Nmap Announce mailing list archives

Nmap Defcon Release: Version 5.35DC1


From: Fyodor <fyodor () insecure org>
Date: Fri, 16 Jul 2010 10:50:43 -0700

Hi folks.  It has been 3.5 months since the last Nmap release
(5.30BETA1 on March 29), and anyone following the nmap-dev list knows
that we've been very busy during that time.  So I'm pleased to release
Nmap version 5.35DC1 containing the fruits of that labor.  The Defcon
name is because that conference is awesome!  And also because David
Fifield and I have an exciting Nmap talk planned there and at Black
Hat in a couple weeks (see http://seclists.org/nmap-dev/2010/q3/108).

This release includes 131 NSE scripts (17 new), 6,622 version
detection signatures, 2,608 OS fingerprints, and more.  I'm
particularly excited about the new db2 and ms-sql scripts, and nfs-ls
really makes NFS discovery easy!  We also added Eugene Alexeev's
clever new dns-cache-snoop script.  Nping and Ncat were significantly
improved as well.

The Nmap 5.35DC1 source code and packages for Linux, Mac OS X, and
Windows are available for download at the usual place:

http://nmap.org/download.html

This is a BETA release, but we hope it works well for you. If not (or
if you have any suggestions for improvement), please let us know on
nmap-dev as described at http://nmap.org/book/man-bugs.html.

Here are the 83 most significant changes in this release:

o [NSE] Added 17 scripts, bringing the total to 131! They are
  described individually in the CHANGELOG, but here is the list of new
  ones:
   afp-serverinfo, db2-brute, dns-cache-snoop, dns-fuzz, ftp-libopie,
   http-php-version, irc-unrealircd-backdoor, ms-sql-brute,
   ms-sql-config, ms-sql-empty-password, ms-sql-hasdbaccess,
   ms-sql-query, ms-sql-tables, ms-sql-xp-cmdshell, nfs-ls, ntp-monlist
  Learn more about any of these at: http://nmap.org/nsedoc/

o Performed a major OS detection integration run. The database has
  grown to 2,608 fingerprints (an increase of 262) and many of the
  existing fingerprints were improved. These include the Apple iPad
  and Cisco IOS 15.X devices. We also received many fingerprints for
  ancient Microsoft systems including MS-DOS with MS Networking Client
  3.0, Windows 3.1, and Windows NT 3.1. David posted highlights of his
  integration work at http://seclists.org/nmap-dev/2010/q2/283.

o Performed a large version detection integration run. The number of
  signatures has grown to 6,622 (an increase of 279). New signatures
  include a remote administrative backdoor that a school famously used
  to spy on its students, an open source digital currency scheme named
  Bitcoin, and game servers for EVE Online, l2emurt Lineage II, and
  Frozen Bubble. You can read David's highlights at
  http://seclists.org/nmap-dev/2010/q2/385.

o [NSE] Added nfs-ls.nse, which lists NFS exported files and their
  attributes. The nfs-acls and nfs-dirlist scripts were deleted
  because all their features are supported by this script. [Djalal]

o [NSE] Add new DB2 library and two scripts
  - db2-brute.nse uses the unpwdb library to guess credentials for DB2
  - db2-info.nse is a rewrite of Tom Sellers' script using the new library
  [Patrik]

o [NSE] Added a library for Microsoft SQL Server and 7 new scripts. The new
  scripts are:
  - ms-sql-brute.nse uses the unpwdb library to guess credentials for MSSQL
  - ms-sql-config retrieves various configuration details from the server
  - ms-sql-empty-password checks if the sa account has an empty password
  - ms-sql-hasdbaccess lists database access per user
  - ms-sql-query adds support for running custom queries against the database
  - ms-sql-tables lists databases, tables, columns and datatypes with optional
    keyword filtering
  - ms-sql-xp-cmdshell adds support for OS command execution to privileged
    users
  [Patrik]

o [NSE] Added the afp-serverinfo script that gets a hostname, IP
  addresses, and other configuration information from an AFP server.
  The script, and a patch to the afp library, were contributed by
  Andrew Orr and subsequently enhanced by Patrik and David.

o [NSE] Added additional vulnerability checks to smb-check-vulns.nse:
  The Windows RAS RPC service vulnerability MS06-025
  (http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx)
  and the Windows DNS Server RPC vuln MS07-029
  (http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx).
  Note that these are only run if you specify the "unsafe" script arg
  because the implemented test crashes vulnerable services. [Drazen]

o [NSE] Added dns-cache-snoop.nse by Eugene Alexeev. This script performs
  cache snooping by either sending non-recursive queries or by measuring
  response times.

o [Zenmap] Added the ability to print Nmap output to a
  printer. [David]

o [Nmap, Ncat, Nping] The default unit for time specifications is now
  seconds, not milliseconds, and times may have a decimal point. 1000
  now means 1000 seconds, or about 17 minutes, not 1000 milliseconds.
  Floating point values such as 1.5 are now allowed.  This affects the
  following options:
  Nmap:
    --host-timeout
    --max-rtt-timeout --min-rtt-timeout --initial-rtt-timeout
    --scan-delay --max-scan-delay
    --stats-every
  Ncat:
    -d --delay
    -i --idle-timeout
    -w --wait
  Nping:
    --delay
    --host-timeout
    --icmp-orig-time --icmp-recv-time --icmp-trans-time
  Some sanity checks have been added to catch what looks like an
  attempt to use the old millisecond defaults. For example,
  --host-timeout 10000 yields
    Since April 2010, the default unit for --host-timeout is seconds,
    so your time of "10000" is 2.8 hours. If this is what you want,
    use "10000s".
    QUITTING!
  You can always disable the warning by giving an explicit unit.

o [NSE] Scripts which take an argument for a time duration can now
  have the duration be a number followed by a unit, like elsewhere in
  Nmap. An example is "10m" for 10 minutes. The units understood are
  "ms" for milliseconds, "s" for seconds, "m" for minutes, and "h" for
  hours.  Seconds are the default if no unit is specified. The new
  function stdnse.parse_timespec does the parsing of these
  formats. The qscan.delay script argument, which formerly interpreted
  its argument as being in milliseconds, now defaults to seconds;
  append "ms" to continue using the same numbers. [David]
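A parser for this time-specification format, added here as an example in Python rather than NSE's Lua; it is not the project's stdnse.parse_timespec. The cutoff for rejecting unitless values is an assumption, since the note shows 10000 triggering the warning but not the exact threshold Nmap uses.

```python
import re

# Multipliers to seconds for the units the release note lists.
UNITS = {"ms": 0.001, "s": 1.0, "m": 60.0, "h": 3600.0}

# A number (decimal point allowed) optionally followed by one unit.
_TIMESPEC_RE = re.compile(r"^(\d+(?:\.\d+)?|\.\d+)(ms|s|m|h)?$")

# Assumption: the page shows a unitless 10000 being rejected but not the
# exact cutoff, so this example flags unitless values of an hour or more.
SUSPICIOUS_SECONDS = 3600.0


class OldMillisecondUsage(ValueError):
    """Raised when a unitless value looks like a pre-2010 millisecond count."""


def parse_timespec(spec):
    """Return the seconds denoted by spec, e.g. "10m" -> 600.0, "1.5" -> 1.5.

    Seconds are the default when no unit is given, matching Nmap 5.35DC1.
    """
    m = _TIMESPEC_RE.match(spec)
    if not m:
        raise ValueError("bad time specification: %r" % spec)
    number, unit = m.group(1), m.group(2) or "s"
    return float(number) * UNITS[unit]


def describe(seconds):
    """Render a duration the way the quoted warning does ("2.8 hours")."""
    if seconds >= 3600:
        return "%.1f hours" % (seconds / 3600.0)
    if seconds >= 60:
        return "%.1f minutes" % (seconds / 60.0)
    return "%g seconds" % seconds


def option_seconds(option, spec):
    """Parse the value of a timing option such as --host-timeout.

    Unitless values that would have been plausible as milliseconds are
    rejected with the wording Nmap prints; an explicit unit always
    disables the check.
    """
    seconds = parse_timespec(spec)
    has_unit = _TIMESPEC_RE.match(spec).group(2) is not None
    if not has_unit and seconds >= SUSPICIOUS_SECONDS:
        raise OldMillisecondUsage(
            'Since April 2010, the default unit for %s is seconds, so your '
            'time of "%s" is %s. If this is what you want, use "%ss".'
            % (option, spec, describe(seconds), spec))
    return seconds


if __name__ == "__main__":
    print(option_seconds("--host-timeout", "10000s"))
    try:
        option_seconds("--host-timeout", "10000")
    except OldMillisecondUsage as err:
        print(err)
        print("QUITTING!")
```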

o [NSE] Added irc-unrealircd-backdoor.nse, which detects a backdoor
  that was in UnrealIRCd source code distributions between November
  2009 and June 2010. See http://seclists.org/nmap-dev/2010/q2/826.
  [Vlatko Kosturjak, Ron, David]

o Ports are now considered open during a SYN scan if a SYN packet
  (without the ACK flag) is received in response. This can be due to
  an extremely rare TCP feature known as a simultaneous open or split
  handshake connection. See http://bit.ly/tcp-sh and
  http://seclists.org/nmap-dev/2010/q2/723. [Jah]
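The reply classification this note describes, as an added Python example over constructed TCP headers; it is not Nmap's own scan engine, and flag combinations and ICMP errors the note does not mention are left out.

```python
import struct

# TCP flag bits (offset 13 of the base header).
TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def tcp_flags(segment):
    """Return the flags byte of a raw TCP segment (no IP header in front)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


def syn_scan_port_state(response):
    """Classify a SYN-scan reply as the 5.35DC1 note describes.

    response is the raw TCP segment received, or None when nothing came back.
    """
    if response is None:
        return "filtered"          # no reply at all
    flags = tcp_flags(response)
    if flags & TH_RST:
        return "closed"            # RST means nothing is listening
    if flags & TH_SYN:
        # SYN/ACK is the normal open reply; a bare SYN (no ACK bit) is the
        # simultaneous-open / split-handshake case, now also reported open.
        return "open"
    return "unknown"               # assumption: not covered by the note


def make_segment(sport, dport, flags):
    """Constructed 20-byte TCP header for demonstration (checksum left zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                       65535, 0, 0)


if __name__ == "__main__":
    for name, seg in [("syn/ack", make_segment(80, 40000, TH_SYN | TH_ACK)),
                      ("bare syn", make_segment(80, 40000, TH_SYN)),
                      ("rst/ack", make_segment(80, 40000, TH_RST | TH_ACK)),
                      ("none", None)]:
        print(name, "->", syn_scan_port_state(seg))
```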

o [Ncat] In listen mode, the --exec and --sh-exec options now accept a
  single connection and then exit, just like in normal listen mode.
  Use the --keep-open option to get the old default inetd-like
  behavior. This was suggested by David Millis. [David]

o [NSE] Added ftp-libopie.nse by Gutek. This script checks for an
  off-by-one stack overflow vulnerability in libopie by giving the FTP
  service an overly long name. See
  http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc for
  details.

o [NSE] Added ntp-monlist.nse which discovers NTP server, peer and
  client hosts associated with a scanned target by sending NTPv2
  Private Mode 'monitor' and 'peers' commands to the target. [Jah]

o [NSE] Added http-php-version.nse from Gutek. This script retrieves
  version-specific pages through a couple of magic PHP queries, which
  can identify the PHP version even when a server doesn't advertise
  it.

o [NSE] New script dns-fuzz launches a fuzzing attack against DNS
  servers. Added a new category - fuzzer - for scripts like this.
  [Michael Pattrick]

o David made many improvements to the NSEDoc for individual scripts,
  including adding @output sections to scripts which didn't have them.
  He also improved the generated HTML with features like
  auto-generating usage strings if the scripts don't include their own
  and allowing the giant sidebar lists of scripts/libraries to expand
  and contract.  See http://nmap.org/nsedoc/.

o UDP payloads are now stored in an external data file, nmap-payloads,
  instead of being hard-coded in the executable. This makes it easier
  to add your own payloads or disable those you find problematic. [Jay
  Fink, David]

o The Windows executable installer now uses LZMA compression instead
  of zlib, making it about 15% smaller. See
  http://seclists.org/nmap-dev/2010/q2/1011 for test results. [David]

o Open XML elements are now closed in case of a fatal error, so the
  output should at least be well-formed. There are new attributes
  "exit" and "errormsg" in the finished element. "exit" is "success"
  or "error". When it is "error", the "errormsg" attribute contains
  the error message. Thanks to Grant Bartlett, who found a typo in the
  new output. [David]

o Fixed name resolution in environments where gethostbyname can return
  IPv6 (or other non-IPv4 addresses). In such an environment, Nmap
  would wrongly use the first four bytes of the IPv6 address as an
  IPv4 address. You could force this, at least on Debian, by adding
  the line "options inet6" to /etc/resolv.conf or by running with
  RES_OPTIONS=inet6 in the environment. This was reported by Mats Erik
  Andersson, who also suggested the fix. [David]

o Fixed the assignment of interface aliases to directly connected
  routes on Linux, which was broken in 5.30BETA1 (it always assigned
  the base interface instead of the alias). This was visible in the
  host.interface variable passed to NSE scripts. The bug was reported by
  Victor Rudnev. [David]

o When Nmap is passed a hostname such as google.com which resolves to
  several IP addresses, Nmap now prints each IP address.  It still
  only scans the first one in the returned list. [David]

o Nmap now works if you specify several target host names which
  resolve to the same IP address.  This can be useful when you are
  scanning virtual-hosted web servers and want to see NSE results
  specific to each site name even though they reside on the same
  machine. [David]

o Made a list of current Nmap SVN committers:
  http://nmap.org/svn/docs/committers.txt

o Added a new library, libnetutil, which contains about 2,700 lines of
  networking related code which is now shared between Nmap and Nping
  (it was previously duplicated by each tool). [Luis, David]

o [NSE] http-passwd.nse now also checks for boot.ini to support
  Windows targets. [Gutek]

o Removed --interactive mode, a miniature shell whose primary purpose
  was to hide command line arguments from the process list. It had
  been broken (would segfault during the second scan) for at least 9
  months and was rarely used. The fact that it was broken was reported
  by Juan Carlos Castro. [David]

o Added a version probe, match line, and UDP payload for the
  serialnumberd service of Mac OS X Server. This service overrides
  firewall settings to make itself visible, so it's useful for host
  discovery. [Patrik]

o Improved service detection match lines for:
  o Oracle Enterprise Manager Agent and mupdate by Matt Selsky
  o Twisted web server, Apple Filing Protocol, Apple Mac OS X Password
    Server, XAVi XG6546p Wireless Gateway, Sun GlassFish
    Communications Server, and Comdasys, SIParator and Glassfish SIP
    by Patrik
  o PostgreSQL, Cisco Site Selector ftpd, and LanSafe UPS monitoring
    HTTPd by Tom Sellers

o Improved our brute force password guessing list by mixing in some
  data sent in by Solar Designer of John the Ripper fame.

o [Zenmap] IP addresses are now sorted by octet rather than their
  string representation. For example, 10.1.1.2 is now sorted before
  10.1.1.10. This problem was reported by Norris Carden. [David]

o [NSE] Added UDP header parsing support to packet.lua. [jah]

o Fixed a bug in Libpcap which led to Nmap hanging forever in some
  cases on 64-bit Mac OS X 10.6, 10.6.1, and 10.6.3.  The fix was
  actually already available in upstream Libpcap, just not released.
  We also had to make Nmap build with its own Libpcap on 64-bit OS X
  if an already-installed system Libpcap has this bug. [David]

o Updated our Winpcap to the new 4.1.2 release [Rob Nicholls]

o [NSE] Fixed a bug in qscan.nse which gave an error if a confidence
  level of 0.9995 was used.  Thanks to Marcin Hoffmann for noticing
  the problem. [Kris]

o [libpcap] Added a --disable-packet-ring option to force the use of
  an older, slower packet capture mechanism on Linux. Before Linux
  2.6.27, the packet ring mechanism uses different-sized kernel
  structures on 32- and 64-bit architectures, so a 32-bit program will
  not run correctly on a 64-bit kernel. The older mechanism does not
  have this flaw.

o Fixed some errors in nmap-os-db, probably caused by incorrect string
  replacement during integration. This patch is from James Cook.

o [Nsock, Ncat] Nsock has a new function, nsp_setbroadcast, that
  allows setting the SO_BROADCAST option on sockets. Ncat now sets
  this option unconditionally in connect mode to allow connections to
  broadcast addresses (useful in UDP mode). [Daniel Miller]

o Nmap now works with "teamed" network interfaces on Windows. In order
  to distinguish the interfaces, their textual descriptions are now
  compared in addition to their MAC addresses. Without this, Nmap
  would send on the wrong interface and not receive any replies. A
  symptom of this problem was all scans failing except when
  --unprivileged was used. Norris Carden reported this bug. [David]

o [Ncat] When receiving a connection/datagram in listen mode, Ncat now
  prints the connecting source port along with the IP address (when
  verbosity is enabled). [Rebellis]

o Fixed a problem where the time variable used in some port scanning
  algorithms (for probe timeouts, etc) could vary based on the
  debugging level. [Kris]

o Moved the parse_long function from ncat to nbase for better reuse,
  and used it to simplify netmask parsing code. [William Pursell]

o Added EPROTO to the list of known error codes in service scan. Daniel
  Miller reported that an EPROTO was causing Nmap to exit after sending
  the Sqlping probe during service scan. The error message was
  "Unexpected error in NSE_TYPE_READ callback. Error code: 71 (Protocol
  error)". We suspect this was caused by a forged ICMP packet sent by an
  active firewall. [David]

o [NSE] Improved smtp-commands.nse to work against more mail servers,
  made it take an smtp-commands.domain script argument, and rewrote it
  in the style of other smtp scripts. [Jason DePriest]

o [NSE] Made smtp-commands run for the services smtp, smtps,
  submission rather than just smtp.  The other smtp scripts already do
  this. [David]

o [NSE] The dns-recursion script now marks the port as open when it
  gets a response. [Olivier M]

o [Nping] A big correctness and code cleanliness audit was performed
  which resulted in many bugs being fixed and much more code being
  shared with Nmap rather than duplicated. A structured testing
  script system was also created. [Luis, David]

o [Nping] Now allows a --count value of zero to run almost
  indefinitely (2^32 rounds). Suggested by Andreas Hubert. [Luis]

o [Nping] Fixed --data argument parsing. The value passed was not
  actually making it into outgoing packets. Reported by Tim
  Poth. [Luis]

o [Nping] When a RST packet is received in response to a connection
  attempt in TCP-Connect mode, Nping now properly prints "Connection
  refused" rather than "Operation now in progress". [Luis]

o [Nping] Fixed a bug which caused failure when the first supplied
  target was not resolvable (e.g.: nping bogushost.fkz scanme.insecure.com
  tcpdump.com). [Luis]

o [Nping] Fixed some bugs in the BPF filter creation to avoid capture
  and printing of packets Nping sent or which are destined for another
  process. [Luis]

o [Nping] Fixed a bug which prevented ARP replies from being displayed
  properly. [Luis]

o [Nping] Fixed a bug that caused ICMP Router Advertisement entries to
  be set in host byte order rather than proper network byte
  order. [Luis]

o [Nping] Fixed a segfault caused by bad --data values. [Greg Skoczek]

o The Mac OS X installer is now built with MacPorts 1.9.1 rather than
  1.8.2. Among other changes, this fixes a segmentation fault reported
  by some OS X 10.6.3 users.

o Nsock now supports an option to remove its Pcap support.  This
  allows the same Nsock to be shared with Nmap (which needs that
  support) and Ncrack (which doesn't.) Pcap support can be disabled by
  specifying --disable-pcap at configure time on UNIX, or by selecting
  the DebugNoPcap or ReleaseNoPcap configurations in Visual C++ on
  Windows.

o Sped up compilation by not building both shared and static libdnet
  libraries--we only use the static one. [David]

o [NSE] Improved error handling and reporting and re-designed communication
  class in RPC library with patch from Djalal Harouni. [Patrik]

o Upgraded the included libpcap to version 1.1.1. [David]

o [NSE] Add some special-use IPv4 addresses to isPrivate which are
  described in RFC 5736 and RFC 5737, published in Jan 2010. Improve
  performance of isPrivate for IPv4 addresses by using ip_in_range
  less frequently. Add an extra return value to isPrivate - when the
  first return value is true, the second return value will now be a
  string representing the special use assignment in which the supplied
  address is located. [jah]

o Fix compilation on OpenSolaris.  We had to make the libdnet autoconf
  check for PF_PACKET Linux-specific.  Recent versions of OpenSolaris
  support PF_PACKET, but not in a way which is entirely compatible
  with the Linux approach. This problem was reported by Darren Reed. A
  few other minor compatibility changes were made as well. [David]

o [NSE] Added script arguments "username" and "password" to ftp-bounce
  to override the default anonymous:IEUser@ login combination. [Kris]

o [NSE] Added port number sorting to dns-service-discovery.nse. [Patrik]

o [NSE] Added an snmpWalk() function to the SNMP library and updated
  scripts to use it.  [Patrik]

o [NSE] Fixed this dns.lua error reported by Eugene Alexeev:
  nselib/dns.lua:110: attempt to get length of field 'dtype' (a number value)
  [Jah]

o Updated nmap-mac-prefixes to the latest IEEE data as of 2010-07-13.

o Updated IANA IP address space assignment list for random IP (-iR)
  generation. [Kris]

o Created a new directory for storing todo lists for Nmap and related
  projects.  You can see what we're working on and planning by
  visiting http://nmap.org/svn/todo/.

o [NSE] Removed explicit time limit checking from ms-sql-brute,
  pgsql-brute, mysql-brute, ldap-brute, and afp-brute. The unpwdb
  library does this automatically now. [David]

o [NSE] Correct global access errors in afp.lua reported by Patrick Donnelly.
  [Patrik]

o [NSE] Correct misspelled "Capabilities.IgnoreSpaceBeforeParanthesis"
  name in the MySQL library. [Kris]

o Cleaned up our Winpcap header file directory, and also updated to
  the latest files from the official developer pack
  (WpdPack_4_1_1.zip). [Fyodor]

o [NSE] Fixed a bug which would prevent rpcinfo.nse from returning any
  results for RPC programs which could not be matched to a
  name. [Patrik]

o [NSE] The ftp-anon script is now much smarter about parsing server
  responses and detecting successful (or not) logins.  It now knows
  how to send the ACCT command where appropriate as well. [Rob
  Nicholls]

o Normalized a bunch of version detection entries with "webserver" in
  the description.  In most cases this was changed to "httpd".

o [Ncat] Fixed the --crlf option not to insert an extra \r byte in the
  case that one system read ends with \r and the next begins with \n
  (should be rare). [David]

o [NSE] Fixed bug in rpc.lua library that incorrectly required file handles
  to be 32 octets when calling the ReadDir function. The bug was reported by
  Djalal Harouni. [Patrik]

Enjoy the new release, and I hope to see you at Defcon!
-Fyodor


_______________________________________________
Sent through the nmap-hackers mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-hackers
Archived at http://seclists.org/nmap-hackers/