# Nmap Changelog ($Id: CHANGELOG 11439 2008-12-19 21:51:53Z david $); -*-text-*-

o A problem that caused OS detection to fail for most hosts in a certain situation was fixed. It happened when sending raw Ethernet frames (by default on Windows or on other platforms with --send-eth) to hosts on a switched LAN. The destination MAC address was wrong for most targets. The symptom was that only one out of each scan group of 20 or 30 hosts would have a meaningful OS fingerprint. Thanks go to Michael Head for running tests and especially Trent Snyder for testing and finding the cause of the problem. [David]
o Fixed a division by zero error in the packet rate measuring code that could cause a display of infinity packets per second near the start of a scan. [Jah]
o Complete re-write of the marshalling logic for Microsoft RPC calls. [Ron Bowes]
o Added vulnerability checks for MS08-067 as well as an unfixed denial of service in the Windows 2000 registry service. [Ron Bowes]
o Zenmap now runs ndiff to do its "Compare Results" function. This completely replaces the old diff view. ndiff is now required to do comparisons in Zenmap. [David]
o Fixed a bug in the IP validation code which would have let a specially crafted reply sent from a host on the same LAN slip through and cause Nmap to segfault. Thanks to ithilgore of sock-raw.homeunix.org for the very detailed bug report. [Kris]
o [Zenmap] The crash reporter is more respectful of user privacy. It shows all the information that will be submitted so you can edit it to remove identifying information such as the name of your home directory. If you provide an email address the report will be marked private so it will not appear on the public bug tracker. [David]
o [Zenmap] Internationalization has been fixed [David]. Currently there are two partial translations:
  Brazilian Portuguese by Adriano Monteiro Marques
  German by Chris Leick
o [NSE] host.os table is now properly a 1-based array (was 0). [Patrick]
o [Zenmap] Zenmap now parses and records XSL stylesheet information from Nmap XML files, so files saved by Zenmap will be viewable in a web browser just like those produced by Nmap. [David]
o A possible Lua stack overflow in dns.lua was fixed. [David]
o The NSE registry now persists across host groups. [David]
o Added a script that checks for ms08-067-vulnerable hosts (smb-check-vulns.nse) using the smb nselib. [Ron Bowes]
o Added a Russian translation of the Nmap Reference Guide by Guz Alexander. We now have translations in 15 languages available from http://nmap.org/docs.html. More volunteer translators are welcome, as we are still missing some important languages (particularly German!). Translation instructions are available from that docs.html page.
o [Zenmap] Added a workaround for a crash "GtkWarning: could not open display" on Mac OS X 10.5. The problem is caused by setting the DISPLAY environment variable in one of your shell startup files; that shouldn't be done under 10.5 and removing it will make other X11-using applications work better. Zenmap will now handle the situation automatically. [David]
o http-auth.nse now properly checks for default authentication credentials. A bug prevented it from working before. [Vlatko Kosturjak]
o Renamed irc-zombie.nse to auth-spoof and improved its description and output a bit. [Fyodor]
o Most script names were changed to make them more consistent. [Fyodor, David]
o Removed ripeQuery.nse because we now have the much more robust whois.nse which handles all the major registries. [Fyodor]
o Removed showSSHVersion.nse. Its only real claim to fame was the ability to trick some SSH servers (including at least OpenSSH 4.3p2-9etch3) into not logging the connection. This trick doesn't seem to work with newer versions of OpenSSH, as my openssh-server-4.7p1-4.fc8 does log the connection. Without the stealth advantage, the script has no real benefit over version detection or the upcoming banner grabbing script. [Fyodor]
o NSE scripts that require a list of DNS servers (currently only ASN.nse) now work when IPv6 scanning. Previously it gave an error message: "Failed to send dns query. Response from dns.query(): 9". [Jah, David]
o [Zenmap] Added a simple workaround for a bug in PyXML (an add-on Python XML library) that caused a crash. The crash would happen when loading an XML file and looked like "KeyError: 0". [David]
o Removed some unnecessary "demo" category NSE scripts: echoTest, chargenTest, showHTTPVersion, and showSMTPVersion.nse. Moved daytimeTest from the "demo" category to "discovery". Removed showHTMLTitle from the "demo" category, but it remains in the "default" and "safe" categories. This leaves just showSSHVersion and SMTP_openrelay in the undocumented "demo" category. [Fyodor]
o A crash caused by an incorrect test condition was fixed. It would happen when running a ping scan other than a protocol ping, without debugging enabled, if an ICMP packet was received referring to a packet that was not TCP, UDP, or ICMP. Thanks to Brandon Enright and Matt Castelein for reporting the problem. [David]
o [Zenmap] The keyboard shortcut for "Save to Directory" has been changed from Ctrl+v to Ctrl+Alt+s so as not to conflict with the usual paste shortcut. [Jah, Michael]
o Nmap quits if you give a "backwards" port or protocol range like -p 20-10. The issue was noted by Arturo "Buanzo" Busleiman. [David]
o Fixed a bug which caused Nmap to infer an improper distance against some hosts when performing OS detection against a group whose distance varies between members. [David, Fyodor]
o Added a new NSE OpenSSL library with functions for multiprecision integer arithmetic, hashing, HMAC, symmetric encryption and symmetric decryption. [Sven]
o [Zenmap] Host information windows are now like any other windows, and will not become unclosable by having their controls offscreen. Thanks to Robert Mead for the bug report.
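The "backwards range" check mentioned above (refusing -p 20-10 instead of silently accepting it) is a small input-validation problem that is easy to get wrong. The following is an added example, not Nmap's own port parser: it accepts a subset of Nmap's -p syntax (comma-separated ports or lo-hi ranges, with an optional T: or U: prefix that switches protocol for the rest of the list, ports within 0..65535; these grammar limits are assumptions of the example) and raises on malformed, out-of-range or backwards items.

```python
"""Nmap-style port specification parser with range validation.

Added example (not Nmap's own code). The grammar is a subset of
Nmap's -p syntax and is an assumption of this example:
  - comma-separated items, each a single port or "lo-hi"
  - an item may be prefixed "T:" or "U:", which switches the protocol
    for that item and all following ones (TCP is the initial default)
  - ports must lie within 0..65535
"""
import re

MAX_PORT = 65535
_ITEM_RE = re.compile(r"(?:([TU]):)?(\d+)(?:-(\d+))?")


class PortSpecError(ValueError):
    """Raised for any specification that should make the scanner quit."""


def parse_port_spec(spec):
    """Return {"tcp": [...], "udp": [...]} with each list sorted and
    duplicate-free, or raise PortSpecError."""
    if not spec or spec != spec.strip():
        raise PortSpecError("empty or whitespace-padded specification")
    ports = {"tcp": set(), "udp": set()}
    proto = "tcp"
    for item in spec.split(","):
        m = _ITEM_RE.fullmatch(item)
        if m is None:
            raise PortSpecError("malformed port item: %r" % item)
        prefix, lo_s, hi_s = m.groups()
        if prefix is not None:
            proto = "tcp" if prefix == "T" else "udp"
        lo = int(lo_s)
        hi = int(hi_s) if hi_s is not None else lo
        if hi > MAX_PORT:
            raise PortSpecError("port above %d in %r" % (MAX_PORT, item))
        if hi < lo:
            # The "-p 20-10" case from the changelog: refuse rather than
            # scanning nothing (or everything) by accident.
            raise PortSpecError("backwards range: %r" % item)
        ports[proto].update(range(lo, hi + 1))
    return {p: sorted(s) for p, s in ports.items()}


def describe(spec):
    """One-line summary, convenient when driving this from a shell."""
    try:
        parsed = parse_port_spec(spec)
    except PortSpecError as e:
        return "refused %r: %s" % (spec, e)
    return "tcp=%d ports, udp=%d ports" % (len(parsed["tcp"]), len(parsed["udp"]))


if __name__ == "__main__":
    for s in ("22,80-90", "U:53,T:21-25,80", "20-10", "70000", "a-b"):
        print(s, "->", describe(s))
```

Note that a bare "-" (Nmap's shorthand for all ports) and SCTP prefixes are deliberately outside this subset; the point is that every accepted item has been bounds-checked and ordered before it reaches the scan logic.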
o showHTMLTitle.nse can now follow (non-standard) relative redirects, and may do a DNS lookup to find if the redirected-to host has the same IP address as the scanned host. [Jah]
o Enhanced the tohex() function in the NSE stdnse library to support strings and added options to control the formatting. [Sven]
o The http NSE module tries to deal with non-standards-compliant HTTP traffic, particularly responses in which the header fields are separated by plain LF rather than CRLF. [Jah, Sven]
o [Zenmap] The help function now properly converts the pathname of the local help file to a URL, for better compatibility with different web browsers. [David] This should fix the crash:
  WindowsError: [Error 2] The system cannot find the file specified: 'file://C:\\Program Files\\Nmap\\zenmap\\share\\zenmap\\docs\\help.html'
o The HTTP_open_proxy.nse script is updated to match Google Web Server's changed header field: "Server: gws" instead of "Server: GWS/". [Vlatko Kosturjak]
o Enhanced the ssh service detection signatures to properly detect protocol version 2 services. [Matt Selsky]
o [Zenmap] Nmap output is automatically scrolled. [David]
o Reduced memory consumption for some longer running scans by removing completed hosts from the lists after two minutes. These hosts are kept around in case there is a late response, but this draws the line on how long we wait and hence keep this information in memory. See http://seclists.org/nmap-dev/2008/q3/0902.html for more. [Kris]
o XML output now contains the full path to nmap.xml on Windows. The path is converted to a file:// URL to provide better compatibility across browsers. [Jah]
o Zenmap no longer outputs XML elements and attributes that are not in the Nmap XML DTD. This was done mostly by removing things from Zenmap's output, and adding a few new optional things to the Nmap DTD. A scan's profile name, host comments, and interactive text output are what were added to nmap.dtd.
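The http module change above (tolerating header lines ended by a bare LF) and the chunked-encoding support listed in the 4.75 notes further down are both parser-robustness points. The following is an added example, not the NSE http library's code: a lenient HTTP/1.x response parser that accepts CRLF or LF line endings in both the header block and the chunk framing, and refuses truncated chunks rather than returning partial data. The sample response is constructed for the example; its "Server: gws" header mirrors the field the HTTP_open_proxy change matches.

```python
"""Lenient HTTP/1.x response parsing: bare-LF header lines and chunked
bodies. Added example, not the NSE http library's code. The sample
response below is constructed for the example."""


def split_head_body(raw):
    """Split a raw response into (header_block, body) at the first blank
    line, accepting either CRLFCRLF or LFLF as the separator."""
    found = [(raw.find(sep), sep) for sep in (b"\r\n\r\n", b"\n\n")]
    found = [(i, sep) for i, sep in found if i != -1]
    if not found:
        raise ValueError("no end of headers")
    idx, sep = min(found)            # earliest separator wins
    return raw[:idx], raw[idx + len(sep):]


def parse_headers(block):
    """Parse the status line and header fields; a trailing CR on each
    line is stripped so CRLF and LF endings are treated alike."""
    lines = [l.rstrip(b"\r") for l in block.split(b"\n")]
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("bad status line: %r" % lines[0])
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("bad header line: %r" % line)
        # Header names are case-insensitive; a later duplicate wins here.
        key = name.strip().lower().decode("ascii")
        headers[key] = value.strip().decode("iso-8859-1")
    return status, headers


def decode_chunked(body):
    """Decode a chunked transfer-coded body. Chunk-size lines and chunk
    terminators may end in CRLF or bare LF; chunk extensions after ';'
    are ignored and any trailer after the last chunk is discarded."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.find(b"\n", pos)
        if nl == -1:
            raise ValueError("truncated chunk-size line")
        size_field = body[pos:nl].rstrip(b"\r").split(b";")[0].strip()
        size = int(size_field, 16)
        pos = nl + 1
        if size == 0:
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        out += chunk
        pos += size
        if body.startswith(b"\r\n", pos):
            pos += 2
        elif body.startswith(b"\n", pos):
            pos += 1
        else:
            raise ValueError("missing chunk terminator")


def parse_response(raw):
    """Return (status, headers, body) for one complete raw response."""
    head, body = split_head_body(raw)
    status, headers = parse_headers(head)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = decode_chunked(body)
    return status, headers, body


# Constructed sample: LF-only headers, a "Server: gws" field, and a
# chunked body whose framing uses CRLF.
SAMPLE = (b"HTTP/1.1 200 OK\n"
          b"Server: gws\n"
          b"Transfer-Encoding: chunked\n"
          b"\n"
          b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(parse_response(SAMPLE))
```

The split picks whichever blank-line marker occurs first, so a server that mixes endings still terminates its header block where it intended to, and the chunk decoder never hands back a body shorter than the lengths it was promised.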
The .usr filename extension for saved Zenmap files is deprecated in favor of the .xml extension commonly used with Nmap. Because of these changes the xmloutputversion has been increased to 1.03. [David]
o Added the Ndiff utility, which compares the results of Nmap scans. See ndiff/README and http://nmap.org/ndiff/ for more information. [David]
o Fixed an integer overflow that could cause the scan delay to grow large for no reason in some circumstances. [David]
o Enhanced the AS Numbers script (ASN.nse) to better consolidate results and bail out if the DNS server doesn't support the ASN queries. [Jah]
o Made DNS timeouts in NSE dependent on the timing template. [Jah]
o Added three new nselib modules: msrpc, netbios, and smb. As the names suggest, they contain common code for scripts using MSRPC, NetBIOS, and SMB. These modules allow scripts to extract a great deal of information from hosts running Windows, particularly Windows 2000. New or updated scripts using the modules are:
  nbstat.nse: get NetBIOS names and MAC address.
  smb-enumdomains.nse: enumerate domains and policies.
  smb-enumsessions.nse: enumerate logins and SMB sessions.
  smb-enumshares.nse: enumerate network shares.
  smb-enumusers.nse: enumerate users and information about them.
  smb-os-discovery.nse: get operating system over SMB (replaces netbios-smb-os-discovery.nse).
  smb-security-mode.nse: determine if a host uses user-level or share-level security, and what other security features it supports.
  smb-serverstats.nse: grab statistics such as network traffic counts.
  smb-systeminfo.nse: get lots of information from the registry.
  [Ron Bowes]
o A script could be executed twice if it was given with the --script option, was also in the "version" category, and version detection (-sV) was requested. This has been fixed. [David]
o Fixed port number representation in some of Nmap's and all of Nsock's output. Incorrect conversion modifiers were being used which caused high ports to wrap around and be shown as negative values. [Kris]
o Upgraded the shipped libdnet to 1.12. [Kris]
o Upgraded the OpenSSL shipped for Windows to 0.9.8i. [Kris]
o The SSLv2-support NSE script no longer prints duplicate cyphers if they exist in the server's supported cypher list. [Kris]
o Updated IANA assignment IP list for random IP (-iR) generation. [Kris]

Nmap 4.76 [2008-9-12]

o There is a new "external" script category, for NSE scripts which rely on a third-party network resource. Scripts that send data to anywhere other than the target are placed in this category. Initial members are ASN.nse, dns-safe-recursion-port.nse, dns-safe-recursion-txid.nse, ripeQuery.nse, HTTP_open_proxy.nse, and whois.nse. [David]
o [Zenmap] A crash was fixed that affected Windows users with non-ASCII characters in their user names. [David] The error looked like this (with many variations):
  UnicodeDecodeError: 'utf8' codec can't decode byte 0x9c in position 28: unexpected code byte
o [Zenmap] Several corner-case crashes were fixed: [David]
  File "radialnet\gui\NodeNotebook.pyo", line 429, in __create_widgets
  KeyError: 'tcp'
  File "radialnet\gui\RadialNet.pyo", line 1531, in __livens_up
  AttributeError: 'NoneType' object has no attribute 'get_nodes'
  File "zenmapGUI\MainWindow.pyo", line 308, in _create_ui_manager
  GError: Odd character '\'
  File "radialnet/gui/ControlWidget.py", line 104, in __create_widgets
  AttributeError: 'module' object has no attribute 'STOCK_INFO'
  File "radialnet\util\integration.pyo", line 385, in make_graph_from_hosts
  KeyError: 'hops'
o [Zenmap] A crash was fixed that happened when opening the Hosts Viewer with an empty list of hosts. [David] The error message was:
  File "radialnet\gui\HostsViewer.pyo", line 167, in __cursor_callback
  TypeError: GtkTreeModel.get_iter requires a tree path as its argument
o Improved rpcinfo.nse to correctly parse a wider variety of server responses. [Sven Klemm]
o [Zenmap] Fixed a data encoding bug which could cause the crash reporter itself to crash! [David]
o Nmap's Windows self-installer now correctly registers/deletes the npf (WinPcap) service during install/uninstall. Also the silent install mode was improved to avoid a case where the WinPcap uninstaller was (non-silently) shown. [Rob Nicholls]
o Nmap's Windows self-installer now checks whether the MS Visual C++ runtime components have already been installed to avoid running it again (which doesn't hurt anything, but slows down installation). [Rob Nicholls]
o Fixed an assertion failure where raw TCP timing ping probes were wrongly used during a TCP connect scan:
  nmap: scan_engine.cc:2843: UltraProbe* sendIPScanProbe(UltraScanInfo*, HostScanStats*, const probespec*, u8, u8): Assertion `USI->scantype != CONNECT_SCAN' failed.
  Thanks to LevelZero for the report. [David]
o Update the NSE bit library to replace deprecated use of luaL_openlib() with luaL_register(). This fixes a build error which occurred on systems which have Lua libraries installed but LUA_COMPAT_OPENLIB not defined. [Sven]
o [Zenmap] The automatic crash reporter no longer requires an email address. [David]
o [Zenmap] Highlighting of hostnames was improved to avoid wrongful highlighting of certain elapsed times, byte counts, and other non-hostname data. The blue highlight effects are now more subtle (no longer bold, underlined, or italic). [David]
o [Zenmap] A warning that would occur when a host had the same service running on more than one port was removed. Thanks to Toralf Förster for the bug report. [David]
  GtkWarning: gtk_box_pack_start: assertion `child->parent == NULL' failed
  self.pack_start(widget, expand=False, fill=False)

Nmap 4.75 [2008-9-7]

o [Zenmap] Added a new Scan Topology system. The idea is that if we are going to call Nmap the "Network Mapper", it should at least be able to draw you a map of the network! And that is what this new system does. It was achieved by integrating the RadialNet Nmap visualization tool (http://www.dca.ufrn.br/~joaomedeiros/radialnet) into Zenmap. Joao Medeiros has been developing RadialNet for more than a year. For details, complete with some of the most beautiful Zenmap screen shots ever, visit http://nmap.org/book/zenmap-topology.html. The integration work was done by SoC student Vladimir Mitrovic and his mentor David Fifield.
o [Zenmap] Another exciting new Zenmap feature is Scan Aggregation. This allows you to visualize and analyze the results of multiple scans at once, as if they were from one Nmap execution. So you might scan one network, analyze the results a bit, then scan some of the machines more intensely or add a completely new subnet to the scan. The new results are seamlessly added to the old, as described at http://nmap.org/book/zenmap-scanning.html#aggregation. [David, Vladimir]
o Expanded nmap-services to include information on how frequently each port number is found open. The results were generated by scanning tens of millions of IPs on the Internet this summer, and augmented with internal network data contributed by some large organizations. [Fyodor]
o Nmap now scans the most common 1,000 ports by default in either protocol (UDP scan is still optional). This is a decrease from 1,715 TCP ports and 1,488 UDP ports in Nmap 4.68. So Nmap is faster by default and, since the port selection is better thanks to the port frequency data, it often finds more open ports as well. [Fyodor]
o Nmap fast scan (-F) now scans the top 100 ports by default in either protocol. This is a decrease from 1,276 (TCP) and 1,017 (UDP) in Nmap 4.68. Port scanning time with -F is generally an order of magnitude faster than before, making -F worthy of its "fast scan" moniker. [Fyodor]
o The --top-ports option lets you specify the number of ports you wish to scan in each protocol, and will pick the most popular ports for you based on the new frequency data. For both TCP and UDP, the top 10 ports get you roughly half of the open ports. The top 1,000 (out of 65,536 possible) finds roughly 93% of the open TCP ports and more than 95% of the open UDP ports. [Fyodor, Doug Hoyte]
o David integrated all of your OS detection fingerprint and correction submissions from March 11 until mid-July. In the process, we reached the 1500-signature milestone for the 2nd generation OS detection system. We can now detect the newest iPhones, Linux 2.6.25, OS X Darwin 9.2.2, Windows Vista SP1, and even the Nintendo Wii. Nmap now has 1,503 signatures, vs. 1,320 in 4.68. Integration is now faster and more pleasant thanks to the new OSassist application developed by Nmap SoC student Michael Pattrick. See http://seclists.org/nmap-dev/2008/q3/0089.html and http://seclists.org/nmap-dev/2008/q3/0139.html for more details.
o Nmap now works with Windows 2000 again, after being broken by our IPv6 support improvements in version 4.65. A couple new dependencies are required to run on Win2K, as described at http://nmap.org/book/inst-windows.html#inst-win2k .
o [Zenmap] Added a context-sensitive help system to the Profile Editor. You can now mouse-over options to learn more about what they are used for and their proper argument syntax. [Jurand Nogiec]
o When Nmap finds a probe during ping scan which elicits a response, it now saves that information for the port scan and later phases. It can then "ping" the host with that probe as necessary to collect timing information even if the host is not responding to the normal port scan packets. Previously, Nmap's port scan timing pings could only use information gathered during that port scan itself. A number of other "port scan ping" system improvements were made at the same time to improve performance against firewalled hosts.
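The frequency column added to nmap-services in 4.75 is what --top-ports and the new -F defaults rank on, as described a few items above. The following is an added example, not Nmap's own code: it parses lines in the nmap-services layout (service, port/proto, frequency, optional # comment), selects the N most frequently open ports per protocol, and computes what fraction of the total open-port frequency mass those ports cover, which is the figure behind the "top 10 ports get you roughly half" statement. The file contents are constructed for the example and the frequencies are invented, not the real survey numbers.

```python
"""Selecting the most frequently open ports from an nmap-services style
file, as --top-ports does. Added example, not Nmap's own code.
Since 4.75 each nmap-services line carries an open-frequency column:
    <service>  <port>/<proto>  <frequency>  # optional comment
The contents below are constructed; the frequencies are made up."""
from collections import namedtuple

Service = namedtuple("Service", "name port proto freq")

SAMPLE_SERVICES = """\
# Constructed sample in nmap-services layout (frequencies are made up).
http\t80/tcp\t0.400000\t# World Wide Web HTTP
telnet\t23/tcp\t0.200000
https\t443/tcp\t0.150000
ftp\t21/tcp\t0.100000\t# File Transfer [Control]
ssh\t22/tcp\t0.100000
smtp\t25/tcp\t0.050000
unknown\t9/tcp\t0.000000
domain\t53/udp\t0.400000
ntp\t123/udp\t0.300000
snmp\t161/udp\t0.300000
"""


def parse_services(text):
    """Parse nmap-services lines into Service records, skipping comments,
    blank lines and lines that lack a frequency column."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue   # pre-4.75 layout without a frequency column
        name, portproto, freq = fields[0], fields[1], fields[2]
        port_s, sep, proto = portproto.partition("/")
        if not sep or not port_s.isdigit() or proto not in ("tcp", "udp", "sctp"):
            raise ValueError("line %d: bad port/proto %r" % (lineno, portproto))
        entries.append(Service(name, int(port_s), proto, float(freq)))
    return entries


def top_ports(entries, n, proto):
    """The n ports of the given protocol with the highest open frequency,
    most frequent first; ties are broken by port number so the result
    is deterministic."""
    ranked = sorted((e for e in entries if e.proto == proto),
                    key=lambda e: (-e.freq, e.port))
    return [e.port for e in ranked[:n]]


def coverage(entries, ports, proto):
    """Fraction of the protocol's total open-port frequency mass that
    the chosen ports account for."""
    total = sum(e.freq for e in entries if e.proto == proto)
    chosen = set(ports)
    hit = sum(e.freq for e in entries if e.proto == proto and e.port in chosen)
    return hit / total if total else 0.0


if __name__ == "__main__":
    svc = parse_services(SAMPLE_SERVICES)
    for proto in ("tcp", "udp"):
        top = top_ports(svc, 3, proto)
        print(proto, top, "cover %.0f%% of open ports" % (100 * coverage(svc, top, proto)))
```

With the constructed data the top three TCP ports (80, 23, 443) cover 75% of the TCP frequency mass; the same function run over a real nmap-services file reproduces the kind of coverage figures quoted in the notes for any N you choose.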
For full details, see http://seclists.org/nmap-dev/2008/q3/0647.html [David, Michael, Fyodor] o --traceroute now uses the timing ping probe saved from host discovery and port scanning instead of finding its own probe. The timing ping probe is always the best probe Nmap knows about for eliciting a response from a target. This will have the most effect on traceroute after a ping scan, where traceroute would sometimes pick an ineffective probe and traceroute would fail even though the target was up. [David] o Added dns-safe-recursion-port and dns-safe-recursion-txid (non-default NSE scripts) which use the 3rd party dns-oarc.net lookup to test the source port and transaction ID randomness of discovered DNS servers (assuming they allow recursion at all). These scripts, which test for the "Kaminsky" DNS bugs, were contributed by Brandon Enright. o Added whois.nse, which queries the Regional Internet Registries (RIRs) to determine who the target IP addresses are assigned to. [Jah] o [Zenmap] Overhauled the default list of scan profiles based on nmap-dev discussion. Users now have a much more diverse and useful set of default profile options. And if they don't like any of those canned scan commands, they can easily create their own in the Profile Editor! [David] o Fyodor made a number of performance tweaks, such as: o increase host group sizes in many cases, so Nmap will now commonly scan 64 hosts at a time rather than 30 o align host groups with common network boundaries, such as /24 or /25 o Increase maximum per-target port-scan ping frequency to one every 1.25 seconds rather than every five. Port scan pings happen against heavily firewalled hosts and the like when Nmap is not receiving enough responses to normal scan to properly calculate timing variables and detect packet drops. o Added a new NSE binlib library, which offers bin.pack() and bin.unpack() functions for dealing with storing values in and extracting them from binary strings. 
For details, see http://nmap.org/book/nse-library.html#nse-binlib . [Philip Pickering] o Added a new NSE DNS library. See this thread: http://seclists.org/nmap-dev/2008/q3/0310.html [Philip Pickering] o Added new NSE libraries for base64 encoding, SNMP, and POP3 mail operations. They are described at http://seclists.org/nmap-dev/2008/q3/0233.html . [Philip Pickering] o Added NSE scripts popcapa (retrieves POP3 server capabilities) and brutePOP3 (brute force POP3 authentication cracker) which make use of the new POP3 library. [Philip Pickering] o Added the SNMPcommunitybrute NSE script, which is a brute force community string cracker. Also modified SNMPsysdescr to use the new SNMP library. [Philip Pickering] o Fixed the SMTPcommands script so that it can't return multiple values (which was causing problems). Thanks to Jah for tracking down the problem and sending a fix for SMTPcommands. Then Patrick fixed NSE so it can handle misbehaving scripts like this without causing mysterious side effects. o Added a new NSE Unpwdb (username/password database) library for easily obtaining usernames or passwords from a list. The functions usernames() and passwords() return a closure which returns a new list entry with every call, or nil when the list is exhausted. You can specify your own username and/or password lists via the script arguments userdb and passdb, respectively. [Kris] o Nmap's Nsock-utilizing subsystems (DNS, NSE, version detection) have been updated to support the -S and --ip-options flags. [Kris] o A new --max-rate option was added, which complements --min-rate. It allows you to specify the maximum byte rate that Nmap is allowed to send packets. [David] o Added --ip-options support for the connect() scan (-sT). [Kris] o Nsock now supports binding to a local address and setting IPv4 options with nsi_set_localaddr() and nsi_set_ipoptions(), respectively. 
[Kris] o Added IPProto Ping (-PO) support to Traceroute, and fixed support for IPProto Scan (-sO) and the ICMP Pings (-PE, -PP, -PM) in Traceroute as well. These could cause Nmap to hang during Traceroute. [Kris] o [Zenmap] Added a "Cancel" button for cancelling a scan in progress without losing any Nmap output obtained so far. [Jurand Nogiec] o Improve the netbios-smb-os-discovery NSE script to improve target port selection and to also decode the system's timestamp from an SMB response. [Ron at SkullSecurity] o Nmap now avoids collapsing large numbers of ports in open|filtered state (e.g. just printing that 500 ports are in that state rather than listing them individually) if verbosity or debugging levels are greater than two. See this thread: http://seclists.org/nmap-dev/2008/q3/0312.html . [Fyodor] o The NSE http library now supports chunked encoding. [Sven Klemm] o The NSE datafiles library now has generic file parsing routines, and the parsing of the standard nmap data files (e.g. nmap-services, nmap-protocols, etc.) now uses those generic routines. NSE scripts and libraries may find them useful for dealing with their own data files, such as password lists. [Jah] o Passed the big revision 10,000 milestone in the Nmap project SVN server: http://seclists.org/nmap-dev/2008/q3/0682.html o Added some Windows and MinGW compatibility patches submitted by Gisle Vanem. o Improved nse_init so that compilation/runtime errors in NSE scripts no longer cause the script engine to abort. [Patrick] o Fix a cosmetic bug in --script-trace hex dump output which resulting in bytes with the highest bit set being prefixed with ffffff. [Sven Klemm] o Removed the nselib-bin directory. The last remaining shared NSE module, bit, has been made static by Patrick. Shared modules were broken for static builds of Nmap, such as those in the RPMS. We also had the compilation problems (particularly on OpenBSD) with shared modules which lead us to make PCRE static a while back. 
[David] o Updated rpcinfo NSE script to use the new pack/unpack (binlib) functions, use the new tab library, include better documentation, and fix some bugs. [Sven Klemm] o Add useful details to the error message printed when an NSE script fails to load (due to syntax error, etc.) [Patrick] o Fix a bug in the NSE http library which would cause some scripts to give the error: SCRIPT ENGINE: C:\Program Files\Nmap\nselib/http.lua:77: attempt to call field 'parse' (a nil value) [Jah] o Fixed a Makefile problem (race condition) which could lead to build failures when launching make in parallel mode (e.g. -j4). [Michal Januszewski] o Added new addrow() function to NSE tab library. It allows developers to add a whole row at once rather than doing a separate add() call for each column in a row. [Sven Klemm] o Completion time estimates provided in verbose mode or when you hit a key during scanning are now more accurate thanks to algorithm improvements by David. o Fixed a number of NSE scripts which used print_debug() incorrectly. See http://seclists.org/nmap-dev/2008/q3/0470.html. [Sven Klemm]. o [Zenmap] The Ports/Hosts view now provides full version detection values rather than just a simple summary. [Jurand Nogiec] o [Zenmap] When you edit the command-entry field, then change the target selection, Nmap no longer blows away your edits in favor of using your current profile. [Jurand Nogiec] o Nsock now returns data from UDP packets individually, preserving the packet boundary, rather than concatenating the data from multiple packets into a single buffer. This fixes a problem related to our reverse-DNS system, which can only handle one DNS packet at a time. Thanks to Tim Adam of ManageSoft for debugging the problem and sending the patch. Doug Hoyte helped with testing, and it was applied by Fyodor. o [Zenmap] Fixed a crash which would occur when you try to compare two files, either of which has more than one extraports element. 
[David] o Added the undocumented (except here) --nogcc option which disables global/group congestion control algorithms and so each member of a scan group of machines is treated separately. This is just an experimental option for now. [Fyodor] o [Zenmap] The Ports/Hosts display now has different colors for open and closed ports. [Vladimir] o Fixed Zenmap so that it displays all Nmap errors. Previously, only stdout was redirected into the window, and not stderr. Now they are both redirected. [Vladimir] o NSE can now be used in combination with ping scan (e.g. "-sP --script") so that you can execute host scripts without needing to perform a port scan. [Kris] o [NSE] Category names are now case insensitive. [Patrick] o [NSE] Each thread for a script now gets its own action closure (and upvalues). See: http://seclists.org/nmap-dev/2008/q2/0549.html [Patrick] o [NSE] The script_scan_result structure has been changed to a class, ScriptResult, which now holds a Script's output in an std::string. This removes the need to use malloc and free to manage this memory. A similar change was made to the run_record structure. [Patrick] o [NSE] Fixed a socket exhaustion deadlock which could prevent a script scan from ever finishing. Now, rather than limit the total number of sockets which can be open, we limit the number of scripts which can have sockets open at once. And once a script has one socket opened, it is permitted to open as many more as it needs. [Patrick] o A hashing library (code from OpenSSL) was added to NSE. hashlib contains md5 and sha1 routines. [Philip Pickering] o Fixed host discovery probe matching when looking at the returned TCP data in an ICMP error message. 
This could formerly lead to incorrectly discarded responses and the debugging error message: "Bogus trynum or sequence number in ICMP error message" [Kris] o Fixed a segmentation fault in Nsock which occurred when calling nsock_write() with a data length of -1 (which means the data is a NUL-terminated string and Nsock should take the length itself) and the Nsock trace level was at least 2. [Kris] o The NSE Comm library now defaults to trying to read as many bytes as are available rather than lines if neither the "bytes" nor "lines" options are given. Thanks to Brandon for reporting a problem which he noticed in the dns-test-open-recursion script. [Kris] o Updated zoneTrans.nse to replace length bytes in returned domain names to periods itself rather than relying on NSE's old behavior of replacing non-printable characters with periods. Thanks to Rob Nicholls for reporting the problem. [Kris] o Some Zenmap crashes have been fixed: trying to "refresh" the output of a scan loaded from a file, and trying to re-save a file loaded from the command line in some circumstances. [David] o [Zenmap] The file selector now remembers what directory it was last looking at. [David] o Added an extra layer of validity checking to received packets (readip_pcap), just to be extra safe. See http://seclists.org/nmap-dev/2008/q3/0644.html . [Kris] o Zenmap defaults to showing files matching both *.xml and *.usr in the file selector. Previously it only showed those matching *.usr. The new combined format will be XML and .usr will be deprecated. See http://seclists.org/nmap-dev/2008/q3/0093.html . o Nmap avoids printing the sending rate in bytes per second during a TCP connect scan. Because the number of bytes per probe is not known, it used to print current sending rates: 11248.85 packets / s, 0.00 bytes / s. Now it will print simply print rates like "11248.85 packets / s". 
[David] o [Zenmap] Nmap's installation process now include .desktop files which install menu items for launching Zenmap as a privileged or non-privileged process on Linux. This will mainly affect people who install nmap and Zenmap directly from the source code. [Michael] o Improved performance of IP protocol scan by fixing a bug related to timing calculations on ICMP probe responses. See r8754 svn log for full details. [David] o Nmap --reason output no longer falsely reports a localhost-response during -PN scans. See http://seclists.org/nmap-dev/2008/q3/0188.html. [Michael] o [Zenmap] The higwidgets Python package has moved so it is now a subpackage of zenmapGUI. This avoids naming conflicts with Umit, which uses a slightly different version of higwidgets. [David] o A bug that could cause some host discovery probes to be incorrectly interpreted as drops was fixed. This occurred only when the IP protocol ping (-PO) option was combined with other ping types. [David] o A new scanflags attribute has been added to XML output, which lists all user specified --scanflags for the scan. nmap.dtd has been modified to account for this. [Michael] o The loading of the nmap-services file has been made much faster--roughly 9 times faster in common cases. This is important for the new (much larger) frequency augmented nmap-services file. [David] o Added a script (ASN.nse) which uses Team Cymru's DNS interface to determine the routing AS numbers of scanned IP addresses. They even set up a special domain just for Nmap queries. The script is still experimental and non-default. [Jah, Michael] o [Zenmap] Clicking "Cancel" in a file chooser in the diff interface no longer causes a crash. [David] o The shtool build helper script has been updated to version 2.0.8. An older version of shutil caused installation to fail when the locale was set to et_EE. Thanks to Michal Januszewski for the bug report. 
[David] o [Zenmap] Removed services.dmp and os_dmp.dmp and all the files that referred to them. They are not needed with the new search interface. Also removed an unused search progress bar. And some broken fingerprint submission code. Yay for de-bloating! [David] o [Zenmap] Added "%F" to the Exec link in the new Zenmap desktop file. We expect (hope) that this will allow dragging and dropping XML files onto the icon. [David] o [Zenmap] The -o[XGASN] options can now be specified, just as you can at the console. [Vladimir] o [Zenmap] You can now shrink the scan window below its default size thanks to NmapOutputViewer code enhancements. [David] o [Zenmap] Removed optional use of the Psyco Python optimizer since Zenmap is not the kind of CPU-bound application which benefits from Psyco. o [Zenmap] You can now select more than one host in the "Ports / Hosts" view by control-clicking them in the column at left. o [Zenmap] The profile editor now offers the --traceroute option. o Zenmap now uses Unicode objects pervasively when dealing with Nmap text output, though the only internationalized text Nmap currently outputs is the user's time zone. [David] o Unprintable characters in NSE script output (which really shouldn't happen anyway) are now printed like \xHH, where HH is the hexadecimal representation of the character. See http://seclists.org/nmap-dev/2008/q3/0180.html . [Patrick] o Nmap sometimes sent packets with incorrect IP checksums, particularly when sending the UDP probes in OS detection. This has been fixed. Thanks to Gisle Vanem for reporting and investigating the bug. [David] o Fixed the --without-liblua configure option so that it works again. [David] o In the interest of forward compatibility, the xmloutputversion attribute in Nmap XML output is no longer constrained to be a certain string ("1.02"). The xmloutputversion should be taken as merely advisory by authors of parsers. o Zenmap no longer leaves any temporary files lying around. 
[David] o Nmap only prints an uptime guess in verbose mode now, because in some situations it can be very inaccurate. See the discussion at http://seclists.org/nmap-dev/2008/q3/0392.html. [David] Nmap 4.68 [2008-6-28] o Doug integrated all of your version detection submissions and corrections for the year up to May 31. There were more than 1,000 new submissions and 18 corrections. Please keep them coming! And don't forget that corrections are very important, so do submit them if you ever catch Nmap making a version detection or OS detection mistake. The version detection DB has grown to 5,054 signatures representing 486 service protocols. Protocols span the gamut from abc, acap, access-remote-pc, activefax, and activemq, to zebedee, zebra, zenimaging, and zenworks. The most popular protocols are http (1,672 signatures), telnet (519), ftp (459), smtp (344), and pop3 (201). o Nmap compilation on Windows is now done with Visual C++ Express 2008 rather than 2005. Windows compilation instructions have been updated at http://nmap.org/book/inst-windows.html#inst-win-source . [Kris] o The Nmap Windows self-installer now automatically installs the MS Visual C++ 2008 runtime components if they aren't already installed on a system. These are some reasonably small DLLs that are generally necessary for applications compiled with Visual C++ (with dynamic linking). Many or most systems already have these installed from other software packages. The lack of these components led to the error message "The Application failed to initialize properly (0xc0150002)." with Nmap 4.65. A related change is that Nmap on Windows is now compiled with /MD rather than /MT so that it consistently uses these runtime libraries. The patch was created by Rob Nicholls. o Added advanced search functionality to Zenmap so that you can locate previous scans using criteria such as which ports were open, keywords in the target names, OS detection results, etc.
Try it out with Ctrl-F or "Tools->Search Scan Results". [Vladimir] o Nmap's special WinPcap installer now handles 64-bit Windows machines by installing the proper 64-bit npf.sys. [Rob Nicholls] o Added a new NSE Comm (common communication) library for common network discovery tasks such as banner-grabbing (get_banner()) and making a quick exchange of data (exchange()). 16 scripts were updated to use this library. [Kris] o The Nmap Scripting Engine now supports mutexes for gracefully handling concurrency issues. Mutexes are documented at http://nmap.org/book/nse-api.html#nse-mutex . [Patrick] o Added a UDP SNMPv3 probe to version detection, along with 9 vendor match lines. The patch was from Tom Sellers, who contributed other probes and match lines to this release as well. o Added a new timing_level() function to NSE which reports the Nmap timing level from 0 to 5, as set by the Nmap -T option. The default is 3. [Thomas Buchanan] o Update the HTTP library to use the new timing_level functionality to set connection and response timeouts. An error preventing the new timing_level feature from working was also fixed. [Jah] o Optimized the doAnyOutstandingProbes() function to make Nmap a bit faster and more efficient. This makes a particularly big difference in cases where --min-rate is being used to specify a very high packet sending rate. [David] o Fixed an integer overflow which prevented a target specification of "*.*.*.*" from working. Support for the CIDR /0 is now also available for those times you wish to scan the entire Internet. [Kris] o The robots.nse script has been improved to print output more compactly and limit the number of entries of large robots.txt files based on Nmap verbosity and debugging levels. [Eddie Bell] o The Nmap NSE scripts have been re-categorized in a more logical fashion. The new categories are described at http://nmap.org/book/nse-usage.html#nse-categories . 
[Kris] o Improve AIX support by linking against -lodm and -lcfg on that platform. [David] o Updated showHTMLTitle NSE script to follow one HTTP redirect if necessary as long as it is on the same server. [Jah] o Michael Pattrick and David created a new OSassist application which streamlines the OS fingerprint submission integration process and prevents certain previously common errors. OSassist isn't part of Nmap, but the system was used to integrate some submissions for this release. 13 fingerprints were added during OSassist testing, and some existing fingerprints were improved as well. Expect many more fingerprints coming soon. o Improved the mapping between dnet device names (like eth0) and WinPcap names (like \Device\NPF_{28700713...}). You can see this mapping with --iflist, and the change should make Nmap more likely to work on Windows machines with unusual networking configurations. [David] o Service fingerprints in XML output are no longer truncated to 2KB. [Michael] o Some laptops report the IP Family as NULL for disabled WiFi cards. This could lead to a crash with the "sin->sin_family == AF_INET6" assertion failure. Nmap no longer quits when this is encountered. [Michael] o On systems without the GNU getopt_long_only() function, Nmap has its own replacement. That replacement used to call the system's getopt() function if it exists. But the AIX and Solaris getopt() functions proved insufficient/buggy, so Nmap now always calls its own internal getopt() from its getopt_long_only() replacement. [David] o Integrated several service match lines from Tom Sellers. o An error was fixed where Zenmap would crash when trying to load from the recent scans database a file containing non-ASCII characters. The error looked like pysqlite2.dbapi2.OperationalError: Could not decode to UTF-8 column 'nmap_xml_output' with text ' = 0.0" assertion failed. I think the problem was actually caused by SMP machines which didn't sync the clock time perfectly.
This led to gettimeofday() sometimes reporting that time decreased by some microseconds. Now Nmap is willing to tolerate decreases of up to 1 millisecond in this function. [Fyodor] o Nmap now returns correct values for --iflist on Windows even if interface aliases have been set. Previously it would misreport the windevices and not list all interfaces. [Michael] o Nmap no longer crashes with an 'assert' error when it's told to access a disabled WiFi NIC on some laptops. [Michael] o Upgraded the OpenSSL shipped for Windows to 0.9.8h. [Kris] o The NSE http library was updated to gracefully handle certain bogus (non-)http responses. [Jah] o The zoneTrans.nse script now takes a "domain" script argument to specify the desired domain name to transfer. You can narrow the scope down with the form "zoneTrans={domain=xxx}". [Kris] o Increase write buffer length for Nmap output on Windows. This should prevent error messages like: "log_vwrite: vnsprintf failed. Even after increasing bufferlen to 819200, Vsnprintf returned -1 (logt == 1)." Thanks to prozente0 for the report. [Fyodor] o Fixed the --script-updatedb command, which was claiming to be "Aborting database update" even when the update was performed perfectly. See http://seclists.org/nmap-dev/2008/q2/0623.html . Thanks to Jah for the report. Nmap 4.65 [2008-6-1] o A Mac OS X Nmap/Zenmap installer is now available from the Nmap download page! It is rather straightforward, but detailed instructions are available anyway at http://nmap.org/book/inst-macosx.html . As a universal installer, it works on both Intel and PPC Macs. It is distributed as a disk image file (.dmg) containing an mpkg package. The installed Nmap does include OpenSSL support. It also supports Authorization Services so that Zenmap can run as root. David created this installer. He wants to thank Benson Kalahar and Vlad Alexa for extensive testing of the nine test releases.
o The Windows version of Nmap now supports OpenSSL just as the UNIX versions have for years. Both the .zip and executable installer binary packages we ship from the Nmap download page now include OpenSSL. [Kris, Thomas Buchanan] o We now compile in IPv6 support on Windows. In order to use this, you need to have IPv6 set up. It is installed by default on Vista, but must be downloaded from Microsoft for XP. See http://www.microsoft.com/technet/network/ipv6/ipv6faq.mspx . [Kris] o Seven Google-sponsored Summer of Code students began working on exciting Nmap projects full time. The winning students and their Nmap development projects are described at http://seclists.org/nmap-dev/2008/q2/0132.html . o Our WinPcap installer now starts the NPF driver running as a service immediately upon installation and after restarts. You can disable this with new check-boxes. This behavior is important for Vista and Windows Server 2008 machines when User Account Control (UAC) is enabled. [Rob Nicholls] o Nmap and Nmap-WinPcap silent installation now works. Nmap can be silently installed with the /S option to the installer. If you install Nmap from the zip file, you can install just WinPcap silently with the /S option to that installer. [Rob Nicholls] o Our WinPcap installer is now included with the Nmap Win32 zip file. [Fyodor] o Numerous miscellaneous improvements were made to our Win32 installer, such as using the "Modern" NSIS UI for WinPcap, improving the option description labels, and showing a finish page in all cases. [Rob Nicholls] o The nmap-dev and nmap-hackers mailing list RSS feeds at seclists.org now include message excerpts to make it easier to identify interesting messages and speed the process of reading through the list. Feeds for all other mailing lists archived at SecLists.Org have been similarly augmented. For details, see http://seclists.org/nmap-dev/2008/q2/0333.html . [David] o A new "default" Nmap Scripting Engine category was added.
Only scripts in this category now run by default (except for "version" scripts which run when version detection was requested). Previously, any scripts in the "safe" or "intrusive" categories were run. 21 scripts are now in this default category. [Kris] o The NSE HTTP library now uses the host name specified on the command line when making requests, which improves script scanning against web servers with virtual hosts. Thanks to Sven Klemm for the patch. o Added some new and improved version detection signatures. [Brandon] o Fixed an OS detection bug that prevented the U1.RID test result from being recorded properly when scanning certain printers from little-endian computers. Updated nmap-os-db to compensate for signatures that had an incorrect U1.RID value. [Michael] o Updated to include the latest MAC Address prefixes from the IEEE in nmap-mac-prefixes [Fyodor] o Updated the SMTPcommands NSE script to work better against Postfix and reduce verbosity. [Jason DePriest, Fyodor] o Reorganized the way ping probes are handled internally. Rather than being stored in the NmapOps structure, they are now stored within the individual scan_lists structures. This is a cleaner organization. [Michael] o Fix grepable output's "Ignored State" reporting. Only one ignored state (the one with the highest number of ports) is shown. [David] o Update to Lua version 5.1.3 [Patrick] o Add NSE stdnse library to include tobinary, tooctal, and tohex functions. [Patrick] o Fixed a bug which caused the Zenmap crash reporter to, uh, crash. [David] o NSE engine was cleaned up significantly. nse_auxiliar was removed, and file system manipulation functions were moved from nse_init.cc into a new nse_fs.cc file. Numerous interfaces between Nmap and Lua were improved. Most of these functions are now callable directly by Lua. [Patrick] o Fixed a bug in the showOwner NSE script which caused it to try UDP ports instead of just TCP ports.
This made it very slow in the common case where there are many UDP ports in the open|filtered state. Thanks to Jason DePriest for reporting the problem and Jah for tracking it down and fixing it. o Nbase now generates pseudo-random numbers itself rather than using /dev/urandom on Linux and the terrible rand() function on Windows. The new system uses ARC4 based on libdnet's implementation. [Brandon] o Made a number of updates and improvements to the Zenmap Users' Guide at http://nmap.org/book/zenmap.html . [David] o Fixed the way Zenmap handles command-line entry to prevent your custom command line from being overwritten with the current profile's command just because you edited the target field. [Jurand] o Nsock was improved to better support reading from non-network descriptors such as stdin. This is important for the upcoming Ncat project Mixter is working on. [Mixter] o A bug was fixed that could cause Zenmap to crash when loading a results file that had multibyte characters in it. The error looked like: Gtk-ERROR **: file gtktextsegment.c: line 196 (_gtk_char_segment_new): assertion failed: (gtk_text_byte_begins_utf8_char (text)) [David] o Removed a superfluous test for the existence of the C++ compiler in the configure script. The test was not robust when configured with CXX="ccache g++". Thanks to Rainer Müller for the report. o Optimized cached DNS lookups so they are equally efficient when running on big-endian or little-endian systems. [Michael] o Fixed the nmap_command_path Zenmap configuration variable so that it is actually used to start the specified Nmap executable path. [Jurand Nogiec] o Nmap now reports scan start and end times for individual hosts within a larger scan. The information is added to the XML host element like so: [host starttime="1198292349" endtime="1198292370"] (but of course with angle brackets rather than square ones). It is also printed in normal output if -d or "-v -v" are specified.
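For readers who have not seen what "uses ARC4" means in a PRNG, here is an added example, not nbase or libdnet code, of the ARC4 key schedule and keystream generator with a known-answer check against the classic "Key"/"Plaintext" vector. The 16-byte seed in the determinism check is constructed; a real generator must seed from the OS (e.g. /dev/urandom or CryptGenRandom). How nbase seeds or whether it discards early output is not stated on this page and is not assumed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ARC4 state: the 256-byte permutation plus the two PRGA indices. */
typedef struct {
    uint8_t s[256];
    uint8_t i, j;
} arc4_ctx;

/* Key-scheduling algorithm: permute S under the key bytes (the key repeats
 * if it is shorter than 256 bytes). */
void arc4_init(arc4_ctx *ctx, const uint8_t *key, size_t keylen)
{
    uint8_t j = 0;

    for (int k = 0; k < 256; k++)
        ctx->s[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {
        uint8_t t;
        j = (uint8_t)(j + ctx->s[k] + key[k % keylen]);
        t = ctx->s[k]; ctx->s[k] = ctx->s[j]; ctx->s[j] = t;
    }
    ctx->i = ctx->j = 0;
}

/* Pseudo-random generation algorithm: one keystream byte per call. */
uint8_t arc4_next(arc4_ctx *ctx)
{
    uint8_t t;

    ctx->i = (uint8_t)(ctx->i + 1);
    ctx->j = (uint8_t)(ctx->j + ctx->s[ctx->i]);
    t = ctx->s[ctx->i]; ctx->s[ctx->i] = ctx->s[ctx->j]; ctx->s[ctx->j] = t;
    return ctx->s[(uint8_t)(ctx->s[ctx->i] + ctx->s[ctx->j])];
}

/* Draw a 32-bit value, the shape a scanner needs for IP IDs, TCP sequence
 * numbers and source ports. */
uint32_t arc4_u32(arc4_ctx *ctx)
{
    uint32_t v = 0;
    for (int k = 0; k < 4; k++)
        v = (v << 8) | arc4_next(ctx);
    return v;
}

/* Known-answer check: keystream for key "Key" XORed onto "Plaintext" must
 * give BB F3 16 E8 D9 40 AF 0A D3. */
int arc4_known_answer_ok(void)
{
    static const char key[] = "Key";
    static const char pt[] = "Plaintext";
    static const uint8_t expect[9] = { 0xBB, 0xF3, 0x16, 0xE8, 0xD9,
                                       0x40, 0xAF, 0x0A, 0xD3 };
    uint8_t ct[9];
    arc4_ctx c;

    arc4_init(&c, (const uint8_t *)key, strlen(key));
    for (int k = 0; k < 9; k++)
        ct[k] = (uint8_t)pt[k] ^ arc4_next(&c);
    return memcmp(ct, expect, sizeof ct) == 0;
}

/* Two generators keyed with the same seed produce the same stream. The seed
 * here is constructed for the example; never use a fixed seed in production. */
int arc4_is_deterministic(void)
{
    static const uint8_t seed[16] = { 0x13, 0x37, 0xc0, 0xde, 0x00, 0x11, 0x22, 0x33,
                                      0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb };
    arc4_ctx a, b;

    arc4_init(&a, seed, sizeof seed);
    arc4_init(&b, seed, sizeof seed);
    return arc4_u32(&a) == arc4_u32(&b);
}

int main(void)
{
    arc4_ctx c;
    arc4_init(&c, (const uint8_t *)"Key", 3);
    printf("known answer ok: %d\n", arc4_known_answer_ok());
    printf("first keystream byte for \"Key\": 0x%02x\n", arc4_next(&c));
    return 0;
}
```

As used here the stream only has to be unpredictable enough to make packet fields (IP IDs, sequence numbers, source ports) hard for a target to guess. RC4's early keystream bytes are known to be biased and RC4 is long deprecated as a cipher, so this is not a design to copy for anything that needs confidentiality.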
[Brandon, Kris, Fyodor] o "make uninstall" now uninstalls Zenmap as well as Nmap. The uninstall_zenmap script now deletes directories that were installed. [David] o Fixed a bug which caused Nmap to send bad checksums on Solaris 10 x86. This was due to a workaround for an ancient Solaris 2.1 bug which activated when the OS string matched "solaris2.1*". The problem has now been resolved until Solaris 20 comes out and hits our "solaris2.2*" bug workarounds. Thanks to Nathan Bills for the problem report. Fixed by Fyodor. o Fixed a minor memory leak in getpts_simple which occurs when no ports are to be added to 'list'. 'porttbl' is now free'd regardless of how the function returns. [Michael] o Nmap now understands the RFC 4007 percent syntax for IPv6 Zone IDs. On Windows, this ID has to be a numeric index. On Linux and some other OS's, this ID can instead be an interface name. Some examples of this syntax: fe80::20f:b0ff:fec6:15af%2 fe80::20f:b0ff:fec6:15af%eth0 [Kris] o The Zenmap installer and uninstaller are more careful about escaping filenames and dealing with an installation root (DESTDIR). [David] o Since assert() calls are used for various security-related tests, their safety is now ensured by keeping NDEBUG undefined throughout Nmap, Nbase and Nsock. (assert() compiles to nothing when NDEBUG is defined, so a build with NDEBUG set would silently remove those checks.) [Kris] o Fix a couple of bugs in the way the Nmap build system checked for an existing LUA library. A bashism caused one test to fail on systems which don't use bash as /bin/sh, and another bug fixed the --with-liblua configure option for specifying your own liblua. [Daniel Roethlisberger] o The NSE nmap.registry.args table is now available, albeit empty, when --script-args isn't used. Now scripts don't need to check if it's nil before attempting to index it. [Kris] o Changed SSLv2-support.nse so that it only enumerates the list of available ciphers with a verbosity level of at least two or with debugging enabled. [Kris] o Replaced kibuvDetection.nse with version detection match lines which work better than the script.
[Kris, Brandon] o Removed mswindowsShell.nse as there is a version detection NULL probe match which does the same thing. [Brandon, Fyodor, Kris] o Updated IANA assignment IP list for random IP (-iR) generation. [Kris] Nmap 4.62 [2008-5-3] o Added a new --min-rate option that allows specifying a minimum rate at which to send packets. This allows you to override Nmap's congestion control algorithms and request that Nmap try to keep at least the rate you specify. The rate is given in packets per second. Read more in the Nmap man page (http://nmap.org/book/man-performance.html) [David] o Create /nmap/macosx directory in SVN with files necessary to build binary Mac OS X Nmap/Zenmap packages. We are trying to create binary installer packages which are as useful and easy to use as the Windows installer. This has involved a lot of work by David. We aren't quite yet distributing the results on the Nmap download page, but testing our beta versions is useful. You can find the latest universal (PPC and Intel) binary test version by looking at David Fifield's posts at http://seclists.org/nmap-dev/2008/q2/author.html. You can also read /nmap/macosx/README in svn for more info. o Nmap 2008 Summer of Code students have begun working (though full time doesn't start until late May). Learn about the winners and their projects at http://seclists.org/nmap-dev/2008/q2/0132.html . o Brandon added/modified a whole bunch of version detection signatures based on systems discovered when scanning UCSD's network. o Reformat Nmap COPYING file (e.g. remove C comment markers, reduce line length) during Nmap Windows build so that it looks much better when presented by the Windows executable (NSIS) installer. Thanks to Jah for the patch, which was modified slightly by Fyodor. o Added NSE Datafiles library which reads and parses Nmap's nmap-* data files for scripts. The functions (parse_protocols(), parse_rpc() and parse_services()) return tables with numbers (e.g. port numbers) indexing names (e.g.
service names). The rpcinfo.nse script was also updated to use this library. [Kris] o Fixed a bug in the nbase random number generator (and the way it interacted with Nmap and MS Windows) which caused duplicates in some instances. Thanks to Jah for reporting the problem and working with Brandon Enright, Fyodor and Kris to fix it. o It turns out that hours contain 60 minutes, not 24. Fixed a scan status message which was rolling over the hours column prematurely. [David] o Added scripting options to Zenmap profile editor and command wizard to make use of NSE. [David] o Zenmap now prints an exception message rather than segfaulting when it can't open a display (such as when trying to connect to an X server as an unauthorized user). Thanks to Aaron Leininger for the initial report and Guilherme Polo for suggesting the fix. o Now ports in the "unfiltered" state can be selected for attention by NSE scripts. [Kris] o Nbase random number generation system now avoids having a high bit of zero in every other byte on Windows due to Windows having such a low RAND_MAX. [Jah] o Added release dates for each Nmap version to this CHANGELOG going back to Nmap 3.00 (July 31, 2002). Dates are in MM/DD/YY format. If someone wants to track down dates for the last 22% of the file (pre-3.00), you are welcome to do so and send a patch. Searching Google for the version number and site:seclists.org seems to work well. [Fyodor] o Nmap RPM builds now use the versions of libdnet, libpcap, libpcre, and liblua included with Nmap rather than whatever happens to be installed on the build system. [David] o Zenmap can now be installed in and run in directories with a space in the name. [David] o Fixed an assertion failure ("Target.cc:396: void Target::stopTimeOutClock(const timeval*): Assertion 'htn.toclock_running == true' failed.") caused when a host had NSE scripts in multiple runlevels. This also fixes --host-timeout behavior in NSE.
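The RAND_MAX entry above describes a bias that is easy to reproduce. The following is an added example, not nbase code, of how it arises: the Windows CRT rand() returns at most 32767 (15 bits), so any code that stores both bytes of the return value as "16 random bits" leaves bit 7 of every odd-offset byte permanently zero. The 15-bit source below is a constructed fixed table standing in for rand(), and the one-byte-per-call fill is one way to avoid the bias, not necessarily the one nbase chose.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a rand() whose RAND_MAX is 32767 (15 bits), as on
 * the Windows CRT: a fixed table of outputs, each clamped to 15 bits so the
 * simulated source can never return a value with bit 15 set. */
static const uint16_t rand15_table[] = { 0x7FFF, 0x0180, 0x5A5A, 0x00FF, 0x7F80, 0x1234 };
static size_t rand15_pos;

void rand15_reset(void) { rand15_pos = 0; }

int rand15(void)
{
    size_t n = sizeof rand15_table / sizeof rand15_table[0];
    int v = rand15_table[rand15_pos % n];
    rand15_pos++;
    return v & 0x7FFF;
}

/* Buggy pattern: treat each return value as 16 random bits and store both
 * bytes. Because the value is below 2^15, the high byte of every pair has
 * bit 7 clear, so bit 7 of every odd-offset byte in the buffer is always 0. */
void fill_two_bytes_per_call(uint8_t *buf, size_t n, int (*src)(void))
{
    for (size_t k = 0; k < n; k += 2) {
        int v = src();
        buf[k] = (uint8_t)(v & 0xFF);
        if (k + 1 < n)
            buf[k + 1] = (uint8_t)((v >> 8) & 0xFF);
    }
}

/* One way to avoid the bias: take only the low 8 bits of each call, all of
 * which are genuinely variable. A 15-bit source yields at most 15 usable
 * bits per call anyway, so the extra calls cost little. */
void fill_one_byte_per_call(uint8_t *buf, size_t n, int (*src)(void))
{
    for (size_t k = 0; k < n; k++)
        buf[k] = (uint8_t)(src() & 0xFF);
}

/* Count odd-offset bytes with the top bit set. For unbiased output this is
 * about n/4; the buggy fill returns 0 no matter what the source produces. */
size_t count_odd_bytes_with_top_bit(const uint8_t *buf, size_t n)
{
    size_t c = 0;
    for (size_t k = 1; k < n; k += 2)
        if (buf[k] & 0x80)
            c++;
    return c;
}

int main(void)
{
    uint8_t buf[12];

    rand15_reset();
    fill_two_bytes_per_call(buf, sizeof buf, rand15);
    printf("two bytes per call: %zu odd bytes with top bit set\n",
           count_odd_bytes_with_top_bit(buf, sizeof buf));
    rand15_reset();
    fill_one_byte_per_call(buf, sizeof buf, rand15);
    printf("one byte per call:  %zu odd bytes with top bit set\n",
           count_odd_bytes_with_top_bit(buf, sizeof buf));
    return 0;
}
```

A stuck bit in every other byte of a value used as an IP ID, sequence number or source port halves the search space an observer has to cover and marks the traffic as coming from the buggy generator; any time random material is assembled from a libc PRNG, check RAND_MAX before assuming how many bits each call yields.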
[Kris] o Reduce the maximum number of socket descriptors which Nmap is allowed to open concurrently. This resolves a bug which could cause a "Too many open files" error on Mac OS X when not running as root. [David] o Canonicalized service names between nmap-service-probes (version detection DB) and nmap-services (port scanning DB). [Kris] o Removed the "class" attribute from the tcpsequence element in XML output. For a long time it had always been "unknown class" because Nmap doesn't calculate a class anymore. The XML output version has been increased from 1.01 to 1.02. [David] o Fixed a bug on Win32 which caused an infinite loop when Nmap encountered certain broadcast addresses. [Dudi Itzhakov] o Fix MingW compilation by adding a signal.h include to main.cc. [Gisle Vanem] o Fix the test in our build system to determine if liblua is already available or not. For example, the test needed to link with -lm since some systems require that. [David]. o Added TIMEVAL_BEFORE and TIMEVAL_AFTER macros to test whether one timeval is earlier than another while avoiding possible integer overflows in the naive approach we were using previously. [David] o Adjusted a bunch of code to avoid compilation warning messages on some Linux machines. [Andrew J. Bennieston] o Fixed the NmapArpCache so that it actually works. Previously, Nmap was always falling back to the system ARP cache. Of course this raises the question of whether NmapArpCache is needed in the first place. [Daniel Roethlisberger] o Fix a Zenmap bug which could cause the error message "zenmapCore.NmapOptions.OptionNotFound: No option named '' found!" if you create a new profile without checking any options then try to edit it. [David] o Zenmap now shows a more helpful error message when there is an error in executing Nmap. [David] o Zenmap now creates the directory ~/.zenmap-etc to store automatically generated GTK+ and Pango files.
They used to go in the application bundle but that doesn't work on a read-only filesystem or disk image. This is what Wireshark does (~/.wireshark-etc), although the directory could be called anything. It doesn't have to persist across sessions. o Added a mechanism in Zenmap for including extra executable search paths on specific platforms, so we can include /usr/local/bin in PATH on Mac OS X by default and add the Nmap install directory on Windows. [David] o We now use --no-strip when building Zenmap Mac OS X packages to prevent many mysterious warnings which occur when the binary is stripped. [David] o When Zenmap invokes Nmap, it now copies the whole environment for the Nmap invocation rather than just providing $PATH. Windows may need this to do proper name resolution. [David] o Corrected uptime parsing and reporting in SNMPsysdesr.nse for an uptime of less than 46 hours. [Kris] o Modified the use of CXXFLAGS, CFLAGS, and CPPFLAGS in Nmap build system to work better when building Mac OS X universal binaries. [David] o Added many additional PCRE option flags to the list returned by the NSE pcre.flags() function. [Kris] o Changed the NSE function nmap.set_port_state() so that it checks to see if the requested port is already in the requested state. This prevents "Duplicate port" messages during the script scan and the inaccurate "script-set" state reason. [Kris] o Canonicalize NSE script license text--more than half did not even spell license correctly. They all still say that they are under Nmap's license, just with consistent capitalization and spelling, and now a link to Nmap legal page at http://nmap.org/man/man-legal.html. o Updated ripeQuery.nse to not print extraneous whitespace. [Kris] o Switched telnet brute force password cracking NSE (bruteTelnet.nse) to vulnerability category so it isn't executed by default. It can take too long to run. 
[Eddie] o NSE status messages now print host name and IP, rather than just the host name (which was blank when Nmap didn't know it). [Jah] o Allocate 128 characters for the idle scan ScanProgressMeter title. Previously it was 32 characters. The "idle scan against " and the \0 terminator take up 19 characters, leaving only 13, which isn't enough to represent all IP addresses, let alone host names. Bug reported by Stephan Fijneman, fixed by David. Nmap 4.60 [2008-3-15] o Nmap has moved. Everything at http://insecure.org/nmap/ can now be found at http://nmap.org . That should save your fingers from a little bit of typing. Even though transparent redirectors are in place for the old URLs, please update your links and bookmarks. And if you don't have a link to Nmap on your web site, now is a good time to add one :). o All of your OS detection fingerprints up until March 10, 2008 have now been integrated by David. The second generation database has grown from 1,085 fingerprints representing 421 operating systems/devices, to 1,304 fingerprints representing 478 systems. That is an increase of more than 20%. New fingerprints were added for Mac OS X Tiger, iPod Touch, the La Fonera WAP, FreeBSD 7.0, Linux 2.6.24, Windows 2008, Vista, OpenBSD 4.2, and of course hundreds of broadband routers, VoIP phones, printers, some crazy oscilloscope, etc. We get a ton of new fingerprint submissions, but not as many corrections. Please remember to visit http://nmap.org/submit/ if Nmap gives you bad results, whether they are completely wrong or just a slight mistake (like Nmap says Linux 2.6.20-2.6.23, but you're running 2.6.24). Of course you need to be certain you know exactly what is running on the target before you do this. o All of your service fingerprints and corrections submitted until January 14, 2008 have now been integrated by Doug. As usual, he has documented his adventures at http://hcsw.org/blog.pl/33 . 
More than a hundred signatures were added, growing the database to 4,645 signatures for 457 services. Corrections are welcome for service detection too -- visit http://nmap.org/submit/ if you get incorrect results. o Nmap now saves the target name (if any) specified on the command line, since this can differ from the reverse DNS results. It can be particularly important when doing HTTP tests against virtual hosts. The data can be accessed from target->TargetName() from Nmap proper and host.targetname from NSE scripts. The NSE HTTP library now uses this for the Host header. Thanks to Sven Klemm for adding this useful feature. o Added NSE HTTP library which allows scripts to easily fetch URLs with http.get_url() or create more complex requests with http.request(). There is also an http.get() function which takes components (hostname, port, and path) rather than a URL. The HTTPAuth, robots, and showHTMLTitle NSE scripts have been updated to use this library. Sven Klemm wrote all of this code. o Fixed an integer overflow in the DNS caching code that caused nmap to loop infinitely once it had started expunging older entries from the cache. Thanks to David Moore for the report, and Eddie Bell for the fix. o Fixed another integer overflow in the DNS caching code which caused infinite loops. [David] o Added IPv6 host support to the RPC scan. Attempting this before (via -sV) caused a segmentation fault. Thanks to Will Cladek for the report. [Kris] o Fixed an event handling bug in NSE that could cause execution of some in-progress scripts to be excessively delayed. [Marek] o A new NSE table library (tab.lua) allows scripts to deliver better formatted output. The Zone transfer script (zoneTrans.nse) has been updated to use this new facility. [Eddie] o Rewrote HTTPpasswd.nse to use Sven's excellent HTTP library and to do some much-needed cleaning up. [Kris] o Added a new MsSQL version detection probe and a bunch of match lines developed by Tom Sellers.
o Added a new service detection probe and signatures for the memcached service [Doug] o Added new service detection probes and signatures for the Beast Trojan and Firebird RDBMS. [Brandon Enright] o Fixed a crash in Zenmap which occurred when attempting to edit or create a new profile based on an existing one when there wasn't one selected. The error message was: 'NoneType' object has no attribute 'toolbar' Now a new Profile Editor is opened. Thanks to D1N (d1n@inbox.com) for the report. [Kris] o Fixed another crash in Zenmap which occurred when exiting the Profile Editor (while editing an existing profile) by clicking the "X", then going to edit the same profile again. The error message was: "No option named '' found!". Now the same window that appears when clicking Cancel comes up when clicking "X". Thanks to David for reporting this bug. [Kris] o Another Zenmap bug was fixed: ports consolidated into "extra ports" groups are now counted and shown in the "Host Details" tab. The closed, filtered and scanned port counts in this tab didn't contain this information before so they were usually very inaccurate. [Kris] o Another Zenmap bug was fixed: the --scan-delay and --max-scan-delay buttons ("amount of time between probes") under the Advanced tab in the Profile Editor were backwards. [Kris] o Added the UDP Scan (-sU) and IPProto Ping (-PO) to Zenmap's Profile Editor and Command Wizard. [Kris] o Reordered the UDP port selection for Traceroute: a closed port is now chosen before an open one. This is because an open UDP port is usually due to running version detection (-sV), so a Traceroute probe wouldn't elicit a response. [Kris] o Add Famtech Radmin remote control software probe and signatures to the Nmap version detection DB. [Tom Sellers, Fyodor] o Add "Connection: Close" header to requests from HTTP NSE scripts so that they finish faster. [Sven Klemm] o Update SSLv2-support NSE script to run against more services which are likely SSL. 
[Sven Klemm]
o A bunch of service name canonicalization was done in the Nmap version detection file by Brandon Enright (e.g. capitalizing D-Link and Netgear consistently).
o Upgraded the shipped LibPCRE from version 7.4 to 7.6. [Kris]
o Updated to latest (as of 3/15) autoconf config.sub/config.guess files from http://cvs.savannah.gnu.org/viewvc/config/?root=config. [Fyodor]
o We now escape newlines, carriage returns, and tabs (\n\r\t) in XML output. While those are allowed in XML attributes, they get normalized, which can make formatting the output difficult for applications which parse Nmap XML. [Joao Medeiros, David, Fyodor]
o The Zenmap man page is now installed on Unix when "make install" is run. This was supposed to work before, but didn't. [Kris]
o Fixed a man page bug related to our DocBook to Nroff translation software producing incorrect Nroff output. The man page no longer uses the ".nse" string which was being confused with the Nroff no-space mode command. [Fyodor]
o Fixed a bug in which some NSE error messages were improperly escaped so that a message including "c:\nmap" would end up with a newline between "c:" and "map".
o Updated IANA assignment IP list for random IP (-iR) generation. [Kris]
o The DocBook XML source code to the Nmap Scripting Engine docs (http://nmap.org/nse/) is now in SVN under docs/scripting.xml .

4.53 [2008-1-12]

o Improved Windows executable installer by making uninstall work better on systems which changed the default install path. The shortcut is also now deleted properly on Vista. [Rob Nicholls]
o Windows installer is now generated using NSIS 2.34 rather than 2.13. [Fyodor]
o Added UPnP-info NSE script by Thomas Buchanan. It gathers information from the UPnP service (UDP port 1900) which listens on many network devices such as routers, printers, and networked media players.
o Fixed a --traceroute bug (assertion failure crash) which occurred when the first hop of the first host in a tracegroup (reference trace) times out. Thanks to Sebastián García for the bug report and testing, and Eddie for the patch.
o Fix a problem which prevented proper port number matching in NSE scripts (port_or_service function) due to a variable shadowing bug. [Sven Klemm]
o Improved rpcinfo.nse to better sort and display available RPC services. [Sven Klemm]

4.52 [2008-1-1]

o Fixed Nmap WinPcap installer to use CurrentVersion registry key on Windows rather than VersionNumber to more reliably detect Vista machines. This should prevent the XP version of Packet.dll from being installed on Vista. [Rob Nicholls]
o The Nmap Scripting Engine (NSE) now supports run-time interaction and the Nmap --host-timeout option. [Doug]
o Added nmap.fetchfile() function for scripts so they can easily find Nmap's nmap-* data files (such as the OS/version detection DBs, port number mapping, etc.) [Kris]
o Updated rpcinfo.nse to use nmap.fetchfile() to read from nmap-rpc instead of having a huge table of RPC numbers. This reduced the script's size by nearly 75%. [Kris]
o Fixed multiple NSE scripts that weren't always properly closing their sockets. The error message was: "bad argument #1 to 'close' (nsock expected, got no value)" [Kris]
o Added a new version detection probe for the Trend Micro OfficeScan product line. [Tom Sellers, Doug]

4.51BETA [2007-12-21]

o David wrote a detailed Zenmap guide: http://nmap.org/book/zenmap.html
o Added rpcinfo.nse script, which contacts a listening RPC portmapper and reports the listening services and port information (like rpcinfo -p does). The script was written by Sven Klemm. Fyodor then enhanced the RPC number list with all of the entries from nmap-rpc.
o Added a new NSE script (MySQLinfo) which prints MySQL server information such as the protocol and version numbers, status, thread id, capabilities, and password salt. [Kris]
o Nmap's output options (-oA, -oX, etc.) now support strftime()-like conversions in the filename. %H, %M, %S, %m, %d, %y, and %Y are all the same as in strftime(). %T is the same as %H%M%S, %R is the same as %H%M, and %D is the same as %m%d%y. A % followed by any other character just yields that character (%% yields a %). This means that "-oX 'scan-%T-%D.xml'" uses an XML file in the form of "scan-144840-121307.xml". [Kris]
o Fixed WinPcap installer to install the right version of Packet.dll on Windows Vista. [Fyodor]
o Fixed our WinPcap installer so that it waits for a WinPcap uninstall (if needed) to complete before trying to install the new WinPcap. [Jah]
o Fix a bunch of warning/error messages which contained an extra newline. [Brandon Enright]
o Fixed an error when attempting to scan localhost as an unprivileged user on Windows (nmap --unprivileged localhost). The error was: "Skipping SYN Stealth Scan against localhost (127.0.0.1) because Windows does not support scanning your own machine (localhost) this way." Now connect scan is used instead of SYN scan. [David]
o Fixed a bug that prevented the --resume option from working on Windows. The error message was: ..\utils.cc(996): CreateFileMapping(), file 'testresume', length 103, mflags 000 00006: The parameter is incorrect.(87) [Fixed by David, reported by Rob Nicholls]
o Zenmap's new web page (http://nmap.org/zenmap/) is now shown in the Zenmap about dialogue.
o On Windows, paths beginning with \ are now considered absolute when used with the --script option. jah (jah(a)zadkiel.plus.com) suggested this. [David]
o Zenmap no longer double-spaces its output (by inadvertently duplicating newlines) when viewing scan results that were saved to a file. [Joao Medeiros]
o Upgraded the shipped LibPCRE from version 7.2 to 7.4. [Kris]
o Fixed Zenmap crash that occurred when selecting Help from the Compare Results window. [Kris]
o Updated robots.nse to prevent printing robots.txt comments. [Kris]
o Many version detection match lines were improved to match even when newlines appear in binary data returned by the service. [Fixed by Doug, suggested by Lionel Cons]

4.50 [2007-12-13]

o Bumped up the version number to the big 10th anniversary 4.50 release! See http://insecure.org/stf/Nmap-4.50-Release.html .

4.49RC7 [2007-12-10]

o A Zenmap crash was fixed. Scanning once, then scanning another target on the same scan tab caused an ImportError ("list index out of range") in zenmapGUI/ScanNotebook.py. Joao Medeiros reported the bug. [David]
o Updated a couple of version detection signatures due to problem reports by Lionel Cons. [Doug]

4.49RC6 [2007-12-8]

o NSE scripts can now be specified by absolute path to the --script option. This was supposed to work before, but didn't. [David]
o Insert a path separator in returned paths in init_scandir on Windows. Otherwise options such as "--scripts=scripts" (where scripts is a directory) were failing with error messages about being unable to access things like "C:\Nmap\scriptsanonFTP.nse" (should be "C:\Nmap\scripts\anonFTP.nse"). [David]
o Add some "local" declarations to xamppDefaultPass.nse to avoid errors like: "SCRIPT ENGINE: [string "Global Access"]:1: Attempted to change the global 'socket' ..." [David]
o NSE "shortports" function now by default matches ports in the "open|filtered" state as well as "open" ones. [Diman]
o Nsock msevent_new and msevent_delete calls fixed to handle NULL I/O descriptors. This should fix a reported bus error crash. [Diman]
o Prevent old bit.dll and pcre.dll files from being installed in nselib directory by Windows executable installer. Bit.dll is still installed in nselib-bin where it belongs. Thanks to Rob Nicholls for reporting the problem. [Fyodor]

4.49RC5 [2007-12-8]

o Don't install the orphaned and incomplete Zenmap HTML documentation. Instead point to the Nmap documentation site, which provides more comprehensive and up-to-date Nmap docs. We're rapidly improving the online Zenmap docs as well. Of course the Nmap and (new!) Zenmap man pages are still installed on Unix. [Fyodor]
o Fix mswin32/Makefile so that the new nselib-bin directory is properly included in the Nmap win32 zipfile distribution. Thanks to Rob Nicholls for reporting the problem. [Fyodor]
o Fix host reason reported when the target is found to be "down" due to no response. Nmap now reports "no-response" rather than "unknown-reason". [Kris]

4.49RC4 [2007-12-7]

o David did a huge OS fingerprint integration marathon, going through all of your submissions (more than 1600) since August 20. The 2nd generation database has grown more than 30% to 1,085 entries! Many of the existing fingerprints were improved as well. Notable new or greatly improved entries include the iPhone, iPod Touch, Mac OS X Leopard, FreeBSD 7.0, Linux 2.6.23, Nokia cell phones (E61, E65, E70, E90, N95), and OpenBSD 4.2. Of course there were all manner of new printers, cable/DSL routers, switches, enterprise routers, IP phones, cell phones and a heap of obscure equipment such as the BeaconMedaes medical gas alarm. Windows Vista fingerprints were also improved significantly. Please keep those OS fingerprint submissions and corrections coming!
o Doug integrated all of your version detection fingerprints and corrections since October 4. The DB now has an incredible 4,542 signatures for 449 service protocols. The service protocols with the most signatures are http (1,473), telnet (459), ftp (423), smtp (327), pop3 (188), http-proxy (111), ssh (104), imap (103), irc (46) and nntp (44).
o Included the netbios-smb-os-discovery.nse script which uses NetBIOS and SMB queries to guess OS version. This script was written by Judy Novak and contributed by Sourcefire.
o Canonicalized the interface type numbers used internally by libdnet. Also Libdnet now recognizes devices with type INTF_TYPE_IEEE80211 as Ethernet devices. This ought to make wireless network scanning work on Windows Vista. For more background see http://seclists.org/nmap-dev/2007/q4/0391.html. [David]
o Documented the "--script all" option in the man page and NSE article. This option executes all scripts in the NSE database regardless of category. [Fyodor]
o NSE scripts can now be specified by name without the .nse extension. So instead of using "--script bruteTelnet.nse,HTTPpasswd.nse,SQLInject.nse,robots.nse", you can just pass "--script bruteTelnet,HTTPpasswd,SQLInject,robots". [Kris]
o Removed some auto-generated files from the new nselib-bin directory as they could cause compatibility problems. Also updated mswin32/Makefile to reflect the new nselib-bin DLL location. [David]
o ripeQuery.nse was updated to avoid printing some useless information. [Kris]
o Compatibility with systems that have the pcre.h header file in its own pcre directory should now be fixed for real. [Fyodor]
o Enhanced the radmind service detection signature and added a deprecated radmind port to nmap-services. [Matt Selsky]
o Zenmap now gives better errors to stdout when it can't even pop up a dialog box (such as when PyGTK can't be loaded). [David]
o Fixed a Zenmap crash which occurred on Mac OS X and possibly other platforms. The error message said: "object of type 'ScanHostDetailsPage' has no len()". [David]
o Fixed a crash which occurred when an NSE script called set_port_version() at times that version scanning was not enabled. [Diman]
o Fixed the NSIS installer so that it does not include some excess files (mswin32/* and .svn). Thanks to Alan Jones for reporting the problem. [Fyodor]
o Renamed some Zenmap Python packages to allow Zenmap and Umit to be installed at the same time. [David]
o Updated nmap-mac-prefixes with the latest IEEE data. Also added back Cooperative Linux virtual NIC which was inadvertently removed in a previous release. [Fyodor]

4.23RC3 [2007-11-27]

o Zenmap now has a man page! It isn't very long yet, but covers the basics. Thanks to David for writing this.
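The entry above about escaping \n, \r and \t in XML output is a concrete instance of XML attribute-value normalization: a conforming parser replaces literal tab, newline and carriage-return characters inside an attribute value with spaces (after first folding CRLF to a single line end), so service banners or error strings carried in attributes come back altered unless those characters are written as character references. The following C program is an added example illustrating that, not Nmap's own output code; the function names are this example's own and the banner is a constructed sample. The test input "c:\nmap" is included to show that backslashes are not special in XML and pass through untouched, unlike in the NSE message-escaping bug also mentioned above.

```c
/* Added example (not Nmap's own code): escaping strings for XML attribute
 * values.  A conforming XML parser performs attribute-value normalization,
 * replacing literal \t, \n and \r in an attribute with spaces, so a banner
 * containing CRLF comes out of the parser altered unless the characters are
 * written as character references.  Function names are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns a malloc'd copy of s that is safe inside a double-quoted XML
 * attribute: &, <, >, " become entity references and \n, \r, \t become
 * numeric character references.  Backslashes are not special in XML and
 * pass through untouched.  The caller frees the result. */
char *xml_escape_attr(const char *s) {
    size_t n = strlen(s);
    char *out = malloc(n * 6 + 1);   /* worst case: every byte -> "&quot;" */
    char *p;
    const char *q;
    if (out == NULL)
        return NULL;
    p = out;
    for (q = s; *q != '\0'; q++) {
        const char *rep = NULL;
        switch (*q) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\n': rep = "&#xa;";  break;
        case '\r': rep = "&#xd;";  break;
        case '\t': rep = "&#x9;";  break;
        default:   break;
        }
        if (rep != NULL) {
            size_t len = strlen(rep);
            memcpy(p, rep, len);
            p += len;
        } else {
            *p++ = *q;
        }
    }
    *p = '\0';
    return out;
}

/* Models what a parser does to a *literal* (unescaped) attribute value:
 * CRLF and lone CR are first folded to one line end, then each tab,
 * newline or carriage return becomes a single space (XML 1.0, 2.11 and
 * 3.3.3).  Used here only to show what is lost when nothing is escaped. */
void xml_normalize_literal_attr(char *s) {
    char *r = s, *w = s;
    for (; *r != '\0'; r++) {
        if (*r == '\r') {
            if (r[1] == '\n')
                r++;                 /* \r\n counts as one line end */
            *w++ = ' ';
        } else if (*r == '\n' || *r == '\t') {
            *w++ = ' ';
        } else {
            *w++ = *r;
        }
    }
    *w = '\0';
}

/* Does escaping `in` yield exactly `expected`? */
int escape_matches(const char *in, const char *expected) {
    char *e = xml_escape_attr(in);
    int ok = (e != NULL && strcmp(e, expected) == 0);
    free(e);
    return ok;
}

/* Does parser-style normalization of the literal `in` yield `expected`? */
int normalized_matches(const char *in, const char *expected) {
    char buf[128];
    if (strlen(in) >= sizeof buf)
        return 0;
    strcpy(buf, in);
    xml_normalize_literal_attr(buf);
    return strcmp(buf, expected) == 0;
}

int main(void) {
    /* Constructed sample banner, the kind of data that ends up in a
       <service extrainfo="..."> attribute. */
    const char *banner = "220 ftp\r\nready \"now\" <tab>\there";
    char *escaped = xml_escape_attr(banner);
    char literal[64];

    strcpy(literal, banner);
    xml_normalize_literal_attr(literal);
    printf("escaped:    %s\n", escaped);
    printf("normalized: %s\n", literal);   /* CRLF and tab collapsed to spaces */
    free(escaped);
    return 0;
}
```

The normalization function is there only to make the loss visible: feed it the raw banner and the CRLF separating two lines becomes one space, which is exactly what a parser would hand an application reading unescaped Nmap XML.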
o A new NSE script, promiscuous.nse, scans devices on a local network looking for sniffers (devices running in promiscuous mode). This script is from Marek Majkowski and is the first to use the NSE pcap extension system (which he also wrote). The script is only in the discovery category for now so it does not run by default. Specify it by name for now. We may make it default after the upcoming stable release.
o Nmap can now handle IP aliases on Windows. A given device such as eth0 might have several IP addresses. Nmap will use the primary address, so you need to use -S if you want to specify a different one. [David]
o An exception (rather than luaL_argerror) is now thrown when an SSL connection is attempted but OpenSSL isn't available. [David]
o There is now an nmap.have_ssl NSE function so you can avoid doing NSE probes when SSL isn't available. [David]
o Zenmap gives clearer error messages when an import error occurs or Zenmap's dump files aren't found. [David]
o Zenmap now looks for its data files relative to the directory of the zenmap script to allow running from the build/svn directory. [David]
o NSE C modules are now installed into an nselib-bin directory. This was needed to make the dns-test-open-recursion and zoneTrans NSE scripts work properly, since they use the NSE bit library (bit.so). [Diman, Fyodor]
o Auxiliary autoconf scripts such as config.guess, config.sub, depcomp, install-sh, and ltmain.sh were deleted from Nmap subdirectories because configure is smart enough to use the ones from the parent directory. This decreases the Nmap source tarball and svn checkout sizes. [David]
o Nmap now compiles on systems which have the libPCRE include file in pcre/pcre.h rather than just pcre.h. Thanks to Lionel Cons for the report. [Fyodor]
o Nmap binary is now stripped again, but it now uses -x to avoid stripping dynamically loaded NSE functions on Mac OS X. [David]
o Normalized Zenmap's handling of results files specified on the command line. In some cases, Zenmap would ignore specified results files just because some unrelated options were used. [David]
o configure.ac now uses literal directory names rather than variable references in calls to AC_CONFIG_SUBDIRS. This removes an annoying warning message which has existed for years when you regenerate configure. [David]
o Fixed a configure.ac error which prevented you from specifying an alternative libnsock directory. [David]
o Check for Python in configure only if Zenmap is requested, and bail out if Zenmap is explicitly requested (--with-zenmap) and Python is not available. [David]
o Removed some unimplemented Zenmap command-line options and function calls. [David]

4.23RC2 [2007-11-18]

o Static code analysis company Coverity generously offered to scan the Nmap code base for flaws, and Kris volunteered to go through their report and fix the ones which were actual/possible problems rather than false positives. Their system proved quite useful, and about a dozen potential problems were fixed. For details, see Kris' 11/15/07 SVN commits.
o Improved the Zenmap RPM file so that it should work on either Python 2.4 or Python 2.5 machines. It should also work on any platform (x86, x86_64, etc.) [David]
o WinPcap updated from version 4.0.1 to the new 4.0.2 release. [David]
o Added PPTP version detection NSE script (PPTPversion.nse) from Thomas Buchanan. Nmap now ships with 38 NSE scripts.
o A number of Solaris compilation fixes were added. Hopefully it works for more Solaris users now. We also fixed an alignment issue which could cause a bus error on Solaris. [David]
o When an NSE script changes the state of a port (e.g. from open|filtered to open), the --reason flag is now changed to "script-set". Also, the port state reason is now available to NSE scripts through a "reason" element in the port-table. Thanks to Matthew Boyle for the patch.
o When version detection changes the state of a port, the reason field is now updated as well (to udp-response or tcp-response as applicable). Thanks to Thomas Buchanan for the patch.
o Reworded an error message after a woman reported that it was "highly offensive and sexist". She also noted that "times have changed and many women now use your software" and "a sexist remark like the one above should have no place in software." The message was: "TCP/IP fingerprinting (for OS scan) requires root privileges. Sorry, dude.". I checked svn blame to call out the insensitive, chauvinistic jerk who wrote that error message, but it was me :).
o We received a bug report through Debian entitled "Nmap is a clairvoyant" because when you run it with -v on September 1 1970, it reports "Happy -27th Birthday to Nmap, may it live to be 73!". We have decided that clairvoyance is a feature and ignored the report.
o We no longer strip the Nmap binary before installing it, as that was leading to a runtime error on Mac OS X: "lazy symbol binding failed: Symbol not found: _luaL_openlib". Unfortunately, the unstripped Nmap binary can be much larger (e.g. 4MB vs. 800KB) so we are working on a better fix which allows us to continue stripping the binary on other platforms.
o Zenmap configuration/customization files renamed from ~/.umit to ~/.zenmap and umit.conf to zenmap.conf, etc. [David]
o Fixed a Zenmap bug where if you try to edit a profile and then click cancel, that profile ends up deleted. [Luis A. Bastiao]
o The NSE shortport rules now allow for multiple matching states (e.g. open or open|filtered) to be specified. This silently failed before. [Eddie]
o Regenerate configure scripts with Autoconf 2.61 and update config.guess and config.sub files with the latest versions from http://cvs.savannah.gnu.org/viewvc/config/?root=config . [David]

4.23RC1 [2007-11-10]

o NmapFE is now gone. It had a good run as the default Nmap GUI for more than 8 years (since April 1999). But after two years of development, Zenmap is ready to take its place. Zenmap is portable and provides a much better interface to executing and (especially) viewing and analyzing Nmap results. David did the honors of removing NmapFE.
o We have lost another old friend as well: the 1st generation OS detection system. Nmap revolutionized OS detection when this was released in October 1998 and it served us well for more than 9 years as the database grew to 1,684 fingerprints. But the 2nd generation system incorporates everything we learned during all those years and has proven itself even more effective. I couldn't bear to kill this myself, so David did the dirty work.
o There is no longer any artificial limit on the number of ports or protocols that can be used for host discovery. Port lists for ping scan now use the same syntax as the -p option except that T:, U:, and P: are not allowed. This means that you can do
    nmap -PS1-1000 target
    nmap -PAhttp,https target
    nmap -PU'[-]' target
  [David]
o Zenmap is now available packaged in RPM format. Since Zenmap is written in Python, we no longer have to have separate x86 and x86_64 versions like we did with NmapFE (and like we still do with Nmap). [David]
o Fixed a crash (assertion failure) which could occur during ARP Ping scan. [Kris]
o Fixed Zenmap so that it can handle asterisks in the command line (e.g. "nmap 192.168.*.*" or "nmap -phttp* localhost"). [David]
o Change the Zenmap bug report dialogue to now give instructions for reporting issues to nmap-dev. [David]
o Modified higwidgets/higdialogs.py for compatibility with old versions of PyGTK. [David]
o Updated IANA assignment IP list for random IP (-iR) generation. [Kris]
o Fixed a number of spelling errors in the Reference Guide (man page). [Doug]

4.22SOC8 [2007-10-28]

o Removed the old massping() system, since the functionality has now been migrated into the existing ultra_scan() system (which is used for port scanning too). Thanks to David for doing the migration, which involved a lot of work and testing. The new system is frequently faster and more accurate than massping(), and some of the new algorithms benefit port scans too.
o Renamed Umit to Zenmap to reduce confusion between the version we ship with Nmap as the integrated GUI and the version maintained separately at umit.sourceforge.net. We are excited about Zenmap and expect to remove NmapFE in the near future.
o Integrated all of your Q3 service detection submissions! We have now surpassed 4500 signatures and are approaching 500 service protocols. Wow! Thanks to Doug for doing the integration. His notes on the crazy and interesting services discovered this quarter are at http://hcsw.org/blog.pl/31 .
o Added a new ping type: IPProto Ping. Use -PO (that is the letter O as in prOtOcOl, not a zero). This is similar to protocol scan (-sO) in that it sends IP headers with different protocols in the hope of eliciting a response from targets. The default is to send with protocols 1 (ICMP), 2 (IGMP), and 4 (IP-in-IP tunnel), but you can specify different protocol numbers on the command line the same way you specify TCP/UDP ports to -PS or -PU. To reduce confusion, we now recommend that -PN be used when you don't want pings done rather than using the old -P0 (zero). [Kris]
o The SMTPcommands.nse script was updated to support the HELP query in addition to EHLO. [Jason DePriest]
o Added --ttl support for connect() scans (-sT). [Kris]
o Combine the Zenmap setup scripts into one portable setup.py rather than having separate versions for Windows, Unix, and Mac OS X.
o Removed a bunch of unnecessary/incomplete code and data files from Zenmap. [David]
o In Nbase, switched from GNU's getopt() replacement functions to Ben Sittler's BSD-licensed (but GNU compatible) functions. [Kris]
o Include nmap.h in portreasons.h. This fixes a compilation problem reported on OpenBSD. [David]
o Change PCRE from an NSELib module back to statically linked code due to OpenBSD compilation problems. See http://seclists.org/nmap-dev/2007/q4/0085.html [David]
o Fix a problem with --reason printing the wrong host discovery reasons when ICMP destination unreachable packets arrived. [Kris]
o Nmap has better dependency tracking now such that it no longer builds the executable every time you type 'make'. This was causing problems where 'make; sudo make install' would create a root-owned nmap executable because it was rebuilt as part of 'make install'. [David]

4.22SOC7 [2007-10-11]

o Integrated all of your OS detection new fingerprint submissions and correction reports. The DB grew more than 18% to 825 fingerprints. Keep those submissions coming! [David]
o Made a number of significant improvements to host discovery algorithms for better performance and reliability. [David]
o Fixed a bug which prevented the first OS detection guess from being included in XML output. This only applies when no exact matches were found. Thanks to Martyn Tovey of Netcraft for reporting the problem and helping to track it down in the code.
o Improve the script scan scheduling system to prevent the system from running out of sockets by executing too many scripts concurrently during large scans. Thanks to Brandon Enright for finding the bug and Stoiko for fixing it.
o Added nmap.verbosity() and nmap.debugging() functions for scripts to determine the Nmap verbosity/debugging level. [Kris]
o Fixed a crash (assertion error) which occurred when the first hop of the first system (reference trace) times out. [Eddie]
o UMIT no longer rewrites a bunch of script files to replace variables such as VERSION and REVISION in the SVN working directory. [David, Adriano]
o UMIT icon loading code simplified and made platform independent. [David]
o Removed PIL dependency from UMIT package generation system. We now use GTK to put the version number in the splash screen. [Adriano]
o UMIT no longer crashes just because documentation files are missing. [Adriano]
o Removed unnecessary recent_scans.txt and target_list.txt files from UMIT. Some unnecessary copies of Nmap data files were removed as well. [David, Adriano]
o Updated the *.dmp preprocessed Nmap data files used by UMIT, and also updated the scripts used to create them. [David]
o WinPcap installer was updated so that on Windows Vista it uses a different Packet.dll and omits WanPacket.dll. [Eddie]
o Unix installation now places NSELib dynamic libraries in 'libexec' rather than 'share' directories, since they are architecture dependent. Thanks to Christoph J. Thompson for the patch.
o Fix bug related to users providing custom libpcre location to configure (reported by Daniel Johnson, fixed by Stoiko). A patch from Marek Majkowski which caps the number of sockets opened by NSE scripts was also applied.
o The UMIT version number is automatically updated to be the same as the Nmap version number rather than always being 0.9.4. [David]
o UMIT now sorts port numbers numerically rather than alphabetically. [Adriano]
o Three UMIT data files (options.xml, profile_editor.xml, and wizard.xml) are installed in the shared UMIT data directory (e.g. /usr/share/umit/misc) rather than in every user's ~/.umit directory. [David]
o Added HTTPtrace demo NSE script by Kris, who also updated his HTTPpasswd script.
o A bunch of capitalization/spelling canonicalization changes were made to Nmap output. For example: ftp to FTP and idlescan to idle scan.
o Made some improvements to the nmap.xsl stylesheet for converting Nmap XML results to HTML reports. It now does a better job at removing empty sections and headers. Thanks to Henrik Lund Kramshoej for the patch.
o Updated nmap-mac-prefixes with the latest IEEE data.
o Disabled auto-generation of libpcre/pcre_chartables.c because that was useless for our purposes and could also cause some version control related problems. [David]
o Updated IANA assignment IP list for random IP (-iR) generation. [Kris]

4.22SOC6 [2007-8-29]

o Included David's major massping migration project. The same underlying engine is now used for ping scanning as for port scanning. We hope this will lead to better performance and accuracy, as well as helping to de-bloat Nmap. Please test it out and report your results to nmap-dev! For more details, see http://seclists.org/nmap-dev/2007/q3/0277.html
o Fixed UMIT bug which occurred when installing to a non-standard directory (e.g. a home directory). This caused Python to not be able to find the necessary files. [Kris]
o Added an NSE script (HTTPpasswd.nse) for finding directory traversal problems and /etc/password files on web servers. [Kris]
o Fixed an error related to version scans against SSL services on UNIX. The error said "nsock_connect_ssl called - but nsock was built w/o SSL support. QUITTING". Thanks to Jason DePriest for tracking down the problem and David Fifield for fixing it.
o Removed win_dependencies cruft from UMIT directory. [Kris]
o Upgraded Libpcap from version 0.9.4 to 0.9.7. [Kris]
o Removed the effectively empty XML elements for traceroute hops which timed out. [Eddie]
o Fixed (I hope) a problem with running Nmap on Mac OS X machines with VMWare Fusion running. The error message started with: "getinterfaces: Failed to open ethernet interface (vmnet8). A possible cause on BSD operating systems is running out of BPF devices ...." For more details, see http://seclists.org/nmap-dev/2007/q3/0254.html.
o Check that --script arguments are reasonable when Nmap starts rather than potentially waiting for a bunch of port scanning to finish first. [Stoiko]
o Fixed (we hope) a UMIT problem which resulted in the error message: "NameError: global name 'S_IRUSR' is not defined". [Adriano]
o Removed an error message which used to appear when you quit UMIT on Windows. The message used to say "Errors occurred - See the logfile [filename] for details." [Adriano]
o Fix permissions on files installed by Umit so that it should work even if you do 'make install' from an account with a 077 umask.
o Add a feature to Umit that lets you search your unsaved scans. [Eddie]
o Added back a previously removed feature which allows you to specify 'rnd' as one of your decoys (-D option) to let Nmap choose a random IP. You can also use a format such as rnd:5 to generate five random decoys. [Kris]
o Reference guide (man page) updates to the NSE section, and some general cleanup.
o When Nmap finishes, it now says "Nmap done" rather than "Nmap run completed". No need to waste pixels on excess verbiage.

4.22SOC5 [2007-8-18]

o The Windows installer should actually install UMIT properly now.
o Remove umit.db from the installation process. Let Umit create a new one on its own when needed.
o Fixed the UMIT portion of the Windows installer build system to detect certain heinous errors (like not being able to find Python) and bail out. [Kris]
o Prevent scripts directory from containing .svn cruft when using the Win32 installer (thanks to David Fifield for the patch).

4.22SOC3 [2007-8-16]

o Umit is now included in the Nmap Windows executable installer. Please give it a try and let us know what you think! Kris put a lot of work into getting this set up.
o Added four new NSE scripts: HTTP proxy detection (Arturo 'Buanzo' Busleiman), DNS zone transfer attempt (Eddie), detecting SQL injection vulnerabilities on web sites (Eddie), and fetching and displaying portions of /robots.txt from web servers (Eddie).
o All of your 2nd Quarter 2007 Nmap version detection fingerprints were integrated by Doug. The DB now contains 4,347 signatures for 439 service protocols. Doug describes the highlights (craziest services found) in his integration report at http://hcsw.org/blog.pl/29 .
o NSE now supports raw IP packet sending and receiving thanks to a patch from Marek Majkowski. Diman handled testing and applied the patch.
o Nmap now has Snprintf() and Vsnprintf() as safer alternatives to the standard version. The problem is that the Windows version of these functions (_snprintf, _vsnprintf) doesn't properly terminate strings when it has to truncate them. These wrappers ensure that the string written is always truncated. Thanks to Kris for doing the work.
o Upgraded libpcre from version 6.7 to 7.2. [Kris]
o Merged various Umit bug fixes from SourceForge trunk: "missing import webbrowser on umit", "Missing markup in 'OS Class' on HostDetailsPage", "some command line options are now working (target, profile, verbose, open result file and run an nmap command)", "removing unused functions import from os.path", "verbosity works on command line"
o Eddie fixed several Umit bugs. Umit now sets the file save extension to .usr unless the user specifies something else. The details highlight regular expression was improved and an error message was added when no target was specified and -iR and -iL aren't used.
o reason.cc/reason.h renamed to portreasons.cc/.h because a reason.h in the Windows platform SDK was causing conflicts. [Kris]
o Fixed a bug in --iflist which would lead to crashes. Thanks to Michael Lawler for the report, and Eddie for the fix.
o Finished updating WinPcap to 4.01 (a few static libraries were missed). [Eddie]
o Added NSE support for buffered data reads. [Stoiko]
o Added new --script-args option for passing arguments to NSE scripts. [Stoiko]
o Performed a bunch of OS fingerprint text canonicalization thanks to reports of dozens of capitalization inconsistencies from Suicidal Bob.
o Fixed an assertion failure which could be experienced when script scan was requested without also requesting version scan. [Stoiko]
o Fixed an output bug on systems like Windows which return -1 when vsnprintf is passed a too-small buffer rather than returning the size needed. Thanks to jah (jah(a)zadkiel.plus.com) for the report.
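Two entries above describe the same memory-safety hazard from both sides: a pre-C99 snprintf (Microsoft's _snprintf/_vsnprintf) returns -1 on truncation and may fill the whole buffer without writing a terminator, while C99 vsnprintf always terminates and returns the length that would have been needed. Any later strlen() or string copy on an unterminated buffer reads past its end. The following C program is an added example of a wrapper that copes with both conventions; it is not Nmap's own Snprintf()/Vsnprintf() implementation, and the function names are this example's own.

```c
/* Added example (not Nmap's Snprintf()/Vsnprintf()): a snprintf wrapper that
 * guarantees NUL termination when the output is truncated.  Microsoft's
 * _snprintf/_vsnprintf return -1 and may fill the whole buffer without a
 * terminator when the result does not fit; C99 vsnprintf always terminates
 * and returns the length that would have been needed.  The wrapper copes
 * with both conventions and returns the number of characters stored.
 * Function names are this example's own. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

int safe_vsnprintf(char *buf, size_t size, const char *fmt, va_list ap) {
    int n;
    if (buf == NULL || size == 0)
        return 0;                       /* nothing can be stored */
    n = vsnprintf(buf, size, fmt, ap);
    if (n < 0 || (size_t)n >= size) {
        /* Truncated, or the pre-C99 -1 convention (also hit on encoding
           errors): terminate explicitly and report what fits. */
        buf[size - 1] = '\0';
        return (int)(size - 1);
    }
    return n;
}

int safe_snprintf(char *buf, size_t size, const char *fmt, ...) {
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = safe_vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Length of buf without relying on a terminator being present: stops at
 * size so that an unterminated buffer cannot run off the end. */
static size_t bounded_len(const char *buf, size_t size) {
    size_t i;
    for (i = 0; i < size && buf[i] != '\0'; i++)
        ;
    return i;
}

/* Formats a 10-character string into an 8-byte buffer that was poisoned
 * with non-NUL bytes; returns the stored length (7 on correct truncation,
 * 8 if the terminator had been lost). */
int truncated_length(void) {
    char buf[8];
    memset(buf, 'X', sizeof buf);
    safe_snprintf(buf, sizeof buf, "%s", "0123456789");
    return (int)bounded_len(buf, sizeof buf);
}

/* Same buffer, an input that fits: returns the formatted length (3). */
int fitting_length(void) {
    char buf[8];
    return safe_snprintf(buf, sizeof buf, "%s", "abc");
}

/* Return value of the wrapper in the truncating case (7, not 9 or -1). */
int truncated_return(void) {
    char buf[8];
    return safe_snprintf(buf, sizeof buf, "%d", 123456789);
}

int main(void) {
    char buf[8];
    int n = safe_snprintf(buf, sizeof buf, "port %d/%s", 65535, "tcp");
    printf("stored %d chars: \"%s\"\n", n, buf);   /* stored 7 chars: "port 65" */
    return 0;
}
```

The design choice worth noting is the return value: the wrapper reports characters actually stored rather than the C99 "would have needed" length, so callers cannot use it to size a second buffer, but they also cannot index past the end of the first one.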
o Added sys/types.h include to portreasons.h to help OpenBSD compilation. Thanks to Olivier Meyer for the patch.
o Many hard coded function names and instances of __FUNCTION__ were changed to __func__. [Kris]
o Configure scripts for Nmap, Nbase, and Nsock were optimized to remove redundant checks. This improves compilation time performance. [Eddie]
o Updated IANA assignment IP list for random IP (-iR) generation. [Kris]

4.22SOC2 [2007-7-11]

o NSE compilation fixes by Stoiko and Kris

4.22SOC1 [2007-7-8]

o The UMIT graphical Nmap frontend is now included (as an ALPHA TEST release) with the Nmap tarball distribution. It isn't yet in the RPMs or the Windows distributions. UMIT is written with Python/GTK and has many huge advantages over NmapFE. It installs from the Nmap source tarballs as part of the "make install" process unless you specify --without-umit to configure. Please give UMIT a try (the executable is named umit) and let us know the results! We hope to include UMIT in the Windows Nmap distributions soon.
o Added more Nmap Scripting Engine scripts, bringing the total to 31. The new ones are bruteTelnet (Eddie Bell), SMTPcommands (Jason DePriest), iax2Detect (Jason), nbstat (Brandon Enright), SNMPsysdescr (Thomas Buchanan), HTTPAuth (Thomas), finger (Eddie), ircServerInfo (Doug Hoyte), and MSSQLm (Thomas Buchanan).
o Added the --reason option which explains WHY Nmap assigned a port status. For example, a port could be listed as "filtered" because no response was received, or because an ICMP network unreachable message was received. [Eddie]
o Integrated all of your 2nd generation OS detection submissions, increasing the database size by 68% since 4.21ALPHA4 to 699 fingerprints. The 2nd generation database is now nearly half (42%) the size of the original. Please keep those submissions coming so that we can do another integration round before the SoC program ends on August 20! Thanks to David Fifield for doing most of the integration work!
o Integrated version detection submissions. The database has grown by more than 350 signatures since 4.21ALPHA4. Nmap now has 4,236 signatures for 432 service protocols. As usual, Doug Hoyte deserves credit for the integration marathon, which he describes at http://hcsw.org/blog.pl .
o Added the NSE library (NSELib) which is a library of useful functions (which can be implemented in LUA or as loadable C/C++ modules) for use by NSE scripts. We already have libraries for bit operations (bit), list operations (listop), URL fetching and manipulation (url), activation rules (shortport), and miscellaneous commonly useful functions (stdnse). Stoiko added the underlying functionality, though numerous people contributed to the library routines.
o Added --servicedb and --versiondb command-line options which allow you to specify a custom Nmap services (port to port number translation and port frequency) file or version detection database. [David Fifield]
o The build dependencies were dramatically reduced by removing unnecessary header includes and moving header includes from .h files to .cc as well as adding some forward declarations. This reduced the number of makefile.dep dependencies from 1469 to 605. This should make Nmap compilation faster and prevent some portability problems. [David Fifield]
o Upgraded from WinPcap 3.1 to WinPcap 4.01 and fixed a WinPcap installer error. [Eddie]
o In verbose mode, Nmap now reports where it obtains data files (such as nmap-services) from. [David Fifield]
o Canonicalized a bunch of OS classes, device types, etc. in the OS detection and version scanning databases so they are named consistently. [Doug]
o If we get an ICMP Protocol Unreachable from a host other than our target during a port scan, we set the state to 'filtered' rather than 'closed'. This is consistent with how port unreachable errors work for udp scan. [Kris]
o Relocated OSScan warning message (could not find 1 closed and 1 open port). Now output.cc prints the warning along with a target's OSScan results. [Eddie]
o Fixed a bug which caused port 0 to be improperly used for gen1 OS detection in some cases when your scan includes port 0 (it isn't included by default). Thanks to Sebastian Wolfgarten for the report and Kris Katterjohn for the fix.
o The --iflist table now provides WinPcap device names on Windows. [Eddie]
o The Nmap reference guide (man page) DocBook XML source is now in the SVN repository at svn://svn.insecure.org/nmap/docs/refguide.xml .
o NSE now has garbage collection so that if you forget to close a socket before exiting a script, it is closed for you. [Stoiko]
o The <portused> tag in XML output now provides the open TCP port used for OS detection as well as the closed TCP and UDP ports which were reported previously. [Kris]
o XML output now has a <times> tag for reporting final time information which was already printed in normal output in verbose mode (round trip time, rtt variance, timeout, etc.) [Kris]
o Changed the XML output format so that the <extrareasons> tag (part of Eddie's --reason patch) falls within the <extraports> tag. [Kris]
o Nmap now provides more concise OS fingerprints for submission thanks to better merging. [David Fifield]
o A number of changes were made to the Windows build system to handle version numbers, publisher field, add/remove program support, etc. [Eddie]
o The Nmap -A option now enables the traceroute option too. [Eddie]
o Improved how the Gen1 OS Detection system selects which UDP ports to send probes to. [Kris]
o Updated nmap-mac-prefixes to latest IEEE data as of 5/18/07. Also removed some high (greater than 0x80) characters from some company names because they were causing this error on Windows when Nmap is compiled in Debug mode: isctype.c Line 56: Expression: "(unsigned)(c + 1) <= 256". Thanks to Sina Bahram for the initial report and Thomas Buchanan for tracking down the problem.
o Added a SIP (IP phone) probe from Matt Selsky to nmap-service-probes. o Fixed a bug which prevented the NSE scripts directory from appearing in the Win32 .zip version of Nmap. o Fixed a bug in --traceroute output. It occurred when a traced host could be fully consolidated, but only the first hop number was outputted. [Kris] o The new "rnd" option to -D allows you to ask Nmap to generate random decoy IPs rather having to specify them all yourself. [Kris] o Fixed a Traceroute bug relating to scanning through the localhost interface on Windows (which previously caused a crash). Thanks to Alan Jones for the report and Eddie Bell for the fix. o Fixed a traceroute bug related to tracing between interfaces of a multi-homed host. Thanks to David Fifield for reporting the problem and Eddie Bell for the fix. o Service detection (-sV) and OS detection (-O) are now (rightfully) disabled when used with the IPProto Scan (-sO). Using the Service Scan like this led to premature exiting, and the OS Scan led to gross inaccuracies. [Kris] o Updated IANA assignment IP list for random IP (-iR) generation. [Kris] 4.21ALPHA4 [2007-3-20] o Performed another big OS detection run. The DB has grown almost 10% to 417 fingerprints. All submissions up to February 6 have been processed. Please keep them coming! o Fixed XML output so that the opening [os] tag is printed again. The line which prints this was somehow removed when NSE was integrated. Thanks to Joshua Abraham for reporting the problem. o Fixed a small bug in traceroute progress output which didn't properly indicate completion. [Kris] o Fixed a portability problem related to the new traceroute functionality so that it compiles on Mac OS X. Thanks to Christophe Thil for reporting the problem and sending the 1-line fix. o Updated nmap-mac-prefixes to include the latest MAC prefix (OUI) data from the IEEE as of March 20, 2007. 
4.21ALPHA3 [2007-3-16] o Just fixed a packaging problem with the 4.21ALPHA2 release (thanks to Alan Jones for reporting it). 4.21ALPHA2 [2007-3-15] o Performed a huge OS detection submission integration marathon. More than 500 submissions were processed, increasing the 2nd generation OS DB size 65% to 381 fingerprints. And many of the existing ones were improved. We still have a bit more than 500 submissions (sent after January 16) to process. Please keep those submissions coming! o Integrated all of your Q32006 service fingerprint submissions. The nmap-service-probe DB grew from 3,671 signatures representing 415 service protocols to 3,877 signatures representing 426 services. Big thanks to version detection czar Doug Hoyte for doing this. Notable changes are described at http://hcsw.org/blog.pl?a=20&b=20 . o Nmap now has traceroute support, thanks to an excellent patch by Eddie Bell. The new system uses Nmap data to determine which sort of packets are most likely to slip through the target network and produce useful results. The system is well optimized for speed and bandwidth efficiency, and the clever output system avoids repeating the same initial hops for each target system. Enable this functionality by specifying --traceroute. o Nmap now has a public Subversion (SVN) source code repository. See the announcement at http://seclists.org/nmap-dev/2006/q4/0253.html and then the updated usage instructions at http://seclists.org/nmap-dev/2006/q4/0281.html . o Fixed a major accuracy bug in gen1 OS detection (some debugging code was accidentally left in). Thanks to Richard van den Berg for finding the problem. o Changed the IP protocol scan so that it sends proper IGMP headers when scanning that protocol. This makes it much more likely that the host will respond, proving that it's "open". [Kris] o Improved the algorithm for classifying the TCP timestamp frequency for OS detection. 
The new algorithm is described at http://nmap.org/osdetect/osdetect-methods.html#osdetect-ts . o Fixed the way Nmap detects whether one of its data files (such as nmap-services) exists and has permissions which allow it to be read. o Added a bunch of nmap-services port listings from Stephanie Wen. o Update IANA assignment IP list for random IP (-iR) generation. Thanks to Kris Katterjohn for the patch. o Fix nmap.xsl (the transform for rendering Nmap XML results as HTML) to fix some bugs related to OS detection output. Thanks to Tom Sellers for the patch. o Fixed a bug which prevented the --without-liblua compilation option from working. Thanks to Kris Katterjohn for the patch. o Fixed a bug which caused nmap --iflist to crash (and might have caused crashes in other circumstances too). Thanks to Kris Katterjohn for the report and Diman Todorov for the fix. o Applied a bunch of code cleanup patches from Kris Katterjohn. o Some scan types were fixed when used against localhost. The UDP Scan doesn't find it's own port, the TCP Scan won't print a message (with -d) about an unexpected packet (for the same reason), and the IPProto Scan won't list every port as "open" when using --data-length >= 8. [Kris] o The IPProto Scan should be more accurate when scanning protocol 17 (UDP). ICMP Port Unreachables are now checked for, and UDP is listed as "open" if it receives one rather than "open|filtered" or "filtered". [Kris] o The --scanflags option now also accepts "ECE", "CWR", "ALL" and "NONE" as arguments. [Kris] o The --packet-trace option was added to NmapFE. The Ordered Ports (-r) option in now available to non-root users on NmapFE as well. [Kris] 4.21ALPHA1 [2006-12-10] o Integrated the Nmap Scripting Engine (NSE) into mainline Nmap. Diman Todorov and I have been working on this for more than six months, and we hope it will expand Nmap's capabilities in many cool ways. 
We're accepting (and writing) general purpose scripts to put into Nmap proper, and you can also write personal scripts to deal with issues specific to your environment. The system is documented at http://nmap.org/nse/ . o Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE (http://standards.ieee.org/regauth/oui/oui.txt) as of December 7. 4.20 [2006-12-7] o Integrated the latest OS fingerprint submissions. The 2nd generation DB size has grown to 231 fingerprints. Please keep them coming! New fingerprints include Mac OS X Server 10.5 pre-release, NetBSD 4.99.4, Windows NT, and much more. o Fixed a segmentation fault in the new OS detection system which was reported by Craig Humphrey and Sebastian Garcia. o Fixed a TCP sequence prediction difficulty indicator bug. The index is supposed to go from 0 ("trivial joke") to about 260 (OpenBSD). But some systems generated ISNs so insecurely that Nmap went berserk and reported a negative difficulty index. This generally only affects some printers, crappy cable modems, and Microsoft Windows (old versions). Thanks to Sebastian Garcia for helping me track down the problem. 4.20RC2 [2006-12-2] o Integrated all of your OS detection submissions since RC1. The DB has increased 13% to 214 fingerprints. Please keep them coming! New fingerprints include versions of z/OS, OpenBSD, Linux, AIX, FreeBSD, Cisco CatOS, IPSO firewall, and a slew of printers and misc. devices. We also got our first Windows 95 fingerprint, submitted anonymously of course :). o Fixed (I hope) the "getinterfaces: intf_loop() failed" error which was seen on Windows Vista. The problem was apparently in intf-win32.c of libdnet (need to define MIB_IF_TYPE_MAX to MAX_IF_TYPE rather than 32). Thanks to Dan Griffin (dan(a)jwsecure.com) for tracking this down! o Applied a couple minor bug fixes for IP options support and packet tracing. Thanks to Michal Luczaj (regenrecht(a)o2.pl) for reporting them. 
o Incorporated SLNP (Simple Library Network Protocol) version detection support. Thanks to Tibor Csogor (tibi(a)tiborius.net) for the patch. 4.20RC1 [2006-11-20] o Fixed (I hope) a bug related to Pcap capture on Mac OS X. Thanks to Christophe Thil for reporting the problem and to Kurt Grutzmacher and Diman Todorov for helping to track it down. o Integrated all of your OS detection submissions since ALPHA11. The DB has increased 27% to 189 signatures. Notable additions include the Apple Airport Express, Windows Vista RC1, OpenBSD 4.0, a Sony TiVo device, and tons of broadband routers, printers, switches, and Linux kernels. Keep those submissions coming! o Upgraded the included LibPCRE from version 6.4 to 6.7. Thanks to Jochen Voss (voss(a)seehuhn.de) for the suggestion (he found some bugs in 6.4) 4.20ALPHA11 [2006-11-2] o Integrated all of your OS detection submissions, bringing the database up to 149 fingerprints. This is an increase of 28% from ALPHA10. Notable additions include FreeBSD 6.1, a bunch of HP LaserJet printers, and HP-UX 11.11. We also got a bunch of more obscure submissions like Minix 3.1.2a and "Ember InSight Adapter for programming EM2XX-family embedded devices". Who doesn't have a few of those laying around? I'm hoping that all the obscure submissions mean that more of the mainstream systems are being detected out of the box! Please keep those submissions (obscure or otherwise) coming! 4.20ALPHA10 [2006-10-23] o Integrated tons of new OS fingerprints. The DB now contains 116 fingerprints, which is up 63% since the previous version. Please keep the submissions coming! 4.20ALPHA9 [2006-10-13] o Integrated the newly submitted OS fingerprints. The DB now contains 71 fingerprints, up 27% from 56 in ALPHA8. Please keep them coming! We still only have 4.2% as many fingerprints as the gen1 database. o Added the --open option, which causes Nmap to show only open ports. 
Ports in the states "open|closed" and "unfiltered" might be open, so those are shown unless the host has an overwhelming number of them. o Nmap gen2 OS detection used to always do 2 retries if it fails to find a match. Now it normally does just 1 retry, but does 4 retries if conditions are good enough to warrant fingerprint submission. This should speed things up on average. A new --max-os-tries option lets you specify a higher lower maximum number of tries. o Added --unprivileged option, which is the opposite of --privileged. It tells Nmap to treat the user as lacking network raw socket and sniffing privileges. This is useful for testing, debugging, or when the raw network functionality of your operating system is somehow broken. o Fixed a confusing error message which occurred when you specified a ping scan or list scan, but also specified -p (which is only used for port scans). Thanks to Thomas Buchanan for the patch. o Applied some small cleanup patches from Kris Katterjohn 4.20ALPHA8 [2006-9-30] o Integrated the newly submitted OS fingerprints. The DB now contains 56, up 33% from 42 in ALPHA7. Please keep them coming! We still only have 3.33% as many signatures as the gen1 database. o Nmap 2nd generation OS detection now has a more sophisticated mechanism for guessing a target OS when there is no exact match in the database (see http://nmap.org/osdetect/osdetect-guess.html ) o Rewrote mswin32/nmap.rc to remove cruft and hopefully reduce some MFC-related compilation problems we've seen. Thanks to KX (kxmail(a)gmail.com) for doing this. o NmapFE now uses a spin button for verbosity and debugging options so that you can specify whatever verbosity (-v) or debugging (-d) level you desire. The --randomize-hosts option was also added to NmapFE. Thanks to Kris Katterjohn for the patches. o A dozen or so small patches to Nmap and NmapFE by Kris Katterjohn. o Removed libpcap/Win32 and libpcap/msdos as Nmap doesn't use them. This reduces the Nmap tar.bz2 by about 50K. 
Thanks to Kris Katterjohn for the suggestion. 4.20ALPHA7 [2006-9-12] o Did a bunch of Nmap 2nd generation fingerprint integration work. Thanks to everyone who sent some in, though we still need a lot more. Also thanks to Zhao for a bunch of help with the integration tools. 4.20ALPHA6 had 12 fingerprints, this new version has 42. The old DB (still included) has 1,684. o Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE (http://standards.ieee.org/regauth/oui/oui.txt) as of September 6, 2006. Also added the unregistered PearPC virtual NIC prefix, as suggested by Robert Millan (rmh(a)aybabtu.com). o Applied some small internal cleanup patches by Kris Katterjohn. 4.20ALPHA6 [2006-9-2] o Fixed a bug in 2nd generation OS detection which would (usually) prevent fingerprints from being printed when systems don't respond to the 1st ICMP echo probe (the one with bogus code value of 9). Thanks to Brandon Enright for reporting and helping me debug the problem. o Fixed some problematic Nmap version detection signatures which could cause warning messages. Thanks to Brandon Enright for the initial patch. 4.20ALPHA5 [2006-8-31] o Worked with Zhao to improve the new OS detection system with better algorithms, probe changes, and bug fixes. We're now ready to start growing the new database! If Nmap gives you fingerprints, please submit them at the given URL. The DB is still extremely small. The new system is extensively documented at http://nmap.org/osdetect/ . o Nmap now supports IP options with the new --ip-options flag. You can specify any options in hex, or use "R" (record route), "T" (record timestamp), "U") (record route & timestamp), "S [route]" (strict source route), or "L [route]" (loose source route). Specify --packet-trace to display IP options of responses. For further information and examples, see http://nmap.org/man/ and http://seclists.org/nmap-dev/2006/q3/0052.html . Thanks to Marek Majkowski for writing and sending the patch. 
o Integrated all 2nd quarter service detection fingerprint submissions. Please keep them coming! We now have 3,671 signatures representing 415 protocols. Thanks to version detection czar Doug Hoyte for doing this. o Nmap now uses the (relatively) new libpcap pcap_get_selectable_fd API on systems which support it. This means that we no longer need to hack the included Pcap to better support Linux. So Nmap will now link with an existing system libpcap by default on that platform if one is detected. Thanks to Doug Hoyte for the patch. o Updated the included libpcap from 0.9.3 to 0.9.4. The changes I made are in libpcap/NMAP_MODIFICATIONS . By default, Nmap will now use the included libpcap unless version 0.9.4 or greater is already installed on the system. o Applied some nsock bugfixes from Diman Todorov. These don't affect the current version of Nmap, but are important for his Nmap Scripting Engine, which I hope to integrate into mainline Nmap in September. o Fixed a bug which would occasionally cause Nmap to crash with the message "log_vwrite: write buffer not large enough". I thought I conquered it in a previous release -- thanks to Doug Hoyte for finding a corner case which proved me wrong. o Fixed a bug in the rDNS system which prevented us from querying certain authoritative DNS servers which have recursion explicitly disabled. Thanks to Doug Hoyte for the patch. o --packet-trace now reports TCP options (thanks to Zhao Lei for the patch). Thanks to the --ip-options addition also found in this release, IP options are printed too. o Cleaned up Nmap DNS reporting to be a little more useful and concise. Thanks to Doug Hoyte for the patch. o Applied a bunch of small internal cleanup patches by Kris Katterjohn (katterjohn(a)gmail.com). o Fixed the 'distclean' make target to be more comprehensive. Thanks to Thomas Buchanan (Thomas.Buchanan(a)thecompassgrp.net) for the patch. 
Nmap 4.20ALPHA4 [2006-7-4] o Nmap now provides progress statistics in the XML output in verbose mode. Here are some examples of the format (etc is "estimated time until completion) and times are in UNIX time_t (seconds since 1970) format. Angle braces have been replaced by square braces: [taskbegin task="SYN Stealth Scan" time="1151384685" /] [taskprogress task="SYN Stealth Scan" time="1151384715" percent="13.85" remaining="187" etc="1151384902" /] [taskend task="SYN Stealth Scan" time="1151384776" /] [taskbegin task="Service scan" time="1151384776" /] [taskend task="Service scan" time="1151384788" /] Thanks to Adam Vartanian (flooey(a)gmail.com) for the patch. o Updated the Windows installer to give an option checkbox for performing the Nmap performance registry changes. The default is to do so. Thanks to Adam Vartanian (flooey(a)gmail.com) for the patch. o Applied several code cleanup patches from Marek Majkowski. o Added --release-memory option, which causes Nmap to release all accessible memory buffers before quitting (rather than let the OS do it). This is only useful for debugging memory leaks. o Fixed a bug related to bogus completion time estimates when you request an estimate (through runtime interaction) right when Nmap is starting a subsystem (such as a port scan or version detection). Thanks to Diman Todorov for reporting the problem and Doug Hoyte for writing a fix. o Nmap no longer gets random numbers from OpenSSL when it is available because that turned out to be slower than Nmap's other methods (e.g. /dev/urandom on Linux, /dev/arandom on OpenBSD, etc.). Thanks to Marek Majkowski for reporting the problem. o Updated the Windows binary distributions (self-installer and .zip) to include the new 2nd generation OS detection DB (nmap-os-db). Thanks to Sina Bahram for reporting the problem. o Fixed the --max-retries option, which wasn't being honored. Thanks to Jon Passki (jon.passki(a)hursk.com) for the patch. 
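The progress elements described in the 4.20ALPHA4 entry can be checked for internal consistency (etc should equal time plus remaining, and remaining should agree with the percent done). Added example, not Nmap's own code; the sample is the changelog's own five elements with the square braces turned back into angle brackets.

```python
"""Parse and sanity-check Nmap 4.20ALPHA4-style XML progress elements."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: the five elements quoted in the changelog entry,
# wrapped in a root element so they parse as one document.
SAMPLE_XML = """<nmaprun>
<taskbegin task="SYN Stealth Scan" time="1151384685" />
<taskprogress task="SYN Stealth Scan" time="1151384715" percent="13.85" remaining="187" etc="1151384902" />
<taskend task="SYN Stealth Scan" time="1151384776" />
<taskbegin task="Service scan" time="1151384776" />
<taskend task="Service scan" time="1151384788" />
</nmaprun>"""


def task_durations(xml_text):
    """Return {task name: seconds} from matching taskbegin/taskend pairs."""
    root = ET.fromstring(xml_text)
    begin = {}
    durations = {}
    for el in root:
        name = el.get("task")
        t = int(el.get("time"))
        if el.tag == "taskbegin":
            begin[name] = t
        elif el.tag == "taskend" and name in begin:
            durations[name] = t - begin.pop(name)
    return durations


def check_progress(xml_text):
    """For every taskprogress element return a tuple
    (task, elapsed_seconds, etc_consistent, projected_remaining).

    etc_consistent is True when etc == time + remaining.  projected_remaining
    is a linear projection from the percent done and the elapsed time since
    the task's taskbegin, which should land close to the reported remaining."""
    root = ET.fromstring(xml_text)
    begin = {}
    results = []
    for el in root:
        name = el.get("task")
        if el.tag == "taskbegin":
            begin[name] = int(el.get("time"))
        elif el.tag == "taskprogress":
            now = int(el.get("time"))
            remaining = int(el.get("remaining"))
            etc = int(el.get("etc"))
            percent = float(el.get("percent"))
            elapsed = now - begin[name]
            # If percent% took `elapsed` seconds, the rest takes
            # elapsed * (100 - percent) / percent seconds.
            projected = round(elapsed * (100.0 - percent) / percent)
            results.append((name, elapsed, etc == now + remaining, projected))
    return results


def etc_as_utc(etc):
    """Render a time_t etc value as an ISO 8601 UTC timestamp."""
    return datetime.fromtimestamp(etc, tz=timezone.utc).isoformat()


if __name__ == "__main__":
    print(task_durations(SAMPLE_XML))
    for row in check_progress(SAMPLE_XML):
        print(row, etc_as_utc(1151384902))
```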
Nmap 4.20ALPHA3 [2006-6-29]

o Added back Win32 support thanks to a patch by KX.
o Fixed the English translation of TCP sequence difficulty reported by Brandon Enright, and also removed fingerprint printing for 1st generation fingerprints (I don't really want to deal with those anymore). Thanks to Zhao Lei for writing this patch.
o Fixed a problem which caused OS detection to be done in some cases even if the user didn't request it. Thanks to Diman Todorov for the fix.

Nmap 4.20ALPHA2 [2006-6-24]

o Included nmap-os-db (the new OS detection DB) within the release. Oops! Thanks to Brandon Enright (bmenrigh(a)ucsd.edu) for catching this problem with 4.20ALPHA1.
o Added a fix for the crash in the new OS detection which would come with the message "Probe doesn't exist! Probe type: 1. Probe subid: 1".

Nmap 4.20ALPHA1 [2006-6-24]

o Integrated initial 2nd generation OS detection patch! The system is documented at http://nmap.org/osdetect/ . Thanks to Zhao Lei for helping with the coding and design.
o portlist.cc was refactored to remove some code duplication. Thanks to Diman Todorov for the patch.

Nmap 4.11 [2006-6-23]

o Added dozens of more detailed SSH version detection signatures, thanks to a huge SSH survey and integration effort by Doug Hoyte. The results of his large-scale SSH scan are posted at http://seclists.org/nmap-dev/2006/Apr-Jun/0393.html .
o Fixed the Nmap Makefile (actually Makefile.in) to correctly handle include file dependencies. So if a .h file is changed, all of the .cc files which depend on it will be recompiled. Thanks to Diman Todorov (diman(a)xover.mud.at) for the patch.
o Fixed a compilation problem on Solaris and possibly other platforms. The error message looked like "No rule to make target `inet_aton.o', needed by `libnbase.a'". Thanks to Matt Selsky (selsky(a)columbia.edu) for the patch.
o Applied a patch which helps with HP-UX compilation by linking in the nm library (-lnm). Thanks to Zakharov Mikhail (zmey20000(a)yahoo.com) for the patch.
o Added version detection probes for detecting the Nessus daemon. Thanks to Adam Vartanian (flooey(a)gmail.com) for sending the patch.

Nmap 4.10 [2006-6-12]

o Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE (http://standards.ieee.org/regauth/oui/oui.txt) as of May 31, 2006. Also added a couple of unregistered OUIs (for QEMU and Bochs) suggested by Robert Millan (rmh(a)aybabtu.com).
o Fixed a bug which could cause false "open" ports when doing a UDP scan of localhost. This usually only happened when you scan tens of thousands of ports (e.g. -p- option).
o Fixed a bug in service detection which could lead to a crash when "--version-intensity 0" was used with a UDP scan. Thanks to Makoto Shiotsuki (shio(a)st.rim.or.jp) for reporting the problem and Doug Hoyte for producing a patch.
o Made some AIX and HP-UX portability fixes to Libdnet and NmapFE. These were sent in by Peter O'Gorman (nmap-dev(a)mlists.thewrittenword.com).
o When you do a UDP+TCP scan, the TCP ports are now shown first (in numerical order), followed by the UDP ports (also in order). This contrasts with the old format which showed all ports together in numerical order, regardless of protocol. This was at first a "bug", but then I started thinking this behavior may be better. If you have a preference for one format or the other, please post your reasons to nmap-dev.
o Changed mass_dns system to print a warning if it can't find any available DNS servers, but not quit like it used to. Thanks to Doug Hoyte for the patch.

Nmap 4.04BETA1 [2006-5-31]

o Integrated all of your submissions (about a thousand) from the first quarter of this year! Please keep 'em coming! The DB has increased from 3,153 signatures representing 381 protocols in 4.03 to 3,441 signatures representing 401 protocols. No other tool comes close! Many of the already existing match lines were improved too. Thanks to Version Detection Czar Doug Hoyte for doing this.
o Nmap now allows multiple ignored port states. If a 65K-port scan had 64K filtered ports, 1K closed ports, and a few dozen open ports, Nmap used to list the dozen open ones among a thousand lines of closed ports. Now Nmap will give reports like "Not shown: 64330 filtered ports, 1000 closed ports" or "All 2051 scanned ports on 192.168.0.69 are closed (1051) or filtered (1000)", and omit all of those ports from the table. Open ports are never ignored. XML output can now have multiple [extraports] directives (one for each ignored state). The number of ports in a single state before it is consolidated defaults to 26 or more, though that number increases as you add -v or -d options. With -d3 or higher, no ports will be consolidated. The XML output should probably be augmented to give the extraports directive 'ip', 'tcp', and 'udp' attributes which specify the corresponding port numbers in the given state in the same listing format as the nmaprun.scaninfo.services attribute, but that part hasn't yet been implemented. If you absolutely need the exact port numbers for each state in the XML, use -d3 for now.
o Nmap now ignores certain ICMP error message rate limiting (rather than slowing down to accommodate it) in cases such as SYN scan where an ICMP message and no response mean the same thing (port filtered). This is currently only done at timing level Aggressive (-T4) or higher, though we may make it the default if we don't hear problems with it. In addition, the --defeat-rst-ratelimit option has been added, which causes Nmap not to slow down to accommodate RST rate limits when encountered. For a SYN scan, this may cause closed ports to be labeled 'filtered' because Nmap refused to slow down enough to correspond to the rate limiting. Learn more about this new option at http://nmap.org/man/ . Thanks to Martin Macok (martin.macok(a)underground.cz) for writing the patch that these changes were based on.
o Moved my Nmap development environment to Visual C++ 2005 Express edition. In typical "MS Upgrade Treadmill" fashion, Visual Studio 2003 users will no longer be able to compile Nmap using the new solution files. The compilation, installation, and execution instructions at http://nmap.org/install/inst-windows.html have been upgraded.
o Automated my Windows build system so that I just have to type a single make command in the mswin32 directory. Thanks to Scott Worley (smw(a)pobox.com), Shane & Jenny Walters (yfisaqt(a)waltersinamerica.com), and Alex Prinsier (aphexer(a)mailhaven.com) for reading my appeal in the 4.03 CHANGELOG and assisting.
o Changed the PortList class to use much more efficient data structures and algorithms which take advantage of Nmap-specific behavior patterns. Thanks to Marek Majkowski (majek(a)forest.one.pl) for the patch.
o Fixed a bug which prevented certain TCP+UDP scan commands, such as "nmap -sSU -p1-65535 localhost" from scanning both TCP and UDP. Instead they gave the error message "WARNING: UDP scan was requested, but no udp ports were specified. Skipping this scan type". Thanks to Doug Hoyte for the patch.
o Nmap has traditionally required you to specify -T* timing options before any more granular options like --max-rtt-timeout, otherwise the general timing option would overwrite the value from your more specific request. This has now been fixed so that the more specific options always have precedence. Thanks to Doug Hoyte for this patch.
o Fixed a couple of possible memory leaks reported by Ted Kremenek (kremenek(a)cs.stanford.edu) from the Stanford University software static analysis lab ("Checker" project).
o Nmap now prints a warning when you specify a target name which resolves to multiple IP addresses. Nmap proceeds to scan only the first of those addresses (as it always has done). Thanks to Doug Hoyte for the patch. The warning looks like this: Warning: Hostname google.com resolves to 3 IPs. Using 66.102.7.99.
o Disallow --host-timeout values of less than 1500ms, and print a warning for values less than 15s.
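The port-state consolidation described in the "multiple ignored port states" entry of 4.04BETA1 above, as an added example (not Nmap's own code). The default threshold of 26 ports per state and the -d3 "never consolidate" rule come from the entry; how -v/-d raise the threshold is not stated there, so it is just a parameter, and the state/count attribute names on the extraports element are an assumption.

```python
"""Summarise scan results the way the 4.04BETA1 entry describes."""
from collections import Counter

DEFAULT_THRESHOLD = 26  # ports in one state before that state is hidden


def consolidate(ports, threshold=DEFAULT_THRESHOLD, debug_level=0):
    """ports: {port_number: state}.  Returns (hidden, shown): hidden is a
    list of (state, count) for states folded into the summary line, most
    common first; shown is the sorted list of (port, state) rows that stay
    in the port table.  Open ports are never hidden."""
    if debug_level >= 3:
        threshold = None  # -d3 or higher: show every port
    counts = Counter(ports.values())
    hidden_states = [
        state for state, n in counts.most_common()
        if state != "open" and threshold is not None and n >= threshold
    ]
    hidden = [(state, counts[state]) for state in hidden_states]
    shown = sorted((p, s) for p, s in ports.items() if s not in hidden_states)
    return hidden, shown


def summary_line(host, ports, threshold=DEFAULT_THRESHOLD, debug_level=0):
    """The one-line summary in the two shapes the changelog quotes, or None
    when nothing was consolidated."""
    hidden, shown = consolidate(ports, threshold, debug_level)
    if not hidden:
        return None
    if not shown:  # every scanned port was folded into the summary
        parts = " or ".join(f"{state} ({n})" for state, n in hidden)
        return f"All {len(ports)} scanned ports on {host} are {parts}"
    parts = ", ".join(f"{n} {state} ports" for state, n in hidden)
    return f"Not shown: {parts}"


def extraports_xml(ports, threshold=DEFAULT_THRESHOLD, debug_level=0):
    """One extraports element per ignored state (attribute names assumed)."""
    hidden, _ = consolidate(ports, threshold, debug_level)
    return [f'<extraports state="{s}" count="{n}"/>' for s, n in hidden]


def sample_all_hidden():
    """Constructed sample matching the changelog's 192.168.0.69 example:
    1051 closed ports followed by 1000 filtered ports, nothing open."""
    ports = {p: "closed" for p in range(1, 1052)}
    ports.update({p: "filtered" for p in range(1052, 2052)})
    return ports


def sample_mixed():
    """Constructed sample: 198 filtered, 30 closed and 2 open ports."""
    ports = {p: "filtered" for p in range(1, 201)}
    ports.update({p: "closed" for p in range(201, 231)})
    ports[22] = "open"
    ports[80] = "open"
    return ports


if __name__ == "__main__":
    print(summary_line("192.168.0.69", sample_all_hidden()))
    print(summary_line("10.0.0.1", sample_mixed()))
    print(summary_line("10.0.0.1", sample_mixed(), debug_level=3))
    print(extraports_xml(sample_mixed()))
```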
o Changed all instances of inet_aton() into calls to inet_pton() instead. This allowed us to remove inet_aton.c from nbase. Thanks to KX (kxmail(a)gmail.com) for the patch.
o When debugging (-d) is specified, Nmap now prints a report on the timing variables in use. Thanks to Doug Hoyte for the patch. The report looks like this:
  ---------- Timing report ----------
  hostgrou