Thema: Nmap ...

[SiLæncer]

Changelog

Integrated all 12 of your IPv6 OS fingerprint submissions from June to September. No new groups, but several classifications were strengthened, especially Windows localhost and OS X.
Upgraded Npcap, our new Windows packet capturing driver/library, from version to 0.09 to 0.10r2. This includes many bug fixes, with a particular on emphasis on concurrency issues discovered by running hundreds of Nmap instances at a time. More details are available from https://github.com/nmap/npcap/releases.
New service probes and match lines for DTLS, IPMI-RMCP, MQTT, PCWorx, ProConOS, and Tridium Fox
Improved some output filtering to remove or escape carriage returns ('r') that could allow output spoofing by overwriting portions of the screen. Issue reported by Adam Rutherford.
[NSE] Fixed a few bad Lua patterns that could result in denial of service due to excessive backtracking. [Adam Rutherford, Daniel Miller]
Fixed a discrepancy between the number of targets selected with -iR and the number of hosts scanned, resulting in output like "Nmap done: 1033 IP addresses" when the user specified -iR 1000.
Fixed a bug in port specification parsing that could cause extraneous 'T', 'U', 'S', and 'P' characters to be ignored when they should have caused an error. [David Fifield]
[GH#543] Restored compatibility with LibreSSL, which was lost in adding library version checks for OpenSSL 1.1.
[Zenmap] Fixed a bug in the Compare Scans window of Zenmap on OS X resulting in this message instead of Ndiff output:
ImportError: dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so, 2): no suitable image found. Did find:
/Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so: mach-o, but wrong architecture
Reported by Kyle Gustafson.
[NSE] Fixed a bug in ssl-enum-ciphers and ssl-dh-params which caused them to not output TLSv1.2 info with DHE ciphersuites or others involving ServerKeyExchange messages.
[NSE] Added X509v3 extension parsing to NSE's sslcert code. ssl-cert now shows the Subject Alternative Name extension; all extensions are shown in the XML output.
[NSE] Added 7 NSE scripts, from 3 authors, bringing the total up to 541! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
[GH#369] coap-resources grabs the list of available resources from CoAP endpoints. [Mak Kolybabi]
fox-info retrieves detailed version and configuration info from Tridium Niagara Fox services.
ipmi-brute performs authentication brute-forcing on IPMI services. [Claudiu Perta]
ipmi-cipher-zero checks IPMI services for Cipher Zero support, which allows connection without a password.
ipmi-version retrieves protocol version and authentication options from ASF-RMCP (IPMI) services.
a MQTT broker, subscribes to topics, and lists the messages received.
pcworx-info retrieves PLC model, firmware version, and date from Phoenix Contact PLCs.

[close]

http://nmap.org/

[SiLæncer]

Changelog

[Windows] Updated the bundled Npcap from 0.10r2 to 0.10r9, bringing increased stability, bug fixes, and raw 802.11 WiFi capture (unused by Nmap). Further details on these changes can be found at https://github.com/nmap/npcap/releases. [Yang Luo]
Fixed the way Nmap handles scanning names that resolve to the same IP. Due to changes in 7.30, the IP was only being scanned once, with bogus results displayed for the other names. The previous behavior is now restored. [Tudor Emil Coman]
[Nping][GH#559] Fix Nping's ability to use Npcap on Windows. A privilege check was performed too late, so the Npcap loading code assumed the user had no rights. [Yang Luo, Daniel Miller]
[GH#350] Fix an assertion failure due to floating point error in equality comparison, which triggered mainly on OpenBSD:

    assertion "diff <= interval" failed: file "timing.cc", line 440

This was reported earlier as [GH#472] but the assertion fixed there was a different one. [David Carlier]
[Zenmap] Fix a crash in the About page in the Spanish translation due to a missing format specifier:

    File "zenmapGUI\About.pyo", line 217, in __init__
    TypeError: not all arguments converted during string formatting

[Daniel Miller]
[Zenmap][GH#556] Better visual indication that display of hostname is tied to address in the Topology page. You can show numeric addresses with hostnames or without, but you can't show hostnames without numeric addresses when they are not available. [Daniel Miller]
To increase the number of IPv6 fingerprint submissions, a prompt for submission will be shown with some random chance for successful matches of OS classes that are based on only a few submissions. Previously, only unsuccessful matches produced such a prompt. [Daniel Miller]

[close]

http://nmap.org/

[SiLæncer]

Changelog

[Windows] Updated the bundled Npcap from 0.10r9 to 0.78r5, with an improved installer experience, driver signing updates to work with Windows 10 build 1607, and bugfixes for WiFi connectivity problems. [Yang Luo, Daniel Miller]
Integrated all of your IPv4 OS fingerprint submissions from April to September (568 of them). Added 149 fingerprints, bringing the new total to 5,336. Additions include Linux 4.6, macOS 10.12 Sierra, NetBSD 7.0, and more. Highlights: http://seclists.org/nmap-dev/2016/q4/110 [Daniel Miller]
Integrated all of your service/version detection fingerprints submitted from April to September (779 of them). The signature count went up 3.1% to 11,095. We now detect 1161 protocols, from airserv-ng, domaintime, and mep to nutcracker, rhpp, and usher. Highlights: http://seclists.org/nmap-dev/2016/q4/115 [Daniel Miller]
Fix reverse DNS on Windows which was failing with the message "mass_dns: warning: Unable to determine any DNS servers." This was because the interface GUID comparison needed to be case-insensitive. [Robert Croteau]

[NSE] Added 12 NSE scripts from 4 authors, bringing the total up to 552! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:

cics-enum enumerates CICS transaction IDs, mapping to screens in TN3270 services. [Soldier of Fortran]
cics-user-enum brute-forces usernames for CICS users on TN3270 services. [Soldier of Fortran]
fingerprint-strings will print the ASCII strings it finds in the service fingerprints that Nmap shows for unidentified services. [Daniel Miller]
[GH#606] ip-geolocation-map-bing renders IP geolocation data as an image via Bing Maps API. [Mak Kolybabi]
[GH#606] ip-geolocation-map-google renders IP geolocation data as an image via Google Maps API. [Mak Kolybabi]
[GH#606] ip-geolocation-map-kml records IP geolocation data in a KML file for import into other mapping software [Mak Kolybabi]
nje-pass-brute brute-forces the password to a NJE node, given a valid RHOST and OHOST. Helpfully, nje-node-brute can now brute force both of those values. [Soldier of Fortran]
[GH#557] ssl-cert-intaddr will search for private IP addresses in TLS certificate fields and extensions. [Steve Benson]
tn3270-screen shows the login screen from mainframe TN3270 Telnet services, including any hidden fields. The script is accompanied by the new tn3270 library. [Soldier of Fortran]
tso-enum enumerates usernames for TN3270 Telnet services. [Soldier of Fortran]
tso-brute brute-forces passwords for TN3270 Telnet services. [Soldier of Fortran]
vtam-enum brute-forces VTAM application IDs for TN3270 services. [Soldier of Fortran]
[NSE][GH#518] Brute scripts are faster and more accurate. New feedback and adaptivity mechanisms in brute.lua help brute scripts use resources more efficiently, dynamically changing number of threads based on protocol messages like FTP 421 errors, network errors like timeouts, etc. [Sergey Khegay]
[GH#353] New option --defeat-icmp-ratelimit dramatically reduces UDP scan times in exchange for labeling unresponsive (and possibly open) ports as "closed|filtered". Ports which give a UDP protocol response to one of Nmap's scanning payloads will be marked "open". [Sergey Khegay]
[NSE][GH#533] Removed ssl-google-cert-catalog, since Google shut off that service at some point. Reported by Brian Morin.
[NSE][GH#606] New NSE library, geoip.lua, provides a common framework for storing and retrieving IP geolocation results. [Mak Kolybabi]
[Ncat] Restore the connection success message that Ncat prints with -v. This was accidentally suppressed when not using -z.
[GH#316] Added scan resume from Nmap's XML output. Now you can --resume a canceled scan from all 3 major output formats: -oN, -oG, and -oX. [Tudor Emil Coman]
[Ndiff][GH#591] Fix a bug where hosts with the same IP but different hostnames were shown as changing hostnames between scans. Made sort stable with regard to hostnames. [Daniel Miller]
[NSE][GH#540] Add tls.servername script-arg for forcing a name to be used for TLS Server Name Indication extension. The argument overrides the default use of the host's targetname. [Bertrand Bonnefoy-Claudet]
[GH#505] Updated Russian translation of Zenmap by Alexander Kozlov.
[NSE][GH#588] Fix a crash in smb.lua when using smb-ls due to a floating-point number being passed to os.time ("bad argument"). [Dallas Winger]
[NSE][GH#596] Fix a bug in mysql.lua that caused authentication failures in mysql-brute and other scripts due to including a null terminator in the salt value. This bug affects Nmap 7.25BETA2 and later releases. [Daniel Miller]
The --open option now implies --defeat-rst-ratelimit. This may result in inaccuracies in the numbers of "Not shown:" closed and filtered ports, but only in situations where it also speeds up scan times. [Daniel Miller]
[NSE] Added known Diffie-Hellman parameters for haproxy, postfix, and IronPort to ssl-dh-params. [Frank Bergmann]
Added service probe for ClamAV servers (clam), an open source antivirus engine used in mail scanning. [Paulino Calderon]
Added service probe and UDP payload for Quick UDP Internet Connection (QUIC), a secure transport developed by Google and used with HTTP/2. [Daniel Miller]
[NSE] Enabled resolveall to run against any target provided as a hostname, so the resolveall.hosts script-arg is no longer required. [Daniel Miller]

[NSE] Revised script http-default-accounts in several ways [nnposter]:

Added 21 new fingerprints, plus broadened 5 to cover more variants.
[GH#577] It can now can test systems that return status 200 for non-existent pages.
[GH#604] Implemented XML output. Layout of the classic text output has also changed, including reporting blank usernames or passwords as "", instead of just empty strings.
Added CPE entries to individual fingerprints (where known). They are reported only in the XML output.
[NSE][GH#573] Updated http.lua to allow processing of HTTP responses with malformed header names. Such header lines are still captured in the rawheader list but skipped otherwise. [nnposter]
[GH#416] New service probe and match line for iperf3. [Eric Gershman]
[NSE][GH#555] Add Drupal to the set of web apps brute forced by http-form-brute. [Nima Ghotbi]

[close]

http://nmap.org/

[SiLæncer]

Changelog

[Windows] Updated the bundled Npcap from 0.78 to 0.91, with several bugfixes for WiFi connectivity problems and stability issues. [Daniel Miller, Yang Luo]
Integrated all of your service/version detection fingerprints submitted from September to March (855 of them). The signature count went up 2.9% to 11,418. We now detect 1193 protocols from apachemq, bro, and clickhouse to jmon, slmp, and zookeeper. Highlights: http://seclists.org/nmap-dev/2017/q2/140
[NSE] Added 14 NSE scripts from 12 authors, bringing the total up to 566! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:

    [GH#743] broadcast-ospf2-discover discovers OSPF 2 routers and neighbors. OSPFv2 authentication is supported. [Emiliano Ticci]
    [GH#671] cics-info checks IBM TN3270 services for CICS transaction services and extracts useful information. [Soldier of Fortran]
    [GH#671] cics-user-brute does brute-force enumeration of CICS usernames on IBM TN3270 services. [Soldier of Fortran]
    [GH#669] http-cookie-flags checks HTTP session cookies for HTTPOnly and Secure flags. [Steve Benson]
    http-security-headers checks for the HTTP response headers related to security given in OWASP Secure Headers Project, giving a brief description of the header and its configuration value. [Vinamra Bhatia, Ícaro Torres]
    [GH#740][GH#759] http-vuln-cve2017-5638 checks for the RCE bug in Apache Struts2. [Seth Jackson]
    [GH#876] http-vuln-cve2017-5689 detects a privilege escalation vulnerability (INTEL-SA-00075) in Intel Active Management Technology (AMT) capable systems. [Andrew Orr]
    http-vuln-cve2017-1001000 detects a privilege escalation vulnerability in Wordpress 4.7.0 and 4.7.1 (CVE-2017-1001000) [Vinamra Bhatia]
    [GH#713] impress-remote-discover attempts to pair with the LibreOffice Impress presentation remote service and extract version info. Pairing is PIN-protected, and the script can optionally brute-force the PIN. New service probe and match line also added. [Jeremy Hiebert]
    [GH#854] smb-double-pulsar-backdoor detects the Shadow Brokers-leaked Double Pulsar backdoor in Windows SMB servers. [Andrew Orr]
    smb-vuln-cve-2017-7494 detects a remote code execution vulnerability affecting Samba versions 3.5.0 and greater with writable shares. [Wong Wai Tuck]
    smb-vuln-ms17-010 detects a critical remote code execution vulnerability affecting SMBv1 servers in Microsoft Windows systems (ms17-010). The script also reports patched systems. [Paulino Calderon]
    [GH#686] tls-ticketbleed checks for the Ticketbleed vulnerability (CVE-2016-9244) in F5 BIG-IP appliances. [Mak Kolybabi]
    vmware-version queries VMWare SOAP API for version and product information. Submitted in 2011, this was mistakenly turned into a service probe that was unable to elicit any matches. [Aleksey Tyurin]

[Ncat] A series of changes and fixes based on feedback from the Red Hat community:

    [GH#157] Ncat will now continue trying to connect to each resolved address for a hostname before declaring the connection refused, allowing it to fallback from IPv6 to IPv4 or to connect to names that use DNS failover. [Jaromir Koncicky, Michal Hlavinka]
    The --no-shutdown option now also works in connect mode, not only in listen mode.
    Made -i/--idle-timeout not cause Ncat in server mode to close while waiting for an initial connection. This was also causing -i to interfere with the HTTP proxy server mode. [Carlos Manso, Daniel Miller]
    [GH#773] Ncat in server mode properly handles TLS renegotiations and other situations where SSL_read returns a non-fatal error. This was causing SSL-over-TCP connections to be dropped. [Daniel Miller]
    Enable --ssl-ciphers to be used with Ncat in client mode, not only in server (listen) mode. [Daniel Miller]

[NSE][GH#266][GH#704][GH#238][GH#883] NSE libraries smb and msrpc now use fully qualified paths. SMB scripts now work against all modern versions of Microsoft Windows. [Paulino Calderon]
[NSE] smb library's share_get_list now properly uses anonymous connections first before falling back authenticating as a known user.
New service probes and matches for Apache HBase and Hadoop MapReduce. [Paulino Calderon]
Extended Memcached service probe and added match for Apache ZooKeeper. [Paulino Calderon]
[NSE] New script argument "vulns.short" will reduce vulns library script output to a single line containing the target name or IP, the vulnerability state, and the CVE ID or title of the vulnerability. [Daniel Miller]
[NSE][GH#862] SNMP scripts will now take a community string provided like `--script-args creds.snmp=private`, which previously did not work because it was interpreted as a username. [Daniel Miller]
[NSE] Resolved several issues in the default HTTP redirect rules:

    [GH#826] A redirect is now cancelled if the original URL contains embedded credentials
    [GH#829] A redirect test is now more careful in determining whether a redirect destination is related to the original host
    [GH#830] A redirect is now more strict in avoiding possible redirect loops

[nnposter]
[NSE][GH#766] The HTTP Host header will now include the port unless it is the default one for a given scheme. [nnposter]
[NSE] The HTTP response object has a new member, fragment, which contains a partially received body (if any) when the overall request fails to complete. [nnposter]
[NSE][GH#866] NSE now allows cookies to have arbitrary attributes, which are silently ignored (in accordance with RFC 6265). Unrecognized attributes were previously causing HTTP requests with such cookies to fail. [nnposter]
[NSE][GH#844] NSE now correctly parses a Set-Cookie header that has unquoted whitespace in the cookie value (which is allowed per RFC 6265). [nnposter]
[NSE][GH#731] NSE is now able to process HTTP responses with a Set-Cookie header that has an extraneous trailing semicolon. [nnposter]
[NSE][GH#708] TLS SNI now works correctly for NSE HTTP requests initiated with option any_af. As an added benefit, option any_af is now available for all connections via comm.lua, not just HTTP requests. [nnposter]
[NSE][GH#781] There is a new common function, url.get_default_port(), to obtain the default port number for a given scheme. [nnposter]
[NSE][GH#833] Function url.parse() now returns the port part as a number, not a string. [nnposter]
No longer allow ICMP Time Exceeded messages to mark a host as down during host discovery. Running traceroute at the same time as Nmap was causing interference. [David Fifield]
[NSE][GH#807] Fixed a JSON library issue that was causing long integers to be expressed in the scientific/exponent notation. [nnposter]
[NSE] Fixed several potential hangs in NSE scripts that used receive_buf(pattern), which will not return if the service continues to send data that does not match pattern. A new function in match.lua, pattern_limit, is introduced to limit the number of bytes consumed while searching for the pattern. [Daniel Miller, Jacek Wielemborek]
[Nsock] Handle any and all socket connect errors the same: raise as an Nsock error instead of fatal. This prevents Nmap and Ncat from quitting with "Strange error from connect:" [Daniel Miller]
[NSE] Added several commands to redis-info to extract listening addresses, connected clients, active channels, and cluster nodes. [Vasiliy Kulikov]
[NSE][GH#679][GH#681] Refreshed script http-robtex-reverse-ip, reflecting changes at the source site (www.robtex.com). [aDoN]
[NSE][GH#620][GH#715] Added 8 new http-enum fingerprints for Hadoop infrastructure components. [Thomas Debize, Varunram Ganesh]
[NSE][GH#629] Added two new fingerprints to http-default-accounts (APC Management Card, older NetScreen ScreenOS) [Steve Benson, nnposter]
[NSE][GH#716] Fix for oracle-tns-version which was sending an invalid TNS probe due to a string escaping mixup. [Alexandr Savca]
[NSE][GH#694] ike-version now outputs information about supported attributes and unknown vendor ids. Also, a new fingerprint for FortiGate VPNs was submitted by Alexis La Goutte. [Daniel Miller]
[GH#700] Enabled support for TLS SNI on the Windows platform. [nnposter]
[GH#649] New service probe and match lines for the JMON and RSE services of IBM Explorer for z/OS. [Soldier of Fortran]
Removed a duplicate service probe for Memcached added in 2011 (the original probe was added in 2008) and reported as duplicate in 2013 by Pavel Kankovsky.
New service probe and match line for NoMachine NX Server remote desktop. [Justin Cacak]
[Zenmap] Fixed a recurring installation problem on OS X/macOS where Zenmap was installed to /Applications/Applications/Zenmap.app instead of /Applications/Zenmap.app.
[Zenmap][GH#639] Zenmap will no longer crash when no suitable temporary directory is found. Patches contributed by [Varunram Ganesh] and [Sai Sundhar]
[Zenmap][GH#626] Zenmap now properly handles the -v0 (no output) option, which was added in Nmap 7.10. Previously, this was treated the same as not specifying -v at all. [lymanZerga11]
[GH#630] Updated or removed some OpenSSL library calls that were deprecated in OpenSSL 1.1. [eroen]
[NSE] Script ssh-hostkey now recognizes and reports Ed25519 keys [nnposter]
[NSE][GH#627] Fixed script hang in several brute scripts due to the "threads" script-arg not being converted to a number. Error message was "nselib/brute.lua:1188: attempt to compare number with string" [Arne Beer]

[close]

http://nmap.org/

[SiLæncer]

Changelog

    [Windows] Updated the bundled Npcap from 0.91 to 0.93, fixing several issues with installation and compatibility with the Windows 10 Creators Update.
    [NSE][GH#910] NSE scripts now have complete SSH support via libssh2, including password brute-forcing and running remote commands, thanks to the combined efforts of three Summer of Code students: [Devin Bjelland, Sergey Khegay, Evangelos Deirmentzoglou]
    [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 579! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
        ftp-syst sends SYST and STAT commands to FTP servers to get system version and connection information. [Daniel Miller]
        [GH#916] http-vuln-cve2017-8917 checks for an SQL injection vulnerability affecting Joomla! 3.7.x before 3.7.1. [Wong Wai Tuck]
        iec-identify probes for the IEC 60870-5-104 SCADA protocol. [Aleksandr Timorin, Daniel Miller]
        [GH#915] openwebnet-discovery retrieves device identifying information and number of connected devices running on openwebnet protocol. [Rewanth Cool]
        puppet-naivesigning checks for a misconfiguration in the Puppet CA where naive signing is enabled, allowing for any CSR to be automatically signed. [Wong Wai Tuck]
        [GH#943] smb-protocols discovers if a server supports dialects NT LM 0.12 (SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old smbv2-enabled script. [Paulino Calderon]
        [GH#943] smb2-capabilities lists the supported capabilities of SMB2/SMB3 servers. [Paulino Calderon]
        [GH#943] smb2-time determines the current date and boot date of SMB2 servers. [Paulino Calderon]
        [GH#943] smb2-security-mode determines the message signing configuration of SMB2/SMB3 servers. [Paulino Calderon]
        [GH#943] smb2-vuln-uptime attempts to discover missing critical patches in Microsoft Windows systems based on the SMB2 server uptime. [Paulino Calderon]
        ssh-auth-methods lists the authentication methods offered by an SSH server. [Devin Bjelland]
        ssh-brute performs brute-forcing of SSH password credentials. [Devin Bjelland]
        ssh-publickey-acceptance checks public or private keys to see if they could be used to log in to a target. A list of known-compromised key pairs is included and checked by default. [Devin Bjelland]
        ssh-run uses user-provided credentials to run commands on targets via SSH. [Devin Bjelland]
    [NSE] Removed smbv2-enabled, which was incompatible with the new SMBv2/3 improvements. It was fully replaced by the smb-protocols script.
    [Ncat][GH#446] Added Datagram TLS (DTLS) support to Ncat in connect (client) mode with --udp --ssl. Also added Application Layer Protocol Negotiation (ALPN) support with the --ssl-alpn option. [Denis Andzakovic, Daniel Miller]
    Updated the default ciphers list for Ncat and the secure ciphers list for Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH ciphersuites, anonymous ECDH suites were being allowed. [Daniel Miller]
    [NSE][GH#930] Fix ndmp-version and ndmp-fs-info when scanning Veritas Backup Exec Agent 15 or 16. [Andrew Orr]
    [NSE][GH#943] Added new SMB2/3 library and related scripts. [Paulino Calderon]
    [NSE][GH#950] Added wildcard detection to dns-brute. Only hostnames that resolve to unique addresses will be listed. [Aaron Heesakkers]
    [NSE] FTP scripts like ftp-anon and ftp-brute now correctly handle TLS-protected FTP services and use STARTTLS when necessary. [Daniel Miller]
    [NSE][GH#936] Function url.escape no longer encodes so-called "unreserved" characters, including hyphen, period, underscore, and tilde, as per RFC 3986. [nnposter]
    [NSE][GH#935] Function http.pipeline_go no longer assumes that persistent connections are supported on HTTP 1.0 target (unless the target explicitly declares otherwise), as per RFC 7230. [nnposter]
    [NSE][GH#934] The HTTP response object has a new member, version, which contains the HTTP protocol version string returned by the server, e.g. "1.0". [nnposter]
    [NSE][GH#938] Fix handling of the objectSID Active Directory attribute by ldap.lua. [Tom Sellers]
    [NSE] Fix line endings in the list of Oracle SIDs used by oracle-sid-brute. Carriage Return characters were being sent in the connection packets, likely resulting in failure of the script. [Anant Shrivastava]
    [NSE][GH#141] http-useragent-checker now checks for changes in HTTP status (usually 403 Forbidden) in addition to redirects to indicate forbidden User Agents. [Gyanendra Mishra]

[close]

http://nmap.org/

[SiLæncer]

Changelog

[Windows] Updated the bundled Npcap from 0.93 to 0.99-r2, with many stability fixes and installation improvements, as well as fixes to raw 802.11 frame capture. See https://nmap.org/npcap/changelog
Integrated all of your service/version detection fingerprints submitted from March 2017 to August 2017 (728 of them). The signature count went up 1.02% to 11,672, including 26 new softmatches. We now detect 1224 protocols from filenet-pch, lscp, and netassistant to sharp-remote, urbackup, and watchguard. We will try to integrate the remaining submissions in the next release.
Integrated all of your IPv4 OS fingerprint submissions from September 2016 to August 2017 (667 of them). Added 298 fingerprints, bringing the new total to 5,652. Additions include iOS 11, macOS Sierra, Linux 4.14, Android 7, and more.
Integrated all 33 of your IPv6 OS fingerprint submissions from September 2016 to August 2017. New groups for OpenBSD 6.0 and FreeBSD 11.0 were added, as well as strengthened groups for Linux and OS X.
Added the --resolve-all option to resolve and scan all IP addresses of a host. This essentially replaces the resolveall NSE script. [Daniel Miller]
[NSE][SECURITY] Nmap developer nnposter found a security flaw (directory traversal vulnerability) in the way the non-default http-fetch script sanitized URLs. If a user manualy ran this NSE script with against a malicious web server, the server could potentially (depending on NSE arguments used) cause files to be saved outside the intended destination directory. Existing files couldn't be overwritten. We fixed http-fetch, audited our other scripts to ensure they didn't make this mistake, and we updated the httpspider library API to protect against this by default. [nnposter, Daniel Miller]
[NSE] Added 9 NSE scripts, from 8 authors, bringing the total up to 588! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
deluge-rpc-brute performs brute-force credential testing against Deluge BitTorrent RPC services, using the new zlib library. [Claudiu Perta]
hostmap-crtsh lists subdomains by querying Google's Certificate Transparency logs. [Paulino Calderon]
[GH#892] http-bigip-cookie decodes unencrypted F5 BIG-IP cookies and reports back the IP address and port of the actual server behind the load-balancer. [Seth Jackson]
http-jsonp-detection Attempts to discover JSONP endpoints in web servers. JSONP endpoints can be used to bypass Same-origin Policy restrictions in web browsers. [Vinamra Bhatia]
http-trane-info obtains information from Trane Tracer SC controllers and connected HVAC devices. [Pedro Joaquin]
[GH#609] nbd-info uses the new nbd.lua library to query Network Block Devices for protocol and file export information. [Mak Kolybabi]
rsa-vuln-roca checks for RSA keys generated by Infineon TPMs vulnerable to Return Of Coppersmith Attack (ROCA) (CVE-2017-15361). Checks SSH and TLS services. [Daniel Miller]
[GH#987] smb-enum-services retrieves the list of services running on a remote Windows machine. Modern Windows systems requires a privileged domain account in order to list the services. [Rewanth Cool]
tls-alpn checks TLS servers for Application Layer Protocol Negotiation (ALPN) support and reports supported protocols. ALPN largely replaces NPN, which tls-nextprotoneg was written for. [Daniel Miller]
[GH#978] Fixed Nsock on Windows giving errors when selecting on STDIN. This was causing Ncat 7.60 in connect mode to quit with error: libnsock select_loop(): nsock_loop error 10038: An operation was attempted on something that is not a socket. [nnposter]
[Ncat][GH#197][GH#1049] Fix --ssl connections from dropping on renegotiation, the same issue that was partially fixed for server mode in [GH#773]. Reported on Windows with -e by pkreuzt and vinod272. [Daniel Miller]
[NSE][GH#1062][GH#1149] Some changes to brute.lua to better handle misbehaving or rate-limiting services. Most significantly, brute.killstagnated now defaults to true. Thanks to xp3s and Adamtimtim for reporing infinite loops and proposing changes.
[NSE] VNC scripts now support Apple Remote Desktop authentication (auth type 30) [Daniel Miller]
[NSE][GH#1111] Fix a script crash in ftp.lua when PASV connection timed out. [Aniket Pandey]
[NSE][GH#1114] Update bitcoin-getaddr to receive more than one response message, since the first message usually only has one address in it. [h43z]
[Ncat][GH#1139] Ncat now selects the correct default port for a given proxy type. [Pavel Zhukov]
[NSE] memcached-info can now gather information from the UDP memcached service in addition to the TCP service. The UDP service is frequently used as a DDoS reflector and amplifier. [Daniel Miller]
[NSE][GH#1129] Changed url.absolute() behavior with respect to dot and dot-dot path segments to comply with RFC 3986, section 5.2. [nnposter]
Removed deprecated and undocumented aliases for several long options that used underscores instead of hyphens, such as --max_retries. [Daniel Miller]
Improved service scan's treatment of soft matches in two ways. First of all, any probes that could result in a full match with the soft matched service will now be sent, regardless of rarity. This improves the chances of matching unusual services on non-standard ports. Second, probes are now skipped if they don't contain any signatures for the soft matched service. Previously the probes would still be run as long as the target port number matched the probe's specification. Together, these changes should make service/version detection faster and more accurate. For more details on how it works, see https://nmap.org/book/vscan.html. [Daniel Miller]
--version-all now turns off the soft match optimization, ensuring that all probes really are sent, even if there aren't any existing match lines for the softmatched service. This is slower, but gives the most comprehensive results and produces better fingerprints for submission. [Daniel Miller]
[NSE][GH#1083] New set of Telnet softmatches for version detection based on Telnet DO/DON'T options offered, covering a wide variety of devices and operating systems. [D Roberson]
[GH#1112] Resolved crash opportunities caused by unexpected libpcap version string format. [Gisle Vanem, nnposter]
[NSE][GH#1090] Fix false positives in rexec-brute by checking responses for indications of login failure. [Daniel Miller]
[NSE][GH#1099] Fix http-fetch to keep downloaded files in separate destination directories. [Aniket Pandey]

[NSE] Added new fingerprints to http-default-accounts:

Hikvision DS-XXX Network Camera and NUOO DVR [Paulino Calderon]
[GH#1074] ActiveMQ, Purestorage, and Axis Network Cameras [Rob Fitzpatrick, Paulino Calderon]
Added a new service detection match for WatchGuard Authentication Gateway. [Paulino Calderon]
[NSE][GH#1038][GH#1037] Script qscan was not observing interpacket delays (parameter qscan.delay). [nnposter]
[NSE][GH#1046] Script http-headers now fails properly if the target does not return a valid HTTP response. [spacewander]
[Ncat][Nsock][GH#972] Remove RC4 from the list of TLS ciphers used by default, in accordance with RFC 7465. [Codarren Velvindron]
[NSE][GH#1022] Fix a false positive condition in ipmi-cipher-zero caused by not checking the error code in responses. Implementations which return an error are not vulnerable. [Juho Jokelainen]
[NSE][GH#958] Two new libraries for NSE.
idna - Support for internationalized domain names in applications (IDNA)
punycode (a transfer encoding syntax used in IDNA)
[Rewanth Cool]

[NSE] New fingerprints for http-enum:

[GH#954] Telerik UI CVE-2017-9248 [Harrison Neal]
[GH#767] Many WordPress version detections [Rewanth Cool]

[GH#981][GH#984][GH#996][GH#975] Fixed Ncat proxy authentication issues:

Usernames and/or passwords could not be empty
Passwords could not contain colons
SOCKS5 authentication was not properly documented
SOCKS5 authentication had a memory leak
[nnposter]
[GH#1009][GH#1013] Fixes to autoconf header files to allow autoreconf to be run. [Lukas Schwaighofer]
[GH#977] Improved DNS service version detection coverage and consistency by using data from a Project Sonar Internet wide survey. Numerouse false positives were removed and reliable softmatches added. Match lines for version.bind responses were also conslidated using the technique below. [Tom Sellers]
[GH#977] Changed version probe fallbacks so as to work cross protocol (TCP/UDP). This enables consolidating match lines for services where the responses on TCP and UDP are similar. [Tom Sellers]
[NSE][GH#532] Added the zlib library for NSE so scripts can easily handle compression. This work started during GSOC 2014, so we're particularly pleased to finally integrate it! [Claudiu Perta, Daniel Miller]
[NSE][GH#1004] Fixed handling of brute.retries variable. It was being treated as the number of tries, not retries, and a value of 0 would result in infinite retries. Instead, it is now the number of retries, defaulting to 2 (3 total tries), with no option for infinite retries.
[NSE] http-devframework-fingerprints.lua supports Jenkins server detection and returns extra information when Jenkins is detected [Vinamra Bhatia]
[GH#926] The rarity level of MS SQL's service detection probe was decreased. Now we can find MS SQL in odd ports without increasing version intensity. [Paulino Calderon]
[GH#957] Fix reporting of zlib and libssh2 versions in "nmap --version". We were always reporting the version number of the included source, even when a different version was actually linked. [Pavel Zhukov]
Add a new helper function for nmap-service-probes match lines: $I(1,">") will unpack an unsigned big-endian integer value up to 8 bytes wide from capture 1. The second option can be "<" for little-endian. [Daniel Miller]

[close]

http://nmap.org/

[SiLæncer]

Changelog

    [Windows] The Npcap Windows packet capturing library (https://npcap.org/) is faster and more stable than ever. Nmap 7.80 updates the bundled Npcap from version 0.99-r2 to 0.9982, including all of these changes from the last 15 Npcap releases: https://nmap.org/npcap/changelog
    [NSE] Added 11 NSE scripts, from 8 authors, bringing the total up to 598! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
        [GH#1232] broadcast-hid-discoveryd discovers HID devices on a LAN by sending a discoveryd network broadcast probe. [Brendan Coles]
        [GH#1236] broadcast-jenkins-discover discovers Jenkins servers on a LAN by sending a discovery broadcast probe. [Brendan Coles]
        [GH#1016][GH#1082] http-hp-ilo-info extracts information from HP Integrated Lights-Out (iLO) servers. [rajeevrmenon97]
        [GH#1243] http-sap-netweaver-leak detects SAP Netweaver Portal with the Knowledge Management Unit enabled with anonymous access. [ArphanetX]
        https-redirect detects HTTP servers that redirect to the same port, but with HTTPS. Some nginx servers do this, which made ssl-* scripts not run properly. [Daniel Miller]
        [GH#1504] lu-enum enumerates Logical Units (LU) of TN3270E servers. [Soldier of Fortran]
        [GH#1633] rdp-ntlm-info extracts Windows domain information from RDP services. [Tom Sellers]
        smb-vuln-webexec checks whether the WebExService is installed and allows code execution. [Ron Bowes]
        smb-webexec-exploit exploits the WebExService to run arbitrary commands with SYSTEM privileges. [Ron Bowes]
        [GH#1457] ubiquiti-discovery extracts information from the Ubiquiti Discovery service and assists version detection. [Tom Sellers]
        [GH#1126] vulners queries the Vulners CVE database API using CPE information from Nmap's service and application version detection. [GMedian, Daniel Miller]
    [GH#1291][GH#34][GH#1339] Use pcap_create instead of pcap_live_open in Nmap, and set immediate mode on the pcap descriptor. This solves packet loss problems on Linux and may improve performance on other platforms. [Daniel Cater, Mike Pontillo, Daniel Miller]
    [NSE] Collected utility functions for string processing into a new library, stringaux.lua. [Daniel Miller]
    [NSE] New rand.lua library uses the best sources of random available on the system to generate random strings. [Daniel Miller]
    [NSE] New library, oops.lua, makes reporting errors easy, with plenty of debugging detail when needed, and no clutter when not. [Daniel Miller]
    [NSE] Collected utility functions for manipulating and searching tables into a new library, tableaux.lua. [Daniel Miller]
    [NSE] New knx.lua library holds common functions and definitions for communicating with KNX/Konnex devices. [Daniel Miller]
    [NSE][GH#1571] The HTTP library now provides transparent support for gzip- encoded response body. (See https://github.com/nmap/nmap/pull/1571 for an overview.) [nnposter]
    [Nsock][Ncat][GH#1075] Add AF_VSOCK (Linux VM sockets) functionality to Nsock and Ncat. VM sockets are used for communication between virtual machines and the hypervisor. [Stefan Hajnoczi]
    [Security][Windows] Address CVE-2019-1552 in OpenSSL by building with the prefix "C:\Program Files (x86)\Nmap\OpenSSL". This should prevent unauthorized users from modifying OpenSSL defaults by writing configuration to this directory.
    [Security][GH#1147][GH#1108] Reduced LibPCRE resource limits so that version detection can't use as much of the stack. Previously Nmap could crash when run on low-memory systems against target services which are intentionally or accidentally difficult to match. Someone assigned CVE-2018-15173 for this issue. [Daniel Miller]
    [GH#1361] Deprecate and disable the -PR (ARP ping) host discovery option. ARP ping is already used whenever possible, and the -PR option would not force it to be used in any other case. [Daniel Miller]
    [NSE] bin.lua is officially deprecated. Lua 5.3, added 2 years ago in Nmap 7.25BETA2, has native support for binary data packing via string.pack and string.unpack. All existing scripts and libraries have been updated. [Daniel Miller]
    [NSE] Completely removed the bit.lua NSE library. All of its functions are replaced by native Lua bitwise operations, except for `arshift` (arithmetic shift) which has been moved to the bits.lua library. [Daniel Miller]
    [NSE][GH#1571] The HTTP library is now enforcing a size limit on the received response body. The default limit can be adjusted with a script argument, which applies to all scripts, and can be overridden case-by-case with an HTTP request option. (See https://github.com/nmap/nmap/pull/1571 for details.) [nnposter]
    [NSE][GH#1648] CR characters are no longer treated as illegal in script XML output. [nnposter]
    [GH#1659] Allow resuming nmap scan with lengthy command line [Clément Notin]
    [NSE][GH#1614] Add TLS support to rdp-enum-encryption. Enables determining protocol version against servers that require TLS and lays ground work for some NLA/CredSSP information collection. [Tom Sellers]
    [NSE][GH#1611] Address two protocol parsing issues in rdp-enum-encryption and the RDP nse library which broke scanning of Windows XP. Clarify protocol types [Tom Sellers]
    [NSE][GH#1608] Script http-fileupload-exploiter failed to locate its resource file unless executed from a specific working directory. [nnposter]
    [NSE][GH#1467] Avoid clobbering the "severity" and "ignore_404" values of fingerprints in http-enum. None of the standard fingerprints uses these fields. [Kostas Milonas]
    [NSE][GH#1077] Fix a crash caused by a double-free of libssh2 session data when running SSH NSE scripts against non-SSH services. [Seth Randall]
    [NSE][GH#1565] Updates the execution rule of the mongodb scripts to be able to run on alternate ports. [Paulino Calderon]
    [Ncat][GH#1560] Allow Ncat to connect to servers on port 0, provided that the socket implementation allows this. [Daniel Miller]
    Update the included libpcap to 1.9.0. [Daniel Miller]
    [NSE][GH#1544] Fix a logic error that resulted in scripts not honoring the smbdomain script-arg when the target provided a domain in the NTLM challenge. [Daniel Miller]
    [Nsock][GH#1543] Avoid a crash (Protocol not supported) caused by trying to reconnect with SSLv2 when an error occurs during DTLS connect. [Daniel Miller]
    [NSE][GH#1534] Removed OSVDB references from scripts and replaced them with BID references where possible. [nnposter]
    [NSE][GH#1504] Updates TN3270.lua and adds argument to disable TN3270E [Soldier of Fortran]
    [GH#1504] RMI parser could crash when encountering invalid input [Clément Notin]
    [GH#863] Avoid reporting negative latencies due to matching an ARP or ND response to a probe sent after it was recieved. [Daniel Miller]
    [Ncat][GH#1441] To avoid confusion and to support non-default proxy ports, option --proxy now requires a literal IPv6 address to be specified using square-bracket notation, such as --proxy [2001:db8::123]:456. [nnposter]
    [Ncat][GH#1214][GH#1230][GH#1439] New ncat option provides control over whether proxy destinations are resolved by the remote proxy server or locally, by Ncat itself. See option --proxy-dns. [nnposter]
    [NSE][GH#1478] Updated script ftp-syst to prevent potential endless looping. [nnposter]
    [GH#1454] New service probes and match lines for v1 and v2 of the Ubiquiti Discovery protocol. Devices often leave the related service open and it exposes significant amounts of information as well as the risk of being used as part of a DDoS. New nmap-payload entry for v1 of the protocol. [Tom Sellers]
    [NSE] Removed hostmap-ip2hosts.nse as the API has been broken for a while and the service was completely shutdown on Feb 17th, 2019. [Paulino Calderon]
    [NSE][GH#1318] Adds TN3270E support and additional improvements to tn3270.lua and updates tn3270-screen.nse to display the new setting. [mainframed]
    [NSE][GH#1346] Updates product codes and adds a check for response length in enip-info.nse. The script now uses string.unpack. [NothinRandom]
    [Ncat][GH#1310][GH#1409] Temporary RSA keys are now 2048-bit to resolve a compatibility issue with OpenSSL library configured with security level 2, as seen on current Debian or Kali. [Adrian Vollmer, nnposter]
    [NSE][GH#1227] Fix a crash (double-free) when using SSH scripts against non-SSH services. [Daniel Miller]
    [Zenmap] Fix a crash when Nmap executable cannot be found and the system PATH contains non-UTF-8 bytes, such as on Windows. [Daniel Miller]
    [Zenmap] Fix a crash in results search when using the dir: operator:

        AttributeError: 'SearchDB' object has no attribute 'match_dir' [Daniel
        Miller]

    [Ncat][GH#1372] Fixed an issue with Ncat -e on Windows that caused early termination of connections. [Alberto Garcia Illera]
    [NSE][GH#1359] Fix a false-positive in http-phpmyadmin-dir-traversal when the server responds with 200 status to a POST request to any URI. [Francesco Soncina]
    [NSE] New vulnerability state in vulns.lua, UNKNOWN, is used to indicate that testing could not rule out vulnerability. [Daniel Miller]
    [GH#1355] When searching for Lua header files, actually use them where they are found instead of forcing /usr/include. [Fabrice Fontaine, Daniel Miller]
    [NSE][GH#1331] Script traceroute-geolocation no longer crashes when www.GeoPlugin.net returns null coordinates [Michal Kubenka, nnposter]
    Limit verbose -v and debugging -d levels to a maximum of 10. Nmap does not use higher levels internally. [Daniel Miller]
    [NSE] tls.lua when creating a client_hello message will now only use a SSLv3 record layer if the protocol version is SSLv3. Some TLS implementations will not handshake with a client offering less than TLSv1.0. Scripts will have to manually fall back to SSLv3 to talk to SSLv3-only servers. [Daniel Miller]
    [NSE][GH#1322] Fix a few false-positive conditions in ssl-ccs-injection. TLS implementations that responded with fatal alerts other than "unexpected message" had been falsely marked as vulnerable. [Daniel Miller]
    Emergency fix to Nmap's birthday announcement so Nmap wishes itself a "Happy 21st Birthday" rather than "Happy 21th" in verbose mode (-v) on September 1, 2018. [Daniel Miller]
    [GH#1150] Start host timeout clocks when the first probe is sent to a host, not when the hostgroup is started. Sometimes a host doesn't get probes until late in the hostgroup, increasing the chance it will time out. [jsiembida]
    [NSE] Support for edns-client-subnet (ECS) in dns.lua has been improved by:
        [GH#1271] Using ECS code compliant with RFC 7871 [John Bond]
        Properly trimming ECS address, as mandated by RFC 7871 [nnposter]
        Fixing a bug that prevented using the same ECS option table more than once [nnposter]
    [Ncat][GH#1267] Fixed communication with commands launched with -e or -c on Windows, especially when --ssl is used. [Daniel Miller]
    [NSE] Script http-default-accounts can now select more than one fingerprint category. It now also possible to select fingerprints by name to support very specific scanning. [nnposter]
    [NSE] Script http-default-accounts was not able to run against more than one target host/port. [nnposter]
    [NSE][GH#1251] New script-arg `http.host` allows users to force a particular value for the Host header in all HTTP requests.
    [NSE][GH#1258] Use smtp.domain script arg or target's domain name instead of "example.com" in EHLO command used for STARTTLS. [gwire]
    [NSE][GH#1233] Fix brute.lua's BruteSocket wrapper, which was crashing Nmap with an assertion failure due to socket mixup [Daniel Miller]: nmap: nse_nsock.cc:672: int receive_buf(lua_State*, int, lua_KContext): Assertion `lua_gettop(L) == 7' failed.
    [NSE][GH#1254] Handle an error condition in smb-vuln-ms17-010 caused by IPS closing the connection. [Clément Notin]
    [Ncat][GH#1237] Fixed literal IPv6 URL format for connecting through HTTP proxies. [Phil Dibowitz]
    [NSE][GH#1212] Updates vendors from ODVA list for enip-info. [NothinRandom]
    [NSE][GH#1191] Add two common error strings that improve MySQL detection by the script http-sql-injection. [Robert Taylor, Paulino Calderon]
    [NSE][GH#1220] Fix bug in http-vuln-cve2006-3392 that prevented the script to generate the vulnerability report correctly. [rewardone]
    [NSE][GH#1218] Fix bug related to screen rendering in NSE library tn3270. This patch also improves the brute force script tso-brute. [mainframed]
    [NSE][GH#1209] Fix SIP, SASL, and HTTP Digest authentication when the algorithm contains lowercase characters. [Jeswin Mathai]
    [GH#1204] Nmap could be fooled into ignoring TCP response packets if they used an unknown TCP Option, which would misalign the validation, causing it to fail. [Clément Notin, Daniel Miller]
    [NSE]The HTTP response parser now tolerates status lines without a reason phrase, which improves compatibility with some HTTP servers. [nnposter]
    [NSE][GH#1169][GH#1170][GH#1171]][GH#1198] Parser for HTTP Set-Cookie header is now more compliant with RFC 6265:
        empty attributes are tolerated
        double quotes in cookie and/or attribute values are treated literally
        attributes with empty values and value-less attributes are parsed equally
        attributes named "name" or "value" are ignored
    [nnposter]
    [NSE][GH#1158] Fix parsing http-grep.match script-arg. [Hans van den Bogert]
    [Zenmap][GH#1177] Avoid a crash when recent_scans.txt cannot be written to. [Daniel Miller]
    Fixed --resume when the path to Nmap contains spaces. Reported on Windows by Adriel Desautels. [Daniel Miller]
    New service probe and match lines for adb, the Android Debug Bridge, which allows remote code execution and is left enabled by default on many devices. [Daniel Miller]

[close]

http://nmap.org/

[SiLæncer]

Changelog

    [GH#2126] Fix the "iocp" Nsock engine for Windows to be able to correctly handle PCAP read events. This engine is now the default for Windows, which should greatly improve performance over the previous default, the "poll" engine. [Daniel Miller]
    [GH#2051] Restrict Nmap's search path for scripts and data files. NMAPDATADIR, defined on Unix and Linux as ${prefix}/share/nmap, will not be searched on Windows, where it was previously defined as C:\Nmap . Additionally, the --script option will not interpret names as directory names unless they are followed by a '/'. [Daniel Miller]
    Removed nmap-update. This program was intended to provide a way to update data files and NSE scripts, but the infrastructure was never fielded. It depended on Subversion version control and would have required maintaining separate versions of NSE scripts for compatibility.
    [GH#2050] Reduced CPU usage of OS scan by 50% by avoiding string copy operations and removing undocumented fingerprint syntax unused in nmap-os-db ('&' and '+' in expressions). [Daniel Miller]
    [GH#92] Fix a regression in ARP host discovery left over from the move from massping to ultra_scan in Nmap 4.22SOC8 (2007) that sometimes resulted in missing ARP responses from targets near the end of a scan. Accuracy and speed are both improved. [Daniel Miller]
    [GH#1834] Addressed over 250 code quality issues identified by LGTM.com, improving our code quality score from "C" to "A+"
    [GH#1764] Fix an assertion failure when unsolicited ARP response is received:

        nmap: Target.cc:503: void Target::stopTimeOutClock(const timeval*): Assertion `htn.toclock_running == true' failed.

    [GH#1859] Allow multiple UDP payloads to be specified for a port in nmap-payloads. If the first payload does not get a response, the remaining payloads are tried round-robin. [Paul Miseiko, Rapid7]
    [GH#1860] 23 new UDP payloads and dozens more default ports for existing payloads developed for Rapid7's InsightVM scan engine. These speed up and ensure detection of open UDP services. [Paul Miseiko, Rapid7]
    [GH#1616] New option --discovery-ignore-rst tells Nmap to ignore TCP RST responses when determining if a target is up. Useful when firewalls are spoofing RST packets. [Tom Sellers, Rapid7]
    [Ncat][GH#2087][GH#1927][GH#1928][GH#1974] It is now possible to override the value of TLS SNI via --ssl-servername [Hank Leininger, nnposter]
    [GH#2104] Fixed parsing of TCP options which would hang (infinite loop) if an option had an explicit length of 0. Affects Nmap 7.80 only. [Daniel Miller, Imed Mnif]
    [NSE][GH#1460] Script ssh2-enum-algos would fail if the server initiated the key exchange before completing the protocol version exchange [Scott Ellis, nnposter]
    [NSE][GH#2105] Fetching of SSH2 keys might fail because of key exchange confusion [nnposter]
    [NSE][GH#2098] Performance of script afp-ls has been dramatically improved [nnposter]
    [NSE][GH#2091] Parsing of AFP FPGetFileDirParms and FPEnumerateExt2FPEnumerateExt2 responses was not working correctly [nnposter]
    [NSE][GH#2089] Eliminated false positives in script http-shellshock caused by simple reflection of HTTP request data [Anders Kaseorg]
    [NSE][GH#1473] SNMP scripts are now enabled on non-standard ports where SNMP has been detected [usd-markus, nnposter]
    [NSE][GH#2084] MQTT library was using incorrect position when parsing received responses [tatulea]
    [NSE][GH#2086] IPMI library was using incorrect position when parsing received responses [Star Salzman]
    [NSE][GH#2086] Scripts ipmi-brute and deluge-rpc-brute were not capturing successfully brute-forced credentials [Star Salzman]
    Allow resuming IPv6 scans with --resume. The address parsing was assuming IPv4 addresses, leading to "Unable to parse ip" error. In a related fix, MAC addresses will not be parsed as IP addresses when resuming from XML. [Daniel Miller]
    [GH#1622][GH#2068] Fix reverse-DNS handling of PTR records that are not lowercase. Nmap was failing to identify reverse-DNS names when the DNS server delivered them like ".IN-ADDR.ARPA". [Lucas Nussbaum, Richard Schütz, Daniel Miller]
    [NSE][GH#1999][GH#2005] IKE library was not properly populating the protocol number in aggressive mode requests. [luc-x41]
    [GH#1963] Added service fingerprinting for MySQL 8.x, Microsoft SQL Server 2019, MariaDB, and Crate.io CrateDB. Updated PostreSQL coverage and added specific detection of recent versions running in Docker. [Tom Sellers]
    [NSE] New script uptime-agent-info collects system information from an Idera Uptime Infrastructure Monitor agent. [Daniel Miller]
    [NSE] New outlib library will consolidate functions related to NSE output, both string formatting conventions and structured output. [Daniel Miller]
    New XML output "hosthint" tag emitted during host discovery when a target is found to be up. This gives earlier notification than waiting for the hostgroup to finish all scan phases. [Paul Miseiko]
    [GH#917] New UDP payloads for GPRS Tunneling Protocol (GTP) on ports 2123, 2152, and 3386. [Guillaume Teissier]
    [NSE][GH#1825] SSH scripts now run on several ports likely to be SSH based on empirical data from Shodan.io, as well as the netconf-ssh service. [Lim Shi Min Jonathan, Daniel Miller]
    [Zenmap][GH#1777] Stop creating a debugging output file 'tmp.txt' on the desktop in macOS. [Roland Linder]
    [Nping] Address build failure under libc++ due to "using namespace std;" in several headers, resulting in conflicting definitions of bind(). Reported by StormBytePP and Rosen Penev. [Daniel Miller]
    [Ncat][GH#1868] Fix a fatal error when connecting to a Linux VM socket with verbose output enabled. [Stefano Garzarella]
    [Ncat][GH#2060] Proxy credentials can be alternatively passed onto Ncat by setting environment variable NCAT_PROXY_AUTH, which reduces the risk of the credentials getting captured in process logs. [nnposter]
    [NSE][GH#1723] Fixed a crash on Windows when processing a GZIP-encoded HTTP body. [Daniel Miller]
    Upgrade libpcap to 1.9.1, which addresses several CVE vulnerabilities.
    Upgrade libssh2 to 1.9.0, fixing compilation with OpenSSL 1.1.0 API.
    [GH#1717][GH#1718] Processing of IP address CIDR blocks was not working correctly on ppc64, ppc64le, and s390x architectures. [rfrohl, nnposter]
    [Windows] Add support for the new loopback behavior in Npcap 0.9983. This enables Nmap to scan localhost on Windows without needing the Npcap Loopback Adapter to be installed, which was a source of problems for some users. [Daniel Miller]
    [NSE] MS SQL library has improved version resolution, from service pack level to individual cumulative updates [nnposter]
    [NSE][GH#2077] With increased verbosity, script http-default-accounts now reports matched target fingerprints even if no default credentials were found [nnposter]
    [NSE][GH#2063] IPP request object conversion to string was not working correctly [nnposter]
    [NSE][GH#2063] IPP response parser was not correctly processing end-of-attributes-tag [nnposter]
    [NSE] Script cups-info was failing due to erroneous double-decoding of the IPP printer status [nnposter]
    [NSE][GH#2010] Oracle TNS parser was incorrectly unmarshalling DALC byte arrays [nnposter]
    [NSE] The password hashing function for Oracle 10g was not working correctly for non-alphanumeric characters [nnposter]
    [NSE] Virtual host probing list, vhosts-full.lst, was missing numerous entries present in vhosts-default.lst [nnposter]
    [NSE][GH#1931][GH#1932] Script http-grep was not correctly calculating Luhn checksum [Colleen Li, nnposter]
    [NSE][GH#1838] Scripts dhcp-discover and broadcast-dhcp-discover now support new argument "mac" to force a specific client MAC address [nnposter]
    [NSE] Code improvements in RPC Dump, benefitting NFS-related scripts [nnposter]
    [NSE] RPC code was using incorrect port range, which was causing some calls, such as NFS mountd, to fail intermittently [nnposter]
    [NSE][GH#1876] XML output from script ssl-cert now includes RSA key modulus and exponent [nnposter]
    [NSE][GH#1837] Nmap no longer crashes when SMB scripts, such as smb-ls, call smb.find_files [nnposter]
    [NSE][GH#1802] The MongoDB library was causing errors when assembling protocol payloads. [nnposter]
    [NSE][GH#1781][GH#1796] The RTSP library was not correctly generating request strings. [nnposter]
    [NSE][GH#1706] VNC handshakes were failing with insert position out of bounds error. [nnposter]
    [NSE][GH#1720] Function marshall_dom_sid2 in library msrpctypes was not correctly populating ID Authority. [nnposter]
    [NSE][GH#1720] Unmarshalling functions in library msrpctypes were attempting arithmetic on a nil argument. [Ivan Ivanov, nnposter]
    [NSE][GH#1720] Functions lsa_lookupnames2 and lsa_lookupsids2 in library msrpc were incorrectly referencing function strjoin when called with debug level 2 or higher. [Ivan Ivanov]
    [NSE][GH#1755][GH#2096] Added HTTP default account fingerprints for Tomcat Host Manager and Dell iDRAC9. [Clément Notin]
    [NSE][GH#1476][GH#1707] A MS-SMB spec non-compliance in Samba was causing protocol negotiation to fail with data string too short error. [Clément Notin, nnposter]
    [NSE][GH#1480][GH#1713][GH#1714] A bug in SMB library was causing scripts to fail with bad format argument error. [Ivan Ivanov]
    [NSE] New script, dicom-brute.nse, attempts to brute force the called Application Entity Title of DICOM servers. [Paulino Calderon]
    [NSE] New script, dicom-ping.nse, discovers DICOM servers and determines if any Application Entity Title is allowed to connect. [Paulino Calderon]
    [NSE] New library, dicom.lua, implements the DICOM protocol used for storing and transfering medical images. [Paulino Calderon]
    [NSE][GH#1665] The HTTP library no longer crashes when code requests digest authentication but the server does not provide the necessary authentication header. [nnposter]
    [NSE] Fixed a bug in http-wordpress-users.nse that could cause extraneous output to be captured as part of a username. [Duarte Silva]
    Added a UDP payload for STUN (Session Traversal Utilities for NAT). [David Fifield]
    [NSE] Fixed an off-by-one bug in the stun.lua library that prevented parsing a server response. [David Fifield]

[close]

http://nmap.org/

[SiLæncer]

Whats new:>>

    [NSE][GH#2136][GH#2137] Rectify error "time result cannot be represented..." in the AFP library. [Clément Notin]
    [NSE][GH#1473] It is now possible to control whether the SNMP library uses v1 (default) or v2c by setting script argument snmp.version. [nnposter] o [NSE][GH#2128] MySQL library was not properly parsing server responses, resulting in script crashes. [nnposter]
    [NSE] Script mysql-audit now defaults to the bundled mysql-cis.audit for the audit rule base. [nnposter]

http://nmap.org/

[SiLæncer]

Changelog

    [Windows] Upgraded Npcap (our Windows raw packet capturing and transmission driver) from version 1.00 to the latest version 1.50. You can read about the dozens of performance improvements, bug fixes and feature enhancements at https://npcap.org/changelog.
    [Windows] Thanks to the Npcap 1.50 upgrade, Nmap now works on the Windows ARM architecture so you can run it on lightweight and power-efficient tablets like the Microsoft Surface Pro X and Samsung Galaxy Book Go. More ARM devices are on the way along with the upcoming Windows 11 release. See the Npcap on ARM announcement at https://seclists.org/nmap-announce/2021/2.
    [Windows] Updated our Windows builds to Visual Studio 2019, Windows 10 SDK, and the UCRT. This prevents Nmap from working on Windows Vista and earlier, but they can still use older versions of Nmap on their ancient operating system.
    New Nmap option --unique will prevent Nmap from scanning the same IP address twice, which can happen when different names resolve to the same address. [Daniel Miller]
    [NSE][GH#1691] TLS 1.3 now supported by most scripts for which it is relevant, such as ssl-enum-ciphers. Some functions like ssl tunnel connections and certificate parsing will require OpenSSL 1.1.1 or later to fully support TLS 1.3. [Daniel Miller]

    [NSE] Added 3 NSE scripts, from 4 authors, bringing the total up to 604! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:

        [GH#2201] nbns-interfaces queries NetBIOS name service (NBNS) to gather IP addresses of the target's network interfaces [Andrey Zhukov]
        [GH#711] openflow-info gathers preferred and supported protocol versions from OpenFlow devices [Jay Smith, Mak Kolybabi]
        port-states prints a list of ports that were found in each state, including states that were summarized as "Not shown: X closed ports" [Daniel Miller]

    Several changes to UDP payloads to improve accuracy:

        [GH#2269] Fix an issue with -sU where payload data went out-of-scope before it was used, causing corrupted payloads to be sent. [Mariusz Ziulek]
        Nmap's retransmission limits were preventing some UDP payloads from being tried with -sU and -PU. Now, Nmap sends each payload for a particular port at the same time without delay. [Daniel Miller]

        New UDP payloads:

            [GH#1279] TS3INIT1 for UDP 3389 [colcrunch]
            [GH#1895] DTLS for UDP 3391 (RD Gateway) [Arnim Rupp]

    [NSE][GH#2208][GH#2203] SMB2 dialect handling has been redesigned. Visible changes include:

        Notable improvement in speed of script smb-protocols and others
        Some SMB scripts are no longer using a hardcoded dialect, improving target interoperability
        Dialect names are aligned with Microsoft, such as 3.0.2, instead of 3.02 [nnposter]
    [GH#2350] Upgraded OpenSSL to version 1.1.1k. This addresses some CVE's which don't affect Nmap in a material way. Details: https://github.com/nmap/nmap/issues/2350
    Removed support for the ancient WinPcap library since we already include our own Npcap library (https://npcap.org) supporting the same API. WinPcap was abandoned years ago and it's official download page says that "WE RECOMMEND USING Npcap INSTEAD" for security, stability, compatibility, and support reasons.
    [GH#2257] Fix an issue in addrset matching that was causing all targets to be excluded if the --excludefile listed a CIDR range that contains an earlier, smaller CIDR range. [Daniel Miller]
    Upgrade the Windows NSIS installer to use the latest NSIS 3 (version 3.07) instead of the previous NSIS 2 generation.
    Setting --host-timeout=0 will disable the host timeout, which is set by -T5 to 15 minutes. Earlier versions of Nmap require the user to specify a very long timeout instead.

    Improvements to Nmap's XML output:

        If a host times out, the XML <host> element will have the attribute timedout="true" and the host's timing info (srtt etc.) will still be printed.
        The "extrareasons" element now includes a list of port numbers for each "ignored" state. The "All X ports" and "Not shown:" lines in normal output have been changed slightly to provide more detail. [Daniel Miller]
    [NSE][GH#2237] Prevent the ssl-* NSE scripts from probing ports that were excluded from version scan, usually 9100-9107, since JetDirect will print anything sent to these ports. [Daniel Miller]
    [GH#2206] Nmap no longer produces cryptic message "Failed to convert source address to presentation format" when unable to find useable route to the target. [nnposter]
    [Ncat][GH#2202] Use safety-checked versions of FD_* macros to abort early if number of connections exceeds FD_SETSIZE. [Pavel Zhukov]
    [Ncat] Connections proxied via SOCKS4/SOCKS5 were intermittently dropping server data sent right after the connection got established, such as port banners. [Sami Pönkänen]
    [Ncat][GH#2149] Fixed a bug in proxy connect mode which would close the connection as soon as it was opened in Nmap 7.90 and 7.91.
    [NSE][GH#2175] Fixed NSE so it will not consolidate all port script output for targets which share an IP (e.g. HTTP vhosts) under one target. [Daniel Miller]
    [Zenmap][GH#2157] Fixed an issue where a failure to execute Nmap would result in a Zenmap crash with "TypeError: coercing to Unicode" exception.
    Nmap no longer considers an ICMP Host Unreachable as confirmation that a target is down, in accordance with RFC 1122 which says these errors may be transient. Instead, the probe will be destroyed and other probes used to determine aliveness. [Daniel Miller]
    [Ncat][GH#2154] Ncat no longer crashes when used with Unix domain sockets.
    [Ncat][GH#2167][GH#2168] Ncat is now again generating certificates with the duration of one year. Due to a bug, recent versions of Ncat were using only one minute. [Tobias Girstmair]
    [NSE][GH#2281] URL/percent-encoding is now using uppercase hex digits to align with RFC 3986, section 2.1, and to improve compatibility with some real-world web servers. [nnposter]
    [NSE][GH#2174] Script hostmap-crtsh got improved in several ways. The most visible are that certificate SANs are properly split apart and that identities that are syntactically incorrect to be hostnames are now ignored. [Michel Le Bihan, nnposter]
    [NSE] Loading of a Nikto database failed if the file was referenced relative to the Nmap directory [nnposter]
    [GH#2199] Updated Nmap's NPSL license to rewrite a poorly-worded clause abiyt "proprietary software companies". The new license version 0.93 is still available from https://nmap.org/npsl/. As described on that page, we are also still offering Nmap 7.90, 7.91, and 7.92 under the previous Nmap 7.80 license. Finally, we still offer the Nmap OEM program for companies who want a non-copyleft license allowing them to redistribute Nmap with their products at https://nmap.org/oem/.
    [NSE] Script smb2-vuln-uptime no longer reports false positives when the target does not provide its boot time. [nnposter]
    [NSE][GH#2197] Client packets composed by the DHCP library will now contain option 51 (IP address lease time) only when requested. [nnposter]
    [NSE][GH#2192] XML decoding in library citrixxml no longer crashes when encountering a character reference with codepoint greater than 255. (These references are now left unmodified.) [nnposter]
    [NSE] Script mysql-audit now defaults to the bundled mysql-cis.audit for the audit rule base. [nnposter]
    [NSE][GH#1473] It is now possible to control whether the SNMP library uses v1 (default) or v2c by setting script argument snmp.version. [nnposter]

[close]

http://nmap.org/

[SiLæncer]

Changelog

   

    This release commemorates Nmap's 25th anniversary! It all started with this September 1, 1997 Phrack article by Fyodor: https://nmap.org/p51-11.html.
    [Windows]Upgraded Npcap (our Windows raw packet capturing and transmission driver) from version 1.50 to the latest version 1.71. It includes dozens of performance improvements, bug fixes and feature enhancements described at https://npcap.com/changelog.
    Ensure Nmap builds with OpenSSL 3.0 using no deprecated API functions. Binaries for this release include OpenSSL 3.0.5.
    Upgrade included libraries: libssh2 1.10.0, zlib 1.2.12, Lua 5.3.6, libpcap 1.10.1
    [GH#2416]Fix a bug that prevented Nmap from discovering interfaces on Linux when no IPv4 addresses were configured. [Daniel Miller, nnposter]
    [NSE][GH#2463]NSE "exception handling" with nmap.new_try() will no longer result in a stack traceback in debug output nor a "ERROR: script execution failed" message in script output, since the intended behavior has always been to end the script immediately without output. [Daniel Miller]
    [GH#2494]Update the Nmap output DTD to match actual output since the `<hosthint>` element was added in Nmap 7.90.
    [NSE][GH#2496]Fix newtargets support: since Nmap 7.92, scripts could not add targets in script pre-scanning phase. [Daniel Miller]
    [GH#2468]Scripts dhcp-discover and broadcast-dhcp-discover now support setting a client identifier. [nnposter]
    [GH#2331][GH#2471]Script oracle-tns-version was not reporting the version correctly for Oracle 19c or newer [linholmes]
    [GH#2296][GH#2342]Script redis-info was crashing or producing inaccurate information about client connections and/or cluster nodes. [nnposter]
    [GH#2379]Nmap and Nping were unable to obtain system routes on FreeBSD [benpratt, nnposter]
    [GH#2464]Script ipidseq was broken due to calling an unreachable library function. [nnposter]
    [GH#2420][GH#2436]Support for EC crypto was not properly enabled if Nmap was compiled with OpenSSL in a custom location. [nnposter]
    [NSE]Improvements to event handling and pcap socket garbage collection, fixing potential hangs and crashes. [Daniel Miller]
    We ceased creating the Nmap win32 binary zipfile. It was useful back when you could just unzip it and run Nmap from there, but that hasn't worked well for many years. The win32 self-installer handles Npcap installation and many other dependencies and complexities. Anyone who needs the binaries for some reason can still install Nmap on any system and retrieve them from there. For now we're keeping the Win32 zipfile in the Nmap OEM Edition (https://nmap.org/oem) for companies building Nmap into their own products. But even in that case we believe that running the Nmap OEM self-installer in silent mode is a better approach.
    [GH#2388]Fix TDS7 password encoding for mssql.lua, which had been assuming ASCII input even though other parts of the library had been passing it Unicode.
    [GH#2402]Replace deprecated CPEs for IIS with their updated identifier, cpe:/a:microsoft:internet_information_services [Esa Jokinen]
    [NSE][GH#2393]Fix script-terminating error when unknown BSON data types are encountered. Added parsers for most standard data types. [Daniel Miller]
    [Ncat]Fix hostname/certificate comparison and matching to handle ASN.1 strings without null terminators, a similar bug to OpenSSL's CVE-2021-3712.
    [Ncat][GH#2365]Added support for SOCKS5 proxies that return bind addresses as hostnames, instead of IPv4/IPv6 addresses. [pomu0325]

[close]

http://nmap.org/

[SiLæncer]

Changelog

   

    Zenmap and Ndiff now use Python 3! Thanks to the many contributors who made this effort possible:

    [GH#2088][GH#1176][Zenmap]Updated Zenmap to Python 3 and PyGObject. [Jakub Kulík]
    [GH#1807][GH#1176][Ndiff]Updated Ndiff to Python 3. [Brian Quigley]
    Additional Python 3 update fixes by Sam James, Daniel Miller. Special thanks to those who opened Python 3-related issues and pull requests: Eli Schwartz, Romain Leonard, Varunram Ganesh, Pavel Zhukov, Carey Balboa, Hasan Aliyev, and others.
    [Windows]Upgraded Npcap (our Windows raw packet capturing and transmission driver) from version 1.71 to the latest version 1.75. It includes dozens of performance improvements, bug fixes and feature enhancements described at https://npcap.com/changelog.
    Nmap now prints vendor names based on MAC address for MA-S (24-bit), MA-M (28-bit), and MA-L (36-bit) registrations instead of the fixed 3-byte MAC prefix used previously for lookups.
    Added partial silent-install support to the Nmap Windows installer. It previously didn't offer silent mode (/S) because the free/demo version of Npcap Windoes packet capturing driver that it needs and ships with doesn't include a silent installer. Now with the /S option, Nmap checks whether Npcap is already installed (either the free version or OEM) and will silently install itself if so. This is similar to how the Wireshark installer works and is particularly helpful for organizations that want to fully automate their Nmap (and Npcap) deployments. See https://nmap.org/nmap-silent-install for more details.
    Lots of profile-guided memory and processing improvements for Nmap, including OS fingerprint matching, probe matching and retransmission lookups for large hostgroups, and service name lookups. Overhauled Nmap's string interning and several other startup-related procedures to speed up start times, especially for scans using OS detection. [Daniel Miller]
    Integrated many of the most-submitted IPv4 OS fingerprints for recent versions of Windows, iOS, macOS, Linux, and BSD. Added 22 fingerprints, bringing the new total to 5700!
    [NSE][GH#548]Added the tftp-version script which requests a nonexistent file from a TFTP server and matches the error message to a database of known software. [Mak Kolybabi]
    [Ncat][GH#1223]Ncat can now accept "connections" from multiple UDP hosts in listen mode with the --keep-open option. This also enables --broker and --chat via UDP. [Daniel Miller]
    [GH#2575]Upgraded OpenSSL binaries (for the Windows builds and for RPM's) to version 3.0.8. This resolves some CVE's (CVE-2022-3602; CVE-2022-3786) which don't impact Nmap proper since it doesn't do certificate validation, but could possibly impact Ncat when the --ssl-verify option is used.
    Upgrade included libraries: zlib 1.2.13, Lua 5.4.4, libpcap 1.10.4
    [GH#2532]Removed the bogus OpenSSL message from the Windows Nmap executable which looked like "NSOCK ERROR ssl_init_helper(): OpenSSL legacy provider failed to load." We actually already have the legacy provider built-in to our OpenSSL builds, and that's why loading the external one fails.
    [GH#2541]UDP port scan (-sU) and version scan (-sV) now both use the same data source, nmap-service-probes, for data payloads. Previously, the nmap-payloads file was used for port scan. Port scan responses will be used to kick-start the version matching process. [Daniel Miller]
    Nmap's service scan (-sV) can now probe the UDP service behind a DTLS tunnel, the same as it already does for TCP services with SSL/TLS encryption. The DTLSSessionReq probe has had its rarity lowered to 2 to allow it to be sent sooner in the scan. [Daniel Miller]
    [Ncat]Ncat in listen mode with --udp --ssl will use DTLS to secure incoming connections. [Daniel Miller]
    [GH#1023]Handle Internationalized Domain Names (IDN) like .?? on platforms where getaddrinfo supports the AI_IDN flag. [Daniel Miller]
    [Ncat]Addressed an issue from the Debian bug tracker (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969314) regarding data received immediately after a SOCKS CONNECT response. Ncat can now be correctly used in the ProxyCommand option of OpenSSH.
    Improved DNS domain name parsing to avoid recursion and enforce name length limits, avoiding a theoretical stack overflow issue with certain crafted DNS server responses, reported by Philippe Antoine.
    [GH#2338][NSE]Fix mpint packing in ssh2 library, which was causing OpenSSH errors like "ssh_dispatch_run_fatal: bignum is negative" [Sami Loone]
    [GH#2507]Updates to the Japanese manpage translation by Taichi Kotake.
    [Ncat][GH#1026][GH#2426]Dramatically speed up Ncat transfers on Windows by avoiding a 125ms wait for every read from STDIN. [scriptjunkie]
    [GH#1192][Windows]Periodically reset the system idle timer to keep the system from going to sleep while scans are in process. This only affects port scans and OS detection scans, since NSE and version scan do not rely on timing data to adjust speed.
    Updated the Nmap Public Source License (NPSL) to Version 0.95. This just clarifies that the derivative works definition and all other license clauses only apply to parties who choose to accept the license in return for the special rights granted (such as Nmap redistribution rights). If a party can do everything they need to using copyright provisions outside of this license such as fair use, we support that and aren't trying to claim any control over their work. Versions of Nmap released under previous versions of the NPSL may also be used under the NPSL 0.95 terms.
    Avoid storing many small strings from IPv4 OS detection results in the global string_pool. These were effectively leaked after a host is done being scanned, since string_pool allocations are not freed until Nmap quits.

[close]

http://nmap.org/

[SiLæncer]

Changelog

o [Windows] Upgraded Npcap (our Windows raw packet capturing and
  transmission driver) from version 1.75 to the latest version 1.79. It
  includes many performance improvements, bug fixes and feature
  enhancements described at https://npcap.com/changelog.

o Integrated over 4000 IPv4 OS fingerprints submitted since June 2020. Added
  336 fingerprints, bringing the new total to 6036.  Additions include iOS 15 &
  16, macOS Ventura & Monterey, Linux 6.1, OpenBSD 7.1, and lwIP 2.2

o Integrated over 2500 service/version detection fingerprints submitted since
  June 2020. The signature count went up 1.4% to 12089, including 9 new
  softmatches.  We now detect 1246 protocols, including new additions of grpc,
  mysqlx, essnet, remotemouse, and tuya.

o [NSE] Four new scripts from the DINA community (https://github.com/DINA-community)
  for querying industrial control systems:

  + hartip-info reads device information from devices using the Highway
    Addressable Remote Transducer protocol

  + iec61850-mms queries devices using Manufacturing Message Specification
    requests. [Dennis Rösch, Max Helbig]

  + multicast-profinet-discovery Sends a multicast PROFINET DCP Identify All
    message and prints the responses. [Stefan Eiwanger, DINA-community]

  + profinet-cm-lookup queries the DCERPC endpoint mapper exposed via the
    PNIO-CM service.

o Upgraded included libraries: Lua 5.4.6, libpcre2 10.43, zlib 1.3.1,
  libssh2 1.11.0, liblinear 2.47

o [GH#2639] Upgraded OpenSSL binaries (for the Windows builds and for
  RPMs) to version 3.0.13. CVEs resolved in this update include only 2
  moderate-severity issues which we do not believe affect Nmap:
  CVE-2023-5363 and CVE-2023-2650

o [Zenmap][Ndiff][GH#2649] Zenmap and Ndiff now use setuptools, not distutils for packaging.

o [Ncat][GH#2685] Fixed Ncat UDP server mode to not quit after EOF on stdin. Reported
  as Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039613

o [GH#2672] Fixed an issue where TCP Connect scan (-sT) on Windows would fail to open any
  sockets, leading to scans that never finish. [Daniel Miller]

o [NSE] ssh-auth-methods will now print the pre-authentication banner text when
  available. Requires libssh2 1.11.0 or later. [Daniel Miller]

o [Zenmap][GH#2739] Fix a crash in Zenmap when changing a host comment.

o [NSE][GH#2766] Fix TLS 1.2 signature algorithms for EdDSA. [Daniel Roethlisberger]

o [Zenmap][GH#2706] RPM spec files now correctly require the python3 package, not python>=3

o Improvements to OS detection fingerprint matching, including a syntax change
  for nmap-os-db that allows ranges within the TCP Options string. This leads
  to more concise and maintainable fingerprints. [Daniel Miller]

o Improved the OS detection engine by using a new source port for each retry.
  Scans from systems such as Windows that do not send RST for unsolicited
  SYN|ACK responses were previously unable to get a response in subsequent
  tries. [Daniel Miller]

o Several profile-guided optimizations of the port scan engine. [Daniel Miller]

o [GH#2731] Fix an out-of-bounds read which led to out-of-memory errors when
  duplicate addresses were used with --exclude

o [GH#2609] Fixed a memory leak in Nsock: compiled pcap filters were not freed.

o [GH#2658] Fixed a crash when using service name wildcards with -p, as in -p "http*"

o [NSE] Fixed DNS TXT record parsing which caused asn-query to fail in Nmap
  7.80 and later. [David Fifield, Mike Pattrick]

o [NSE][GH#2727][GH#2728] Fixed packet size testing in KNX scripts [f0rw4rd]

[close]

http://nmap.org/