Nmap Announce mailing list archives

Nmap 7.10 released: 12 new scripts, hundreds of OS/version fingerprints, bug fixes, and more!


From: Fyodor <fyodor () nmap org>
Date: Thu, 17 Mar 2016 12:25:02 -0700

Hi Folks!  Before I tell you about today's new Nmap release, I wanted to
share some Summer of Code news:

Google posted a fantastic story by one of our Summer of Code alumni about
how the program helped take him from rural China to a full-ride scholarship
at the University of Virginia graduate school! His mentor David and I had
the chance to meet him in San Francisco:

http://google-opensource.blogspot.com/2016/02/coming-to-america-how-google-summer-of.html

Way to go, Weilin!

Also, applications are now open for GSoC 2016.  But only until next
Friday.  We've also added several new project ideas.  So if you know any
college/grad students (or are one!) interested in earning $5,500 writing
open source Nmap code this summer, please point them here:

https://nmap.org/soc/

And now for the main news: I'm pleased to announce the release of Nmap 7.10
with many great improvements!  It's got 12 new NSE scripts, hundreds of new
OS/version fingerprints, and dozens of smaller improvements and bug fixes.
And that's not even counting the changes in Nmap 7.01, which we released in
December but I never got around to announcing because I suck at marketing.
Nmap 7.10 source code and binary packages for Linux, Windows, and Mac are
available for free download from the usual spot:

https://nmap.org/download.html

If you find any bugs in this release, please let us know on the Nmap Dev
list or bug tracker as described at https://nmap.org/book/man-bugs.html.

Here is the full list of material changes in 7.10 and 7.01:

o [NSE] Added 12 NSE scripts from 7 authors, bringing the total up to 527!
They are all listed at https://nmap.org/nsedoc/, and the summaries are
below (authors are listed in brackets):

  + [GH#322] http-apache-server-status parses the server status page of
Apache's mod_status. [Eric Gershman]

  + http-vuln-cve2013-6786 detects a XSS and URL redirection vulnerability
in Allegro RomPager web server. Also added a fingerprint for detecting
CVE-2014-4019 to http-fingerprints.lua. [Vlatko Kosturjak]

  + [GH#226] http-vuln-cve2014-3704 detects and exploits the "Drupalgeddon"
pre-auth SQL Injection vulnerability in Drupal. [Mariusz Ziulek]

  + imap-ntlm-info extracts hostname and sometimes OS version from
NTLM-auth-enabled IMAP services. [Justin Cacak]

  + ipv6-multicast-mld-list discovers IPv6 multicast listeners with MLD
probes. The discovery is the same as targets-ipv6-multicast-mld, but the
subscribed addresses are decoded and listed.  [Alexandru Geana, Daniel
Miller]

  + ms-sql-ntlm-info extracts OS version and sometimes hostname from MS SQL
Server instances via the NTLM challenge message. [Justin Cacak]

  + nntp-ntlm-info extracts hostname and sometimes OS version from
NTLM-auth-enabled NNTP services. [Justin Cacak]

  + pop3-ntlm-info extracts hostname and sometimes OS version from
NTLM-auth-enabled POP3 services. [Justin Cacak]

  + rusers retrieves information about logged-on users from the rusersd RPC
service. [Daniel Miller]

  + [GH#333] shodan-api queries the Shodan API (https://www.shodan.io) and
retrieves open port and service info from their Internet-wide scan data.
[Glenn Wilkinson]

  + smtp-ntlm-info extracts hostname and sometimes OS version from
NTLM-auth-enabled SMTP and submission services. [Justin Cacak]

  + telnet-ntlm-info extracts hostname and sometimes OS version from
NTLM-auth-enabled Telnet services. [Justin Cacak]

o Integrated all of your IPv4 OS fingerprint submissions from October to
January (536 of them). Added 104 fingerprints, bringing the new total to
5089. Additions include Linux 4.2, more Windows 10, IBM i 7, and more.
Highlights: http://seclists.org/nmap-dev/2016/q1/270 [Daniel Miller]

o Integrated all of your service/version detection fingerprints submitted
from October to January (508 of them). The signature count went up 2.2% to
10532. We now detect 1108 protocols, from icy, finger, and rtsp to ipfs,
basestation, and minecraft-pe. Highlights:
http://seclists.org/nmap-dev/2016/q1/271 [Daniel Miller]

o Integrated all 12 of your IPv6 OS fingerprint submissions from October to
January. The classifier added 3 new groups, including new and expanded
groups for OS X, bringing the new total to 96. Highlights:
http://seclists.org/nmap-dev/2016/q1/273 [Daniel Miller]

o [NSE] Upgrade to http-form-brute allowing correct handling of token-based
CSRF protections and cookies. Also, a simple database of common login forms
supports Django, Wordpress, MediaWiki, Joomla, and others. [Daniel Miller]

o [Zenmap] [GH#247] Remember window geometry (position and size) from the
previous time Zenmap was run. [isjing]

o New service probe for CORBA GIOP (General Inter-ORB Protocol) detection
should elicit a not-found exception from GIOP services that do not respond
to non-GIOP probes. [Quentin Hardy]

o [GH#284] Fix retrieval of route netmasks on FreeBSD. IPv6 routes were
given /32 netmasks regardless of actual netmask configured, resulting in
failed routing. Reported by Martin Gysi. [Daniel Miller]

o [GH#272][GH#269] Give option parsing errors after the usage statement, or
avoid printing the usage statement in some cases. The options summary has
grown quite large, requiring users to scroll to the top to see the error
message. [Abhishek Singh]

o [GH#249][Nsock] Avoid a crash on Windows reported by users using Zenmap's
Slow Comprehensive Scan profile.  In the case of unknown OpenSSL errors,
ERR_reason_error_string would return NULL, which could not be printed with
the "%s" format string. Reported by Dan Baxter. [Gisle Vanem, Daniel Miller]

o [GH#293][Zenmap] Fix a regression in our build that caused copy-and-paste
to not work in Zenmap on Windows.

o Changed Nmap's idea of reserved and private IP addresses to include
169.254/16 (RFC3927) and remove 6/8, 7/8, and 55/8 networks. This list, in
libnetutil's isipprivate function, is used to filter -iR randomly generated
targets. The newly-valid address ranges belong to the U.S. Department of
Defense, so users wanting to avoid those ranges should use their own
exclusion lists with --exclude or --exclude-file.  [Bill Parker, Daniel
Miller]

o Allow the -4 option for Nmap to indicate IPv4 address family. This is the
default, and using the option doesn't change anything, but does make it
more explicit which address family you want to scan. Using -4 with -6 is an
error. [Daniel Miller]

o [GH#265] When provided a verbosity of 0 (-v0), Nmap will not output any
text to the screen. This happens at the time of argument parsing, so the
usual meaning of "verbosity 0" is preserved. [isjing]

o [NSE][GH#314] Fix naming of SSL2_RC2_128_CBC_WITH_MD5 and
SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 ciphers in sslv2 in order to match
the draft specification from Mozilla. [Bertrand Bonnefoy-Claudet]

o [NSE][GH#320] Add STARTTLS support to sslv2 to enable SSLv2 detection
against services that are not TLS encrypted by default but that support
post connection upgrade. This will enable more comprehensive detection of
SSLv2 and DROWN (CVE-2016-0800) attack oracles. [Tom Sellers]

o [NSE][GH#301] Added default credential checks for RICOH Web Image Monitor
and BeEF to http-default-accounts. [nnposter]

o Properly display Next-hop MTU value from ICMP Type 3 Code 4 Fragmentation
Required messages when tracing packets or in Nping output. Improper offset
meant we were printing the total IP length. [Sławomir Demeszko]

o [NSE] Added support for DHCP options "TFTP server name" and "Bootfile
name" to dhcp.lua and enabled checking for options with a code above 61 by
default. [Mike Rykowski]

o [NSE] whois-ip: Don't request a remote IANA assignments data file when
the local filesystem will not permit the file to be cached in a local file.
[jah]

o [NSE] Updated http-php-version hash database to cover all versions from
PHP 4.1.0 to PHP 5.4.45. Based on scans of a few thousand PHP web servers
pulled from Shodan API (https://www.shodan.io/) [Daniel Miller]

o Use the same ScanProgressMeter for FTP bounce scan (-b) as for the other
scan types, allowing periodic status updates with --stats-every or keypress
events.  [Daniel Miller]

o [GH#274] Use a shorter pcap_select timeout on OpenBSD, just as we do for
OS X, old FreeBSD, and Solaris, which use BPF for packet capture and do not
have properly select-able fds. Fix by OpenBSD port maintainer [David
Carlier]

o Print service info in grepable output for ports which are not listed in
nmap-services when a service tunnel (SSL) is detected. Previously, the
service info ("ssl|unknown") was not printed unless the service inside the
tunnel was positively identified. http://seclists.org/nmap-dev/2015/q4/260
[Daniel Miller]

o [NSE] [GH#242] Fix multiple false-positive sources in http-backup-agent.
[Tom Sellers]

Nmap 7.01 [2015-12-09]

o Switch to using gtk-mac-bundler and jhbuild for building the OS X
installer. This promises to reduce a lot of the problems we've had with
local paths and dependencies using the py2app and macports build system.
[Daniel Miller]

o The Windows installer is now built with NSIS 2.47 which features
LoadLibrary security hardening to prevent DLL hijacking and other unsafe
use of temporary directories. Thanks to Stefan Kanthak for reporting the
issue to NSIS and to us and the many other projects that use it.

o Updated the OpenSSL shipped with our binary builds (Windows, OS X, and
RPM) to 1.0.2e.

o [Zenmap] [GH#235] Fix several failures to launch Zenmap on OS X. The new
build process eliminates these errors:
    IOError: [Errno 2] No such file or directory:
'/Applications/Zenmap.app/Contents/Resources/etc/pango/pangorc.in'
LSOpenURLsWithRole() failed for the application /Applications/Zenmap.app
with error -10810.

o [NSE] [GH#254] Update the TLSSessionRequest probe in ssl-enum-ciphers to
match the one in nmap-service-probes, which was fixed previously to correct
a length calculation error. [Daniel Miller]

o [NSE] [GH#251] Correct false positives and unexpected behavior in http-*
scripts which used http.identify_404 to determine when a file was not found
on the target. The function was following redirects, which could be an
indication of a soft-404 response. [Tom Sellers]

o [NSE] [GH#241] Fix a false-positive in hnap-info when the target responds
with 200 OK to any request. [Tom Sellers]

o [NSE] [GH#244] Fix an error response in xmlrpc-methods when run against a
non-HTTP service. The expected behavior is no output. [Niklaus Schiess]

o [NSE] Fix SSN validation function in http-grep, reported by Bruce Barnett.

Enjoy the new release!
-Fyodor
_______________________________________________
Sent through the announce mailing list
https://nmap.org/mailman/listinfo/announce
Archived at http://seclists.org/nmap-hackers/
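As an added illustration of what the new *-ntlm-info scripts announced above decode (example code written for this archive page, not Nmap's NSE code, and in Python rather than Lua): the NTLM CHALLENGE_MESSAGE a server returns during NTLM authentication carries a TargetInfo block of AV_PAIR entries holding NetBIOS and DNS names, plus an optional 8-byte Version field that is only present when the NTLMSSP_NEGOTIATE_VERSION flag is set, which is why the scripts report the OS version only "sometimes". The parser below decodes both and rejects truncated messages; the two sample messages are constructed with the helper in the same block, not captured from a real server, and the Windows 6.3.9600 version and host names are made up. The transport side (fetching the challenge over IMAP, POP3, SMTP, NNTP, Telnet or the TDS login of MS SQL) is omitted.

```python
import struct

# NTLM CHALLENGE_MESSAGE (Type 2) flag constants from MS-NLMP.
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_TARGET_TYPE_SERVER = 0x00020000
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000

# AV_PAIR ids carried in the TargetInfo block (MS-NLMP 2.2.2.1).
AV_EOL, AV_NB_COMPUTER_NAME, AV_NB_DOMAIN_NAME = 0, 1, 2
AV_DNS_COMPUTER_NAME, AV_DNS_DOMAIN_NAME, AV_DNS_TREE_NAME, AV_TIMESTAMP = 3, 4, 5, 7
AV_NAMES = {AV_NB_COMPUTER_NAME: "nb_computer_name", AV_NB_DOMAIN_NAME: "nb_domain_name",
            AV_DNS_COMPUTER_NAME: "dns_computer_name", AV_DNS_DOMAIN_NAME: "dns_domain_name",
            AV_DNS_TREE_NAME: "dns_tree_name"}


def parse_av_pairs(blob):
    """Decode an AV_PAIR list; string values are always UTF-16LE."""
    out, off = {}, 0
    while off + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == AV_EOL:
            break
        value = blob[off:off + av_len]
        if len(value) != av_len:
            raise ValueError("truncated AV_PAIR")
        off += av_len
        if av_id in AV_NAMES:
            out[AV_NAMES[av_id]] = value.decode("utf-16-le")
        elif av_id == AV_TIMESTAMP and av_len == 8:
            out["timestamp"] = struct.unpack("<Q", value)[0]  # Windows FILETIME
    return out


def parse_ntlm_challenge(msg):
    """Extract TargetName, TargetInfo names and (if present) the OS version."""
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 2:
        raise ValueError("not a CHALLENGE_MESSAGE (type %d)" % msg_type)
    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", msg, 12)
    (flags,) = struct.unpack_from("<I", msg, 20)
    info = {"flags": flags, "server_challenge": msg[24:32].hex()}
    if tn_len:
        if tn_off + tn_len > len(msg):
            raise ValueError("TargetName points outside message")
        raw = msg[tn_off:tn_off + tn_len]
        info["target_name"] = (raw.decode("utf-16-le") if flags & NTLMSSP_NEGOTIATE_UNICODE
                               else raw.decode("ascii", "replace"))
    # Bytes 32..40 are Reserved; TargetInfoFields follow at offset 40.
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", msg, 40)
    if flags & NTLMSSP_NEGOTIATE_TARGET_INFO and ti_len:
        if ti_off + ti_len > len(msg):
            raise ValueError("TargetInfo points outside message")
        info.update(parse_av_pairs(msg[ti_off:ti_off + ti_len]))
    # The 8-byte Version field exists only when NEGOTIATE_VERSION is set.
    if flags & NTLMSSP_NEGOTIATE_VERSION and len(msg) >= 56:
        major, minor, build, _rev = struct.unpack_from("<BBH3xB", msg, 48)
        info["os_version"] = "%d.%d.%d" % (major, minor, build)
    return info


def build_challenge(target_name, av_pairs, version=None):
    """Construct a CHALLENGE_MESSAGE for testing (constructed, not captured)."""
    flags = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM |
             NTLMSSP_TARGET_TYPE_SERVER | NTLMSSP_NEGOTIATE_TARGET_INFO)
    if version is not None:
        flags |= NTLMSSP_NEGOTIATE_VERSION
    hdr_len = 56 if version is not None else 48
    tn = target_name.encode("utf-16-le")
    ti = b"".join(struct.pack("<HH", av_id, len(v.encode("utf-16-le"))) + v.encode("utf-16-le")
                  for av_id, v in av_pairs) + struct.pack("<HH", AV_EOL, 0)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(tn), len(tn), hdr_len)
    msg += struct.pack("<I", flags)
    msg += bytes.fromhex("0123456789abcdef")  # ServerChallenge (made-up value)
    msg += b"\x00" * 8                        # Reserved
    msg += struct.pack("<HHI", len(ti), len(ti), hdr_len + len(tn))
    if version is not None:
        major, minor, build = version
        msg += struct.pack("<BBH3xB", major, minor, build, 0x0F)  # NTLMSSP_REVISION_W2K3
    return msg + tn + ti


# Constructed sample: server sends the Version field (assumed Windows 6.3 build 9600).
SAMPLE_WITH_VERSION = build_challenge("CORP", [
    (AV_NB_DOMAIN_NAME, "CORP"), (AV_NB_COMPUTER_NAME, "MAIL01"),
    (AV_DNS_DOMAIN_NAME, "corp.example"), (AV_DNS_COMPUTER_NAME, "mail01.corp.example"),
], version=(6, 3, 9600))

# Constructed sample: same host, NEGOTIATE_VERSION not set, so no OS version.
SAMPLE_NO_VERSION = build_challenge("CORP", [
    (AV_NB_COMPUTER_NAME, "MAIL01"), (AV_DNS_COMPUTER_NAME, "mail01.corp.example"),
])

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_VERSION, SAMPLE_NO_VERSION):
        print(parse_ntlm_challenge(sample))
```

The offsets in TargetNameFields and TargetInfoFields are attacker-controlled data from the server's point of view of a scanner, so the parser bounds-checks them before slicing rather than trusting them; a real service that advertises NEGOTIATE_VERSION but sends a 48-byte header is likewise treated as having no version rather than read past the end.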
