Nmap 7.90 Released! First release since August 2019.

[Gordon Fyodor Lyon <fyodor () nmap org>]

Hello everyone.  Hot on the heels of the big Npcap 1.00 release (
https://seclists.org/nmap-announce/2020/0), we're delighted to announce a
new Nmap--version 7.90! It's the first Nmap release since Defcon 2019, even
though we've made 16 Npcap releases since then. Raw packets are so
fundamental to Nmap that we really wanted to get it right.  With the
production-ready and highly performant Npcap 1.00 driver included, we can
finally recommend Nmap on Windows as a true peer to the traditional Linux
builds.

While Npcap gets top billing for this release, there are many other
improvements.  We integrated about 1,200 of your fingerprint submissions
for better OS and service/version detection.  We're still a bit behind,
thanks to all of your glorious submissions, so you can expect more
integrations coming soon.  We also have new NSE scripts, protocol
libraries, and payloads for host discovery, port scanning and version
detection.  We also did some long-needed license cleanup and gave the
license a name (Nmap Public Source License) to avoid the previous confusion
of Nmap being under "GPLv2 with various clarifications and exceptions".
The NPSL is still based on the GPLv2, but brings in terms from some other
popular open source licenses. See https://nmap.org/npsl

We also created a special "Nmap OEM Edition" for the companies who license
Nmap to handle host discovery within their products.  We have been selling
such licenses for more than 20 years and it's about time OEM's have an
installer more customized to their needs.  More details are at
https://nmap.org/oem.

Nmap 7.90 also includes 70+ smaller bug fixes and improvements that have
collected over the year (full list below), as well as various build system
upgrades and code quality improvements.  Dan addressed over 250 issues
identified by the LGTM.com static analyzer, bringing our LGTM code quality
grade from "C" to "A+".

I'd especially like to thank nnposter, who was credited for 29 improvements
in this release alone!  And of course Dan Miller was amazing as always.
Those 1,200 fingerprint integrations were all him!  And he spent weeks
debugging some really hairy Npcap concurrency problems that only happened
under very heavy load systems with multiple 10Gbps network interfaces.  And
since this is a driver running in kernel mode, you don't get the
user-friendly debugging ability that we take for granted with normal
applications.  Instead the whole system just crashes or hangs.  It was also
great to see former Nmap co-maintainer David Fifield come back to fix a
couple issues.

Speaking of appreciation, I forgot to mention Guy Harris in my Npcap 1.00
announcement. Guy has been extraordinary through all of these years of
Npcap development.  He's one of the maintainers of Libpcap (
https://www.tcpdump.org/), the cross-platform API that Npcap implements.
It's a large and critical piece of Npcap's infrastructure, and Guy has
always been generous with his time whenever we have questions or problems.
He's also a Wireshark developer and helped to make their Npcap integration
such a success!

With Npcap now stable, we're excited to turn more of our attention back to
Nmap proper!  This 7.90 release is just the start of it.  We have many big
improvements that we want to make, but we forced ourselves to hold back
while we focused on stabilizing the codebase for this 7.90 release.  But
now we're headed full steam ahead for the next one!

Nmap 7.90 source code and binary packages for Linux, Windows, and Mac are
available for free download from the usual spot:

https://nmap.org/download.html

If you find any bugs in this release, please let us know on the bug tracker
or dev list as described at https://nmap.org/book/man-bugs.html.

Here is the full list of significant changes:

• [Windows] Upgraded Npcap, our Windows packet capturing (and sending)
library to the milestone 1.00 release! It's the culmination of 7 years of
development with 170 public pre-releases. This includes dozens of
performance improvements, bug fixes, and feature enhancements described at
https://npcap.org/changelog.

• Integrated over 800 service/version detection fingerprints submitted
since August 2017. The signature count went up 1.8% to 11,878, including 17
new softmatches.  We now detect 1237 protocols from airmedia-audio,
banner-ivu, and control-m to insteon-plm, pi-hole-stats, and
ums-webviewer.  A significant number of submissions remain to be integrated
in the next release.

• Integrated over 330 of the most-frequently-submitted IPv4 OS fingerprints
since August 2017. Added 26 fingerprints, bringing the new total to 5,678.
Additions include iOS 12 & 13, macOS Catalina & Mojave, Linux 5.4, FreeBSD
13, and more.

• Integrated all 67 of your IPv6 OS fingerprint submissions from August
2017 to September 2020. Added new groups for FreeBSD 12, Linux 5.4, and
Windows 10, and consolidated several weak groups to improve classification
accuracy.

•  [NSE] Added 3 NSE scripts, from 2 authors, bringing the total up to 601!
They are all listed at https://nmap.org/nsedoc/, and the summaries are
below:

• dicom-brute attempts to brute force the called Application Entity Title
of DICOM servers. [Paulino Calderon]

• dicom-ping discovers DICOM servers and determines if any Application
Entity Title is allowed to connect. [Paulino Calderon]

• uptime-agent-info collects system information from an Idera
Uptime Infrastructure Monitor agent. [Daniel Miller]

• [GH#1834] Addressed over 250 code quality issues identified by LGTM.com,
improving our code quality score from "C" to "A+"

• Released Npcap OEM Edition. For more than 20 years, the Nmap Project has
been funded by selling licenses for companies to distribute Nmap with their
products, along with commercial support. Hundreds of commercial products
now use Nmap for network discovery tasks like port scanning, host
discovery, OS detection, service/version detection, and of course the Nmap
Scripting Engine (NSE). Until now they have just used standard Nmap, but
this new OEM Edition is customized for use within other Windows software.
Nmap OEM contains the OEM version of our Npcap driver, which allows for
silent installation. It also removes the Zenmap GUI, which cuts the
installer size by more than half. And it reports itself as Nmap OEM so
customers know it's a properly licensed Nmap. See https://nmap.org/oem for
more details.

• Upgraded the Nmap license form a sort of hacked-up version of GPLv2 to a
cleaner and better organized version (still based on GPLv2) now called the
Nmap Public Source License to avoid confusion. See https://nmap.org/npsl/
for more details and annotated license text. This NPSL project was started
in 2006 (community discussion here:
https://seclists.org/nmap-dev/2006/q4/126) and then it lost momentum for
7 years until it was restarted in 2013 (
https://seclists.org/nmap-dev/2013/q1/399) and then we got distracted
by development again. We still have some ideas for improving the NPSL,
but it's already much better than the current license, so we're applying
NPSL Version 0.92 to the code now and can make improvements later
if needed. This does not change the license of previous Nmap releases.

• Removed nmap-update. This program was intended to provide a way to update
data files and NSE scripts, but the infrastructure was never fielded. It
depended on Subversion version control and would have required maintaining
separate versions of NSE scripts for compatibility.

• Removed the silent-install command-line option (/S) from the Windows
installer. It causes several problems and there were no objections when we
proposed removing it in 2016 (https://seclists.org/nmap-dev/2016/q4/168).
It will remain in Nmap OEM since its main use was for customers who
redistribute Nmap with other software. If anyone else has a strong need for
an Nmap silent installer, please contact sales () nmap com and we'll see what
we can do.

• [GH#1860] 23 new UDP payloads and dozens more default ports for existing
payloads developed for Rapid7's InsightVM scan engine. These speed up and
ensure detection of open UDP services. [Paul Miseiko, Rapid7]

• Added a UDP payload for STUN (Session Traversal Utilities for NAT).
[David Fifield]

• [NSE] Fixed an off-by-one bug in the stun.lua library that prevented
parsing a server response. [David Fifield]

• [GH#2051] Restrict Nmap's search path for scripts and data files.
NMAPDATADIR, defined on Unix and Linux as ${prefix}/share/nmap, will not be
searched on Windows, where it was previously defined as C:\Nmap .
Additionally, the --script option will not interpret names as directory
names unless they are followed by a '/'. [Daniel Miller]

• [GH#1764] Fix an assertion failure when unsolicited ARP response is
received:
     nmap: Target.cc:503: void Target::stopTimeOutClock(const timeval*):
Assertion `htn.toclock_running == true' failed.

• [NSE] New outlib library consolidates functions related to NSE output,
both string formatting conventions and structured output. [Daniel Miller]

• [NSE] New dicom library implements the DICOM protocol used for storing
and transfering medical images. [Paulino Calderon]

• [GH#92] Fix a regression in ARP host discovery left over from the move
from massping to ultra_scan in Nmap 4.22SOC8 (2007) that sometimes resulted
in missing ARP responses from targets near the end of a scan. Accuracy and
speed are both improved. [Daniel Miller]

• [GH#2051] Restrict Nmap's search path for scripts and data files.
NMAPDATADIR, defined on Unix and Linux as ${prefix}/share/nmap, will not be
searched on Windows, where it was previously defined as C:\Nmap .
Additionally, the --script option will not interpret names as directory
names unless they are followed by a '/'. [Daniel Miller]

• [GH#2126] Fix the "iocp" Nsock engine for Windows to be able to correctly
handle PCAP read events. This engine is now the default for Windows, which
should greatly improve performance over the previous default, the "poll"
engine. [Daniel Miller]

• [GH#2050] Reduced CPU usage of OS scan by 50% by avoiding string copy
operations and removing undocumented fingerprint syntax unused in
nmap-os-db ('&' and '+' in expressions). [Daniel Miller]

• [GH#1859] Allow multiple UDP payloads to be specified for a port in
nmap-payloads. If the first payload does not get a response, the
remaining payloads are tried round-robin. [Paul Miseiko, Rapid7]

• [GH#1616] New option --discovery-ignore-rst tells Nmap to ignore TCP RST
responses when determining if a target is up. Useful when firewalls are
spoofing RST packets. [Tom Sellers, Rapid7]

• [Ncat][GH#2087][GH#1927][GH#1928][GH#1974] It is now possible to override
the value of TLS SNI via --ssl-servername [Hank Leininger, nnposter]

• [GH#2104] Fixed parsing of TCP options which would hang (infinite loop)
if an option had an explicit length of 0. Affects Nmap 7.80 only. [Daniel
Miller, Imed Mnif]

• [NSE][GH#1460] Script ssh2-enum-algos would fail if the server initiated
the key exchange before completing the protocol version exchange [Scott
Ellis, nnposter]

• [NSE][GH#2105] Fetching of SSH2 keys might fail because of key exchange
confusion [nnposter]

• [NSE][GH#2098] Performance of script afp-ls has been dramatically
improved [nnposter]

• [NSE][GH#2091] Parsing of AFP FPGetFileDirParms and
FPEnumerateExt2FPEnumerateExt2 responses was not working correctly
[nnposter]

• [NSE][GH#2089] Eliminated false positives in script http-shellshock
caused by simple reflection of HTTP request data [Anders Kaseorg]

• [NSE][GH#1473] SNMP scripts are now enabled on non-standard ports where
SNMP has been detected [usd-markus, nnposter]

• [NSE][GH#2084] MQTT library was using incorrect position when parsing
received responses [tatulea]

• [NSE][GH#2086] IPMI library was using incorrect position when parsing
received responses [Star Salzman]

• [NSE][GH#2086] Scripts ipmi-brute and deluge-rpc-brute were not capturing
successfully brute-forced credentials [Star Salzman]

• Allow resuming IPv6 scans with --resume. The address parsing was assuming
IPv4 addresses, leading to "Unable to parse ip" error. In a related fix,
MAC addresses will not be parsed as IP addresses when resuming from XML.
[Daniel Miller]

• [GH#1622][GH#2068] Fix reverse-DNS handling of PTR records that are not
lowercase. Nmap was failing to identify reverse-DNS names when the DNS
server delivered them like ".IN-ADDR.ARPA". [Lucas Nussbaum, Richard
Schütz, Daniel Miller]

• [NSE][GH#1999][GH#2005] IKE library was not properly populating the
protocol number in aggressive mode requests. [luc-x41]

• [GH#1963] Added service fingerprinting for MySQL 8.x, Microsoft SQL
Server 2019, MariaDB, and Crate.io CrateDB. Updated PostreSQL coverage and
added specific detection of recent versions running in Docker. [Tom Sellers]

• New XML output "hosthint" tag emitted during host discovery when a target
is found to be up. This gives earlier notification than waiting for the
hostgroup to finish all scan phases. [Paul Miseiko]

• [GH#917] New UDP payloads for GPRS Tunneling Protocol (GTP) on ports
2123, 2152, and 3386. [Guillaume Teissier]

• [NSE][GH#1825] SSH scripts now run on several ports likely to be SSH
based on empirical data from Shodan.io, as well as the netconf-ssh service.
[Lim Shi Min Jonathan, Daniel Miller]

• [Zenmap][GH#1777] Stop creating a debugging output file 'tmp.txt' on the
desktop in macOS. [Roland Linder]

• [Nping] Address build failure under libc++ due to "using namespace std;"
in several headers, resulting in conflicting definitions of bind().
Reported by StormBytePP and Rosen Penev. [Daniel Miller]

• [Ncat][GH#1868] Fix a fatal error when connecting to a Linux VM socket
with verbose output enabled. [Stefano Garzarella]

• [Ncat][GH#2060] Proxy credentials can be alternatively passed onto Ncat
by setting environment variable NCAT_PROXY_AUTH, which reduces the risk of
the credentials getting captured in process logs. [nnposter]

• [NSE][GH#1723] Fixed a crash on Windows when processing a GZIP-encoded
HTTP body. [Daniel Miller]

• Upgrade libpcap to 1.9.1, which addresses several CVE vulnerabilities.

• Upgrade libssh2 to 1.9.0, fixing compilation with OpenSSL 1.1.0 API.

• [GH#1717][GH#1718] Processing of IP address CIDR blocks was not working
correctly on ppc64, ppc64le, and s390x architectures. [rfrohl, nnposter]

• [Windows] Add support for the new loopback behavior in Npcap 0.9983 and
later. This enables Nmap to scan localhost on Windows without needing the
Npcap Loopback Adapter to be installed, which was a source of problems for
some users.  [Daniel Miller]

• [NSE] MS SQL library has improved version resolution, from service pack
level to individual cumulative updates [nnposter]

• [NSE][GH#2077] With increased verbosity, script http-default-accounts now
reports matched target fingerprints even if no default credentials were
found [nnposter]

• [NSE][GH#2063] IPP request object conversion to string was not working
correctly [nnposter]

• [NSE][GH#2063] IPP response parser was not correctly processing
end-of-attributes-tag [nnposter]

• [NSE] Script cups-info was failing due to erroneous double-decoding of
the IPP printer status [nnposter]

• [NSE][GH#2010] Oracle TNS parser was incorrectly unmarshalling DALC byte
arrays [nnposter]

• [NSE] The password hashing function for Oracle 10g was not working
correctly for non-alphanumeric characters [nnposter]

• [NSE] Virtual host probing list, vhosts-full.lst, was missing numerous
entries present in vhosts-default.lst [nnposter]

• [NSE][GH#1931][GH#1932] Script http-grep was not correctly calculating
Luhn checksum [Colleen Li, nnposter]

• [NSE][GH#1838] Scripts dhcp-discover and broadcast-dhcp-discover now
support new argument "mac" to force a specific client MAC address [nnposter]

• [NSE] Code improvements in RPC Dump, benefitting NFS-related scripts
[nnposter]

• [NSE] RPC code was using incorrect port range, which was causing some
calls, such as NFS mountd, to fail intermittently [nnposter]

• [NSE][GH#1876] XML output from script ssl-cert now includes RSA key
modulus and exponent [nnposter]

• [NSE][GH#1837] Nmap no longer crashes when SMB scripts, such as smb-ls,
call smb.find_files [nnposter]

• [NSE][GH#1802] The MongoDB library was causing errors when assembling
protocol payloads. [nnposter]

• [NSE][GH#1781][GH#1796] The RTSP library was not correctly generating
request strings. [nnposter]

• [NSE][GH#1706] VNC handshakes were failing with insert position out of
bounds error. [nnposter]

• [NSE][GH#1720] Function marshall_dom_sid2 in library msrpctypes was not
correctly populating ID Authority. [nnposter]

• [NSE][GH#1720] Unmarshalling functions in library msrpctypes were
attempting arithmetic on a nil argument. [Ivan Ivanov, nnposter]

• [NSE][GH#1720] Functions lsa_lookupnames2 and lsa_lookupsids2 in library
msrpc were incorrectly referencing function strjoin when called with debug
level 2 or higher. [Ivan Ivanov]

• [NSE][GH#1755][GH#2096] Added HTTP default account fingerprints for
Tomcat Host Manager and Dell iDRAC9. [Clément Notin]

• [NSE][GH#1476][GH#1707] A MS-SMB spec non-compliance in Samba was causing
protocol negotiation to fail with data string too short error. [Clément
Notin, nnposter]

• [NSE][GH#1480][GH#1713][GH#1714] A bug in SMB library was causing scripts
to fail with bad format argument error. [Ivan Ivanov]

• [NSE][GH#1665] The HTTP library no longer crashes when code requests
digest authentication but the server does not provide the necessary
authentication header. [nnposter]

• [NSE] Fixed a bug in http-wordpress-users.nse that could cause extraneous
output to be captured as part of a username. [Duarte Silva]

Enjoy this new release and please do let us know if you find any problems!
Download link: https://nmap.org/download.html

Cheers,
Gordon "Fyodor" Lyon
_______________________________________________
Sent through the announce mailing list
https://nmap.org/mailman/listinfo/announce
Archived at http://seclists.org/nmap-hackers/