalized as well. [David]

o Improved the efficiency of the xml_convert() routine which handles
  XML escaping.  It was so inefficient that this stupid little routine
  was noticeably slowing Nmap down in some cases. [David]
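
  An added example (not Nmap's xml_convert()) tying this entry to the
  dns-zone-transfer crash above: a single-pass XML escaper that, besides
  the five markup characters, substitutes code points XML 1.0 forbids,
  such as the 0x0C form feed that made Zenmap's parser reject the whole
  file. Replacing them with U+FFFD is this example's choice, not Nmap's.

```python
"""Added example, not Nmap's xml_convert(): escape text for XML 1.0 character data.

Data copied from the network (banners, DNS records, NSE output) can contain bytes
that are not legal anywhere in an XML 1.0 document, not even as &#xC; references.
One of them is enough to make the entire output file unparseable, so the escaper
must substitute them rather than pass them through.
"""
import re
import xml.etree.ElementTree as ET

# XML 1.0 Char production: #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] |
# [#x10000-#x10FFFF]. The second alternative matches anything outside it.
_NEEDS_WORK = re.compile(
    "[&<>\"']|[^\t\n\r\u0020-\ud7ff\ue000-\ufffd\U00010000-\U0010ffff]"
)

_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;"}


def xml_escape(text: str, replacement: str = "\ufffd") -> str:
    """Escape markup characters and replace XML-invalid characters in one pass.

    A single regex substitution touches each character once, instead of the
    repeated whole-string replace calls that make naive escapers quadratic.
    """
    return _NEEDS_WORK.sub(lambda m: _ESCAPES.get(m.group(), replacement), text)


def is_well_formed(fragment: str) -> bool:
    """Check whether a text fragment survives as element content in a real parser."""
    try:
        ET.fromstring("<r>" + fragment + "</r>")
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    # Constructed sample: a DNS record with an embedded form feed and markup characters.
    record = "host\x0cexample & <mail>"
    print(is_well_formed(record), is_well_formed(xml_escape(record)))
```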
 9119 o Removed 9 OS detection device types which only had one or two
 9120   instances in our whole database (ATM, TV, oscilloscope, etc.) and
 9121   made some other cleanups as well. We plan to enhance this even
 9122   further for the next release. [Fyodor, David, Doug]
 9124 o [Zenmap] Removed some unnecessary GTK+ files from the files
 9125   installed by the Windows executable installer. [David]
 9127 o [Zenmap] Tweaked the file format of the topology icons
 9128   (firewall.png, padlock.png, etc.) in an attempt to improve
 9129   compatibility with some versions of GTK+. This may fix a crash like
 9130     File "radialnet/gui/Image.py", line 53, in get_pixbuf
 9131       self.__cache[icon + image_type] = gtk.gdk.pixbuf_new_from_file(file)
 9132     GError: Couldn't recognize the image file format for file 'radialnet/padlock.png'
 9133   Thanks to Trevor Bain for a report and help debugging. [David]
 9135 o Removed a bunch of unnecessary files (mostly GTK related) from the
 9136   Win32 exe installer to reduce its size. [David]
 9138 o Fixed an NSE crash (assertion error) which looked like
 9139   "nsock_core.c:293: handle_connect_result: Assertion `0'
 9140   failed". Brandon reported the bug, which was fixed by Doug and
 9141   David.  See http://seclists.org/nmap-dev/2009/q1/0546.html .
 9143 Nmap 4.85BETA3 [2009-2-2]
 9145 o Revert the temporary GTK DLL workaround (r11899) which added
 9146   duplicate DLL files to the distribution.  David found that using a
 9147   different GTK download fixed the problem (see
 9148   docs/win32-installer-zenmap-buildguide.txt) and Fyodor was able to
 9149   reproduce and implement.
 9151 o The conditions for printing OS fingerprints to XML output are now
 9152   the same as are used to decide whether to print them in the other
 9153   formats. So they will be printed if submission is desirable,
 9154   otherwise they are only printed if debugging is enabled or verbosity
 9155   is 2 or higher. [Tom Sellers]
 9157 o Removed some Brazilian poetry/lyrics from Zenmap source code
 9158   (NmapOutputViewer.py). We've seen enough of it in the debug logs. "E
 9159   nao se entrega, nao".
 9161 o Fix Ncat compilation with the MingW windows compiler. [Gisle Vanem]
 9163 o Corrected some NSE libraries (datafiles, tab) which were using the
 9164   old arg table interface. [Patrick]
 9166 o [Zenmap] Fixed a crash that happened when running a scan directly
 9167   from the command wizard without saving a profile [David]:
 9168     NmapParser.py", line 417, in set_target
 9169       self.ops.target_specs = target.split()
 9170     AttributeError: 'NoneType' object has no attribute 'split'
 9172 o Fixed an NSE pop3 library error which gave a message such as:
 9173   SCRIPT ENGINE (506.424s): ./scripts/pop3-capabilities.nse against
 9174   a.b.1.47:995 ended with error: ./scripts/pop3-capabilities.nse:32:
 9175   bad argument #1 to 'pairs' (table expected, got string) [Jah]
 9177 o Upgraded the OpenSSL binaries shipped in our Windows installer to
 9178   version 0.9.8j. [Kris]
 9180 o Updated IANA assignment IP list for random IP (-iR)
 9181   generation. [Kris]
 9183 Nmap 4.85BETA2 [2009-1-29]
 9185 o Added some duplicate GTK DLLs to Windows installer, as a temporary
 9186   fix for this issue: http://seclists.org/nmap-dev/2009/q1/0207.html
 9187   The problem caused a warning message complaining of problems finding
 9188   librsvg-2-2.dll to pop up 32 times before Zenmap would start.  We're
 9189   still looking for a better fix. [Fyodor, Rob, Jah]
 9191 o Made a few improvements to nmap.xsl (details:
 9192   http://seclists.org/nmap-dev/2009/q1/0210.html) [Tom Sellers]
 9194 o [Zenmap] New translation: French (contributed by Gutek)
 9196 o Updated the mswin32 installer build guide and posted it to
 9197   https://svn.nmap.org/nmap/docs/win32-installer-zenmap-buildguide.txt [Fyodor]
 9199 o The xampp-default-auth.nse script was renamed to ftp-brute.nse since
 9200   it has become more general.
 9202 Nmap 4.85BETA1 [2009-1-23]
 9204 o Added Ncat, a much-improved reimplementation of the venerable Netcat
 9205   tool which adds modern features and makes use of Nmap's efficient
 9206   networking libraries.  Features include SSL support, proxy
 9207   connections (client or server, socks4 or connect-based, with or
 9208   without authentication, optionally chained), TCP and UDP connection
 9209   redirection, connection brokering (facilitating connections between
 9210   machines which are behind NAT gateways), and much more.  It is
 9211   cross-platform (Linux, Windows, Mac, etc.) and supports IPv6 as well
 9212   as standard IPv4.  See https://nmap.org/ncat/ for details.  It is now
 9213   included in our binary packages (Windows, Linux, and Mac OS X), and
 9214   built by default.  You can skip it with the --without-ncat configure
 9215   option.  Thanks to Kris and David for their great work on this!
 9217 o Added the Ndiff utility, which compares the results of two Nmap
 9218   scans and describes the new/removed hosts, newly open/closed ports,
 9219   changed operating systems, etc.  This makes it trivial to scan your
 9220   networks on a regular basis and create a report (XML or text format)
 9221   on all the changes.  See https://nmap.org/ndiff/ and ndiff/README for
 9222   more information. Ndiff is included in our binary packages and built
 9223   by default, though you can prevent it from being built by specifying
 9224   the --without-ndiff configure flag.  Thanks to David and Michael
 9225   Pattrick for their great work on this.
 9227 o Released Nmap Network Scanning: The Official Nmap Project Guide to
 9228   Network Discovery and Security Scanning.  From explaining port
 9229   scanning basics for novices to detailing low-level packet crafting
 9230   methods used by advanced hackers, this book suits all levels of
 9231   security and networking professionals. A 42-page reference guide
 9232   documents every Nmap feature and option, while the rest of the book
 9233   demonstrates how to apply those features to quickly solve real-world
 9234   tasks.  It was briefly the #1 selling computer book on Amazon.
 9235   Translations to the German, Korean, and Brazilian Portuguese
 9236   languages are forthcoming.  More than half of the book is already
 9237   free online.  For more, see https://nmap.org/book/.
 9239 o David spent more than a month working on algorithms to improve port
 9240   scan performance while retaining or improving accuracy.  The changes
 9241   are described at http://seclists.org/nmap-dev/2009/q1/0054.html . He
 9242   was able to reduce our "benchmark scan time" (which involves many
 9243   different scan types from many source networks to many targets) from
 9244   1879 seconds to 1321 without harming accuracy.  That is a 30% time
 9245   reduction!
 9247 o Introduced the NSE documentation portal, which documents every NSE
 9248   script and library included with Nmap. See https://nmap.org/nsedoc/.
 9249   Script documentation was improved substantially in the process.
 9250   Scripts and libraries must use the new NSEDoc format, which is
 9251   described at https://nmap.org/book/nsedoc.html .  Thanks to Patrick
 9252   and David for their great work on this.
 9254 o The 2nd Generation OS Detection System was dramatically improved for
 9255   improved accuracy.  After substantial testing, David and Fyodor made
 9256   the following changes:
 9257   - The "T" (TTL test) result ranges were widened to prevent minor
 9258     routing (and device hardware inconsistency) variations from causing
 9259     so many matches to fail.
 9260   - The TG (TTL guess) results were canonicalized. Nmap is only
 9261     capable of assigning the values 0x20, 0x40, 0x80, and 0xFF for
 9262     these tests, yet many fingerprints had different values.  This was
 9263     due to bugs in our fingerprint integration tools.
 9264   - The U1.TOS and IE.TOSI tests (both having to do with the IP Type
 9265     of Service field) have been effectively eliminated (MatchPoints
 9266     set to 0).  These proved particularly susceptible to false results
 9267     due to networking hardware along the packet route manipulating the
 9268     TOS header field.
 9269   - An important bug in OS detection's congestion control algorithms
 9270     was fixed.  It could lead to Nmap sending packets much too quickly
 9271     in some cases, which hurt accuracy.
 9273 o Integrated all of your OS detection fingerprint submissions and
 9274   corrections up to January 8.  The DB has grown more than 17% to
 9275   1,761 fingerprints.  Newly detected services include Mac OS X
 9276   10.5.6, Linux 2.6.28, iPhone 2.1, and all manner of WAPs, VoIP
 9277   phones, routers, oscilloscopes, employee timeclocks, etc. Keep those
 9278   submissions coming!
 9280 o Ron Bowes embarked on a massive MSRPC/NETBIOS project to allow Nmap
 9281   to interrogate Windows machines much more completely.  He added
 9282   three new nselib modules: msrpc, netbios, and smb. As the names
 9283   suggest, they contain common code for scripts using MSRPC, NetBIOS,
 9284   and SMB. These modules allow scripts to extract a great deal of
 9285   information from hosts running Windows, particularly Windows
 9286   2000. New or updated scripts using the modules are:
 9287   - nbstat.nse: get NetBIOS names and MAC address.
 9288   - smb-enum-domains.nse: enumerate domains and policies.
 9289   - smb-enum-processes.nse: allows a user with administrator
 9290     credentials to view a tree of the processes running on the
 9291     remote system (uses HKEY_PERFORMANCE_DATA hive).
 9292   - smb-enum-sessions.nse: enumerate logins and SMB sessions.
 9293   - smb-enum-shares.nse: enumerate network shares.
 9294   - smb-enum-users.nse: enumerate users and information about them.
 9295   - smb-os-discovery.nse: get operating system over SMB (replaces
 9296     netbios-smb-os-discovery.nse).
 9297   - smb-security-mode.nse: determine if a host uses user-level or
 9298     share-level security, and what other security features it
 9299     supports.
 9300   - smb-server-stats.nse: grab statistics such as network traffic
 9301     counts.
 9302   - smb-system-info.nse: get lots of information from the registry.
 9304 o A problem that caused OS detection to fail for most hosts in a
 9305   certain case was fixed. It happened when sending raw Ethernet frames
 9306   (by default on Windows or on other platforms with --send-eth) to
 9307   hosts on a switched LAN. The destination MAC address was wrong for
 9308   most targets. The symptom was that only one out of each scan group
 9309   of 20 or 30 hosts would have a meaningful OS fingerprint. Thanks go
 9310   to Michael Head for running tests and especially Trent Snyder for
 9311   testing and finding the cause of the problem. [David]
 9313 o Zenmap now runs ndiff to for its "Compare Results" function. This
 9314   completely replaces the old diff view. The diff window size is now
 9315   more flexible for user resizing as well. [David]
 9317 o Added a Russian translation of the Nmap Reference Guide by Guz
 9318   Alexander. We now have translations in 15 languages available from
 9319   https://nmap.org/docs.html . More volunteer translators are welcome,
 9320   as we are still missing some important languages. Translation
 9321   instructions are available from that docs.html page.
 9323 o Update Windows installer to handle Windows 7 (tested with the Beta
 9324   build 7000) [Rob Nicholls]
 9326 o Improved port scan performance by changing the list of high priority
 9327   ports which Nmap shifts closer to the beginning of scans because
 9328   they are more likely to be responsive.  We based the change on
 9329   empirical data from large-scale scanning.  The new port list is:
 9330     21, 22, 23, 25, 53, 80, 110, 111, 113, 135, 139, 143, 199, 256,
 9331     443, 445, 554, 587, 993, 995, 1025, 1720, 1723, 3306, 3389, 5900,
 9332     8080, 8888
 9333   [Fyodor, David]
 9335 o [NSE] Almost all scripts were renamed to be more consistent.  They
 9336   are now all lowercase and most of them start with the name of the
 9337   service name they query.  Words are separated by hyphens. [David,
 9338   Fyodor]
 9340 o [NSE] Now that scripts are better named, the "Id" field has been
 9341   removed and the script name (sans the .nse or directory path
 9342   information) is used in script output instead. [David]
 9344 o [NSE] Added banner.nse, a simple script which connects to open TCP
 9345   ports and prints out anything sent in the first five seconds by the
 9346   listening service. [Jah]
 9348 o [NSE] Added a new OpenSSL library with functions for multiprecision
 9349   integer arithmetic, hashing, HMAC, symmetric encryption and
 9350   symmetric decryption. [Sven]
 9352 o [Zenmap] Internationalization has been fixed [David]. Currently
 9353   Zenmap has two translations:
 9354     - German by Chris Leick
 9355     - Brazilian Portuguese by Adriano Monteiro Marques (partial)
 9356   For details on using an existing translation or localizing Zenmap
 9357   into your own native language, see
 9358   https://nmap.org/book/zenmap-lang.html . [David]
 9360 o Zenmap no longer outputs XML elements and attributes that are not in
 9361   the Nmap XML DTD. This was done mostly by removing things from
 9362   Zenmap's output, and adding a few new optional things to the Nmap
 9363   DTD. A scan's profile name, host comments, and interactive text
 9364   output are what were added to nmap.dtd. The .usr filename extension
 9365   for saved Zenmap files is deprecated in favor of the .xml extension
 9366   commonly used with Nmap. Because of these changes the
 9367   xmloutputversion has been increased to 1.03. [David]
 9369 o The NSE registry now persists across host groups so that values
 9370   stored in it will remain until they are explicitly removed or Nmap
 9371   execution ends. [David]
 9373 o Enhanced the AS Numbers script (ASN.nse) to better consolidate
 9374   results and bail out if the DNS server doesn't support the ASN
 9375   queries. [Jah]
 9377 o Complete re-write of the marshaling logic for Microsoft RPC calls.
 9378   [Ron Bowes]
 9380 o Added a script that checks for ms08-067-vulnerable hosts
 9381   (smb-check-vulns.nse) using the smb nselib. It also checks for an
 9382   unfixed denial of service vulnerability Ron discovered in the
 9383   Windows 2000 registry service. [Ron Bowes]
 9385 o [Zenmap] Text size is larger on Mac OS X thanks to a new included
 9386   gtkrc file. [David]
 9388 o Reduced memory consumption for some longer-running scans by removing
 9389   completed hosts from the lists after two minutes.  These hosts are
 9390   kept around in case there is a late response, but this draws the
 9391   line on how long we wait and hence keep this information in memory.
 9392   See http://seclists.org/nmap-dev/2008/q3/0902.html for more. [Kris]
 9394 o The Windows installer now uses Zenmap binaries built using Python
 9395   2.6.1 rather than 2.5.1 [Fyodor]
 9397 o When a system route can't be matched up directly with an interface
 9398   by comparing addresses, Nmap now tries to match the route through
 9399   another route. This helps for instance with a PPP connection where
 9400   the default route's gateway address is routed through a different
 9401   route, the one associated with the address of the PPP device. The
 9402   problem would show itself as an inability to scan through the
 9403   default route and the error message
 9404     WARNING: Unable to find appropriate interface for system route to ...
 9405   [David]
 9407 o Removed a code comment which simply declared /* WANKER ALERT! */ for
 9408   no good reason. [Fyodor]
 9410 o NSE prints messages in debugging mode whenever a script starts or
 9411   finishes. [Patrick, David]
 9413 o [Ncat] The -l option can now be specified w/o a port number to
 9414   listen on Ncat's default port number (31337).
 9416 o [Zenmap] The Nmap output window now scrolls automatically as a scan
 9417   progresses. [David]
 9419 o [NSE] We now have a canonical way for scripts to check for
 9420   dependency libraries such as OpenSSL.  This allows them to handle
 9421   the issue gracefully (by exiting or doing some of their work if
 9422   possible) rather than flooding the console with error messages as
 9423   before. See https://nmap.org/nsedoc/lib/openssl.html . [Pattrick,
 9424   David, Fyodor]
 9426 o Nmap now reports a proper error message when you combine an IPv6
 9427   scan (-6) with random IPv4 address selection (-iR). [Henri Doreau]
 9429 o Nmap now builds with the _FORTIFY_SOURCE=2 define.  With modern
 9430   versions of GCC, this adds extra buffer overflow protection and
 9431   other security checks.  It is described at
 9432   http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html . [David,
 9433   Doug]
 9435 o The --excludefile option correctly handles files with no terminating
 9436   newline instead of claiming "Exclude file line 0 was too long to
 9437   read." [Henri Doreau]
 9439 o [NSE] Changed the datafiles library to remove constraining input
 9440   checks, move nmap.fetch_file() to read_from_file(), and make
 9441   get_array() and get_assoc_array() into normal functions. [Sven]
 9443 o [NSE] Fixed some bugs and typos in the datafiles library. [Jah]
 9445 o Nsock handles a certain Windows connect error, WSAEADDRNOTAVAIL
 9446   (errno 10049), preventing an assertion failure that looked like
 9447     Strange connect error from (10049): No such file or directory
 9448     Assertion failed: 0, file .\src\nsock_core.c, line 290
 9449   The error could be seen by running a version scan against a
 9450   broadcast address. Thanks to Tilo Köppe and James Liu for reporting
 9451   the problem. [David]
 9453 o An "elapsed" attribute has been added to the XML output (in the
 9454   "finished" tag), representing the total Nmap scanning time in
 9455   seconds (floating point). [Kris]
 9457 o Fixed a division by zero error in the packet rate measuring code
 9458   that could cause a display of infinity packets per second near the
 9459   start of a scan. [Jah]
 9461 o Substantially updated the Nmap Scripting Engine guide/chapter
 9462   (https://nmap.org/book/nse.html) so that it is up-to-date with all
 9463   the latest NSE improvements.
 9465 o Fixed a bug in the IP validation code which would have let a specially
 9466   crafted reply sent from a host on the same LAN slip through and cause
 9467   Nmap to segfault.  Thanks to ithilgore of sock-raw.homeunix.org for
 9468   the very detailed bug report. [Kris]
 9470 o [Zenmap] The crash reporter further enhances user privacy by showing
 9471   all the information that will be submitted so you can edit it to
 9472   remove identifying information such as the name of your home
 9473   directory. If you provide an email address the report will be marked
 9474   private so it will not appear on the public bug tracker. [David]
 9476 o [Zenmap] Zenmap now parses and records XSL stylesheet information
 9477   from Nmap XML files, so files saved by Zenmap will be viewable in a
 9478   web browser just like those produced by Nmap. [David]
 9480 o A possible Lua stack overflow in the DNS module was fixed. Lua detects
 9481   these sorts of overflows and quits. [David]
 9483 o [NSE] Improved html-title script to support http-alt and https-alt
 9484   (with SSL) and to handle a wider variety of redirects. [Jah]
 9486 o NSE scripts that require a list of DNS servers (currently only
 9487   ASN.nse) now work when IPv6 scanning. Previously it gave an error
 9488   message: "Failed to send dns query.  Response from dns.query(): 9".
 9489   [Jah, David]
 9491 o [Zenmap] Added a workaround for a crash
 9492     GtkWarning: could not open display
 9493   on Mac OS X 10.5. The problem is caused by setting the DISPLAY
 9494   environment variable in one of your shell startup files; that
 9495   shouldn't be done under 10.5 and removing it will make other
 9496   X11-using applications work better. Zenmap will now handle the
 9497   situation automatically. [David]
 9499 o http-auth.nse now properly checks for default authentication
 9500   credentials. A bug prevented it from working before. [Vlatko
 9501   Kosturjak]
 9503 o Renamed irc-zombie.nse to auth-spoof and improved its description
 9504   and output a bit. [Fyodor]
 9506 o Removed some unnecessary "demo" category NSE scripts: echoTest,
 9507   chargenTest, showHTTPVersion, and showSMTPVersion.nse.  Moved
 9508   daytimeTest from the "demo" category to "discovery".  Removed
 9509   showHTMLTitle from the "demo" category, but it remains in the
 9510   "default" and "safe" categories. This leaves just smtp-open-relay in
 9511   the undocumented "demo" category. [Fyodor]
 9513 o [NSE] Removed ripeQuery.nse because we now have the much more robust
 9514   whois.nse which handles all the major registries. [Fyodor]
 9516 o [NSE] Removed showSSHVersion.nse. Its only real claim to fame was
 9517   the ability to trick some SSH servers (including at least OpenSSH
 9518   4.3p2-9etch3) into not logging the connection.  This trick doesn't
 9519   seem to work with newer versions of OpenSSH, as my
 9520   openssh-server-4.7p1-4.fc8 does log the connection. Without the
 9521   stealth advantage, the script has no real benefit over version
 9522   detection or the upcoming banner grabbing script. [Fyodor]
 9524 o [Zenmap] Profile updates: The -sS option was added to the "Intense
 9525   scan plus UDP" and "Slow comprehensive scan" profiles.  The -PN (ping
 9526   only) option was added to "Quick traceroute". [David]
 9528 o [NSE] The smtp-commands script output is now more compact. [Jasey
 9529   DePriest, David]
 9531 o [Zenmap] Added a simple workaround for a bug in PyXML (an add-on
 9532   Python XML library) that caused a crash. The crash would happen when
 9533   loading an XML file and looked like "KeyError: 0". [David]
 9535 o A crash caused by an incorrect test condition was fixed. It would
 9536   happen when running a ping scan other than a protocol ping, without
 9537   debugging enabled, if an ICMP packet was received referring to a
 9538   packet that was not TCP, UDP, or ICMP. Thanks to Brandon Enright and
 9539   Matt Castelein for reporting the problem. [David]
 9541 o [Zenmap] The keyboard shortcut for "Save to Directory" has been
 9542   changed from Ctrl+v to Ctrl+Alt+s so as not to conflict with the
 9543   usual paste shortcut. [Jah, Michael]
 9545 o Nmap now quits if you give a "backwards" port or protocol range like
 9546   -p 20-10. The issue was noted by Arturo "Buanzo" Busleiman. [David]
 9548 o Fixed a bug which caused Nmap to infer an improper distance against
 9549   some hosts when performing OS detection against a group whose
 9550   distance varies between members. [David, Fyodor]
 9552 o [Zenmap] Host information windows are now like any other windows,
 9553   and will not become unclosable by having their controls offscreen.
 9554   Thanks to Robert Mead for the bug report.
 9556 o [NSE] showHTMLTitle can now follow (non-standard) relative
 9557   redirects, and may do a DNS lookup to find if the redirected-to host
 9558   has the same IP address as the scanned host. [Jah]
 9560 o [NSE] Enhanced the tohex() function in the stdnse library to support
 9561   strings and added options to control the formatting. [Sven]
 9563 o [NSE] The http module tries to deal with non-standards-compliant
 9564   HTTP traffic, particularly responses in which the header fields are
 9565   separated by plain LF rather than CRLF. [Jah, Sven]
 9567 o [Zenmap] The help function now properly converts the pathname of the
 9568   local help file to a URL, for better compatibility with different
 9569   web browsers. [David]
 9570   This should fix the crash
 9571     WindowsError: [Error 2] The system cannot find the file specified:
 9572     'file://C:\\Program Files\\Nmap\\zenmap\\share\\zenmap\\docs\\help.html'
 9574 o [NSE] Fixed a number of small bugs in the Nmap library
 9575   (nse_nmaplib.cc), as described at
 9576   http://seclists.org/nmap-dev/2008/q4/0663.html [Patrick]
 9578 o The HTTP_open_proxy.nse script was updated to match Google Web
 9579   Server's changed header field: "Server: gws" instead of
 9580   "Server: GWS/".  [Vlatko Kosturjak]
 9582 o Enhanced the ssh service detection signatures to properly
 9583   detect protocol version 2 services. [Matt Selsky]
 9585 o Nsock now uses fselect() to work around problems with select() not
 9586   working properly on non-socket descriptors on Windows.  This was
 9587   needed for Ncat to work properly on that platform. See
 9588   http://seclists.org/nmap-dev/2008/q3/0766.html . [Kris]
 9590 o Removed trailing null bytes from Ncat's responses in HTTP proxy
 9591   mode. [David]
 9593 o [NSE] daytime.nse now runs against TCP ports in addition to the UDP
 9594   ports it already handled. The output format was also
 9595   improved. [David]
 9597 o XML output now contains the full path to nmap.xml on Windows. The
 9598   path is converted to a file:// URL to provide better compatibility
 9599   across browsers. [Jah]
 9601 o Made DNS timeouts in NSE a bit more aggressive at higher timing
 9602   levels such as -T4 and -T5. [Jah]
 9604 o A script could be executed twice if it was given with the --script
 9605   option, also in the "version" category, and version detection (-sV)
 9606   was requested. This has been fixed. [David]
 9608 o Fixed port number representation in some Nmap and Nsock message
 9609   output.  Incorrect conversion modifiers caused high ports to wrap
 9610   around and be shown as negative values. [Kris]
 9612 o Upgraded the shipped libdnet library to version 1.12 (with our
 9613   modifications). [Kris]
 9615 o Upgraded the OpenSSL binaries shipped in our Windows installer to
 9616   version 0.9.8i. [Kris]
 9618 o [NSE] The SSLv2-support script no longer prints duplicate cyphers if
 9619   they exist in the server's supported cypher list. [Kris]
 9621 o Fix compilation w/IPv6 support on Solaris by checking for inet_addr
 9622   in -lnsr before using APR_CHECK_WORKING_GETNAMEINFO in
 9623   configure. [David]
 9625 o Removed the nbase_md5.* and nbase_sha1.* files because our
 9626   new nse_openssl library includes that functionality. [David]
 9628 o The robots.txt NSE script is now silent when there are no
 9629   interesting results, rather than printing that robots.txt "is empty
 9630   or has no disallowed entries". [Kris]
 9632 o Fixed a file (socket) descriptor leak which could occur when connect
 9633   scan probes receive certain unusual error messages (including
 9634   EHOSTUNREACH, and EHOSTDOWN). This led to error messages such as
 9635   "Socket creation in sendConnectScanProbe: Too many open files (24)"
 9636   [David]
 9638 o [Zenmap] Made floating host details windows into normal top-level
 9639   windows. This avoids a problem where the edge of a window could be
 9640   off the edge of a screen and it would not be closable. The bug was
 9641   reported by Robert Mead. [David]
 9643 o Use TIMEVAL_AFTER(...) instead of TIMEVAL_SUBTRACT(...) > 0 when
 9644   deciding whether a probe response counts as a drop for scan delay
 9645   purposes.  This prevents an integer overflow which could
 9646   substantially degrade scan performance. [David]
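The overflow this entry describes, shown as an added example that is not Nmap's own code: the two macro definitions, the `now`/`deadline` operands and the 32-bit narrowing are assumptions standing in for the 2008 build. The point is that a microsecond difference folded into one 32-bit signed integer wraps after about 35.8 minutes and flips sign, while a field-wise comparison has nothing to overflow.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>

/* Both macros below are assumed for this example: they have the shape the
 * entry's names imply but are not copied from Nmap's nbase headers. */

/* Difference in microseconds folded into a single signed integer. The
 * (int64_t) widening is ours; a 2008-era 32-bit long had no such room. */
#define TIMEVAL_SUBTRACT(a, b) \
    (((int64_t)(a).tv_sec - (b).tv_sec) * 1000000 + ((a).tv_usec - (b).tv_usec))

/* Field-wise "a is later than b": no multiplication, nothing to overflow. */
#define TIMEVAL_AFTER(a, b) \
    ((a).tv_sec > (b).tv_sec || \
     ((a).tv_sec == (b).tv_sec && (a).tv_usec > (b).tv_usec))

/* Old decision: a response counts as a drop when TIMEVAL_SUBTRACT(...) > 0.
 * Storing the microsecond difference in 32 bits wraps once the gap passes
 * INT32_MAX us (about 35.8 minutes), so a very late response reads as
 * "early" and the drop is missed. The cast reproduces the narrow arithmetic. */
static int drop_by_subtract(struct timeval now, struct timeval deadline)
{
    int32_t diff_us = (int32_t)TIMEVAL_SUBTRACT(now, deadline);
    return diff_us > 0;
}

/* Fixed decision: compare the fields directly. */
static int drop_by_after(struct timeval now, struct timeval deadline)
{
    return TIMEVAL_AFTER(now, deadline);
}

/* Wrappers taking plain numbers so both decisions run on identical inputs. */
static int drop_by_subtract_at(long now_s, long now_us, long dl_s, long dl_us)
{
    struct timeval now = { now_s, now_us }, dl = { dl_s, dl_us };
    return drop_by_subtract(now, dl);
}

static int drop_by_after_at(long now_s, long now_us, long dl_s, long dl_us)
{
    struct timeval now = { now_s, now_us }, dl = { dl_s, dl_us };
    return drop_by_after(now, dl);
}

int main(void)
{
    /* 3000 s past the deadline: 3e9 us does not fit in an int32_t. */
    printf("3000 s late: subtract=%d after=%d\n",
           drop_by_subtract_at(5000, 0, 2000, 0),
           drop_by_after_at(5000, 0, 2000, 0));
    /* 100 ms past the deadline: both decisions agree it is a drop. */
    printf("100 ms late: subtract=%d after=%d\n",
           drop_by_subtract_at(10, 500000, 10, 400000),
           drop_by_after_at(10, 500000, 10, 400000));
    return 0;
}
```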
 9648 o Reorganized macosx/Makefile to make it easier to add in new packages
 9649   such as Ncat and Ndiff. Also removed the bogus clean-nmap and
 9650   clean-zenmap targets. [David]
 9652 o [Zenmap] Fixed a crash related to the use of NmapOptions in
 9653   ScanNotebook.py using the old interface (ops.num_random_targes,
 9654   ops.input_filename) rather than the newer dict-style
 9655   interface. [Jah]
 9657 o Split parallel DNS resolution and system DNS resolution into
 9658   separate functions. Previously system DNS resolution was encapsulated
 9659   inside the parallel DNS function, inside a big if block. Now the if
 9660   is on the outside and decides which of the two functions to
 9661   call. [David]
 9663 o [NSE] Remove "\r\r" in script output. If you print "\r\n", the
 9664   Windows C library will transform it to "\r\r\n". So we just print
 9665   "\n" with no special case for Windows.  Also fixed
 9666   showSMTPversion.nse so that it doesn't print "\r\r" in the first
 9667   place. [David]
 9669 o Updated IANA assignment IP list for random IP (-iR)
 9670   generation. [Kris]
 9672 o OS scan point matching code can now handle tests worth zero
 9673   points. We now assign zero points to ignore a couple tests which
 9674   proved ineffective. [David]
 9676 o [Zenmap] Catch the exceptions that are caused when there's no XML
 9677   output file, an empty one, or one that's half-complete. You can
 9678   cause these three situations, respectively, with: "nmap -V", "nmap
 9679   --iflist", or "nmap 0".  Also remove the target requirement for scans
 9680   because you should be able to run commands such as "nmap --iflist"
 9681   from Zenmap. [David]
 9683 o [Zenmap] Guard against the topology graph becoming empty in the
 9684   middle of an animation.  This could happen if you removed a scan
 9685   from the list of scans during an animation. The error looked like:
 9686     File "usr/lib/python2.5/site-packages/radialnet/gui/RadialNet.py",
 9687     line 1533, in __livens_up AttributeError: 'NoneType' object has no
 9688     attribute 'get_nodes'
 9689   [David]
 9691 o [Zenmap] Fixed a crash which could occur when you entered a command
 9692   containing only whitespace.  David fixed various other possible
 9693   crashes found in the crash report tracker too.  Zenmap users really
 9694   are capable of finding every possible edge case which could cause a
 9695   crash :).
 9697 Nmap 4.76 [2008-9-12]
 9699 o There is a new "external" script category, for NSE scripts which
 9700   rely on a third-party network resource. Scripts that send data to
 9701   anywhere other than the target are placed in this category. Initial
 9702   members are ASN.nse, dns-safe-recursion-port.nse,
 9703   dns-safe-recursion-txid.nse, ripeQuery.nse, HTTP_open_proxy.nse, and
 9704   whois.nse. [David]
 9706 o [Zenmap] A crash was fixed that affected Windows users with
 9707   non-ASCII characters in their user names. [David]
 9708   The error looked like this (with many variations):
 9709     UnicodeDecodeError: 'utf8' codec can't decode byte 0x9c in position 28:
 9710     unexpected code byte
 9712 o [Zenmap] Several corner-case crashes were fixed: [David]
 9713     File "radialnet\gui\NodeNotebook.pyo", line 429, in __create_widgets
 9714     KeyError: 'tcp'
 9715     File "radialnet\gui\RadialNet.pyo", line 1531, in __livens_up
 9716     AttributeError: 'NoneType' object has no attribute 'get_nodes'
 9717     File "zenmapGUI\MainWindow.pyo", line 308, in _create_ui_manager
 9718     GError: Odd character '\'
 9719     File "radialnet/gui/ControlWidget.py", line 104, in __create_widgets
 9720     AttributeError: 'module' object has no attribute 'STOCK_INFO'
 9721     File "radialnet\util\integration.pyo", line 385, in make_graph_from_hosts
 9722     KeyError: 'hops'
 9724 o [Zenmap] A crash was fixed that happened when opening the Hosts
 9725   Viewer with an empty list of hosts. [David]
 9726   The error message was
 9727     File "radialnet\gui\HostsViewer.pyo", line 167, in __cursor_callback
 9728     TypeError: GtkTreeModel.get_iter requires a tree path as its argument
 9730 o Improved rpcinfo.nse to correctly parse a wider variety of server
 9731   responses. [Sven Klemm]
 9733 o [Zenmap] Fixed a data encoding bug which could cause the crash
 9734   reporter itself to crash! [David]
 9736 o Nmap's Windows self-installer now correctly registers/deletes the
 9737   npf (WinPcap) service during install/uninstall. Also the silent
 9738   install mode was improved to avoid a case where the WinPcap
 9739   uninstaller was (non-silently) shown. [Rob Nicholls]
 9741 o Nmap's Windows self-installer now checks whether the MS Visual C++
 9742   runtime components have already been installed to avoid running it
 9743   again (which doesn't hurt anything, but slows down
 9744   installation). [Rob Nicholls]
 9746 o Fixed an assertion failure where raw TCP timing ping probes were
 9747   wrongly used during a TCP connect scan:
 9748     nmap: scan_engine.cc:2843: UltraProbe* sendIPScanProbe(UltraScanInfo*,
 9749     HostScanStats*, const probespec*, u8, u8):
 9750     Assertion `USI->scantype != CONNECT_SCAN' failed.
 9751   Thanks to LevelZero for the report. [David]
 9753 o Update the NSE bit library to replace deprecated use of
 9754   luaL_openlib() with luaL_register(). This fixes a build error which
 9755   occurred on systems which have Lua libraries installed but
 9756   LUA_COMPAT_OPENLIB not defined. [Sven]
 9758 o [Zenmap] The automatic crash reporter no longer requires an email
 9759   address. [David]
 9761 o [Zenmap] Highlighting of hostnames was improved to avoid wrongful
 9762   highlighting of certain elapsed times, byte counts, and other
 9763   non-hostname data. The blue highlight effects are now more subtle
 9764   (no longer bold, underlined, or italic) [David]
 9766 o [Zenmap] A warning that would occur when a host had the same service
 9767   running on more than one port was removed. Thanks to Toralf Förster
 9768   for the bug report. [David]
 9769     GtkWarning: gtk_box_pack_start: assertion `child->parent == NULL' failed
 9770       self.pack_start(widget, expand=False, fill=False)
 9772 Nmap 4.75 [2008-9-7]
 9774 o [Zenmap] Added a new Scan Topology system. The idea is that if we
 9775   are going to call Nmap the "Network Mapper", it should at least be
 9776   able to draw you a map of the network!  And that is what this new
 9777   system does. It was achieved by integrating the RadialNet Nmap
 9778   visualization tool (http://www.dca.ufrn.br/~joaomedeiros/radialnet),
 9779   into Zenmap. Joao Medeiros has been developing RadialNet for more
 9780   than a year. For details, complete with some of the most beautiful
 9781   Zenmap screen shots ever, visit
 9782   https://nmap.org/book/zenmap-topology.html . The integration work was
 9783   done by SoC student Vladimir Mitrovic and his mentor David Fifield.
 9785 o [Zenmap] Another exciting new Zenmap feature is Scan Aggregation.
 9786   This allows you to visualize and analyze the results of multiple
 9787   scans at once, as if they were from one Nmap execution. So you might
 9788   scan one network, analyze the results a bit, then scan some of the
 9789   machines more intensely or add a completely new subnet to the
 9790   scan. The new results are seamlessly added to the old, as described
 9791   at https://nmap.org/book/zenmap-scanning.html#aggregation. [David,
 9792   Vladimir]
 9794 o Expanded nmap-services to include information on how frequently each
 9795   port number is found open.  The results were generated by scanning
 9796   tens of millions of IPs on the Internet this summer, and augmented
 9797   with internal network data contributed by some large
 9798   organizations. [Fyodor]
 9800 o Nmap now scans the most common 1,000 ports by default in either
 9801   protocol (UDP scan is still optional).  This is a decrease from
 9802   1,715 TCP ports and 1,488 UDP ports in Nmap 4.68.  So Nmap is faster
 9803   by default and, since the port selection is better thanks to the
 9804   port frequency data, it often finds more open ports as
 9805   well. [Fyodor]
 9807 o Nmap fast scan (-F) now scans the top 100 ports by default in either
 9808   protocol.  This is a decrease from 1,276 (TCP) and 1,017 (UDP) in
 9809   Nmap 4.68. Port scanning time with -F is generally an order of
 9810   magnitude faster than before, making -F worthy of its "fast scan"
 9811   moniker. [Fyodor]
 9813 o The --top-ports option lets you specify the number of ports you wish
 9814   to scan in each protocol, and will pick the most popular ports for
 9815   you based on the new frequency data.  For both TCP and UDP, the top
 9816   10 ports get you roughly half of the open ports.  The top 1,000
 9817   (out of 65,536 possible) finds roughly 93% of the open TCP ports and
 9818   more than 95% of the open UDP ports. [Fyodor, Doug Hoyte]
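The nmap-services frequency column and the --top-ports selection described in the entries above, as an added example that is not Nmap's own code: it parses the `name port/proto frequency [# comment]` format from a constructed sample, picks the most frequently open ports of one protocol, and computes what share of the summed frequency the top n ports cover. The struct, helper names and sample values are assumptions; the sample is not the real data file.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 256

/* One parsed nmap-services line; a struct constructed for this example. */
struct svc_entry { char name[32]; unsigned port; char proto[8]; double freq; };

/* Parse "name port/proto frequency [# comment]". Returns 1 on success and
 * 0 for comment, blank, malformed or out-of-range lines. `out` may be NULL
 * when only validation is wanted. */
static int parse_services_line(const char *line, struct svc_entry *out)
{
    struct svc_entry e;
    if (line[0] == '#' || line[0] == '\0' || line[0] == '\r' || line[0] == '\n')
        return 0;
    if (sscanf(line, "%31s %u/%7[a-z] %lf", e.name, &e.port, e.proto, &e.freq) != 4)
        return 0;
    if (e.port == 0 || e.port > 65535 || e.freq < 0.0 || e.freq > 1.0)
        return 0;
    if (out) *out = e;
    return 1;
}

/* Parse a newline-separated file body, keeping entries of one protocol. */
static size_t parse_services(const char *text, const char *proto,
                             struct svc_entry *out, size_t max)
{
    size_t n = 0;
    const char *p = text;
    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        struct svc_entry e;
        if (len >= sizeof line) len = sizeof line - 1;  /* cut, never overrun */
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_services_line(line, &e) && strcmp(e.proto, proto) == 0)
            out[n++] = e;
        if (!nl) break;
        p = nl + 1;
    }
    return n;
}

/* Highest frequency first; the lower port number wins a tie. */
static int by_freq_desc(const void *a, const void *b)
{
    const struct svc_entry *x = a, *y = b;
    if (x->freq != y->freq) return x->freq > y->freq ? -1 : 1;
    return (x->port > y->port) - (x->port < y->port);
}

/* Parse and sort so the most frequently open port of `proto` comes first. */
static size_t load_sorted(const char *text, const char *proto,
                          struct svc_entry *entries)
{
    size_t count = parse_services(text, proto, entries, MAX_ENTRIES);
    qsort(entries, count, sizeof entries[0], by_freq_desc);
    return count;
}

/* The --top-ports selection: the idx-th (0-based) most frequently open
 * port of `proto`, or 0 when the list is exhausted. */
static unsigned nth_top_port(const char *text, const char *proto, size_t idx)
{
    struct svc_entry entries[MAX_ENTRIES];
    size_t count = load_sorted(text, proto, entries);
    return idx < count ? entries[idx].port : 0;
}

/* Share of the protocol's summed open-port frequency that its top n ports
 * account for: the kind of figure behind "top 1,000 finds roughly 93%". */
static double top_ports_coverage(const char *text, const char *proto, size_t n)
{
    struct svc_entry entries[MAX_ENTRIES];
    size_t count = load_sorted(text, proto, entries), i;
    double total = 0.0, top = 0.0;
    for (i = 0; i < count; i++) {
        total += entries[i].freq;
        if (i < n) top += entries[i].freq;
    }
    return total > 0.0 ? top / total : 0.0;
}

/* Constructed sample in nmap-services format; not the real data file. */
static const char SAMPLE_SERVICES[] =
    "# service port/proto frequency # comment\n"
    "http 80/tcp 0.484143 # World Wide Web HTTP\n"
    "telnet 23/tcp 0.221265\n"
    "https 443/tcp 0.208669\n"
    "ssh 22/tcp 0.182286\n"
    "unknown 65000/tcp 0.000050\n"
    "bogus 70000/tcp 0.100000 # port out of range: must be skipped\n"
    "snmp 161/udp 0.433467\n"
    "domain 53/udp 0.213496\n"
    "ntp 123/udp 0.330879\n";
```

Calling `nth_top_port(SAMPLE_SERVICES, "tcp", 0)` through `2` yields 80, 23 and 443, and `top_ports_coverage(SAMPLE_SERVICES, "tcp", 3)` reports the share of the sample's summed TCP frequency those three ports cover.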
 9820 o David integrated all of your OS detection fingerprint and correction
 9821   submissions from March 11 until mid-July.  In the process, we
 9822   reached the 1500-signature milestone for the 2nd generation OS
 9823   detection system. We can now detect the newest iPhones, Linux
 9824   2.6.25, OS X Darwin 9.2.2, Windows Vista SP1, and even the Nintendo
 9825   Wii. Nmap now has 1,503 signatures, vs. 1,320 in 4.68. Integration
 9826   is now faster and more pleasant thanks to the new OSassist
 9827   application developed by Nmap SoC student Michael Pattrick. See
 9828   http://seclists.org/nmap-dev/2008/q3/0089.html and
 9829   http://seclists.org/nmap-dev/2008/q3/0139.html for more details.
 9831 o Nmap now works with Windows 2000 again, after being broken by our
 9832   IPv6 support improvements in version 4.65. A couple new dependencies
 9833   are required to run on Win2K, as described at
 9834   https://nmap.org/book/inst-windows.html#inst-win2k .
 9836 o [Zenmap] Added a context-sensitive help system to the Profile
 9837   Editor.  You can now mouse-over options to learn more about what
 9838   they are used for and their proper argument syntax. [Jurand Nogiec]
 9840 o When Nmap finds a probe during ping scan which elicits a response,
 9841   it now saves that information for the port scan and later phases.
 9842   It can then "ping" the host with that probe as necessary to collect
 9843   timing information even if the host is not responding to the normal
 9844   port scan packets. Previously, Nmap's port scan timing pings could
 9845   only use information gathered during that port scan itself.  A
 9846   number of other "port scan ping" system improvements were made at
 9847   the same time to improve performance against firewalled hosts. For
 9848   full details, see http://seclists.org/nmap-dev/2008/q3/0647.html
 9849   [David, Michael, Fyodor]
 9851 o --traceroute now uses the timing ping probe saved from host
 9852   discovery and port scanning instead of finding its own probe. The
 9853   timing ping probe is always the best probe Nmap knows about for
 9854   eliciting a response from a target. This will have the most effect
 9855   on traceroute after a ping scan, where traceroute would sometimes
 9856   pick an ineffective probe and traceroute would fail even though the
 9857   target was up. [David]
 9859 o Added dns-safe-recursion-port and dns-safe-recursion-txid
 9860   (non-default NSE scripts) which use the 3rd party dns-oarc.net
 9861   lookup to test the source port and transaction ID randomness of
 9862   discovered DNS servers (assuming they allow recursion at all).
 9863   These scripts, which test for the "Kaminsky" DNS bugs, were
 9864   contributed by Brandon Enright.
 9866 o Added whois.nse, which queries the Regional Internet Registries
 9867   (RIRs) to determine who the target IP addresses are assigned
 9868   to. [Jah]
 9870 o [Zenmap] Overhauled the default list of scan profiles based on
 9871   nmap-dev discussion.  Users now have a much more diverse and useful
 9872   set of default profile options. And if they don't like any of those
 9873   canned scan commands, they can easily create their own in the
 9874   Profile Editor! [David]
 9876 o Fyodor made a number of performance tweaks, such as:
 9877   - increase host group sizes in many cases, so Nmap will now commonly
 9878     scan 64 hosts at a time rather than 30
 9879   - align host groups with common network boundaries, such as /24 or
 9880     /25
 9881   - increase maximum per-target port-scan ping frequency to one every
 9882     1.25 seconds rather than every five. Port scan pings happen
 9883     against heavily firewalled hosts and the like when Nmap is not
 9884     receiving enough responses to normal scan to properly calculate
 9885     timing variables and detect packet drops.
 9887 o Added a new NSE binlib library, which offers bin.pack() and
 9888   bin.unpack() functions for dealing with storing values in and
 9889   extracting them from binary strings.  For details, see
 9890   https://nmap.org/book/nse-library.html#nse-binlib . [Philip
 9891   Pickering]
 9893 o Added a new NSE DNS library. See this thread:
 9894   http://seclists.org/nmap-dev/2008/q3/0310.html [Philip Pickering]
 9896 o Added new NSE libraries for base64 encoding, SNMP, and POP3 mail
 9897   operations.  They are described at
 9898   http://seclists.org/nmap-dev/2008/q3/0233.html . [Philip Pickering]
 9900 o Added NSE scripts popcapa (retrieves POP3 server capabilities) and
 9901   brutePOP3 (brute force POP3 authentication cracker) which make use
 9902   of the new POP3 library. [Philip Pickering]
 9904 o Added the SNMPcommunitybrute NSE script, which is a brute force
 9905   community string cracker. Also modified SNMPsysdescr to use the new
 9906   SNMP library. [Philip Pickering]
 9908 o Fixed the SMTPcommands script so that it can't return multiple
 9909   values (which was causing problems). Thanks to Jah for tracking down
 9910   the problem and sending a fix for SMTPcommands. Then Patrick fixed
 9911   NSE so it can handle misbehaving scripts like this without causing
 9912   mysterious side effects.
 9914 o Added a new NSE Unpwdb (username/password database) library for
 9915   easily obtaining usernames or passwords from a list.  The functions
 9916   usernames() and passwords() return a closure which returns a new
 9917   list entry with every call, or nil when the list is exhausted.  You
 9918   can specify your own username and/or password lists via the script
 9919   arguments userdb and passdb, respectively. [Kris]
 9921 o Nmap's Nsock-utilizing subsystems (DNS, NSE, version detection) have
 9922   been updated to support the -S and --ip-options flags. [Kris]
 9924 o A new --max-rate option was added, which complements --min-rate. It
 9925   lets you specify the maximum byte rate at which Nmap is allowed to
 9926   send packets. [David]
 9928 o Added --ip-options support for the connect() scan (-sT). [Kris]
 9930 o Nsock now supports binding to a local address and setting IPv4
 9931   options with nsi_set_localaddr() and nsi_set_ipoptions(),
 9932   respectively. [Kris]
 9934 o Added IPProto Ping (-PO) support to Traceroute, and fixed support for
 9935   IPProto Scan (-sO) and the ICMP Pings (-PE, -PP, -PM) in Traceroute
 9936   as well.  These could cause Nmap to hang during Traceroute. [Kris]
 9938 o [Zenmap] Added a "Cancel" button for cancelling a scan in progress
 9939   without losing any Nmap output obtained so far. [Jurand Nogiec]
 9941 o Improve the netbios-smb-os-discovery NSE script to improve target
 9942   port selection and to also decode the system's timestamp from an SMB
 9943   response. [Ron at SkullSecurity]
 9945 o Nmap now avoids collapsing large numbers of ports in open|filtered
 9946   state (e.g. just printing that 500 ports are in that state rather
 9947   than listing them individually) if verbosity or debugging levels are
 9948   greater than two.  See this thread:
 9949   http://seclists.org/nmap-dev/2008/q3/0312.html . [Fyodor]
 9951 o The NSE http library now supports chunked encoding. [Sven Klemm]
 9953 o The NSE datafiles library now has generic file parsing routines, and
 9954   the parsing of the standard nmap data files (e.g. nmap-services,
 9955   nmap-protocols, etc.) now uses those generic routines.  NSE scripts
 9956   and libraries may find them useful for dealing with their own data
 9957   files, such as password lists. [Jah]
 9959 o Passed the big revision 10,000 milestone in the Nmap project SVN
 9960   server: http://seclists.org/nmap-dev/2008/q3/0682.html
 9962 o Added some Windows and MinGW compatibility patches submitted by
 9963   Gisle Vanem.
 9965 o Improved nse_init so that compilation/runtime errors in NSE scripts
 9966   no longer cause the script engine to abort. [Patrick]
 9968 o Fix a cosmetic bug in --script-trace hex dump output which resulted
 9969   in bytes with the highest bit set being prefixed with ffffff. [Sven
 9970   Klemm]
 9972 o Removed the nselib-bin directory. The last remaining shared NSE
 9973   module, bit, has been made static by Patrick. Shared modules were
 9974   broken for static builds of Nmap, such as those in the RPMS. We also
 9975   had the compilation problems (particularly on OpenBSD) with shared
 9976   modules which led us to make PCRE static a while back. [David]
 9978 o Updated rpcinfo NSE script to use the new pack/unpack (binlib)
 9979   functions, use the new tab library, include better documentation, and
 9980   fix some bugs. [Sven Klemm]
 9982 o Add useful details to the error message printed when an NSE script
 9983   fails to load (due to syntax error, etc.) [Patrick]
 9985 o Fix a bug in the NSE http library which would cause some scripts to
 9986   give the error: SCRIPT ENGINE: C:\Program
 9987   Files\Nmap\nselib/http.lua:77: attempt to call field 'parse' (a nil
 9988   value) [Jah]
 9990 o Fixed a couple of Makefile problems (race condition) which could
 9991   lead to build failures when launching make in parallel mode (e.g.
 9992   -j4). [Michal Januszewski, Chris Clements]
 9994 o Added new addrow() function to NSE tab library.  It allows
 9995   developers to add a whole row at once rather than doing a separate
 9996   add() call for each column in a row. [Sven Klemm]
 9998 o Completion time estimates provided in verbose mode or when you hit a
 9999   key during scanning are now more accurate thanks to algorithm
10000   improvements by David.
10002 o Fixed a number of NSE scripts which used print_debug()
10003   incorrectly. See
10004   http://seclists.org/nmap-dev/2008/q3/0470.html . [Sven Klemm]
10006 o [Zenmap] The Ports/Hosts view now provides full version detection
10007   values rather than just a simple summary. [Jurand Nogiec]
10009 o [Zenmap] When you edit the command-entry field, then change the
10010   target selection, Nmap no longer blows away your edits in favor of
10011   using your current profile. [Jurand Nogiec]
10013 o Nsock now returns data from UDP packets individually, preserving the
10014   packet boundary, rather than concatenating the data from multiple
10015   packets into a single buffer.  This fixes a problem related to our
10016   reverse-DNS system, which can only handle one DNS packet at a time.
10017   Thanks to Tim Adam of ManageSoft for debugging the problem and
10018   sending the patch.  Doug Hoyte helped with testing, and it was
10019   applied by Fyodor.
10021 o [Zenmap] Fixed a crash which would occur when you try to compare two
10022   files, either of which has more than one extraports element. [David]
10024 o Added the undocumented (except here) --nogcc option which disables
10025   global/group congestion control algorithms and so each member of a
10026   scan group of machines is treated separately.  This is just an
10027   experimental option for now. [Fyodor]
10029 o [Zenmap] The Ports/Hosts display now has different colors for open
10030   and closed ports. [Vladimir]
10032 o Fixed Zenmap so that it displays all Nmap errors.  Previously, only
10033   stdout was redirected into the window, and not stderr.  Now they are
10034   both redirected. [Vladimir]
10036 o NSE can now be used in combination with ping scan (e.g. "-sP
10037   --script") so that you can execute host scripts without needing to
10038   perform a port scan. [Kris]
10040 o [NSE] Category names are now case insensitive. [Patrick]
10042 o [NSE] Each thread for a script now gets its own action closure (and
10043   upvalues). See: http://seclists.org/nmap-dev/2008/q2/0549.html
10044   [Patrick]
10046 o [NSE] The script_scan_result structure has been changed to a class,
10047   ScriptResult, which now holds a Script's output in an std::string.
10048   This removes the need to use malloc and free to manage this memory.
10049   A similar change was made to the run_record structure. [Patrick]
10051 o [NSE] Fixed a socket exhaustion deadlock which could prevent a
10052   script scan from ever finishing. Now, rather than limit the total
10053   number of sockets which can be open, we limit the number of scripts
10054   which can have sockets open at once.  And once a script has one
10055   socket opened, it is permitted to open as many more as it
10056   needs. [Patrick]
10058 o A hashing library (code from OpenSSL) was added to NSE.  hashlib
10059   contains md5 and sha1 routines. [Philip Pickering]
10061 o Fixed host discovery probe matching when looking at the returned TCP
10062   data in an ICMP error message.  This could formerly lead to
10063   incorrectly discarded responses and the debugging error message:
10064   "Bogus trynum or sequence number in ICMP error message" [Kris]
10066 o Fixed a segmentation fault in Nsock which occurred when calling
10067   nsock_write() with a data length of -1 (which means the data is a
10068   NUL-terminated string and Nsock should take the length itself) and
10069   the Nsock trace level was at least 2. [Kris]
10071 o The NSE Comm library now defaults to trying to read as many bytes as
10072   are available rather than lines if neither the "bytes" nor "lines"
10073   options are given.  Thanks to Brandon for reporting a problem which
10074   he noticed in the dns-test-open-recursion script. [Kris]
10076 o Updated zoneTrans.nse to replace length bytes in returned domain
10077   names with periods itself rather than relying on NSE's old behavior of
10078   replacing non-printable characters with periods.  Thanks to Rob
10079   Nicholls for reporting the problem. [Kris]
10081 o Some Zenmap crashes have been fixed: trying to "refresh" the output
10082   of a scan loaded from a file, and trying to re-save a file loaded
10083   from the command line in some circumstances. [David]
10085 o [Zenmap] The file selector now remembers what directory it was last
10086   looking at. [David]
10088 o Added an extra layer of validity checking to received packets
10089   (readip_pcap), just to be extra safe. See
10090   http://seclists.org/nmap-dev/2008/q3/0644.html . [Kris]
10092 o Zenmap defaults to showing files matching both *.xml and *.usr in
10093   the file selector. Previously it only showed those matching *.usr.
10094   The new combined format will be XML and .usr will be deprecated.
10095   See http://seclists.org/nmap-dev/2008/q3/0093.html .
10097 o Nmap avoids printing the sending rate in bytes per second during a
10098   TCP connect scan. Because the number of bytes per probe is not
10099   known, it used to print current sending rates: 11248.85 packets / s,
10100   0.00 bytes / s.  Now it will simply print rates like "11248.85
10101   packets / s". [David]
10103 o [Zenmap] Nmap's installation process now includes .desktop files
10104   which install menu items for launching Zenmap as a privileged or
10105   non-privileged process on Linux. This will mainly affect people who
10106   install nmap and Zenmap directly from the source code. [Michael]
10108 o Improved performance of IP protocol scan by fixing a bug related to
10109   timing calculations on ICMP probe responses.  See r8754 svn log for
10110   full details. [David]
10112 o Nmap --reason output no longer falsely reports a localhost-response
10113   during -PN scans. See
10114   http://seclists.org/nmap-dev/2008/q3/0188.html . [Michael]
10116 o [Zenmap] The higwidgets Python package has moved so it is now a
10117   subpackage of zenmapGUI. This avoids naming conflicts with Umit,
10118   which uses a slightly different version of higwidgets. [David]
10120 o A bug that could cause some host discovery probes to be incorrectly
10121   interpreted as drops was fixed. This occurred only when the IP
10122   protocol ping (-PO) option was combined with other ping
10123   types. [David]
10125 o A new scanflags attribute has been added to XML output, which lists
10126   all user specified --scanflags for the scan. nmap.dtd has been
10127   modified to account for this. [Michael]
10129 o The loading of the nmap-services file has been made much
10130   faster--roughly 9 times faster in common cases.  This is important
10131   for the new (much larger) frequency augmented nmap-services
10132   file. [David]
10134 o Added a script (ASN.nse) which uses Team Cymru's DNS interface to
10135   determine the routing AS numbers of scanned IP addresses.  They even
10136   set up a special domain just for Nmap queries.  The script is still
10137   experimental and non-default. [Jah, Michael]
10139 o [Zenmap] Clicking "Cancel" in a file chooser in the diff interface
10140   no longer causes a crash. [David]
10142 o The shtool build helper script has been updated to version 2.0.8. An
10143   older version of shtool caused installation to fail when the locale
10144   was set to et_EE. Thanks to Michal Januszewski for the bug
10145   report. [David]
10147 o [Zenmap] Removed services.dmp and os_dmp.dmp and all the files that
10148   referred to them. They are not needed with the new search
10149   interface. Also removed an unused search progress bar.  And some
10150   broken fingerprint submission code.  Yay for de-bloating! [David]
10152 o [Zenmap] Added "%F" to the Exec link in the new Zenmap desktop
10153   file. We expect (hope) that this will allow dragging and dropping
10154   XML files onto the icon. [David]
10156 o [Zenmap] The -o[XGASN] options can now be specified, just as you can
10157   at the console. [Vladimir]
10159 o [Zenmap] You can now shrink the scan window below its default
10160   size thanks to NmapOutputViewer code enhancements. [David]
10162 o [Zenmap] Removed optional use of the Psyco Python optimizer since
10163   Zenmap is not the kind of CPU-bound application which benefits from
10164   Psyco.
10166 o [Zenmap] You can now select more than one host in the "Ports /
10167   Hosts" view by control-clicking them in the column at left.
10169 o [Zenmap] The profile editor now offers the --traceroute option.
10171 o Zenmap now uses Unicode objects pervasively when dealing with Nmap
10172   text output, though the only internationalized text Nmap currently
10173   outputs is the user's time zone. [David]
10175 o Unprintable characters in NSE script output (which really shouldn't
10176   happen anyway) are now printed like \xHH, where HH is the
10177   hexadecimal representation of the character. See
10178   http://seclists.org/nmap-dev/2008/q3/0180.html . [Patrick]
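As an added illustration of the \xHH convention described in this entry (my own example, not Nmap's NSE output code): every byte outside printable ASCII is rewritten as a backslash-x escape before it reaches the terminal, so control sequences embedded in a scanned service's reply cannot be interpreted by the user's terminal. Keeping newline and tab literally, and the function names, are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy 'in' (len bytes; may contain NULs and terminal control bytes) into
 * 'out' as a NUL-terminated string. Printable ASCII (0x20..0x7e) plus a
 * plain newline or tab is copied as-is; every other byte becomes \xHH
 * with two lowercase hex digits. Returns the number of characters written
 * (excluding the NUL), or -1 when 'out' is too small. */
long escape_unprintable(const unsigned char *in, size_t len,
                        char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        int keep = (c >= 0x20 && c < 0x7f) || c == '\n' || c == '\t';
        size_t need = keep ? 1 : 4;

        if (o + need + 1 > outlen)   /* always leave room for the NUL */
            return -1;

        if (keep) {
            out[o++] = (char)c;
        } else {
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        }
    }
    out[o] = '\0';
    return (long)o;
}

/* Convenience wrapper for NUL-terminated input using a static buffer.
 * Returns NULL when the escaped form does not fit. */
const char *escape_string(const char *in)
{
    static char buf[256];
    if (escape_unprintable((const unsigned char *)in, strlen(in),
                           buf, sizeof buf) < 0)
        return NULL;
    return buf;
}

int main(void)
{
    /* Constructed sample: an ANSI colour reset sequence and UTF-8 bytes. */
    const char *sample = "banner: ab\x1b[0m caf\xc3\xa9";
    printf("%s\n", escape_string(sample));
    return 0;
}
```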
10180 o Nmap sometimes sent packets with incorrect IP checksums,
10181   particularly when sending the UDP probes in OS detection. This has
10182   been fixed. Thanks to Gisle Vanem for reporting and investigating the
10183   bug. [David]
10185 o Fixed the --without-liblua configure option so that it works
10186   again. [David]
10188 o In the interest of forward compatibility, the xmloutputversion
10189   attribute in Nmap XML output is no longer constrained to be a
10190   certain string ("1.02"). The xmloutputversion should be taken as
10191   merely advisory by authors of parsers.
10193 o Zenmap no longer leaves any temporary files lying around. [David]
10195 o Nmap only prints an uptime guess in verbose mode now, because in
10196   some situations it can be very inaccurate. See the discussion at
10197   http://seclists.org/nmap-dev/2008/q3/0392.html . [David]
10199 Nmap 4.68 [2008-6-28]
10201 o Doug integrated all of your version detection submissions and
10202   corrections for the year up to May 31.  There were more than 1,000
10203   new submissions and 18 corrections.  Please keep them coming!  And
10204   don't forget that corrections are very important, so do submit them
10205   if you ever catch Nmap making a version detection or OS detection
10206   mistake.  The version detection DB has grown to 5,054 signatures
10207   representing 486 service protocols.  Protocols span the gamut from
10208   abc, acap, access-remote-pc, activefax, and activemq, to zebedee,
10209   zebra, zenimaging, and zenworks.  The most popular protocols are
10210   http (1,672 signatures), telnet (519), ftp (459), smtp (344), and
10211   pop3 (201).
10213 o Nmap compilation on Windows is now done with Visual C++ Express 2008
10214   rather than 2005.  Windows compilation instructions have been
10215   updated at https://nmap.org/book/inst-windows.html#inst-win-source .
10216   [Kris]
10218 o The Nmap Windows self-installer now automatically installs the MS
10219   Visual C++ 2008 runtime components if they aren't already installed
10220   on a system.  These are some reasonably small DLLs that are
10221   generally necessary for applications compiled with Visual C++ (with
10222   dynamic linking).  Many or most systems already have these installed
10223   from other software packages.  The lack of these components led to
10224   the error message "The Application failed to initialize properly
10225   (0xc0150002)." with Nmap 4.65.  A related change is that Nmap on
10226   Windows is now compiled with /MD rather than /MT so that it
10227   consistently uses these runtime libraries.  The patch was created by
10228   Rob Nicholls.
10230 o Added advanced search functionality to Zenmap so that you can locate
10231   previous scans using criteria such as which ports were open, keywords
10232   in the target names, OS detection results, etc.  Try it out with
10233   Ctrl-F or "Tools->Search Scan Results". [Vladimir]
10235 o Nmap's special WinPcap installer now handles 64-bit Windows machines
10236   by installing the proper 64-bit npf.sys. [Rob Nicholls]
10238 o Added a new NSE Comm (common communication) library for common
10239   network discovery tasks such as banner-grabbing (get_banner()) and
10240   making a quick exchange of data (exchange()).  16 scripts were
10241   updated to use this library. [Kris]
10243 o The Nmap Scripting Engine now supports mutexes for gracefully
10244   handling concurrency issues.  Mutexes are documented at
10245   https://nmap.org/book/nse-api.html#nse-mutex . [Patrick]
10247 o Added a UDP SNMPv3 probe to version detection, along with 9 vendor
10248   match lines. The patch was from Tom Sellers, who contributed other
10249   probes and match lines to this release as well.
10251 o Added a new timing_level() function to NSE which reports the Nmap
10252   timing level from 0 to 5, as set by the Nmap -T option.  The default
10253   is 3. [Thomas Buchanan]
10255 o Update the HTTP library to use the new timing_level functionality to
10256   set connection and response timeouts. An error preventing the new
10257   timing_level feature from working was also fixed.  [Jah]
10259 o Optimized the doAnyOutstandingProbes() function to make Nmap a bit
10260   faster and more efficient.  This makes a particularly big difference
10261   in cases where --min-rate is being used to specify a very high
10262   packet sending rate. [David]
10264 o Fixed an integer overflow which prevented a target specification of
10265   "*.*.*.*" from working.  Support for the CIDR /0 is now also
10266   available for those times you wish to scan the entire
10267   Internet. [Kris]
10269 o The robots.nse script has been improved to print output more
10270   compactly and limit the number of entries of large robots.txt files
10271   based on Nmap verbosity and debugging levels. [Eddie Bell]
10273 o The Nmap NSE scripts have been re-categorized in a more logical
10274   fashion.  The new categories are described at
10275   https://nmap.org/book/nse-usage.html#nse-categories . [Kris]
10277 o Improve AIX support by linking against -lodm and -lcfg on that
10278   platform. [David]
10280 o Updated showHTMLTitle NSE script to follow one HTTP redirect if
10281   necessary as long as it is on the same server. [Jah]
10283 o Michael Pattrick and David created a new OSassist application which
10284   streamlines the OS fingerprint submission integration process and
10285   prevents certain previously common errors.  OSassist isn't part of
10286   Nmap, but the system was used to integrate some submissions for this
10287   release.  13 fingerprints were added during OSassist testing, and
10288   some existing fingerprints were improved as well.  Expect many more
10289   fingerprints coming soon.
10291 o Improved the mapping from dnet device names (like eth0) and WinPcap
10292   names (like \Device\NPF_{28700713...}).  You can see this mapping
10293   with --iflist, and the change should make Nmap more likely to work
10294   on Windows machines with unusual networking configurations. [David]
10296 o Service fingerprints in XML output are no longer truncated to
10297   2kb.  [Michael]
10299 o Some laptops report the IP Family as NULL for disabled WiFi cards.
10300   This could lead to a crash with the "sin->sin_family == AF_INET6"
10301   assertion failure.  Nmap no longer quits when this is
10302   encountered. [Michael]
10304 o On systems without the GNU getopt_long_only() function, Nmap has its
10305   own replacement.  That replacement used to call the system's
10306   getopt() function if it exists.  But the AIX and Solaris getopt()
10307   functions proved insufficient/buggy, so Nmap now always calls its
10308   own internal getopt() from its getopt_long_only()
10309   replacement. [David]
10311 o Integrated several service match lines from Tom Sellers.
10313 o An error was fixed where Zenmap would crash when trying to load from
10314   the recent scans database a file containing non-ASCII
10315   characters. The error looked like
10316     pysqlite2.dbapi2.OperationalError: Could not decode to UTF-8 column
10317       'nmap_xml_output' with text
10318     '<?xml version="1.0" encoding="iso-8859-1"?>
10319     <nmaprun profile="nmap -T Aggressive -n -v %s" scanner="nmap" hint=""
10320   The error would be seen when such a scan was found using the
10321   search interface. [David]
10323 o Fix a Zenmap crash which occurred when locale.getpreferredencoding()
10324   returns "None".  Similarly, deal with the case when "X-MAC-KOREAN"
10325   is returned by this function.  Both problems were found with the
10326   Zenmap crash reporter. [David]
10328 o A whole bunch of internal Zenmap cleanup was done by David to make
10329   the code more logical and remove dead code.
10331 o Install icons and pixmaps under /usr/share/zenmap/{icons,pixmaps} so
10332   they don't get mixed in with the files in
10333   /usr/share/{icons,pixmaps}.  [Jurand Nogiec]
10335 o Fixed a Zenmap command entry problem where Zenmap would lose a
10336   custom command you had entered into the command entry field if you
10337   changed the target field after entering the custom command. [Jurand
10338   Nogiec]
10340 o The Zenmap crash reporter now includes a stack trace rather than
10341   just the exception name. [David]
10343 o Zenmap now executes the proper Nmap command by honoring the
10344   nmap_command_path variable in zenmap.conf. [Jurand Nogiec]
10346 o Fixed a bug which caused -PN to erroneously bail out for
10347   unprivileged users.  Thanks to Jabra (jabra(a)spl0it.org) for the
10348   report. [Kris]
10350 o Fixed several Nmap NSE memory leaks found with Valgrind. [Kris]
10352 o Migrated some stray malloc()/realloc() calls to the Nbase
10353   safe_malloc()/safe_realloc() versions which guard against certain
10354   errors.
10356 o Fixed a bunch of subtle bugs, some of which could have resulted in
10357   a crash, reported by Ilja van Sprundel. [Kris]
10359 o Fixed several byte-order bugs in Traceroute. [Kris]
10361 o Fixed a crash in RateMeter::update() which could lead to an error
10362   saying "diff >= 0.0" assertion failed.  I think the problem was
10363   actually caused by SMP machines which didn't sync the clock time
10364   perfectly.  This led to gettimeofday() sometimes reporting that
10365   time decreased by some microseconds.  Now Nmap is willing to
10366   tolerate decreases of up to 1 millisecond in this function. [Fyodor]
10368 o Nmap now returns correct values for --iflist on Windows even
10369   if interface aliases have been set. Previously it would misreport
10370   the windevices and not list all interfaces. [Michael]
10372 o Nmap no longer crashes with an 'assert' error when it's told to
10373   access a disabled WiFi NIC on some laptops. [Michael]
10375 o Upgraded the OpenSSL shipped for Windows to 0.9.8h. [Kris]
10377 o The NSE http library was updated to gracefully handle certain bogus
10378   (non-)http responses. [Jah]
10380 o The zoneTrans.nse script now takes a "domain" script argument to
10381   specify the desired domain name to transfer.  You can narrow the
10382   scope down with the form "zoneTrans={domain=xxx}". [Kris]
10384 o Increase write buffer length for Nmap output on Windows. This should
10385   prevent error messages like: "log_vwrite: vsnprintf failed.  Even
10386   after increasing bufferlen to 819200, Vsnprintf returned -1 (logt ==
10387   1)."  Thanks to prozente0 for the report. [Fyodor]
10389 o Fixed the --script-updatedb command, which was claiming to be
10390   "Aborting database update" even when the update was performed
10391   perfectly.  See http://seclists.org/nmap-dev/2008/q2/0623.html .
10392   Thanks to Jah for the report.
10394 Nmap 4.65 [2008-6-1]
10396 o A Mac OS X Nmap/Zenmap installer is now available from the Nmap
10397   download page!  It is rather straightforward, but detailed
10398   instructions are available anyway at
10399   https://nmap.org/book/inst-macosx.html .  As a universal installer,
10400   it works on both Intel and PPC Macs. It is distributed as a disk
10401   image file (.dmg) containing an mpkg package.  The installed Nmap
10402   does include OpenSSL support.  It also supports Authorization
10403   Services so that Zenmap can run as root.  David created this
10404   installer.  He wants to thank Benson Kalahar and Vlad Alexa for
10405   extensive testing of the nine test releases.
10407 o The Windows version of Nmap now supports OpenSSL just as the UNIX
10408   versions have for years.  Both the .zip and executable installer
10409   binary packages we ship from the Nmap download page now include
10410   OpenSSL. [Kris, Thomas Buchanan]
10412 o We now compile in IPv6 support on Windows.  In order to use this,
10413   you need to have IPv6 set up.  It is installed by default on Vista,
10414   but must be downloaded from Microsoft for XP.  See
10415   http://www.microsoft.com/technet/network/ipv6/ipv6faq.mspx . [Kris]
10417 o Seven Google-sponsored Summer of Code students began working on
10418   exciting Nmap projects full time.  The winning students and their
10419   Nmap development projects are described at
10420   http://seclists.org/nmap-dev/2008/q2/0132.html .
10422 o Our WinPcap installer now starts the NPF driver running as a
10423   service immediately upon installation and after restarts. You can
10424   disable this with new check-boxes. This behavior is important for
10425   Vista and Windows Server 2008 machines when User Account
10426   Control (UAC) is enabled. [Rob Nicholls]
10428 o Nmap and Nmap-WinPcap silent installation now works.  Nmap can
10429   be silently installed with the /S option to the installer.
10430   If you install Nmap from the zip file, you can install just
10431   WinPcap silently with the /S option to that
10432   installer. [Rob Nicholls]
10434 o Our WinPcap installer is now included with the Nmap Win32 zip
10435   file. [Fyodor]
10437 o Numerous miscellaneous improvements were made to our Win32
10438   installer, such as using the "Modern" NSIS UI for WinPcap,
10439   improving the option description labels, and showing a finish
10440   page in all cases. [Rob Nicholls]
10442 o The nmap-dev and nmap-hackers mailing list RSS feeds at seclists.org
10443   now include message excerpts to make it easier to identify
10444   interesting messages and speed the process of reading through the
10445   list.  Feeds for all other mailing lists archived at SecLists.Org
10446   have been similarly augmented.  For details, see
10447   http://seclists.org/nmap-dev/2008/q2/0333.html . [David]
10449 o A new "default" Nmap Scripting Engine category was added.  Only
10450   scripts in this category now run by default (except for "version"
10451   scripts which run when version detection was requested).
10452   Previously, any scripts in the "safe" or "intrusive" categories were
10453   run.  21 scripts are now in this default category. [Kris]
10455 o The NSE HTTP library now uses the host name specified on the command
10456   line when making requests, which improves script scanning against
10457   web servers with virtual hosts. Thanks to Sven Klemm for the patch.
10459 o Added some new and improved version detection signatures. [Brandon]
10461 o Fixed an OS detection bug that prevented the U1.RID test result from
10462   being recorded properly when scanning certain printers from
10463   little-endian computers. Updated nmap-os-db to compensate for
10464   signatures that had an incorrect U1.RID value.  [Michael]
10466 o Updated to include the latest MAC Address prefixes from the IEEE in
10467   nmap-mac-prefixes [Fyodor]
10469 o Updated the SMTPcommands NSE script to work better against Postfix
10470   and reduce verbosity. [Jasey DePriest, Fyodor]
10472 o Reorganized the way ping probes are handled internally.  Rather than
10473   being stored in the NmapOps structure, they are now stored within
10474   the individual scan_lists structures.  This is a cleaner
10475   organization. [Michael]
10477 o Fix grepable output's "Ignored State" reporting.  Only one ignored
10478   state (the one with the highest number of ports) is shown. [David]
10480 o Update to Lua version 5.1.3 [Patrick]
10482 o Add NSE stdnse library to include tobinary, tooctal, and tohex
10483   functions. [Patrick]
10485 o Fixed a bug which caused the Zenmap crash reporter to, uh,
10486   crash. [David]
10488 o NSE engine was cleaned up significantly.  nse_auxiliar was removed,
10489   and file system manipulation functions were moved from nse_init.cc
10490   into a new nse_fs.cc file.  Numerous interfaces between Nmap and Lua
10491   were improved.  Most of these functions are now callable directly by
10492   Lua. [Patrick]
10494 o Fixed a bug in the showOwner NSE script which caused it to try UDP
10495   ports instead of just TCP ports.  This made it very slow in the
10496   common case where there are many UDP ports in the open|filtered
10497   state.  Thanks to Jasey DePriest for reporting the problem and Jah
10498   for tracking it down and fixing it.
10500 o Nbase now generates pseudo-random numbers itself rather than using
10501   /dev/urandom on Linux and the terrible rand() function on Windows.
10502   The new system uses ARC4 based on libdnet's
10503   implementation. [Brandon]
10505 o Made a number of updates and improvements to the Zenmap Users' Guide
10506   at https://nmap.org/book/zenmap.html . [David]
10508 o Fixed the way Zenmap handles command-line entry to prevent your
10509   custom command line from being overwritten with the current profile's
10510   command just because you edited the target field. [Jurand]
10512 o Nsock was improved to better support reading from non-network
10513   descriptors such as stdin.  This is important for the upcoming Ncat
10514   project Mixter is working on. [Mixter]
10516 o A bug was fixed that could cause Zenmap to crash when loading a
10517   results file that had multibyte characters in it. The error looked
10518   like:
10519   Gtk-ERROR **: file gtktextsegment.c: line 196
10520   (_gtk_char_segment_new): assertion failed:
10521   (gtk_text_byte_begins_utf8_char (text))
10522   [David]
10524 o Removed a superfluous test for the existence of the C++ compiler in
10525   the configure script. The test was not robust when configured with
10526   CXX="ccache g++". Thanks to Rainer Müller for the report.
10528 o Optimized cached DNS lookups so they are equally efficient when
10529   running on big-endian or little-endian systems. [Michael]
10531 o Fixed the nmap_command_path Zenmap configuration variable so that it
10532   is actually used to start the specified Nmap executable
10533   path. [Jurand Nogiec]
10535 o Nmap now reports scan start and end times for individual hosts
10536   within a larger scan. The information is added to the XML host
10537   element like so: <host starttime="1198292349" endtime="1198292370">
10538   It is also printed in normal output if -d or "-v -v" are
10539   specified. [Brandon, Kris, Fyodor]
10541 o "make uninstall" now uninstalls Zenmap as well as Nmap. The
10542   uninstall_zenmap script now deletes directories that were
10543   installed. [David]
10545 o Fixed a bug which caused Nmap to send bad checksums on Solaris 10
10546   x86.  This was due to a workaround for an ancient Solaris 2.1 bug
10547   which activated when the OS string matched "solaris2.1*".  The
10548   problem has now been resolved until Solaris 20 comes out and hits
10549   our "solaris2.2*" bug workarounds. Thanks to Nathan Bills for the
10550   problem report.  Fixed by Fyodor.
10552 o Fixed a minor memory leak in getpts_simple which occurs when no
10553   ports are to be added to 'list'. 'porttbl' is now freed regardless
10554   of how the function returns. [Michael]
10556 o Nmap now understands the RFC 4007 percent syntax for IPv6 Zone IDs.
10557   On Windows, this ID has to be a numeric index.  On Linux and some
10558   other OS's, this ID can instead be an interface name.  Some examples
10559   of this syntax:
10560     fe80::20f:b0ff:fec6:15af%2
10561     fe80::20f:b0ff:fec6:15af%eth0
10562   [Kris]
10564 o The Zenmap installer and uninstaller are more careful about escaping
10565   filenames and dealing with an installation root (DESTDIR). [David]
10567 o Since assert() calls are used for various security-related tests,
10568   their safety is now ensured by keeping NDEBUG undefined throughout
10569   Nmap, Nbase and Nsock. [Kris]
10571 o Fix a couple bugs in the way the Nmap build system checked for an
10572   existing LUA library.  A bashism caused one test to fail on systems
10573   which don't use bash as /bin/sh, and another bug fixed the --with-liblua
10574   configure option for specifying your own liblua. [Daniel
10575   Roethlisberger]
10577 o The NSE nmap.registry.args table is now available, albeit empty,
10578   when --script-args isn't used.  Now scripts don't need to check if
10579   it's nil before attempting to index it. [Kris]
10581 o Changed SSLv2-support.nse so that it only enumerates the list of
10582   available ciphers with a verbosity level of at least two or with
10583   debugging enabled. [Kris]
10585 o Replaced kibuvDetection.nse with version detection match lines which
10586   work better than the script. [Kris, Brandon]
10588 o Removed mswindowsShell.nse as there is a version detection NULL
10589   probe match which does the same thing. [Brandon, Fyodor, Kris]
10591 o Updated IANA assignment IP list for random IP (-iR)
10592   generation. [Kris]
10594 Nmap 4.62 [2008-5-3]
10596 o Added a new --min-rate option that allows specifying a minimum rate
10597   at which to send packets. This allows you to override Nmap's
10598   congestion control algorithms and request that Nmap try to keep at
10599   least the rate you specify.  The rate is given in packets per
10600   second. Read more in the Nmap man page
10601   (https://nmap.org/book/man-performance.html) [David]
10603 o Create /nmap/macosx directory in SVN with files necessary to build
10604   binary Mac OS X Nmap/Zenmap packages.  We are trying to create
10605   binary installer packages which are as useful and easy to use as the
10606   Windows installer.  This has involved a lot of work by David.  We
10607   aren't quite yet distributing the results on the Nmap download page,
10608   but testing our beta versions is useful.  You can find the latest
10609   universal (PPC and Intel) binary test version by looking at David
10610   Fifield's posts at http://seclists.org/nmap-dev/2008/q2/author.html .
10611   You can also read /nmap/macosx/README in svn for more info.
10613 o Nmap 2008 Summer of Code students have begun working (though full
10614   time doesn't start until late May).  Learn about the winners and
10615   their projects at http://seclists.org/nmap-dev/2008/q2/0132.html .
10617 o Brandon added/modified a whole bunch of version detection signatures
10618   based on systems discovered when scanning UCSD's network.
10620 o Reformat Nmap COPYING file (e.g. remove C comment markers, reduce
10621   line length) during Nmap windows build so that it looks much better
10622   when presented by the Windows executable (NSIS) installer.  Thanks
10623   to Jah for the patch, which was modified slightly by Fyodor.
10625 o Added NSE Datafiles library which reads and parses Nmap's nmap-*
10626   data files for scripts.  The functions (parse_protocols(),
10627   parse_rpc() and parse_services()) return tables with numbers
10628   (e.g. port numbers) indexing names (e.g. service names).  The
10629   rpcinfo.nse script was also updated to use this library. [Kris]
10631 o Fixed a bug in the nbase random number generator (and the way it
10632   interacted with Nmap and MS Windows) which caused duplicates in some
10633   instances.  Thanks to Jah for reporting the problem and working with
10634   Brandon Enright, Fyodor and Kris to fix it.
10636 o It turns out that hours contain 60 minutes, not 24.  Fixed a scan
10637   status message which was rolling over the hours column
10638   prematurely. [David]
10640 o Added scripting options to Zenmap profile editor and command wizard
10641   to make use of NSE. [David]
10643 o Zenmap now prints an exception message rather than segfaulting when
10644   it can't open a display (such as when trying to connect to an X
10645   server as an unauthorized user). Thanks to Aaron Leininger for the
10646   initial report and Guilherme Polo for suggesting the fix.
10648 o Now ports in the "unfiltered" state can be selected for attention by
10649   NSE scripts. [Kris]
10651 o Nbase random number generation system now avoids having a high-bit
10652   of zero in every other byte on Windows due to Windows having such a
10653   low RAND_MAX. [Jah]
10655 o Added release dates for each Nmap version to this CHANGELOG going
10656   back to Nmap 3.00 (July 31, 2002).  Dates are in MM/DD/YY format.
10657   If someone wants to track down dates for the last 22% of the file
10658   (pre-3.00), you are welcome to do so and send a patch.  Searching
10659   Google for the version number and site:seclists.org seems to work
10660   well. [Fyodor]
10662 o Nmap RPM builds now use the versions of libdnet, libpcap, libpcre,
10663   and liblua included with Nmap rather than whatever happens to be
10664   installed on the build system. [David]
10666 o Zenmap can now be installed in and run in directories with a space
10667   in the name. [David]
10669 o Fixed an assertion failure ("Target.cc:396: void
10670   Target::stopTimeOutClock(const timeval*): Assertion
10671   'htn.toclock_running == true' failed.") caused when a host had NSE
10672   scripts in multiple runlevels.  This also fixes --host-timeout
10673   behavior in NSE. [Kris]
10675 o Reduce the maximum number of socket descriptors which Nmap is
10676   allowed to open concurrently.  This resolves a bug which could cause
10677   "Too many open files" error on Mac OS X when not running as
10678   root. [David]
10680 o Canonicalized service names between nmap-service-probes (version
10681   detection DB) and nmap-services (port scanning DB). [Kris]
10683 o Removed the "class" attribute from the tcpsequence element in XML
10684   output. For a long time it had always been "unknown class" because
10685   Nmap doesn't calculate a class anymore. The XML output version has
10686   been increased from 1.01 to 1.02. [David]
10688 o Fixed a bug on Win32 which caused an infinite loop when Nmap
10689   encountered certain broadcast addresses. [Dudi Itzhakov]
10691 o Fix MingW compilation by adding a signal.h include to
10692   main.cc. [Gisle Vanem]
10694 o Fix the test in our build system to determine if liblua is already
10695   available or not. For example, the test needed to link with -lm
10696   since some systems require that. [David]
10698 o Added TIMEVAL_BEFORE and TIMEVAL_AFTER macros to test whether one
10699   timeval is earlier than another while avoiding possible integer
10700   overflows in a naive approach we were using previously. [David]
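An added illustration, not Nmap's own code, of the overflow-safe ordering the entry describes: the macro names match the entry, but their bodies are this example's own (assumed to match the entry's intent), and the helper shows why collapsing the difference into one 32-bit microsecond count fails once two timevals are more than about 2147 seconds apart.

```c
#include <stdint.h>
#include <sys/time.h>

/* Overflow-safe ordering of two struct timeval values: compare the
 * seconds first and fall back to microseconds only on a tie.  No
 * subtraction or multiplication is performed, so nothing can overflow.
 * (Bodies written for this example; assumed to match the entry's intent.) */
#define TIMEVAL_BEFORE(a, b) \
    ((a).tv_sec < (b).tv_sec || \
     ((a).tv_sec == (b).tv_sec && (a).tv_usec < (b).tv_usec))
#define TIMEVAL_AFTER(a, b) TIMEVAL_BEFORE(b, a)

/* The naive approach folds the difference into a single microsecond
 * count: (a.sec - b.sec) * 1000000 + (a.usec - b.usec).  With a 32-bit
 * result that overflows as soon as the two values are more than
 * INT32_MAX / 1e6 (about 2147) seconds apart.  This helper computes the
 * difference in 64 bits and reports whether the 32-bit version would
 * have overflowed, instead of performing the undefined signed overflow. */
int naive_diff_would_overflow(struct timeval a, struct timeval b)
{
    int64_t diff = ((int64_t)a.tv_sec - (int64_t)b.tv_sec) * 1000000LL
                   + ((int64_t)a.tv_usec - (int64_t)b.tv_usec);
    return diff > INT32_MAX || diff < INT32_MIN;
}

/* Thin wrappers so the macros can be exercised from a test. */
int timeval_before(struct timeval a, struct timeval b)
{
    return TIMEVAL_BEFORE(a, b);
}

int timeval_after(struct timeval a, struct timeval b)
{
    return TIMEVAL_AFTER(a, b);
}

/* Constructed scenario: a timeout clock started roughly an hour ago
 * versus "now".  The naive 32-bit difference would overflow; the
 * macro still orders the two values correctly. */
int demo_hour_apart_overflows(void)
{
    struct timeval start = { 1000000, 500000 };   /* constructed values */
    struct timeval now   = { 1003600, 250000 };   /* 3599.75 s later    */
    return naive_diff_would_overflow(now, start)
        && timeval_before(start, now)
        && !timeval_before(now, start);
}
```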
10702 o Adjusted a bunch of code to avoid compilation warning messages on
10703   some Linux machines. [Andrew J. Bennieston]
10705 o Fixed the NmapArpCache so that it actually works. Previously, Nmap
10706   was always falling back to the system ARP cache. Of course this
10707   raises the question of whether NmapArpCache is needed in the first
10708   place. [Daniel Roethlisberger]
10710 o Fix a Zenmap bug which could cause the error message
10711   "zenmapCore.NmapOptions.OptionNotFound: No option named '' found!"
10712   if you create a new profile without checking any options then try to
10713   edit it. [David]
10715 o Zenmap now shows a more helpful error message when there is an error
10716   in executing Nmap. [David]
10718 o Zenmap now creates the directory ~/.zenmap-etc to store
10719   automatically generated GTK+ and Pango files. They used to go in the
10720   application bundle but that doesn't work on a read-only file system
10721   or disk image. This is what Wireshark does (~/.wireshark-etc),
10722   although the directory could be called anything. It doesn't have to
10723   persist across sessions.
10725 o Added a mechanism in Zenmap for including extra executable search
10726   paths on specific platforms, so we can include /usr/local/bin in
10727   PATH on Mac OS X by default and add the Nmap install directory on
10728   Windows. [David]
10730 o We now use --no-strip when building Zenmap Mac OS X packages to
10731   prevent many mysterious warnings which occur when the binary is
10732   stripped. [David]
10734 o When Zenmap invokes Nmap, it now copies the whole environment for
10735   the Nmap invocation rather than just providing $PATH.  Windows may
10736   need this to do proper name resolution. [David]
10738 o Corrected uptime parsing and reporting in SNMPsysdescr.nse for an
10739   uptime of less than 46 hours. [Kris]
10741 o Modified the use of CXXFLAGS, CFLAGS, and CPPFLAGS in Nmap build
10742   system to work better when building Mac OS X universal
10743   binaries. [David]
10745 o Added many additional PCRE option flags to the list returned by the
10746   NSE pcre.flags() function. [Kris]
10748 o Changed the NSE function nmap.set_port_state() so that it checks to
10749   see if the requested port is already in the requested state.  This
10750   prevents "Duplicate port" messages during the script scan and the
10751   inaccurate "script-set" state reason. [Kris]
10753 o Canonicalize NSE script license text--more than half did not even
10754   spell license correctly. They all still say that they are under
10755   Nmap's license, just with consistent capitalization and spelling,
10756   and now a link to Nmap legal page at
10757   https://nmap.org/book/man-legal.html .
10759 o Updated ripeQuery.nse to not print extraneous whitespace. [Kris]
10761 o Switched telnet brute force password cracking NSE (bruteTelnet.nse)
10762   to vulnerability category so it isn't executed by default.  It can
10763   take too long to run. [Eddie]
10765 o NSE status messages now print host name and IP, rather than just the
10766   host name (which was blank when Nmap didn't know it). [Jah]
10768 o Allocate 128 characters for the idle scan ScanProgressMeter
10769   title. Previously it was 32 characters. The "idle scan against " and
10770   the \0 terminator take up 19 characters, leaving only 13, which
10771   isn't enough to represent all IP addresses, let alone host
10772   names. Bug reported by Stephan Fijneman, fixed by David.
10774 Nmap 4.60 [2008-3-15]
10776 o Nmap has moved.  Everything at http://insecure.org/nmap/ can now be
10777   found at https://nmap.org .  That should save your fingers from a
10778   little bit of typing.  Even though transparent redirectors are in
10779   place for the old URLs, please update your links and bookmarks. And
10780   if you don't have a link to Nmap on your web site, now is a good
10781   time to add one :).
10783 o All of your OS detection fingerprints up until March 10, 2008 have
10784   now been integrated by David.  The second generation database has
10785   grown from 1,085 fingerprints representing 421 operating
10786   systems/devices, to 1,304 fingerprints representing 478 systems.
10787   That is an increase of more than 20%.  New fingerprints were added
10788   for Mac OS X Tiger, iPod Touch, the La Fonera WAP, FreeBSD 7.0,
10789   Linux 2.6.24, Windows 2008, Vista, OpenBSD 4.2, and of course
10790   hundreds of broadband routers, VoIP phones, printers, some crazy
10791   oscilloscope, etc.  We get a ton of new fingerprint submissions, but
10792   not as many corrections.  Please remember to visit
10793   https://nmap.org/submit/ if Nmap gives you bad results, whether they
10794   are completely wrong or just a slight mistake (like Nmap says Linux
10795   2.6.20-2.6.23, but you're running 2.6.24).  Of course you need to be
10796   certain you know exactly what is running on the target before you do
10797   this.
10799 o All of your service fingerprints and corrections submitted until
10800   January 14, 2008 have now been integrated by Doug.  As usual, he has
10801   documented his adventures at http://hcsw.org/blog.pl/33 .  More than
10802   a hundred signatures were added, growing the database to 4,645
10803   signatures for 457 services.  Corrections are welcome for service
10804   detection too -- visit https://nmap.org/submit/ if you get incorrect results.
10806 o Nmap now saves the target name (if any) specified on the command
10807   line, since this can differ from the reverse DNS results.  It can be
10808   particularly important when doing HTTP tests against virtual hosts.
10809   The data can be accessed from target->TargetName() from Nmap proper
10810   and host.targetname from NSE scripts.  The NSE HTTP library now uses
10811   this for the Host header.  Thanks to Sven Klemm for adding this
10812   useful feature.
10814 o Added NSE HTTP library which allows scripts to easily fetch URLs
10815   with http.get_url() or create more complex requests with
10816   http.request().  There is also an http.get() function which takes
10817   components (hostname, port, and path) rather than a URL.  The
10818   HTTPAuth, robots, and showHTMLTitle NSE scripts have been updated to
10819   use this library. Sven Klemm wrote all of this code.
10821 o Fixed an integer overflow in the DNS caching code that caused nmap
10822   to loop infinitely once it began expunging the cache of older
10823   entries.  Thanks to David Moore for the report, and Eddie Bell for
10824   the fix.
10826 o Fixed another integer overflow in the DNS caching code which caused
10827   infinite loops. [David]
10829 o Added IPv6 host support to the RPC scan.  Attempting this before
10830   (via -sV) caused a segmentation fault.  Thanks to Will Cladek for
10831   the report. [Kris]
10833 o Fixed an event handling bug in NSE that could cause execution of
10834   some in-progress scripts to be excessively delayed. [Marek]
10836 o A new NSE table library (tab.lua) allows scripts to deliver better
10837   formatted output.  The Zone transfer script (zoneTrans.nse) has been
10838   updated to use this new facility. [Eddie]
10840 o Rewrote HTTPpasswd.nse to use Sven's excellent HTTP library and to
10841   do some much-needed cleaning up. [Kris]
10843 o Added a new MsSQL version detection probe and a bunch of match lines
10844   developed by Tom Sellers.
10846 o Added a new service detection probe and signatures for the memcached
10847   service [Doug]
10849 o Added new service detection probes and signatures for the Beast
10850   Trojan and Firebird RDBMS. [Brandon Enright]
10852 o Fixed a crash in Zenmap which occurred when attempting to edit or
10853   create a new profile based on an existing one when there wasn't one
10854   selected.  The error message was:
10855     'NoneType' object has no attribute 'toolbar'
10856   Now a new Profile Editor is opened.  Thanks to D1N (d1n@inbox.com)
10857   for the report. [Kris]
10859 o Fixed another crash in Zenmap which occurred when exiting the
10860   Profile Editor (while editing an existing profile) by clicking the
10861   "X", then going to edit the same profile again.  The error message
10862   was: "No option named '' found!".  Now the same window that appears
10863   when clicking Cancel comes up when clicking "X".  Thanks to David
10864   for reporting this bug. [Kris]
10866 o Another Zenmap bug was fixed: ports consolidated into "extra ports"
10867   groups are now counted and shown in the "Host Details" tab.  The
10868   closed, filtered and scanned port counts in this tab didn't contain
10869   this information before so they were usually very inaccurate. [Kris]
10871 o Another Zenmap bug was fixed: the --scan-delay and --max-scan-delay
10872   buttons ("amount of time between probes") under the Advanced tab in
10873   the Profile Editor were backwards. [Kris]
10875 o Added the UDP Scan (-sU) and IPProto Ping (-PO) to Zenmap's Profile
10876   Editor and Command Wizard. [Kris]
10878 o Reordered the UDP port selection for Traceroute: a closed port is
10879   now chosen before an open one.  This is because an open UDP port is
10880   usually due to running version detection (-sV), so a Traceroute
10881   probe wouldn't elicit a response. [Kris]
10883 o Add Famtech Radmin remote control software probe and signatures to
10884   the Nmap version detection DB. [Tom Sellers, Fyodor]
10886 o Add "Connection: Close" header to requests from HTTP NSE scripts so
10887   that they finish faster. [Sven Klemm]
10889 o Update SSLv2-support NSE script to run against more services which
10890   are likely SSL. [Sven Klemm]
10892 o A bunch of service name canonicalization was done in the Nmap
10893   version detection file by Brandon Enright (e.g. capitalizing D-Link
10894   and Netgear consistently).
10896 o Upgraded the shipped LibPCRE from version 7.4 to 7.6. [Kris]
10898 o Updated to latest (as of 3/15) autoconf config.sub/config.guess
10899   files from http://cvs.savannah.gnu.org/viewvc/config/?root=config.
10900   [Fyodor]
10902 o We now escape newlines, carriage returns, and tabs (\n\r\t) in XML
10903   output.  While those are allowed in XML attributes, they get
10904   normalized which can make formatting the output difficult for
10905   applications which parse Nmap XML. [Joao Medeiros, David, Fyodor]
10907 o The Zenmap man page is now installed on Unix when "make install" is
10908   run.  This was supposed to work before, but didn't. [Kris]
10910 o Fixed a man page bug related to our DocBook to Nroff translation
10911   software producing incorrect Nroff output.  The man page no longer
10912   uses the ".nse" string which was being confused with the Nroff
10913   no-space mode command. [Fyodor]
10915 o Fixed a bug in which some NSE error messages were improperly escaped
10916   so that a message including "c:\nmap" would end up with a newline
10917   between "c:" and "map".
10919 o Updated IANA assignment IP list for random IP (-iR)
10920   generation. [Kris]
10922 o The DocBook XML source code to the Nmap Scripting Engine docs
10923   (https://nmap.org/book/nse.html) is now in SVN under docs/scripting.xml .
10925 Nmap 4.53 [2008-1-12]
10927 o Improved Windows executable installer by making uninstall work better
10928   on systems which changed the default install path.  The shortcut is
10929   also now deleted properly on Vista. [Rob Nicholls]
10931 o Windows installer is now generated using NSIS 2.34 rather than
10932   2.13. [Fyodor]
10934 o Added UPnP-info NSE script by Thomas Buchanan. It gathers
10935   information from the UPnP service (UDP port 1900) which listens on
10936   many network devices such as routers, printers, and networked media
10937   players.
10939 o Fixed a --traceroute bug (assertion failure crash) which occurred
10940   when the first hop of the first host in a tracegroup (reference
10941   trace) times out.  Thanks to Sebastián García for the bug report and
10942   testing, and Eddie for the patch.
10944 o Fix a problem which prevented proper port number matching in
10945   NSE scripts (port_or_service function) due to a variable
10946   shadowing bug. [Sven Klemm]
10948 o Improved rpcinfo.nse to better sort and display available RPC
10949   services. [Sven Klemm]
10951 Nmap 4.52 [2008-1-1]
10953 o Fixed Nmap WinPcap installer to use CurrentVersion registry key on
10954   Windows rather than VersionNumber to more reliably detect Vista
10955   machines.  This should prevent the XP version of Packet.dll from
10956   being installed on Vista. [Rob Nicholls]
10958 o The Nmap Scripting Engine (NSE) now supports run-time interaction
10959   and the Nmap --host-timeout option. [Doug]
10961 o Added nmap.fetchfile() function for scripts so they can easily find
10962   Nmap's nmap-* data files (such as the OS/version detection DBs, port
10963   number mapping, etc.) [Kris]
10965 o Updated rpcinfo.nse to use nmap.fetchfile() to read from nmap-rpc
10966   instead of having a huge table of RPC numbers.  This reduced the
10967   script's size by nearly 75%. [Kris]
10969 o Fixed multiple NSE scripts that weren't always properly closing their
10970   sockets.  The error message was:
10971   "bad argument #1 to 'close' (nsock expected, got no value)" [Kris]
10973 o Added a new version detection probe for the Trend Micro OfficeScan
10974   product line. [Tom Sellers, Doug]
10976 Nmap 4.51BETA [2007-12-21]
10978 o David wrote a detailed Zenmap guide: https://nmap.org/book/zenmap.html
10980 o Added rpcinfo.nse script, which contacts a listening RPC portmapper
10981   and reports the listening services and port information (like
10982   rpcinfo -p does).  The script was written by Sven Klemm.  Fyodor
10983   then enhanced the RPC number list with all of the entries from
10984   nmap-rpc.
10986 o Added a new NSE script (MySQLinfo) which prints MySQL server information
10987   such as the protocol and version numbers, status, thread id, capabilities,
10988   and password salt. [Kris]
10990 o Nmap's output options (-oA, -oX, etc.) now support strftime()-like
10991   conversions in the filename.  %H, %M, %S, %m, %d, %y, and %Y are
10992   all the same as in strftime().  %T is the same as %H%M%S, %R is the
10993   same as %H%M, and %D is the same as %m%d%y.  A % followed by any
10994   other character just yields that character (%% yields a %).  This
10995   means that "-oX 'scan-%T-%D.xml'" uses an XML file in the form of
10996   "scan-144840-121307.xml". [Kris]
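An added reimplementation of the conversion rules listed above, written for this example and not taken from Nmap's source: it expands the strftime()-style specifiers, the %T, %R and %D shorthands, %% and the "any other character" fallback from a supplied struct tm, and refuses to truncate rather than produce a shortened filename.

```c
#include <string.h>
#include <time.h>

/* Expand Nmap-style output filename conversions from `fmt` into `out`
 * (capacity `outlen`).  %H %M %S %m %d %y %Y behave as in strftime(),
 * %T is %H%M%S, %R is %H%M, %D is %m%d%y, %% yields a literal %, and a
 * % followed by any other character yields that character.  A trailing
 * lone % is not covered by the changelog entry; it is emitted literally
 * here.  Returns the number of bytes written (excluding the terminator),
 * or -1 if `out` is too small.  Illustrative code, not Nmap's own. */
int expand_output_filename(const char *fmt, const struct tm *tm,
                           char *out, size_t outlen)
{
    size_t pos = 0;
    char chunk[16];

    for (const char *p = fmt; *p != '\0'; p++) {
        const char *piece;
        char single[2] = { '\0', '\0' };

        if (*p != '%') {
            single[0] = *p;
            piece = single;
        } else {
            char spec[3] = { '%', '\0', '\0' };
            p++;
            switch (*p) {
            case '\0':                 /* trailing lone '%' */
                single[0] = '%';
                piece = single;
                p--;                   /* let the loop see the terminator */
                break;
            case 'T':                  /* shorthand for %H%M%S */
                strftime(chunk, sizeof chunk, "%H%M%S", tm);
                piece = chunk;
                break;
            case 'R':                  /* shorthand for %H%M */
                strftime(chunk, sizeof chunk, "%H%M", tm);
                piece = chunk;
                break;
            case 'D':                  /* shorthand for %m%d%y */
                strftime(chunk, sizeof chunk, "%m%d%y", tm);
                piece = chunk;
                break;
            case 'H': case 'M': case 'S':
            case 'm': case 'd': case 'y': case 'Y':
                spec[1] = *p;          /* pass straight through to strftime */
                strftime(chunk, sizeof chunk, spec, tm);
                piece = chunk;
                break;
            default:                   /* "%%" and any unknown "%x" yield x */
                single[0] = *p;
                piece = single;
                break;
            }
        }

        size_t n = strlen(piece);
        if (pos + n >= outlen)
            return -1;                 /* refuse to truncate the filename */
        memcpy(out + pos, piece, n);
        pos += n;
    }
    out[pos] = '\0';
    return (int)pos;
}
```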
10998 o Fixed WinPcap installer to install the right version of Packet.dll
10999   on Windows Vista. [Fyodor]
11001 o Fixed our WinPcap installer so that it waits for a WinPcap uninstall
11002   (if needed) to complete before trying to install the new WinPcap.
11003   [Jah]
11005 o Fix a bunch of warning/error messages which contained an extra
11006   newline. [Brandon Enright]
11008 o Fixed an error when attempting to scan localhost as an unprivileged
11009   user on Windows (nmap --unprivileged localhost). The error was:
11010     Skipping SYN Stealth Scan against localhost ( because
11011     Windows does not support scanning your own machine (localhost) this
11012     way.
11013   Now connect scan is used instead of SYN scan. [David]
11015 o Fixed a bug that prevented the --resume option from working on
11016   Windows. The error message was:
11017   ..\utils.cc(996): CreateFileMapping(), file 'testresume', length 103,
11018   mflags 000 00006: The parameter is incorrect.(87)
11019   [Fixed by David, reported by Rob Nicholls]
11021 o Zenmap's new web page (https://nmap.org/zenmap/) is now shown in the
11022   Zenmap about dialogue.
11024 o On Windows, paths beginning with \ are now considered absolute when
11025   used with the --script option. jah (jah(a)zadkiel.plus.com) suggested
11026   this. [David]
11028 o Zenmap no longer double-spaces its output (by inadvertently
11029   duplicating newlines) when viewing scan results that were saved to a
11030   file. [Joao Medeiros]
11032 o Upgraded the shipped LibPCRE from version 7.2 to 7.4. [Kris]
11034 o Fixed Zenmap crash that occurred when selecting Help from the Compare
11035   Results window. [Kris]
11037 o Updated robots.nse to prevent printing robots.txt comments. [Kris]
11039 o Many version detection match lines were improved to match even when
11040   newlines appear in binary data returned by the service. [Fixed by
11041   Doug, suggested by Lionel Cons]
11043 Nmap 4.50 [2007-12-13]
11045 o Bumped up the version number to the big 10th anniversary 4.50
11046   release!  See http://insecure.org/stf/Nmap-4.50-Release.html .
11048 Nmap 4.49RC7 [2007-12-10]
11050 o A Zenmap crash was fixed. Scanning once, then scanning another target
11051   on the same scan tab caused an ImportError ("list index out of range")
11052   in zenmapGUI/ScanNotebook.py. Joao Medeiros reported the
11053   bug. [David]
11055 o Updated a couple of version detection signatures due to problem
11056   reports by Lionel Cons. [Doug]
11058 Nmap 4.49RC6 [2007-12-8]
11060 o NSE scripts can now be specified by absolute path to the --script
11061   option.  This was supposed to work before, but didn't. [David]
11063 o Insert a path separator in returned paths in init_scandir on
11064   Windows.  Otherwise options such as "--scripts=scripts" (where
11065   scripts is a directory) were failing with error messages about being
11066   unable to access things like "C:\Nmap\scriptsanonFTP.nse" (should be
11067   "C:\Nmap\scripts\anonFTP.nse"). [David]
11069 o Add some "local" declarations to xamppDefaultPass.nse to avoid
11070   errors like: "SCRIPT ENGINE: [string "Global Access"]:1: Attempted
11071   to change the global 'socket' ..." [David]
11073 o NSE "shortports" function now by default matches ports in the
11074   "open|filtered" state as well as "open" ones. [Diman]
11076 o Nsock msevent_new and msevent_delete calls fixed to handle NULL I/O
11077   descriptors.  This should fix a reported bus error crash. [Diman]
11079 o Prevent old bit.dll and pcre.dll files from being installed in
11080   nselib directory by Windows executable installer.  Bit.dll is still
11081   installed in nselib-bin where it belongs.  Thanks to Rob Nicholls for
11082   reporting the problem. [Fyodor]
11085 Nmap 4.49RC5 [2007-12-8]
11087 o Don't install the orphaned and incomplete Zenmap HTML documentation.
11088   Instead point to the Nmap documentation site, which provides more
11089   comprehensive and up-to-date Nmap docs.  We're rapidly improving the
11090   online Zenmap docs as well.  Of course the Nmap and (new!) Zenmap
11091   man pages are still installed on Unix. [Fyodor]
11093 o Fix mswin32/Makefile so that the new nselib-bin directory is
11094   properly included in the Nmap win32 zipfile distribution.  Thanks
11095   to Rob Nicholls for reporting the problem. [Fyodor]
11097 o Fix host reason reported when the target is found to be "down" due
11098   to no response. Nmap now reports "no-response" rather than
11099   "unknown-reason" [Kris]
11101 Nmap 4.49RC4 [2007-12-7]
11103 o David did a huge OS fingerprint integration marathon, going through
11104   all of your submissions (more than 1600) since August 20.  The 2nd
11105   generation database has grown more than 30% to 1,085 entries!  Many
11106   of the existing fingerprints were improved as well.  Notable new or
11107   greatly improved entries include the iPhone, iPod Touch, Mac OS X
11108   Leopard, FreeBSD 7.0, Linux 2.6.23, Nokia cell phones (E61, E65, E70,
11109   E90, N95), and OpenBSD 4.2.  Of course there were all manner of new
11110   printers, cable/DSL routers, switches, enterprise routers, IP
11111   phones, cell phones and a heap of obscure equipment such as the
11112   BeaconMedaes medical gas alarm.  Windows Vista fingerprints were
11113   also improved significantly.  Please keep those OS fingerprint
11114   submissions and corrections coming!
11116 o Doug integrated all of your version detection fingerprints and
11117   corrections since October 4.  The DB now has an incredible 4,542
11118   signatures for 449 service protocols.  The service protocols with
11119   the most signatures are http (1,473), telnet (459), ftp (423), smtp
11120   (327), pop3 (188), http-proxy (111), ssh (104), imap (103), irc (46)
11121   and nntp (44).
11123 o Included the netbios-smb-os-discovery.nse script which uses NetBIOS
11124   and SMB queries to guess OS version.  This script was written by
11125   Judy Novak and contributed by Sourcefire.
11127 o Canonicalized the interface type numbers used internally by
11128   libdnet. Also libdnet now recognizes devices with type
11129   INTF_TYPE_IEEE80211 as Ethernet devices.  This ought to make
11130   wireless network scanning work on Windows Vista. For more background
11131   see http://seclists.org/nmap-dev/2007/q4/0391.html . [David]
11133 o Documented the "--script all" option in the man page and NSE
11134   article.  This option executes all scripts in the NSE database
11135   regardless of category. [Fyodor]
11137 o NSE scripts can now be specified by name without the .nse
11138   extension.  So instead of using "--script
11139   bruteTelnet.nse,HTTPpasswd.nse,SQLInject.nse,robots.nse", you can
11140   just pass "--script bruteTelnet,HTTPpasswd,SQLInject,robots". [Kris]
11142 o Removed some auto-generated files from the new nselib-bin directory
11143   as they could cause compatibility problems. Also updated
11144   mswin32/Makefile to reflect the new nselib-bin DLL location [David]
11146 o ripeQuery.nse was updated to avoid printing some useless
11147   information. [Kris]
11149 o Compatibility with systems that have the pcre.h header file in its
11150   own pcre directory should now be fixed for real. [Fyodor]
11152 o Enhanced the radmind service detection signature and added a
11153   deprecated radmind port to nmap-services. [Matt Selsky]
11155 o Zenmap now gives better errors to stdout when it can't even pop up a
11156   dialog box (such as when PyGTK can't be loaded). [David]
11158 o Fixed a Zenmap crash which occurred on Mac OS X and possibly other
11159   platforms.  The error message said: "object of type
11160   'ScanHostDetailsPage' has no len()". [David]
11162 o Fixed a crash which occurred when an NSE script called
11163   set_port_version() at times that version scanning was not
11164   enabled. [Diman]
11166 o Fixed the NSIS installer so that it does not include some excess
11167   files (mswin32/* and .svn).  Thanks to Alan Jones for reporting the
11168   problem. [Fyodor]
11170 o Renamed some Zenmap Python packages to allow Zenmap and Umit to be
11171   installed at the same time. [David]
11173 o Updated nmap-mac-prefixes with the latest IEEE data.  Also added
11174   back Cooperative Linux virtual NIC which was inadvertently removed in
11175   a previous release. [Fyodor]
11177 Nmap 4.23RC3 [2007-11-27]
11179 o Zenmap now has a man page!  It isn't very long yet, but covers the
11180   basics.  Thanks to David for writing this.
11182 o A new NSE script, promiscuous.nse, scans devices on a local network
11183   looking for sniffers (devices running in promiscuous mode).  This
11184   script is from Marek Majkowski and is the first to use the NSE pcap
11185   extension system (which he also wrote).  The script is only in the
11186   discovery category for now so it does not run by default.  Specify
11187   it by name for now.  We may make it default after the upcoming
11188   stable release.
11190 o Nmap can now handle IP aliases on Windows.  A given device such as
11191   eth0 might have several IP addresses.  Nmap will use the primary
11192   address, so you need to use -S if you want to specify a different
11193   one. [David]
11195 o An exception (rather than luaL_argerror) is now thrown when an SSL
11196   connection is attempted but OpenSSL isn't available. [David]
11198 o There is now an nmap.have_ssl NSE function so you can avoid doing
11199   NSE probes when SSL isn't available. [David]
11201 o Zenmap gives clearer error messages when an import error occurs or
11202   Zenmap's dump files aren't found. [David]
11204 o Zenmap now looks for its data files relative to the directory of the
11205   zenmap script to allow running from the build/svn directory. [David]
11207 o NSE C modules are now installed into an nselib-bin directory.  This
11208   was needed to make the dns-test-open-recursion and zoneTrans NSE
11209   scripts work properly, since they use the NSE bit library
11210   (bit.so). [Diman, Fyodor]
11212 o Auxiliary autoconf scripts such as config.guess, config.sub,
11213   depcomp, install-sh, and ltmain.sh were deleted from Nmap
11214   subdirectories because configure is smart enough to use the ones from
11215   the parent directory.  This decreases the Nmap source tarball and svn
11216   checkout sizes. [David]
11218 o Nmap now compiles on systems which have the libPCRE include file in
11219   pcre/pcre.h rather than just pcre.h.  Thanks to Lionel Cons for the
11220   report. [Fyodor]
11222 o Nmap binary is now stripped again, but it now uses -x to avoid
11223   stripping dynamically loaded NSE functions on Mac OS X. [David]
11225 o Normalized Zenmap's handling of results files specified on the
11226   command line.  In some cases, Zenmap would ignore specified results
11227   files just because some unrelated options were used. [David]
11229 o configure.ac now uses literal directory names rather than variable
11230   references in calls to AC_CONFIG_SUBDIRS.  This removes an annoying
11231   warning message which has existed for years when you regenerate
11232   configure. [David]
11234 o Fixed a configure.ac error which prevented you from specifying an
11235   alternative libnsock directory. [David]