# Nmap Changelog ($Id: CHANGELOG 11439 2008-12-19 21:51:53Z david $); -*-text-*-
o A problem that caused OS detection to fail for most hosts in a
certain was fixed. It happened when sending raw Ethernet frames
(by default on Windows or on other platforms with --send-eth) to
hosts on a switched LAN. The destination MAC address was wrong for
most targets. The symptom was that only one out of each scan group
of 20 or 30 hosts would have a meaningful OS fingerprint. Thanks go
to Michael Head for running tests and especially Trent Snyder for
testing and finding the cause of the problem. [David]
o Fixed a division by zero error in the packet rate measuring code
that could cause a display of infinity packets per seconds near the
start of a scan. [Jah]
o Complete re-write of the marshalling logic for Microsoft RPC calls.
[Ron Bowes]
o Added vulnerability checks for MS08-067 as well as an unfixed
denial of service in the Windows 2000 registry service.
[Ron Bowes]
o Zenmap now runs ndiff to do its "Compare Results" function. This
completely replaces the old diff view. ndiff is now required to do
comparisons in Zenmap. [David]
o Fixed a bug in the IP validation code which would have let a specially
crafted reply sent from a host on the same LAN slip through and cause
Nmap to segfault. Thanks to ithilgore of sock-raw.homeunix.org for
the very detailed bug report. [Kris]
o [Zenmap] The crash reporter is more respectful of user privacy. It
shows all the information that will be submitted so you can edit it
to remove identifying information such as the name of your home
directory. If you provide an email address the report will be marked
private so it will not appear on the public bug tracker. [David]
o [Zenmap] Internationalization has been fixed [David]. Currently
there are two partial translations:
Brazilian Portuguese by Adriano Monteiro Marques
German by Chris Leick
o [NSE] host.os table is now properly a 1 based array (was 0). [Patrick]
o [Zenmap] Zenmap now parses and records XSL stylesheet information
from Nmap XML files, so files saved by Zenmap will be viewable in a
web browser just like those produced by Nmap. [David]
o A possible Lua stack overflow in dns.lua was fixed. [David]
o The NSE registry now persists across host groups. [David]
o Added a script that checks for ms08-067-vulnerable hosts
(smb-check-vulns.nse) using the smb nselib. [Ron Bowes]
o Added a Russian translation of the Nmap Reference Guide by Guz
Alexander. We now have translations in 15 languages available from
http://nmap.org/docs.html. More volunteer translaters are welcome,
as we are still missing some important languages (particularly
German!). Translation instructions are available from that docs.html
page.
o [Zenmap] Added a workaround for a crash
GtkWarning: could not open display
on Mac OS X 10.5. The problem is caused by setting the DISPLAY
environment variable in one of your shell startup files; that
shouldn't be done under 10.5 and removing it will make other
X11-using applications work better. Zenmap will now handle the
situation automatically. [David]
o http-auth.nse now properly checks for default authentication
credentials. A bug prevented it from working before. [Vlatko
Kosturjak]
o Renamed irc-zombie.nse to auth-spoof and improved its description
and output a bit. [Fyodor]
o Most script names were changed to make them more consistent.
[Fyodor, David]
o Removed ripeQuery.nse because we now have the much more robust
whois.nse which handles all the major registries. [Fyodor]
o Removed showSSHVersion.nse. Its only real claim to fame was the
ability to trick some SSH servers (including at least OpenSSH
4.3p2-9etch3) into not logging the connection. This trick doesn't
seem to work with newer versions of OpenSSH, as my
openssh-server-4.7p1-4.fc8 does log the connection. Without the
stealth advantage, the script has no real benefit over version
detection or the upcoming banner grabbing script. [Fyodor]
o NSE scripts that require a list of DNS servers (currently only
ASN.nse) now work when IPv6 scanning. Previously it gave an error
message: "Failed to send dns query. Response from dns.query(): 9".
[Jah, David]
o [Zenmap] Added a simple workaround for a bug in PyXML (an add-on
Python XML library) that caused a crash. The crash would happen when
loading an XML file and looked like "KeyError: 0". [David]
o Removed some unecessary "demo" category NSE scripts: echoTest,
chargenTest, showHTTPVersion, and showSMTPVersion.nse. Moved
daytimeTest from the "demo" category to "discovery". Removed
showHTMLTitle from the "demo" category, but it remains in the
"default" and "safe" categories. This leaves just showSSHVersion and
SMTP_openrelay in the undocumented "demo" category. [Fyodor]
o A crash caused by an incorrect test condition was fixed. It would
happen when running a ping scan other than a protocol ping, without
debugging enabled, if an ICMP packet was received referring to a
packet that was not TCP, UDP, or ICMP. Thanks to Brandon Enright and
Matt Castelein for reporting the problem. [David]
o [Zenmap] The keyboard shortcut for "Save to Directory" has been
changed from Ctrl+v to Ctrl+Alt+s so as not to conflict with the
usual paste shortcut [Jah, Michael].
o Nmap quits if you give a "backwards" port or protocol range like
-p 20-10. The issue was noted by Arturo "Buanzo" Busleiman. [David]
o Fixed a bug which caused Nmap to infer an improper distance against
some hosts when performaing OS detection against a group whose
distance varies between members. [David, Fyodor]
o Added a new NSE OpenSSL library with functions for multiprecision
integer arithmetics, hashing, HMAC, symmetric encryption and symmetric
decryption. [Sven]
o [Zenmap] Host information windows are now like any other windows,
and will not become unclosable by having their controls offscreen.
Thanks to Robert Mead for the bug report.
o showHTMLTitle.nse can now follow (non-standard) relative redirects,
and may do a DNS lookup to find if the redirected-to host has the
same IP address as the scanned host. [Jah]
o Enhanced the tohex() function in the NSE stdnse library to support strings
and added options to control the formatting. [Sven]
o The http NSE module tries to deal with non-standards-compliant HTTP
traffic, particularly responses in which the header fields are
separated by plain LF rather than CRLF. [Jah, Sven]
o [Zenmap] The help function now properly converts the pathname of the
local help file to a URL, for better compatibility with different
web browsers. [David]
This should fix the crash
WindowsError: [Error 2] The system cannot find the file specified:
'file://C:\\Program Files\\Nmap\\zenmap\\share\\zenmap\\docs\\help.html'
o The HTTP_open_proxy.nse script is updated to match Google Web
Server's changed header field: "Server: gws" instead of
"Server: GWS/". [Vlatko Kosturjak]
o Enhanced the ssh service detection signatures to properly
detect protocol version 2 services. [Matt Selsky]
o [Zenmap] Nmap output is automatically scrolled. [David]
o Reduced memory consumption for some longer running scans by removing
completed hosts from the lists after two minutes. These hosts are
kept around in case there is a late response, but this draws the
line on how long we wait and hence keep this information in memory.
See http://seclists.org/nmap-dev/2008/q3/0902.html for more. [Kris]
o XML output now contains the full path to nmap.xml on Windows. The
path is converted to a file:// URL to provide better compatibility
across browsers. [Jah]
o Zenmap no longer outputs XML elements and attributes that are not in
the Nmap XML DTD. This was done mostly by removing things from
Zenmap's output, and adding a few new optional things to the Nmap
DTD. A scan's profile name, host comments, and interactive text
output are what were added to nmap.dtd. The .usr filename extension
for saved Zenmap files is deprecated in favor of the .xml extension
commonly used with Nmap. Because of these changes the
xmloutputversion has been increased to 1.03. [David]
o Added the Ndiff utility, which compares the results of Nmap scans.
See ndiff/README and http://nmap.org/ndiff/ for more
information. [David]
o Fixed an integer overflow that could cause the scan delay to grow
large for no reason in some circumstances. [David]
o Enhanced the AS Numbers script (ASN.nse) to better consolidate
results and bail out if the DNS server doesn't support the ASN
queries. [Jah]
o Made DNS timeouts in NSE dependent on the timing template [Jah]
o Added three new nselib modules: msrpc, netbios, and smb. As the
names suggest, they contain common code for scripts using MSRPC,
NetBIOS, and SMB. These modules allow scripts to extract a great
deal of information from hosts running Windows, particularly Windows
2000. New or updated scripts using the modules are:
nbstat.nse: get NetBIOS names and MAC address.
smb-enumdomains.nse: enumerate domains and policies.
smb-enumsessions.nse: enumerate logins and SMB sessions.
smb-enumshares.nse: enumerate network shares.
smb-enumusers.nse: enumerate users and information about them.
smb-os-discovery.nse: get operating system over SMB (replaces
netbios-smb-os-discovery.nse).
smb-security-mode.nse: determine if a host uses user-level or
share-level security, and what other security features it
supports.
smb-serverstats.nse: grab statistics such as network traffic
counts.
smb-systeminfo.nse: get lots of information from the registry.
[Ron Bowes]
o A script could be executed twice if it was given with the --script
option, also in the "version" category, and version detection (-sV)
was requested. This has been fixed. [David]
o Fixed port number representation in some of Nmap's and all of Nsock's
output. Incorrect conversion modifiers were being used which caused
high ports to wrap around and be shown as negative values. [Kris]
o Upgraded the shipped libdnet to 1.12. [Kris]
o Upgraded the OpenSSL shipped for Windows to 0.9.8i. [Kris]
o The SSLv2-support NSE script no longer prints duplicate cyphers if
they exist in the server's supported cypher list. [Kris]
o Updated IANA assignment IP list for random IP (-iR)
generation. [Kris]
Nmap 4.76 [2008-9-12]
o There is a new "external" script category, for NSE scripts which
rely on a third-party network resource. Scripts that send data to
anywhere other than the target are placed in this category. Initial
members are ASN.nse, dns-safe-recursion-port.nse,
dns-safe-recursion-txid.nse, ripeQuery.nse, HTTP_open_proxy.nse, and
whois.nse [David]
o [Zenmap] A crash was fixed that affected Windows users with
non-ASCII characters in their user names. [David]
The error looked like this (with many variations):
UnicodeDecodeError: 'utf8' codec can't decode byte 0x9c in position 28:
unexpected code byte
o [Zenmap] Several corner-case crashes were fixed: [David]
File "radialnet\gui\NodeNotebook.pyo", line 429, in __create_widgets
KeyError: 'tcp'
File "radialnet\gui\RadialNet.pyo", line 1531, in __livens_up
AttributeError: 'NoneType' object has no attribute 'get_nodes'
File "zenmapGUI\MainWindow.pyo", line 308, in _create_ui_manager
GError: Odd character '\'
File "radialnet/gui/ControlWidget.py", line 104, in __create_widgets
AttributeError: 'module' object has no attribute 'STOCK_INFO'
File "radialnet\util\integration.pyo", line 385, in make_graph_from_hosts
KeyError: 'hops'
o [Zenmap] A crash was fixed that happened when opening the Hosts
Viewer with an empty list of hosts. [David]
The error message was
File "radialnet\gui\HostsViewer.pyo", line 167, in __cursor_callback
TypeError: GtkTreeModel.get_iter requires a tree path as its argument
o Improved rpcinfo.nse to correctly parse a wider variety of server
responses. [Sven Klemm]
o [Zenmap] Fixed a data encoding bug which could cause the crash
reporter itself to crash! [David]
o Nmap's Windows self-installer now correctly registers/deletes the
npf (WinPcap) service during install/uninstall. Also the silent
install mode was improved to avoid a case where the WinPcap
uninstaller was (non-silently) shown. [Rob Nicholls]
o Nmap's Windows self-installer now checks whether the MS Visual C++
runtime components have already been installed to avoid running it
again (which doesn't hurt anything, but slows down
installation). [Rob Nicholls]
o Fixed an assertion failure where raw TCP timing ping probes were
wrongly used during a TCP connect scan:
nmap: scan_engine.cc:2843: UltraProbe* sendIPScanProbe(UltraScanInfo*,
HostScanStats*, const probespec*, u8, u8):
Assertion `USI->scantype != CONNECT_SCAN' failed.
Thanks to LevelZero for the report. [David]
o Update the NSE bit library to replace deprecated use of
luaL_openlib() with luaL_register(). This fixes a build error which
occurred on systems which have Lua libraries installed but
LUA_COMPAT_OPENLIB not defined [Sven]
o [Zenmap] The automatic crash reporter no longer requires an email
address. [David]
o [Zenmap] Highlighting of hostnames was improved to avoid wrongful
highlighting of certain elapsed times, byte counts, and other
non-hostname data. The blue highlight effects are now more subtle
(no longer bold, underlined, or italic) [David]
o [Zenmap] A warning that would occur when a host had the same service
running on more than one port was removed. Thanks to Toralf Förster
for the bug report. [David]
GtkWarning: gtk_box_pack_start: assertion `child->parent == NULL' failed
self.pack_start(widget, expand=False, fill=False)
Nmap 4.75 [2008-9-7]
o [Zenmap] Added a new Scan Topology system. The idea is that if we
are going to call Nmap the "Network Mapper", it should at least be
able to draw you a map of the network! And that is what this new
system does. It was achieved by integrating the RadialNet Nmap
visualization tool (http://www.dca.ufrn.br/~joaomedeiros/radialnet),
into Zenmap. Joao Medeiros has been developing RadialNet for more
than a year. For details, complete with some of the most beautiful
Zenmap screen shots ever, visit
http://nmap.org/book/zenmap-topology.html. The integration work was
done by SoC student Vladimir Mitrovic and his mentor David Fifield.
o [Zenmap] Another exciting new Zenmap feature is Scan Aggregation.
This allows you to visualize and analyze the results of multiple
scans at once, as if they were from one Nmap execution. So you might
scan one network, analyze the results a bit, then scan some of the
machines more intensely or add a completely new subnet to the
scan. The new results are seamlessly added to the old, as described
at http://nmap.org/book/zenmap-scanning.html#aggregation. [David,
Vladimir]
o Expanded nmap-services to include information on how frequently each
port number is found open. The results were generated by scanning
tens of millions of IPs on the Internet this summer, and augmented
with internal network data contributed by some large
organizations. [Fyodor]
o Nmap now scans the most common 1,000 ports by default in either
protocol (UDP scan is still optional). This is a decrease from
1,715 TCP ports and 1,488 UDP ports in Nmap 4.68. So Nmap is faster
by default and, since the port selection is better thanks to the
port frequency data, it often finds more open ports as
well. [Fyodor]
o Nmap fast scan (-F) now scans the top 100 ports by default in either
protocol. This is a decrease from 1,276 (TCP) and 1,017 (UDP) in
Nmap 4.68. Port scanning time with -F is generally an order of
magnitude faster than before, making -F worthy of its "fast scan"
moniker. [Fyodor]
o The --top-ports option lets you specify the number of ports you wish
to scan in each protocol, and will pick the most popular ports for
you based on the new frequency data. For both TCP and UDP, the top
10 ports gets you roughly half of the open ports. The top 1,000
(out of 65,536 possible) finds roughly 93% of the open TCP ports and
more than 95% of the open UDP ports. [Fyodor, Doug Hoyte]
o David integrated all of your OS detection fingerprint and correction
submissions from March 11 until mid-July. In the process, we
reached the 1500-signature milestone for the 2nd generation OS
detection system. We can now detect the newest iPhones, Linux
2.6.25, OS X Darwin 9.2.2, Windows Vista SP1, and even the Nintendo
Wii. Nmap now has 1,503 signatures, vs. 1,320 in 4.68. Integration
is now faster and more pleasant thanks to the new OSassist
application developed by Nmap SoC student Michael Pattrick. See
http://seclists.org/nmap-dev/2008/q3/0089.html and
http://seclists.org/nmap-dev/2008/q3/0139.html for more details.
o Nmap now works with Windows 2000 again, after being broken by our
IPv6 support improvements in version 4.65. A couple new dependencies
are required to run on Win2K, as described at
http://nmap.org/book/inst-windows.html#inst-win2k .
o [Zenmap] Added a context-sensitive help system to the Profile
Editor. You can now mouse-over options to learn more about what
they are used for and their proper argument syntax. [Jurand Nogiec]
o When Nmap finds a probe during ping scan which elicits a response,
it now saves that information for the port scan and later phases.
It can then "ping" the host with that probe as necessary to collect
timing information even if the host is not responding to the normal
port scan packets. Previously, Nmap's port scan timing pings could
only use information gathered during that port scan itself. A
number of other "port scan ping" system improvements were made at
the same time to improve performance against firewalled hosts. For
full details, see http://seclists.org/nmap-dev/2008/q3/0647.html
[David, Michael, Fyodor]
o --traceroute now uses the timing ping probe saved from host
discovery and port scanning instead of finding its own probe. The
timing ping probe is always the best probe Nmap knows about for
eliciting a response from a target. This will have the most effect
on traceroute after a ping scan, where traceroute would sometimes
pick an ineffective probe and traceroute would fail even though the
target was up. [David]
o Added dns-safe-recursion-port and dns-safe-recursion-txid
(non-default NSE scripts) which use the 3rd party dns-oarc.net
lookup to test the source port and transaction ID randomness of
discovered DNS servers (assuming they allow recursion at all).
These scripts, which test for the "Kaminsky" DNS bugs, were
contributed by Brandon Enright.
o Added whois.nse, which queries the Regional Internet Registries
(RIRs) to determine who the target IP addresses are assigned
to. [Jah]
o [Zenmap] Overhauled the default list of scan profiles based on
nmap-dev discussion. Users now have a much more diverse and useful
set of default profile options. And if they don't like any of those
canned scan commands, they can easily create their own in the
Profile Editor! [David]
o Fyodor made a number of performance tweaks, such as:
o increase host group sizes in many cases, so Nmap will now commonly
scan 64 hosts at a time rather than 30
o align host groups with common network boundaries, such as /24 or
/25
o Increase maximum per-target port-scan ping frequency to one every
1.25 seconds rather than every five. Port scan pings happen
against heavily firewalled hosts and the like when Nmap is not
receiving enough responses to normal scan to properly calculate
timing variables and detect packet drops.
o Added a new NSE binlib library, which offers bin.pack() and
bin.unpack() functions for dealing with storing values in and
extracting them from binary strings. For details, see
http://nmap.org/book/nse-library.html#nse-binlib . [Philip
Pickering]
o Added a new NSE DNS library. See this thread:
http://seclists.org/nmap-dev/2008/q3/0310.html [Philip Pickering]
o Added new NSE libraries for base64 encoding, SNMP, and POP3 mail
operations. They are described at
http://seclists.org/nmap-dev/2008/q3/0233.html . [Philip Pickering]
o Added NSE scripts popcapa (retrieves POP3 server capabilities) and
brutePOP3 (brute force POP3 authentication cracker) which make use
of the new POP3 library. [Philip Pickering]
o Added the SNMPcommunitybrute NSE script, which is a brute force
community string cracker. Also modified SNMPsysdescr to use the new
SNMP library. [Philip Pickering]
o Fixed the SMTPcommands script so that it can't return multiple
values (which was causing problems). Thanks to Jah for tracking down
the problem and sending a fix for SMTPcommands. Then Patrick fixed
NSE so it can handle misbehaving scripts like this without causing
mysterious side effects.
o Added a new NSE Unpwdb (username/password database) library for
easily obtaining usernames or passwords from a list. The functions
usernames() and passwords() return a closure which returns a new
list entry with every call, or nil when the list is exhausted. You
can specify your own username and/or password lists via the script
arguments userdb and passdb, respectively. [Kris]
o Nmap's Nsock-utilizing subsystems (DNS, NSE, version detection) have
been updated to support the -S and --ip-options flags. [Kris]
o A new --max-rate option was added, which complements --min-rate. It
allows you to specify the maximum byte rate that Nmap is allowed to
send packets. [David]
o Added --ip-options support for the connect() scan (-sT). [Kris]
o Nsock now supports binding to a local address and setting IPv4
options with nsi_set_localaddr() and nsi_set_ipoptions(),
respectively. [Kris]
o Added IPProto Ping (-PO) support to Traceroute, and fixed support for
IPProto Scan (-sO) and the ICMP Pings (-PE, -PP, -PM) in Traceroute
as well. These could cause Nmap to hang during Traceroute. [Kris]
o [Zenmap] Added a "Cancel" button for cancelling a scan in progress
without losing any Nmap output obtained so far. [Jurand Nogiec]
o Improve the netbios-smb-os-discovery NSE script to improve target
port selection and to also decode the system's timestamp from an SMB
response. [Ron at SkullSecurity]
o Nmap now avoids collapsing large numbers of ports in open|filtered
state (e.g. just printing that 500 ports are in that state rather
than listing them individually) if verbosity or debugging levels are
greater than two. See this thread:
http://seclists.org/nmap-dev/2008/q3/0312.html . [Fyodor]
o The NSE http library now supports chunked encoding. [Sven Klemm]
o The NSE datafiles library now has generic file parsing routines, and
the parsing of the standard nmap data files (e.g. nmap-services,
nmap-protocols, etc.) now uses those generic routines. NSE scripts
and libraries may find them useful for dealing with their own data
files, such as password lists. [Jah]
o Passed the big revision 10,000 milestone in the Nmap project SVN
server: http://seclists.org/nmap-dev/2008/q3/0682.html
o Added some Windows and MinGW compatibility patches submitted by
Gisle Vanem.
o Improved nse_init so that compilation/runtime errors in NSE scripts
no longer cause the script engine to abort. [Patrick]
o Fix a cosmetic bug in --script-trace hex dump output which resulting
in bytes with the highest bit set being prefixed with ffffff. [Sven
Klemm]
o Removed the nselib-bin directory. The last remaining shared NSE
module, bit, has been made static by Patrick. Shared modules were
broken for static builds of Nmap, such as those in the RPMS. We also
had the compilation problems (particularly on OpenBSD) with shared
modules which lead us to make PCRE static a while back. [David]
o Updated rpcinfo NSE script to use the new pack/unpack (binlib)
functions, use the new tab library, include better documentation, and
fix some bugs. [Sven Klemm]
o Add useful details to the error message printed when an NSE script
fails to load (due to syntax error, etc.) [Patrick]
o Fix a bug in the NSE http library which would cause some scripts to
give the error: SCRIPT ENGINE: C:\Program
Files\Nmap\nselib/http.lua:77: attempt to call field 'parse' (a nil
value) [Jah]
o Fixed a Makefile problem (race condition) which could lead to build
failures when launching make in parallel mode (e.g. -j4). [Michal
Januszewski]
o Added new addrow() function to NSE tab library. It allows
developers to add a whole row at once rather than doing a separate
add() call for each column in a row. [Sven Klemm]
o Completion time estimates provided in verbose mode or when you hit a
key during scanning are now more accurate thanks to algorithm
improvements by David.
o Fixed a number of NSE scripts which used print_debug()
incorrectly. See
http://seclists.org/nmap-dev/2008/q3/0470.html. [Sven Klemm].
o [Zenmap] The Ports/Hosts view now provides full version detection
values rather than just a simple summary. [Jurand Nogiec]
o [Zenmap] When you edit the command-entry field, then change the
target selection, Nmap no longer blows away your edits in favor of
using your current profile. [Jurand Nogiec]
o Nsock now returns data from UDP packets individually, preserving the
packet boundary, rather than concatenating the data from multiple
packets into a single buffer. This fixes a problem related to our
reverse-DNS system, which can only handle one DNS packet at a time.
Thanks to Tim Adam of ManageSoft for debugging the problem and
sending the patch. Doug Hoyte helped with testing, and it was
applied by Fyodor.
o [Zenmap] Fixed a crash which would occur when you try to compare two
files, either of which has more than one extraports element. [David]
o Added the undocumented (except here) --nogcc option which disables
global/group congestion control algorithms and so each member of a
scan group of machines is treated separately. This is just an
experimental option for now. [Fyodor]
o [Zenmap] The Ports/Hosts display now has different colors for open
and closed ports. [Vladimir]
o Fixed Zenmap so that it displays all Nmap errors. Previously, only
stdout was redirected into the window, and not stderr. Now they are
both redirected. [Vladimir]
o NSE can now be used in combination with ping scan (e.g. "-sP
--script") so that you can execute host scripts without needing to
perform a port scan. [Kris]
o [NSE] Category names are now case insensitive. [Patrick]
o [NSE] Each thread for a script now gets its own action closure (and
upvalues). See: http://seclists.org/nmap-dev/2008/q2/0549.html
[Patrick]
o [NSE] The script_scan_result structure has been changed to a class,
ScriptResult, which now holds a Script's output in an std::string.
This removes the need to use malloc and free to manage this memory.
A similar change was made to the run_record structure. [Patrick]
o [NSE] Fixed a socket exhaustion deadlock which could prevent a
script scan from ever finishing. Now, rather than limit the total
number of sockets which can be open, we limit the number of scripts
which can have sockets open at once. And once a script has one
socket opened, it is permitted to open as many more as it
needs. [Patrick]
o A hashing library (code from OpenSSL) was added to NSE. hashlib
contains md5 and sha1 routines. [Philip Pickering]
o Fixed host discovery probe matching when looking at the returned TCP
data in an ICMP error message. This could formerly lead to
incorrectly discarded responses and the debugging error message:
"Bogus trynum or sequence number in ICMP error message" [Kris]
o Fixed a segmentation fault in Nsock which occurred when calling
nsock_write() with a data length of -1 (which means the data is a
NUL-terminated string and Nsock should take the length itself) and
the Nsock trace level was at least 2. [Kris]
o The NSE Comm library now defaults to trying to read as many bytes as
are available rather than lines if neither the "bytes" nor "lines"
options are given. Thanks to Brandon for reporting a problem which
he noticed in the dns-test-open-recursion script. [Kris]
o Updated zoneTrans.nse to replace length bytes in returned domain
names to periods itself rather than relying on NSE's old behavior of
replacing non-printable characters with periods. Thanks to Rob
Nicholls for reporting the problem. [Kris]
o Some Zenmap crashes have been fixed: trying to "refresh" the output
of a scan loaded from a file, and trying to re-save a file loaded
from the command line in some circumstances. [David]
o [Zenmap] The file selector now remembers what directory it was last
looking at. [David]
o Added an extra layer of validity checking to received packets
(readip_pcap), just to be extra safe. See
http://seclists.org/nmap-dev/2008/q3/0644.html . [Kris]
o Zenmap defaults to showing files matching both *.xml and *.usr in
the file selector. Previously it only showed those matching *.usr.
The new combined format will be XML and .usr will be deprecated.
See http://seclists.org/nmap-dev/2008/q3/0093.html .
o Nmap avoids printing the sending rate in bytes per second during a
TCP connect scan. Because the number of bytes per probe is not
known, it used to print current sending rates: 11248.85 packets / s,
0.00 bytes / s. Now it will print simply print rates like "11248.85
packets / s". [David]
o [Zenmap] Nmap's installation process now include .desktop files
which install menu items for launching Zenmap as a privileged or
non-privileged process on Linux. This will mainly affect people who
install nmap and Zenmap directly from the source code. [Michael]
o Improved performance of IP protocol scan by fixing a bug related to
timing calculations on ICMP probe responses. See r8754 svn log for
full details. [David]
o Nmap --reason output no longer falsely reports a localhost-response
during -PN scans. See
http://seclists.org/nmap-dev/2008/q3/0188.html. [Michael]
o [Zenmap] The higwidgets Python package has moved so it is now a
subpackage of zenmapGUI. This avoids naming conflicts with Umit,
which uses a slightly different version of higwidgets. [David]
o A bug that could cause some host discovery probes to be incorrectly
interpreted as drops was fixed. This occurred only when the IP
protocol ping (-PO) option was combined with other ping
types. [David]
o A new scanflags attribute has been added to XML output, which lists
all user specified --scanflags for the scan. nmap.dtd has been
modified to account for this. [Michael]
o The loading of the nmap-services file has been made much
faster--roughly 9 times faster in common cases. This is important
for the new (much larger) frequency augmented nmap-services
file. [David]
o Added a script (ASN.nse) which uses Team Cymru's DNS interface to
determine the routing AS numbers of scanned IP addresses. They even
set up a special domain just for Nmap queries. The script is still
experimental and non-default. [Jah, Michael]
o [Zenmap] Clicking "Cancel" in a file chooser in the diff interface
no longer causes a crash. [David]
o The shtool build helper script has been updated to version 2.0.8. An
older version of shutil caused installation to fail when the locale
was set to et_EE. Thanks to Michal Januszewski for the bug
report. [David]
o [Zenmap] Removed services.dmp and os_dmp.dmp and all the files that
referred to them. They are not needed with the new search
interface. Also removed an unused search progress bar. And some
broken fingerprint submission code. Yay for de-bloating! [David]
o [Zenmap] Added "%F" to the Exec link in the new Zenmap desktop
file. We expect (hope) that this will allow dragging and dropping
XML files onto the icon. [David]
o [Zenmap] The -o[XGASN] options can now be specified, just as you can
at the console. [Vladimir]
o [Zenmap] You can now shrink the scan window below its default
size thanks to NmapOutputViewer code enhancements. [David]
o [Zenmap] Removed optional use of the Psyco Python optimizer since
Zenmap is not the kind of CPU-bound application which benefits from
Psyco.
o [Zenmap] You can now select more than one host in the "Ports /
Hosts" view by control-clicking them in the column at left.
o [Zenmap] The profile editor now offers the --traceroute option.
o Zenmap now uses Unicode objects pervasively when dealing with Nmap
text output, though the only internationalized text Nmap currently
outputs is the user's time zone. [David]
o Unprintable characters in NSE script output (which really shouldn't
happen anyway) are now printed like \xHH, where HH is the
hexadecimal representation of the character. See
http://seclists.org/nmap-dev/2008/q3/0180.html . [Patrick]
o Nmap sometimes sent packets with incorrect IP checksums,
particularly when sending the UDP probes in OS detection. This has
been fixed. Thanks to Gisle Vanem for reporting and investigating the
bug. [David]
o Fixed the --without-liblua configure option so that it works
again. [David]
o In the interest of forward compatibility, the xmloutputversion
attribute in Nmap XML output is no longer constrained to be a
certain string ("1.02"). The xmloutputversion should be taken as
merely advisory by authors of parsers.
o Zenmap no longer leaves any temporary files lying around. [David]
o Nmap only prints an uptime guess in verbose mode now, because in
some situations it can be very inaccurate. See the discussion at
http://seclists.org/nmap-dev/2008/q3/0392.html. [David]
Nmap 4.68 [2008-6-28]
o Doug integrated all of your version detection submissions and
corrections for the year up to May 31. There were more than 1,000
new submissions and 18 corrections. Please keep them coming! And
don't forget that corrections are very important, so do submit them
if you ever catch Nmap making a version detection or OS detection
mistake. The version detection DB has grown to 5,054 signatures
representing 486 service protocols. Protocols span the gamut from
abc, acap, access-remote-pc, activefax, and activemq, to zebedee,
zebra, zenimaging, and zenworks. The most popular protocols are
http (1,672 signatures), telnet (519), ftp (459), smtp (344), and
pop3 (201).
o Nmap compilation on Windows is now done with Visual C++ Express 2008
rather than 2005. Windows compilation instructions have been
updated at http://nmap.org/book/inst-windows.html#inst-win-source .
[Kris]
o The Nmap Windows self-installer now automatically installs the MS
Visual C++ 2008 runtime components if they aren't already installed
on a system. These are some reasonably small DLLs that are
generally necessary for applications compiled with Visual C++ (with
dynamic linking). Many or most systems already have these installed
from other software packages. The lack of these components led to
the error message "The Application failed to initialize properly
(0xc0150002)." with Nmap 4.65. A related change is that Nmap on
Windows is now compiled with /MD rather than /MT so that it
consistently uses these runtime libraries. The patch was created by
Rob Nicholls.
o Added advanced search functionality to Zenmap so that you can locate
previous scans using criteria such as which ports were open, keywords
in the target names, OS detection results. etc. Try it out with
Ctrl-F or "Tools->Search Scan Results". [Vladimir]
o Nmap's special WinPcap installer now handles 64-bit Windows machines
by installing the proper 64-bit npf.sys. [Rob Nicholls]
o Added a new NSE Comm (common communication) library for common
network discovery tasks such as banner-grabbing (get_banner()) and
making a quick exchange of data (exchange()). 16 scripts were
updated to use this library. [Kris]
o The Nmap Scripting Engine now supports mutexes for gracefully
handling concurrency issues. Mutexes are documented at
http://nmap.org/book/nse-api.html#nse-mutex . [Patrick]
o Added a UDP SNMPv3 probe to version detection, along with 9 vendor
match lines. The patch was from Tom Sellers, who contributed other
probes and match lines to this release as well.
o Added a new timing_level() function to NSE which reports the Nmap
timing level from 0 to 5, as set by the Nmap -T option. The default
is 3. [Thomas Buchanan]
o Update the HTTP library to use the new timing_level functionality to
set connection and response timeouts. An error preventing the new
timing_level feature from working was also fixed. [Jah]
o Optimized the doAnyOutstandingProbes() function to make Nmap a bit
faster and more efficient. This makes a particularly big difference
in cases where --min-rate is being used to specify a very high
packet sending rate. [David]
o Fixed an integer overflow which prevented a target specification of
"*.*.*.*" from working. Support for the CIDR /0 is now also
available for those times you wish to scan the entire
Internet. [Kris]
o The robots.nse script has been improved to print output more
compactly and limit the number of entries of large robots.txt files
based on Nmap verbosity and debugging levels. [Eddie Bell]
o The Nmap NSE scripts have been re-categorized in a more logical
fashion. The new categories are described at
http://nmap.org/book/nse-usage.html#nse-categories . [Kris]
o Improve AIX support by linking against -lodm and -lcfg on that
platform. [David]
o Updated showHTMLTitle NSE script to follow one HTTP redirect if
necessary as long as it is on the same server. [Jah]
o Michael Pattrick and David created a new OSassist application which
streamlines the OS fingerprint submission integration process and
prevents certain previously common errors. OSassist isn't part of
Nmap, but the system was used to integrate some submissions for this
release. 13 fingerprints were added during OSassist testing, and
some existing fingerprints were improved as well. Expect many more
fingerprints coming soon.
o Improved the mapping from dnet device names (like eth0) and WinPcap
names (like \Device\NPF_{28700713...}). You can see this mapping
with --iflist, and the change should make Nmap more likely to work
on Windows machines with unusual networking configurations. [David]
o Service fingerprints in XML output are no longer be truncated to
2kb. [Michael]
o Some laptops report the IP Family as NULL for disabled WiFi cards.
This could lead to a crash with the "sin->sin_family == AF_INET6"
assertion failure. Nmap no longer quits when this is
encountered. [Michael]
o On systems without the GNU getopt_long_only() function, Nmap has its
own replacement. That replacement used to call the system's
getopt() function if it exists. But the AIX and Solaris getopt()
functions proved insufficient/buggy, so Nmap now always calls its
own internal getopt() now from its getopt_long_only()
replacement. [David]
o Integrated several service match lines from Tom Sellers.
o An error was fixed where Zenmap would crash when trying to load from
the recent scans database a file containing non-ASCII
characters. The error looked like
pysqlite2.dbapi2.OperationalError: Could not decode to UTF-8 column
'nmap_xml_output' with text
'
= 0.0" assertion failed. I think the problem was
actually caused by SMP machines which didn't sync the clock time
perfectly. This lead to gettimeofday() sometimes reporting that
time decreased by some microseconds. Now Nmap is willing to
tolerate decreases of up to 1 millisecond in this function. [Fyodor]
o Nmap now returns correct values for --iflist in windows even
if interface aliases have been set. Previously it would misreport
the windevices and not list all interfaces. [Michael]
o Nmap no longer crashes with an 'assert' error when its told to
access a disabled WiFi NIC on some laptops. [Michael]
o Upgraded the OpenSSL shipped for Windows to 0.9.8h. [Kris]
o The NSE http library was updated to gracefully handle certain bogus
(non-)http responses. [Jah]
o The zoneTrans.nse script now takes a "domain" script argument to
specify the desired domain name to transfer. You can narrow the
scope down with the form "zoneTrans={domain=xxx}". [Kris]
o Increase write buffer length for Nmap output on Windows. This should
prevent error messages like: "log_vwrite: vnsprintf failed. Even
after increasing bufferlen to 819200, Vsnprintf returned -1 (logt ==
1)." Thanks to prozente0 for the report. [Fyodor]
o Fixed the --script-updatedb command, which was claiming to be
"Aborting database update" even when the update was performed
perfectly. See http://seclists.org/nmap-dev/2008/q2/0623.html .
Thanks to Jah for the report.
Nmap 4.65 [2008-6-1]
o A Mac OS X Nmap/Zenmap installer is now available from the Nmap
download page! It is rather straightforward, but detailed
instructions are available anyway at
http://nmap.org/book/inst-macosx.html . As a universal installer,
it works on both Intel and PPC Macs. It is distributed as a disk
image file (.dmg) containing an mpkg package. The installed Nmap
does include OpenSSL support. It also supports Authorization
Services so that Zenmap can run as root. David created this
installer. He wants to thank Benson Kalahar and Vlad Alexa for
extensive testing of the nine test releases.
o The Windows version of Nmap now supports OpenSSL just as the UNIX
versions have for years. Both the .zip and executable installer
binary packages we ship from the Nmap download page now include
OpenSSL. [Kris, Thomas Buchanan]
o We now compile in IPv6 support on Windows. In order to use this,
you need to have IPv6 set up. It is installed by default on Vista,
but must be downloaded from Microsoft for XP. See
http://www.microsoft.com/technet/network/ipv6/ipv6faq.mspx . [Kris]
o Seven Google-sponsored Summer of Code students began working on
exciting Nmap projects full times. The winning students and their
Nmap development projects are described at
http://seclists.org/nmap-dev/2008/q2/0132.html .
o Our WinPcap installer now starts the NPF driver running as a
service immediately upon installation and after restarts. You can
disable this with new check-boxes. This behavior is important for
Vista and Windows Server 2008 machines when User Account
Control (UAC) is enabled. [Rob Nicholls]
o Nmap and Nmap-WinPcap silent installation now works. Nmap can
be silently installed with the /S option to the installer.
If you install Nmap from the zip file, you can install just
WinPcap silently with the /S option to that
installer. [Rob Nicholls]
o Our WinPcap installer is now included with the Nmap Win32 zip
file. [Fyodor]
o Numerous miscellaneous improvements were made to our Win32
installer, such as using the "Modern" NSIS UI for WinPcap,
improving the option description labels, and showing a finish
page in all cases. [Rob Nicholls]
o The nmap-dev and nmap-hackers mailing list RSS feeds at seclists.org
now include message excerpts to make it easier to identify
interesting messages and speed the process of reading through the
list. Feeds for all other mailing lists archived at SecLists.Org
have been similarly augmented. For details, see
http://seclists.org/nmap-dev/2008/q2/0333.html . [David]
o A new "default" Nmap Scripting Engine category was added. Only
scripts in this category now run by default (except for "version"
scripts which run when version detection was requested).
Previously, any scripts in the "safe" or "intrusive" categories were
run. 21 scripts are now in this default category. [Kris]
o The NSE HTTP library now uses the host name specified on the command
line when making requests, which improves script scanning against
web servers with virtual hosts. Thanks to Sven Klemm for the patch.
o Added some new and improved version detection signatures. [Brandon]
o Fixed an OS detection bug that prevented the R1.UID test result from
being recorded properly when scanning certain printers from
little-endian computers. Updated nmap-os-db to compensate for
signatures that had an incorrect U1.RID value. [Michael]
o Updated to include the latest MAC Address prefixes from the IEEE in
nmap-mac-prefixes [Fyodor]
o Updated the SMTPcommands NSE script to work better against Postfix
and reduce verbosity. [Jason DePriest, Fyodor]
o Reorganized the way ping probes are handled internally. Rather than
being stored in the NmapOps structure, they are now stored within
the individual scan_lists structures. This is a cleaner
organization. [Michael]
o Fix grepable output's "Ignored State" reporting. Only one ignored
state (the one with the highest numbers of ports) is shown. [David]
o Update to Lua version 5.1.3 [Patrick]
o Add NSE stdnse library to include tobinary, tooctal, and tohex
functions. [Patrick]
o Fixed a bug which caused the Zenmap crash reporter to, uh,
crash. [David]
o NSE engine was cleaned up significantly. nse_auxiliar was removed,
and file system manipulation functions were moved from nse_init.cc
into a new nse_fs.cc file. Numerous interfaces between Nmap and Lua
were improved. Most of these functions are now callable directly by
Lua. [Patrick]
o Fixed a bug in the showOwner NSE script which caused it to try UDP
ports instead of just TCP ports. This made it very slow in the
common case where there are many UDP ports in the open|filtered
state. Thanks to Jason DePriest for reporting the problem and Jah
for tracking it down and fixing it.
o Nbase now generates pseudo-random numbers itself rather than using
/dev/urandom on Linux and the terrible rand() function on Windows.
The new system uses ARC4 based on libdnet's
implementation. [Brandon]
o Made a number of updates and improvements to the Zenmap Users' Guide
at http://nmap.org/book/zenmap.html . [David]
o Fixed the way Zenmap handles command-line entry to prevent your
custom command-line to be overwritten with the current profile's
command just because you edited the target field. [Jurand]
o Nsock was improved to better support reading from non-network
descriptors such as stdin. This is important for the upcoming Ncat
project Mixter is working on. [Mixter]
o A bug was fixed that could cause Zenmap to crash when loading a
results file that had multibyte characters in it. The error looked
like:
Gtk-ERROR **: file gtktextsegment.c: line 196
(_gtk_char_segment_new): assertion failed:
(gtk_text_byte_begins_utf8_char (text))
[David]
o Removed a superfluous test for the existence of the C++ compiler in
the configure script. The test was not robust when configured with
CXX="ccache g++". Thanks to Rainer Müller for the report.
o Optimized cached DNS lookups so they are equally efficient when
running on big-endian or little-endian systems. [Michael]
o Fixed the nmap_command_path Zenmap configuration variable so that it
is actually used to start the specified Nmap executable
path. [Jurand Nogiec]
o Nmap now reports scan start and end times for individual hosts
within a larger scan. The information is added to the XML host
element like so: [host starttime="1198292349" endtime="1198292370"]
(but of course with angle brackets rather than square ones). It is
also printed in normal output if -d or "-v -v" are
specified. [Brandon, Kris, Fyodor]
o "make uninstall" now uninstalls Zenmap as well as Nmap. The
uninstall_zenmap script now deletes directories that were
installed. [David]
o Fixed a bug which caused Nmap to send bad checksums on Solaris 10
x86. This was due to a workaround for an Ancient Solaris 2.1 bug
which activated when the OS string matched "solaris2.1*". The
problem has now been resolved until Solaris 20 comes out and hits
our "solaris2.2*" bug workarounds. Thanks to Nathan Bills for the
problem report. Fixed by Fyodor.
o Fixed a minor memory leak in getpts_simple which occurs when no
ports are to be added to 'list'. 'porttbl' is now free'd regardless
of how the function returns. [Michael]
o Nmap now understands the RFC 4007 percent syntax for IPv6 Zone IDs.
On Windows, this ID has to be a numeric index. On Linux and some
other OS's, this ID can instead be an interface name. Some examples
of this syntax:
fe80::20f:b0ff:fec6:15af%2
fe80::20f:b0ff:fec6:15af%eth0
[Kris]
o The Zenmap installer and uninstaller are more careful about escaping
filenames and dealing with an installation root (DESTDIR). [David]
o Since assert() calls are used for various security-related tests,
their safety is now ensured by keeping NDEBUG undefined throughout
Nmap, Nbase and Nsock. [Kris]
o Fix a couple bugs in the way the Nmap build system checked for an
existing LUA library. A bashism caused one test to fail on system
which don't use bash as /bin/sh, and another bug fixed --with-liblua
configure option for specifying your own liblua. [Daniel
Roethlisberger]
o The NSE nmap.registry.args table is now available, albeit empty,
when --script-args isn't used. Now scripts don't need to check if
it's nil before attempting to index it. [Kris]
o Changed SSLv2-support.nse so that it only enumerates the list of
available ciphers with a verbosity level of at least two or with
debugging enabled. [Kris]
o Replaced kibuvDetection.nse with version detection match lines which
work better than the script. [Kris, Brandon]
o Removed mswindowsShell.nse as there is a version detection NULL
probe match which does the same thing. [Brandon, Fyodor, Kris]
o Updated IANA assignment IP list for random IP (-iR)
generation. [Kris]
Nmap 4.62 [2008-5-3]
o Added a new --min-rate option that allows specifying a minimum rate
at which to send packets. This allows you to override Nmap's
congestion control algorithms and request that Nmap try to keep at
least the rate you specify. The rate is given in packets per
second. Read more in the Nmap man page
(http://nmap.org/book/man-performance.html) [David]
o Create /nmap/macosx directory in SVN with files necessary to build
binary Mac OS X Nmap/Zenmap packages. We are trying to create
binary installer packages which are as useful and easy to use as the
Windows installer. This has involved a lot of work by David. We
aren't quite yet distributing the results on the Nmap download page,
but testing our beta versions is useful. You can find the latest
universal (PPC and Intel) binary test version by looking at David
Fifield's posts at http://seclists.org/nmap-dev/2008/q2/author.html.
You can also read /nmap/macosx/README in svn for more info.
o Nmap 2008 Summer of Code students have began working (though full
time doesn't start until late May). Learn about the winners and
their projects at http://seclists.org/nmap-dev/2008/q2/0132.html .
o Brandon added/modified a whole bunch of version detection signatures
based on systems discovered when scanning UCSD's network.
o Reformat Nmap COPYING file (e.g. remove C comment markers, reduce
line length) during Nmap windows build so that it looks much better
when presented by the Windows executable (NSIS) installer. Thanks
to Jah for the patch, which was modified slightly by Fyodor.
o Added NSE Datafiles library which reads and parses Nmap's nmap-*
data files for scripts. The functions (parse_protocols(),
parse_rpc() and parse_services()) return tables with numbers
(e.g. port numbers) indexing names (e.g. service names). The
rpcinfo.nse script was also updated to use this library. [Kris]
o Fixed a bug in the nbase random number generator (and the way it
interacted with Nmap and MS Windows) which caused duplicates in some
instances. Thanks to Jah for reporting the problem and working with
Brandon Enright, Fyodor and Kris to fix it.
o It turns out that hours contain 60 minutes, not 24. Fixed a scan
status message which was rolling over the hours column
prematurely. [David]
o Added scripting options to Zenmap profile editor and command wizard
to make use of NSE. [David]
o Zenmap now prints an exception message rather than segfaulting when
it can't open a display (such as when trying to connect to an X
server as an unauthorized user). Thanks to Aaron Leininger for the
initial report and Guilherme Polo for suggesting the fix.
o Now ports in the "unfiltered" state can be selected for attention by
NSE scripts. [Kris]
o Nbase random number generation system now avoids having a high-bit
of zero in every other byte on Windows due to Windows having such a
low RAND_MAX. [Jah]
o Added release dates for each Nmap version to this CHANGELOG going
back to Nmap 3.00 (July 31, 2002). Dates are in MM/DD/YY format.
If someone wants to track down dates for the last 22% of the file
(pre-3.00), you are welcome to do so and send a patch. Searching
Google for the version number and site:seclists.org seems to work
well. [Fyodor]
o Nmap RPM builds now use the versions of libdnet, libpcap, libpcre,
and liblua included with Nmap rather than whatever happens to be
installed on the build system. [David]
o Zenmap can now be installed in and run in directories with a space
in the name. [David]
o Fixed an assertion failure ("Target.cc:396: void
Target::stopTimeOutClock(const timeval*): Assertion
'htn.toclock_running == true' failed.")caused when a host had NSE
scripts in multiple runlevels. This also fixes --host-timeout
behavior in NSE. [Kris]
o Reduce the maximum number of socket descriptors which Nmap is
allowed to open concurrently. This resoles a bug which could cause
"Too many open files" error on Mac OS X when not running as
root. [David]
o Canonicalized service names between nmap-service-probes (version
detection DB) and nmap-services (port scanning DB). [Kris]
o Removed the "class" attribute from the tcpsequence element in XML
output. For a long time it had always been "unknown class" because
Nmap doesn't calculate a class anymore. The XML output version has
been increased from 1.01 to 1.02. [David]
o Fixed a bug on Win32 which caused an infinite loop when Nmap
encountered certain broadcast addresses. [Dudi Itzhakov]
o Fix MingW compilation by adding a signal.h include to
main.cc. [Gisle Vanem]
o Fix the test in our build system to determine if liblua is already
available or not. For example, the test needed to link with -lm
since some systems require that. [David].
o Added TIMEVAL_BEFORE and TIMEVAL_AFTER macros to test whether one
timeval is earlier than another while avoiding possible integer
overflows in a naive approach we were using previously. [David]
o Adjusted a bunch of code to avoid compilation warning messages on
some Linux machines. [Andrew J. Bennieston]
o Fixed the NmapArpCache so that it actually works. Previously, Nmap
was always falling back to the system ARP cache. Of course this
raises the question of whether NmapArpCache is needed in the first
place. [Daniel Roethlisberger]
o Fix a Zenmap bug which could cause the error message
"zenmapCore.NmapOptions.OptionNotFound: No option named '' found!"
if you create a new profile without checking any options then try to
edit it. [David]
o Zenmap now shows a more helpful error message when there is an error
in executing Nmap. [David]
o Zenmap now creates the directory ~/.zenmap-etc to store
automatically generated GTK+ and Pango files. They used to go in the
application bundle but that doesn't work on a read-only filesystem
or disk image. This is what Wireshark does (~/.wireshark-etc),
although the directory could be called anything. It doesn't have to
persist across sessions.
o Added a mechanism in Zenmap for including extra executable search
paths on specific platforms, so we can include /usr/local/bin in
PATH on Mac OS X by default and add the Nmap install directory on
Windows. [David]
o We now use --no-strip when building Zenmap Mac OS X packages to
prevent many mysterious warnings which occur when the binary is
stripped. [David]
o When Zenmap invokes Nmap, it now copies the whole environment for
the Nmap invocation rather than just providing $PATH. Windows may
need this to do proper name resolution. [David]
o Corrected uptime parsing and reporting in SNMPsysdesr.nse for an
uptime of less than 46 hours. [Kris]
o Modified the use of CXXFLAGS, CFLAGS, and CPPFLAGS in Nmap build
system to work better when building Mac OS X universal
binaries. [David]
o Added many additional PCRE option flags to the list returned by the
NSE pcre.flags() function. [Kris]
o Changed the NSE function nmap.set_port_state() so that it checks to
see if the requested port is already in the requested state. This
prevents "Duplicate port" messages during the script scan and the
inaccurate "script-set" state reason. [Kris]
o Canonicalize NSE script license text--more than half did not even
spell license correctly. They all still say that they are under
Nmap's license, just with consistent capitalization and spelling,
and now a link to Nmap legal page at
http://nmap.org/man/man-legal.html.
o Updated ripeQuery.nse to not print extraneous whitespace. [Kris]
o Switched telnet brute force password cracking NSE (bruteTelnet.nse)
to vulnerability category so it isn't executed by default. It can
take too long to run. [Eddie]
o NSE status messages now print host name and IP, rather than just the
host name (which was blank when Nmap didn't know it). [Jah]
o Allocate 128 characters for the idle scan ScanProgressMeter
title. Previously it was 32 characters. The "idle scan against " and
the \0 terminator take up 19 characters, leaving only 13, which
isn't enough to represent all IP addresses, let alone host
names. Bug reported by Stephan Fijneman, fixed by David.
Nmap 4.60 [2008-3-15]
o Nmap has moved. Everything at http://insecure.org/nmap/ can now be
found at http://nmap.org . That should save your fingers from a
little bit of typing. Even though transparent redirectors are in
place for the old URLs, please update your links and bookmarks. And
if you don't have a link to Nmap on your web site, now is a good
time to add one :).
o All of your OS detection fingerprints up until March 10, 2008 have
now been integrated by David. The second generation database has
grown from 1,085 fingerprints representing 421 operating
systems/devices, to 1,304 fingerprints representing 478 systems.
That is an increase of more than 20%. New fingerprints were added
for Mac OS X Tiger, iPod Touch, the La Fonera WAP, FreeBSD 7.0,
Linux 2.6.24, Windows 2008, Vista, OpenBSD 4.2, and of course
hundreds of broadband routers, VoIP phones, printers, some crazy
oscilloscope, etc. We get a ton of new fingerprint submissions, but
not as many corrections. Please remember to visit
http://nmap.org/submit/ if Nmap gives you bad results, whether they
are completely wrong or just a slight mistake (like Nmap says Linux
2.6.20-2.6.23, but you're running 2.6.24). Of course you need to be
certain you know exactly what is running on the target before you do
this.
o All of your service fingerprints and corrections submitted until
January 14, 2008 have now been integrated by Doug. As usual, he has
documented his adventures at http://hcsw.org/blog.pl/33 . More than
a hundred signatures were added, growing the database to 4,645
signatures for 457 services. Corrections are welcome for service
detection too -- visit http://nmap.org/submit/ if you get incorrect results.
o Nmap now saves the target name (if any) specified on the command
line, since this can differ from the reverse DNS results. It can be
particularly important when doing HTTP tests against virtual hosts.
The data can be accessed from target->TargetName() from Nmap proper
and host.targetname from NSE scripts. The NSE HTTP library now uses
this for the Host header. Thanks to Sven Klemm for adding this
useful feature.
o Added NSE HTTP library which allows scripts to easily fetch URLs
with http.get_url() or create more complex requests with
http.request(). There is also an http.get() function which takes
components (hostname, port, and path) rather than a URL. The
HTTPAuth, robots, and showHTMLTitle NSE scripts have been updated to
use this library. Sven Klemm wrote all of this code.
o Fixed an integer overflow in the DNS caching code that caused nmap
to loop infinitely once it had expunging the cache of older
entries. Thanks to David Moore for the report, and Eddie Bell for
the fix.
o Fixed another integer overflow in the DNS caching code which caused
infinite loops. [David]
o Added IPv6 host support to the RPC scan. Attempting this before
(via -sV) caused a segmentation fault. Thanks to Will Cladek for
the report. [Kris]
o Fixed an event handling bug in NSE that could cause execution of
some in-progress scripts to be excessively delayed. [Marek]
o A new NSE table library (tab.lua) allows scripts to deliver better
formatted output. The Zone transfer script (zoneTrans.nse) has been
updated to use this new facility. [Eddie]
o Rewrote HTTPpasswd.nse to use Sven's excellent HTTP library and to
do some much-needed cleaning up. [Kris]
o Added a new MsSQL version detection probe and a bunch of match lines
developed by Tom Sellers.
o Added a new service detection probe and signatures for the memcached
service [Doug]
o Added new service detection probes and signatures for the Beast
Trojan and Firebird RDBMS. [Brandon Enright]
o Fixed a crash in Zenmap which occurred when attempting to edit or
create a new profile based on an existing one when there wasn't one
selected. The error message was:
'NoneType' object has no attribute 'toolbar'
Now a new Profile Editor is opened. Thanks to D1N (d1n@inbox.com)
for the report. [Kris]
o Fixed another crash in Zenmap which occurred when exiting the
Profile Editor (while editing an existing profile) by clicking the
"X", then going to edit the same profile again. The error message
was: "No option named '' found!". Now the same window that appears
when clicking Cancel comes up when clicking "X". Thanks to David
for reporting this bug. [Kris]
o Another Zenmap bug was fixed: ports consolidated into "extra ports"
groups are now counted and shown in the "Host Details" tab. The
closed, filtered and scanned port counts in this tab didn't contain
this information before so they were usually very inaccurate. [Kris]
o Another Zenmap bug was fixed: the --scan-delay and --max-scan-delay
buttons ("amount of time between probes") under the Advanced tab in
the Profile Editor were backwards. [Kris]
o Added the UDP Scan (-sU) and IPProto Ping (-PO) to Zenmap's Profile
Editor and Command Wizard. [Kris]
o Reordered the UDP port selection for Traceroute: a closed port is
now chosen before an open one. This is because an open UDP port is
usually due to running version detection (-sV), so a Traceroute
probe wouldn't elicit a response. [Kris]
o Add Famtech Radmin remote control software probe and signatures to
the Nmap version detection DB. [Tom Sellers, Fyodor]
o Add "Connection: Close" header to requests from HTTP NSE scripts so
that they finish faster. [Sven Klemm]
o Update SSLv2-support NSE script to run against more services which
are likely SSL. [Sven Klemm]
o A bunch of service name canonicalization was done in the Nmap
version detection file by Brandon Enright (e.g. capitalizing D-Link
and Netgear consistently).
o Upgraded the shipped LibPCRE from version 7.4 to 7.6. [Kris]
o Updated to latest (as of 3/15) autoconf config.sub/config.guess
files from http://cvs.savannah.gnu.org/viewvc/config/?root=config.
[Fyodor]
o We now escape newlines, carriage returns, and tabs (\n\r\t) in XML
output. While those are allowed in XML attributes, they get
normalized which can make formatting the output difficult for
applications which parse Nmap XML. [Joao Medeiros, David, Fyodor]
o The Zenmap man page is now installed on Unix when "make install" is
run. This was supposed to work before, but didn't. [Kris]
o Fixed a man page bug related to our DocBook to Nroff translation
software producing incorrect Nroff output. The man page no longer
uses the ".nse" string which was being confused with the Nroff
no-space mode command. [Fyodor]
o Fixed a bug in which some NSE error messages were improperly escaped
so that a message including "c:\nmap" would end up with a newline
between "c:" and "map".
o Updated IANA assignment IP list for random IP (-iR)
generation. [Kris]
o The DocBook XML source code to the Nmap Scripting Engine docs
(http://nmap.org/nse/) is now in SVN under docs/scripting.xml .
4.53 [2008-1-12]
o Improved Windows executable installer by making uninstall work better
on systems which changed the default install path. The shortcut is
also now deleted properly on Vista. [Rob Nicholls]
o Windows installer is now generated using NSIS 2.34 rather than
2.13. [Fyodor]
o Added UPnP-info NSE script by Thomas Buchanan. It gathers
information from the UPnP service (UDP port 1900) which listens on
many network devices such as routers, printers, and networked media
players.
o Fixed a --traceroute bug (assertion failure crash) which occurred
when the first hop of the first host in a tracegroup (reference
trace) times out. Thanks to Sebastián García for the bug report and
testing, and Eddie for the patch.
o Fix a problem which prevented proper port number matching in
NSE scripts (port_or_service function) due to a variable
shadowing bug. [Sven Klemm]
o Improved rpcinfo.nse to better sort and display available RPC
services. [Sven Klemm]
4.52 [2008-1-1]
o Fixed Nmap WinPcap installer to use CurrentVersion registry key on
Windows rather than VersionNumber to more reliably detect Vista
machines. This should prevent the XP version of Packet.dll from
being installed on Vista. [Rob Nicholls]
o The Nmap Scripting Engine (NSE) now supports run-time interaction
and the Nmap --host-timeout option. [Doug]
o Added nmap.fetchfile() function for scripts so they can easily find
Nmap's nmap-* data files (such as the OS/version detection DBs, port
number mapping, etc.) [Kris]
o Updated rpcinfo.nse to use nmap.fetchfile() to read from nmap-rpc
instead of having a huge table of RPC numbers. This reduced the
script's size by nearly 75%. [Kris]
o Fixed multiple NSE scripts that weren't always properly closing their
sockets. The error message was:
"bad argument #1 to 'close' (nsock expected, got no value)" [Kris]
o Added a new version detection probe for the Trend Micro OfficeScan
product line. [Tom Sellers, Doug]
4.51BETA [2007-12-21]
o David wrote a detailed Zenmap guide: http://nmap.org/book/zenmap.html
o Added rpcinfo.nse script, which contacts a listening RPC portmapper
and reports the listening services and port information (like
rpcinfo -p does). The script was written by Sven Klemm. Fyodor
then enhanced the RPC number list with all of the entries from
nmap-rpc.
o Added a new NSE script (MySQLinfo) which prints MySQL server information
such as the protocol and version numbers, status, thread id, capabilities,
and password salt. [Kris]
o Nmap's output options (-oA, -oX, etc.) now support strftime()-like
conversions in the filename. %H, %M, %S, %m, %d, %y, and %Y are
all the same as in strftime(). %T is the same as %H%M%S, %R is the
same as %H%M, and %D is the same as %m%d%y. A % followed by any
other character just yields that character (%% yields a %). This
means that "-oX 'scan-%T-%D.xml'" uses an XML file in the form of
"scan-144840-121307.xml". [Kris]
o Fixed WinPcap installer to install the right version of Packet.dll
on Windows Vista. [Fyodor]
o Fixed our WinPcap installer so that it waits for a WinPcap uninstall
(if needed) to complete before trying to install the new WinPcap.
[Jah]
o Fix a bunch of warning/error messages which contained an extra
newline. [Brandon Enright]
o Fixed an error when attempting to scan localhost as an unprivileged
user on Windows (nmap --unprivileged localhost). The error was:
"Skipping SYN Stealth Scan against localhost (127.0.0.1) because
Windows does not support scanning your own machine (localhost) this
way."
Now connect scan is used instead of SYN scan. [David]
o Fixed a bug that prevented the --resume option from working on
Windows. The error message was:
..\utils.cc(996): CreateFileMapping(), file 'testresume', length 103,
mflags 000 00006: The parameter is incorrect.(87)
[Fixed by David, reported by Rob Nicholls]
o Zenmap's new web page (http://nmap.org/zenmap/) is now shown in the
Zenmap about dialogue.
o On Windows, paths beginning with \ are now considered absolute when
used with the --script option. jah (jah(a)zadkiel.plus.com) suggested
this. [David]
o Zenmap no longer double-spaces its output (by inadvertently
duplicating newlines) when viewing scan results that were saved to a
file. [Joao Medeiros]
o Upgraded the shipped LibPCRE from version 7.2 to 7.4. [Kris]
o Fixed Zenmap crash that occurred when selecting Help from the Compare
Results window. [Kris]
o Updated robots.nse to prevent printing robots.txt comments. [Kris]
o Many version detection match lines were improved to match even when
newlines appear in binary data returned by the service. [Fixed by
Doug, suggested by Lionel Cons]
4.50 [2007-12-13]
o Bumped up the version number to the big 10th anniversary 4.50
release! See http://insecure.org/stf/Nmap-4.50-Release.html .
4.49RC7 [2007-12-10]
o A Zenmap crash was fixed. Scanning once, then scanning another target
on the same scan tab caused an ImportError ("list index out of range")
in zenmapGUI/ScanNotebook.py. Joao Medeiros reported the
bug. [David]
o Updated a couple of version detection signatures due to problem
reports by Lionel Cons. [Doug]
4.49RC6 [2007-12-8]
o NSE scripts can now be specified by absolute path to the --script
option. This was supposed to work before, but didn't. [David]
o Insert a path separator in returned paths in init_scandir on
Windows. Otherwise options such as "--scripts=scripts" (where
scripts is a directory) were failing with error messages about being
unable to access things like "C:\Nmap\scriptsanonFTP.nse" (should be
"C:\Nmap\scripts\anonFTP.nse"). [David]
o Add some "local" declarations to xamppDefaultPass.nse to avoid
errors like: "SCRIPT ENGINE: [string "Global Access"]:1: Attempted
to change the global 'socket' ..." [David]
o NSE "shortports" function now by default matches ports in the
"open|filtered" state as well as "open" ones. [Diman]
o Nsock msevent_new and msevent_delete calls fixed to handle NULL I/O
descriptors. This should fix a reported bus error crash. [Diman]
o Prevent old bit.dll and pcre.dll files from being installed in
nselib directory by Windows executable installer. Bit.dll is still
installed in nselib-bin where it belongs. Thanks to Rob Nicholls for
reporting the problem. [Fyodor]
4.49RC5 [2007-12-8]
o Don't install the orphaned and incomplete Zenmap HTML documentation.
Instead point to the Nmap documentation site, which is provides more
comprehensive and up-to-date Nmap docs. We're rapidly improving the
online Zenmap docs as well. Of course the Nmap and (new!) Zenmap
man pages are still installed on Unix. [Fyodor]
o Fix mswin32/Makefile so that the new nselib-bin directory is
properly included in the Nmap win32 zipfile distribution. Thanks
to Rob Nicholls for reporting the problem. [Fyodor]
o Fix host reason reported when the target is found to be "down" due
to no response. Nmap now reports "no-response" rather than
"unknown-reason" [Kris]
4.49RC4 [2007-12-7]
o David did a huge OS fingerprint integration marathon, going through
all of your submissions (more than 1600) since August 20. The 2nd
generation database has grown more than 30% to 1,085 entries! Many
of the existing fingerprints were improved as well. Notable new or
greatly improved entries include the iPhone, iPod Touch, Mac OS X
Leopard FreeBSD 7.0, Linux 2.6.23, Nokia cell phones (E61, E65, E70,
E90, N95), and OpenBSD 4.2. Of course there were all manner of new
printers, cable/DSL routers, switches, enterprise routers, IP
phones, cell phones and a heap of obscure equipment such as the
BeaconMedaes medical gas alarm. Windows Vista fingerprints were
also improved significantly. Please keep those OS fingerprint
submissions and corrections coming!
o Doug integrated all of your version detection fingerprints and
corrections since October 4. The DB now has an incredible 4,542
signatures for 449 service protocols. The service protocols with
the most signatures are http (1,473), telnet (459), ftp (423), smtp
(327), pop3 (188), http-proxy (111), ssh (104), imap (103), irc (46)
and nntp (44).
o Included the netbios-smb-os-discovery.nse script which uses NetBIOS
and SMB queries to guess OS version. This script was written by
Judy Novak and contributed by Sourcefire.
o Canonicalized the interface type numbers used internally by
libdnet. Also Libdnet now recognizes devices with type
INTF_TYPE_IEEE80211 as Ethernet devices. This ought to make
wireless network scanning work on Windows Vista. For more background
see http://seclists.org/nmap-dev/2007/q4/0391.html. [David]
o Documented the "--script all" option in the man page and NSE
article. This option executes all scripts in the NSE database
regardless of category. [Fyodor]
o NSE scripts can now be specified by name without the .nse
extension. So instead of using "--script
bruteTelnet.nse,HTTPpasswd.nse,SQLInject.nse,robots.nse", you can
just pass "--script bruteTelnet,HTTPpasswd,SQLInject,robots". [Kris]
o Removed some auto-generated files from the new nselib-bin directory
as they could cause compatibility problems. Also updated
mswin32/Makefile to reflect the new nselib-bin DLL location [David]
o ripeQuery.nse was updated to avoid printing some useless
information. [Kris]
o Compatibility with systems that have the pcre.h header file in its
own pcre directory should now be fixed for real. [Fyodor]
o Enhanced the radmind service detection signature and added a
deprecated radmind port to nmap-services. [Matt Selsky]
o Zenmap now gives better errors to stdout when it can't even pop up a
dialog box (such as when PyGTK can't be loaded). [David]
o Fixed a Zenmap crash which occurred on Mac OS X and possibly other
platforms. The error message said: "object of type
'ScanHostDetailsPage' has no len()". [David]
o Fixed a crash which occurred when an NSE script called
set_port_version() at times that version scanning was not
enabled. [Diman]
o Fixed the NSIS installer so that it does not include some excess
files (mswin32/* and .svn). Thanks to Alan Jones for reporting the
problem. [Fyodor]
o Renamed some Zenmap Python packages to allow Zenmap and Umit to be
installed at the same time. [David]
o Updated nmap-mac-prefixes with the latest IEEE data. Also added
back Cooperative Linux virtual NIC which was inadvertently removed in
a previous release. [Fyodor]
4.23RC3 [2007-11-27]
o Zenmap now has a man page! It isn't very long yet, but covers the
basics. Thanks to David for writing this.
o A new NSE script, promiscuous.nse, scans devices on a local network
looking for sniffers (devices running in promiscuous mode). This
script is from Marek Majkowski and is the first to use the NSE pcap
extension system (which he also wrote). The script is only in the
discovery category for now so it does not run by default. Specify
it by name for now. We may make it default after the upcoming
stable release.
o Nmap can now handle IP aliases on Windows. A given device such as
eth0 might have several IP addresses. Nmap will use the primary
address, so you need to use -S if you want to specify a different
one. [David]
o An exception (rather than luaL_argerror) is now thrown when an SSL
connection is attempted but OpenSSL isn't available. [David]
o There is now an nmap.have_ssl NSE function so you can avoid doing
NSE probes when SSL isn't available. [David]
o Zenmap gives clearer error messages when an import error occurs or
Zenmap's dump files aren't found. [David]
o Zenmap now looks for its data files relative to the directory of the
zenmap script to allow running from the build/svn directory. [David]
o NSE C modules are now installed into an nselib-bin directory. This
was needed to make the dns-test-open-recursion and zoneTrans NSE
scripts work properly, since they use the NSE bit library
(bit.so). [Diman, Fyodor]
o Axillary autoconf scripts such as config.guess, config.sub,
depcomp, install-sh, and ltmain.sh were deleted from Nmap
subdirectories because configure is smart enough to use the ones from
the parent directory. This decreases the Nmap source tarball and svn
checkout sizes. [David]
o Nmap now compiles on systems which have the libPCRE include file in
pcre/pcre.h rather than just pcre.h. Thanks to Lionel Cons for the
report. [Fyodor]
o Nmap binary is now stripped again, but it now uses -x to avoid
stripping dynamically loaded NSE functions on Mac OS X. [David]
o Normalized Zenmap's handling of results files specified on the
command line. In some cases, Zenmap would ignore specified results
files just because some unrelated options were used. [David]
o configure.ac now uses literal directory names rather than variable
references in calls to AC_CONFIG_SUBDIRS. This removes an annoying
warning message which has existed for years when you regenerate
configure. [David]
o Fixed a configure.ac error which prevented you from specifying an
alternative libnsock directory. [David]
o Check for Python in configure only if Zenmap is requested, and bail
out if Zenmap is explicitly requested (--with-zenmap) and Python is
not available. [David]
o Removed some unimplemented Zenmap command-line options and function
calls. [David]
4.23RC2 [2007-11-18]
o Static code analysis company Coverity generously offered to scan the
Nmap code base for flaws, and Kris volunteered to go through their
report and fix the ones which were actual/possible problems rather
than false positives. Their system proved quite useful, and about a
dozen potential problems were fixed. For details, see Kris'
11/15/07 SVN commits.
o Improved the Zenmap RPM file so that it should work on either Python
2.4 or Python 2.5 machines. It should also work on any platform (x86,
x86_64, etc.) [David]
o WinPcap updated from version 4.0.1 to the new 4.0.2 release. [David]
o Added PPTP version detection NSE script (PPTPversion.nse) from
Thomas Buchanan. Nmap now ships with 38 NSE scripts.
o A number of Solaris compilation fixes were added. Hopefully it
works for more Solaris users now. We also fixed an alignment issue
which could cause a bus error on Solaris. [David]
o When an NSE script changes the state of a port (e.g. from
open|filtered to open), the --reason flag is now changed to
"script-set". Also, the port state reason is now available to NSE
scripts through a "reason" element in the port-table. Thanks to
Matthew Boyle for the patch.
o When version detection changes the state of a port, the reason field
is now updated as well (to udp-response or tcp-response as
applicable). Thanks to Thomas Buchanan for the patch.
o Reworded an error message after a woman reported that it was "highly
offensive and sexist". She also noted that "times have changed and
many women now use your software" and "a sexist remark like the one
above should have no place in software." The message was: "TCP/IP
fingerprinting (for OS scan) requires root privileges. Sorry,
dude.". I checked svn blame to call out the insensitive,
chauvinistic jerk who wrote that error message, but it was me :).
o We received a bug report through Debian entitled "Nmap is a
clairvoyant" because when you run it with -v on September 1 1970, it
reports "Happy -27th Birthday to Nmap, may it live to be 73!". We
have decided that clairvoyance is a feature and ignored the report.
o We no longer strip the Nmap binary before installing it, as that was
leading to a runtime error on Mac OS X: "lazy symbol binding failed:
Symbol not found: _luaL_openlib". Unfortunately, the unstripped
Nmap binary can be much larger (e.g. 4MB vs. 800KB) so we are
working on a better fix which allows us to continue stripping the
binary on other platforms.
o Zenmap configuration/customization files renamed from ~/.umit to
~/.zenmap and umit.conf to zenmap.conf, etc. [David]
o Fixed a Zenmap bug where if you try to edit a profile and then
click cancel, that profile ends up deleted. [Luis A. Bastiao]
o The NSE shortport rules now allow for multiple matching states
(e.g. open or open|filtered) to be specified. This silently failed
before. [Eddie]
o Regenerate configure scripts with Autoconf 2.61 and update
config.guess and config.sub files with the latest versions from
http://cvs.savannah.gnu.org/viewvc/config/?root=config . [David]
4.23RC1 [2007-11-10]
o NmapFE is now gone. It had a good run as the default Nmap GUI
for more than 8 years (since April 1999). But after two years of
development, Zenmap is ready to take its place. Zenmap is portable
and provides a much better interface to executing and (especially)
viewing and analyzing Nmap results. David did the honors of
removing NmapFE.
o We have lost another old friend as well: 1st generation OS
detection system. Nmap revolutionized OS detection when this was
released in October 1998 and it served us well for more than 9 years
as the database grew to 1,684 fingerprints. But the 2nd generation
system incorporates everything we learned during all those years and
has proven itself even more effective. I couldn't bear to kill this
myself, so David did the dirty work.
o There is no longer any artificial limit on the number of ports or
protocols that can be used for host discovery. Port lists for ping
scan now use the same syntax as the -p option except that T:, U:,
and P: are not allowed. This means that you can do
nmap -PS1-1000 target
nmap -PAhttp,https target
nmap -PU'[-]' target
[David]
o Zenmap is now available packaged in RPM format. Since Zenmap is
written in Python, we no longer have to have separate x86 and x86_64
versions like we did with NmapFE (and like we still do with
Nmap). [David]
o Fixed a crash (assertion failure) which could occur during ARP Ping
scan [Kris]
o Fixed Zenmap so that it can handle asterisks in the command line
(e.g. "nmap 192.168.*.*" or "nmap -phttp* localhost") [David]
o Change the Zenmap bug report dialogue to now give instructions for
reporting issues to nmap-dev. [David]
o Modified higwidgets/higdialogs.py for compatibility with old
versions of PyGTK. [David]
o Updated IANA assignment IP list for random IP (-iR)
generation. [Kris]
o Fixed a number of spelling errors in the Reference Guide (man page)
[Doug]
4.22SOC8 [2007-10-28]
o Removed the old massping() system, since the functionality has now
been migrated into the existing ultra_scan() system (which is used
for port scanning too). Thanks to David for doing the migration,
which involved a lot of work and testing. The new system is
frequently faster and more accurate than massping(), and some of the
new algorithms benefit port scans too.
o Renamed Umit to Zenmap to reduce confusion between the version we
ship with Nmap as the integrated GUI and the version maintained
separately at umit.sourceforge.net. We are excited about Zenmap and
expect to remove NmapFE in the near future
o Integrated all of your Q3 service detection submissions! We have
now surpassed 4500 signatures and are approaching 500 service
protocols. Wow! Thanks to Doug for doing the integration. His
notes on the crazy and interesting services discovered this quarter
are at http://hcsw.org/blog.pl/31 .
o Added a new ping type: IPProto Ping. Use -PO (that is the letter O
as in prOtOcOl, not a zero). This is similar to protocol scan (-sO)
in that it sends IP headers with different protocols in the hope of
eliciting a response from targets. The default is to send with
protocols 1 (ICMP), 2 (IGMP), and 4 (IP-in-IP tunnel), but you can
specify different protocol numbers on the command line the same way
you specify TCP/UDP ports to -PS or -PU. To reduce confusion, we now
recommend that -PN be used when you don't want pings done rather
than using the old -P0 (zero). [Kris]
o The SMTPcommands.nse script was updated to support the HELP query in
addition to EHLO [Jason DePriest]
o Added --ttl support for connect() scans (-sT). [Kris]
o Combine the Zenmap setup scripts into one portable setup.py rather
than having separate versions for Windows, Unix, and Mac OS X.
o Removed a bunch of unnecessary/incomplete code and data files from
Zenmap. [ David]
o In Nbase, switched from GNU's getopt() replacement functions to
Ben Sittler's BSD-licensed (but GNU compatible) functions. [Kris]
o Include nmap.h in portreasons.h. This fixes a compilation problem
reported on OpenBSD. [David]
o Change PCRE from an NSELib module back to statically linked code due
to OpenBSD compilation problems. See
http://seclists.org/nmap-dev/2007/q4/0085.html [David]
o Fix a problem with --reason printing the wrong host discovery
reasons when ICMP destination unreachable packets arrived. [Kris]
o Nmap has better dependency tracking now such that it no longer
builds the executable every time you type 'make'. This was causing
problems where 'make; sudo make install' would create a root-owned
nmap executable because it was rebuilt as part of 'make
install'. [David]
4.22SOC7 [2007-10-11]
o Integrated all of your OS detection new fingerprint submissions and
correction reports. The grew more DB more than 18% to 825
fingerprints. Keep those submissions coming! [David]
o Made a number of significant improvements to host discovery
algorithms for better performance and reliability. [David]
o Fixed a bug which prevented the first OS detection guess from being
included in XML output. This only applies when no exact matches
were found. Thanks to Martyn Tovey of Netcraft for reporting the
problem and helping to track it down in the code.
o Improve the script scan scheduling system to prevent the system from
running out of sockets by executing too many scripts concurrently
during large scans. Thanks to Brandon Enright for finding the bug
and Stoiko for fixing it.
o Added nmap.verbosity() and nmap.debugging() functions for scripts to
determine the Nmap verbosity/debugging level. [Kris]
o Fixed a crash (assertion error) which occurred when the first hop of
the first system (reference trace) times out. [Eddie]
o UMIT no longer rewrites a bunch of script files to replace variables
such as VERSION and REVISION in the SVN working directory. [David,
Adriano]
o UMIT icon loading code simplified and made platform
independent. [David]
o Removed PIL dependency from UMIT package generation system. We now
use GTK to put the version number in the splash screen. [Adriano]
o UMIT no longer crashes just because documentation files are
missing. [Adriano]
o Removed unnecessary recent_scans.txt and target_list.txt files from
UMIT. Some unnecessary copies of Nmap data files were removed as
well. [David, Adriano]
o Updated the *.dmp preprocessed Nmap data files used by UMIT, and
also updated the scripts used to create them. [David]
o WinPcap installer was updated so that on Windows Vista it uses a
different Packet.dll and omits WanPacket.dll. [Eddie]
o Unix installation now places NSELib dynamic libraries in 'libexec'
rather than 'share' directories, since they are architecture
dependent. Thanks to Christoph J. Thompson for the patch.
o Fix bug related to users providing custom libpcre location to
configure (reported by Daniel Johnson, fixed by Stoiko). A patch
from Marek Majkowski which caps the number of sockets opened by NSE
scripts was also applied.
o The UMIT version number is automatically updated to be the same as
the Nmap version number rather than always being 0.9.4. [David]
o UMIT now sorts port numbers numerically rather than alphabetically
[Adriano]
o Three UMIT data files (options.xml, profile_editor.xml, and
wizard.xml) are installed in the shared UMIT data directory
(e.g. /usr/share/umit/misc) rather than in every user's ~/.umit
directory. [David]
o Added HTTPtrace demo NSE script by Kris, who also updated his
HTTPpasswd script.
o A bunch of capitalization/spelling canonicalization changes were
made to Nmap output. For example: ftp to FTP and idlescan to
idle scan.
o Made some improvements to the nmap.xsl stylesheet for converting
Nmap XML results to HTML reports. It now does a better job at
removing empty sections and headers. Thanks to Henrik Lund Kramshoej
for the patch.
o Updated nmap-mac-prefixes with the latest IEEE data.
o Disabled auto-generation of libpcre/pcre_chartables.c because that
was useless for our purposes and could also cause some version
control related problems. [David]
o Updated IANA assignment IP list for random IP (-iR)
generation. [Kris]
4.22SOC6 [2007-8-29]
o Included David's major massping migration project. The same
underlying engine is now uses for ping scanning as for port
scanning. We hope this will lead to better performance and
accuracy, as well as helping to de-bloat Nmap. Please test it out
and report your results to nmap-dev! For more details, see
http://seclists.org/nmap-dev/2007/q3/0277.html
o Fixed UMIT bug which occurred when installing to a non-standard
directory (e.g. a home directory). This caused Python to not be able
to find the necessary files. [Kris]
o Added an NSE script (HTTPpasswd.nse) for finding directory traversal
problems and /etc/password files on web servers. [Kris]
o Fixed an error related to version scans against SSL services on
UNIX. The error said "nsock_connect_ssl called - but nsock was
built w/o SSL support. QUITTING". Thanks to Jason DePriest for
tracking down the problem and David Fifield for fixing it.
o Removed win_dependencies cruft from UMIT directory. [Kris]
o Upgraded Libpcap from version 0.9.4 to 0.9.7 [Kris]
o Removed the effectively empty XML elements for traceroute hops which
timed out. [Eddie]
o Fixed (I hope) a problem with running Nmap on Mac OS X machines with
VMWare Fusion running. The error message started with:
"getinterfaces: Failed to open ethernet interface (vmnet8). A
possible cause on BSD operating systems is running out of BPF
devices ...." For more details, see
http://seclists.org/nmap-dev/2007/q3/0254.html.
o Check that --script arguments are reasonable when Nmap starts rather
than potentially waiting for a bunch of port scanning to finish
first. [Stoiko]
o Fixed (we hope) a UMIT problem which resulted in the error message:
"NameError: global name 'S_IRUSR' is not defined". [Adriano]
o Removed an error message which used to appear when you quit UMIT on
Windows. The message used to say "Errors occurred - See the logfile
[filename] for details." [Adriano]
o Fix permissions on files installed by Umit so that it should work
even if you do 'make install' from an account with a 077 umask.
o Add a feature to Umit that lets you search your unsaved
scans. [Eddie]
o Added back a previously removed feature which allows you to specify
'rnd' as one of your decoys (-D option) to let Nmap choose a random
IP. You also use a format such as rnd:5 to generate five random
decoys. [Kris]
o Reference guide (man page) updates to the NSE section, and some
general cleanup.
o When Nmap finishes, it now says "Nmap done" rather than "Nmap run
completed". No need to waste pixels on excess verbiage.
4.22SOC5 [2007-8-18]
o The Windows installer should actually install UMIT properly now.
o Remove umit.db from the installation process. Let Umit create a new
one on its own when needed.
o Fixed the UMIT portion of the Windows installer build system to
detect certain heinous errors (like not being able to find Python)
and bail out. [Kris]
o Prevent scripts directory from containing .svn cruft when using the
Win32 installer (thanks to David Fifield for the patch).
4.22SOC3 [2007-8-16]
o Umit is now included in the Nmap Windows executable installer.
Please give it a try and let us know what you think! Kris put a lot
of work into getting this set up.
o Added four new NSE scripts: HTTP proxy detection (Arturo 'Buanzo'
Busleiman), DNS zone transfer attempt (Eddie), detecting SQL
injection vulnerabilities on web sites (Eddie), and fetching and
displaying portions of /robots.txt from web servers (Eddie).
o All of your 2nd Quarter 2007 Nmap version detection fingerprints
were integrated by Doug. The DB now contains 4,347 signatures for
439 service protocols. Doug describes the highlights (craziest
services found) in his integration report at
http://hcsw.org/blog.pl/29 .
o NSE now supports raw IP packet sending and receiving thanks to a
patch from Marek Majkowski. Diman handled testing and applied the
patch.
o Nmap now has Snprintf() and Vsnprintf() as safer alternatives to the
standard version. The problem is that the Windows version of these
functions (_snprintf, _vsnprintf) doesn't properly terminate strings
when it has to truncate them. These wrappers ensure that the string
written is always truncated. Thanks to Kris for doing the work.
o Upgraded libpcre from version 6.7 to 7.2 [Kris]
o Merged various Umit bug fixes from SourceForge trunk: "missing import
webbrowser on umit", "Missing markup in 'OS Class' on
HostDetailsPage", "some command line options are now working
(target, profile, verbose, open result file and run an nmap
command)", "removing unused functions import from os.path",
"verbosity works on command line"
o Eddie fixed several Umit bugs. Umit now sets the file save
extension to .usr unless the user specifies something else. The
details highlight regular expression was improved and an error message was added
when no target was specified and -iR and -iL aren't used.
o reason.cc/reason.h renamed to portreasons.cc/.h because a reason.h
in the Windows platform SDK was causing conflicts. [Kris]
o Fixed a bug in --iflist which would lead to crashes. Thanks to
Michael Lawler for the report, and Eddie for the fix.
o Finished updating WinPcap to 4.01 (a few static libraries were
missed) [ Eddie ]
o Added NSE support for buffered data reads. [Stoiko]
o Added new --script-args option for passing arguments to NSE scripts
[Stoiko]
o Performed a bunch of OS fingerprint text canonicalization thanks to
reports of dozens of capitalization inconsistencies from Suicidal Bob.
o Fixed an assertion failure which could be experienced when script
scan was requested without also requesting version scan. [Stoiko]
o Fixed an output bug on systems like Windows which return -1 when
vsnprintf is passed a too-small buffer rather than returning the
size needed. Thanks to jah (jah(a)zadkiel.plus.com) for the report.
o Added sys/types.h include to portreasons.h to help OpenBSD compilation.
Thanks to Olivier Meyer for the patch.
o Many hard coded function names and instances of __FUNCTION__ were
changed to __func__ [Kris]
o Configure scripts for Nmap, Nbase, and Nsock were optimized to
remove redundant checks. This improves compilation time
performance. [Eddie]
o Updated IANA assignment IP list for random IP (-iR)
generation. [Kris]
4.22SOC2 [2007-7-11]
o NSE compilation fixes by Stoiko and Kris
4.22SOC1 [2007-7-8]
o The UMIT graphical Nmap frontend is now included (as an ALPHA TEST
release) with the Nmap tarball distribution. It isn't yet in the
RPMs or the Windows distributions. UMIT is written with Python/GTK
and has many huge advantages over NmapFE. It installs from the Nmap
source tarballs as part of the "make install" process unless you
specify --without-umit to configure. Please give UMIT a try (the
executable is named umit) and let us know the results! We hope to
include UMIT in the Windows Nmap distributions soon.
o Added more Nmap Scripting Engine scripts, bringing the total to 31.
The new ones are bruteTelnet (Eddie Bell), SMTPcommands (Jason
DePriest), iax2Detect (Jason), nbstat (Brandon Enright),
SNMPsysdescr (Thomas Buchanan), HTTPAuth (Thomas), finger (Eddie),
ircServerInfo (Doug Hoyte), and MSSQLm (Thomas Buchanan).
o Added the --reason option which explains WHY Nmap assigned a port
status. For example, a port could be listed as "filtered" because
no response was received, or because an ICMP network unreachable
message was received. [ Eddie ]
o Integrated all of your 2nd generation OS detection submissions,
increasing the database size by 68% since 4.21ALPHA4 to 699
fingerprints. The 2nd generation database is now nearly half (42%)
the size of the original. Please keep those submissions coming so
that we can do another integration round before the SoC program ends
on August 20! Thanks to David Fifield for doing most of the
integration work!
o Integrated version detection submissions. The database has grown by
more than 350 signatures since 4.21ALPHA4. Nmap now has 4,236
signatures for 432 service protocols. As usual, Doug Hoyte deserves
credit for the integration marathon, which he describes at
http://hcsw.org/blog.pl .
o Added the NSE library (NSELib) which is a library of useful
functions (which can be implemented in LUA or as loadable C/C++
modules) for use by NSE scripts. We already have libraries for bit
operations (bit), list operations (listop), URL fetching and
manipulation (url), activation rules (shortport), and miscellaneous
commonly useful functions (stdnse). Stoiko added the underlying
functionality, though numerous people contributed to the library
routines.
o Added --servicedb and --versiondb command-line options which allow
you to specify a custom Nmap services (port to port number translation
and port frequency) file or version detection database. [ David
Fifield ]
o The build dependencies were dramatically reduced by removing
unnecessary header includes and moving header includes from .h
files to .cc as well as adding some forward declarations. This
reduced the number of makefile.dep dependencies from 1469 to 605.
This should make Nmap compilation faster and prevent some
portability problems. [David Fifield]
o Upgraded from WinPcap 3.1 to WinPcap 4.01 and fixed a WinPcap installer
error. [Eddie]
o In verbose mode, Nmap now reports where it obtains data files (such as
nmap-services) from. [David Fifield]
o Canonicalized a bunch of OS classes, device types, etc. in the OS
detection and version scanning databases so they are named
consistently. [Doug]
o If we get a ICMP Protocol Unreachable from a host other than our
target during a port scan, we set the state to 'filtered' rather than
'closed'. This is consistent with how port unreachable errors work for
udp scan. [Kris]
o Relocated OSScan warning message (could not find 1 closed and 1 open
port). Now output.cc prints the warning along with a targets OSScan
results. [Eddie]
o Fixed a bug which caused port 0 to be improperly used for gen1 OS
detection in some cases when your scan includes port 0 (it isn't
included by default). Thanks to Sebastian Wolfgarten for the report
and Kris Katterjohn for the fix.
o The --iflist table now provides WinPcap device names on
Windows. [Eddie]
o The Nmap reference guide (man page) DocBook XML source is now in the
SVN repository at svn://svn.insecure.org/nmap/docs/refguide.xml .
o NSE now has garbage collection so that if you forget to close a
socket before exiting a script, it is closed for you. [Stoiko]
o The [portused] tag in XML output now provides the open TCP port used
for OS detection as well as the closed TCP and UDP ports which were
reported previously. [Kris]
o XML output now has a [times] tag for reporting final time
information which was already printed in normal output in verbose
mode (round trip time, rtt variance, timeout, etc.) [Kris]
o Changed the XML output format so that the [extrareasons] tag (part
of Eddie's --reason patch) falls within the [extraports] tag. [Kris]
o Nmap now provides more concise OS fingerprints for submission thanks
to better merging. [David Fifield]
o A number of changes were made to the Windows build system to handle
version numbers, publisher field, add/remove program support,
etc. [Eddie]
o The Nmap -A option now enables the traceroute option too [Eddie]
o Improved how the Gen1 OS Detection system selects which UDP ports to
send probes to. [Kris]
o Updated nmap-mac-prefixes to latest IEEE data as of 5/18/07. Also
removed some high (greater than 0x80) characters from some company
names because they were causing this error on Windows when Nmap is
compiled in Debug mode:
isctype.c Line 56: Expression: (unsigned)(c + 1) <= 256".
Thanks to Sina Bahram for the initial report and Thomas Buchanan for
tracking down the problem.
o Added a SIP (IP phone) probe from Matt Selsky to nmap-service-probes.
o Fixed a bug which prevented the NSE scripts directory from appearing
in the Win32 .zip version of Nmap.
o Fixed a bug in --traceroute output. It occurred when a traced host could
be fully consolidated, but only the first hop number was outputted. [Kris]
o The new "rnd" option to -D allows you to ask Nmap to generate random
decoy IPs rather having to specify them all yourself. [Kris]
o Fixed a Traceroute bug relating to scanning through the localhost
interface on Windows (which previously caused a crash). Thanks to
Alan Jones for the report and Eddie Bell for the fix.
o Fixed a traceroute bug related to tracing between interfaces of a
multi-homed host. Thanks to David Fifield for reporting the problem
and Eddie Bell for the fix.
o Service detection (-sV) and OS detection (-O) are now (rightfully)
disabled when used with the IPProto Scan (-sO). Using the Service
Scan like this led to premature exiting, and the OS Scan led to gross
inaccuracies. [Kris]
o Updated IANA assignment IP list for random IP (-iR) generation. [Kris]
4.21ALPHA4 [2007-3-20]
o Performed another big OS detection run. The DB has grown almost 10%
to 417 fingerprints. All submissions up to February 6 have been
processed. Please keep them coming!
o Fixed XML output so that the opening [os] tag is printed again. The
line which prints this was somehow removed when NSE was integrated.
Thanks to Joshua Abraham for reporting the problem.
o Fixed a small bug in traceroute progress output which didn't
properly indicate completion. [Kris]
o Fixed a portability problem related to the new traceroute
functionality so that it compiles on Mac OS X. Thanks to Christophe
Thil for reporting the problem and sending the 1-line fix.
o Updated nmap-mac-prefixes to include the latest MAC prefix (OUI)
data from the IEEE as of March 20, 2007.
4.21ALPHA3 [2007-3-16]
o Just fixed a packaging problem with the 4.21ALPHA2 release (thanks
to Alan Jones for reporting it).
4.21ALPHA2 [2007-3-15]
o Performed a huge OS detection submission integration marathon. More
than 500 submissions were processed, increasing the 2nd generation
OS DB size 65% to 381 fingerprints. And many of the existing ones
were improved. We still have a bit more than 500 submissions (sent
after January 16) to process. Please keep those submissions coming!
o Integrated all of your Q32006 service fingerprint submissions. The
nmap-service-probe DB grew from 3,671 signatures representing 415
service protocols to 3,877 signatures representing 426 services. Big
thanks to version detection czar Doug Hoyte for doing this. Notable
changes are described at http://hcsw.org/blog.pl?a=20&b=20 .
o Nmap now has traceroute support, thanks to an excellent patch by
Eddie Bell. The new system uses Nmap data to determine which sort of
packets are most likely to slip through the target network and
produce useful results. The system is well optimized for speed and
bandwidth efficiency, and the clever output system avoids repeating
the same initial hops for each target system. Enable this
functionality by specifying --traceroute.
o Nmap now has a public Subversion (SVN) source code repository. See
the announcement at http://seclists.org/nmap-dev/2006/q4/0253.html
and then the updated usage instructions at
http://seclists.org/nmap-dev/2006/q4/0281.html .
o Fixed a major accuracy bug in gen1 OS detection (some debugging code
was accidentally left in). Thanks to Richard van den Berg for finding
the problem.
o Changed the IP protocol scan so that it sends proper IGMP headers when
scanning that protocol. This makes it much more likely that the host
will respond, proving that it's "open". [Kris]
o Improved the algorithm for classifying the TCP timestamp frequency
for OS detection. The new algorithm is described at
http://nmap.org/osdetect/osdetect-methods.html#osdetect-ts .
o Fixed the way Nmap detects whether one of its data files (such as
nmap-services) exists and has permissions which allow it to be read.
o Added a bunch of nmap-services port listings from Stephanie Wen.
o Update IANA assignment IP list for random IP (-iR) generation.
Thanks to Kris Katterjohn for the patch.
o Fix nmap.xsl (the transform for rendering Nmap XML results as HTML)
to fix some bugs related to OS detection output. Thanks to Tom
Sellers for the patch.
o Fixed a bug which prevented the --without-liblua compilation option
from working. Thanks to Kris Katterjohn for the patch.
o Fixed a bug which caused nmap --iflist to crash (and might have
caused crashes in other circumstances too). Thanks to Kris
Katterjohn for the report and Diman Todorov for the fix.
o Applied a bunch of code cleanup patches from Kris Katterjohn.
o Some scan types were fixed when used against localhost. The UDP Scan
doesn't find it's own port, the TCP Scan won't print a message (with -d)
about an unexpected packet (for the same reason), and the IPProto Scan
won't list every port as "open" when using --data-length >= 8. [Kris]
o The IPProto Scan should be more accurate when scanning protocol 17 (UDP).
ICMP Port Unreachables are now checked for, and UDP is listed as "open"
if it receives one rather than "open|filtered" or "filtered". [Kris]
o The --scanflags option now also accepts "ECE", "CWR", "ALL" and "NONE" as
arguments. [Kris]
o The --packet-trace option was added to NmapFE. The Ordered Ports (-r)
option in now available to non-root users on NmapFE as well. [Kris]
4.21ALPHA1 [2006-12-10]
o Integrated the Nmap Scripting Engine (NSE) into mainline Nmap.
Diman Todorov and I have been working on this for more than six months, and
we hope it will expand Nmap's capabilities in many cool ways. We're
accepting (and writing) general purpose scripts to put into Nmap
proper, and you can also write personal scripts to deal with issues
specific to your environment. The system is documented at
http://nmap.org/nse/ .
o Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE
(http://standards.ieee.org/regauth/oui/oui.txt) as of December 7.
4.20 [2006-12-7]
o Integrated the latest OS fingerprint submissions. The 2nd
generation DB size has grown to 231 fingerprints. Please keep them
coming! New fingerprints include Mac OS X Server 10.5 pre-release,
NetBSD 4.99.4, Windows NT, and much more.
o Fixed a segmentation fault in the new OS detection system
which was reported by Craig Humphrey and Sebastian Garcia.
o Fixed a TCP sequence prediction difficulty indicator bug. The index
is supposed to go from 0 ("trivial joke") to about 260 (OpenBSD).
But some systems generated ISNs so insecurely that Nmap went
berserk and reported a negative difficulty index. This generally
only affects some printers, crappy cable modems, and Microsoft
Windows (old versions). Thanks to Sebastian Garcia for helping me
track down the problem.
4.20RC2 [2006-12-2]
o Integrated all of your OS detection submissions since RC1. The DB
has increased 13% to 214 fingerprints. Please keep them coming!
New fingerprints include versions of z/OS, OpenBSD, Linux, AIX,
FreeBSD, Cisco CatOS, IPSO firewall, and a slew of printers and
misc. devices. We also got our first Windows 95 fingerprint,
submitted anonymously of course :).
o Fixed (I hope) the "getinterfaces: intf_loop() failed" error which
was seen on Windows Vista. The problem was apparently in
intf-win32.c of libdnet (need to define MIB_IF_TYPE_MAX to
MAX_IF_TYPE rather than 32). Thanks to Dan Griffin
(dan(a)jwsecure.com) for tracking this down!
o Applied a couple minor bug fixes for IP options
support and packet tracing. Thanks to Michal Luczaj
(regenrecht(a)o2.pl) for reporting them.
o Incorporated SLNP (Simple Library Network Protocol) version
detection support. Thanks to Tibor Csogor (tibi(a)tiborius.net) for
the patch.
4.20RC1 [2006-11-20]
o Fixed (I hope) a bug related to Pcap capture on Mac OS X. Thanks to
Christophe Thil for reporting the problem and to Kurt Grutzmacher
and Diman Todorov for helping to track it down.
o Integrated all of your OS detection submissions since ALPHA11. The
DB has increased 27% to 189 signatures. Notable additions include
the Apple Airport Express, Windows Vista RC1, OpenBSD 4.0, a Sony
TiVo device, and tons of broadband routers, printers, switches, and
Linux kernels. Keep those submissions coming!
o Upgraded the included LibPCRE from version 6.4 to 6.7. Thanks to
Jochen Voss (voss(a)seehuhn.de) for the suggestion (he found some bugs
in 6.4)
4.20ALPHA11 [2006-11-2]
o Integrated all of your OS detection submissions, bringing the
database up to 149 fingerprints. This is an increase of 28% from
ALPHA10. Notable additions include FreeBSD 6.1, a bunch of HP
LaserJet printers, and HP-UX 11.11. We also got a bunch of more
obscure submissions like Minix 3.1.2a and "Ember InSight Adapter for
programming EM2XX-family embedded devices". Who doesn't have a few
of those laying around? I'm hoping that all the obscure submissions
mean that more of the mainstream systems are being detected out of
the box! Please keep those submissions (obscure or otherwise)
coming!
4.20ALPHA10 [2006-10-23]
o Integrated tons of new OS fingerprints. The DB now contains 116
fingerprints, which is up 63% since the previous version. Please keep
the submissions coming!
4.20ALPHA9 [2006-10-13]
o Integrated the newly submitted OS fingerprints. The DB now contains
71 fingerprints, up 27% from 56 in ALPHA8. Please keep them coming!
We still only have 4.2% as many fingerprints as the gen1 database.
o Added the --open option, which causes Nmap to show only open ports.
Ports in the states "open|closed" and "unfiltered" might be open, so
those are shown unless the host has an overwhelming number of them.
o Nmap gen2 OS detection used to always do 2 retries if it fails to
find a match. Now it normally does just 1 retry, but does 4 retries
if conditions are good enough to warrant fingerprint submission.
This should speed things up on average. A new --max-os-tries option
lets you specify a higher lower maximum number of tries.
o Added --unprivileged option, which is the opposite of --privileged.
It tells Nmap to treat the user as lacking network raw socket and
sniffing privileges. This is useful for testing, debugging, or when
the raw network functionality of your operating system is somehow
broken.
o Fixed a confusing error message which occurred when you specified a
ping scan or list scan, but also specified -p (which is only used for
port scans). Thanks to Thomas Buchanan for the patch.
o Applied some small cleanup patches from Kris Katterjohn
4.20ALPHA8 [2006-9-30]
o Integrated the newly submitted OS fingerprints. The DB now contains
56, up 33% from 42 in ALPHA7. Please keep them coming! We still only
have 3.33% as many signatures as the gen1 database.
o Nmap 2nd generation OS detection now has a more sophisticated
mechanism for guessing a target OS when there is no exact match in the
database (see http://nmap.org/osdetect/osdetect-guess.html )
o Rewrote mswin32/nmap.rc to remove cruft and hopefully reduce some
MFC-related compilation problems we've seen. Thanks to KX
(kxmail(a)gmail.com) for doing this.
o NmapFE now uses a spin button for verbosity and debugging options so
that you can specify whatever verbosity (-v) or debugging (-d) level
you desire. The --randomize-hosts option was also added to NmapFE.
Thanks to Kris Katterjohn for the patches.
o A dozen or so small patches to Nmap and NmapFE by Kris Katterjohn.
o Removed libpcap/Win32 and libpcap/msdos as Nmap doesn't use them.
This reduces the Nmap tar.bz2 by about 50K. Thanks to Kris Katterjohn
for the suggestion.
4.20ALPHA7 [2006-9-12]
o Did a bunch of Nmap 2nd generation fingerprint integration work.
Thanks to everyone who sent some in, though we still need a lot more.
Also thanks to Zhao for a bunch of help with the integration tools.
4.20ALPHA6 had 12 fingerprints, this new version has 42. The old DB
(still included) has 1,684.
o Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE
(http://standards.ieee.org/regauth/oui/oui.txt) as of September 6, 2006.
Also added the unregistered PearPC virtual NIC prefix, as suggested
by Robert Millan (rmh(a)aybabtu.com).
o Applied some small internal cleanup patches by Kris Katterjohn.
4.20ALPHA6 [2006-9-2]
o Fixed a bug in 2nd generation OS detection which would (usually) prevent
fingerprints from being printed when systems don't respond to the 1st
ICMP echo probe (the one with bogus code value of 9). Thanks to
Brandon Enright for reporting and helping me debug the problem.
o Fixed some problematic Nmap version detection signatures which could
cause warning messages. Thanks to Brandon Enright for the initial patch.
4.20ALPHA5 [2006-8-31]
o Worked with Zhao to improve the new OS detection system with
better algorithms, probe changes, and bug fixes. We're
now ready to start growing the new database! If Nmap gives you
fingerprints, please submit them at the given URL. The DB is still
extremely small. The new system is extensively documented at
http://nmap.org/osdetect/ .
o Nmap now supports IP options with the new --ip-options flag. You
can specify any options in hex, or use "R" (record route), "T"
(record timestamp), "U") (record route & timestamp), "S [route]"
(strict source route), or "L [route]" (loose source route). Specify
--packet-trace to display IP options of responses. For further
information and examples, see http://nmap.org/man/ and
http://seclists.org/nmap-dev/2006/q3/0052.html . Thanks to Marek
Majkowski for writing and sending the patch.
o Integrated all 2nd quarter service detection fingerprint
submissions. Please keep them coming! We now |
Intro
