Nmap v7.10 Released

Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for network inventory, managing service upgrade schedules, monitoring host or service uptime, and many other tasks. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping)

Changelog v7.10 and v7.01:

• [NSE] Added 12 NSE scripts from 7 authors, bringing the total up t527!They are all listed at https://nmap.org/nsedoc/, and the summaries arebelow (authors are listed in brackets):

— [GH#322] http-apache-server-status parses the server status page ofApache’s mod_status. [Eric Gershman]

— http-vuln-cve2013-6786 detects a XSS and URL redirection vulnerabilityin AllegrRomPager web server. Alsadded a fingerprint for detectingCVE-2014-4019 thttp-fingerprints.lua. [VlatkKosturjak]

— [GH#226] http-vuln-cve2014-3704 detects and exploits the “Drupalgeddon”pre-auth SQL Injection vulnerability in Drupal. [Mariusz Ziulek]

— imap-ntlm-infextracts hostname and sometimes OS version fromNTLM-auth-enabled IMAP services. [Justin Cacak]

— ipv6-multicast-mld-list discovers IPv6 multicast listeners with MLDprobes. The discovery is the same as targets-ipv6-multicast-mld, but thesubscribed addresses are decoded and listed.—[Alexandru Geana, DanielMiller]

— ms-sql-ntlm-infextracts OS version and sometimes hostname from MS SQLServer instances via the NTLM challenge message. [Justin Cacak]

— nntp-ntlm-infextracts hostname and sometimes OS version fromNTLM-auth-enabled NNTP services. [Justin Cacak]

— pop3-ntlm-infextracts hostname and sometimes OS version fromNTLM-auth-enabled POP3 services. [Justin Cacak]

— rusers retrieves information about logged-on users from the rusersd RPCservice. [Daniel Miller]
— [GH#333] shodan-api queries the Shodan API (https://www.shodan.io) andretrieves open port and service inffrom their Internet-wide scan data.[Glenn Wilkinson]

— smtp-ntlm-infextracts hostname and sometimes OS version fromNTLM-auth-enabled SMTP and submission services. [Justin Cacak]

— telnet-ntlm-infextracts hostname and sometimes OS version fromNTLM-auth-enabled Telnet services. [Justin Cacak]

• Integrated all of your IPv4 OS fingerprint submissions from October toJanuary (536 of them). Added 104 fingerprints, bringing the new total to5089. Additions include Linux 4.2, more Windows 10, IBM i 7, and more.Highlights: http://seclists.org/nmap-dev/2016/q1/270 [Daniel Miller]
• Integrated all of your service/version detection fingerprints submittedfrom October tJanuary (508 of them). The signature count went up 2.2% to10532. We now detect 1108 protocols, from icy, finger, and rtsp tipfs,basestation, and minecraft-pe. Highlights:http://seclists.org/nmap-dev/2016/q1/271 [Daniel Miller]
• Integrated all 12 of your IPv6 OS fingerprint submissions from October toJanuary. The classifier added 3 new groups, including new and expandedgroups for OS X, bringing the new total t96. Highlights:http://seclists.org/nmap-dev/2016/q1/273 [Daniel Miller]
• [NSE] Upgrade thttp-form-brute allowing correct handling of token-basedCSRF protections and cookies. Also, a simple database of common login formssupports Django, WordPress, MediaWiki, Joomla, and others. [Daniel Miller]
• [Zenmap] [GH#247] Remember window geometry (position and size) from theprevious time Zenmap was run. [isjing]
• New service probe for CORBA GIOP (General Inter-ORB Protocol) detectionshould elicit a not-found exception from GIOP services that dnot respondtnon-GIOP probes. [Quentin Hardy]
• [GH#284] Fix retrieval of route netmasks on FreeBSD. IPv6 routes weregiven /32 netmasks regardless of actual netmask configured, resulting infailed routing. Reported by Martin Gysi. [Daniel Miller]
• [GH#272][GH#269] Give option parsing errors after the usage statement, oravoid printing the usage statement in some cases. The options summary hasgrown quite large, requiring users tscroll tthe top tsee the errormessage. [Abhishek Singh]
• [GH#249][Nsock] Avoid a crash on Windows reported by users using Zenmap’sSlow Comprehensive Scan profile.—In the case of unknown OpenSSL errors,ERR_reason_error_string would return NULL, which could not be printed withthe “%s” format string. Reported by Dan Baxter. [Gisle Vanem, Daniel Miller]
• [GH#293][Zenmap] Fix a regression in our build that caused copy-and-pastetnot work in Zenmap on Windows.
• Changed Nmap’s idea of reserved and private IP addresses tinclude169.254/16 (RFC3927) and remove 6/8, 7/8, and 55/8 networks. This list, inlibnetutil’s isipprivate function, is used tfilter -iR randomly generatedtargets. The newly-valid address ranges belong tthe U.S. Department ofDefense, susers wanting tavoid those ranges should use their ownexclusion lists with –exclude or –exclude-file.—[Bill Parker, DanielMiller]
• Allow the -4 option for Nmap tindicate IPv4 address family. This is thedefault, and using the option doesn’t change anything, but does make itmore explicit which address family you want tscan. Using -4 with -6 is anerror. [Daniel Miller]
• [GH#265] When provided a verbosity of 0 (-v0), Nmap will not output anytext tthe screen. This happens at the time of argument parsing, stheusual meaning of “verbosity 0” is preserved. [isjing]
• [NSE][GH#314] Fix naming of SSL2_RC2_128_CBC_WITH_MD5
• andSSL2_RC2_128_CBC_EXPORT40_WITH_MD5 ciphers in sslv2 in order tmatchthedraft specification from Mozilla. [Bertrand Bonnefoy-Claudet]
• [NSE][GH#320] Add STARTTLS support tsslv2 tenable SSLv2 detectionagainst services that are not TLS encrypted by default but that supportpost connection upgrade. This will enable more
• comprehensive detection ofSSLv2 and DROWN (CVE-2016-0800) attack oracles. [Tom Sellers]
• [NSE][GH#301] Added default credential checks for RICOH Web Image Monitorand BeEF thttp-default-accounts. [nnposter]
• Properly display Next-hop MTU value from ICMP Type 3 Code 4 FragmentationRequired messages when tracing packets or in Nping output. Improper offsetmeant we were printing the total IP length. [Sławomir Demeszko]
• [NSE] Added support for DHCP options “TFTP server name” and “Bootfilename” tdhcp.lua and enabled checking for options with a code above 61 bydefault. [Mike Rykowski]
• [NSE] whois-ip: Don’t request a remote IANA assignments data file whenthe local filesystem will not permit the file tcached in a local file.[jah]
• [NSE] Updated http-php-version hash database tcover all versions fromPHP 4.1.0 tPHP 5.4.45. Based on scans of a few thousand PHP web serverspulled from Shodan API (https://www.shodan.io/) [Daniel Miller]
• Use the same ScanProgressMeter for FTP bounce scan (-b) as for the otherscan types, allowing periodic status updates with –stats-every or keypressevents.—[Daniel Miller]
• [GH#274] Use a shorter pcap_select timeout on OpenBSD, just as we dforOS X, old FreeBSD, and Solaris, which use BPF for packet capture and dnothave properly select-able fds. Fix by OpenBSD port maintainer [DavidCarlier]
• Print service infin grepable output for ports which are not listed innmap-services when a service tunnel (SSL) is detected. Previously, theservice inf(“ssl|unknown”) was not printed unless the service inside thetunnel was positively identified. http://seclists.org/nmap-dev/2015/q4/260[Daniel Miller]
• [NSE] [GH#242] Fix multiple false-positive sources in http-backup-agent.[Tom Sellers]

Nmap 7.01 [2015-12-09]

• Switch tusing gtk-mac-bundler and jhbuild for building the OS Xinstaller. This promises treduce a lot of the problems we’ve had withlocal paths and dependencies using the py2app and macports build system.[Daniel Miller]
• The Windows installer is now built with NSIS 2.47 which featuresLoadLibrary security hardening tprevent DLL hijacking and other unsafeuse of temporary directories. Thanks tStefan Kanthak for reporting theissue tNSIS and tus and the many other projects that use it.
• Updated the OpenSSL shipped with our binary builds (Windows, OS X, andRPM) t1.0.2e.
• [Zenmap] [GH#235] Fix several failures tlaunch Zenmap on OS X. The newbuild process eliminates these errors:— IOError: [Errn2] Nsuch file or directory:’/Applications/Zenmap.app/Contents/Resources/etc/pango/pangorc.in’LSOpenURLsWithRole() failed for the application /Applications/Zenmap.appwith error -10810.
• [NSE] [GH#254] Update the TLSSessionRequest probe in ssl-enum-ciphers tomatch the one in nmap-service-probes, which was fixed previously tcorrecta length calculation error. [Daniel Miller]
• [NSE] [GH#251] Correct false positives and unexpected behavior in http-*scripts which used http.identify_404 tdetermine when a file was not foundon the target. The function was following redirects, which could be anindication of a soft-404 response. [Tom Sellers]
• [NSE] [GH#241] Fix a false-positive in hnap-infwhen the target respondswith 200 OK tany request. [Tom Sellers]
• [NSE] [GH#244] Fix an error response in xmlrpc-methods when run against anon-HTTP service. The expected behavior is noutput. [Niklaus Schiess]
• [NSE] Fix SSN validation function in http-grep, reported by Bruce Barnett.

[button size=medium style=round color=red align=none url=https://nmap.org/download.html ]Download Nmap v7.10[/button]