Nmap Changelog
- Nmap 7.95 [2024-04-23]
- Nmap 7.94 [2023-05-19]
- Nmap 7.93 [2022-09-01]
- Nmap 7.92 [2021-08-07]
- Nmap 7.91 [2020-10-09]
- Nmap 7.90 [2020-10-03]
- Nmap 7.80 [2019-08-10]
- Nmap 7.70 [2018-03-20]
- Nmap 7.60 [2017-07-31]
- Nmap 7.50 [2017-06-13]
- Nmap 7.40 [2016-12-20]
- Nmap 7.31 [2016-10-20]
- Nmap 7.30 [2016-09-29]
- Nmap 7.12 [2016-03-29]
- Nmap 7.11 [2016-03-22]
- Nmap 7.10 [2016-03-17]
- Nmap 7.01 [2015-12-09]
- Nmap 7.00 [2015-11-19]
- Nmap 6.47 [2014-08-23]
- Nmap 6.46 [2014-04-18]
- Nmap 6.45 [2014-04-11]
- Nmap 6.40 [2013-07-29]
- Nmap 6.25 [2012-11-29]
- Nmap 6.01 [2012-06-16]
- Nmap 6.00 [2012-05-21]
- Nmap 5.51 [2011-02-11]
- Nmap 5.50 [2011-01-28]
- Nmap 5.35DC1 [2010-07-16]
- Nmap 5.21 [2010-01-27]
- Nmap 5.20 [2010-01-20]
- Nmap 5.00 [2009-07-16]
- Nmap 4.76 [2008-9-12]
- Nmap 4.75 [2008-9-7]
- Nmap 4.68 [2008-6-28]
- Nmap 4.65 [2008-6-1]
- Nmap 4.62 [2008-5-3]
- Nmap 4.60 [2008-3-15]
- Nmap 4.53 [2008-1-12]
- Nmap 4.52 [2008-1-1]
- Nmap 4.50 [2007-12-13]
- Nmap 4.20 [2006-12-7]
- Nmap 4.11 [2006-6-23]
- Nmap 4.10 [2006-6-12]
- Nmap 4.03 [2006-4-22]
- Nmap 4.01 [2006-2-9]
- Nmap 4.00 [2006-1-31]
- Nmap 3.9999 [2006-1-28]
- Nmap 3.999 [2006-1-26]
- Nmap 3.99 [2006-1-25]
- Nmap 3.95 [2005-12-8]
- Nmap 3.93 [2005-9-12]
- Nmap 3.91 [2005-9-11]
- Nmap 3.90 [2005-9-8]
- Nmap 3.81 [2005-2-7]
- Nmap 3.75 [2004-10-18]
- Nmap 3.70 [2004-8-31]
- Nmap 3.55 [2004-7-7]
- Nmap 3.50 [2004-1-18]
- Nmap 3.48 [2003-10-6]
- Nmap 3.45 [2003-9-15]
- Nmap 3.30 [2003-6-28]
- Nmap 3.28 [2003-6-14]
- Nmap 3.27 [2003-4-28]
- Nmap 3.26 [2003-4-24]
- Nmap 3.25 [2003-4-19]
- Nmap 3.20 [2003-3-18]
- Nmap 3.00 [2002-07-31]
- Nmap 2.53 [2000-05-08]
- Nmap 2.52 [2000-05-03]
- Nmap 2.51 [2000-04-29]
- Nmap 2.50 [2000-04-28]
- Nmap 2.12 [1999-04-04]
- Nmap 2.11 [1999-04-03]
- Nmap 2.10
- Nmap 2.09
- Nmap 2.08 [1999-02-16]
- Nmap 2.07 [1999-02-08]
- Nmap 2.06 [1999-02-08]
- Nmap 2.05 [1999-02-08]
#Nmap Changelog ($Id: CHANGELOG 39139 2025-04-30 19:58:18Z dmiller $); -*-text-*-
- [Nping][GH#2862] Promoted Nping version number from a 0.7.95 alpha release to the same release version as Nmap.
- [GH#2982] Fixed an issue preventing the Nmap OEM 7.95 uninstaller from correctly uninstalling Nmap OEM.
- [Zenmap][GH#2854] Fixed a Zenmap crash in DiffViewer when Ndiff exits with error.
- [Zenmap] Fixed several UnicodeDecodeError or UnicodeEncodeError crashes throughout Zenmap.
- [Zenmap][GH#1696] Fixed an issue preventing Zenmap from launching if nmap was not in the PATH. The issue primarily affected macOS users. [Daniel Miller]
- [GH#2838][GH#2836] Fixed a couple of issues with parsing the argument to the -iR option.
- [NSE][GH#2852] Added TLS support to redis.lua and improved -sV detection of redis.
- [Zenmap][GH#2358] Added dark mode, accessed via Profile->Toggle Dark Mode or window::dark_mode in zenmap.conf. [Daniel Miller]
- Upgraded included libraries: Lua 5.4.7, libssh2 1.11.1, libpcap 1.10.5, libpcre 10.45
- [NSE] New script targets-ipv6-eui64 generates target IPv6 addresses from a user-provided file of MAC addresses, using the EUI-64 method. [Daniel Miller]
- [NSE][GH#2973] New service probes and scripts for MikroTik's WinBox router admin service. mikrotik-routeros-version queries the 'info' and 'list' files to get the RouterOS version. mikrotik-routeros-username-brute brute-forces usernames for the router using CVE-2024-54772. [deauther890, Daniel Miller]
- [GH#2954] Fix 2 potential crashes in parsing IPv6 extension headers discovered using AFL++ fuzzer. [Domen Puncer Kugler, Daniel Miller]
- [Nping] Bind raw socket to device when possible. This was already done for IPv6, but was needed for IPv4 L3 tunnels. [ValdikSS]
- [Ncat] Ncat in connect mode no longer defaults to half-closed TCP connections. This makes it more compatible with other netcats. The -k option will enable the old behavior. See https://seclists.org/nmap-dev/2013/q1/188 [Daniel Miller]
- [Nsock][GH#2788] Fix an issue affecting Ncat where unread bytes in the SSL layer's buffer could not be read until more data arrived on the socket, which could lead to deadlock. [Daniel Miller]
- [Ncat][GH#2422] New Ncat option -q to delay quit after EOF on stdin, the same as traditional netcat's -q option. [Daniel Miller]
- [Ncat][GH#2843] Ncat in listen mode with -e or -c correctly handles error and EOF conditions that had not been delivered to the child process.
- [Ncat][Windows] All Nsock engines now work correctly. The default is still 'select', but others can be set with --nsock-engine=iocp or --nsock-engine=poll [Daniel Miller]
- [NSE][GH#1014][GH#2616] SSH NSE scripts now catch connection errors thrown by the libssh2 Lua binding, providing useful output instead of a backtrace. [Joshua Rogers, Daniel Miller]
- [NSE] Several fixes and extensions to the libssh2 NSE bindings: fixed libssh2.channel_read_stderr, which was reading stdout instead; add binding for libssh2_userauth_publickey_frommemory; allow open_channel to avoid allocating a pty;
- [GH#2139][Nsock][Windows] Fixed the IOCP Nsock engine, which had been demoted since Nmap 7.91 due to unresolved issues around SSL sockets and IPv6. [Daniel Miller]
- [Nsock] Improvements for platforms without selectable pcap handles (e.g. Windows). Interleaved pcap and socket events were favoring pcap reads, possibly resulting in timeouts of the socket events. [Daniel Miller]
- [Nsock] Improved memory performance of poll engine on Windows. [Daniel Miller]
- [Nsock][GH#187][GH#2912] Improvements to Nsock event list management, fixing errors like "could not find 1 of the purportedly pending events on that IOD." [Daniel Miller]
- [GH#2113] Fixed the issue where TCP Connect scans (-sT) on Windows would show 'filtered' instead of 'closed', due to differences in understanding timeouts.
- Nmap will now allow targets to be specified both on the command line and in an input file with -iL. Previously, if targets were provided in both places, only the targets in the input file would be scanned, and no notice was given that the command-line targets were ignored. [Daniel Miller]
- [GH#1451] Nmap now performs forward DNS lookups in parallel, using the same engine that has been reliably performing reverse-DNS lookups for nearly a decade. Scanning large lists of hostnames is now enormously faster and avoids the unresponsive wait for blocking system calls, so progress stats can be shown. In testing, resolving 1 million website names to both IPv4 and IPv6 took just over an hour. The previous system took 49 hours for the same data set! [Daniel Miller]
- When Nmap is used with --disable-arp-ping, a local IP that cannot be ARP-resolved will use the "no-route" reason instead of the "unknown-response" reason, since no response was received.
- [NSE][GH#2571][GH#2572][GH#2622][GH#2784] Various bug fixes in the mssql NSE library. [johnjaylward, nnposter]
- [NSE][GH#2925][GH#2917][GH#2924] Testing for acceptance of SSH keys for a given username caused heap corruption. [Julijan Nedic, nnposter]
- [NSE][GH#2919][GH#2917] Scripts were not able to load SSH public keys from a file. [nnposter]
- [NSE][GH#2928][GH#2640] Encryption/decryption performed by the OpenSSL NSE module did not work correctly when the IV started with a null byte. [nnposter]
- [NSE][GH#2901][GH#2744][GH#2745] Arbitrary separator in stdnse.tohex() is now supported. Script smb-protocols now reports SMB dialects correctly. [nnposter]
- [NSE] ether_type inconsistency in packet.Frame has been resolved. Both Frame:new() and Frame:build_ether_frame() now use an integer. [nnposter]
- [GH#2900][GH#2896][GH#2897] Nmap is now able to scan IP protocol 255. [nnposter]
Nmap 7.95 [2024-04-23]
- Integrated over 4,000 of your IPv4 OS fingerprints. Added 336 signatures, bringing the new total to 6,036. Additions include iOS 15 & 16, macOS Ventura & Monterey, Linux 6.1, OpenBSD 7.1, and lwIP 2.2
- Integrated over 2,500 service/version detection fingerprints. The signature count went up 1.4% to 12,089, including 9 new softmatches. We now detect 1,246 protocols, including new additions of grpc, mysqlx, essnet, remotemouse, and tuya.
- [Windows] Upgraded Npcap (our Windows raw packet capturing and transmission driver) from version 1.75 to the latest version 1.79. It includes many performance improvements, bug fixes and feature enhancements described at https://npcap.com/changelog.
- [NSE] Added four new scripts from the DINA community (https://github.com/DINA-community) for querying industrial control systems:
  - hartip-info reads device information from devices using the Highway Addressable Remote Transducer protocol
  - iec61850-mms queries devices using Manufacturing Message Specification requests. [Dennis Rösch, Max Helbig]
  - multicast-profinet-discovery sends a multicast PROFINET DCP Identify All message and prints the responses. [Stefan Eiwanger, DINA-community]
  - profinet-cm-lookup queries the DCERPC endpoint mapper exposed via the PNIO-CM service.
- Improvements to OS detection fingerprint matching, including a syntax change for nmap-os-db that allows ranges within the TCP Options string. This leads to more concise and maintainable fingerprints. [Daniel Miller]
- Improved the OS detection engine by using a new source port for each retry. Scans from systems such as Windows that do not send RST for unsolicited SYN|ACK responses were previously unable to get a response in subsequent tries. [Daniel Miller]
- Several profile-guided optimizations of the port scan engine. [Daniel Miller]
- Upgraded from libpcre 7.6 to libpcre2 10.43.
- Upgraded included libraries: Lua 5.4.6, zlib 1.3.1, libssh2 1.11.0, and liblinear 2.47
- [GH#2639] Upgraded OpenSSL binaries (for the Windows builds and for RPMs) to version 3.0.13. This addresses various OpenSSL vulnerabilities which don't impact Nmap (full details are in the GH issue).
- [GH#2672] Fixed an issue where TCP Connect scan (-sT) on Windows would fail to open any sockets, leading to scans that never finish. [Daniel Miller]
- [Zenmap][Ndiff][GH#2649] Zenmap and Ndiff now use setuptools, not distutils, for packaging.
- [Ncat][GH#2685] Fixed Ncat UDP server mode to not quit after EOF on stdin. Reported as Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039613
- [NSE] ssh-auth-methods will now print the pre-authentication banner text when available. Requires libssh2 1.11.0 or later. [Daniel Miller]
- [Zenmap][GH#2739] Fix a crash in Zenmap when changing a host comment.
- [NSE][GH#2766] Fix TLS 1.2 signature algorithms for EdDSA. [Daniel Roethlisberger]
- [Zenmap][GH#2706] RPM spec files now correctly require the python3 package, not python>=3
- [GH#2731] Fix an out-of-bounds read which led to out-of-memory errors when duplicate addresses were used with --exclude
- [GH#2609] Fixed a memory leak in Nsock: compiled pcap filters were not freed.
- [GH#2658] Fixed a crash when using service name wildcards with -p, as in -p "http*"
- [NSE] Fixed DNS TXT record parsing bug which caused asn-query to fail in Nmap 7.80 and later. [David Fifield, Mike Pattrick]
- [NSE][GH#2727][GH#2728] Fixed packet size testing in KNX scripts [f0rw4rd]
Nmap 7.94 [2023-05-19]
- Zenmap and Ndiff now use Python 3! Thanks to the many contributors who made this effort possible:
  - [GH#2088][GH#1176][Zenmap] Updated Zenmap to Python 3 and PyGObject. [Jakub Kulík]
  - [GH#1807][GH#1176][Ndiff] Updated Ndiff to Python 3. [Brian Quigley]
  - Additional Python 3 update fixes by Sam James, Daniel Miller. Special thanks to those who opened Python 3-related issues and pull requests: Eli Schwartz, Romain Leonard, Varunram Ganesh, Pavel Zhukov, Carey Balboa, Hasan Aliyev, and others.
- [Windows] Upgraded Npcap (our Windows raw packet capturing and transmission driver) from version 1.71 to the latest version 1.75. It includes dozens of performance improvements, bug fixes and feature enhancements described at https://npcap.com/changelog.
- Nmap now prints vendor names based on MAC address for MA-S (24-bit), MA-M (28-bit), and MA-L (36-bit) registrations instead of the fixed 3-byte MAC prefix used previously for lookups.
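How a vendor lookup over registrations of three different widths (24, 28 and 36 bits) can work, added here as an example rather than Nmap's own code: Nmap's real data lives in nmap-mac-prefixes, while the table, vendor strings and function names below are constructed placeholders. The point is the longest-prefix order of the lookup, which a fixed 3-byte lookup cannot express.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <initializer_list>
#include <map>
#include <string>

// Constructed lookup table standing in for nmap-mac-prefixes: the key is the
// registered prefix as hex digits (6 digits = 24-bit block, 7 = 28-bit,
// 9 = 36-bit) and the value a placeholder vendor string. Not IEEE data.
static const std::map<std::string, std::string> kMacPrefixes = {
    {"001122",    "ExampleCorp (24-bit block)"},
    {"0011223",   "ExampleCorp Subsidiary (28-bit block)"},
    {"001122345", "ExampleCorp Device Line (36-bit block)"},
    {"AABBCC",    "PlaceholderVendor (24-bit block)"},
};

// Reduce "00:11:22:33:44:55", "00-11-22-33-44-55" or "001122334455" to
// twelve upper-case hex digits; anything else yields "".
std::string normalize_mac(const std::string& mac) {
    std::string hex;
    for (char c : mac) {
        const unsigned char uc = static_cast<unsigned char>(c);
        if (std::isxdigit(uc)) hex += static_cast<char>(std::toupper(uc));
        else if (c != ':' && c != '-' && c != '.') return "";
    }
    return hex.size() == 12 ? hex : "";
}

// Longest-prefix match: try the 36-bit key first, then 28-bit, then 24-bit,
// so a narrower registration carved out of a wider block wins. Looking up
// only the first three bytes would return the 24-bit owner for every
// address in the block.
std::string mac_vendor(const std::string& mac) {
    const std::string hex = normalize_mac(mac);
    if (hex.empty()) return "";
    for (std::size_t nibbles : {9, 7, 6}) {
        auto it = kMacPrefixes.find(hex.substr(0, nibbles));
        if (it != kMacPrefixes.end()) return it->second;
    }
    return "";
}

int main() {
    const char* samples[] = {"00:11:22:34:56:78", "00-11-22-3f-00-00",
                             "001122990000", "ff:ff:ff:00:00:00"};
    for (const char* s : samples) {
        const std::string v = mac_vendor(s);
        std::printf("%s -> %s\n", s, v.empty() ? "(unknown)" : v.c_str());
    }
    return 0;
}
```

The same address can fall into all three keys at once; trying the longest key first is what makes the answer deterministic.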
- Added partial silent-install support to the Nmap Windows installer. It previously didn't offer silent mode (/S) because the free/demo version of Npcap Windows packet capturing driver that it needs and ships with doesn't include a silent installer. Now with the /S option, Nmap checks whether Npcap is already installed (either the free version or OEM) and will silently install itself if so. This is similar to how the Wireshark installer works and is particularly helpful for organizations that want to fully automate their Nmap (and Npcap) deployments. See https://nmap.org/nmap-silent-install for more details.
- Lots of profile-guided memory and processing improvements for Nmap, including OS fingerprint matching, probe matching and retransmission lookups for large hostgroups, and service name lookups. Overhauled Nmap's string interning and several other startup-related procedures to speed up start times, especially for scans using OS detection. [Daniel Miller]
- Integrated many of the most-submitted IPv4 OS fingerprints for recent versions of Windows, iOS, macOS, Linux, and BSD. Added 22 fingerprints, bringing the new total to 5700!
- [NSE][GH#548] Added the tftp-version script which requests a nonexistent file from a TFTP server and matches the error message to a database of known software. [Mak Kolybabi]
- [Ncat][GH#1223] Ncat can now accept "connections" from multiple UDP hosts in listen mode with the --keep-open option. This also enables --broker and --chat via UDP. [Daniel Miller]
- [GH#2575] Upgraded OpenSSL binaries (for the Windows builds and for RPMs) to version 3.0.8. This resolves some CVEs (CVE-2022-3602; CVE-2022-3786) which don't impact Nmap proper since it doesn't do certificate validation, but could possibly impact Ncat when the --ssl-verify option is used.
- Upgrade included libraries: zlib 1.2.13, Lua 5.4.4, libpcap 1.10.4
- [GH#2532] Removed the bogus OpenSSL message from the Windows Nmap executable which looked like "NSOCK ERROR ssl_init_helper(): OpenSSL legacy provider failed to load." We actually already have the legacy provider built in to our OpenSSL builds, and that's why loading the external one fails.
- [GH#2541] UDP port scan (-sU) and version scan (-sV) now both use the same data source, nmap-service-probes, for data payloads. Previously, the nmap-payloads file was used for port scan. Port scan responses will be used to kick-start the version matching process. [Daniel Miller]
- Nmap's service scan (-sV) can now probe the UDP service behind a DTLS tunnel, the same as it already does for TCP services with SSL/TLS encryption. The DTLSSessionReq probe has had its rarity lowered to 2 to allow it to be sent sooner in the scan. [Daniel Miller]
- [Ncat] Ncat in listen mode with --udp --ssl will use DTLS to secure incoming connections. [Daniel Miller]
- [GH#1023] Handle Internationalized Domain Names (IDN) like Яндекс.рф on platforms where getaddrinfo supports the AI_IDN flag. [Daniel Miller]
- [Ncat] Addressed an issue from the Debian bug tracker (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969314) regarding data received immediately after a SOCKS CONNECT response. Ncat can now be correctly used in the ProxyCommand option of OpenSSH.
- Improved DNS domain name parsing to avoid recursion and enforce name length limits, avoiding a theoretical stack overflow issue with certain crafted DNS server responses, reported by Philippe Antoine.
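An iterative DNS name decoder of the kind this entry describes, added here as an example and not Nmap's parser. The message bytes are constructed, and the struct and function names are assumptions. Compression pointers are followed in a loop rather than by recursion, must point backwards (which by itself rules out pointer loops), are capped in number as a second guard, and the RFC 1035 label and name length limits are enforced, so a crafted response fails cleanly instead of consuming stack.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct DnsName {
    bool ok = false;       // false: malformed, over a limit, or pointer loop
    std::string name;      // dotted presentation form; "" for the root
    std::size_t next = 0;  // offset of the first byte after the name
};

// Decode one name (RFC 1035 section 4.1.4) starting at msg[offset].
DnsName dns_decode_name(const std::vector<uint8_t>& msg, std::size_t offset) {
    const std::size_t kMaxLabel = 63;
    const std::size_t kMaxName = 255;   // wire octets including the root label
    const std::size_t kMaxJumps = 16;   // cap on pointers followed per name
    DnsName out;
    std::size_t pos = offset, wire_len = 0, jumps = 0;
    bool jumped = false;

    for (;;) {
        if (pos >= msg.size()) return out;
        const uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {                        // 11xxxxxx: pointer
            if (pos + 1 >= msg.size()) return out;
            const std::size_t target = (std::size_t(len & 0x3F) << 8) | msg[pos + 1];
            // Only an earlier part of the message may be referenced.
            if (target >= pos || ++jumps > kMaxJumps) return out;
            if (!jumped) { out.next = pos + 2; jumped = true; }
            pos = target;
            continue;
        }
        if (len & 0xC0) return out;                        // 01/10 prefixes reserved
        if (len == 0) {                                    // root label ends the name
            if (!jumped) out.next = pos + 1;
            break;
        }
        if (len > kMaxLabel || pos + 1 + len > msg.size()) return out;
        wire_len += 1 + len;
        if (wire_len + 1 > kMaxName) return out;           // +1 for the root octet
        if (!out.name.empty()) out.name += '.';
        out.name.append(reinterpret_cast<const char*>(&msg[pos + 1]), len);
        pos += 1 + len;
    }
    out.ok = true;
    return out;
}

// Constructed message fragment (not a capture):
//   offset  0: "www.example.com" spelled out in full, 17 octets
//   offset 17: "mail" followed by a pointer to offset 4 ("example.com")
//   offset 24: pointer to offset 26, whose pointer leads back to 24 (a loop)
std::vector<uint8_t> sample_message() {
    return {3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
            4, 'm', 'a', 'i', 'l', 0xC0, 0x04,
            0xC0, 0x1A, 0xC0, 0x18};
}

// A single 64-octet label, one over the limit.
std::vector<uint8_t> oversized_label_message() {
    std::vector<uint8_t> m(1, 64);
    m.insert(m.end(), 64, 'a');
    m.push_back(0);
    return m;
}

int main() {
    const std::vector<uint8_t> msg = sample_message();
    for (std::size_t off : {std::size_t(0), std::size_t(17), std::size_t(24), std::size_t(26)}) {
        const DnsName n = dns_decode_name(msg, off);
        std::printf("offset %zu: %s \"%s\" next=%zu\n", off,
                    n.ok ? "ok" : "REJECTED", n.name.c_str(), n.next);
    }
    const DnsName big = dns_decode_name(oversized_label_message(), 0);
    std::printf("64-octet label: %s\n", big.ok ? "ok" : "REJECTED");
    return 0;
}
```

Note that `next` is fixed at the first pointer: the bytes reached by following it belong to an earlier record, so the caller resumes parsing after the two-byte pointer, not after the referenced labels.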
- [GH#2338][NSE] Fix mpint packing in ssh2 library, which was causing OpenSSH errors like "ssh_dispatch_run_fatal: bignum is negative" [Sami Loone]
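Why the sign handling in mpint packing matters, as an added example in C++ rather than the NSE ssh2 library's Lua (function names are assumptions, not the library's API). An SSH mpint (RFC 4251 section 5) is a two's-complement big-endian integer with a uint32 length prefix; the values a client packs, such as a DH public value, are unsigned magnitudes, so the encoder must strip leading zero bytes and then add one 0x00 byte whenever the top bit of the first remaining byte is set. Omit that byte and the peer reads a negative number, which is exactly the "bignum is negative" rejection OpenSSH reports.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Correct encoding of a non-negative magnitude as an SSH mpint.
std::vector<uint8_t> pack_mpint_unsigned(const std::vector<uint8_t>& magnitude) {
    std::size_t first = 0;
    while (first < magnitude.size() && magnitude[first] == 0) ++first;

    std::vector<uint8_t> body;
    if (first < magnitude.size()) {
        if (magnitude[first] & 0x80) body.push_back(0x00);  // keep the sign bit clear
        body.insert(body.end(), magnitude.begin() + first, magnitude.end());
    }
    // zero is encoded as a zero-length mpint (body stays empty)

    std::vector<uint8_t> out;
    const uint32_t n = static_cast<uint32_t>(body.size());
    out.push_back(static_cast<uint8_t>(n >> 24));
    out.push_back(static_cast<uint8_t>(n >> 16));
    out.push_back(static_cast<uint8_t>(n >> 8));
    out.push_back(static_cast<uint8_t>(n));
    out.insert(out.end(), body.begin(), body.end());
    return out;
}

// A naive encoder that copies the magnitude after the length with no sign
// padding, kept only to show what the receiver sees in that case.
std::vector<uint8_t> pack_mpint_naive(const std::vector<uint8_t>& magnitude) {
    std::vector<uint8_t> out;
    const uint32_t n = static_cast<uint32_t>(magnitude.size());
    out.push_back(static_cast<uint8_t>(n >> 24));
    out.push_back(static_cast<uint8_t>(n >> 16));
    out.push_back(static_cast<uint8_t>(n >> 8));
    out.push_back(static_cast<uint8_t>(n));
    out.insert(out.end(), magnitude.begin(), magnitude.end());
    return out;
}

// The receiver's view: a non-empty mpint whose first data byte has the top
// bit set is negative.
bool mpint_reads_negative(const std::vector<uint8_t>& encoded) {
    if (encoded.size() < 4) return false;
    const uint32_t n = (uint32_t(encoded[0]) << 24) | (uint32_t(encoded[1]) << 16) |
                       (uint32_t(encoded[2]) << 8) | uint32_t(encoded[3]);
    if (n == 0 || encoded.size() < 4 + std::size_t(n)) return false;
    return (encoded[4] & 0x80) != 0;
}

int main() {
    // Constructed magnitude whose top bit is set, the case that needs padding.
    const std::vector<uint8_t> value = {0x80, 0x01};
    std::printf("padded encoding reads negative: %s\n",
                mpint_reads_negative(pack_mpint_unsigned(value)) ? "yes" : "no");
    std::printf("naive encoding reads negative:  %s\n",
                mpint_reads_negative(pack_mpint_naive(value)) ? "yes" : "no");
    return 0;
}
```

The first two assertions below are the worked examples from RFC 4251 itself (0x9a378f9b2e332a7 and 0x80), so the encoder can be checked against the specification rather than against another implementation.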
- [GH#2507] Updates to the Japanese manpage translation by Taichi Kotake.
- [Ncat][GH#1026][GH#2426] Dramatically speed up Ncat transfers on Windows by avoiding a 125ms wait for every read from STDIN. [scriptjunkie]
- [GH#1192][Windows] Periodically reset the system idle timer to keep the system from going to sleep while scans are in process. This only affects port scans and OS detection scans, since NSE and version scan do not rely on timing data to adjust speed.
- Updated the Nmap Public Source License (NPSL) to Version 0.95. This just clarifies that the derivative works definition and all other license clauses only apply to parties who choose to accept the license in return for the special rights granted (such as Nmap redistribution rights). If a party can do everything they need to using copyright provisions outside of this license such as fair use, we support that and aren't trying to claim any control over their work. Versions of Nmap released under previous versions of the NPSL may also be used under the NPSL 0.95 terms.
- Avoid storing many small strings from IPv4 OS detection results in the global string_pool. These were effectively leaked after a host is done being scanned, since string_pool allocations are not freed until Nmap quits.
Nmap 7.93 [2022-09-01]
- This release commemorates Nmap's 25th anniversary! It all started with this September 1, 1997 Phrack article by Fyodor: https://nmap.org/p51-11.html.
- [Windows] Upgraded Npcap (our Windows raw packet capturing and transmission driver) from version 1.50 to the latest version 1.71. It includes dozens of performance improvements, bug fixes and feature enhancements described at https://npcap.com/changelog.
- Ensure Nmap builds with OpenSSL 3.0 using no deprecated API functions. Binaries for this release include OpenSSL 3.0.5.
- Upgrade included libraries: libssh2 1.10.0, zlib 1.2.12, Lua 5.3.6, libpcap 1.10.1
- [GH#2416] Fix a bug that prevented Nmap from discovering interfaces on Linux when no IPv4 addresses were configured. [Daniel Miller, nnposter]
- [NSE][GH#2463] NSE "exception handling" with nmap.new_try() will no longer result in a stack traceback in debug output nor an "ERROR: script execution failed" message in script output, since the intended behavior has always been to end the script immediately without output. [Daniel Miller]
- [GH#2494] Update the Nmap output DTD to match actual output since the `<hosthint>` element was added in Nmap 7.90.
- [NSE][GH#2496] Fix newtargets support: since Nmap 7.92, scripts could not add targets in script pre-scanning phase. [Daniel Miller]
- [GH#2468] Scripts dhcp-discover and broadcast-dhcp-discover now support setting a client identifier. [nnposter]
- [GH#2331][GH#2471] Script oracle-tns-version was not reporting the version correctly for Oracle 19c or newer [linholmes]
- [GH#2296][GH#2342] Script redis-info was crashing or producing inaccurate information about client connections and/or cluster nodes. [nnposter]
- [GH#2379] Nmap and Nping were unable to obtain system routes on FreeBSD [benpratt, nnposter]
- [GH#2464] Script ipidseq was broken due to calling an unreachable library function. [nnposter]
- [GH#2420][GH#2436] Support for EC crypto was not properly enabled if Nmap was compiled with OpenSSL in a custom location. [nnposter]
- [NSE] Improvements to event handling and pcap socket garbage collection, fixing potential hangs and crashes. [Daniel Miller]
- We ceased creating the Nmap win32 binary zipfile. It was useful back when you could just unzip it and run Nmap from there, but that hasn't worked well for many years. The win32 self-installer handles Npcap installation and many other dependencies and complexities. Anyone who needs the binaries for some reason can still install Nmap on any system and retrieve them from there. For now we're keeping the Win32 zipfile in the Nmap OEM Edition (https://nmap.org/oem) for companies building Nmap into their own products. But even in that case we believe that running the Nmap OEM self-installer in silent mode is a better approach.
- [GH#2388] Fix TDS7 password encoding for mssql.lua, which had been assuming ASCII input even though other parts of the library had been passing it Unicode.
- [GH#2402] Replace deprecated CPEs for IIS with their updated identifier, cpe:/a:microsoft:internet_information_services [Esa Jokinen]
- [NSE][GH#2393] Fix script-terminating error when unknown BSON data types are encountered. Added parsers for most standard data types. [Daniel Miller]
- [Ncat] Fix hostname/certificate comparison and matching to handle ASN.1 strings without null terminators, a similar bug to OpenSSL's CVE-2021-3712.
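A length-aware comparison of the kind this entry describes, added here as an example and not Ncat's code; the certificate bytes are constructed and the function names are assumptions. Names inside an X.509 certificate are ASN.1 strings with an explicit length and no guaranteed NUL terminator, so a strcmp()-style comparison reads past the buffer, and a NUL embedded in the string would quietly truncate the comparison. This version uses the length everywhere, refuses embedded NULs, matches case-insensitively, and accepts a single leftmost wildcard label.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Case-insensitive equality between a length-delimited byte string and a
// std::string; never reads beyond `alen`.
static bool labels_equal(const unsigned char* a, std::size_t alen, const std::string& b) {
    if (alen != b.size()) return false;
    for (std::size_t i = 0; i < alen; ++i) {
        if (std::tolower(a[i]) != std::tolower(static_cast<unsigned char>(b[i]))) return false;
    }
    return true;
}

// Does `hostname` match the certificate name (cert_name, cert_len)?
bool cert_name_matches(const unsigned char* cert_name, std::size_t cert_len,
                       const std::string& hostname) {
    if (cert_len == 0 || hostname.empty()) return false;
    // An ASN.1 string may legally contain a NUL; a hostname never can, so a
    // name with one embedded is treated as a mismatch rather than truncated.
    if (std::memchr(cert_name, '\0', cert_len) != nullptr) return false;
    if (hostname.find('\0') != std::string::npos) return false;

    // "*.example.com": the wildcard stands for exactly one leftmost label and
    // the remainder must itself contain a dot, so "*.com" is refused.
    if (cert_len > 2 && cert_name[0] == '*' && cert_name[1] == '.') {
        const unsigned char* suffix = cert_name + 2;
        const std::size_t suffix_len = cert_len - 2;
        if (std::memchr(suffix, '.', suffix_len) == nullptr) return false;
        const std::size_t dot = hostname.find('.');
        if (dot == std::string::npos || dot == 0) return false;
        return labels_equal(suffix, suffix_len, hostname.substr(dot + 1));
    }
    return labels_equal(cert_name, cert_len, hostname);
}

int main() {
    // Constructed certificate name with no NUL terminator: only the first
    // 11 bytes belong to the name, the trailing 'X' is adjacent memory.
    const unsigned char raw[] = {'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm', 'X'};
    // Constructed name with an embedded NUL after "example.com".
    const unsigned char nul[] = {'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm',
                                 '\0', 'e', 'v', 'i', 'l'};
    std::printf("example.com vs 11-byte name: %d\n", cert_name_matches(raw, 11, "example.com"));
    std::printf("example.com vs NUL-embedded:  %d\n", cert_name_matches(nul, sizeof nul, "example.com"));
    return 0;
}
```

Passing the length explicitly is the whole fix: the caller hands over exactly the bytes the ASN.1 length field covers, and nothing in the comparison depends on a terminator being present.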
- [Ncat][GH#2365] Added support for SOCKS5 proxies that return bind addresses as hostnames, instead of IPv4/IPv6 addresses. [pomu0325]
Nmap 7.92 [2021-08-07]
- [Windows] Upgraded Npcap (our Windows raw packet capturing and transmission driver) from version 1.00 to the latest version 1.50. You can read about the dozens of performance improvements, bug fixes and feature enhancements at https://npcap.com/changelog.
- [Windows] Thanks to the Npcap 1.50 upgrade, Nmap now works on the Windows ARM architecture so you can run it on lightweight and power-efficient tablets like the Microsoft Surface Pro X and Samsung Galaxy Book Go. More ARM devices are on the way along with the upcoming Windows 11 release. See the Npcap on ARM announcement at https://seclists.org/nmap-announce/2021/2.
- [Windows] Updated our Windows builds to Visual Studio 2019, Windows 10 SDK, and the UCRT. This prevents Nmap from working on Windows Vista and earlier, but they can still use older versions of Nmap on their ancient operating system.
- New Nmap option --unique will prevent Nmap from scanning the same IP address twice, which can happen when different names resolve to the same address. [Daniel Miller]
- [NSE][GH#1691] TLS 1.3 now supported by most scripts for which it is relevant, such as ssl-enum-ciphers. Some functions like ssl tunnel connections and certificate parsing will require OpenSSL 1.1.1 or later to fully support TLS 1.3. [Daniel Miller]
- [NSE] Added 3 NSE scripts, from 4 authors, bringing the total up to 604! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
  - [GH#2201] nbns-interfaces queries NetBIOS name service (NBNS) to gather IP addresses of the target's network interfaces [Andrey Zhukov]
  - [GH#711] openflow-info gathers preferred and supported protocol versions from OpenFlow devices [Jay Smith, Mak Kolybabi]
  - port-states prints a list of ports that were found in each state, including states that were summarized as "Not shown: X closed ports" [Daniel Miller]
- Several changes to UDP payloads to improve accuracy:
  - [GH#2269] Fix an issue with -sU where payload data went out-of-scope before it was used, causing corrupted payloads to be sent. [Mariusz Ziulek]
  - Nmap's retransmission limits were preventing some UDP payloads from being tried with -sU and -PU. Now, Nmap sends each payload for a particular port at the same time without delay. [Daniel Miller]
  - New UDP payloads:
- [NSE][GH#2208][GH#2203] SMB2 dialect handling has been redesigned. Visible changes include:
  - Notable improvement in speed of script smb-protocols and others
  - Some SMB scripts are no longer using a hardcoded dialect, improving target interoperability
  - Dialect names are aligned with Microsoft, such as 3.0.2, instead of 3.02 [nnposter]
- [GH#2350] Upgraded OpenSSL to version 1.1.1k. This addresses some CVEs which don't affect Nmap in a material way. Details: https://github.com/nmap/nmap/issues/2350
- Removed support for the ancient WinPcap library since we already include our own Npcap library (https://npcap.com) supporting the same API. WinPcap was abandoned years ago and its official download page says that "WE RECOMMEND USING Npcap INSTEAD" for security, stability, compatibility, and support reasons.
- [GH#2257] Fix an issue in addrset matching that was causing all targets to be excluded if the --excludefile listed a CIDR range that contains an earlier, smaller CIDR range. [Daniel Miller]
- [GH#1922] Fix an issue that would cause Nmap to hang during scans with a host timeout, such as -T5. Any active probes when a target timed out were counting towards the global congestion window.
- [GH#2153] Do not count host discovery phase time against the host timeout, since Nmap may wait a long time between sending probes to a target while it processes other targets instead.
- [GH#2153] Fix issues with matching ICMP Time Exceeded messages that led to ignored responses and long scan times when scanning distant targets.
- Upgrade the Windows NSIS installer to use the latest NSIS 3 (version 3.07) instead of the previous NSIS 2 generation.
- Setting --host-timeout=0 will disable the host timeout, which is set by -T5 to 15 minutes. Earlier versions of Nmap require the user to specify a very long timeout instead.
- Improvements to Nmap's XML output:
  - If a host times out, the XML <host> element will have the attribute timedout="true" and the host's timing info (srtt etc.) will still be printed.
  - The "extrareasons" element now includes a list of port numbers for each "ignored" state. The "All X ports" and "Not shown:" lines in normal output have been changed slightly to provide more detail. [Daniel Miller]
- [NSE][GH#2237] Prevent the ssl-* NSE scripts from probing ports that were excluded from version scan, usually 9100-9107, since JetDirect will print anything sent to these ports. [Daniel Miller]
- [GH#2206] Nmap no longer produces cryptic message "Failed to convert source address to presentation format" when unable to find usable route to the target. [nnposter]
- [Ncat][GH#2202] Use safety-checked versions of FD_* macros to abort early if number of connections exceeds FD_SETSIZE. [Pavel Zhukov]
- [Ncat] Connections proxied via SOCKS4/SOCKS5 were intermittently dropping server data sent right after the connection got established, such as port banners. [Sami Pönkänen]
- [Ncat][GH#2149] Fixed a bug in proxy connect mode which would close the connection as soon as it was opened in Nmap 7.90 and 7.91.
- [NSE][GH#2175] Fixed NSE so it will not consolidate all port script output for targets which share an IP (e.g. HTTP vhosts) under one target. [Daniel Miller]
- [Zenmap][GH#2157] Fixed an issue where a failure to execute Nmap would result in a Zenmap crash with "TypeError: coercing to Unicode" exception.
- Nmap no longer considers an ICMP Host Unreachable as confirmation that a target is down, in accordance with RFC 1122 which says these errors may be transient. Instead, the probe will be destroyed and other probes used to determine aliveness. [Daniel Miller]
- [Ncat][GH#2154] Ncat no longer crashes when used with Unix domain sockets.
- [Ncat][GH#2167][GH#2168] Ncat is now again generating certificates with the duration of one year. Due to a bug, recent versions of Ncat were using only one minute. [Tobias Girstmair]
- [NSE][GH#2281] URL/percent-encoding is now using uppercase hex digits to align with RFC 3986, section 2.1, and to improve compatibility with some real-world web servers. [nnposter]
- [NSE][GH#2174] Script hostmap-crtsh got improved in several ways. The most visible are that certificate SANs are properly split apart and that identities that are syntactically incorrect to be hostnames are now ignored. [Michel Le Bihan, nnposter]
- [NSE] Loading of a Nikto database failed if the file was referenced relative to the Nmap directory [nnposter]
- We're no longer building and distributing 32-bit Linux binary RPMs since the vast majority of users are on x64 systems now. Nmap still works on 32-bit systems and so users can build it themselves from the source RPMs or tarball, or obtain it from their distribution's repository.
- [GH#2199] Updated Nmap's NPSL license to rewrite a poorly-worded clause about "proprietary software companies". The new license version 0.93 is still available from https://nmap.org/npsl/. As described on that page, we are also still offering Nmap 7.90, 7.91, and 7.92 under the previous Nmap 7.80 license. Finally, we still offer the Nmap OEM program for companies who want a non-copyleft license allowing them to redistribute Nmap with their products at https://nmap.org/oem/.
- [NSE] Script smb2-vuln-uptime no longer reports false positives when the target does not provide its boot time. [nnposter]
- [NSE][GH#2197] Client packets composed by the DHCP library will now contain option 51 (IP address lease time) only when requested. [nnposter]
- [NSE][GH#2192] XML decoding in library citrixxml no longer crashes when encountering a character reference with codepoint greater than 255. (These references are now left unmodified.) [nnposter]
- [NSE] Script mysql-audit now defaults to the bundled mysql-cis.audit for the audit rule base. [nnposter]
- [NSE][GH#1473] It is now possible to control whether the SNMP library uses v1 (default) or v2c by setting script argument snmp.version. [nnposter]
Nmap 7.91 [2020-10-09]
- [NSE][GH#2136][GH#2137] Fix several places where Lua's os.time was being used to represent dates prior to January 1, 1970, which fails on Windows. Notably, NSE refused to run in UTC+X timezones with the error "time result cannot be represented in this installation" [Clément Notin, nnposter, Daniel Miller]
- [GH#2148][Zenmap] Fix a crash in the profile editor due to a missing import.
- [GH#2139][Nsock][Windows] Demote the IOCP Nsock engine because of some known issues that will take longer to resolve. The previous default "poll" engine will be used instead.
- [GH#2140][Nsock][Windows] Fix a crash in service scan due to a previously-unknown error being returned from the IOCP Nsock engine. [Daniel Miller]
- [NSE][GH#2128] MySQL library was not properly parsing server responses, resulting in script crashes. [nnposter]
- [GH#2135] Silence the irrelevant warning, "Your ports include 'T:' but you haven't specified any TCP scan type" when running nmap -sUV
Nmap 7.90 [2020-10-03]
- [Windows] Upgraded Npcap, our Windows packet capturing (and sending) library to the milestone 1.00 release! It's the culmination of 7 years of development with 170 public pre-releases. This includes dozens of performance improvements, bug fixes, and feature enhancements described at https://npcap.com/changelog.
- Integrated over 800 service/version detection fingerprints submitted since August 2017. The signature count went up 1.8% to 11,878, including 17 new softmatches. We now detect 1237 protocols from airmedia-audio, banner-ivu, and control-m to insteon-plm, pi-hole-stats, and ums-webviewer. A significant number of submissions remain to be integrated in the next release.
- Integrated over 330 of the most-frequently-submitted IPv4 OS fingerprints since August 2017. Added 26 fingerprints, bringing the new total to 5,678. Additions include iOS 12 & 13, macOS Catalina & Mojave, Linux 5.4, FreeBSD 13, and more.
- Integrated all 67 of your IPv6 OS fingerprint submissions from August 2017 to September 2020. Added new groups for FreeBSD 12, Linux 5.4, and Windows 10, and consolidated several weak groups to improve classification accuracy.
- [NSE] Added 3 NSE scripts, from 2 authors, bringing the total up to 601! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
  - dicom-brute attempts to brute force the called Application Entity Title of DICOM servers. [Paulino Calderon]
  - dicom-ping discovers DICOM servers and determines if any Application Entity Title is allowed to connect. [Paulino Calderon]
  - uptime-agent-info collects system information from an Idera Uptime Infrastructure Monitor agent. [Daniel Miller]
- [GH#1834] Addressed over 250 code quality issues identified by LGTM.com, improving our code quality score from "C" to "A+"
- Released Npcap OEM Edition. For more than 20 years, the Nmap Project has been funded by selling licenses for companies to distribute Nmap with their products, along with commercial support. Hundreds of commercial products now use Nmap for network discovery tasks like port scanning, host discovery, OS detection, service/version detection, and of course the Nmap Scripting Engine (NSE). Until now they have just used standard Nmap, but this new OEM Edition is customized for use within other Windows software. Nmap OEM contains the OEM version of our Npcap driver, which allows for silent installation. It also removes the Zenmap GUI, which cuts the installer size by more than half. And it reports itself as Nmap OEM so customers know it's a properly licensed Nmap. See https://nmap.org/oem for more details. We will be reaching out to all existing licensees with Nmap OEM access credentials, but any licensees who want it quicker should see https://nmap.org/oem.
- Upgraded the Nmap license from a sort of hacked-up version of GPLv2 to a cleaner and better organized version (still based on GPLv2) now called the Nmap Public Source License to avoid confusion. See https://nmap.org/npsl/ for more details and annotated license text. This NPSL project was started in 2006 (community discussion here: https://seclists.org/nmap-dev/2006/q4/126) and then it lost momentum for 7 years until it was restarted in 2013 (https://seclists.org/nmap-dev/2013/q1/399) and then we got distracted by development again. We still have some ideas for improving the NPSL, but it's already much better than the current license, so we're applying NPSL Version 0.92 to the code now and can make improvements later if needed. This does not change the license of previous Nmap releases.
- Removed nmap-update. This program was intended to provide a way to update data files and NSE scripts, but the infrastructure was never fielded. It depended on Subversion version control and would have required maintaining separate versions of NSE scripts for compatibility.
- Removed the silent-install command-line option (/S) from the Windows installer. It causes several problems and there were no objections when we proposed removing it in 2016 (https://seclists.org/nmap-dev/2016/q4/168). It will remain in Nmap OEM since its main use was for customers who redistribute Nmap with other software. If anyone else has a strong need for an Nmap silent installer, please contact sales@nmap.com and we'll see what we can do.
- [GH#1860] 23 new UDP payloads and dozens more default ports for existing payloads developed for Rapid7's InsightVM scan engine. These speed up and ensure detection of open UDP services. [Paul Miseiko, Rapid7]
- [GH#2051] Restrict Nmap's search path for scripts and data files. NMAPDATADIR, defined on Unix and Linux as ${prefix}/share/nmap, will not be searched on Windows, where it was previously defined as C:\Nmap. Additionally, the --script option will not interpret names as directory names unless they are followed by a '/'. [Daniel Miller]
- [GH#1764] Fix an assertion failure when unsolicited ARP response is received:
  nmap: Target.cc:503: void Target::stopTimeOutClock(const timeval*): Assertion `htn.toclock_running == true' failed.
- [NSE] New outlib library consolidates functions related to NSE output, both string formatting conventions and structured output. [Daniel Miller]
- [NSE] New dicom library implements the DICOM protocol used for storing and transferring medical images. [Paulino Calderon]
- [GH#92] Fix a regression in ARP host discovery left over from the move from massping to ultra_scan in Nmap 4.22SOC8 (2007) that sometimes resulted in missing ARP responses from targets near the end of a scan. Accuracy and speed are both improved. [Daniel Miller]
- [GH#2126] Fix the "iocp" Nsock engine for Windows to be able to correctly handle PCAP read events. This engine is now the default for Windows, which should greatly improve performance over the previous default, the "poll" engine. [Daniel Miller]
- [GH#2050]Reduced CPU usage of OS scan by 50% by avoiding string copyoperations and removing undocumented fingerprint syntax unused in nmap-os-db('&' and '+' in expressions). [Daniel Miller]
- [GH#1859]Allow multiple UDP payloads to be specified for a port innmap-payloads. If the first payload does not get a response, the remainingpayloads are tried round-robin. [Paul Miseiko, Rapid7]
- [GH#1616]New option --discovery-ignore-rst tells Nmap to ignore TCP RSTresponses when determining if a target is up. Useful when firewalls arespoofing RST packets. [Tom Sellers, Rapid7]
- [Ncat][GH#2087][GH#1927][GH#1928][GH#1974]It is now possible to overridethe value of TLS SNI via --ssl-servername [Hank Leininger, nnposter]
- [GH#2104] Fixed parsing of TCP options which would hang (infinite loop) if an option had an explicit length of 0. Affects Nmap 7.80 only. [Daniel Miller, Imed Mnif]
- Added a UDP payload for STUN (Session Traversal Utilities for NAT). [David Fifield]
- [NSE] Fixed an off-by-one bug in the stun.lua library that prevented parsing a server response. [David Fifield]
- [NSE][GH#1460] Script ssh2-enum-algos would fail if the server initiated the key exchange before completing the protocol version exchange [Scott Ellis, nnposter]
- [NSE][GH#2105] Fetching of SSH2 keys might fail because of key exchange confusion [nnposter]
- [NSE][GH#2098] Performance of script afp-ls has been dramatically improved [nnposter]
- [NSE][GH#2091] Parsing of AFP FPGetFileDirParms and FPEnumerateExt2 responses was not working correctly [nnposter]
- [NSE][GH#2089] Eliminated false positives in script http-shellshock caused by simple reflection of HTTP request data [Anders Kaseorg]
- [NSE][GH#1473] SNMP scripts are now enabled on non-standard ports where SNMP has been detected [usd-markus, nnposter]
- [NSE][GH#2084] MQTT library was using incorrect position when parsing received responses [tatulea]
- [NSE][GH#2086] IPMI library was using incorrect position when parsing received responses [Star Salzman]
- [NSE][GH#2086] Scripts ipmi-brute and deluge-rpc-brute were not capturing successfully brute-forced credentials [Star Salzman]
- Allow resuming IPv6 scans with --resume. The address parsing was assuming IPv4 addresses, leading to "Unable to parse ip" error. In a related fix, MAC addresses will not be parsed as IP addresses when resuming from XML. [Daniel Miller]
- [GH#1622][GH#2068] Fix reverse-DNS handling of PTR records that are not lowercase. Nmap was failing to identify reverse-DNS names when the DNS server delivered them like ".IN-ADDR.ARPA". [Lucas Nussbaum, Richard Schütz, Daniel Miller]
- [NSE][GH#1999][GH#2005] IKE library was not properly populating the protocol number in aggressive mode requests. [luc-x41]
- [GH#1963] Added service fingerprinting for MySQL 8.x, Microsoft SQL Server 2019, MariaDB, and Crate.io CrateDB. Updated PostgreSQL coverage and added specific detection of recent versions running in Docker. [Tom Sellers]
- New XML output "hosthint" tag emitted during host discovery when a target is found to be up. This gives earlier notification than waiting for the hostgroup to finish all scan phases. [Paul Miseiko]
- [GH#917] New UDP payloads for GPRS Tunneling Protocol (GTP) on ports 2123, 2152, and 3386. [Guillaume Teissier]
- [NSE][GH#1825] SSH scripts now run on several ports likely to be SSH based on empirical data from Shodan.io, as well as the netconf-ssh service. [Lim Shi Min Jonathan, Daniel Miller]
- [Zenmap][GH#1777] Stop creating a debugging output file 'tmp.txt' on the desktop in macOS. [Roland Linder]
- [Nping] Address build failure under libc++ due to "using namespace std;" in several headers, resulting in conflicting definitions of bind(). Reported by StormBytePP and Rosen Penev. [Daniel Miller]
- [Ncat][GH#1868] Fix a fatal error when connecting to a Linux VM socket with verbose output enabled. [Stefano Garzarella]
- [Ncat][GH#2060] Proxy credentials can be alternatively passed onto Ncat by setting environment variable NCAT_PROXY_AUTH, which reduces the risk of the credentials getting captured in process logs. [nnposter]
- [NSE][GH#1723] Fixed a crash on Windows when processing a GZIP-encoded HTTP body. [Daniel Miller]
- Upgrade libpcap to 1.9.1, which addresses several CVE vulnerabilities.
- Upgrade libssh2 to 1.9.0, fixing compilation with OpenSSL 1.1.0 API.
- [GH#1717][GH#1718] Processing of IP address CIDR blocks was not working correctly on ppc64, ppc64le, and s390x architectures. [rfrohl, nnposter]
- [Windows] Add support for the new loopback behavior in Npcap 0.9983 and later. This enables Nmap to scan localhost on Windows without needing the Npcap Loopback Adapter to be installed, which was a source of problems for some users. [Daniel Miller]
- [NSE] MS SQL library has improved version resolution, from service pack level to individual cumulative updates [nnposter]
- [NSE][GH#2077] With increased verbosity, script http-default-accounts now reports matched target fingerprints even if no default credentials were found [nnposter]
- [NSE][GH#2063] IPP request object conversion to string was not working correctly [nnposter]
- [NSE][GH#2063] IPP response parser was not correctly processing end-of-attributes-tag [nnposter]
- [NSE] Script cups-info was failing due to erroneous double-decoding of the IPP printer status [nnposter]
- [NSE][GH#2010] Oracle TNS parser was incorrectly unmarshalling DALC byte arrays [nnposter]
- [NSE] The password hashing function for Oracle 10g was not working correctly for non-alphanumeric characters [nnposter]
- [NSE] Virtual host probing list, vhosts-full.lst, was missing numerous entries present in vhosts-default.lst [nnposter]
- [NSE][GH#1931][GH#1932] Script http-grep was not correctly calculating Luhn checksum [Colleen Li, nnposter]
- [NSE][GH#1838] Scripts dhcp-discover and broadcast-dhcp-discover now support new argument "mac" to force a specific client MAC address [nnposter]
- [NSE] Code improvements in RPC Dump, benefitting NFS-related scripts [nnposter]
- [NSE] RPC code was using incorrect port range, which was causing some calls, such as NFS mountd, to fail intermittently [nnposter]
- [NSE][GH#1876] XML output from script ssl-cert now includes RSA key modulus and exponent [nnposter]
- [NSE][GH#1837] Nmap no longer crashes when SMB scripts, such as smb-ls, call smb.find_files [nnposter]
- [NSE][GH#1802] The MongoDB library was causing errors when assembling protocol payloads. [nnposter]
- [NSE][GH#1781][GH#1796] The RTSP library was not correctly generating request strings. [nnposter]
- [NSE][GH#1706] VNC handshakes were failing with insert position out of bounds error. [nnposter]
- [NSE][GH#1720] Function marshall_dom_sid2 in library msrpctypes was not correctly populating ID Authority. [nnposter]
- [NSE][GH#1720] Unmarshalling functions in library msrpctypes were attempting arithmetic on a nil argument. [Ivan Ivanov, nnposter]
- [NSE][GH#1720] Functions lsa_lookupnames2 and lsa_lookupsids2 in library msrpc were incorrectly referencing function strjoin when called with debug level 2 or higher. [Ivan Ivanov]
- [NSE][GH#1755][GH#2096] Added HTTP default account fingerprints for Tomcat Host Manager and Dell iDRAC9. [Clément Notin]
- [NSE][GH#1476][GH#1707] A MS-SMB spec non-compliance in Samba was causing protocol negotiation to fail with data string too short error. [Clément Notin, nnposter]
- [NSE][GH#1480][GH#1713][GH#1714] A bug in SMB library was causing scripts to fail with bad format argument error. [Ivan Ivanov]
- [NSE][GH#1665] The HTTP library no longer crashes when code requests digest authentication but the server does not provide the necessary authentication header. [nnposter]
- [NSE] Fixed a bug in http-wordpress-users.nse that could cause extraneous output to be captured as part of a username. [Duarte Silva]
Nmap 7.80 [2019-08-10]
- [Windows] The Npcap Windows packet capturing library (https://npcap.com/) is faster and more stable than ever. Nmap 7.80 updates the bundled Npcap from version 0.99-r2 to 0.9982, including all of these changes from the last 15 Npcap releases: https://npcap.com/changelog
- [NSE] Added 11 NSE scripts, from 8 authors, bringing the total up to 598! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
  - [GH#1232] broadcast-hid-discoveryd discovers HID devices on a LAN by sending a discoveryd network broadcast probe. [Brendan Coles]
  - [GH#1236] broadcast-jenkins-discover discovers Jenkins servers on a LAN by sending a discovery broadcast probe. [Brendan Coles]
  - [GH#1016][GH#1082] http-hp-ilo-info extracts information from HP Integrated Lights-Out (iLO) servers. [rajeevrmenon97]
  - [GH#1243] http-sap-netweaver-leak detects SAP Netweaver Portal with the Knowledge Management Unit enabled with anonymous access. [ArphanetX]
  - https-redirect detects HTTP servers that redirect to the same port, but with HTTPS. Some nginx servers do this, which made ssl-* scripts not run properly. [Daniel Miller]
  - [GH#1504] lu-enum enumerates Logical Units (LU) of TN3270E servers. [Soldier of Fortran]
  - [GH#1633] rdp-ntlm-info extracts Windows domain information from RDP services. [Tom Sellers]
  - smb-vuln-webexec checks whether the WebExService is installed and allows code execution. [Ron Bowes]
  - smb-webexec-exploit exploits the WebExService to run arbitrary commands with SYSTEM privileges. [Ron Bowes]
  - [GH#1457] ubiquiti-discovery extracts information from the Ubiquiti Discovery service and assists version detection. [Tom Sellers]
  - [GH#1126] vulners queries the Vulners CVE database API using CPE information from Nmap's service and application version detection. [GMedian, Daniel Miller]
- [GH#1371] The macOS installer is now built for x86_64 architecture, not i386.
- [GH#1396] Fixed the Windows installer, which would replace the entire PATH system variable with the path for Nmap if it exceeded 1024 bytes. This was fixed by using the "large strings" build of NSIS to build the new installer. [Daniel Miller]
- Replaced the addrset matching code that is used by --exclude and --excludefile with a much faster implementation using a radix tree (trie). https://seclists.org/nmap-dev/2018/q4/13
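The following is an added illustration of the radix-tree idea in the entry above, not Nmap's own addrset code. It builds a bitwise trie from an --excludefile-style list and answers each "is this target excluded?" question in at most one step per address bit, regardless of how many exclusions were loaded. Only literal addresses and CIDR blocks are accepted here (the real option also takes hostnames); the sample lists are constructed.

```python
# Added example, not Nmap's addrset implementation: a bitwise radix tree
# (trie) over IP prefixes that answers "is this address excluded?" in at
# most 32 (IPv4) or 128 (IPv6) steps, however many --exclude entries were
# loaded. Hostnames in --excludefile are out of scope here; only literal
# addresses and CIDR blocks are accepted.
import ipaddress


class AddrTrie:
    """Each node is [child_for_bit_0, child_for_bit_1, is_terminal]."""

    def __init__(self):
        # One tree per address family; IPv4 and IPv6 bits never mix.
        self._roots = {4: [None, None, False], 6: [None, None, False]}

    def add(self, cidr):
        """Insert a network, or a single host (treated as a full-length prefix)."""
        net = ipaddress.ip_network(cidr, strict=False)
        width = net.max_prefixlen
        addr = int(net.network_address)
        node = self._roots[net.version]
        for i in range(net.prefixlen):  # one bit per level, MSB first
            if node[2]:
                return  # a shorter prefix already covers this one
            bit = (addr >> (width - 1 - i)) & 1
            if node[bit] is None:
                node[bit] = [None, None, False]
            node = node[bit]
        node[2] = True
        node[0] = node[1] = None  # longer prefixes below are now redundant

    def contains(self, ip):
        """True if ip lies inside any inserted prefix."""
        a = ipaddress.ip_address(ip)
        width = a.max_prefixlen
        addr = int(a)
        node = self._roots[a.version]
        for i in range(width):
            if node[2]:
                return True
            node = node[(addr >> (width - 1 - i)) & 1]
            if node is None:
                return False
        return node[2]


def load_excludes(text):
    """Build a trie from --excludefile-style text: one address or CIDR per
    line; blank lines and '#' comments are ignored."""
    trie = AddrTrie()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            trie.add(line)
    return trie


def filter_targets(targets, trie):
    """Drop every target the trie covers, keeping input order."""
    return [t for t in targets if not trie.contains(t)]


# Constructed sample exclusion list and target list (not real data).
SAMPLE_EXCLUDES = """
# management networks
10.0.0.0/8
192.168.1.0/24
203.0.113.7        # single host
2001:db8::/32
"""
SAMPLE_TARGETS = ["10.200.1.1", "192.168.1.77", "192.168.2.1",
                  "203.0.113.7", "203.0.113.8", "2001:db8:1::5", "2001:db9::1"]

if __name__ == "__main__":
    print(filter_targets(SAMPLE_TARGETS, load_excludes(SAMPLE_EXCLUDES)))
```

Because a terminal node prunes everything below it, inserting a /8 after a covered /16 collapses both into one node, and a lookup stops at the first terminal it meets, so the cost never depends on the number of entries.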
- [GH#1291][GH#34][GH#1339] Use pcap_create instead of pcap_live_open in Nmap, and set immediate mode on the pcap descriptor. This solves packet loss problems on Linux and may improve performance on other platforms. [Daniel Cater, Mike Pontillo, Daniel Miller]
- [NSE][GH#1330] Fixed an infinite loop in tls-alpn when the server forces a particular protocol. [Daniel Miller]
- [NSE] Collected utility functions for string processing into a new library, stringaux.lua. [Daniel Miller]
- [NSE] New rand.lua library uses the best sources of random available on the system to generate random strings. [Daniel Miller]
- [NSE] New library, oops.lua, makes reporting errors easy, with plenty of debugging detail when needed, and no clutter when not. [Daniel Miller]
- [NSE] Collected utility functions for manipulating and searching tables into a new library, tableaux.lua. [Daniel Miller]
- [NSE] New knx.lua library holds common functions and definitions for communicating with KNX/Konnex devices. [Daniel Miller]
- [NSE][GH#1571] The HTTP library now provides transparent support for gzip-encoded response body. (See https://github.com/nmap/nmap/pull/1571 for an overview.) [nnposter]
- [Nsock][Ncat][GH#1075] Add AF_VSOCK (Linux VM sockets) functionality to Nsock and Ncat. VM sockets are used for communication between virtual machines and the hypervisor. [Stefan Hajnoczi]
- [Security][Windows] Address CVE-2019-1552 in OpenSSL by building with the prefix "C:\Program Files (x86)\Nmap\OpenSSL". This should prevent unauthorized users from modifying OpenSSL defaults by writing configuration to this directory.
- [Security][GH#1147][GH#1108] Reduced LibPCRE resource limits so that version detection can't use as much of the stack. Previously Nmap could crash when run on low-memory systems against target services which are intentionally or accidentally difficult to match. Someone assigned CVE-2018-15173 for this issue. [Daniel Miller]
- [GH#1361] Deprecate and disable the -PR (ARP ping) host discovery option. ARP ping is already used whenever possible, and the -PR option would not force it to be used in any other case. [Daniel Miller]
- [NSE] bin.lua is officially deprecated. Lua 5.3, added 2 years ago in Nmap 7.25BETA2, has native support for binary data packing via string.pack and string.unpack. All existing scripts and libraries have been updated. [Daniel Miller]
- [NSE] Completely removed the bit.lua NSE library. All of its functions are replaced by native Lua bitwise operations, except for `arshift` (arithmetic shift) which has been moved to the bits.lua library. [Daniel Miller]
- [NSE][GH#1571] The HTTP library is now enforcing a size limit on the received response body. The default limit can be adjusted with a script argument, which applies to all scripts, and can be overridden case-by-case with an HTTP request option. (See https://github.com/nmap/nmap/pull/1571 for details.) [nnposter]
- [NSE][GH#1648] CR characters are no longer treated as illegal in script XML output. [nnposter]
- [GH#1659] Allow resuming nmap scan with lengthy command line [Clément Notin]
- [NSE][GH#1614] Add TLS support to rdp-enum-encryption. Enables determining protocol version against servers that require TLS and lays ground work for some NLA/CredSSP information collection. [Tom Sellers]
- [NSE][GH#1611] Address two protocol parsing issues in rdp-enum-encryption and the RDP nse library which broke scanning of Windows XP. Clarify protocol types [Tom Sellers]
- [NSE][GH#1608] Script http-fileupload-exploiter failed to locate its resource file unless executed from a specific working directory. [nnposter]
- [NSE][GH#1467] Avoid clobbering the "severity" and "ignore_404" values of fingerprints in http-enum. None of the standard fingerprints uses these fields. [Kostas Milonas]
- [NSE][GH#1077] Fix a crash caused by a double-free of libssh2 session data when running SSH NSE scripts against non-SSH services. [Seth Randall]
- [NSE][GH#1565] Updates the execution rule of the mongodb scripts to be able to run on alternate ports. [Paulino Calderon]
- [Ncat][GH#1560] Allow Ncat to connect to servers on port 0, provided that the socket implementation allows this. [Daniel Miller]
- Update the included libpcap to 1.9.0. [Daniel Miller]
- [NSE][GH#1544] Fix a logic error that resulted in scripts not honoring the smbdomain script-arg when the target provided a domain in the NTLM challenge. [Daniel Miller]
- [Nsock][GH#1543] Avoid a crash (Protocol not supported) caused by trying to reconnect with SSLv2 when an error occurs during DTLS connect. [Daniel Miller]
- [NSE][GH#1534] Removed OSVDB references from scripts and replaced them with BID references where possible. [nnposter]
- [NSE][GH#1504] Updates TN3270.lua and adds argument to disable TN3270E [Soldier of Fortran]
- [GH#1504] RMI parser could crash when encountering invalid input [Clément Notin]
- [GH#863] Avoid reporting negative latencies due to matching an ARP or ND response to a probe sent after it was received. [Daniel Miller]
- [Ncat][GH#1441] To avoid confusion and to support non-default proxy ports, option --proxy now requires a literal IPv6 address to be specified using square-bracket notation, such as --proxy [2001:db8::123]:456. [nnposter]
- [Ncat][GH#1214][GH#1230][GH#1439] New ncat option provides control over whether proxy destinations are resolved by the remote proxy server or locally, by Ncat itself. See option --proxy-dns. [nnposter]
- [NSE][GH#1478] Updated script ftp-syst to prevent potential endless looping. [nnposter]
- [GH#1454] New service probes and match lines for v1 and v2 of the Ubiquiti Discovery protocol. Devices often leave the related service open and it exposes significant amounts of information as well as the risk of being used as part of a DDoS. New nmap-payload entry for v1 of the protocol. [Tom Sellers]
- [NSE] Removed hostmap-ip2hosts.nse as the API has been broken for a while and the service was completely shutdown on Feb 17th, 2019. [Paulino Calderon]
- [NSE][GH#1318] Adds TN3270E support and additional improvements to tn3270.lua and updates tn3270-screen.nse to display the new setting. [mainframed]
- [NSE][GH#1346] Updates product codes and adds a check for response length in enip-info.nse. The script now uses string.unpack. [NothinRandom]
- [Ncat][GH#1310][GH#1409] Temporary RSA keys are now 2048-bit to resolve a compatibility issue with OpenSSL library configured with security level 2, as seen on current Debian or Kali. [Adrian Vollmer, nnposter]
- [NSE][GH#1227] Fix a crash (double-free) when using SSH scripts against non-SSH services. [Daniel Miller]
- [Zenmap] Fix a crash when Nmap executable cannot be found and the system PATH contains non-UTF-8 bytes, such as on Windows. [Daniel Miller]
- [Zenmap] Fix a crash in results search when using the dir: operator:
  AttributeError: 'SearchDB' object has no attribute 'match_dir'
  [Daniel Miller]
- [Ncat][GH#1372] Fixed an issue with Ncat -e on Windows that caused early termination of connections. [Alberto Garcia Illera]
- [NSE][GH#1359] Fix a false-positive in http-phpmyadmin-dir-traversal when the server responds with 200 status to a POST request to any URI. [Francesco Soncina]
- [NSE] New vulnerability state in vulns.lua, UNKNOWN, is used to indicate that testing could not rule out vulnerability. [Daniel Miller]
- [GH#1355] When searching for Lua header files, actually use them where they are found instead of forcing /usr/include. [Fabrice Fontaine, Daniel Miller]
- [NSE][GH#1331] Script traceroute-geolocation no longer crashes when www.GeoPlugin.net returns null coordinates [Michal Kubenka, nnposter]
- Limit verbose -v and debugging -d levels to a maximum of 10. Nmap does not use higher levels internally. [Daniel Miller]
- [NSE] tls.lua when creating a client_hello message will now only use a SSLv3 record layer if the protocol version is SSLv3. Some TLS implementations will not handshake with a client offering less than TLSv1.0. Scripts will have to manually fall back to SSLv3 to talk to SSLv3-only servers. [Daniel Miller]
- [NSE][GH#1322] Fix a few false-positive conditions in ssl-ccs-injection. TLS implementations that responded with fatal alerts other than "unexpected message" had been falsely marked as vulnerable. [Daniel Miller]
- Emergency fix to Nmap's birthday announcement so Nmap wishes itself a "Happy 21st Birthday" rather than "Happy 21th" in verbose mode (-v) on September 1, 2018. [Daniel Miller]
- [GH#1150] Start host timeout clocks when the first probe is sent to a host, not when the hostgroup is started. Sometimes a host doesn't get probes until late in the hostgroup, increasing the chance it will time out. [jsiembida]
- [NSE] Support for edns-client-subnet (ECS) in dns.lua has been improved by:
  - [GH#1271] Using ECS code compliant with RFC 7871 [John Bond]
  - Properly trimming ECS address, as mandated by RFC 7871 [nnposter]
  - Fixing a bug that prevented using the same ECS option table more than once [nnposter]
- [Ncat][GH#1267] Fixed communication with commands launched with -e or -c on Windows, especially when --ssl is used. [Daniel Miller]
- [NSE] Script http-default-accounts can now select more than one fingerprint category. It is now also possible to select fingerprints by name to support very specific scanning. [nnposter]
- [NSE] Script http-default-accounts was not able to run against more than one target host/port. [nnposter]
- [NSE][GH#1251] New script-arg `http.host` allows users to force a particular value for the Host header in all HTTP requests.
- [NSE][GH#1258] Use smtp.domain script arg or target's domain name instead of "example.com" in EHLO command used for STARTTLS. [gwire]
- [NSE][GH#1233] Fix brute.lua's BruteSocket wrapper, which was crashing Nmap with an assertion failure due to socket mixup [Daniel Miller]:
  nmap: nse_nsock.cc:672: int receive_buf(lua_State*, int, lua_KContext): Assertion `lua_gettop(L) == 7' failed.
- [NSE][GH#1254] Handle an error condition in smb-vuln-ms17-010 caused by IPS closing the connection. [Clément Notin]
- [Ncat][GH#1237] Fixed literal IPv6 URL format for connecting through HTTP proxies. [Phil Dibowitz]
- [NSE][GH#1212] Updates vendors from ODVA list for enip-info. [NothinRandom]
- [NSE][GH#1191] Add two common error strings that improve MySQL detection by the script http-sql-injection. [Robert Taylor, Paulino Calderon]
- [NSE][GH#1220] Fix bug in http-vuln-cve2006-3392 that prevented the script from generating the vulnerability report correctly. [rewardone]
- [NSE][GH#1218] Fix bug related to screen rendering in NSE library tn3270. This patch also improves the brute force script tso-brute. [mainframed]
- [NSE][GH#1209] Fix SIP, SASL, and HTTP Digest authentication when the algorithm contains lowercase characters. [Jeswin Mathai]
- [GH#1204] Nmap could be fooled into ignoring TCP response packets if they used an unknown TCP Option, which would misalign the validation, causing it to fail. [Clément Notin, Daniel Miller]
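Both this entry and the GH#2104 fix in the 7.91 section above (an option with an explicit length of 0 sending the parser into an infinite loop) come down to how a TCP options walker treats input it did not expect. The block below is an added illustration, not Nmap's parser: it skips unknown option kinds by their declared length so later options stay aligned, and it rejects a length below 2 instead of spinning. The option block it parses is constructed, not captured traffic.

```python
# Added example, not Nmap's option parser: a TCP options walker that handles
# the two malformed inputs the entries above mention, an explicit option
# length of 0 (GH#2104, which hung Nmap 7.80) and option kinds the parser does
# not recognise (GH#1204, which misaligned response validation).
import struct

TCPOPT_EOL, TCPOPT_NOP = 0, 1
KNOWN = {2: "MSS", 3: "WScale", 4: "SAckOK", 5: "SAck", 8: "Timestamp"}


def parse_tcp_options(opts):
    """Return [(kind, payload_bytes), ...]; raise ValueError on malformed
    input instead of looping forever or silently misreading later options."""
    out, i, n = [], 0, len(opts)
    while i < n:
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:  # single-byte option, no length field
            out.append((kind, b""))
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError("truncated option header at offset %d" % i)
        length = opts[i + 1]
        # The length counts the kind and length bytes themselves, so anything
        # below 2 is invalid; a length of 0 would never advance i.
        if length < 2:
            raise ValueError("kind %d has invalid length %d" % (kind, length))
        if i + length > n:
            raise ValueError("kind %d overruns the option block" % kind)
        # Unknown kinds are skipped by their declared length, which keeps the
        # walk aligned for whatever follows them.
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out


def is_well_formed(opts):
    """True when the block parses cleanly, False on any malformed option."""
    try:
        parse_tcp_options(opts)
        return True
    except ValueError:
        return False


def describe(opts):
    """Decode the well-known options; unknown kinds are reported, not dropped."""
    found = {}
    for kind, payload in parse_tcp_options(opts):
        if kind == TCPOPT_NOP:
            continue
        if kind == 2 and len(payload) == 2:
            found["MSS"] = struct.unpack("!H", payload)[0]
        elif kind == 3 and len(payload) == 1:
            found["WScale"] = payload[0]
        elif kind == 8 and len(payload) == 8:
            found["Timestamp"] = struct.unpack("!II", payload)
        elif kind in KNOWN:
            found[KNOWN[kind]] = payload
        else:
            found["Unknown-%d" % kind] = payload
    return found


# Constructed option block (not a capture): MSS 1460, NOP, experimental kind
# 253 carrying two bytes, SAckOK, Timestamp (TSval=1, TSecr=0), WScale 7, EOL.
SAMPLE_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x01" + b"\xfd\x04\xaa\xbb" + b"\x04\x02"
                  + b"\x08\x0a\x00\x00\x00\x01\x00\x00\x00\x00" + b"\x03\x03\x07" + b"\x00")

if __name__ == "__main__":
    print(describe(SAMPLE_OPTIONS))
```

The defensive point is that a parser fed by the network must make progress on every iteration and must treat "I do not know this kind" as "skip it", not "stop validating"; otherwise a single unusual option makes a legitimate response invisible.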
- [NSE] The HTTP response parser now tolerates status lines without a reason phrase, which improves compatibility with some HTTP servers. [nnposter]
- [NSE][GH#1169][GH#1170][GH#1171][GH#1198] Parser for HTTP Set-Cookie header is now more compliant with RFC 6265:
  - empty attributes are tolerated
  - double quotes in cookie and/or attribute values are treated literally
  - attributes with empty values and value-less attributes are parsed equally
  - attributes named "name" or "value" are ignored
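An added illustration of the four rules just listed, not the NSE http library's parser: a Set-Cookie parser plus the check a defender usually runs on the result (are Secure and HttpOnly present?). The flat-dict representation, with the cookie's own "name" and "value" alongside lowercased attribute names, is an assumption of this example; it is also why attributes called "name" or "value" have to be ignored, since they would overwrite the cookie-pair. The header lines are constructed.

```python
# Added example, not the NSE http library's parser: a Set-Cookie parser that
# follows the four rules listed above. The flat dict representation (cookie
# "name" and "value" beside lowercased attributes) is an assumption of this
# example and is the reason attributes named "name"/"value" are dropped.


def parse_set_cookie(header):
    """Parse one Set-Cookie header value; return None if it has no cookie-pair."""
    parts = header.split(";")
    pair = parts[0].strip()
    if "=" not in pair:
        return None
    name, value = pair.split("=", 1)  # the value may itself contain "="
    name = name.strip()
    if not name:
        return None
    # Double quotes are kept literally, neither stripped nor unescaped.
    cookie = {"name": name, "value": value.strip()}
    for attr in parts[1:]:
        attr = attr.strip()
        if not attr:
            continue  # empty attribute, e.g. "a=b;; Path=/", is tolerated
        if "=" in attr:
            aname, aval = attr.split("=", 1)
            aname, aval = aname.strip().lower(), aval.strip()
        else:
            aname, aval = attr.lower(), ""  # value-less == empty value
        if aname in ("name", "value"):
            continue  # would clobber the cookie-pair itself
        cookie[aname] = aval
    return cookie


def parse_set_cookies(headers):
    """Parse every Set-Cookie header of a response, skipping unparsable ones."""
    out = []
    for h in headers:
        c = parse_set_cookie(h)
        if c is not None:
            out.append(c)
    return out


def missing_hardening_flags(cookie):
    """Defender's check: which of Secure / HttpOnly the cookie lacks."""
    return [f for f in ("secure", "httponly") if f not in cookie]


# Constructed response headers, not captured from a real server.
SAMPLE_HEADERS = [
    'sid="abc=123"; Path=/;; Secure; HttpOnly=; name=evil; value=x; Max-Age=3600',
    "theme=dark; Path=/",
    "not-a-cookie",
]

if __name__ == "__main__":
    for c in parse_set_cookies(SAMPLE_HEADERS):
        print(c["name"], missing_hardening_flags(c))
```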
- [NSE][GH#1158] Fix parsing http-grep.match script-arg. [Hans van den Bogert]
- [Zenmap][GH#1177] Avoid a crash when recent_scans.txt cannot be written to. [Daniel Miller]
- Fixed --resume when the path to Nmap contains spaces. Reported on Windows by Adriel Desautels. [Daniel Miller]
- New service probe and match lines for adb, the Android Debug Bridge, which allows remote code execution and is left enabled by default on many devices. [Daniel Miller]
Nmap 7.70 [2018-03-20]
- [Windows] We made a ton of improvements to our Npcap Windows packet capturing library (https://npcap.com/) for greater performance and stability, as well as smoother installer and better 802.11 raw frame capturing support. Nmap 7.70 updates the bundled Npcap from version 0.93 to 0.99-r2, including all these changes from the last seven Npcap releases: https://npcap.com/changelog
- Integrated all of your service/version detection fingerprints submitted from March 2017 to August 2017 (728 of them). The signature count went up 1.02% to 11,672, including 26 new softmatches. We now detect 1224 protocols from filenet-pch, lscp, and netassistant to sharp-remote, urbackup, and watchguard. We will try to integrate the remaining submissions in the next release.
- Integrated all of your IPv4 OS fingerprint submissions from September 2016 to August 2017 (667 of them). Added 298 fingerprints, bringing the new total to 5,652. Additions include iOS 11, macOS Sierra, Linux 4.14, Android 7, and more.
- Integrated all 33 of your IPv6 OS fingerprint submissions from September 2016 to August 2017. New groups for OpenBSD 6.0 and FreeBSD 11.0 were added, as well as strengthened groups for Linux and OS X.
- Added the --resolve-all option to resolve and scan all IP addresses of a host. This essentially replaces the resolveall NSE script. [Daniel Miller]
- [NSE][SECURITY] Nmap developer nnposter found a security flaw (directory traversal vulnerability) in the way the non-default http-fetch script sanitized URLs. If a user manually ran this NSE script against a malicious web server, the server could potentially (depending on NSE arguments used) cause files to be saved outside the intended destination directory. Existing files couldn't be overwritten. We fixed http-fetch, audited our other scripts to ensure they didn't make this mistake, and updated the httpspider library API to protect against this by default. [nnposter, Daniel Miller]
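The class of bug described above is what any script that turns server-supplied URLs into file names has to guard against. The block below is an added illustration of that guard, not http-fetch's or httpspider's actual code: it decodes the URL path first, refuses any segment that is ".." or carries a separator another OS would honour, and then confirms the normalized result still lies under the destination directory. The one-flat-tree layout, the default file name and POSIX-style paths are assumptions of this example.

```python
# Added example, not http-fetch's own code: the containment check a script
# that writes fetched files to disk needs. Destination layout (one flat tree
# under dest_dir, host ignored) and the default file name are assumptions of
# this example; paths are handled POSIX-style.
import posixpath
from urllib.parse import unquote, urlsplit


def safe_save_path(dest_dir, url, default_name="index.html"):
    """Map a URL's path to a file path inside dest_dir, or return None if any
    segment would let the server steer the write outside dest_dir."""
    path = unquote(urlsplit(url).path)  # decode %2e%2e and friends first
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        # Refuse rather than "repair": a traversal segment, or a byte another
        # OS would treat as a separator or terminator, ends the attempt.
        if seg == ".." or "\\" in seg or "\x00" in seg:
            return None
        segments.append(seg)
    if not segments or path.endswith("/"):
        segments.append(default_name)
    root = posixpath.normpath(dest_dir)
    candidate = posixpath.normpath(posixpath.join(root, *segments))
    # Belt and braces: the normalized result must still sit under root.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


# Constructed URLs exercising the normal case and the rejected ones.
SAMPLE_URLS = [
    "http://example.test/img/logo.png",
    "http://example.test/",
    "http://example.test/../../etc/passwd",
    "http://example.test/a/%2e%2e/%2e%2e/x",
    "http://example.test/a%5c..%5cx",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", safe_save_path("downloads", u))
```

Rejecting is preferable to collapsing ".." silently: a URL that needs traversal to resolve is never something a fetcher should be writing, and refusing it makes the hostile input visible in the script's output instead of quietly renaming it.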
- [NSE]Added 9 NSE scripts, from 8 authors, bringing the total up to 588!They are all listed athttps://nmap.org/nsedoc/, and the summaries arebelow:
- deluge-rpc-brute performs brute-force credential testing against DelugeBitTorrent RPC services, using the newzlib library. [Claudiu Perta]
- hostmap-crtsh lists subdomains by querying Google's CertificateTransparency logs. [Paulino Calderon]
- [GH#892]http-bigip-cookie decodes unencrypted F5 BIG-IP cookies andreports back the IP address and port of the actual server behind theload-balancer. [Seth Jackson]
- http-jsonp-detection Attempts to discover JSONP endpoints in web servers.JSONP endpoints can be used to bypass Same-origin Policy restrictions inweb browsers. [Vinamra Bhatia]
- http-trane-info obtains information from Trane Tracer SC controllers andconnected HVAC devices. [Pedro Joaquin]
- [GH#609]nbd-info uses the newnbd.lua library to query Network BlockDevices for protocol and file export information. [Mak Kolybabi]
- rsa-vuln-roca checks for RSA keys generated by Infineon TPMsvulnerable to Return Of Coppersmith Attack (ROCA) (CVE-2017-15361). ChecksSSH and TLS services. [Daniel Miller]
- [GH#987]smb-enum-services retrieves the list of services running on aremote Windows machine. Modern Windows systems requires a privileged domainaccount in order to list the services. [Rewanth Cool]
- tls-alpn checks TLS servers for Application Layer Protocol Negotiation(ALPN) support and reports supported protocols. ALPN largely replaces NPN,whichtls-nextprotoneg was written for. [Daniel Miller]
- [GH#978]Fixed Nsock on Windows giving errors when selecting on STDIN. Thiswas causing Ncat 7.60 in connect mode to quit with error: libnsockselect_loop(): nsock_loop error 10038: An operation was attempted onsomething that is not a socket. [nnposter]
- [Ncat][GH#197][GH#1049]Fix --ssl connections from dropping onrenegotiation, the same issue that was partially fixed for server mode in[GH#773]. Reported on Windows with -e by pkreuzt and vinod272. [DanielMiller]
- [NSE][GH#1062][GH#1149]Some changes tobrute.lua to better handlemisbehaving or rate-limiting services. Most significantly,brute.killstagnated now defaults to true. Thanks to xp3s and Adamtimtim forreporing infinite loops and proposing changes.
- [NSE]VNC scripts now support Apple Remote Desktop authentication (auth type30) [Daniel Miller]
- [NSE][GH#1111]Fix a script crash inftp.lua when PASV connection timed out.[Aniket Pandey]
- [NSE][GH#1114]Updatebitcoin-getaddr to receive more than one responsemessage, since the first message usually only has one address in it. [h43z]
- [Ncat][GH#1139]Ncat now selects the correct default port for a given proxytype. [Pavel Zhukov]
- [NSE]memcached-info can now gather information from the UDP memcachedservice in addition to the TCP service. The UDP service is frequently used asa DDoS reflector and amplifier. [Daniel Miller]
- [NSE][GH#1129]Changed url.absolute() behavior with respect to dot anddot-dot path segments to comply with RFC 3986, section 5.2. [nnposter]
- Removed deprecated and undocumented aliases for several long options thatused underscores instead of hyphens, such as --max_retries. [Daniel Miller]
- Improved service scan's treatment of soft matches in two ways. First of all,any probes that could result in a full match with the soft matched servicewill now be sent, regardless of rarity. This improves the chances ofmatching unusual services on non-standard ports. Second, probes are nowskipped if they don't contain any signatures for the soft matched service.Previously the probes would still be run as long as the target port numbermatched the probe's specification. Together, these changes should makeservice/version detection faster and more accurate. For more details on howit works, seehttps://nmap.org/book/vscan.html. [Daniel Miller]
- --version-all now turns off the soft match optimization, ensuring that allprobes really are sent, even if there aren't any existing match lines forthe softmatched service. This is slower, but gives the most comprehensiveresults and produces better fingerprints for submission. [Daniel Miller]
- [NSE][GH#1083]New set of Telnet softmatches for version detection based onTelnet DO/DON'T options offered, covering a wide variety of devices andoperating systems. [D Roberson]
- [GH#1112] Resolved crash opportunities caused by unexpected libpcap version string format. [Gisle Vanem, nnposter]
- [NSE][GH#1090] Fix false positives in rexec-brute by checking responses for indications of login failure. [Daniel Miller]
- [NSE][GH#1099] Fix http-fetch to keep downloaded files in separate destination directories. [Aniket Pandey]
- [NSE] Added new fingerprints to http-default-accounts:
  - Hikvision DS-XXX Network Camera and NUOO DVR [Paulino Calderon]
  - [GH#1074] ActiveMQ, Purestorage, and Axis Network Cameras [Rob Fitzpatrick, Paulino Calderon]
- Added a new service detection match for WatchGuard Authentication Gateway. [Paulino Calderon]
- [NSE][GH#1038][GH#1037] Script qscan was not observing interpacket delays (parameter qscan.delay). [nnposter]
- [NSE][GH#1046] Script http-headers now fails properly if the target does not return a valid HTTP response. [spacewander]
- [Ncat][Nsock][GH#972] Remove RC4 from the list of TLS ciphers used by default, in accordance with RFC 7465. [Codarren Velvindron]
- [NSE][GH#1022] Fix a false positive condition in ipmi-cipher-zero caused by not checking the error code in responses. Implementations which return an error are not vulnerable. [Juho Jokelainen]
- [NSE][GH#958] Two new libraries for NSE.
  - idna - Support for internationalized domain names in applications (IDNA)
  - punycode (a transfer encoding syntax used in IDNA)
- [NSE] New fingerprints for http-enum:
- [GH#981][GH#984][GH#996][GH#975] Fixed Ncat proxy authentication issues:
  - Usernames and/or passwords could not be empty
  - Passwords could not contain colons
  - SOCKS5 authentication was not properly documented
  - SOCKS5 authentication had a memory leak
- [GH#1009][GH#1013] Fixes to autoconf header files to allow autoreconf to be run. [Lukas Schwaighofer]
- [GH#977] Improved DNS service version detection coverage and consistency by using data from a Project Sonar Internet wide survey. Numerous false positives were removed and reliable softmatches added. Match lines for version.bind responses were also consolidated using the technique below. [Tom Sellers]
- [GH#977] Changed version probe fallbacks so as to work cross protocol (TCP/UDP). This enables consolidating match lines for services where the responses on TCP and UDP are similar. [Tom Sellers]
- [NSE][GH#532] Added the zlib library for NSE so scripts can easily handle compression. This work started during GSOC 2014, so we're particularly pleased to finally integrate it! [Claudiu Perta, Daniel Miller]
- [NSE][GH#1004] Fixed handling of brute.retries variable. It was being treated as the number of tries, not retries, and a value of 0 would result in infinite retries. Instead, it is now the number of retries, defaulting to 2 (3 total tries), with no option for infinite retries.
- [NSE] http-devframework-fingerprints.lua supports Jenkins server detection and returns extra information when Jenkins is detected. [Vinamra Bhatia]
- [GH#926] The rarity level of MS SQL's service detection probe was decreased. Now we can find MS SQL in odd ports without increasing version intensity. [Paulino Calderon]
- [GH#957] Fix reporting of zlib and libssh2 versions in "nmap --version". We were always reporting the version number of the included source, even when a different version was actually linked. [Pavel Zhukov]
- Add a new helper function for nmap-service-probes match lines: $I(1,">") will unpack an unsigned big-endian integer value up to 8 bytes wide from capture 1. The second option can be "<" for little-endian. [Daniel Miller]
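A worked model of the $I helper described in the entry above, added here as an example; it is not Nmap's own implementation (which lives in Nmap's C++ service scan code) but reproduces the stated semantics of $I(N,order) next to plain $N substitution. The banner, pattern and version template below are constructed for illustration; other nmap-service-probes helpers are not modelled.

```python
"""Model of nmap-service-probes version-field substitution for $N and $I(N,order).

Added example, not Nmap code. The sample banner/pattern/template are constructed.
"""
import re
from typing import Optional, Sequence

# $1, $2, ... (raw capture) or $I(1,">") / $I(2,"<") (capture unpacked as an integer).
_SUBST_RE = re.compile(r'\$(?:(\d+)|I\((\d+),"([<>])"\))')


def unpack_uint(capture: bytes, order: str) -> int:
    """Unpack an unsigned integer of 1..8 bytes; ">" big-endian, "<" little-endian."""
    if not 1 <= len(capture) <= 8:
        raise ValueError(f"$I: capture must be 1..8 bytes wide, got {len(capture)}")
    if order not in ("<", ">"):
        raise ValueError(f"$I: unknown byte order {order!r}")
    return int.from_bytes(capture, "big" if order == ">" else "little")


def expand_template(template: str, captures: Sequence[bytes]) -> str:
    """Expand $N and $I(N,order) in a version field; captures[0] is capture 1."""
    def get(idx: int) -> bytes:
        if not 1 <= idx <= len(captures):
            raise ValueError(f"capture {idx} does not exist (have {len(captures)})")
        return captures[idx - 1]

    def repl(m: "re.Match[str]") -> str:
        if m.group(1):                                   # plain $N
            return get(int(m.group(1))).decode("latin-1")
        idx, order = int(m.group(2)), m.group(3)         # $I(N,order)
        return str(unpack_uint(get(idx), order))

    return _SUBST_RE.sub(repl, template)


def match_banner(pattern: bytes, template: str, banner: bytes) -> Optional[str]:
    """Apply a match regex to a banner and expand the version template, or None."""
    m = re.search(pattern, banner, re.DOTALL)
    if not m:
        return None
    return expand_template(template, m.groups())


# Constructed sample: a made-up binary banner carrying a 2-byte big-endian
# protocol version (3) followed by a 4-byte little-endian build number (298).
SAMPLE_BANNER = b"XPRO" + b"\x00\x03" + b"\x2a\x01\x00\x00" + b"\x00"
SAMPLE_PATTERN = rb"^XPRO(..)(....)\x00"
SAMPLE_TEMPLATE = 'v$I(1,">") build $I(2,"<")'

if __name__ == "__main__":
    print(match_banner(SAMPLE_PATTERN, SAMPLE_TEMPLATE, SAMPLE_BANNER))  # v3 build 298
```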

Nmap 7.60 [2017-07-31]
- [Windows] Updated the bundled Npcap from 0.91 to 0.93, fixing several issues with installation and compatibility with the Windows 10 Creators Update.
- [NSE][GH#910] NSE scripts now have complete SSH support via libssh2, including password brute-forcing and running remote commands, thanks to the combined efforts of three Summer of Code students: [Devin Bjelland, Sergey Khegay, Evangelos Deirmentzoglou]
- [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 579! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
  - ftp-syst sends SYST and STAT commands to FTP servers to get system version and connection information. [Daniel Miller]
  - [GH#916] http-vuln-cve2017-8917 checks for an SQL injection vulnerability affecting Joomla! 3.7.x before 3.7.1. [Wong Wai Tuck]
  - iec-identify probes for the IEC 60870-5-104 SCADA protocol. [Aleksandr Timorin, Daniel Miller]
  - [GH#915] openwebnet-discovery retrieves device identifying information and number of connected devices running on openwebnet protocol. [Rewanth Cool]
  - puppet-naivesigning checks for a misconfiguration in the Puppet CA where naive signing is enabled, allowing for any CSR to be automatically signed. [Wong Wai Tuck]
  - [GH#943] smb-protocols discovers if a server supports dialects NT LM 0.12 (SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old smbv2-enabled script. [Paulino Calderon]
  - [GH#943] smb2-capabilities lists the supported capabilities of SMB2/SMB3 servers. [Paulino Calderon]
  - [GH#943] smb2-time determines the current date and boot date of SMB2 servers. [Paulino Calderon]
  - [GH#943] smb2-security-mode determines the message signing configuration of SMB2/SMB3 servers. [Paulino Calderon]
  - [GH#943] smb2-vuln-uptime attempts to discover missing critical patches in Microsoft Windows systems based on the SMB2 server uptime. [Paulino Calderon]
  - ssh-auth-methods lists the authentication methods offered by an SSH server. [Devin Bjelland]
  - ssh-brute performs brute-forcing of SSH password credentials. [Devin Bjelland]
  - ssh-publickey-acceptance checks public or private keys to see if they could be used to log in to a target. A list of known-compromised key pairs is included and checked by default. [Devin Bjelland]
  - ssh-run uses user-provided credentials to run commands on targets via SSH. [Devin Bjelland]
- [NSE] Removed smbv2-enabled, which was incompatible with the new SMBv2/3 improvements. It was fully replaced by the smb-protocols script.
- [Ncat][GH#446] Added Datagram TLS (DTLS) support to Ncat in connect (client) mode with --udp --ssl. Also added Application Layer Protocol Negotiation (ALPN) support with the --ssl-alpn option. [Denis Andzakovic, Daniel Miller]
- Updated the default ciphers list for Ncat and the secure ciphers list for Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH ciphersuites, anonymous ECDH suites were being allowed. [Daniel Miller]
- [NSE][GH#930] Fix ndmp-version and ndmp-fs-info when scanning Veritas Backup Exec Agent 15 or 16. [Andrew Orr]
- [NSE][GH#943] Added new SMB2/3 library and related scripts. [Paulino Calderon]
- [NSE][GH#950] Added wildcard detection to dns-brute. Only hostnames that resolve to unique addresses will be listed. [Aaron Heesakkers]
- [NSE] FTP scripts like ftp-anon and ftp-brute now correctly handle TLS-protected FTP services and use STARTTLS when necessary. [Daniel Miller]
- [NSE][GH#936] Function url.escape no longer encodes so-called "unreserved" characters, including hyphen, period, underscore, and tilde, as per RFC 3986. [nnposter]
- [NSE][GH#935] Function http.pipeline_go no longer assumes that persistent connections are supported on HTTP 1.0 targets (unless the target explicitly declares otherwise), as per RFC 7230. [nnposter]
- [NSE][GH#934] The HTTP response object has a new member, version, which contains the HTTP protocol version string returned by the server, e.g. "1.0". [nnposter]
- [NSE][GH#938] Fix handling of the objectSID Active Directory attribute by ldap.lua. [Tom Sellers]
- [NSE] Fix line endings in the list of Oracle SIDs used by oracle-sid-brute. Carriage Return characters were being sent in the connection packets, likely resulting in failure of the script. [Anant Shrivastava]
- [NSE][GH#141] http-useragent-checker now checks for changes in HTTP status (usually 403 Forbidden) in addition to redirects to indicate forbidden User Agents. [Gyanendra Mishra]

Nmap 7.50 [2017-06-13]
- [Windows] Updated the bundled Npcap from 0.78 to 0.91, with several bugfixes for WiFi connectivity problems and stability issues. [Daniel Miller, Yang Luo]
- Integrated all of your service/version detection fingerprints submitted from September to March (855 of them). The signature count went up 2.9% to 11,418. We now detect 1193 protocols from apachemq, bro, and clickhouse to jmon, slmp, and zookeeper. Highlights: http://seclists.org/nmap-dev/2017/q2/140
- [NSE] Added 14 NSE scripts from 12 authors, bringing the total up to 566! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
  - [GH#743] broadcast-ospf2-discover discovers OSPF 2 routers and neighbors. OSPFv2 authentication is supported. [Emiliano Ticci]
  - [GH#671] cics-info checks IBM TN3270 services for CICS transaction services and extracts useful information. [Soldier of Fortran]
  - [GH#671] cics-user-brute does brute-force enumeration of CICS usernames on IBM TN3270 services. [Soldier of Fortran]
  - [GH#669] http-cookie-flags checks HTTP session cookies for HTTPOnly and Secure flags. [Steve Benson]
  - http-security-headers checks for the HTTP response headers related to security given in OWASP Secure Headers Project, giving a brief description of the header and its configuration value. [Vinamra Bhatia, Ícaro Torres]
  - [GH#740][GH#759] http-vuln-cve2017-5638 checks for the RCE bug in Apache Struts2. [Seth Jackson]
  - [GH#876] http-vuln-cve2017-5689 detects a privilege escalation vulnerability (INTEL-SA-00075) in Intel Active Management Technology (AMT) capable systems. [Andrew Orr]
  - http-vuln-cve2017-1001000 detects a privilege escalation vulnerability in Wordpress 4.7.0 and 4.7.1 (CVE-2017-1001000). [Vinamra Bhatia]
  - [GH#713] impress-remote-discover attempts to pair with the LibreOffice Impress presentation remote service and extract version info. Pairing is PIN-protected, and the script can optionally brute-force the PIN. New service probe and match line also added. [Jeremy Hiebert]
  - [GH#854] smb-double-pulsar-backdoor detects the Shadow Brokers-leaked Double Pulsar backdoor in Windows SMB servers. [Andrew Orr]
  - smb-vuln-cve-2017-7494 detects a remote code execution vulnerability affecting Samba versions 3.5.0 and greater with writable shares. [Wong Wai Tuck]
  - smb-vuln-ms17-010 detects a critical remote code execution vulnerability affecting SMBv1 servers in Microsoft Windows systems (ms17-010). The script also reports patched systems. [Paulino Calderon]
  - [GH#686] tls-ticketbleed checks for the Ticketbleed vulnerability (CVE-2016-9244) in F5 BIG-IP appliances. [Mak Kolybabi]
  - vmware-version queries VMWare SOAP API for version and product information. Submitted in 2011, this was mistakenly turned into a service probe that was unable to elicit any matches. [Aleksey Tyurin]
- [Ncat] A series of changes and fixes based on feedback from the Red Hat community:
  - [GH#157] Ncat will now continue trying to connect to each resolved address for a hostname before declaring the connection refused, allowing it to fall back from IPv6 to IPv4 or to connect to names that use DNS failover. [Jaromir Koncicky, Michal Hlavinka]
  - The --no-shutdown option now also works in connect mode, not only in listen mode.
  - Made -i/--idle-timeout not cause Ncat in server mode to close while waiting for an initial connection. This was also causing -i to interfere with the HTTP proxy server mode. [Carlos Manso, Daniel Miller]
  - [GH#773] Ncat in server mode properly handles TLS renegotiations and other situations where SSL_read returns a non-fatal error. This was causing SSL-over-TCP connections to be dropped. [Daniel Miller]
  - Enable --ssl-ciphers to be used with Ncat in client mode, not only in server (listen) mode. [Daniel Miller]
- [NSE] New fingerprints for http-enum:
- [NSE][GH#266][GH#704][GH#238][GH#883] NSE libraries smb and msrpc now use fully qualified paths. SMB scripts now work against all modern versions of Microsoft Windows. [Paulino Calderon]
- [NSE] smb library's share_get_list now properly uses anonymous connections first before falling back to authenticating as a known user.
- New service probes and matches for Apache HBase and Hadoop MapReduce. [Paulino Calderon]
- Extended Memcached service probe and added match for Apache ZooKeeper. [Paulino Calderon]
- [NSE] New script argument "vulns.short" will reduce vulns library script output to a single line containing the target name or IP, the vulnerability state, and the CVE ID or title of the vulnerability. [Daniel Miller]
- [NSE][GH#862] SNMP scripts will now take a community string provided like `--script-args creds.snmp=private`, which previously did not work because it was interpreted as a username. [Daniel Miller]
- [NSE] Resolved several issues in the default HTTP redirect rules: [nnposter]
- [NSE][GH#766] The HTTP Host header will now include the port unless it is the default one for a given scheme. [nnposter]
- [NSE] The HTTP response object has a new member, fragment, which contains a partially received body (if any) when the overall request fails to complete. [nnposter]
- [NSE][GH#866] NSE now allows cookies to have arbitrary attributes, which are silently ignored (in accordance with RFC 6265). Unrecognized attributes were previously causing HTTP requests with such cookies to fail. [nnposter]
- [NSE][GH#844] NSE now correctly parses a Set-Cookie header that has unquoted whitespace in the cookie value (which is allowed per RFC 6265). [nnposter]
- [NSE][GH#731] NSE is now able to process HTTP responses with a Set-Cookie header that has an extraneous trailing semicolon. [nnposter]
- [NSE][GH#708] TLS SNI now works correctly for NSE HTTP requests initiated with option any_af. As an added benefit, option any_af is now available for all connections via comm.lua, not just HTTP requests. [nnposter]
- [NSE][GH#781] There is a new common function, url.get_default_port(), to obtain the default port number for a given scheme. [nnposter]
- [NSE][GH#833] Function url.parse() now returns the port part as a number, not a string. [nnposter]
- No longer allow ICMP Time Exceeded messages to mark a host as down during host discovery. Running traceroute at the same time as Nmap was causing interference. [David Fifield]
- [NSE][GH#807] Fixed a JSON library issue that was causing long integers to be expressed in the scientific/exponent notation. [nnposter]
- [NSE] Fixed several potential hangs in NSE scripts that used receive_buf(pattern), which will not return if the service continues to send data that does not match pattern. A new function in match.lua, pattern_limit, is introduced to limit the number of bytes consumed while searching for the pattern. [Daniel Miller, Jacek Wielemborek]
- [Nsock] Handle any and all socket connect errors the same: raise as an Nsock error instead of fatal. This prevents Nmap and Ncat from quitting with "Strange error from connect:" [Daniel Miller]
- [NSE] Added several commands to redis-info to extract listening addresses, connected clients, active channels, and cluster nodes. [Vasiliy Kulikov]
- [NSE][GH#679][GH#681] Refreshed script http-robtex-reverse-ip, reflecting changes at the source site (www.robtex.com). [aDoN]
- [NSE][GH#629] Added two new fingerprints to http-default-accounts (APC Management Card, older NetScreen ScreenOS). [Steve Benson, nnposter]
- [NSE][GH#716] Fix for oracle-tns-version which was sending an invalid TNS probe due to a string escaping mixup. [Alexandr Savca]
- [NSE][GH#694] ike-version now outputs information about supported attributes and unknown vendor ids. Also, a new fingerprint for FortiGate VPNs was submitted by Alexis La Goutte. [Daniel Miller]
- [GH#700] Enabled support for TLS SNI on the Windows platform. [nnposter]
- [GH#649] New service probe and match lines for the JMON and RSE services of IBM Explorer for z/OS. [Soldier of Fortran]
- Removed a duplicate service probe for Memcached added in 2011 (the original probe was added in 2008) and reported as duplicate in 2013 by Pavel Kankovsky.
- New service probe and match line for NoMachine NX Server remote desktop. [Justin Cacak]
- [Zenmap] Fixed a recurring installation problem on OS X/macOS where Zenmap was installed to /Applications/Applications/Zenmap.app instead of /Applications/Zenmap.app.
- [Zenmap][GH#639] Zenmap will no longer crash when no suitable temporary directory is found. Patches contributed by [Varunram Ganesh] and [Sai Sundhar]
- [Zenmap][GH#626] Zenmap now properly handles the -v0 (no output) option, which was added in Nmap 7.10. Previously, this was treated the same as not specifying -v at all. [lymanZerga11]
- [GH#630] Updated or removed some OpenSSL library calls that were deprecated in OpenSSL 1.1. [eroen]
- [NSE] Script ssh-hostkey now recognizes and reports Ed25519 keys. [nnposter]
- [NSE][GH#627] Fixed script hang in several brute scripts due to the "threads" script-arg not being converted to a number. Error message was "nselib/brute.lua:1188: attempt to compare number with string" [Arne Beer]

Nmap 7.40 [2016-12-20]
- [Windows] Updated the bundled Npcap from 0.10r9 to 0.78r5, with an improved installer experience, driver signing updates to work with Windows 10 build 1607, and bugfixes for WiFi connectivity problems. [Yang Luo, Daniel Miller]
- Integrated all of your IPv4 OS fingerprint submissions from April to September (568 of them). Added 149 fingerprints, bringing the new total to 5,336. Additions include Linux 4.6, macOS 10.12 Sierra, NetBSD 7.0, and more. Highlights: http://seclists.org/nmap-dev/2016/q4/110 [Daniel Miller]
- Integrated all of your service/version detection fingerprints submitted from April to September (779 of them). The signature count went up 3.1% to 11,095. We now detect 1161 protocols, from airserv-ng, domaintime, and mep to nutcracker, rhpp, and usher. Highlights: http://seclists.org/nmap-dev/2016/q4/115 [Daniel Miller]
- Fix reverse DNS on Windows which was failing with the message "mass_dns: warning: Unable to determine any DNS servers." This was because the interface GUID comparison needed to be case-insensitive. [Robert Croteau]
- [NSE] Added 12 NSE scripts from 4 authors, bringing the total up to 552! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
  - cics-enum enumerates CICS transaction IDs, mapping to screens in TN3270 services. [Soldier of Fortran]
  - cics-user-enum brute-forces usernames for CICS users on TN3270 services. [Soldier of Fortran]
  - fingerprint-strings will print the ASCII strings it finds in the service fingerprints that Nmap shows for unidentified services. [Daniel Miller]
  - [GH#606] ip-geolocation-map-bing renders IP geolocation data as an image via Bing Maps API. [Mak Kolybabi]
  - [GH#606] ip-geolocation-map-google renders IP geolocation data as an image via Google Maps API. [Mak Kolybabi]
  - [GH#606] ip-geolocation-map-kml records IP geolocation data in a KML file for import into other mapping software. [Mak Kolybabi]
  - nje-pass-brute brute-forces the password to a NJE node, given a valid RHOST and OHOST. Helpfully, nje-node-brute can now brute force both of those values. [Soldier of Fortran]
  - [GH#557] ssl-cert-intaddr will search for private IP addresses in TLS certificate fields and extensions. [Steve Benson]
  - tn3270-screen shows the login screen from mainframe TN3270 Telnet services, including any hidden fields. The script is accompanied by the new tn3270 library. [Soldier of Fortran]
  - tso-enum enumerates usernames for TN3270 Telnet services. [Soldier of Fortran]
  - tso-brute brute-forces passwords for TN3270 Telnet services. [Soldier of Fortran]
  - vtam-enum brute-forces VTAM application IDs for TN3270 services. [Soldier of Fortran]
- [NSE][GH#518] Brute scripts are faster and more accurate. New feedback and adaptivity mechanisms in brute.lua help brute scripts use resources more efficiently, dynamically changing number of threads based on protocol messages like FTP 421 errors, network errors like timeouts, etc. [Sergey Khegay]
- [GH#353] New option --defeat-icmp-ratelimit dramatically reduces UDP scan times in exchange for labeling unresponsive (and possibly open) ports as "closed|filtered". Ports which give a UDP protocol response to one of Nmap's scanning payloads will be marked "open". [Sergey Khegay]
- [NSE][GH#533] Removed ssl-google-cert-catalog, since Google shut off that service at some point. Reported by Brian Morin.
- [NSE][GH#606] New NSE library, geoip.lua, provides a common framework for storing and retrieving IP geolocation results. [Mak Kolybabi]
- [Ncat] Restore the connection success message that Ncat prints with -v. This was accidentally suppressed when not using -z.
- [GH#316] Added scan resume from Nmap's XML output. Now you can --resume a canceled scan from all 3 major output formats: -oN, -oG, and -oX. [Tudor Emil Coman]
- [Ndiff][GH#591] Fix a bug where hosts with the same IP but different hostnames were shown as changing hostnames between scans. Made sort stable with regard to hostnames. [Daniel Miller]
- [NSE][GH#540] Add tls.servername script-arg for forcing a name to be used for TLS Server Name Indication extension. The argument overrides the default use of the host's targetname. [Bertrand Bonnefoy-Claudet]
- [GH#505] Updated Russian translation of Zenmap by Alexander Kozlov.
- [NSE][GH#588] Fix a crash in smb.lua when using smb-ls due to a floating-point number being passed to os.time ("bad argument"). [Dallas Winger]
- [NSE][GH#596] Fix a bug in mysql.lua that caused authentication failures in mysql-brute and other scripts due to including a null terminator in the salt value. This bug affects Nmap 7.25BETA2 and later releases. [Daniel Miller]
- The --open option now implies --defeat-rst-ratelimit. This may result in inaccuracies in the numbers of "Not shown:" closed and filtered ports, but only in situations where it also speeds up scan times. [Daniel Miller]
- [NSE] Added known Diffie-Hellman parameters for haproxy, postfix, and IronPort to ssl-dh-params. [Frank Bergmann]
- Added service probe for ClamAV servers (clam), an open source antivirus engine used in mail scanning. [Paulino Calderon]
- Added service probe and UDP payload for Quick UDP Internet Connection (QUIC), a secure transport developed by Google and used with HTTP/2. [Daniel Miller]
- [NSE] Enabled resolveall to run against any target provided as a hostname, so the resolveall.hosts script-arg is no longer required. [Daniel Miller]
- [NSE] Revised script http-default-accounts in several ways [nnposter]:
  - Added 21 new fingerprints, plus broadened 5 to cover more variants.
  - [GH#577] It can now test systems that return status 200 for non-existent pages.
  - [GH#604] Implemented XML output. Layout of the classic text output has also changed, including reporting blank usernames or passwords as "<blank>", instead of just empty strings.
  - Added CPE entries to individual fingerprints (where known). They are reported only in the XML output.
- [NSE][GH#573] Updated http.lua to allow processing of HTTP responses with malformed header names. Such header lines are still captured in the rawheader list but skipped otherwise. [nnposter]
- [GH#416] New service probe and match line for iperf3. [Eric Gershman]
- [NSE][GH#555] Add Drupal to the set of web apps brute forced by http-form-brute. [Nima Ghotbi]

Nmap 7.31 [2016-10-20]
- [Windows] Updated the bundled Npcap from 0.10r2 to 0.10r9, bringing increased stability, bug fixes, and raw 802.11 WiFi capture (unused by Nmap). Further details on these changes can be found at https://github.com/nmap/npcap/releases. [Yang Luo]
- Fixed the way Nmap handles scanning names that resolve to the same IP. Due to changes in 7.30, the IP was only being scanned once, with bogus results displayed for the other names. The previous behavior is now restored. [Tudor Emil Coman]
- [Nping][GH#559] Fix Nping's ability to use Npcap on Windows. A privilege check was performed too late, so the Npcap loading code assumed the user had no rights. [Yang Luo, Daniel Miller]
- [GH#350] Fix an assertion failure due to floating point error in equality comparison, which triggered mainly on OpenBSD:
    assertion "diff <= interval" failed: file "timing.cc", line 440
  This was reported earlier as [GH#472] but the assertion fixed there was a different one. [David Carlier]
- [Zenmap] Fix a crash in the About page in the Spanish translation due to a missing format specifier:
    File "zenmapGUI\About.pyo", line 217, in __init__
    TypeError: not all arguments converted during string formatting
  [Daniel Miller]
- [Zenmap][GH#556] Better visual indication that display of hostname is tied to address in the Topology page. You can show numeric addresses with hostnames or without, but you can't show hostnames without numeric addresses when they are not available. [Daniel Miller]
- To increase the number of IPv6 fingerprint submissions, a prompt for submission will be shown with some random chance for successful matches of OS classes that are based on only a few submissions. Previously, only unsuccessful matches produced such a prompt. [Daniel Miller]

Nmap 7.30 [2016-09-29]
- Integrated all 12 of your IPv6 OS fingerprint submissions from June to September. No new groups, but several classifications were strengthened, especially Windows localhost and OS X. [Daniel Miller]
- [NSE] Added 7 NSE scripts, from 3 authors, bringing the total up to 541! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
  - [GH#369] coap-resources grabs the list of available resources from CoAP endpoints. [Mak Kolybabi]
  - fox-info retrieves detailed version and configuration info from Tridium Niagara Fox services. [Stephen Hilt]
  - ipmi-brute performs authentication brute-forcing on IPMI services. [Claudiu Perta]
  - ipmi-cipher-zero checks IPMI services for Cipher Zero support, which allows connection without a password. [Claudiu Perta]
  - ipmi-version retrieves protocol version and authentication options from ASF-RMCP (IPMI) services. [Claudiu Perta]
  - [GH#352] mqtt-subscribe connects to a MQTT broker, subscribes to topics, and lists the messages received. [Mak Kolybabi]
  - pcworx-info retrieves PLC model, firmware version, and date from Phoenix Contact PLCs. [Stephen Hilt]
- Upgraded Npcap, our new Windows packet capturing driver/library, from version 0.09 to 0.10r2. This includes many bug fixes, with a particular emphasis on concurrency issues discovered by running hundreds of Nmap instances at a time. More details are available from https://github.com/nmap/npcap/releases. [Yang Luo, Daniel Miller, Fyodor]
- New service probes and match lines for DTLS, IPMI-RMCP, MQTT, PCWorx, ProConOS, and Tridium Fox. [Stephen Hilt, Mak Kolybabi, Daniel Miller]
- Improved some output filtering to remove or escape carriage returns ('\r') that could allow output spoofing by overwriting portions of the screen. Issue reported by Adam Rutherford. [Daniel Miller]
- [NSE] Fixed a few bad Lua patterns that could result in denial of service due to excessive backtracking. [Adam Rutherford, Daniel Miller]
- Fixed a discrepancy between the number of targets selected with -iR and the number of hosts scanned, resulting in output like "Nmap done: 1033 IP addresses" when the user specified -iR 1000. [Daniel Miller]
- Fixed a bug in port specification parsing that could cause extraneous 'T', 'U', 'S', and 'P' characters to be ignored when they should have caused an error. [David Fifield]
- [GH#543] Restored compatibility with LibreSSL, which was lost in adding library version checks for OpenSSL 1.1. [Wonko7]
- [Zenmap] Fixed a bug in the Compare Scans window of Zenmap on OS X resulting in this message instead of Ndiff output:
    ImportError: dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so, 2): no suitable image found. Did find:
    /Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so: mach-o, but wrong architecture
  Reported by Kyle Gustafson. [Daniel Miller]
- [NSE] Fixed a bug in ssl-enum-ciphers and ssl-dh-params which caused them to not output TLSv1.2 info with DHE ciphersuites or others involving ServerKeyExchange messages. [Daniel Miller]
- [NSE] Added X509v3 extension parsing to NSE's sslcert code. ssl-cert now shows the Subject Alternative Name extension; all extensions are shown in the XML output. [Daniel Miller]

Nmap 7.25BETA2 [2016-09-01]
- [GH#376] Windows binaries are now code-signed with our "Insecure.Com LLC" SHA256 certificate. This should give our users extra peace-of-mind and avoid triggering Microsoft's ever-increasing security warnings.
- [NSE] Upgraded NSE to Lua 5.3, adding bitwise operators, integer data type, a utf8 library, and native binary packing and unpacking functions. Removed bit library, added bits.lua, replaced base32, base64, and bin libraries. [Patrick Donnelly]
- [NSE] Added 2 NSE scripts, bringing the total up to 534! They are both listed at https://nmap.org/nsedoc/, and the summaries are below:
  - oracle-tns-version decodes the version number from Oracle Database Server's TNS listener. [Daniel Miller]
  - clock-skew analyzes and reports clock skew between Nmap and services that report timestamps, grouping hosts with similar skews. [Daniel Miller]
- Integrated all of your service/version detection fingerprints submitted from January to April (578 of them). The signature count went up 2.2% to 10760. We now detect 1122 protocols, from elasticsearch, fhem, and goldengate to ptcp, resin-watchdog, and siemens-logo. [Daniel Miller]
- Upgraded Npcap, our new Windows packet capturing driver/library, from version 0.07-r17 to 0.09. This includes many improvements you can read about at https://github.com/nmap/npcap/releases.
- [Nsock][GH#148] Added the new IOCP Nsock engine which uses the Windows Overlapped I/O API to improve performance of version scan and NSE against many targets on Windows. [Tudor Emil Coman]
- Various performance improvements for large-scale high-rate scanning, including increased ping host groups, faster probe matching, and ensuring data types can handle an Internet's-worth of targets. [Tudor Emil Coman]
- [Zenmap] Long-overdue Spanish language translation has been added! Muy bien! [Vincent Dumont, Marta Garcia De La Paz, Paulino Calderon, Patricio Castagnaro]
- [Zenmap][GH#449] Fix a crash when closing Zenmap due to a read-only zenmap.conf. User will be warned that config cannot be saved and that they should fix the file permissions. [Daniel Miller]
- [NSE] Fix a crash when parsing TLS certificates that OpenSSL doesn't support, like DH certificates or corrupted certs. When this happens, ssl-enum-ciphers will label the ciphersuite strength as "unknown." Reported by Bertrand Bonnefoy-Claudet. [Daniel Miller]
- [NSE][GH#531] Fix two issues in sslcert.lua that prevented correct operations against LDAP services when version detection or STARTTLS were used. [Tom Sellers]
- [GH#426] Remove a workaround for lack of selectable pcap file descriptors on Windows, which required including pcap-int.h and locking us to a single version of libpcap. The new method, using WaitForSingleObject, should work with all versions of both WinPcap and Npcap. [Daniel Miller]
- [NSE][GH#234] Added a --script-timeout option for limiting run time for every individual NSE script. [Abhishek Singh]
- [Ncat][GH#444] Added a -z option to Ncat. Just like the -z option in traditional netcat, it can be used to quickly check the status of a port. Port ranges are not supported since we recommend a certain other tool for port scanning. [Abhishek Singh]
- Fix checking of Npcap/WinPcap presence on Windows so that "nmap -A" and "nmap" with no options result in the same behaviors as on Linux (and no crashes). [Daniel Miller]
- [NSE] ssl-enum-ciphers will now warn about 64-bit block ciphers in CBC mode, which are vulnerable to the SWEET32 attack.
- [NSE][GH#117] tftp-enum now only brute-forces IP-address-based Cisco filenames when the wordlist contains "{cisco}". Previously, custom wordlists would still end up sending these extra 256 requests. [Sriram Raghunathan]
- [GH#472] Avoid an unnecessary assert failure in timing.cc when printing estimated completion time. Instead, we'll output a diagnostic error message:
    Timing error: localtime(n) is NULL
  where "n" is some number that is causing problems. [Jean-Guilhem Nousse]
- [NSE][GH#519] Removed the obsolete script ip-geolocation-geobytes. [Paulino Calderon]
- [NSE] Added 9 new fingerprints for script http-default-accounts (Motorola AP, Lantronix print server, Dell iDRAC6, HP StorageWorks, Zabbix, Schneider controller, Xerox printer, Citrix NetScaler, ESXi hypervisor). [nnposter]
- [NSE] Completed a refresh and validation of almost all fingerprints for script http-default-accounts. Also improved the script speed. [nnposter]
- [GH#98] Added support for decoys in IPv6. Earlier we supported decoys only in IPv4. [Abhishek Singh]
- [GH#484] Allow Nmap to compile on some older Red Hat distros that disable EC crypto support in OpenSSL. [Jeroen Roovers, Vincent Dumont]
- [GH#439] Nmap now supports OpenSSL 1.1.0-pre5 and previous versions. [Vincent Dumont]
- [Ncat] Fix a crash ("add_fdinfo() failed.") when --exec was used with --ssl and --max-conns, due to improper accounting of file descriptors. [Daniel Miller]
- FTP Bounce scan: improved some edge cases like anonymous login without password, 500 errors used to indicate port closed, and timeouts for LIST command. Also fixed a 1-byte array overrun (read) when checking for privileged ports. [Daniel Miller]
- [GH#140] Allow target DNS names up to 254 bytes. We previously imposed an incorrect limit of 64 bytes in several parts of Nmap. [Vincent Dumont]
- [NSE] The hard limit on number of concurrently running scripts can now increase above 1000 to match a high user-set --min-parallelism value. [Tudor Emil Coman]
- [NSE] Solved a memory corruption issue that would happen if a socket connect operation produced an error immediately, such as Network Unreachable. The event handler was throwing a Lua error, preventing Nsock from cleaning up properly, leaking events. [Abhishek Singh, Daniel Miller]
- [NSE] Added the datetime library for performing date and time calculations, and as a helper to the clock-skew script.
- [GH#103][GH#364] Made Nmap's parallel reverse DNS resolver more robust, fully handling truncated replies. If a response is too long, we now fall back to using the system resolver to answer it. [Abhishek Singh]
- [Zenmap][GH#279] Added a legend for the Topography window. [Suraj Hande]
Nmap 7.25BETA1 [2016-07-15]
- Nmap now ships with and uses Npcap, our new packet sniffing library for Windows. It's based on WinPcap (unmaintained for years), but uses modern Windows APIs for better performance. It also includes security improvements and many bug fixes. See https://npcap.com. And it enables Nmap to perform SYN scans and OS detection against localhost, which we haven't been able to do on Windows since Microsoft removed the raw sockets API in 2003. [Yang Luo, Daniel Miller, Fyodor]
- [NSE] Added 6 NSE scripts, from 5 authors, bringing the total up to 533! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
  - clamav-exec detects ClamAV servers vulnerable to unauthorized clamav command execution. [Paulino Calderon]
  - http-aspnet-debug detects ASP.NET applications with debugging enabled. [Josh Amishav-Zlatin]
  - http-internal-ip-disclosure determines if the web server leaks its internal IP address when sending an HTTP/1.0 request without a Host header. [Josh Amishav-Zlatin]
  - [GH#304] http-mcmp detects mod_cluster Management Protocol (MCMP) and dumps its configuration. [Frank Spierings]
  - [GH#365] sslv2-drown detects vulnerability to the DROWN attack, including CVE-2016-0703 and CVE-2016-0704 that enable fast attacks on OpenSSL. [Bertrand Bonnefoy-Claudet]
  - vnc-title logs in to VNC servers and grabs the desktop title, geometry, and color depth. [Daniel Miller]
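The leak that http-internal-ip-disclosure looks for is simple to reproduce and simple to re-check after a configuration fix. The following is an added example, not code from Nmap or from the script's author: it shows the HTTP/1.0 probe (no Host header), parses a constructed response and reports any RFC 1918, link-local or loopback address found in the headers or body. The two sample responses, the server banner and the address 10.0.3.17 are constructed for the example.

```python
import ipaddress
import re

# Constructed sample request: an HTTP/1.0 request with no Host header, the kind
# of probe the http-internal-ip-disclosure entry above describes.
PROBE_REQUEST = b"GET / HTTP/1.0\r\n\r\n"

# Constructed sample responses; neither was captured from a real server.
LEAKY_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Server: ExampleHTTPD/1.0\r\n"
    b"Location: http://10.0.3.17/default.aspx\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
CLEAN_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.example.com/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Dotted-quad matcher; the look-arounds keep it from matching inside longer
# digit/dot runs such as version strings.
_IPV4_RE = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_code, headers, body).

    Header names are lower-cased; duplicate headers are joined with ', '."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("ascii", "replace")
        val = value.strip().decode("ascii", "replace")
        headers[key] = f"{headers[key]}, {val}" if key in headers else val
    return status, headers, body


def is_internal(addr: str) -> bool:
    """True for addresses a public-facing response should never reveal
    (RFC 1918 space, link-local 169.254/16, loopback)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_private or ip.is_link_local or ip.is_loopback


def find_internal_ips(raw: bytes) -> list:
    """Return the internal IPv4 addresses found in the headers or body of a
    response, deduplicated and in order of first appearance."""
    _, headers, body = parse_response(raw)
    header_blob = "\r\n".join(f"{k}: {v}" for k, v in headers.items()).encode()
    found = []
    for match in _IPV4_RE.finditer(header_blob + b"\r\n" + body):
        addr = match.group(1).decode()
        if is_internal(addr) and addr not in found:
            found.append(addr)
    return found


if __name__ == "__main__":
    print("probe:", PROBE_REQUEST)
    print("leaky:", find_internal_ips(LEAKY_RESPONSE))   # ['10.0.3.17']
    print("clean:", find_internal_ips(CLEAN_RESPONSE))   # []
```

A hit here usually means the server builds self-referential URLs (redirects, Content-Location) from its own interface address rather than a configured canonical name; on Apache that is what UseCanonicalName with a proper ServerName controls, and the function above makes a cheap regression check once the setting has been changed.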
- Integrated all of your IPv4 OS fingerprint submissions from January to April (539 of them). Added 98 fingerprints, bringing the new total to 5187. Additions include Linux 4.4, Android 6.0, Windows Server 2016, and more. [Daniel Miller]
- Integrated all 31 of your IPv6 OS fingerprint submissions from January to June. The classifier added 2 groups and expanded several others. Several Apple OS X groups were consolidated, reducing the total number of groups to 93. [Daniel Miller]
- Update oldest supported Windows version to Vista (Windows 6.0). This enables the use of the poll Nsock engine, which has significant performance and accuracy advantages. Windows XP users can still use Nmap 7.12, available from https://nmap.org/dist/?C=M&O=D [Daniel Miller]
- [NSE] Fix a crash that happened when trying to print the percent done of 0 NSE script threads:
  timing.cc:710 bool ScanProgressMeter::printStats(double, const timeval*): Assertion 'ltime' failed.
  This would happen if no scripts were scheduled in a scan phase and the user pressed a key or specified a short --stats-every interval. Reported by Richard Petrie. [Daniel Miller]
- [GH#283][Nsock] Avoid "unknown protocol:0" debug messages and an "Unknown address family 0" crash on Windows and other platforms that do not set the src_addr argument to recvfrom for TCP sockets. [Daniel Miller]
- Retrieve the correct network prefix length for an adapter on Windows. If more than one address was configured on an adapter, the same prefix length would be used for both. This incorrect behavior is still used on Windows XP and earlier. Reported by Niels Bohr. [Daniel Miller]
- Changed libdnet-stripped to avoid bailing completely when an interface is encountered with an unsupported hardware address type. Caused "INTERFACES: NONE FOUND!" bugs in Nmap whenever Linux kernel added new hardware address types. [Daniel Miller]
- Improved service detection of Docker and fixed a bug in the output of docker-version script. [Tom Sellers]
- Fix detection of Microsoft Terminal Services (RDP). Our improved TLS service probes were matching on port 3389 before our specific Terminal Services probe, causing the port to be labeled as "ssl/unknown". Reported by Josh Amishav-Zlatin.
- [NSE] Update to enable smb-os-discovery to augment version detection for certain SMB related services using data that the script discovers. [Tom Sellers]
- Improved version detection and descriptions for Microsoft and Samba SMB services. Also addresses certain issues with OS identification. [Tom Sellers]
- [NSE] ssl-enum-ciphers will give a failing score to any server with an RSA certificate whose public key uses an exponent of 1. It will also cap the score of an RC4-ciphersuite handshake at C and output a warning referencing RFC 7465. [Daniel Miller]
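Why an RSA public exponent of 1 earns an automatic fail, and how the RC4 cap composes with whatever grade the rest of the checks produced, as an added example (not the Lua code of ssl-enum-ciphers itself). The letter-grade ordering, the base grade passed in, and the toy modulus 3233 = 61 * 53 are assumptions of the example.

```python
# Letter grades from best to worst; this ordering is an assumption of the
# example, not something the changelog specifies.
GRADES = ["A", "B", "C", "D", "E", "F"]


def rsa_textbook_encrypt(m: int, e: int, n: int) -> int:
    """Textbook RSA, c = m^e mod n. With e == 1 the 'ciphertext' equals the
    message, which is why an exponent of 1 earns a failing score."""
    return pow(m, e, n)


def worse_of(a: str, b: str) -> str:
    """The lower of two letter grades."""
    return GRADES[max(GRADES.index(a), GRADES.index(b))]


def grade_handshake(cipher_suite: str, rsa_exponent=None, base_grade: str = "A"):
    """Apply the two rules from the entry above on top of a base grade that
    other checks (key size, protocol version, ...) would have produced.

    Returns (grade, warnings)."""
    warnings = []
    grade = base_grade
    if rsa_exponent == 1:
        grade = "F"
        warnings.append("RSA certificate public exponent is 1: encryption is the identity map")
    if "RC4" in cipher_suite.upper():
        grade = worse_of(grade, "C")
        warnings.append("RC4 cipher suite negotiated; RC4 is prohibited by RFC 7465")
    return grade, warnings


if __name__ == "__main__":
    # Constructed toy parameters: n = 61 * 53, e = 17, d = 2753 (far too small for real use).
    n, e, d = 3233, 17, 2753
    print(rsa_textbook_encrypt(42, 1, n))                      # 42: e = 1 leaks the plaintext
    c = rsa_textbook_encrypt(42, e, n)
    print(c != 42, pow(c, d, n) == 42)                         # True True
    print(grade_handshake("TLS_RSA_WITH_RC4_128_SHA", rsa_exponent=65537))
    print(grade_handshake("TLS_RSA_WITH_AES_128_GCM_SHA256", rsa_exponent=1))
```

The cap is deliberately a cap and not an override: a handshake already rated D for other reasons stays at D when RC4 is negotiated, while an exponent of 1 forces F regardless of the cipher suite.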
- [NSE] Refactored some SSLv2 functionality into a new library, sslv2.lua. [Daniel Miller]
- [GH#399] Zenmap's authorization wrapper now uses an AppleScript method for privilege escalation on OS X, avoiding the deprecated AuthorizationExecuteWithPrivileges method previously used. [Vincent Dumont]
- [GH#454] The OS X binary package is distributed in a .dmg disk image that now features an instructive background image. [Vincent Dumont]
- [GH#420] Our OS X build system now uses gtk-mac-bundler and jhbuild to provide all dependencies. We no longer use Macports for this purpose. [Vincent Dumont]
- [GH#345][Zenmap] On Windows, save Zenmap's stderr output to a writeable location (%LOCALAPPDATA%\zenmap.exe.log or %TEMP%\zenmap.exe.log) instead of next to the zenmap.exe executable. This avoids a warning message when closing Zenmap if it produced any stderr output. [Daniel Miller]
- [GH#379][NSE] Fix http-iis-short-name-brute to report non-vulnerable hosts. Reported by alias1. [Paulino Calderon]
- [NSE][GH#371] Fix mysql-audit by adding needed library requires to the mysql-cis.audit file. The script would fail with "Failed to load rulebase" message. [Paolo Perego]
- [NSE][GH#362] Added support for LDAP over UDP to ldap-rootdse.nse. Also added version detection and information extraction to match the new LDAP LDAPSearchReq and LDAPSearchReqUDP probes. [Tom Sellers]
- [GH#354] Added new version detection Probes for LDAP services, LDAPSearchReq and LDAPSearchReqUDP. The second is Microsoft Active Directory specific. The Probes will elicit responses from target services that allow better fingerprinting and information extraction. Also added nmap-payload entry for detecting LDAP on UDP. [Tom Sellers]
- [NSE] More VNC updates: Support for VeNCrypt and Tight auth types, output of authentication sub-types in vnc-info, and all zero-authentication types are recognized and reported. [Daniel Miller]
Nmap 7.12 [2016-03-29]
- [Zenmap] Avoid file corruption in zenmap.conf, reported as files containing many null ("\x00") characters. Example exceptions:
  TypeError: int() argument must be a string or a number, not 'list'
  ValueError: unable to parse colour specification
- [NSE] VNC updates including vnc-brute support for TLS security type and negotiating a lower RFB version if the server sends an unknown higher version. [Daniel Miller]
- [NSE] Added STARTTLS support for VNC, NNTP, and LMTP [Daniel Miller]
- Added new service probes and match lines for OpenVPN on UDP and TCP.
Nmap 7.11 [2016-03-22]
- [NSE][GH#341] Added support for diffie-hellman-group-exchange-* SSH key exchange methods to ssh2.lua, allowing ssh-hostkey to run on servers that only support custom Diffie-Hellman groups. [Sergey Khegay]
- [NSE] Added support in sslcert.lua for Microsoft SQL Server's TDS protocol, so you can now grab certs with ssl-cert or check ciphers with ssl-enum-ciphers. [Daniel Miller]
- [Zenmap] Fix a crash when setting default window geometry:
  TypeError: argument of type 'int' is not iterable
- [Zenmap] Fix a crash when displaying the date from an Nmap XML file due to an empty or unknown locale:
  File "zenmapCore/NmapParser.py", line 627, in get_formatted_date
    locale.getpreferredencoding())
  LookupError: unknown encoding:
- [Zenmap] Fix a crash due to incorrect file paths when installing to /usr/local prefix. Example:
  Exception: File '/home/blah/.zenmap/scan_profile.usp' does not exist or could not be found!
Nmap 7.10 [2016-03-17]
- [NSE] Added 12 NSE scripts from 7 authors, bringing the total up to 527! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
  - [GH#322] http-apache-server-status parses the server status page of Apache's mod_status. [Eric Gershman]
  - http-vuln-cve2013-6786 detects an XSS and URL redirection vulnerability in Allegro RomPager web server. Also added a fingerprint for detecting CVE-2014-4019 to http-fingerprints.lua. [Vlatko Kosturjak]
  - [GH#226] http-vuln-cve2014-3704 detects and exploits the "Drupalgeddon" pre-auth SQL Injection vulnerability in Drupal. [Mariusz Ziulek]
  - imap-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled IMAP services. [Justin Cacak]
  - ipv6-multicast-mld-list discovers IPv6 multicast listeners with MLD probes. The discovery is the same as targets-ipv6-multicast-mld, but the subscribed addresses are decoded and listed. [Alexandru Geana, Daniel Miller]
  - ms-sql-ntlm-info extracts OS version and sometimes hostname from MS SQL Server instances via the NTLM challenge message. [Justin Cacak]
  - nntp-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled NNTP services. [Justin Cacak]
  - pop3-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled POP3 services. [Justin Cacak]
  - rusers retrieves information about logged-on users from the rusersd RPC service. [Daniel Miller]
  - [GH#333] shodan-api queries the Shodan API (https://www.shodan.io) and retrieves open port and service info from their Internet-wide scan data. [Glenn Wilkinson]
  - smtp-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled SMTP and submission services. [Justin Cacak]
  - telnet-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled Telnet services. [Justin Cacak]
- Updated the OpenSSL shipped with our binary builds (Windows, OS X, and Linux RPM) to 1.0.2g with SSLv2 enabled.
- Integrated all of your IPv4 OS fingerprint submissions from October to January (536 of them). Added 104 fingerprints, bringing the new total to 5089. Additions include Linux 4.2, more Windows 10, IBM i 7, and more. Highlights: http://seclists.org/nmap-dev/2016/q1/270 [Daniel Miller]
- Integrated all of your service/version detection fingerprints submitted from October to January (508 of them). The signature count went up 2.2% to 10532. We now detect 1108 protocols, from icy, finger, and rtsp to ipfs, basestation, and minecraft-pe. Highlights: http://seclists.org/nmap-dev/2016/q1/271 [Daniel Miller]
- Integrated all 12 of your IPv6 OS fingerprint submissions from October to January. The classifier added 3 new groups, including new and expanded groups for OS X, bringing the new total to 96. Highlights: http://seclists.org/nmap-dev/2016/q1/273 [Daniel Miller]
- [NSE] Upgrade to http-form-brute allowing correct handling of token-based CSRF protections and cookies. Also, a simple database of common login forms supports Django, Wordpress, MediaWiki, Joomla, and others. [Daniel Miller]
- [Zenmap][GH#247] Remember window geometry (position and size) from the previous time Zenmap was run. [isjing]
- New service probe for CORBA GIOP (General Inter-ORB Protocol) detection should elicit a not-found exception from GIOP services that do not respond to non-GIOP probes. [Quentin Hardy]
- [GH#284] Fix retrieval of route netmasks on FreeBSD. IPv6 routes were given /32 netmasks regardless of actual netmask configured, resulting in failed routing. Reported by Martin Gysi. [Daniel Miller]
- [GH#272][GH#269] Give option parsing errors after the usage statement, or avoid printing the usage statement in some cases. The options summary has grown quite large, requiring users to scroll to the top to see the error message. [Abhishek Singh]
- [GH#249][Nsock] Avoid a crash on Windows reported by users using Zenmap's Slow Comprehensive Scan profile. In the case of unknown OpenSSL errors, ERR_reason_error_string would return NULL, which could not be printed with the "%s" format string. Reported by Dan Baxter. [Gisle Vanem, Daniel Miller]
- [GH#293][Zenmap] Fix a regression in our build that caused copy-and-paste to not work in Zenmap on Windows.
- Changed Nmap's idea of reserved and private IP addresses to include 169.254/16 (RFC3927) and remove 6/8, 7/8, and 55/8 networks. This list, in libnetutil's isipprivate function, is used to filter -iR randomly generated targets. The newly-valid address ranges belong to the U.S. Department of Defense, so users wanting to avoid those ranges should use their own exclusion lists with --exclude or --exclude-file. [Bill Parker, Daniel Miller]
- Allow the -4 option for Nmap to indicate IPv4 address family. This is the default, and using the option doesn't change anything, but does make it more explicit which address family you want to scan. Using -4 with -6 is an error. [Daniel Miller]
- [GH#265] When provided a verbosity of 0 (-v0), Nmap will not output any text to the screen. This happens at the time of argument parsing, so the usual meaning of "verbosity 0" is preserved. [isjing]
- [NSE][GH#314] Fix naming of SSL2_RC2_128_CBC_WITH_MD5 and SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 ciphers in sslv2 in order to match the draft specification from Mozilla. [Bertrand Bonnefoy-Claudet]
- [NSE][GH#320] Add STARTTLS support to sslv2 to enable SSLv2 detection against services that are not TLS encrypted by default but that support post-connection upgrade. This will enable more comprehensive detection of SSLv2 and DROWN (CVE-2016-0800) attack oracles. [Tom Sellers]
- [NSE][GH#301] Added default credential checks for RICOH Web Image Monitor and BeEF to http-default-accounts. [nnposter]
- Properly display Next-hop MTU value from ICMP Type 3 Code 4 Fragmentation Required messages when tracing packets or in Nping output. Improper offset meant we were printing the total IP length. [Sławomir Demeszko]
- [NSE] Added support for DHCP options "TFTP server name" and "Bootfile name" to dhcp.lua and enabled checking for options with a code above 61 by default. [Mike Rykowski]
- [NSE] whois-ip: Don't request a remote IANA assignments data file when the local filesystem will not permit the file to be cached in a local file. [jah]
- [NSE] Updated http-php-version hash database to cover all versions from PHP 4.1.0 to PHP 5.4.45. Based on scans of a few thousand PHP web servers pulled from Shodan API (https://www.shodan.io/) [Daniel Miller]
- Use the same ScanProgressMeter for FTP bounce scan (-b) as for the other scan types, allowing periodic status updates with --stats-every or keypress events. [Daniel Miller]
- [GH#274] Use a shorter pcap_select timeout on OpenBSD, just as we do for OS X, old FreeBSD, and Solaris, which use BPF for packet capture and do not have properly select-able fds. Fix by OpenBSD port maintainer [David Carlier]
- Print service info in grepable output for ports which are not listed in nmap-services when a service tunnel (SSL) is detected. Previously, the service info ("ssl|unknown") was not printed unless the service inside the tunnel was positively identified. http://seclists.org/nmap-dev/2015/q4/260 [Daniel Miller]
- [NSE][GH#242] Fix multiple false-positive sources in http-backup-agent. [Tom Sellers]
Nmap 7.01 [2015-12-09]
- Switch to using gtk-mac-bundler and jhbuild for building the OS X installer. This promises to reduce a lot of the problems we've had with local paths and dependencies using the py2app and macports build system. [Daniel Miller]
- The Windows installer is now built with NSIS 2.47 which features LoadLibrary security hardening to prevent DLL hijacking and other unsafe use of temporary directories. Thanks to Stefan Kanthak for reporting the issue to NSIS and to us and the many other projects that use it.
- Updated the OpenSSL shipped with our binary builds (Windows, OS X, and RPM) to 1.0.2e.
- [Zenmap][GH#235] Fix several failures to launch Zenmap on OS X. The new build process eliminates these errors:
  IOError: [Errno 2] No such file or directory: '/Applications/Zenmap.app/Contents/Resources/etc/pango/pangorc.in'
  LSOpenURLsWithRole() failed for the application /Applications/Zenmap.app with error -10810.
- [NSE][GH#254] Update the TLSSessionRequest probe in ssl-enum-ciphers to match the one in nmap-service-probes, which was fixed previously to correct a length calculation error. [Daniel Miller]
- [NSE][GH#251] Correct false positives and unexpected behavior in http-* scripts which used http.identify_404 to determine when a file was not found on the target. The function was following redirects, which could be an indication of a soft-404 response. [Tom Sellers]
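The soft-404 problem behind the GH#251 fix in one place: if a server answers a path that cannot exist with 200 or with a redirect, a 200 for some other path proves nothing on its own. The following is an added example, not Nmap's http.lua: it learns the server's not-found behaviour from a single probe, does not follow redirects, and then applies that policy when judging whether a file exists. The three mock servers and their content are constructed for the example.

```python
import hashlib
import random
import string


def random_path() -> str:
    """A path that almost certainly does not exist on the target."""
    token = "".join(random.choices(string.ascii_lowercase, k=12))
    return f"/{token}.html"


def identify_404(fetch, probe_path=None):
    """Learn how a server signals a missing file by requesting a path that
    should not exist. fetch(path) must return (status, headers, body) and
    must NOT follow redirects: a redirect for a nonexistent path is itself a
    soft-404 signal, which is the behaviour the GH#251 fix addresses.

    Returns ("hard", None), ("soft", fingerprint) or ("unknown", None)."""
    status, headers, body = fetch(probe_path or random_path())
    if status == 404:
        return "hard", None
    if status == 200:
        return "soft", "body:" + hashlib.sha256(body).hexdigest()
    if 300 <= status < 400:
        return "soft", "redirect:" + headers.get("location", "")
    return "unknown", None


def file_exists(fetch, path, policy) -> bool:
    """Decide whether `path` exists, given the policy from identify_404()."""
    kind, fingerprint = policy
    status, headers, body = fetch(path)
    if kind == "soft":
        if status == 200:
            # Existence is only credible if the body differs from the soft-404 page.
            return "body:" + hashlib.sha256(body).hexdigest() != fingerprint
        return False   # redirects and other statuses are not evidence of existence
    return status == 200


def make_server(files, missing):
    """Build a fetch() over constructed content; `missing` is the response
    returned for every path not present in `files`."""
    def fetch(path):
        return files.get(path, missing)
    return fetch


# Constructed mock servers: one with a real 404, one that serves its home page
# for any unknown path, one that redirects unknown paths to "/".
ROBOTS = (200, {}, b"User-agent: *\nDisallow: /admin/\n")
HARD_SERVER = make_server({"/robots.txt": ROBOTS}, (404, {}, b"Not Found"))
SOFT_SERVER = make_server({"/robots.txt": ROBOTS}, (200, {}, b"<html>Welcome home</html>"))
REDIRECT_SERVER = make_server({"/robots.txt": ROBOTS}, (302, {"location": "/"}, b""))


if __name__ == "__main__":
    for name, server in (("hard", HARD_SERVER), ("soft", SOFT_SERVER), ("redirect", REDIRECT_SERVER)):
        policy = identify_404(server)
        print(name, policy[0],
              file_exists(server, "/robots.txt", policy),   # True on all three
              file_exists(server, "/backup.zip", policy))   # False on all three
```

The same discipline applies to any scanner or monitoring check that infers existence from status codes: calibrate against a known-missing path first, and treat a redirect on that probe as a reason to distrust 3xx answers everywhere else.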
- [NSE][GH#241] Fix a false-positive in hnap-info when the target responds with 200 OK to any request. [Tom Sellers]
- [NSE][GH#244] Fix an error response in xmlrpc-methods when run against a non-HTTP service. The expected behavior is no output. [Niklaus Schiess]
- [NSE] Fix SSN validation function in http-grep, reported by Bruce Barnett.
Nmap 7.00 [2015-11-19]
- This is the most important release since Nmap 6.00 back in May 2012! For a list of the most significant improvements and new features, see the announcement at: https://nmap.org/7/
- [NSE] Added 6 NSE scripts from 6 authors, bringing the total up to 515! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
  - targets-xml extracts target addresses from previous Nmap XML results files. [Daniel Miller]
  - [GH#232] ssl-dh-params checks for problems with weak, non-safe, and export-grade Diffie-Hellman parameters in TLS handshakes. This includes the LOGJAM vulnerability (CVE-2015-4000). [Jacob Gajek]
  - nje-node-brute does brute-forcing of z/OS JES Network Job Entry node names. [Soldier of Fortran]
  - ip-https-discover detects support for Microsoft's IP over HTTPS tunneling protocol. [Niklaus Schiess]
  - [GH#165] broadcast-sonicwall-discover detects and extracts information from SonicWall firewalls. [Raphael Hoegger]
  - [GH#38] http-vuln-cve2014-8877 checks for and optionally exploits a vulnerability in CM Download Manager plugin for Wordpress. [Mariusz Ziulek]
- [Ncat][GH#151][GH#142] New option --no-shutdown prevents Ncat from shutting down when it reads EOF on stdin. This is the same as traditional netcat's "-d" option. [Adam Saponara]
- [NSE][GH#229] Improve parsing in http.lua for multiple Set-Cookie headers in a single response. [nnposter]
Nmap 6.49BETA6 [2015-11-03]
- Integrated all of your IPv6 OS fingerprint submissions from April to October (only 9 of them!). We are steadily improving the IPv6 database, but we need your submissions. The classifier added 3 new groups, bringing the new total to 93. Highlights: http://seclists.org/nmap-dev/2015/q4/61 [Daniel Miller]
- Integrated all of your IPv4 OS fingerprint submissions from February to October (1065 of them). Added 219 fingerprints, bringing the new total to 4985. Additions include Linux 4.1, Windows 10, OS X 10.11, iOS 9, FreeBSD 11.0, Android 5.1, and more. Highlights: http://seclists.org/nmap-dev/2015/q4/60 [Daniel Miller]
- Integrated all of your service/version detection fingerprints submitted from February to October (800+ of them). The signature count went up 2.5% to 10293. We now detect 1089 protocols, from afp, bitcoin, and caldav to xml-rpc, yiff, and zebra. Highlights: http://seclists.org/nmap-dev/2015/q4/62 [Daniel Miller]
- [NSE] Added 10 NSE scripts from 5 authors, bringing the total up to 509! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
  - knx-gateway-discover and knx-gateway-info scripts gather information from multicast and unicast KNX gateways, which connect home automation systems to IP networks. [Niklaus Schiess, Dominik Schneider]
  - http-ls parses web server directory index pages with optional recursion. [Pierre Lalet]
  - xmlrpc-methods performs introspection of xmlrpc services and lists methods and their descriptions. [Gyanendra Mishra]
  - http-fetch can be used like wget or curl to fetch all files, specific filenames, or files that match a given pattern. [Gyanendra Mishra]
  - http-svn-enum enumerates users of a Subversion repository by examining commit logs. [Gyanendra Mishra]
  - http-svn-info requests information from a Subversion repository, similar to the "svn info" command. [Gyanendra Mishra]
  - hnap-info detects and outputs info for Home Network Administration Protocol devices. [Gyanendra Mishra]
  - http-webdav-scan detects WebDAV servers and reports allowed methods and directory listing. [Gyanendra Mishra]
  - tor-consensus-checker checks the target's address with the Tor directory authorities to determine if a target is a known Tor node. [Jiayi Ye]
- [NSE] Several scripts have been split, combined, or renamed:
  - [GH#171] smb-check-vulns has been split into:
    - smb-vuln-conficker
    - smb-vuln-cve2009-3103
    - smb-vuln-ms06-025
    - smb-vuln-ms07-029
    - smb-vuln-regsvc-dos
    - smb-vuln-ms08-067
  - http-email-harvest was removed, as the new http-grep does email address scraping by default. [Gyanendra Mishra]
  - http-drupal-modules was renamed to http-drupal-enum. Extended to enumerate both themes and modules of Drupal installations. [Gyanendra Mishra]
- [Ncat][GH#193] Fix Ncat listen mode over Unix sockets (named pipes) on OS X. This was crashing with the error:
  Ncat: getnameinfo failed: Undefined error: 0 QUITTING.
  Fixed by forcing the name to "localhost" [Michael Wallner]
- [Zenmap] Fix a crash in Zenmap when using Compare Results:
  AttributeError: 'NoneType' object has no attribute 'get_nmap_output'
  [Daniel Miller]
- [NSE][GH#194] Add support for reading fragmented TLS messages to ssl-enum-ciphers. [Jacob Gajek]
- [GH#51] Added IPv6 support to nmap_mass_rdns, improved reverse DNS cache, and refactored DNS code to improve readability and extensibility. All in all, this makes the rDNS portion of IPv6 scans much faster. [Gioacchino Mazzurco]
- [NSE] Added NTLM brute support to http-brute. [Gyanendra Mishra]
- [NSE] Added NTLM authentication support to http.lua and a related function to create an NTLMv2 session response in smbauth.lua. [Gyanendra Mishra]
- [NSE][GH#106] Added a new NSE module, ls.lua, for accumulating and outputting file and directory listings. The afp-ls, nfs-ls, and smb-ls scripts have been converted to use this module. [Pierre Lalet]
- [NSE] bacnet-info.nse and s7-info.nse were added to the version category. [Paulino Calderon]
- [NSE] Added 124 new identifiers to bacnet-info.nse vendor database. [Paulino Calderon]
- [NSE] Fixed bacnet-info.nse to bind to the service port detected during scan instead of fixed port. [Paulino Calderon]
- [NSE] Enhanced reporting of elliptic curve names and strengths in ssl-enum-ciphers. The name of the curve is now reported instead of just "ec" [Brandon Paulsen]
- [GH#75] Normalize Makefile targets to use the same verb-project format, e.g. build-ncat, check-zenmap, install-nping, clean-nsock [Gioacchino Mazzurco]
- [NSE] Added builtin pattern and multiple pattern search to http-grep. [Gyanendra Mishra]
- [NSE] http-crossdomainxml is now http-cross-domain-policy and supports client access policies and uses the new SLAXML parser. [Gyanendra Mishra]
- [NSE] Added a patch for vulns lib that allows list of tables to be submitted to fields in the vulns report. [Jacob Gajek]
- [NSE] Added additional checks for successful PUT request in http-put. [Oleg Mitrofanov]
- [NSE] Added an update for http-methods that checks all possible methods not in Allow or Public header of OPTIONS response. [Gyanendra Mishra]
- [NSE] Added SLAXML, an XML parser in Lua originally written by Gavin Kistner (a.k.a. Phrogz). [Gyanendra Mishra]
- [NSE][GH#122] Update the snmp-brute and other snmp-* scripts to use the creds library to store brute-forced snmp community strings. This allows Nmap to use the correct brute-forced string for each host. [Gioacchino Mazzurco]
- Several improvements to TLS/SSL detection in nmap-service-probes. A new probe, TLSSessionReq, and improvements to default SSL ports should help speed up -sV scans. http://seclists.org/nmap-dev/2015/q2/17 [Daniel Miller]
- [Nsock] Clean up the API so that nsp_* calls are now nsock_pool_* and nsi_* are nsock_iod_*. Simplify Nsock SSL init API, and make logging global to the library instead of associated with a nspool. [Henri Doreau]
- [GH#181] The configure script now prints a summary of configured options. Most importantly, it warns if OpenSSL was not found, since most users will want this library compiled in. [Gioacchino Mazzurco]
- Define TCP Options for SYN scan in nmap.h instead of literally throughout. This string is used by p0f and other IDS to detect Nmap scans, so having it a compile-time option is a step towards better evasion. [Daniel Miller]
- [GH#51] Nmap's parallel reverse-DNS resolver now handles IPv6 addresses. This should result in faster -6 scans. The old behavior is available with --system-dns. [Gioacchino Mazzurco]
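Reverse DNS for IPv6 differs from IPv4 only in how the PTR query name is built (32 reversed nibble labels under ip6.arpa instead of four reversed octets under in-addr.arpa), which is the part a resolver has to get right before caching or parallelism matter. The following is an added example, not Nmap's nmap_mass_rdns code: it builds both query-name forms by hand and then performs a forward-confirmed reverse DNS check against a constructed zone table, the same check the fcrdns script listed under 6.49BETA1 performs against live DNS. All zone data and hostnames here are constructed; nothing is looked up over the network.

```python
import ipaddress


def reverse_name(addr: str) -> str:
    """Owner name of the PTR record for an address: four reversed labels under
    in-addr.arpa for IPv4, 32 reversed nibble labels under ip6.arpa for IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")       # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


# Constructed zone data standing in for real DNS (the names and addresses are
# documentation-range examples, not real hosts).
FAKE_PTR = {
    "10.2.0.192.in-addr.arpa": ["mail.example.org."],
    "11.2.0.192.in-addr.arpa": ["mail.example.org."],   # forged PTR: forward does not agree
    reverse_name("2001:db8::1"): ["host6.example.org."],
}
FAKE_FORWARD = {
    "mail.example.org.": ["192.0.2.10"],
    "host6.example.org.": ["2001:db8::1"],
}


def fcrdns(addr: str, ptr_lookup, forward_lookup) -> dict:
    """Forward-confirmed reverse DNS: a PTR name counts only if its A/AAAA
    answers include the original address. Lookup callables return lists, so a
    name that does not resolve (NXDOMAIN) is simply an empty answer."""
    names = ptr_lookup(reverse_name(addr))
    target = ipaddress.ip_address(addr)
    confirmed, unconfirmed = [], []
    for name in names:
        forward = {ipaddress.ip_address(a) for a in forward_lookup(name)}
        (confirmed if target in forward else unconfirmed).append(name)
    return {"addr": addr, "ptr": names, "confirmed": confirmed, "unconfirmed": unconfirmed}


def fcrdns_status(addr: str) -> str:
    """Classify an address against the constructed zone data above:
    'confirmed', 'mismatch' (PTR exists but forward disagrees) or 'no-ptr'."""
    result = fcrdns(addr, lambda q: FAKE_PTR.get(q, []), lambda n: FAKE_FORWARD.get(n, []))
    if not result["ptr"]:
        return "no-ptr"
    return "confirmed" if result["confirmed"] else "mismatch"


if __name__ == "__main__":
    print(reverse_name("192.0.2.10"))    # 10.2.0.192.in-addr.arpa
    print(reverse_name("2001:db8::1"))   # 1.0.0.0.(...).8.b.d.0.1.0.0.2.ip6.arpa
    for a in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "2001:db8::1"):
        print(a, fcrdns_status(a))
```

The "mismatch" case is the interesting one for a defender: anyone who controls the reverse zone for an address block can put any name in a PTR record, so a reverse name is only trustworthy once the forward zone for that name agrees, which is why mail and log-enrichment pipelines should apply the same confirmation step before acting on a hostname.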
- [NSE] Fix a couple odd bugs in NSE command-line parsing. Most notably, --script broadcast-* will now work (generally, wildcards with scripts whose name begins with a category name were not working properly). [Daniel Miller]
- [NSE][GH#113] http-form-fuzzer will now stop increasing the size of a request when an HTTP 413 or 414 error indicates the web server will not accept a larger request. [Gioacchino Mazzurco]
- [NSE][GH#159] Add the ability to tag credentials in the creds library with freeform text for easy retrieval. This gives necessary granularity to track credentials to multiple web apps on a single host+port. [Gioacchino Mazzurco]
Nmap 6.49BETA5 [2015-09-25]
- Work around a bug which could cause Nmap to hang when running multiple instances at once on Windows. The actual bug appears to be in the WinPcap driver in that it hangs when accessed via OpenServiceA by multiple processes at once. So for now we have added a mutex to prevent even multiple Nmap processes from making concurrent calls to this part of WinPcap. We've received the reports from multiple users on Windows 8.1 and Windows Server 2012 R2 and this fix seems to resolve the hang for them. [Daniel Miller]
- [GH#212][NSE] Fix http.get_url function which was wrongly attempting non-SSL HTTP requests first when passed https URLs. [jah]
- [GH#201] Fix Ndiff interpreter path problems in the OS X .dmg installer which could prevent Ndiff (and the related Zenmap "compare results" window) from working on OS X in some cases. [Daniel Miller]
- Fix Nmap's DTD, which did not recognize that the script element could contain character data when a script returns a number or a boolean. [Jonathan Daugherty]
- [GH#172][NSE] Fix reporting of DH parameter sizes by ssl-enum-ciphers. The number shown was the length in bytes, not bits as it should have been. Reported by Michael Staruch. [Brandon Paulsen]
- Our Windows Nmap packages are now compiled with the older platform toolset (v120_xp rather than v120) and so they may work with Windows XP again for the dwindling number of users still on that operating system.
- [GH#34] Disable TPACKET_V3 in our included libpcap. This version of the Linux kernel packet ring API has problems that result in lots of lost packets. This patch falls back to TPACKET_V2 or earlier versions if available. [nnposter]
- [NSE] Check for socket errors in iscsi.lua. This was causing the iscsi-info script to crash against some services. [Daniel Miller]
- [NSE] Fix http-useragent-tester, which was using cached HTTP responses instead of testing new User-Agent strings. [Daniel Miller]
- Output a warning when deprecated options are used, and suggest the preferred option. Currently deprecated: -i -o -m -sP -P0 -PN -oM -sR. The warning is only visible with -v. [Daniel Miller]
- Add a fatal error for options like -oG- which is interpreted as the deprecated -o option, outputting to a file named "G-", instead of the expected behavior of -oG - (Grepable output to stdout). [Daniel Miller]
- [GH#196] Fix raw packet sending on FreeBSD 10.0 and later. FreeBSD changed byte order of the IPv4 stack, so SYN scan and other raw packet functions were broken. [Edward Napierała] Also reported in [GH#50] by Olli Hauer.
- [GH#183] Fix compilation on Visual Studio 2010, which failed with error: "service_scan.cc(2559): error C2065: 'EOPNOTSUPP' : undeclared identifier" [Daniel Miller]
- [GH#115][NSE] ssl-enum-ciphers will still produce output if OpenSSL (required for certificate parsing) is not available. In cases where handshake strength depends on the certificate, it will be reported as "unknown". [jrchamp]
Nmap 6.49BETA4 [2015-07-06]
- Fix a hang on OS X in Zenmap's Topology page with error
  zenmap_wrapper.py[857]: GError: Couldn't recognize the image file format for file '/Applications/Zenmap.app/Contents/MacOS/../Resources/share/zenmap/pixmaps/radialnet/padlock.png'
  http://seclists.org/nmap-dev/2015/q3/8 [Daniel Miller]
- Fix a small memory leak for each target specified as a hostname which fails to resolve. [Daniel Miller]
- Allow 'make check' to succeed when Nmap is configured without OpenSSL support. This was broken due to our NSE unittest library expecting to be able to load every library without error. [Daniel Miller]
- [NSE] Enable ssl-enum-ciphers to safely scan servers with a long handshake intolerance issue which resulted in incomplete results when the handshake was greater than 255 bytes. [Jacob Gajek, Daniel Miller]
- [Ncat] Fix a write overrun in Ncat that could cause a segfault if the -g (source route) option was given too many times. [Daniel Miller]
- [NSE][GH#168] Allow ssl-enum-ciphers to run on non-typical ports when it is selected by name. It will now send a service detection probe if the port is not a typical SSL port and version scan (-sV) was not used. [Daniel Miller]
Nmap 6.49BETA3 [2015-06-25]
- [GH#166] Fix Ncat listen mode on Solaris and other platforms where struct sockaddr does not have a sa_len member. This also affected use of the -p and -s options. Brandon Haberfeld reported the crash. [Daniel Miller]
- [GH#164] Fix a Zenmap failure to open on OS X with the error: "dyld: Symbol not found: _iconv Referenced from: /usr/lib/libcups.2.dylib" We had to remove the DYLD_LIBRARY_PATH environment variable from zenmap_wrapper.py. Reported by Robert Strom. [Daniel Miller]
- Report our https URL (https://nmap.org) in more places rather than our non-SSL one. [David Fifield]
- [NSE] Fix Diffie-Hellman parameter extraction in tls.lua. [Jacob Gajek]
Nmap 6.49BETA2 [2015-06-16]
- [GH#154] Fix a crash (assertion error) when Nmap receives an ICMP Host Unreachable message.
- [GH#158] Fix a configure failure when Python is not present, but no Python projects were requested. [Gioacchino Mazzurco]
- [GH#161][Zenmap] Fix Zenmap on OS X which was failing with zipimport.ZipImportError due to architecture mismatch.
- [NSE] Remove ahbl.org checks from dnsbl.lua, since the service was shut down. [Forrest B.]
Nmap 6.49BETA1 [2015-06-03]
- Integrated all of your IPv4 OS fingerprint submissions from May 2014 to February 2015 (1900+ of them). Added 281 fingerprints, bringing the new total to 4766. Additions include Linux 3.18, Windows 8.1, OS X 10.10, Android 5.0, FreeBSD 10.1, OpenBSD 5.6, and more. Highlights: http://seclists.org/nmap-dev/2015/q2/169 [Daniel Miller]
- Integrated all of your service/version detection fingerprints submitted from June 2013 to February 2015 (2500+ of them). The signature count soared over the 10000 mark, a 12% increase. We now detect 1062 protocols, from http, telnet, and ftp to jute, bgp, and slurm. Highlights: http://seclists.org/nmap-dev/2015/q2/171 [Daniel Miller]
- Integrated all of your IPv6 OS fingerprint submissions from June 2013 to April 2015 (only 97 of them!). We are steadily improving the IPv6 database, but we need your submissions. The classifier added 9 new groups, bringing the new total to 90. Highlights: http://seclists.org/nmap-dev/2015/q2/170 [Daniel Miller]
- Nmap now has an official bug tracker! We are using Github Issues, which you can reach from http://issues.nmap.org/. We welcome your bug reports, enhancement requests, and code submissions via the Issues and Pull Request features of Github (https://github.com/nmap/nmap), though the repository itself is just a mirror of our authoritative Subversion repository.
- [Zenmap] New Chinese-language (zh) translation from Jie Jiang, new Hindi (hi) translation by Gyanendra Mishra, and updated translations for German (de, Chris Leick), Italian (it, Jan Reister), Polish (pl, Jacek Wielemborek), and French (fr, MaZ)
- Added options --data <hex string> and --data-string <string> to send custom payloads in scan packet data. [Jay Bosamiya]
- --reason is enabled for verbosity > 2, and now includes the TTL of received packets in Normal output (this was already present in XML) [Jay Bosamiya]
- Fix ICMP Echo (-PE) host discovery for IPv6, broken since 6.45, caused by failing to set the ICMP ID for outgoing packets, which is used to match incoming responses. [Andrew Waters]
- Solve a crash on Windows (reported on Windows 8.1 on Surface Pro 3) caused by passing a NULL pointer to a WinPcap function that then tries to write an error message to it. [Peter Malecka]
- Enhance Nmap's tcpwrapped service detection by using a shorter timeout for the tcpwrapped designation. This prevents falsely labeling services as tcpwrapped which merely have a read timeout shorter than 6 seconds. Full discussion: http://issues.nmap.org/39 [nnposter, Daniel Miller]
- All nmap.org pages are now available SSL-secured to improve privacy and ensure your binaries can't be tampered with in transit. So be sure to download from https://nmap.org/download.html . We will soon remove the non-SSL version of the site. We still offer GPG-signed binaries as well: https://nmap.org/book/install.html#inst-integrity
- [NSE] Added 25 NSE scripts from 17 authors, bringing the total up to 494! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
  - bacnet-info gets device information from SCADA/ICS devices via BACnet (Building Automation and Control Networks) [Stephen Hilt, Michael Toecker]
  - docker-version detects and fingerprints Docker [Claudio Criscione]
  - enip-info gets device information from SCADA/ICS devices via EtherNet/IP [Stephen Hilt]
  - fcrdns performs a Forward-confirmed Reverse DNS lookup and reports anomalous results. [Daniel Miller]
  - http-avaya-ipoffice-users enumerates users in Avaya IP Office 7.x systems. [Paulino Calderon]
  - http-cisco-anyconnect gets version and tunnel information from Cisco SSL VPNs. [Patrik Karlsson]
  - http-crossdomainxml detects overly permissive crossdomain policies and finds trusted domain names available for purchase. [Paulino Calderon]
  - http-shellshock detects web applications vulnerable to Shellshock (CVE-2014-6271). [Paulino Calderon]
  - http-vuln-cve2006-3392 exploits a file disclosure vulnerability in Webmin. [Paul AMAR]
  - http-vuln-cve2014-2126, http-vuln-cve2014-2127, http-vuln-cve2014-2128 and http-vuln-cve2014-2129 detect specific vulnerabilities in Cisco AnyConnect SSL VPNs. [Patrik Karlsson]
  - http-vuln-cve2015-1427 detects Elasticsearch servers vulnerable to remote code execution. [Gyanendra Mishra]
  - http-vuln-cve2015-1635 detects Microsoft Windows systems vulnerable to MS15-034. [Paulino Calderon]
  - http-vuln-misfortune-cookie detects the "Misfortune Cookie" vulnerability in Allegro RomPager 4.07, commonly used in SOHO routers for TR-069 access. [Andrew Orr]
  - http-wordpress-plugins was renamed http-wordpress-enum and extended to enumerate both plugins and themes of Wordpress installations and their versions. http-wordpress-enum is now http-wordpress-users. [Paulino Calderon]
  - mikrotik-routeros-brute performs password auditing attacks against Mikrotik's RouterOS API. [Paulino Calderon]
  - omron-info gets device information from Omron PLCs via the FINS service. [Stephen Hilt]
  - s7-info gets device information from Siemens PLCs via the S7 service, tunneled over ISO-TSAP on TCP port 102. [Stephen Hilt]
  - snmp-info gets the enterprise number and other information from the snmpEngineID in an SNMPv3 response packet. [Daniel Miller]
  - ssl-ccs-injection detects whether a server is vulnerable to the SSL/TLS CCS Injection vulnerability (CVE-2014-0224) [Claudiu Perta]
  - ssl-poodle detects the POODLE bug in SSLv3 (CVE-2014-3566) [Daniel Miller]
  - supermicro-ipmi-conf exploits Supermicro IPMI/BMC controllers. [Paulino Calderon]
  - targets-ipv6-map4to6 generates target IPv6 addresses which correspond to IPv4 addresses mapped within a particular IPv6 subnet. [Raúl Fuentes]
  - targets-ipv6-wordlist generates target IPv6 addresses from a wordlist made of hexadecimal characters. [Raúl Fuentes]
- Update our Windows build system to VS 2013 on Windows 8.1. Also, we now build our included OpenSSL with DEP, ASLR, and SafeSEH enabled. [Daniel Miller]
- Our OS X installer is now built for a minimum supported version of 10.8 (Mountain Lion), a much-needed update from 10.5 (Leopard). Additionally, OpenSSL is now statically linked, allowing us to distribute the latest from Macports instead of being subjected to the 0.9.8 branch still in use as of 10.9. [Daniel Miller]
- Add 2 more ASCII-art configure splash images to be rotated randomly with the traditional dragon image. New ideas for other images to use here may be sent to dev@nmap.org. [Jay Bosamiya, Daniel Miller]
- Fix compilation and several bugs on AIX. [Daniel Miller]
- Fix a bug in libdnet-stripped on Solaris that resulted in the wrong MAC address being detected for all interfaces. http://seclists.org/nmap-dev/2015/q2/1 [Daniel Miller]
- New features for the IPv6 OS detection engine allow for better classification of systems: IPv6 guessed initial hop limit (TTL) and ratio of TCP initial window size to maximum segment size. [Alexandru Geana]
- [NSE] Rework ssl-enum-ciphers to actually score the strength of the SSL/TLS handshake, including certificate key size and DH parameters if applicable. This is similar to Qualys's SSL Labs scanner, and means that we no longer maintain a list of scores per ciphersuite. [Daniel Miller]
- [NSE] Improved http-form-brute autodetection and behavior to handle more unusual-but-valid HTML syntax, non-POST forms, success/failure testing on HTTP headers, and more. [nnposter]
- [NSE] Reduce many NSE default timeouts and base them on Nmap's detected timeouts for those hosts from the port scan phase. Scripts which take timeout script-args can now handle 's' and 'ms' suffixes, just like Nmap's own options. [Daniel Miller]
- [NSE] Remove db2-discover, as its functionality was performed by service version detection since the broadcast portion was separated into broadcast-db2-discover. http://seclists.org/nmap-dev/2014/q3/415 [Daniel Miller]
- Cache dnet names not found on Windows when enumerating interfaces in the Windows Registry. Reduces startup times. [Elon Natovich]
- [NSE] Make smb-ls able to leverage results from smb-enum-shares or a list of shares specified on the command line. [Pierre Lalet]
- [NSE] Fix X509 cert date parsing for dates after 2049. Reported by Teppo Turtiainen. [Daniel Miller]
- Handle a bunch of socket errors that can result from odd ICMP Type 3 Destination Unreachable messages received during service scanning. The crash reported was "Unexpected error in NSE_TYPE_READ callback. Error code: 92 (Protocol not available)" [Daniel Miller]
- Fixed a crash (NULL pointer dereference) in PortList::isTCPwrapped when using -sV and -O on an unknown service not listed in nmap-services. [Pierre Lalet]
- Fixed a benign TOCTOU race between stat() and open() in mmapfile(). Reported by Camille Mougey. [Henri Doreau]
- Reduce CPU consumption when using the nsock poll engine with no registered FD, by actually calling Poll() for the time until timeout, instead of directly returning zero and entering the loop again. [Henri Doreau]
- Change the URI for the fingerprint submitter to its new location at https://nmap.org/cgi-bin/submit.cgi
- [NSE] Added a check for Cisco ASA version disclosure, CVE-2014-3398, to http-enum in the 'security' category [Daniel Miller]
- Fixed a bug that caused Nmap to fail to find any network interface when a Prism interface is in monitor mode. The fix was to define the ARP_HRD_IEEE80211_PRISM header identifier in the libdnet-stripped code. [Brad Johnson]
- Added a version probe for Tor. [David Fifield]
- [NSE] Add support to citrix-enum-apps-xml for reporting if Citrix published applications in the list are enforcing/requiring the level of ICA/session data encryption shown in the script result. [Tom Sellers]
- [NSE] Updated our Wordpress plugin list to improve the http-wordpress-enum NSE script. We can now detect 34,077 plugins, up from 18,570. [Danila Poyarkov]
- [NSE] Add the signature algorithm that was used to sign the target port's x509 certificate to the output of ssl-cert.nse [Tom Sellers]
- [NSE] Fixed a bug in the sslcert.lua library that was triggered against certain services when version detection was used. [Tom Sellers]
- [NSE] vulns.Report:make_output() now generates XML structured output reports automatically. [Paulino Calderon]
- [NSE] Add port.reason_ttl, host.reason, host.reason_ttl for use in scripts [Jay Bosamiya]
- [NSE] If a version script is run by name, nmap.version_intensity() returns the maximum value (9) for it [Jay Bosamiya]
- [NSE] shortport.version_port_or_service() takes an optional rarity parameter now to run only when version intensity > rarity [Jay Bosamiya]
- [NSE] Added nmap.version_intensity() function so that NSE version scripts can use the argument to --version-intensity (which can be overridden by the script arg 'script-intensity') in order to decide whether to run or not [Jay Bosamiya]
- Improve OS detection: if a port is detected to be 'tcpwrapped', then it will not be used for OS detection. This helps in cases where a firewall might be causing the port to appear 'tcpwrapped' [Jay Bosamiya]
- [Zenmap] Reduce noise generated in Topology View due to anonymous hops [Jay Bosamiya]
- Added option --exclude-ports to Nmap so that some ports can be excluded from scanning (for example, due to policy) [Jay Bosamiya]
- [Zenmap] Catch the MemoryError caused in Zenmap due to large Nmap Output, and display a more helpful error message [Jay Bosamiya]
- Catch badly named output files (such as those unintentionally caused by "-oX -sV logfile.xml") [Jay Bosamiya]
- [Zenmap] Improved NmapParser to increase speed in opening scans. Large scans now open in seconds instead of hours. [Jay Bosamiya]
- Modify the included libpcap configure script to disable certain unused features: bluetooth, usb, usb-can, and dbus sniffing. Dbus support caused a build problem on CentOS 6.5. [Daniel Miller]
- Updated the bundled libpcap from 1.2.1 to 1.5.3 [Jay Bosamiya]
- Correct the Target MAC Address in Nmap's ARP discovery to conform to what IP stacks in currently popular operating systems use. [Jay Bosamiya]
- Fixed a bug which caused Nmap to be unable to have any runtime interaction when called from sudo or from a shell script. [Jay Bosamiya]
- Improvements to whois-ip.nse: fix an unhandled error when a referred-to response could not be understood; add a new pattern to recognise a LACNIC "record not found" type of response and update the way ARIN is queried. [jah]
Nmap 6.47 [2014-08-23]
- Integrated all of your IPv4 OS fingerprint submissions since June 2013 (2700+ of them). Added 366 fingerprints, bringing the new total to 4485. Additions include Linux 3.10 - 3.14, iOS 7, OpenBSD 5.4 - 5.5, FreeBSD 9.2, OS X 10.9, Android 4.3, and more. Many existing fingerprints were improved. Highlights: http://seclists.org/nmap-dev/2014/q3/325 [Daniel Miller]
- (Windows, RPMs) Upgraded the included OpenSSL to version 1.0.1i. [Daniel Miller]
- (Windows) Upgraded the included Python to version 2.7.8. [Daniel Miller]
- Removed the External Entity Declaration from the DOCTYPE in Nmap's XML. This was added in 6.45, and resulted in trouble for Nmap XML parsers without network access, as well as increased traffic to Nmap's servers. The doctype is now: <!DOCTYPE nmaprun>
- [Ndiff] Fixed the installation process on Windows, which was missing the actual Ndiff Python module since we separated it from the driver script. [Daniel Miller]
- [Ndiff] Fixed the ndiff.bat wrapper in the zipfile Windows distribution, which was giving the error, "\Microsoft was unexpected at this time." See https://support.microsoft.com/kb/2524009 [Daniel Miller]
- [Zenmap] Fixed the Zenmap .dmg installer for OS X. Zenmap failed to launch, producing this error:
    Could not import the zenmapGUI.App module: 'dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.6/lib-dynload/glib/_glib.so, 2): Library not loaded: /Users/david/macports-10.5/lib/libffi.5.dylib\nReferenced from: /Applications/Zenmap.app/Contents/Resources/lib/python2.6/lib-dynload/glib/_glib.so\nReason: image not found'.
- [Ncat] Fixed SOCKS5 username/password authentication. The password length was being written in the wrong place, so authentication could not succeed. Reported with patch by Pierluigi Vittori.
- Avoid formatting NULL as "%s" when running nmap --iflist. GNU libc converts this to the string "(null)", but it caused a segfault on Solaris. [Daniel Miller]
- [Zenmap][Ndiff] Avoid crashing when users have the antiquated PyXML package installed. Python tries to be nice and loads it when we import xml, but it isn't compatible. Instead, we force Python to use the standard library xml module. [Daniel Miller]
- Handle ICMP admin-prohibited messages when doing service version detection. Crash reported by Nathan Stocks was: Unexpected error in NSE_TYPE_READ callback. Error code: 101 (Network is unreachable) [David Fifield]
- [NSE] Fix a bug causing http.head to not honor redirects. [Patrik Karlsson]
- [Zenmap] Fix a bug in DiffViewer causing this crash:
    TypeError: GtkTextBuffer.set_text() argument 1 must be string or read-only buffer, not NmapParserSAX
  Crash happened when trying to compare two scans within Zenmap. [Daniel Miller]
Nmap 6.46 [2014-04-18]
- [NSE] Made numerous improvements to ssl-heartbleed to provide more reliable detection of the vulnerability.
- [Zenmap] Fixed a bug which caused this crash message:
    IOError: [Errno socket error] [Errno 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
  The bug was caused by us adding a DOCTYPE definition to Nmap's XML output which caused Python's XML parser to try and fetch the DTD every time it parses an XML file. We now override that DTD-fetching behavior. [Daniel Miller]
- [NSE] Fix some bugs which could cause snmp-ios-config and snmp-sysdescr scripts to crash (http://seclists.org/nmap-dev/2014/q2/120) [Patrik Karlsson]
- [NSE] Improved performance of citrix.lua library when handling large XML responses containing application lists. [Tom Sellers]
Nmap 6.45 [2014-04-11]
- Idle scan now supports IPv6. IPv6 packets don't usually come with fragment identifiers like IPv4 packets do, so new techniques had to be developed to make idle scan possible. The implementation is by Mathias Morbitzer, who made it the subject of his master's thesis.
- When doing a ping scan (-sn), the --open option will prevent down hosts from being shown when -v is specified. This aligns with similar output for other scan types. [Daniel Miller]
- Fixed some syntax problems in nmap-os-db that were caused by some automated merging of fingerprints (http://seclists.org/nmap-dev/2013/q4/68) [Daniel Miller]
- New service probes and fingerprints for Quake1, TeamSpeak3, xmlsysd, Freelancer game server, All-Seeing Eye, AndroMouse, and AirHD.
- Update included WinPcap to version 4.1.3 [Rob Nicholls]
- [NSE] Convert many more scripts to emit structured XML output (https://nmap.org/book/nse-api.html#nse-structured-output) [Daniel Miller]
- [NSE] Added 24 NSE scripts from 12 authors, bringing the total up to 470. They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
  - allseeingeye-info gathers information from games using this query protocol. A version detection probe was also added. [Marin Maržić]
  - freelancer-info gathers information about the Freelancer game server. Also added a related version detection probe and UDP protocol payload for detecting the service. [Marin Maržić]
  - http-csrf detects Cross Site Request Forgery (CSRF) vulnerabilities by searching for CSRF tokens in HTML forms. [George Chatzisofroniou]
  - http-devframework finds out the technology behind the target website based on HTTP headers, static URLs, and other content and resources. [George Chatzisofroniou]
  - http-dlink-backdoor detects DLink routers with a firmware backdoor allowing admin access over the HTTP interface. [Patrik Karlsson]
  - http-dombased-xss finds potential DOM-based Cross-site Scripting (XSS) vulnerabilities by searching for specific patterns in JavaScript resources. [George Chatzisofroniou]
  - http-errors crawls for URIs that return error status codes (HTTP 400 and above). [George Chatzisofroniou]
  - http-feed crawls a web site for Atom and RSS feeds. [George Chatzisofroniou]
  - http-iis-short-name-brute detects Microsoft IIS servers vulnerable to a file/folder name disclosure and a denial of service vulnerability. The script obtains the "shortnames" of the files and folders in the webroot folder. [Paulino Calderon]
  - http-mobileversion-checker checks for mobile versions of web pages by setting an Android User-Agent header and checking for HTTP redirects. [George Chatzisofroniou]
  - http-ntlm-info gets server information from Web servers that require NTLM authentication. [Justin Cacak]
  - http-referer-checker finds JavaScript resources that are included from other domains, increasing a website's attack surface. [George Chatzisofroniou]
  - http-server-header grabs the Server header as a last-ditch effort to get a software version. This can't be done as a softmatch because of the need to match non-HTTP services that obey some HTTP requests. [Daniel Miller]
  - http-useragent-tester checks for sites that redirect common Web spider User-Agents to a different page than browsers get. [George Chatzisofroniou]
  - http-vuln-cve2013-7091 (released as http-vuln-zimbra-lfi) looks for CVE-2013-7091, a LFI vulnerability in Zimbra. [Paul AMAR, Ron Bowes]
  - http-xssed searches the xssed.com database of Cross-site Scripting vulnerabilities for previously-reported XSS vulnerabilities in the target. [George Chatzisofroniou]
  - qconn-exec tests the QNX QCONN service for remote command execution. [Brendan Coles]
  - quake1-info retrieves server and player information from Quake 1 game servers. Reports potential DoS amplification factor. [Ulrik Haugen]
  - rfc868-time gets the date and time from an RFC 868 Time server. [Daniel Miller]
  - ssl-heartbleed detects the Heartbleed bug in OpenSSL (CVE-2014-0160) [Patrik Karlsson]
  - sstp-discover discovers Microsoft's Secure Socket Tunnelling Protocol (http://msdn.microsoft.com/en-us/library/cc247338.aspx) [Niklaus Schiess]
  - unittest runs unit tests found in NSE libraries. The corresponding unittest.lua library has examples. Run `nmap --script=unittest --script-args=unittest.run -d` to run the tests. [Daniel Miller]
  - weblogic-t3-info detects the T3 RMI protocol used by Oracle/BEA Weblogic and extracts the Weblogic version. [Alessandro Zanni, Daniel Miller]
  - whois-ip and whois-domain replace the whois script, which previously could only collect whois info for IP addresses. [George Chatzisofroniou]
- [NSE] Fixed an error-handling bug in socks-open-proxy that caused it to fail when scanning a SOCKS4-only proxy. Reported on IRC by Husky. [Daniel Miller]
- [NSE] Improved ntp-info script to handle underscores in returned data. [nnposter]
- [NSE] Add unicode library for decoding and encoding UTF-8, UTF-16, CP437 and other character sets to Unicode code points. Scripts that previously just added or skipped nulls in UTF-16 data can use this to support non-ASCII characters. [Daniel Miller]
- Significant code and documentation cleanup effort, fixing file encodings, trailing whitespace, indentation, spelling mistakes, NSEdoc formatting issues, PEP 8 compliance for Python, deprecation cleanup under python -3, cleanup of warnings from LLVM's AddressSanitizer. [Daniel Miller]
- [Ncat] Added support for socks5 and corresponding regression tests. [Marek Lukaszuk, Petr Stodulka]
- Added TCP support to dns.lua. [John Bond]
- Added safe fd_set operations. This makes nmap fail gracefully instead of crashing when the number of file descriptors grows over FD_SETSIZE. Jacek Wielemborek reported the crash. [Henri Doreau]
- [NSE] Added tls library for functions related to SSLv3 and TLS messages. Existing ssl-enum-ciphers, ssl-date, and tls-nextprotoneg scripts were updated to use this library. [Daniel Miller]
- Added NSE and Zenmap unit tests to "make check" [Daniel Miller]
- [NSE] Enable http-enum to use the large Nikto fingerprint database at runtime if provided by the user. For licensing reasons, we do not distribute this database, but the integration effort has the blessing of the Nikto folks. [George Chatzisofroniou]
- Updated bundled liblua from 5.2.2 to 5.2.3 (bugfix release) [Daniel Miller]
- Added version detection signatures and probes for a bunch of Android remote mouse/keyboard servers, including AndroMouse, AirHID, Wifi-mouse, and RemoteMouse. [Paul Hemberger]
- [Ncat] Fixed compilation when --without-liblua is specified in configure (an #include needed an ifdef guard). [Quentin Glidic]
- Fixed a bug in libdnet with handling interfaces with AF_LINK addresses on FreeBSD >9 reported by idwer on IRC. Likely affected other *BSDs. Handled by skipping these non-network addresses. [Daniel Miller]
- Fixed a bug with UDP checksum calculation. When the UDP checksum is zero (0x0000), it must be transmitted as 1's-complement -0 (0xffff) to avoid ambiguity with +0, which indicates no checksum was calculated. This affected UDP on IPv4 only. Reported by Michael Weber. [Daniel Miller]
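As an added illustration of the rule this entry describes (example code written for this changelog, not Nmap's own implementation), the C routine below computes an IPv4 UDP checksum, maps a computed zero to 0xFFFF before transmission, and verifies as a receiver would. The 10.0.0.1 -> 10.0.0.2 datagram is constructed, not captured; its bytes are chosen so that one payload lands exactly on the zero case.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One's-complement sum of 16-bit big-endian words (RFC 768 / RFC 1071);
   an odd trailing byte is padded with a zero low byte. */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t acc)
{
    for (; len > 1; p += 2, len -= 2)
        acc += ((uint32_t)p[0] << 8) | p[1];
    if (len)
        acc += (uint32_t)p[0] << 8;
    return acc;
}

/* Fold the carries back into 16 bits. */
static uint16_t fold(uint32_t acc)
{
    while (acc >> 16)
        acc = (acc & 0xFFFFu) + (acc >> 16);
    return (uint16_t)acc;
}

/* Sum of the IPv4 pseudo-header: src, dst, zero byte, protocol 17, UDP length. */
static uint32_t pseudo_header_sum(const uint8_t src[4], const uint8_t dst[4], size_t udp_len)
{
    uint8_t ph[12];
    memcpy(ph, src, 4);
    memcpy(ph + 4, dst, 4);
    ph[8] = 0;
    ph[9] = 17;
    ph[10] = (uint8_t)(udp_len >> 8);
    ph[11] = (uint8_t)udp_len;
    return ones_sum(ph, sizeof ph, 0);
}

/* Checksum to put on the wire for the datagram at udp (8-byte header followed
   by payload, len bytes in total). Bytes 6-7, the checksum field, are treated
   as zero during the computation regardless of their current contents. */
uint16_t udp4_checksum(const uint8_t src[4], const uint8_t dst[4],
                       const uint8_t *udp, size_t len)
{
    uint32_t acc = pseudo_header_sum(src, dst, len);
    acc = ones_sum(udp, 6, acc);            /* ports and length */
    acc = ones_sum(udp + 8, len - 8, acc);  /* payload, skipping the checksum field */
    uint16_t csum = (uint16_t)~fold(acc);
    /* The fix this entry describes: a computed 0x0000 goes out as 0xFFFF
       (one's-complement negative zero), because 0x0000 on the wire means
       "no checksum was calculated" for UDP over IPv4. */
    return csum == 0 ? 0xFFFF : csum;
}

/* Receiver side: 1 if the datagram carries no checksum or verifies, 0 if corrupt. */
int udp4_checksum_ok(const uint8_t src[4], const uint8_t dst[4],
                     const uint8_t *udp, size_t len)
{
    uint16_t wire = (uint16_t)(((uint16_t)udp[6] << 8) | udp[7]);
    if (wire == 0)
        return 1;  /* sender opted out of checksumming */
    uint32_t acc = pseudo_header_sum(src, dst, len);
    acc = ones_sum(udp, len, acc);  /* whole datagram, checksum field included */
    return fold(acc) == 0xFFFF;
}

/* Constructed sample (not captured traffic): 10.0.0.1:4096 -> 10.0.0.2:8192,
   UDP length 10, two payload bytes chosen by the caller. */
static const uint8_t SRC[4] = {10, 0, 0, 1};
static const uint8_t DST[4] = {10, 0, 0, 2};

static void build_sample(uint8_t out[10], uint8_t b0, uint8_t b1)
{
    static const uint8_t hdr[8] = {0x10, 0x00, 0x20, 0x00, 0x00, 0x0a, 0x00, 0x00};
    memcpy(out, hdr, 8);
    out[8] = b0;
    out[9] = b1;
}

/* Wire checksum for the sample datagram with payload {b0, b1}. Pseudo-header and
   header words sum to 0x4428, so payload 0xBBD7 drives the sum to exactly 0xFFFF:
   the complement is 0x0000 and 0xFFFF is sent; payload 0x0000 yields 0xBBD7. */
uint16_t sample_checksum(uint8_t b0, uint8_t b1)
{
    uint8_t pkt[10];
    build_sample(pkt, b0, b1);
    return udp4_checksum(SRC, DST, pkt, sizeof pkt);
}

/* Fill in the checksum, then verify the datagram as a receiver would. */
int sample_roundtrip_ok(uint8_t b0, uint8_t b1)
{
    uint8_t pkt[10];
    build_sample(pkt, b0, b1);
    uint16_t c = udp4_checksum(SRC, DST, pkt, sizeof pkt);
    pkt[6] = (uint8_t)(c >> 8);
    pkt[7] = (uint8_t)c;
    return udp4_checksum_ok(SRC, DST, pkt, sizeof pkt);
}
```

Before the fix, the zero case would have left 0x0000 in the header, which a receiver interprets as "no checksum" and therefore never verifies.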
- [NSE] Removed a fixed value (28428) which was being set for the Request ID in the snmpWalk library function; a value based on nmap.clock_ms will now be set instead. [jah]
- The ICMP ID of ICMP probes is now matched against the sent ICMP ID, to reduce the chance of false matches. Patch by Chris Johnson.
- [NSE] Made telnet-brute support multiple parallel guessing threads, reuse connections, and support password-only logins. [nnposter]
- [NSE] Made the table returned by ssh1.fetch_host_key contain a "key" element, like that of ssh2.fetch_host_key. This fixed a crash in the ssh-hostkey script reported by Dan Farmer and Florian Pelgrim. The "key" element of ssh2.fetch_host_key is now base64-encoded, to match the format used by the known_hosts file. [David Fifield]
- [Nsock] Handle timers and timeouts via a priority queue (using a heap) for improved performance. Nsock now only iterates over events which are completed or expired instead of inspecting the entire event set at each iteration. [Henri Doreau]
- [NSE] Updated dns-cache-snoop script to use a new list of top 50 domains rather than a 2010 list. [Nicolle Neulist]
- [Zenmap] Fixed a crash that would happen when you entered a search term starting with a colon: "AttributeError: 'FilteredNetworkInventory' object has no attribute 'match_'". Reported by Kris Paernell. [David Fifield]
- [Ncat] Added NCAT_PROTO, NCAT_REMOTE_ADDR, NCAT_REMOTE_PORT, NCAT_LOCAL_ADDR and NCAT_LOCAL_PORT environment variables being set in all --*-exec child processes.
Nmap 6.40 [2013-07-29]
- [Ncat] Added --lua-exec. This feature is basically the equivalent of 'ncat --sh-exec "lua <scriptname>"' and allows you to run Lua scripts with Ncat, redirecting all stdin and stdout operations to the socket connection. See https://nmap.org/book/ncat-man-command-options.html [Jacek Wielemborek]
- Integrated all of your IPv4 OS fingerprint submissions since January (1,300 of them). Added 91 fingerprints, bringing the new total to 4,118. Additions include Linux 3.7, iOS 6.1, OpenBSD 5.3, AIX 7.1, and more. Many existing fingerprints were improved. Highlights: http://seclists.org/nmap-dev/2013/q2/518. [David Fifield]
- Integrated all of your service/version detection fingerprints submitted since January (737 of them)! Our signature count jumped by 273 to 8,979. We still detect 897 protocols, from extremely popular ones like http, ssh, smtp and imap to the more obscure airdroid, gopher-proxy, and enemyterritory. Highlights: http://seclists.org/nmap-dev/2013/q3/80. [David Fifield]
- Integrated your latest IPv6 OS submissions and corrections. We're still low on IPv6 fingerprints, so please scan any IPv6 systems you own or administer and submit them to https://nmap.org/submit/. Both new fingerprints (if Nmap doesn't find a good match) and corrections (if Nmap guesses wrong) are useful. [David Fifield]
- [Nsock] Added initial proxy support to Nsock. Nmap version detection and NSE can now establish TCP connections through chains of one or more CONNECT or SOCKS4 proxies. Use the Nmap --proxies option with a chain of one or more proxies as the argument (example: http://localhost:8080,socks4://someproxy.example.com). Note that only version detection and NSE are supported so far (no port scanning or host discovery), and there are other limitations described in the man page. [Henri Doreau]
- [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 446. They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
  - hostmap-ip2hosts finds hostnames that resolve to the target's IP address by querying the online database at http://www.ip2hosts.com (uses Bing search results) [Paulino Calderon]
  - http-adobe-coldfusion-apsa1301 attempts to exploit an authentication bypass vulnerability in Adobe Coldfusion servers (APSA13-01: http://www.adobe.com/support/security/advisories/apsa13-01.html) to retrieve a valid administrator's session cookie. [Paulino Calderon]
  - http-coldfusion-subzero attempts to retrieve version, absolute path of administration panel and the file 'password.properties' from vulnerable installations of ColdFusion 9 and 10. [Paulino Calderon]
  - http-comments-displayer extracts and outputs HTML and JavaScript comments from HTTP responses. [George Chatzisofroniou]
  - http-fileupload-exploiter exploits insecure file upload forms in web applications using various techniques like changing the Content-type header or creating valid image files containing the payload in the comment. [George Chatzisofroniou]
  - http-phpmyadmin-dir-traversal exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 (and possibly other versions) to retrieve remote files on the web server. [Alexey Meshcheryakov]
  - http-stored-xss posts specially crafted strings to every form it encounters and then searches through the website for those strings to determine whether the payloads were successful. [George Chatzisofroniou]
  - http-vuln-cve2013-0156 detects Ruby on Rails servers vulnerable to object injection, remote command execution and denial of service attacks. (CVE-2013-0156) [Paulino Calderon]
  - ike-version obtains information (such as vendor and device type where available) from an IKE service by sending four packets to the host. This script tests with both Main and Aggressive Mode and sends multiple transforms per request. [Jesper Kueckelhahn]
  - murmur-version detects the Murmur service (server for the Mumble voice communication client) versions 1.2.X. [Marin Maržić]
  - mysql-enum performs valid-user enumeration against MySQL server using a bug discovered and published by Kingcope (http://seclists.org/fulldisclosure/2012/Dec/9). [Aleksandar Nikolic]
  - teamspeak2-version detects the TeamSpeak 2 voice communication server and attempts to determine version and configuration information. [Marin Maržić]
  - ventrilo-info detects the Ventrilo voice communication server service versions 2.1.2 and above and tries to determine version and configuration information. [Marin Maržić]
- Updated the Nmap license agreement to close some loopholes and stop some abusers. It's particularly targeted at companies which distribute malware-laden Nmap installers as we caught Download.com doing last year -- http://insecure.org/news/download-com-fiasco.html . The updated license is in all the normal places, including https://svn.nmap.org/nmap/COPYING.
- [NSE][SECURITY] Oops, there was a vulnerability in one of our 437 NSE scripts. If you ran the (fortunately non-default) http-domino-enum-passwords script with the (fortunately also non-default) domino-enum-passwords.idpath parameter against a malicious server, it could cause an arbitrarily named file to be written to the client system. Thanks to Trustwave researcher Piotr Duszynski for discovering and reporting the problem. We've fixed that script, and also updated several other scripts to use a new stdnse.filename_escape function for extra safety. This breaks our record of never having a vulnerability in the 16 years that Nmap has existed, but that's still a fairly good run! [David, Fyodor]
- Unicast CIDR-style IPv6 range scanning is now supported, so you can specify targets such as en.wikipedia.org/120. Obviously it will take ages if you specify a huge space. For example, a /64 contains 18,446,744,073,709,551,616 addresses. [David Fifield]
- It's now possible to mix IPv4 range notation with CIDR netmasks in target specifications. For example, 192.168-170.4-100,200.5/16 is effectively the same as 192.168.168-170.0-255.0-255. [David Fifield]
- Timeout script-args are now standardized to use the timespec that Nmap's command-line arguments take (5s, 5000ms, 1h, etc.). Some scripts that previously took an integer number of milliseconds will now treat that as a number of seconds if not explicitly denoted as ms. [Daniel Miller]
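Added example for this entry and for the 6.49BETA1 note on 's' and 'ms' timeout suffixes (written for this changelog, not Nmap's or NSE's own parser): a C timespec parser that applies the bare-number-means-seconds rule, plus a helper quantifying what happens to a legacy argument such as "5000" that used to mean milliseconds.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a timespec in the forms the entry names ("5s", "5000ms", "1h", plus
   "m" for minutes and a bare number) into milliseconds. A bare number is taken
   as seconds, the default the entry warns about. Returns -1 on malformed input.
   Illustration written for this changelog; not Nmap's own parser. */
long timespec_to_ms(const char *spec)
{
    if (spec == NULL || *spec == '\0')
        return -1;
    char *end;
    errno = 0;
    double value = strtod(spec, &end);
    if (end == spec || errno != 0 || value != value || value < 0)
        return -1;  /* no digits, overflow, NaN, or negative */
    double scale;
    if (*end == '\0' || strcmp(end, "s") == 0)
        scale = 1000.0;                 /* default unit: seconds */
    else if (strcmp(end, "ms") == 0)
        scale = 1.0;
    else if (strcmp(end, "m") == 0)
        scale = 60.0 * 1000.0;
    else if (strcmp(end, "h") == 0)
        scale = 3600.0 * 1000.0;
    else
        return -1;                      /* unknown suffix or trailing junk */
    double ms = value * scale;
    if (ms > (double)LONG_MAX)
        return -1;
    return (long)(ms + 0.5);
}

/* How much longer a legacy bare millisecond value now waits: the old argument
   "5000" (meant as 5000 ms) is read as 5000 s, while "5000ms" keeps the old
   meaning. Returns the ratio of the two, or -1 if either fails to parse. */
long legacy_slowdown(const char *old_bare_value)
{
    char with_suffix[64];
    int n = snprintf(with_suffix, sizeof with_suffix, "%sms", old_bare_value);
    if (n < 0 || n >= (int)sizeof with_suffix)
        return -1;
    long now_ms = timespec_to_ms(old_bare_value);
    long intended_ms = timespec_to_ms(with_suffix);
    if (now_ms < 0 || intended_ms <= 0)
        return -1;
    return now_ms / intended_ms;
}
```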
- Nmap may now partially rearrange its target list for more efficient host groups. Previously, a single target with a different interface, or with an IP address the same as that of a target already in the group, would cause the group to be broken off at whatever size it was. Now, we buffer a small number of such targets, and keep looking through the input for more targets to fill out the current group. [David Fifield]
- [Ncat] The -i option (idle timeout) now works in listen mode as well as connect mode. [Tomas Hozza]
- [Ncat] Ncat now supports chained certificates with the --ssl-cert option. [Greg Bailey]
- [Nping] Nping now checks for a matching ICMP ID on echo replies, to avoid receiving crosstalk from other ping programs running at the same time. [David Fifield]
- [NSE] The ipOps.isPrivate library now considers the deprecated site-local prefix fec0::/10 to be private. [Marek Majkowski]
- Nmap's routing table is now sorted first by netmask, then by metric. Previously it was the other way around, which could cause a very general route with a low metric to be preferred over a specific route with a higher metric.
- Routes are now sorted to prefer those with a lower metric. Retrieval of metrics is supported only on Linux and Windows. [David Fifield]
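Added C illustration of this and the previous entry (example code for this changelog, not Nmap's routing code): one constructed routing table sorted both ways, showing how a default route with metric 1 shadows a 10.0.0.0/8 route under the old metric-first ordering but not under netmask-first ordering.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative routing entry; not Nmap's own structure, just the fields the
   ordering decision needs. Addresses are in host byte order. */
struct route {
    uint32_t dest;
    uint32_t mask;
    int metric;          /* lower is better among equally specific routes */
    const char *iface;
};

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Prefix length of a contiguous netmask. */
static int prefix_len(uint32_t mask)
{
    int n = 0;
    for (; mask; mask <<= 1)
        n++;
    return n;
}

/* Ordering from 6.40 on: most specific netmask first, then lowest metric. */
static int cmp_mask_then_metric(const void *a, const void *b)
{
    const struct route *ra = a, *rb = b;
    int la = prefix_len(ra->mask), lb = prefix_len(rb->mask);
    if (la != lb)
        return lb - la;                 /* longer prefix sorts first */
    return ra->metric - rb->metric;     /* then lower metric */
}

/* The earlier ordering: metric first, netmask only as a tie-breaker. */
static int cmp_metric_then_mask(const void *a, const void *b)
{
    const struct route *ra = a, *rb = b;
    if (ra->metric != rb->metric)
        return ra->metric - rb->metric;
    return prefix_len(rb->mask) - prefix_len(ra->mask);
}

/* First-match lookup over an already sorted table. */
static const char *lookup(const struct route *tbl, size_t n, uint32_t dst)
{
    for (size_t i = 0; i < n; i++)
        if ((dst & tbl[i].mask) == tbl[i].dest)
            return tbl[i].iface;
    return NULL;
}

/* Constructed sample table: a default route with a very low metric alongside
   more specific routes that carry higher metrics. */
#define NROUTES 4
static void sample_table(struct route *out)
{
    static const struct route t[NROUTES] = {
        { IP4(0, 0, 0, 0),  IP4(0, 0, 0, 0),     1,   "eth0" },  /* 0.0.0.0/0 */
        { IP4(10, 0, 0, 0), IP4(255, 0, 0, 0),   100, "eth1" },  /* 10.0.0.0/8 */
        { IP4(10, 0, 0, 0), IP4(255, 255, 0, 0), 50,  "eth2" },  /* 10.0.0.0/16 */
        { IP4(10, 0, 0, 0), IP4(255, 255, 0, 0), 10,  "eth3" },  /* 10.0.0.0/16 */
    };
    memcpy(out, t, sizeof t);
}

/* Interface selected for dst with the corrected ordering. */
const char *route_fixed(uint32_t dst)
{
    struct route tbl[NROUTES];
    sample_table(tbl);
    qsort(tbl, NROUTES, sizeof tbl[0], cmp_mask_then_metric);
    return lookup(tbl, NROUTES, dst);
}

/* Interface selected for dst with the old ordering: the metric-1 default route
   sorts to the top and matches everything, shadowing the /8 and /16 routes. */
const char *route_old(uint32_t dst)
{
    struct route tbl[NROUTES];
    sample_table(tbl);
    qsort(tbl, NROUTES, sizeof tbl[0], cmp_metric_then_mask);
    return lookup(tbl, NROUTES, dst);
}
```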
- Fixed a byte-ordering problem on little-endian architectures when doing idle scan with a zombie that uses broken ID increments. [David Fifield]
- Stop parsing TCP options after reaching EOL in libnetutil. Bug reported by Gustavo Moreira. [Henri Doreau]
- [NSE] The dns-ip6-arpa-scan script now optionally accepts "/" syntax for a network mask. Based on a patch by Indula Nayanamith.
- [Ncat] Reduced the default --max-conns limit from 100 to 60 on Windows, to stay within platform limitations. Suggested by Andrey Olkhin.
- Fixed IPv6 routing table alignment on NetBSD.
- Fixed our NSEDoc system so the author field uses UTF-8 and we can spell people's names properly, even if they use crazy non-ASCII characters like Marin Maržić. [David Fifield]
- UDP protocol payloads were added for detecting the Murmur service (a server for the Mumble voice communication client) and TeamSpeak 2 VoIP software.
- [NSE] Added http-phpmyadmin-dir-traversal by Alexey Meshcheryakov.
- Updated libdnet to not SIOCIFNETMASK before SIOCIFADDR on OpenBSD. This was reported to break on -current as of May 2013. [Giovanni Bechis]
- Fixed address matching for SCTP (-PY) ping. [Marin Maržić]
- Removed some non-ANSI-C strftime format strings ("%F") and locale-dependent formats ("%c") from NSE scripts and libraries. C99-specified %F was noticed by Alex Weber. [Daniel Miller]
- [Zenmap] Improved internationalization support:
  - Added Polish translation by Jacek Wielemborek.
  - Updated the Italian translation. [Giacomo]
- [Zenmap] Fixed internationalization files. Running in a language other than the default English would result in the error "ValueError: too many values to unpack". [David Fifield]
- [NSE] Updated the included Liblua from version 5.2.1 to 5.2.2. [Patrick Donnelly]
- [Nsock] Added a minimal regression test suite for Nsock. [Henri Doreau]
- [NSE] Updated the redis-brute and redis-info scripts to work against the latest versions of redis server. [Henri Doreau]
- [Ncat] Fixed errors in connecting to IPv6 proxies. [Joachim Henke]
- [NSE] Updated hostmap-bfk to work with the latest version of their website (bfk.de). [Paulino Calderon]
- [NSE] Added XML structured output support to:
  - xmpp-info, irc-info, sslv2, address-info [Daniel Miller]
  - hostmap-bfk, hostmap-robtex, hostmap-ip2hosts. [Paulino Calderon]
  - http-git.nse. [Alex Weber]
- Added new service probes for:
  - Erlang distribution nodes [Michael Schierl]
  - Minecraft servers. [Eric Davisson]
  - Hazelcast data grid. [Pavel Kankovsky]
- [NSE] Rewrote telnet-brute for better compatibility with a variety of telnet servers. [nnposter]
- Fixed a regression that changed the number of delimiters in machine output. [Daniel Miller]
- Fixed a regression in broadcast-dropbox-listener which prevented it from producing output. [Daniel Miller]
- Handle ICMP type 11 (Time Exceeded) responses to port scan probes. Ports will be reported as "filtered", to be consistent with existing Connect scan results, and will have a reason of time-exceeded. DiabloHorn reported this issue via IRC. [Daniel Miller]
- Add new decoders (BROWSER, DHCP6 and LLMNR) to broadcast-listener and changed output of some of the decoders slightly. [Patrik Karlsson]
- The list of name servers on Windows now ignores those from inactive interfaces. [David Fifield]
- Namespace the pipes used to communicate with subprocesses by PID, to avoid multiple instances of Ncat from interfering with each other. Patch by Andrey Olkhin.
- [NSE] Changed ip-geolocation-geoplugin to use the web service's new output format. Reported by Robin Wood.
- Limited the number of open sockets in ultra_scan to FD_SETSIZE. Very fast connect scans could write past the end of an fd_set and cause a variety of crashes:
    nmap: scan_engine.cc:978: bool ConnectScanInfo::clearSD(int): Assertion `numSDs > 0' failed.
    select failed in do_one_select_round(): Bad file descriptor (9)
  [David Fifield]
- Fixed a bug that prevented Nmap from finding any interfaces when one of them had the type ARP_HDR_APPLETALK; this was the case for AppleTalk interfaces. However, this support is not complete since AppleTalk interfaces use different size hardware addresses than Ethernet. Nmap IP level scans should work without any problem; please refer to the '--send-ip' switch and to the following thread: http://seclists.org/nmap-dev/2013/q1/214. This bug was reported by Steven Gregory Johnson. [Daniel Miller]
- [Nping] Nping on Windows now skips localhost targets for privileged pings (with an error message) because those generally don't work. [David Fifield]
- [Ncat] Ncat now keeps running in connect mode after receiving EOF from the remote socket, unless --recv-only is in effect. [Tomas Hozza]
- Packet trace of ICMP packets now includes the ICMP ID and sequence number by default. [David Fifield]
- [NSE] Fixed various NSEDoc bugs found by David Matousek.
- [Zenmap] Zenmap now understands the NMAP_PRIVILEGED and NMAP_UNPRIVILEGED environment variables. [Tyler Wagner]
- Added an ncat_assert macro. This is similar to assert(), but remains even if NDEBUG is defined. Replaced all Ncat asserts with this. We also moved operations with side effects outside of asserts as yet another layer of bug prevention. [David Fifield]
- Added nmap-fo.xsl, contributed by Tilik Ammon. This converts Nmap XML into XSL-FO, which can be converted into PDF using tools such as Apache FOP.
- Increased the number of slack file descriptors not used during connect scan. Previously, the calculation did not consider the descriptors used by various open log files. Connect scans using a lot of sockets could fail with the message "Socket creation in sendConnectScanProbe: Too many open files". [David Fifield]
- Changed the --webxml XSL stylesheet to point to the new location of nmap.xsl in the new repository (https://svn.nmap.org/nmap/docs/nmap.xsl). It still may not work in web browsers due to same origin policy (see http://seclists.org/nmap-dev/2013/q1/58). [David Fifield, Simon John]
- [NSE] The vulnerability library can now preserve vulnerability information across multiple ports of the same host. The bug was reported by iphelix. [Djalal Harouni]
- Removed the undocumented -q option, which renamed the nmap process to something like "pine".
- Moved the Japanese man page from man1/jp to man1/ja. JP is a country code while JA is a language code. Reported by Christian Neukirchen.
- [Nsock] Reworked the logging infrastructure to make it more flexible and consistent. Updated Nmap, Nping and Ncat accordingly. Nsock log level can now be adjusted at runtime by pressing d/D in nmap. [Henri Doreau, David Fifield]
- [NSE] Fixed scripts using unconnected UDP sockets. The bug was reported by Dhiru Kholia at http://seclists.org/nmap-dev/2012/q4/422. [David Fifield]
- Made some changes to Ndiff to reduce parsing time when dealing with large Nmap XML output files. [Henri Doreau]
- Cleaned up the source code a bit to resolve some false positive issues identified by the Parfait static code analysis program. Oracle apparently runs this on programs (including Nmap) that they ship with Solaris. See http://seclists.org/nmap-dev/2012/q4/504. [David Fifield]
- [Zenmap] Fixed a crash that could be caused by opening the About dialog, using the window manager to close it, and opening it again. This was reported by Yashartha Chaturvedi and Jordan Schroeder. [David Fifield]
- [Ncat] Made test-addrset.sh exit with nonzero status if any tests fail. This in turn causes "make check" to fail if any tests fail. [Andreas Stieger]
- Fixed compilation with --without-liblua. The bug was reported by Rick Farina, Nikos Chantziaras, and Alex Turbov. [David Fifield]
- Fixed CRC32c calculation (as used in SCTP scans) on 64-bit platforms. [Pontus Andersson]
- [NSE] Added multicast group name output to broadcast-igmp-discovery.nse. [Vasily Kulikov]
- [NSE] Added new fingerprints for http-enum: Sitecore, Moodle, typo3, SquirrelMail, RoundCube. [Jesper Kückelhahn]
Nmap 6.25 [2012-11-29]
- [NSE] Added CPE to smb-os-discovery output.
- [Ncat] Fixed the printing of warning messages for large arguments to the -i and -w options. [Michal Hlavinka]
- [Ncat] Shut down the write part of connected sockets in listen mode when stdin hits EOF, just as was already done in connect mode. [Michal Hlavinka]
- [Zenmap] Removed a crashing error that could happen when canceling a "Print to File" on Windows:
    Traceback (most recent call last):
      File "zenmapGUI\MainWindow.pyo", line 831, in _print_cb
      File "zenmapGUI\Print.pyo", line 156, in run_print_operation
    GError: Error from StartDoc
  This bug was reported by Imre Adácsi. [David Fifield]
- Added some new checks for failed library calls. [Bill Parker]
Nmap 6.20BETA1 [2012-11-16]
- Integrated all of your IPv4 OS fingerprint submissions since January (more than 3,000 of them). Added 373 fingerprints, bringing the new total to 3,946. Additions include Linux 3.6, Windows 8, Windows Server 2012, Mac OS X 10.8, and a ton of new WAPs, printers, routers, and other devices--including our first IP-enabled doorbell! Many existing fingerprints were improved. [David Fifield]
- Integrated all of your service/version detection fingerprints submitted since January (more than 1,500)! Our signature count jumped by more than 400 to 8,645. We now detect 897 protocols, from extremely popular ones like http, ssh, smtp and imap to the more obscure airdroid, gopher-proxy, and enemyterritory. [David Fifield]
- Integrated your latest IPv6 OS submissions and corrections. We're still low on IPv6 fingerprints, so please scan any IPv6 systems you own or administer and submit them to https://nmap.org/submit/. Both new fingerprints (if Nmap doesn't find a good match) and corrections (if Nmap guesses wrong) are useful.
- Enabled support for IPv6 traceroute using UDP, SCTP, and IPProto (Next Header) probes. Previously, only TCP and ICMP were supported. [David Fifield]
- Scripts can now return a structured name-value table so that results are query-able from XML output. Scripts can return a string as before, or a table, or a table and a string. In this last case, the table will go to XML output and the string will go to screen output. See https://nmap.org/book/nse-api.html#nse-structured-output [Daniel Miller, David Fifield, Patrick Donnelly]
- [Nsock] Added new poll and kqueue I/O engines for improved performance on Windows and BSD-based systems including Mac OS X. These are in addition to the epoll engine (used on Linux) and the classic select engine fallback for other systems. [Henri Doreau]
- [Ncat] Added support for Unix domain sockets. The new -U and --unixsock options activate this mode. These provide compatibility with Hobbit's original Netcat. [Tomas Hozza]
- Moved some Windows dependencies, including OpenSSL, libsvn, and the vcredist files, into a new public Subversion directory /nmap-mswin32-aux and moved it out of the source tarball. This reduces the compressed tarball size from 22 MB to 8 MB and similarly reduces the bandwidth and storage required for an svn checkout. Folks who build Nmap on Windows will need to check out /nmap-mswin32-aux along with /nmap as described at https://nmap.org/book/inst-windows.html#inst-win-source.
- Many of the great features in this release were created by college and grad students generously sponsored by Google's Summer of Code program. Thanks, Google Open Source Department! This year's team of five developers is introduced at http://seclists.org/nmap-dev/2012/q2/204 and their successes documented at http://seclists.org/nmap-dev/2012/q4/138
- [NSE] Replaced old RPC grinder (RPC enumeration, performed as part of version detection when a port seems to run a SunRPC service) with a faster and easier to maintain NSE-based implementation. This also allowed us to remove the crufty old pos_scan scan engine. [Hani Benhabiles]
- Updated our Nmap Scripting Engine to use Lua 5.2 (and then 5.2.1) rather than 5.1. See http://seclists.org/nmap-dev/2012/q2/34 for details. [Patrick Donnelly]
- [NSE] Added 85(!) NSE scripts, bringing the total up to 433. They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
  - ajp-auth retrieves the authentication scheme and realm of an AJP service (Apache JServ Protocol) that requires authentication. The Apache JServ Protocol is commonly used by web servers to communicate with back-end Java application server containers. [Patrik Karlsson]
  - ajp-brute performs brute force password auditing against the Apache JServ protocol. [Patrik Karlsson]
  - ajp-headers performs a HEAD or GET request against either the root directory or any optional directory of an Apache JServ Protocol server and returns the server response headers. [Patrik Karlsson]
  - ajp-methods discovers which options are supported by the AJP (Apache JServ Protocol) server by sending an OPTIONS request and lists potentially risky methods. [Patrik Karlsson]
  - ajp-request requests a URI over the Apache JServ Protocol and displays the result (or stores it in a file). Different AJP methods such as GET, HEAD, TRACE, PUT or DELETE may be used. [Patrik Karlsson]
  - bjnp-discover retrieves printer or scanner information from a remote device supporting the BJNP protocol. The protocol is known to be supported by network based Canon devices. [Patrik Karlsson]
  - broadcast-ataoe-discover discovers servers supporting the ATA over Ethernet protocol. ATA over Ethernet is an ethernet protocol developed by the Brantley Coile Company and allows for simple, high-performance access to SATA drives over Ethernet. [Patrik Karlsson]
  - broadcast-bjnp-discover attempts to discover Canon devices (Printers/Scanners) supporting the BJNP protocol by sending BJNP Discover requests to the network broadcast address for both ports associated with the protocol. [Patrik Karlsson]
  - broadcast-eigrp-discovery performs network discovery and routing information gathering through Cisco's EIGRP protocol. [Hani Benhabiles]
  - broadcast-igmp-discovery discovers targets that have IGMP Multicast memberships and grabs interesting information. [Hani Benhabiles]
  - broadcast-pim-discovery discovers routers that are running PIM (Protocol Independent Multicast). [Hani Benhabiles]
  - broadcast-tellstick-discover discovers Telldus Technologies TellStickNet devices on the LAN. The Telldus TellStick is used to wirelessly control electric devices such as lights, dimmers and electric outlets. [Patrik Karlsson]
  - cassandra-brute performs brute force password auditing against the Cassandra database. [Vlatko Kosturjak]
  - cassandra-info attempts to get basic info and server status from a Cassandra database. [Vlatko Kosturjak]
  - cups-info lists printers managed by the CUPS printing service. [Patrik Karlsson]
  - cups-queue-info lists currently queued print jobs of the remote CUPS service grouped by printer. [Patrik Karlsson]
  - dict-info connects to a dictionary server using the DICT protocol, runs the SHOW SERVER command, and displays the result. [Patrik Karlsson]
  - distcc-cve2004-2687 detects and exploits a remote code execution vulnerability in the distributed compiler daemon distcc. [Patrik Karlsson]
  - dns-check-zone checks DNS zone configuration against best practices, including RFC 1912. The configuration checks are divided into categories which each have a number of different tests. [Patrik Karlsson]
  - dns-ip6-arpa-scan performs a quick reverse DNS lookup of an IPv6 network using a technique which analyzes DNS server response codes to dramatically reduce the number of queries needed to enumerate large networks. [Patrik Karlsson]
  - dns-nsec3-enum tries to enumerate domain names from a DNS server that supports DNSSEC NSEC3 records. [Aleksandar Nikolic, John Bond]
  - eppc-enum-processes attempts to enumerate process info over the Apple Remote Event protocol. When accessing an application over the Apple Remote Event protocol the service responds with the uid and pid of the application, if it is running, prior to requesting authentication. [Patrik Karlsson]
  - firewall-bypass detects a vulnerability in Netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip. [Hani Benhabiles]
  - flume-master-info retrieves information from Flume master HTTP pages. [John R. Bond]
  - gkrellm-info queries a GKRellM service for monitoring information. A single round of collection is made, showing a snapshot of information at the time of the request. [Patrik Karlsson]
  - gpsd-info retrieves GPS time, coordinates and speed from the GPSD network daemon. [Patrik Karlsson]
  - hostmap-robtex discovers hostnames that resolve to the target's IP address by querying the Robtex service at http://www.robtex.com/dns/. [Arturo Busleiman]
  - http-drupal-enum-users enumerates Drupal users by exploiting an information disclosure vulnerability in Views, Drupal's most popular module. [Hani Benhabiles]
  - http-drupal-modules enumerates the installed Drupal modules by using a list of known modules. [Hani Benhabiles]
  - http-exif-spider spiders a site's images looking for interesting exif data embedded in .jpg files. Displays the make and model of the camera, the date the photo was taken, and the embedded geotag information. [Ron Bowes]
  - http-form-fuzzer performs a simple form fuzzing against forms found on websites. Tries strings and numbers of increasing length and attempts to determine if the fuzzing was successful. [Piotr Olma]
  - http-frontpage-login checks whether target machines are vulnerable to anonymous Frontpage login. [Aleksandar Nikolic]
  - http-git checks for a Git repository found in a website's document root (/.git/<something>) then retrieves as much repo information as possible, including language/framework, Github username, last commit message, and repository description. [Alex Weber]
  - http-gitweb-projects-enum retrieves a list of Git projects, owners and descriptions from a gitweb (web interface to the Git revision control system). [riemann]
  - http-huawei-hg5xx-vuln detects Huawei modem models HG530x, HG520x, HG510x (and possibly others...) vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials and other interesting configuration values. [Paulino Calderon]
  - http-icloud-findmyiphone retrieves the locations of all "Find my iPhone" enabled iOS devices by querying the MobileMe web service (authentication required). [Patrik Karlsson]
  - http-icloud-sendmsg sends a message to an iOS device through the Apple MobileMe web service. The device has to be registered with an Apple ID using the Find My iPhone application. [Patrik Karlsson]
  - http-phpself-xss crawls a web server and attempts to find PHP files vulnerable to reflected cross site scripting via the variable $_SERVER["PHP_SELF"]. [Paulino Calderon]
  - http-rfi-spider crawls webservers in search of RFI (remote file inclusion) vulnerabilities. It tests every form field it finds and every parameter of a URL containing a query. [Piotr Olma]
  - http-robtex-shared-ns finds up to 100 domain names which use the same name server as the target by querying the Robtex service at http://www.robtex.com/dns/. [Arturo Busleiman]
  - http-sitemap-generator spiders a web server and displays its directory structure along with number and types of files in each folder. Note that files listed as having an 'Other' extension are ones that have no extension or that are a root document. [Piotr Olma]
  - http-slowloris-check tests a web server for vulnerability to the Slowloris DoS attack without actually launching a DoS attack. [Aleksandar Nikolic]
  - http-slowloris tests a web server for vulnerability to the Slowloris DoS attack by launching a Slowloris attack. [Aleksandar Nikolic, Ange Gutek]
  - http-tplink-dir-traversal exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication. [Paulino Calderon]
  - http-traceroute exploits the Max-Forwards HTTP header to detect the presence of reverse proxies. [Hani Benhabiles]
  - http-virustotal checks whether a file has been determined as malware by virustotal. Virustotal is a service that provides the capability to scan a file or check a checksum against a number of the major antivirus vendors. [Patrik Karlsson]
  - http-vlcstreamer-ls connects to a VLC Streamer helper service and lists directory contents. The VLC Streamer helper service is used by the iOS VLC Streamer application to enable streaming of multimedia content from the remote server to the device. [Patrik Karlsson]
  - http-vuln-cve2010-0738 tests whether a JBoss target is vulnerable to jmx console authentication bypass (CVE-2010-0738). [Hani Benhabiles]
  - http-waf-fingerprint tries to detect the presence of a web application firewall and its type and version. [Hani Benhabiles]
  - icap-info tests a list of known ICAP service names and prints information about any it detects. The Internet Content Adaptation Protocol (ICAP) is used to extend transparent proxy servers and is generally used for content filtering and antivirus scanning. [Patrik Karlsson]
  - ip-forwarding detects whether the remote device has ip forwarding or "Internet connection sharing" enabled, by sending an ICMP echo request to a given target using the scanned host as default gateway. [Patrik Karlsson]
  - ipv6-ra-flood generates a flood of Router Advertisements (RA) with random source MAC addresses and IPv6 prefixes. Computers, which have stateless autoconfiguration enabled by default (every major OS), will start to compute IPv6 suffix and update their routing table to reflect the accepted announcement. This will cause 100% CPU usage on Windows and platforms, preventing them from processing other application requests. [Adam Stevko]
  - irc-sasl-brute performs brute force password auditing against IRC (Internet Relay Chat) servers supporting SASL authentication. [Piotr Olma]
  - isns-info lists portals and iSCSI nodes registered with the Internet Storage Name Service (iSNS). [Patrik Karlsson]
  - jdwp-exec attempts to exploit java's remote debugging port. When the remote debugging port is left open, it is possible to inject java bytecode and achieve remote code execution. This script abuses this to inject and execute a Java class file that executes the supplied shell command and returns its output. [Aleksandar Nikolic]
  - jdwp-info attempts to exploit java's remote debugging port. When the remote debugging port is left open, it is possible to inject java bytecode and achieve remote code execution. This script injects and executes a Java class file that returns remote system information. [Aleksandar Nikolic]
  - jdwp-inject attempts to exploit java's remote debugging port. When the remote debugging port is left open, it is possible to inject java bytecode and achieve remote code execution. This script allows injection of arbitrary class files. [Aleksandar Nikolic]
  - llmnr-resolve resolves a hostname by using the LLMNR (Link-Local Multicast Name Resolution) protocol. [Hani Benhabiles]
  - mcafee-epo-agent checks if ePO agent is running on port 8081 or port identified as ePO Agent port. [Didier Stevens and Daniel Miller]
  - metasploit-info gathers info from the Metasploit RPC service. It requires a valid login pair. After authentication it tries to determine Metasploit version and deduce the OS type. Then it creates a new console and executes a few commands to get additional info. [Aleksandar Nikolic]
  - metasploit-msgrpc-brute performs brute force username and password auditing against Metasploit msgrpc interface. [Aleksandar Nikolic]
  - mmouse-brute performs brute force password auditing against the RPA Tech Mobile Mouse servers. [Patrik Karlsson]
  - mmouse-exec connects to an RPA Tech Mobile Mouse server, starts an application and sends a sequence of keys to it. Any application that the user has access to can be started and the key sequence is sent to the application after it has been started. [Patrik Karlsson]
  - mrinfo queries targets for multicast routing information. [Hani Benhabiles]
  - msrpc-enum queries an MSRPC endpoint mapper for a list of mapped services and displays the gathered information. [Aleksandar Nikolic]
  - ms-sql-dac queries the Microsoft SQL Browser service for the DAC (Dedicated Admin Connection) port of a given (or all) SQL Server instance. The DAC port is used to connect to the database instance when normal connection attempts fail, for example, when server is hanging, out of memory or in other bad states. [Patrik Karlsson]
  - mtrace queries for the multicast path from a source to a destination host. [Hani Benhabiles]
  - mysql-dump-hashes dumps the password hashes from a MySQL server in a format suitable for cracking by tools such as John the Ripper. Appropriate DB privileges (root) are required. [Patrik Karlsson]
  - mysql-query runs a query against a MySQL database and returns the results as a table. [Patrik Karlsson]
  - mysql-vuln-cve2012-2122 attempts to bypass authentication in MySQL and MariaDB servers by exploiting CVE-2012-2122. If it's vulnerable, it will also attempt to dump the MySQL usernames and password hashes. [Paulino Calderon]
  - oracle-brute-stealth exploits the CVE-2012-3137 vulnerability, a weakness in Oracle's O5LOGIN authentication scheme. The vulnerability exists in Oracle 11g R1/R2 and allows linking the session key to a password hash. [Dhiru Kholia]
  - pcanywhere-brute performs brute force password auditing against the pcAnywhere remote access protocol. [Aleksandar Nikolic]
  - rdp-enum-encryption determines which Security layer and Encryption level is supported by the RDP service. It does so by cycling through all existing protocols and ciphers. [Patrik Karlsson]
  - rmi-vuln-classloader tests whether Java rmiregistry allows class loading. The default configuration of rmiregistry allows loading classes from remote URLs, which can lead to remote code execution. The vendor (Oracle/Sun) classifies this as a design feature. [Aleksandar Nikolic]
  - rpc-grind fingerprints the target RPC port to extract the target service, RPC number and version. [Hani Benhabiles]
  - sip-call-spoof spoofs a call to a SIP phone and detects the action taken by the target (busy, declined, hung up, etc.) [Hani Benhabiles]
  - sip-methods enumerates a SIP Server's allowed methods (INVITE, OPTIONS, SUBSCRIBE, etc.) [Hani Benhabiles]
  - smb-ls attempts to retrieve useful information about files shared on SMB volumes. The output is intended to resemble the output of the UNIX ls command. [Patrik Karlsson]
  - smb-print-text attempts to print text on a shared printer by calling Print Spooler Service RPC functions. [Aleksandar Nikolic]
  - smb-vuln-ms10-054 tests whether target machines are vulnerable to the ms10-054 SMB remote memory corruption vulnerability. [Aleksandar Nikolic]
  - smb-vuln-ms10-061 tests whether target machines are vulnerable to the ms10-061 Printer Spooler impersonation vulnerability. [Aleksandar Nikolic]
  - snmp-hh3c-logins attempts to enumerate Huawei / HP/H3C Locally Defined Users through the hh3c-user.mib OID. [Kurt Grutzmacher]
  - ssl-date retrieves a target host's time and date from its TLS ServerHello response. [Aleksandar Nikolic]
  - tls-nextprotoneg enumerates a TLS server's supported protocols by using the next protocol negotiation extension. [Hani Benhabiles]
  - traceroute-geolocation lists the geographic locations of each hop in a traceroute and optionally saves the results to a KML file, plottable on Google earth and maps. [Patrik Karlsson]
- [NSE] Added 12 new protocol libraries, bringing our total to 105! Here they are, with authors enclosed in brackets:
  - ajp (Apache JServ Protocol) [Patrik Karlsson]
  - base32 (Base32 encoding/decoding - RFC 4648) [Philip Pickering]
  - bjnp (Canon BJNP printer/scanner discovery protocol) [Patrik Karlsson]
  - cassandra (Cassandra database protocol) [Vlatko Kosturjak]
  - eigrp (Cisco Enhanced Interior Gateway Routing Protocol) [Hani Benhabiles]
  - gps (Global Positioning System - does GPRMC NMEA decoding) [Patrik Karlsson]
  - ipp (CUPS Internet Printing Protocol) [Patrik Karlsson]
  - isns (Internet Storage Name Service) [Patrik Karlsson]
  - jdwp (Java Debug Wire Protocol) [Aleksandar Nikolic]
  - mobileme (a service for managing Apple/Mac devices) [Patrik Karlsson]
  - ospf (Open Shortest Path First routing protocol) [Patrik Karlsson]
  - rdp (Remote Desktop Protocol) [Patrik Karlsson]
- Added Common Platform Enumeration (CPE) identifiers to nearly 1,000 more OS detection signatures. Nmap 6.01 had them for 2,608 of 3,572 fingerprints (73%) and now we have them for 3,558 out of 3,946 (90%). [David Fifield]
- Scans that use OS sockets (including TCP connect scan, version detection, and script scan) now use the SO_BINDTODEVICE sockopt on Linux, so that the -e (select network device) option is honored. [David Fifield]
- [Zenmap] Host filters can now do negative matching, for example you can use "os:!linux" to match hosts NOT detected as Linux. [Daniel Miller]
- Fixed a bug that caused an incorrect source address to be set when scanning certain addresses (apparently those ending in .0) on Windows XP. The symptom of this bug was the messages
    get_srcaddr: can't connect socket: The requested address is not valid in its context.
    Failed to convert source address to presentation format!?! Error: Unknown error
  Thanks to Robert Washam and Jorge Hernandez for reports and help debugging. [David Fifield]
- Upgraded the included OpenSSL to version 1.0.1c. [David Fifield]
- [NSE] Added changes to brute and unpwdb libraries to allow more flexible iterator specification and control. [Aleksandar Nikolic]
- Tested that our WinPcap installer works on Windows 8 and Windows Server 2012 build 8400. Updated the installer text to recommend that users select the option to start 'NPF' at startup. [Rob Nicholls]
- Changed libdnet's routing interface to return an interface name for each route on the most common operating systems. This is used to improve the quality of Nmap's matching of routes to interfaces, which was previously done by matching routes to interface addresses. [Djalal Harouni, David Fifield]
- Fixed a bug that prevented Nmap from finding any interfaces when one of them had the type ARPHDR_INFINIBAND; this was the case for IP-over-InfiniBand interfaces. However, this support is not complete since IPoIB interfaces use 20 bytes for the hardware address, and currently we only report and handle 6 bytes. Nmap IP level scans should work without any problem; please refer to the '--send-ip' switch and to the following thread: http://seclists.org/nmap-dev/2012/q3/642. This bug was reported by starlight.2012q3. [Djalal Harouni]
- Fixed a bug that prevented Nmap from finding any interfaces when one of them had the type ARPHDR_IEEE80211; this was the case for wireless interfaces operating in access point mode. This bug was reported by Sebastiaan Vileijn. [Djalal Harouni]
- Updated the Zenmap desktop icons on Windows, Linux, and Mac with higher resolution ones. [Sean Rivera, David Fifield]
- [NSE] Script results for a host or service are now sorted alphabetically by script name. [Sean Rivera]
- Fixed a bug that prevented Nmap from finding any interfaces when any interface had the type ARPHRD_VOID; this was the case for OpenVZ venet interfaces. [Djalal Harouni, David Fifield]
- Linux unreachable routes are now properly ignored. [David Fifield]
- Added Dan Miller as an Nmap committer. He has done a ton of great work on Nmap, as you can see by searching for him in this CHANGELOG or reading the Nmap committers list at https://svn.nmap.org/nmap/docs/committers.txt.
- Added a new --disable-arp-ping option. This option prevents Nmap from implicitly using ARP or ND host discovery for discovering directly connected Ethernet targets. This is useful in networks using proxy ARP, which make all addresses appear to be up using ARP scan. The previously recommended workaround for this situation, --send-ip, didn't work on Windows because that lame excuse for an operating system is still missing raw socket support. [David Fifield (editorializing added by Fyodor)]
- Protocol scan (-sO) probes for TCP, UDP, and SCTP now go to ports 80, 40125, and 80 respectively, instead of being randomly generated or going to the same port as the source port. [David Fifield]
- The Nmap --log-errors functionality (including errors and warnings in the normal-format output file) is now always true, whether you pass that option or not. [Sean Rivera]
- [NSE] Rewrote the ftp-brute script to use the brute library for performing password auditing. [Aleksandar Nikolic]
- Reduced the size of Port structures by about two thirds (from 176 to 64 bytes on x86_64). They had accidentally grown during the IPv6 code merge. [David Fifield]
- Made source port numbers (used to encode probe metadata) increment so as not to overlap between different scanning phases. Previously it was possible for an RST response to an ACK probe from host discovery to be misinterpreted as a reply to a SYN probe from port scanning. [Sean Rivera, David Fifield]
- [NSE] Added support for ECDSA keys to ssh-hostkey.nse. [Adam Števko]
- Changed the CPE for Linux from cpe:/o:linux:kernel to cpe:/o:linux:linux_kernel to reflect deprecation in the official CPE dictionary.
- Added some additional CPE entries to nmap-service-probes. [Dillon Graham]
- Fixed an assertion failure with IPv6 traceroute trying to use an unsupported protocol:
    nmap: traceroute.cc:749: virtual unsigned char* UDPProbe::build_packet(const sockaddr_storage*, u32*) const: Assertion `source->ss_family == 2' failed.
  This was reported by Pierre Emeriaud. [David Fifield]
- Added version detection signatures for half a dozen new or changed products. [Tom Sellers]
- Fixed protocol number-to-name mapping. A patch was contributed by hejianet.
- [NSE] The nmap.ip_send function now takes a second argument, the destination to send to. Previously the destination address was taken from the packet buffer, but this failed for IPv6 link-local addresses, because the scope ID is not part of the packet. Calling ip_send without a destination address will continue to use the old behavior, but this practice is deprecated.
- Increased portability of configure scripts on systems using a libc other than Glibc. Several problems were reported by John Spencer.
- [NSE] Fixed a bug in rpc-grind.nse that would cause unresponsive UDP ports to be wrongly marked open. This was reported by Christopher Clements. [David Fifield]
- [Ncat] Close connection endpoint when receiving EOF on stdin. [Michal Hlavinka]
- Fixed interface listing on NetBSD. The bug was first noticed by Fredrik Pettai and diagnosed by Jan Schaumann. [David Fifield]
- [Ncat] Applied a blocking-socket workaround for a bug that could prevent some sends from working in listen mode. The problem was reported by Jonas Wielicki. [Alex Weber, David Fifield]
- [NSE] Updated the mssql.lua library to support additional data types, enhanced some of the existing data types, added the DoneProc response token, and reordered code for maintainability. [Tom Sellers]
- [Nping] Nping now prints out an error and exits when the user tries to use the -p flag for a scan option where that is meaningless. [Sean Rivera]
- [NSE] Added spoolss functions and constants to msrpc.lua. [Aleksandar Nikolic]
- [NSE] Reduced the number of names tried by http-vhosts by default. [Vlatko Kosturjak]
- [Zenmap] Fixed a crash when using the en_NG locale: "ValueError: unknown locale: en_NG" [David Fifield]
- [NSE] Fixed some bugs in snmp-interfaces which prevented the script from outputting discovered interface info and caused it to abort in the pre-scanning phase. [jah]
- [NSE] Do a connect on rpc-grind (rpc.lua) UDP sockets so that socket_lock is invoked. This is necessary to avoid "Too many open files" errors if RPC grind creates an excessive number of sockets. We should have a cleaner general solution for this, and not require scripts to "connect" their unconnected UDP sockets. But there may be a good reason for enforcing socket locking only on connect, not on creation. [David Fifield]
- [NSE] The lltd-discovery script now parses for hostnames and outputs the network card manufacturer. [Hani Benhabiles]
- Added protocol specific payloads for IPv6 hop-by-hop (0x00), routing (0x2b), fragment (0x2c), and destination (0x3c). [Sean Rivera]
- [NSE]Added support for decoding OSPF Hello packets tobroadcast-listener.[Hani Benhabiles]
- [NSE]Fixed a false positive inhttp-vuln-cve2011-3192.nse, which detectedApache 2.2.22 as vulnerable. [Michael Meyer]
- [NSE]Modified multiple scripts that operated against HTTP based servicesso as to remove false positives that were generated when the target serviceanswers with a 200 response to all requests. [Tom Sellers]
- [NSOCK]Fixed an epoll-engine-specific bug. The engine didn't recognized FDsthat were internally closed and replaced by other ones. This happened duringreconnect attempts. Also, the IOD flags were not properly cleared.[Henri Doreau, Daniel Miller]
- Added support for log type bitmasks in log_vwrite(). Also replaced a fatal()statement by an assert(0) to get rid of a possible infinite call loop whenpassed an invalid log type. [Henri Doreau]
- Added handling for the unexpected error WSAENETRESET (10052). This error iscurrently wrapped in the ifdef for WIN32 as there error appears to be uniqueto windows [Sean Rivera]
- [NSE]Added default values for Expires, Call-ID, Allow and Content-Lengthheaders in SIP requests and removed redundant code insip library.[Hani Benhabiles]
- [NSE]Calling methods of unconnected sockets now causes the usualerror code return value, instead of raising a Lua error. The problemwas noticed by Daniel Miller. [David Fifield]
- [NSE]Added AUTH_UNIX support to therpc library and NFS scripts.[Daniel Miller]
- [Zenmap]Fixed a crash in the profile editor that would happen whenthe nmap binary couldn't be found. [David Fifield]
- Made the various Makefiles' treatment of makefile.dep uniform:"make clean" keeps the file and "make distclean" deletes it.[Michael McTernan]
- [NSE]Fixed dozens of scripts and libraries to work better onsystem which don't have OpenSSL available. [Patrik Karlsson]
- [Ncat]--output logging now works in UDP mode. Thanks to MichalHlavinka for reporting the bug. [David Fifield]
- [NSE]More Windows 7 and Windows 2008 fixes for thesmb library andsmb-lsscripts. [Patrik Karlsson]
- [NSE]Added SPNEGO authentication supporting Windows 7 and Windows 2008 tothesmb library. [Patrik Karlsson]
- [NSE]Changedhttp-brute so that it works against the root path("/") by default rather than always requiring thehttp-brute.pathscript argument. [Fyodor]
- [NSE]Applied patch from Daniel Miller that fixes bug in several scripts andlibrarieshttp://seclists.org/nmap-dev/2012/q2/593 [Daniel Miller]
- [Zenmap]Added Italian translation by Francesco Tombolini andJapanese translation by Yujiy Tounai. Some typos in the Japanesetranslation were corrected by OKANO Takayoshi.
- [NSE]Rewrotemysql-brute to usebrute library [Aleksandar Nikolic]
- Improved themysql library to handle multiple columns with the same name,added a formatResultset function to format a query response to a tablesuitable for script output. [Patrik Karlsson]
- The message "nexthost: failed to determine route to ..." is now awarning rather than a fatal error. Addresses that are skipped inthis way are recorded in the XML output as "target" elements. [DavidFifield]
- [NSE]targets-sniffer now is capable of sniffing IPv6 addresses.[Daniel Miller]
- [NSE]Ported thepop3-brute script to use thebrute library.[Piotr Olma]
- [NSE]Added an error message indicating script failure, when Nmap is beingrun in non verbose/debug mode. [Patrik Karlsson]
- Service-scan information is now included in XML and grepable outputeven if -sV wasn't used. This information can be set by scripts in theabsence of -sV. [Daniel Miller]
Nmap 6.01 [2012-06-16]
- [Zenmap] Fixed a hang that would occur on Mac OS X 10.7. A symptom of the hang was this message in the system console:
  Couldn't recognize the image file format for file '/Applications/Zenmap.app/Contents/MacOS/../Resources/share/zenmap/pixmaps/radialnet/padlock.png'
  [David Fifield]
- [Zenmap] Fixed a crash that happened when activating the host filter.
  File "zenmapCore\SearchResult.pyo", line 155, in match_os
  KeyError: 'osmatches'
  [jah]
- Fixed an error that occurred when scanning certain addresses like 192.168.0.0 on Windows XP:
  get_srcaddr: can't connect socket: The requested address is not valid in its context.
  nexthost: failed to determine route to 10.80.0.0
  [David Fifield]
- Fixed a bug that caused Nmap to fail to find any network interface when at least one of them is in the monitor mode. The fix was to define the ARP_HRD_IEEE80211_RADIOTAP 802.11 radiotap header identifier in the libdnet-stripped code. Network interfaces that are in this mode are used by radiotap for 802.11 frame injection and reception. The bug was reported by Tom Eichstaedt and Henri Doreau. http://seclists.org/nmap-dev/2012/q2/449 http://seclists.org/nmap-dev/2012/q2/478 [Djalal Harouni, Henri Doreau]
- Fixed the greppable output of hosts that time-out (when --host-timeout was used and the host timed-out after something was received from that host). This issue was reported by Matthew Morgan. [jah]
- [Zenmap] Updated the version of Python used to build the Windows release from 2.7.1 to 2.7.3 to remove a false-positive security alarm flagged by tools such as Secunia PSI. There was a minor vulnerability in certain Python27.dll web functionality (which Nmap doesn't use anyway) and Secunia was flagging all software which includes that version of Python27.dll. This update should prevent the false alarm.
Nmap 6.00 [2012-05-21]
- Most important release since Nmap 5.00 in July 2009! For a list of the most significant improvements and new features, see the announcement at: https://nmap.org/6/
- In XML output, "osclass" elements are now child elements of the "osmatch" they belong to. Old output was thus:
  <os><osclass/><osclass/>...<osmatch/><osmatch/>...</os>
  New output is:
  <os><osmatch><osclass/><osclass/>...</osmatch>...</os>
  The option --deprecated-xml-osclass restores the old output, in case you use an Nmap XML parser that doesn't understand the new structure. The xmloutputversion has been increased to 1.04.
- Added a new "target" element to XML output that indicates when a target specification was ignored, perhaps because of a syntax error or DNS failure. It looks like this:
  <target specification="1.2.3.4.5" status="skipped" reason="invalid"/>
  [David Fifield]
- [NSE] Added the script samba-vuln-cve-2012-1182 which detects the SAMBA pre-auth remote root vulnerability (CVE-2012-1182). [Aleksandar Nikolic]
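To show what the osclass/osmatch layout change and the new "target" element mean for anyone consuming Nmap XML, here is an added Python example (not Nmap's own code; the two XML documents inside it are constructed samples) that extracts OS matches from both the old flat layout and the 1.04 nested layout and lists skipped targets.

```python
"""Parse Nmap XML OS results in both the pre-6.00 flat layout and the
6.00 nested layout (xmloutputversion 1.04), and report skipped targets.
Added example, not Nmap's own code; the XML below is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample in the 6.00 layout: each <osclass> is nested inside
# the <osmatch> it belongs to, and a skipped target is recorded.
NEW_LAYOUT_XML = """<nmaprun scanner="nmap" xmloutputversion="1.04">
<target specification="1.2.3.4.5" status="skipped" reason="invalid"/>
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<os>
<osmatch name="Linux 3.2" accuracy="95">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="95">
<cpe>cpe:/o:linux:linux_kernel:3</cpe>
</osclass>
</osmatch>
<osmatch name="OpenBSD 5.0" accuracy="90">
<osclass type="general purpose" vendor="OpenBSD" osfamily="OpenBSD" osgen="5.X" accuracy="90"/>
</osmatch>
</os></host></nmaprun>"""

# Constructed sample in the old layout (or --deprecated-xml-osclass):
# <osclass> and <osmatch> are siblings under <os>, with no link between them.
OLD_LAYOUT_XML = """<nmaprun scanner="nmap" xmloutputversion="1.03">
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<os>
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="95"/>
<osclass type="general purpose" vendor="OpenBSD" osfamily="OpenBSD" osgen="5.X" accuracy="90"/>
<osmatch name="Linux 3.2" accuracy="95"/>
<osmatch name="OpenBSD 5.0" accuracy="90"/>
</os></host></nmaprun>"""


def _osclass(el):
    """Flatten one <osclass> element, including any nested <cpe> values."""
    return {
        "vendor": el.get("vendor"),
        "osfamily": el.get("osfamily"),
        "osgen": el.get("osgen"),
        "accuracy": int(el.get("accuracy", "0")),
        "cpe": [c.text.strip() for c in el.findall("cpe") if c.text],
    }


def parse_os(xml_text):
    """Return (layout, hosts).

    layout is "nested" when osclass elements sit inside osmatch (1.04),
    "flat" when they are direct children of <os> (old output), or "none".
    In the flat layout an osclass cannot be tied to a particular osmatch,
    so those entries are reported under "unlinked_classes" instead of
    being guessed onto a match."""
    root = ET.fromstring(xml_text)
    layout = "none"
    hosts = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        entry = {"addr": addr_el.get("addr") if addr_el is not None else None,
                 "matches": [], "unlinked_classes": []}
        os_el = host.find("os")
        if os_el is not None:
            for m in os_el.findall("osmatch"):
                classes = [_osclass(c) for c in m.findall("osclass")]
                if classes:
                    layout = "nested"
                entry["matches"].append({"name": m.get("name"),
                                         "accuracy": int(m.get("accuracy", "0")),
                                         "classes": classes})
            flat = [_osclass(c) for c in os_el.findall("osclass")]
            if flat:
                layout = "flat"
            entry["unlinked_classes"] = flat
        hosts.append(entry)
    return layout, hosts


def best_match(host_entry):
    """Highest-accuracy osmatch for one host entry, or None."""
    if not host_entry["matches"]:
        return None
    return max(host_entry["matches"], key=lambda m: m["accuracy"])


def skipped_targets(xml_text):
    """(specification, reason) for every <target status="skipped"/>."""
    root = ET.fromstring(xml_text)
    return [(t.get("specification"), t.get("reason"))
            for t in root.findall("target") if t.get("status") == "skipped"]


if __name__ == "__main__":
    for label, doc in (("new", NEW_LAYOUT_XML), ("old", OLD_LAYOUT_XML)):
        layout, hosts = parse_os(doc)
        print(label, layout, best_match(hosts[0]), skipped_targets(doc))
```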
- [NSE] Added http-vuln-cve2012-1823.nse, which checks for PHP CGI installations with a remote code execution vulnerability. [Paulino Calderon]
- [NSE] Added script targets-ipv6-mld that sends a malformed ICMP6 MLD Query to discover IPv6 enabled hosts on the LAN. [Niteesh Kumar]
- [NSE] Added rdp-vuln-ms12-020.nse by Aleksandar Nikolic. This tests for two Remote Desktop vulnerabilities, including one allowing remote code execution, that were fixed in the MS12-020 advisory.
- [NSE] Added a stun library and the scripts stun-version and stun-info, which extract version information and the external NAT:ed address. [Patrik Karlsson]
- [NSE] Added the script duplicates which attempts to determine duplicate hosts by analyzing information collected by other scripts. [Patrik Karlsson]
- Fixed the routing table loop on OS X so that on-link routes appear. Previously, they were ignored so that things like ARP scan didn't work. [Patrik Karlsson, David Fifield]
- Upgraded included libpcap to version 1.2.1.
- [NSE] Added ciphers from RFC 5932 and Fortezza-based ciphers to ssl-enum-ciphers.nse. The patch was submitted by Darren McDonald.
- [NSE] Renamed hostmap.nse to hostmap-bfk.nse.
- Fixed a compilation problem on Solaris 9 caused by a missing definition of IPV6_V6ONLY. Reported by Dagobert Michelsen.
- Setting --min-parallelism by itself no longer forces the maximum parallelism to the same value. [Chris Woodbury, David Fifield]
- Changed XML output to show the "service" element whenever a tunnel is discovered for a port, even if the service behind it was unknown. [Matt Foster]
- [Zenmap] Fixed a crash that would happen in the profile editor when the script.db file doesn't exist. The bug was reported by Daniel Miller.
- [Zenmap] It is now possible to compare scans having the same name or command line parameters. [Jah, David Fifield]
- Fixed an error that could occur with ICMPv6 probes and -d4 debugging: "Unexpected probespec2ascii type encountered" [David Fifield]
- [NSE] Added new script http-chrono, which measures min, max and average response times of web servers. [Ange Gutek]
- Applied a workaround to make pcap captures work better on Solaris 10. This involves peeking at the pcap buffer to ensure that captures are not being lost. A symptom of the previous behavior was that, when doing ARP host discovery against two targets, only one would be reported as up. [David Fifield]
- Fixed a bug that could cause Nsock timers to fire too early. This could happen for the timed probes in IPv6 OS detection, causing an incorrect measurement of the TCP_ISR feature. [David Fifield]
- [Zenmap] We now build on Windows with a newer version of PyGTK, so copy and paste should work again.
- Changed the way timeout calculations are made in the IPv6 OS engine. In rare cases a certain interleaving of probes and responses would result in an assertion failure.
Nmap 5.61TEST5 [2012-03-09]
- Integrated all of your IPv4 OS fingerprint submissions since June 2011 (about 1,900 of them). Added about 256 new fingerprints (and deleted some bogus ones), bringing the new total to 3,572. Additions include Apple iOS 5.01, OpenBSD 4.9 and 5.0, FreeBSD 7.0 through 9.0-PRERELEASE, and a ton of new WAPs, routers, and other devices. Many existing fingerprints were improved. For more details, see http://seclists.org/nmap-dev/2012/q1/431 [David Fifield]
- Integrated all of your service/version detection fingerprints submitted since November 2010--more than 2,500 of them! Our signature count increased more than 10% to 7,423 covering 862 protocols. Some amusing and bizarre new services are described at http://seclists.org/nmap-dev/2012/q1/359 [David Fifield]
- Integrated your latest IPv6 OS submissions and corrections. We're still low on IPv6 fingerprints, so please scan any IPv6 systems you own or administer and submit them to https://nmap.org/submit/. Both new fingerprints (if Nmap doesn't find a good match) and corrections (if Nmap guesses wrong) are useful.
- [NSE] Added a host-based registry which only persists (for the given host) until all scripts have finished scanning that host. The normal registry saves information until it is deleted or the Nmap scan ends. That is a waste of memory for information which doesn't need to persist that long. Use the host based registry instead if you can. See https://nmap.org/book/nse-api.html#nse-api-registry. [Patrik Karlsson]
- IPv6 OS detection now includes a novelty detection system which avoids printing a match when an observed fingerprint is too different from fingerprints seen before. As the OS database is still small, this helps to avoid making (essentially) wild guesses when seeing a new operating system. [David Fifield]
- Refactored the nsock library to add the nsock-engines system. This allows system-specific scalable IO notification facilities to be used while maintaining the portable Nsock API. This initial version comes with an epoll-based engine for Linux and a select-based fallback engine for all other operating systems. Also added the --nsock-engine option to Nmap, Nping and Ncat to enforce use of a specific Nsock IO engine. [Henri Doreau]
- [NSE] Added 43(!) NSE scripts, bringing the total up to 340. They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
  - acarsd-info retrieves information from a listening acarsd daemon. Acarsd decodes ACARS (Aircraft Communication Addressing and Reporting System) data in real time. [Brendan Coles]
  - asn-to-prefix produces a list of IP prefixes for a given AS number (ASN). It uses the external Shadowserver API (with their permission). [John Bond]
  - broadcast-dhcp6-discover sends a DHCPv6 request (Solicit) to the DHCPv6 multicast address, parses the response, then extracts and prints the address along with any options returned by the server. [Patrik Karlsson]
  - broadcast-networker-discover discovers the EMC Networker backup software server on a LAN by using network broadcasts. [Patrik Karlsson]
  - broadcast-pppoe-discover discovers PPPoE servers using the PPPoE Discovery protocol (PPPoED). [Patrik Karlsson]
  - broadcast-ripng-discover discovers hosts and routing information from devices running RIPng on the LAN by sending a RIPng Request command and collecting the responses from all responsive devices. [Patrik Karlsson]
  - broadcast-versant-locate discovers Versant object databases using the srvloc protocol. [Patrik Karlsson]
  - broadcast-xdmcp-discover discovers servers running the X Display Manager Control Protocol (XDMCP) by sending a XDMCP broadcast request to the LAN. [Patrik Karlsson]
  - cccam-version detects the CCcam service (software for sharing subscription TV among multiple receivers). [David Fifield]
  - dns-client-subnet-scan performs a domain lookup using the edns-client-subnet option that adds support for adding subnet information to the query describing where the query is originating. The script uses this option to supply a number of geographically distributed locations in an attempt to enumerate as many different address records as possible. [John Bond]
  - dns-nsid retrieves information from a DNS nameserver by requesting its nameserver ID (nsid) and asking for its id.server and version.bind values. [John Bond]
  - dns-srv-enum enumerates various common service (SRV) records for a given domain name. The service records contain the hostname, port and priority of servers for a given service. [Patrik Karlsson]
  - eap-info enumerates the authentication methods offered by an EAP authenticator for a given identity or for the anonymous identity if no argument is passed. [Riccardo Cecolin]
  - http-auth-finder spiders a web site to find web pages requiring form-based or HTTP-based authentication. [Patrik Karlsson]
  - http-config-backup checks for backups and swap files of common content management system and web server configuration files. [Riccardo Cecolin]
  - http-generator displays the contents of the "generator" meta tag of a web page (default: /) if there is one. [Michael Kohl]
  - http-proxy-brute performs brute force password guessing against a HTTP proxy server. [Patrik Karlsson]
  - http-qnap-nas-info attempts to retrieve the model, firmware version, and enabled services from a QNAP Network Attached Storage (NAS) device. [Brendan Coles]
  - http-vuln-cve2009-3960 exploits cve-2009-3960 also known as Adobe XML External Entity Injection. [Hani Benhabiles]
  - http-vuln-cve2010-2861 executes a directory traversal attack against a ColdFusion server and tries to grab the password hash for the administrator user. It then uses the salt value (hidden in the web page) to create the SHA1 HMAC hash that the web server needs for authentication as admin. [Micah Hoffman]
  - iax2-brute performs brute force password auditing against the Asterisk IAX2 protocol. [Patrik Karlsson]
  - membase-brute performs brute force password auditing against Couchbase Membase servers. [Patrik Karlsson]
  - membase-http-info retrieves information (hostname, OS, uptime, etc.) from the CouchBase Web Administration port. [Patrik Karlsson]
  - memcached-info retrieves information (including system architecture, process ID, and server time) from distributed memory object caching system memcached. [Patrik Karlsson]
  - mongodb-brute performs brute force password auditing against the MongoDB database. [Patrik Karlsson]
  - nat-pmp-mapport maps a WAN port on the router to a local port on the client using the NAT Port Mapping Protocol (NAT-PMP). [Patrik Karlsson]
  - ndmp-fs-info lists remote file systems by querying the remote device using the Network Data Management Protocol (ndmp). [Patrik Karlsson]
  - ndmp-version retrieves version information from the remote Network Data Management Protocol (NDMP) service. [Patrik Karlsson]
  - nessus-xmlrpc-brute performs brute force password auditing against a Nessus vulnerability scanning daemon using the XMLRPC protocol. [Patrik Karlsson]
  - redis-brute performs brute force password auditing against a Redis key-value store. [Patrik Karlsson]
  - redis-info retrieves information (such as version number and architecture) from a Redis key-value store. [Patrik Karlsson]
  - riak-http-info retrieves information (such as node name and architecture) from a Basho Riak distributed database using the HTTP protocol. [Patrik Karlsson]
  - rpcap-brute performs brute force password auditing against the WinPcap Remote Capture Daemon (rpcap). [Patrik Karlsson]
  - rpcap-info connects to the rpcap service (provides remote sniffing capabilities through WinPcap) and retrieves interface information. [Patrik Karlsson]
  - rsync-brute performs brute force password auditing against the rsync remote file syncing protocol. [Patrik Karlsson]
  - rsync-list-modules lists modules available for rsync (remote file sync) synchronization. [Patrik Karlsson]
  - socks-auth-info determines the supported authentication mechanisms of a remote SOCKS 5 proxy server. [Patrik Karlsson]
  - socks-brute performs brute force password auditing against SOCKS 5 proxy servers. [Patrik Karlsson]
  - url-snarf sniffs an interface for HTTP traffic and dumps any URLs, and their originating IP address. [Patrik Karlsson]
  - versant-info extracts information, including file paths, version and database names from a Versant object database. [Patrik Karlsson]
  - vmauthd-brute performs brute force password auditing against the VMWare Authentication Daemon (vmware-authd). [Patrik Karlsson]
  - voldemort-info retrieves cluster and store information from the Voldemort distributed key-value store using the Voldemort Native Protocol. [Patrik Karlsson]
  - xdmcp-discover requests an XDMCP (X display manager control protocol) session and lists supported authentication and authorization mechanisms. [Patrik Karlsson]
- [NSE] Added 14 new protocol libraries! They were all written by Patrik Karlsson, except for the EAP library by Riccardo Cecolin:
  - dhcp6 (Dynamic Host Configuration Protocol for IPv6)
  - eap (Extensible Authentication Protocol)
  - iax2 (Inter-Asterisk eXchange v2 VoIP protocol)
  - membase (Couchbase Membase TAP protocol)
  - natpmp (NAT Port Mapping Protocol)
  - ndmp (Network Data Management Protocol)
  - pppoe (Point-to-point protocol over Ethernet)
  - redis (in-memory key-value data store)
  - rpcap (WinPcap Remote Capture Daemon)
  - rsync (remote file sync)
  - socks (SOCKS 5 proxy protocol)
  - sslcert (for collecting SSL certificates and storing them in the host-based registry)
  - versant (an object database)
  - xdmcp (X Display Manager Control Protocol)
- CPE (Common Platform Enumeration) OS classification is now supported for IPv6 OS detection. Previously it was only available for IPv4. [David Fifield]
- [NSE] The host.os table is now a structured array of tables that include OS class information and CPE. See https://nmap.org/book/nse-api.html for documentation of the new structure. [Henri Doreau, David]
- [NSE] Service matches can now access CPE through the port.version.cpe array. [Henri Doreau]
- Added a new --script-args-file option which allows you to specify the name of a file containing all of your desired NSE script arguments. The arguments may be separated with commas or newlines and may be overridden by arguments specified on the command-line with --script-args. [Daniel Miller]
- Audited the nmap-service-probes database to remove all unused captures, fixing dozens of bugs with captures either being ignored or two fields erroneously using the same capture. [Lauri Kokkonen, David Fifield, and Rob Nicholls]
- Added new version detection probes and match lines for:
  - Erlang Port Mapper Daemon
  - Couchbase Membase NoSQL database
  - Basho Riak distributed database protocol buffers client (PBC)
  - Tarantool in-memory data store
- Split the nmap-update client into its own binary RPM to avoid the Nmap RPM having a dependency on the Subversion and APR libraries. We're not yet distributing this binary nmap-update RPM since the system isn't complete, but the source code is available in the Nmap tarball and source RPM. [David]
- [NSE] Added authentication support to the MongoDB library and modified existing scripts to support it. [Patrik Karlsson]
- [NSE] Added support to broadcast-listener for extracting address, native VLAN and management IP address from CDP packets. [Tom Sellers]
- [NSE] Added RPC Call CALLIT to the RPC library and modified UDP sockets to be unconnected in order to support broadcast. [Patrik Karlsson]
- [NSE] Modified the ssl-cert and ssl-google-cert-catalog scripts to take advantage of the new sslcert library which retrieves and caches SSL certificates in the registry.
- [NSE] Patch our bitcoin library to support recent changes in the BitCoin protocol. [Andrew Orr, Patrik Karlsson]
- Fixed an error where very long messages could cause an assertion failure: "log_vwrite: vsnprintf failed. Even after increasing bufferlen to ---, Vsnprintf returned -1 (logt == 1)." This was reported by David Hingos.
- Fixed an assertion failure that was printed when a fatal error occurred while an XML tag was incomplete: "!xml.tag_open, file ..\xml.cc, line 401". This was reported by David Hingos. [David Fifield]
- [NSE] Added support for decoding EIGRP broadcasts from Cisco routers to broadcast-listener. [Tom Sellers]
- [NSE] Added redirect support to the http library. All calls to http.get and http.head now transparently handle any HTTP redirects. The number and destination of redirects are limited by default to avoid endless loops or unwanted follows of redirects to different servers, but they can be configured. [Patrik Karlsson]
- [NSE] Modified the sql-injection script to use the httpspider library. [Lauri Kokkonen]
- Added --with-apr and --with-subversion configuration options to support systems where those libraries aren't in the usual places. [David Fifield]
- [NSE] Fixed a bunch of global access errors in various libraries reported by the nse_check_globals script. [Patrik Karlsson]
- Fixed an assertion failure which could occur when connecting to an SSL server: nsock_core.c:186: update_events: Assertion `(ev_inc & ev_dec) == 0' failed. Thanks to Ron for reporting the bug and testing. [Henri Doreau]
- [NSE] Added support to the DNS library for the CHAOS class and NSID requests. [John Bond]
- [NSE] Changed the dnsbl library to take a much faster threaded approach to querying DNS blacklists. [Patrik Karlsson]
- [NSE] Added new services and the ATTACK category to the dnsbl script. [Duarte Silva]
- [NSE] Fixed a memory leak in PortList::setServiceProbeResults() which was noticed and reported by David Fifield. The leak was triggered by set_port_version calls from NSE. [Henri Doreau]
- [NSE] Fixed a race condition in broadcast-dhcp-discover.nse that could cause responses to be missed on fast networks. It was noticed by Vasiliy Kulikov. [David Fifield]
- Fixed a bug in reverse name resolution: a name of "." would leave the hostname uninitialized and cause "Illegal character(s) in hostname" warnings. [Gisle Vanem]
- Allow overriding the AR variable to use a different version of the ar library creation tool when creating the liblinear library. [Nuno Gonçalves]
- Added vcredist2008_x86.exe to the Windows zip file. This installer from MS must be run on new Windows 2008 systems (those which don't already have it) before running Nmap. The Nmap Windows installer already takes care of this. [David Fifield]
- Removed about 5MB of unnecessary DocBook XSL from the Nping docs directory. [David Fifield]
- The packet library now uses consistent naming of the address fields for IPv4 and IPv6 packets (ip_bin_src, ip_bin_dst, ip_src, and ip_dst). [Henri Doreau]
- Update to the latest MAC address prefix assignments from IEEE as of March 8, 2012. [Fyodor]
- Fixed a problem in the ippackethdrinfo function which was leading to warning messages like: "BOGUS! Can't parse supposed IP packet" during certain IPv6 scans. [David Fifield]
- Fixed building on Arch Linux. The PCAP_IS_SUITABLE test had to be modified to ensure that -lnl was passed on the build line. See the r28202 svn log for further information. [David Fifield]
- Include net/if.h before net/if_arp.h in netutil.cc and tcpip.cc to hopefully fix some build problems on AIX 5.3.
- [NSE] Added IPv6 support to firewalk.nse. [Henri Doreau]
Nmap 5.61TEST4 [2012-01-02]
- [NSE] Added a new httpspider library which is used for recursively crawling web sites for information. New scripts using this functionality include http-backup-finder, http-email-harvest, http-grep, http-open-redirect, and http-unsafe-output-escaping. See https://nmap.org/nsedoc/ or the list later in this file for details on these. [Patrik]
- Our Mac OS X packages are now x86-only (rather than universal), reducing the download size from 30 MB to about 17. If you still need a PowerPC version (Apple stopped selling those machines in 2006), you can use Nmap 5.51 or 5.61TEST2 from https://nmap.org/dist/?C=M&O=D.
- We set up a new SVN server for the Nmap codebase. This one uses SSL for better security, WebDAV rather than svnserve for greater functionality, is hosted on a faster (virtual) machine, provides Nmap code history back to 1998 rather than 2005, and removes the need for the special "guest" username. The new server is at https://svn.nmap.org. More information: http://seclists.org/nmap-dev/2011/q4/504.
- [NSE] Added a vulnerability management library (vulns.lua) to store and to report discovered vulnerabilities. Modified these scripts to use the new library: [Djalal, Henri]
- [NSE] Added a new script force feature. You can force scripts to run against target ports (even if the "wrong" service is detected) by placing a plus in front of the script name passed to --script. See https://nmap.org/book/nse-usage.html#nse-script-selection. [Martin Swende]
- [NSE] Added 51(!) NSE scripts, bringing the total up to 297. They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors listed in brackets):
  - amqp-info gathers information (a list of all server properties) from an AMQP (advanced message queuing protocol) server. [Sebastian Dragomir]
  - bitcoin-getaddr queries a Bitcoin server for a list of known Bitcoin nodes. [Patrik Karlsson]
  - bitcoin-info extracts version and node information from a Bitcoin server. [Patrik Karlsson]
  - bitcoinrpc-info obtains information from a Bitcoin server by calling getinfo on its JSON-RPC interface. [Toni Ruottu]
  - broadcast-pc-anywhere sends a special broadcast probe to discover PC-Anywhere hosts running on a LAN. [Patrik Karlsson]
  - broadcast-pc-duo discovers PC-DUO remote control hosts and gateways running on the LAN. [Patrik Karlsson]
  - broadcast-rip-discover discovers hosts and routing information from devices running RIPv2 on the LAN. It does so by sending a RIPv2 Request command and collecting the responses from all devices responding to the request. [Patrik Karlsson]
  - broadcast-sybase-asa-discover discovers Sybase Anywhere servers on the LAN by sending broadcast discovery messages. [Patrik Karlsson]
  - broadcast-wake-on-lan wakes a remote system up from sleep by sending a Wake-On-Lan packet. [Patrik Karlsson]
  - broadcast-wpad-discover retrieves a list of proxy servers on the LAN using the Web Proxy Autodiscovery Protocol (WPAD). [Patrik Karlsson]
  - dns-blacklist checks target IP addresses against multiple DNS anti-spam and open proxy blacklists and returns a list of services where the IP has been blacklisted. [Patrik Karlsson]
  - dns-zeustracker checks if the target IP range is part of a Zeus botnet by querying ZTDNS @ abuse.ch. [Mikael Keri]
  - ganglia-info retrieves system information (OS version, available memory, etc.) from a listening Ganglia Monitoring Daemon or Ganglia Meta Daemon. [Brendan Coles]
  - hadoop-datanode-info discovers information such as log directories from an Apache Hadoop DataNode HTTP status page. [John R. Bond]
  - hadoop-jobtracker-info retrieves information from an Apache Hadoop JobTracker HTTP status page. [John R. Bond]
  - hadoop-namenode-info retrieves information from an Apache Hadoop NameNode HTTP status page. [John R. Bond]
  - hadoop-secondary-namenode-info retrieves information from an Apache Hadoop secondary NameNode HTTP status page. [John R. Bond]
  - hadoop-tasktracker-info retrieves information from an Apache Hadoop TaskTracker HTTP status page. [John R. Bond]
  - hbase-master-info retrieves information from an Apache HBase (Hadoop database) master HTTP status page. [John R. Bond]
  - hbase-region-info retrieves information from an Apache HBase (Hadoop database) region server HTTP status page. [John R. Bond]
  - http-apache-negotiation checks if the target http server has mod_negotiation enabled. This feature can be leveraged to find hidden resources and spider a web site using fewer requests. [Hani Benhabiles]
  - http-backup-finder spiders a website and attempts to identify backup copies of discovered files. It does so by requesting a number of different combinations of the filename (e.g. index.bak, index.html~, copy of index.html). [Patrik Karlsson]
  - http-cors tests an http server for Cross-Origin Resource Sharing (CORS), a way for domains to explicitly opt in to having certain methods invoked by another domain. [Toni Ruottu]
  - http-email-harvest spiders a web site and collects e-mail addresses. [Patrik Karlsson]
  - http-grep spiders a website and attempts to match all pages and urls against a given string. Matches are counted and grouped per url under which they were discovered. [Patrik Karlsson]
  - http-method-tamper tests whether a JBoss target is vulnerable to jmx console authentication bypass (CVE-2010-0738). [Hani Benhabiles]
  - http-open-redirect spiders a website and attempts to identify open redirects. Open redirects are handlers which commonly take a URL as a parameter and respond with a http redirect (3XX) to the target. [Martin Holst Swende]
  - http-put uploads a local file to a remote web server using the HTTP PUT method. You must specify the filename and URL path with NSE arguments. [Patrik Karlsson]
  - http-robtex-reverse-ip obtains up to 100 forward DNS names for a target IP address by querying the Robtex service (http://www.robtex.com/ip/). [riemann]
  - http-unsafe-output-escaping spiders a website and attempts to identify output escaping problems where content is reflected back to the user. [Martin Holst Swende]
  - http-vuln-cve2011-3368 tests for the CVE-2011-3368 (Reverse Proxy Bypass) vulnerability in Apache HTTP server's reverse proxy mode. [Ange Gutek, Patrik Karlsson]
  - ipv6-node-info obtains hostnames, IPv4 and IPv6 addresses through IPv6 Node Information Queries. [David Fifield]
  - irc-botnet-channels checks an IRC server for channels that are commonly used by malicious botnets. [David Fifield, Ange Gutek]
  - irc-brute performs brute force password auditing against IRC (Internet Relay Chat) servers. [Patrik Karlsson]
  - krb5-enum-users discovers valid usernames by brute force querying likely usernames against a Kerberos service. [Patrik Karlsson]
  - maxdb-info retrieves version and database information from a SAP Max DB database. [Patrik Karlsson]
  - metasploit-xmlrpc-brute performs brute force password auditing against a Metasploit RPC server using the XMLRPC protocol. [Vlatko Kosturjak]
  - ms-sql-dump-hashes dumps the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John-the-ripper. In order to do so the user needs to have the appropriate DB privileges. [Patrik Karlsson]
  - nessus-brute performs brute force password auditing against a Nessus vulnerability scanning daemon using the NTP 1.2 protocol. [Patrik Karlsson]
  - nexpose-brute performs brute force password auditing against a Nexpose vulnerability scanner using the API 1.1. [Vlatko Kosturjak]
  - openlookup-info parses and displays the banner information of an OpenLookup (network key-value store) server. [Toni Ruottu]
  - openvas-otp-brute performs brute force password auditing against a OpenVAS vulnerability scanner daemon using the OTP 1.0 protocol. [Vlatko Kosturjak]
  - reverse-index creates a reverse index at the end of scan output showing which hosts run a particular service. [Patrik Karlsson]
- rexec-brute performs brute force password auditing against theclassic UNIX rexec (remote exec) service. [Patrik Karlsson]
- rlogin-brute performs brute force password auditing against theclassic UNIX rlogin (remote login) service. [Patrik Karlsson]
- rtsp-methods determines which methods are supported by the RTSP(real time streaming protocol) server. [Patrik Karlsson]
- rtsp-url-brute attempts to enumerate RTSP media URLS by testingfor common paths on devices such as surveillance IPcameras. [Patrik Karlsson]
- telnet-encryption determines whether the encryption option issupported on a remote telnet server. Some systems (includingFreeBSD and the krb5 telnetd available in many Linuxdistributions) implement this option incorrectly, leading to aremote root vulnerability. [Patrik Karlsson, David Fifield,Fyodor]
- tftp-enum enumerates TFTP (trivial file transfer protocol) filenames by testingfor a list of common ones. [Alexander Rudakov]
- unusual-port compares the detected service on a port against theexpected service for that port number (e.g. ssh on 22, http on 80)and reports deviations. An early version of this same idea waswritten by Daniel Miller. [Patrik Karlsson]
- vuze-dht-info retrieves some basic information, including protocolversion from a Vuze filesharing node. [Patrik Karlsson]
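The comparison that unusual-port performs, written out as an added example (this is not the script's own Lua code): each detected service is checked against the service its port number usually carries, Nmap's "ssl/" tunnel prefix is folded so that HTTPS on 443 is not reported as a deviation, and ports with no fingerprint are skipped rather than flagged. The expected-service table, the equivalence sets and the scan rows below are constructed for the example; the real script reads the much larger nmap-services file.

```python
"""Report services that do not match what their port number usually carries.
Added example in the spirit of the unusual-port idea; tables are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed subset of a port -> expected service table (Nmap's own script
# reads nmap-services instead of a hand-written dictionary like this one).
EXPECTED_SERVICE: dict[tuple[int, str], str] = {
    (21, "tcp"): "ftp",
    (22, "tcp"): "ssh",
    (25, "tcp"): "smtp",
    (53, "udp"): "domain",
    (80, "tcp"): "http",
    (443, "tcp"): "https",
    (3306, "tcp"): "mysql",
    (3389, "tcp"): "ms-wbt-server",
}

# Names that count as the same service for comparison purposes:
# "https" and "ssl/http" both describe HTTP behind TLS, for example.
EQUIVALENT: dict[str, set[str]] = {
    "https": {"http", "ssl/http", "http-alt"},
    "http": {"http-alt", "http-proxy"},
}


@dataclass(frozen=True)
class ScannedPort:
    host: str
    port: int
    proto: str
    service: str        # what version detection identified
    tunnel: str = ""    # "ssl" when Nmap saw TLS in front of the service


def _normalise(service: str, tunnel: str) -> str:
    """Return a comparable name, folding Nmap's 'ssl/' tunnel prefix in."""
    service = service.lower()
    if tunnel == "ssl" and not service.startswith("ssl/"):
        service = "ssl/" + service
    return service


def _matches(expected: str, observed: str) -> bool:
    return expected == observed or observed in EQUIVALENT.get(expected, set())


def find_unusual_ports(ports: list[ScannedPort]) -> list[tuple[str, int, str, str, str]]:
    """Return (host, port, proto, expected, observed) for every deviation.

    Ports absent from the expected table, and ports whose service could not be
    identified, are skipped: a missing fingerprint is not evidence of anything.
    """
    findings = []
    for p in ports:
        expected = EXPECTED_SERVICE.get((p.port, p.proto))
        if expected is None or p.service in ("", "unknown", "tcpwrapped"):
            continue
        observed = _normalise(p.service, p.tunnel)
        if not _matches(expected, observed):
            findings.append((p.host, p.port, p.proto, expected, observed))
    return findings


# Constructed scan rows, not real results.
SAMPLE_SCAN = [
    ScannedPort("192.0.2.10", 22, "tcp", "ssh"),
    ScannedPort("192.0.2.10", 80, "tcp", "http"),
    ScannedPort("192.0.2.10", 443, "tcp", "http", "ssl"),   # ssl/http on 443: expected
    ScannedPort("192.0.2.11", 53, "udp", "domain"),
    ScannedPort("192.0.2.11", 443, "tcp", "ssh"),           # ssh on 443: worth a look
    ScannedPort("192.0.2.12", 3389, "tcp", "http"),         # http on the RDP port
    ScannedPort("192.0.2.12", 8080, "tcp", "http-proxy"),   # no expectation recorded
    ScannedPort("192.0.2.12", 25, "tcp", "tcpwrapped"),     # no fingerprint: ignored
]

if __name__ == "__main__":
    for host, port, proto, expected, observed in find_unusual_ports(SAMPLE_SCAN):
        print(f"{host} {port}/{proto}: expected {expected}, found {observed}")
```

The equivalence table is the part that needs care in practice: too small and every TLS-wrapped or alternate-port web server becomes noise, too large and a tunnel on a well-known port slips through.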
- [NSE] Added some new protocol libraries:
- amqp (advanced message queuing protocol) [Sebastian Dragomir]
- bitcoin crypto currency [Patrik Karlsson]
- dnsbl for DNS-based blacklists [Patrik Karlsson]
- rtsp (real time streaming protocol) [Patrik Karlsson]
- httpspider and vulns have separate entries in this CHANGELOG
- Nmap now includes a nmap-update program for obtaining the latest updates (new scripts, OS fingerprints, etc.). The system is currently only available to a few developers for testing, but we hope to enable a larger set of beta testers soon. [David]
- On Windows, the directory [HOME]\AppData\Roaming\nmap is now searched for data files. This is the equivalent of $HOME/.nmap on POSIX. [David]
- Improved OS detection performance by scaling congestion control increments by the response rate during OS scan, just as was done for port scan before. [David]
- [NSE] The targets-ipv6-multicast-*.nse scripts now scan all interfaces by default. They show the MAC address and interface name now too. [David, Daniel Miller]
- Added some new version detection probes:
- MongoDB service [Martin Holst Swende]
- Metasploit XMLRPC service [Vlatko Kosturjak]
- Vuze filesharing system [Patrik]
- Redis key-value store [Patrik]
- memcached [Patrik]
- Sybase SQL Anywhere [Patrik]
- VMware ESX Server [Aleksey Tyurin]
- TCP Kerberos [Patrik]
- PC-Duo [Patrik]
- PC Anywhere [Patrik]
- Targets requiring different source addresses now go into different hostgroups, not only for host discovery but also for port scanning. Before, only responses to one of the source addresses would be processed, and the others would be ignored. [David]
- Tidied up the version detection DB (nmap-service-probes) with a new cleanup/canonicalization program sv-tidy. In particular, this:
- Removes excess whitespace
- Sorts templates in the order m p v i d o h cpe:
- Canonicalizes template delimiters in the order: / | % = @ #.
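A canonicalizer following the three rules just listed, as an added example (it is not Nmap's sv-tidy). It parses the templates of a match line, reorders them as m p v i d o h cpe:, collapses the whitespace between them, and re-delimits each value with the first character from / | % = @ # that the value itself does not contain, which is how this example reads the delimiter order; that reading, the function names, and the match lines it is run on are the example's own. It accepts the i and s flags after m// and the a flag after cpe://, and treats delimiters as unescapable, as the probes file format does.

```python
"""Canonicalize nmap-service-probes match lines: trim whitespace, order the
templates m p v i d o h cpe:, and pick a delimiter absent from each value.
Added example, not the project's sv-tidy; the match lines below are constructed."""
from __future__ import annotations
import re

TEMPLATE_ORDER = ["m", "p", "v", "i", "d", "o", "h", "cpe:"]
DELIMITERS = "/|%=@#"
# Flag letters that may follow a template's closing delimiter.
FLAG_PATTERNS = {"m": r"[is]*", "cpe:": r"a?"}


def parse_match_line(line: str) -> tuple[str, str, list[tuple[str, str, str]]]:
    """Split 'match <service> <templates...>' into (keyword, service, templates).

    Each template is (name, value, flags).  The delimiter is whatever character
    follows the template name, and the value runs to its next occurrence; the
    format has no escaping, so a value can never contain its own delimiter.
    """
    m = re.match(r"\s*(match|softmatch)\s+(\S+)\s*(.*)$", line)
    if not m:
        raise ValueError(f"not a match line: {line!r}")
    keyword, service, rest = m.groups()
    templates = []
    pos = 0
    while pos < len(rest):
        if rest[pos].isspace():
            pos += 1
            continue
        name = next((t for t in TEMPLATE_ORDER if rest.startswith(t, pos)), None)
        if name is None:
            raise ValueError(f"unknown template at {rest[pos:]!r}")
        pos += len(name)
        if pos >= len(rest):
            raise ValueError(f"template {name} has no delimiter")
        delim = rest[pos]
        end = rest.find(delim, pos + 1)
        if end < 0:
            raise ValueError(f"unterminated {name} template")
        value = rest[pos + 1:end]
        pos = end + 1
        flags = re.match(FLAG_PATTERNS.get(name, r""), rest[pos:]).group(0)
        pos += len(flags)
        templates.append((name, value, flags))
    return keyword, service, templates


def choose_delimiter(value: str) -> str:
    """First candidate delimiter that does not occur inside the value."""
    for d in DELIMITERS:
        if d not in value:
            return d
    raise ValueError("value contains every candidate delimiter")


def canonicalize_match_line(line: str) -> str:
    keyword, service, templates = parse_match_line(line)
    # sorted() is stable, so several cpe: templates keep their relative order.
    ordered = sorted(templates, key=lambda t: TEMPLATE_ORDER.index(t[0]))
    parts = [keyword, service]
    for name, value, flags in ordered:
        d = choose_delimiter(value)
        parts.append(f"{name}{d}{value}{d}{flags}")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed line: wrong template order, stray spaces, odd delimiter.
    print(canonicalize_match_line(
        r"match ssh  m|^SSH-([\d.]+)-OpenSSH_([\w._-]+)|  i/protocol $1/   p/OpenSSH/ v/$2/"))
```

Running the canonicalizer twice yields the same line, which is the property you want from any normalizer that a diff-based review of the probes file depends on.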
- The --exclude and --excludefile options for excluding targets can now be used together. [David]
- [NSE] Added support for detecting whether a http connection was established using SSL or not to the http.lua library. [Patrik]
- [NSE] Added local port to BPF filter in snmp-brute to fix a bug that would prevent multiple scripts from receiving the correct responses. The bug was discovered by Brendan Bird. [Patrik]
- [NSE] Changed the dhcp-discover script to use the DHCPINFORM request to query dhcp servers instead of DHCPDISCOVER. Also removed DoS code from dhcp-discover and placed the script into the discovery and safe categories. Added support for adding options to DHCP requests and cleaned up some code in the dhcp library. [Patrik]
- [NSE] Applied patch to snmp-brute that solves problems with handling errors that occur during community list file parsing. [Duarte Silva]
- [NSE] Added new fingerprints to http-enum for:
- Subversion, CVS and Apache Archiva [Duarte Silva]
- DVCS systems Git, Mercurial and Bazaar [Hani Benhabiles]
- [NSE] Applied some code cleanup to the snmp library. [Brendan Byrd]
- [NSE] Fixed an undeclared variable bug in snmp-ios-config. [Patrik]
- [NSE] Add additional version information to Mongodb scripts. [Martin Swende]
- [NSE] Added path argument to the http-auth script and updated the script to use stdnse.format_output. [Duarte Silva, Patrik]
- [NSE] Fixed bug in the http library that would fail to parse authentication headers if no parameters were present. [Patrik]
- Made a syntax change in the zenmap.desktop file for compliance with the XDG standard. [Frederik Schwarzer]
- [NSE] Replaced a number of GET requests with HEAD in http-fingerprints.lua. HEAD is quicker and sufficient when no matching is performed on the returned contents. [Hani Benhabiles]
- [NSE] Added support for retrieving SSL certificates from FTP servers. [Matt Selsky]
- [Nping] The --safe-payloads option is now the default. Added --include-payloads for the special situations where payloads are needed. [Colin Rice]
- [NSE] Added new functionality and fixed some bugs in the brute library:
- Added support for restricting the number of guesses performed by the brute library against users, to prevent account lockouts.
- Added support to guess the username as password. The documentation previously suggested (wrongly) that this was the default behavior.
- Added support to guess an empty string as password if not present in the dictionary. [Patrik]
- [NSE] Re-enabled support for guessing the username in addition to password that was incorrectly removed from metasploit-xmlrpc-brute in a previous commit. [Patrik]
- [NSE] Fixed bug that would prevent brute scripts from running if no service field was present in the port table. [Patrik]
- [NSE] Turned on promiscuous mode in targets-sniffer.nse so that it finds packets not only from or to the scanning host. [David]
- The Zenmap topology display feature is now disabled when there are more than 1,000 target hosts. Those topology maps slow down the interface and are generally too crowded to be of much use.
- [NSE] Modified the http library to support servers that don't return valid chunked encoded data, such as the Citrix XML service. [Patrik]
- [NSE] Fixed a bug where the brute library would not abort even after all retries were exhausted. [Patrik]
- Fixed a bug in the IPv6 OS probe called NI. The Node Information Query didn't include the target address as the payload, so at least OS X didn't respond. This differed from the probe sent by the ipv6fp.py program from which some of our fingerprints were derived. [David]
- [NSE] Fixed an error in the mssql library that was causing the broadcast-ms-sql-discover script to fail when trying to update port version information. [Patrik]
- [NSE] Added the missing broadcast category to the broadcast-listener script. [Jasey DePriest]
- [NSE] Made changes to the categories of the following scripts (new categories shown) [Duarte Silva]:
- http-userdir-enum.nse (auth,intrusive)
- mysql-users.nse (auth,intrusive)
- http-wordpress-enum.nse (auth,intrusive,vuln)
- krb5-enum-users.nse (auth,intrusive)
- snmp-win32-users.nse (default,auth,safe)
- smtp-enum-users.nse (auth,external,intrusive)
- ncp-enum-users.nse (auth,safe)
- smb-enum-users.nse (auth,intrusive)
- Made nbase compile with the clang compiler that is a part of Xcode 4.2. [Daniel J. Luke]
- [NSE] Fix a nil table index bug discovered in the mongodb library. [Thomas Buchanan]
- [NSE] Added XMPP support to ssl-cert.nse.
- [NSE] Made http-wordpress-enum.nse able to get names of users who have no posts. [Duarte Silva]
- Increased hop distance estimates from OS detection by one. The distance now counts the number of hops including the final one to the target, not just the number of intermediate nodes. The IPv6 distance calculation already worked this way. [David]
Nmap 5.61TEST2 [2011-09-30]
- Added IPv6 OS detection system! The new system utilizes many tests similar to IPv4, and also some IPv6-specific ones that we found to be particularly effective. And it uses a machine learning approach rather than the static classifier we use for IPv4. We hope to move some of the IPv6 innovations back to our IPv4 system if they work out well. The database is still very small, so please submit any fingerprints that Nmap gives you to the specified URL (as long as you are certain that you know what the target system is running). Usage and results output are basically the same as with IPv4, but we will soon document the internal mechanisms at https://nmap.org/book/osdetect.html, just as we have for IPv4. For an example, try "nmap -6 -O scanme.nmap.org". [David, Luis]
- [NSE] Added 3 scripts, bringing the total to 246! You can learn more about them at https://nmap.org/nsedoc/. Here they are (authors listed in brackets):
- lltd-discovery uses the Microsoft LLTD protocol to discover hosts on a local network. [Gorjan Petrovski]
- ssl-google-cert-catalog queries Google's Certificate Catalog for the SSL certificates retrieved from target hosts. [Vasiliy Kulikov]
- quake3-info extracts information from a Quake3-like game server. [Toni Ruottu]
- Improved AIX support for raw scans. This includes some patches originally written by Peter O'Gorman and Florian Schmid. It also involved various build fixes found necessary on AIX 6.1 and 7.1. See https://nmap.org/book/inst-other-platforms.html. [David]
- Fixed Nmap so that it again compiles and runs on Solaris 10, including IPv6 support. [David]
- [NSE] Moved our brute force authentication cracking scripts (*-brute) from the "auth" category into a new "brute" category. Nmap's brute force capabilities have grown tremendously! You can see all 32 of them at https://nmap.org/nsedoc/categories/brute.html. It isn't clear whether dns-brute should be in the brute category, so for now it isn't. [Fyodor]
- Made the interface gathering loop work on Linux when an interface index is more than two digits in /proc/sys/if_inet6. Joe McEachern tracked down the problem and provided the fix.
- [NSE] Fixed a bug in dns.lua: ensure that dns.query() always returns two values (status, response) and replaced the workaround in asn-query.nse by the proper use. [Henri]
- [NSE] Made irc-info.nse handle the case where the MOTD is missing. Patch by Sebastian Dragomir.
- Updated nmap-mac-prefixes to include the latest IEEE assignments as of 2011-09-29.
Nmap 5.61TEST1 [2011-09-19]
- Added Common Platform Enumeration (CPE, http://cpe.mitre.org/) output for OS and service versions. This is a standard way to identify operating systems and applications so that Nmap can better interoperate with other software. Nmap's own (generally more comprehensive) taxonomy/classification system is still supported as well. Some OS and version detection results don't have CPE entries yet. CPE entries show up in normal output with the headings "OS CPE:" and "Service Info:":
  OS CPE: cpe:/o:linux:kernel:2.6.39
  Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
  These also appear in XML output, which additionally has CPE entries for service versions. [David, Henri]
- Added IPv6 Neighbor Discovery ping. This is the IPv6 analog to IPv4 ARP scan. It is the default ping type for local IPv6 networks. [Weilin]
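To put the CPE entries from the Common Platform Enumeration change above to use, here is an added example (not Nmap code) that walks an XML scan result and builds a per-host CPE inventory: it reads the <cpe> children that Nmap writes under <service> and <osclass>, and splits each CPE 2.2 URI into part, vendor, product and version so the result can be matched against an advisory feed. The XML document embedded below is constructed to look like Nmap's output and is not a real scan; the function and class names are this example's own.

```python
"""Build a CPE inventory from Nmap XML output.
Added example; SAMPLE_XML is constructed, not real scan output."""
from __future__ import annotations
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="5.61TEST1">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="5.9p1" conf="10">
          <cpe>cpe:/a:openbsd:openssh:5.9p1</cpe>
        </service>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.22" conf="10">
          <cpe>cpe:/a:apache:http_server:2.2.22</cpe>
        </service>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open" reason="syn-ack"/>
        <service name="http-proxy" conf="3"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 2.6.39" accuracy="100">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="100">
          <cpe>cpe:/o:linux:kernel:2.6.39</cpe>
        </osclass>
      </osmatch>
    </os>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class Cpe:
    raw: str
    part: str       # 'a' application, 'o' operating system, 'h' hardware
    vendor: str
    product: str
    version: str


def parse_cpe(uri: str) -> Cpe:
    """Split a CPE 2.2 URI (cpe:/part:vendor:product:version:...) into fields.
    Components absent from the URI come back as empty strings."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len("cpe:/"):].split(":")
    fields += [""] * (4 - len(fields))
    return Cpe(uri, fields[0], fields[1], fields[2], fields[3])


@dataclass(frozen=True)
class Finding:
    host: str
    where: str      # "os" or "<port>/<proto>"
    cpe: Cpe


def cpe_inventory(xml_text: str) -> list[Finding]:
    """Collect every CPE Nmap attached to a service or OS class, per host."""
    root = ET.fromstring(xml_text)
    findings: list[Finding] = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address[@addrtype='ipv6']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            svc = port.find("service")
            if svc is None:
                continue            # port with no version detection result
            where = f"{port.get('portid')}/{port.get('protocol')}"
            for c in svc.findall("cpe"):
                findings.append(Finding(addr, where, parse_cpe(c.text.strip())))
        for c in host.findall("./os/osmatch/osclass/cpe"):
            findings.append(Finding(addr, "os", parse_cpe(c.text.strip())))
    return findings


if __name__ == "__main__":
    for f in cpe_inventory(SAMPLE_XML):
        print(f"{f.host:<12} {f.where:<8} {f.cpe.vendor}:{f.cpe.product}:{f.cpe.version or '-'}")
```

Services without a <cpe> child (the http-proxy on 8080 above, with its low confidence) produce no finding, so an empty inventory entry is a signal to look at the raw product/version attributes rather than proof that nothing is there.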
- Integrated your latest (IPv4) OS detection submissions and corrections until June 22. New fingerprints include Linux 3, FreeBSD 9, Mac OS X 10.7 (Lion), and 300+ more. The DB size increased 11% to 3,308 fingerprints. See http://seclists.org/nmap-dev/2011/q3/556. Please keep those fingerprints coming! We now accept IPv4 and IPv6 OS fingerprints as well as service fingerprints, plus corrections of all types if Nmap guesses wrong.
- [NSE] Added 27 scripts, bringing the total to 243! You can learn more about any of them at https://nmap.org/nsedoc/. Here are the new ones (authors listed in brackets):
- address-info shows extra information about IPv6 addresses, such as embedded MAC or IPv4 addresses when available. [David Fifield]
- bittorrent-discovery discovers bittorrent peers sharing a file based on a user-supplied torrent file or magnet link. [Gorjan Petrovski]
- broadcast-db2-discover attempts to discover DB2 servers on the network by sending a broadcast request to port 523/udp. [Patrik Karlsson]
- broadcast-dhcp-discover sends a DHCP request to the broadcast address (255.255.255.255) and reports the results. [Patrik Karlsson]
- broadcast-listener sniffs the network for incoming broadcast communication and attempts to decode the received packets. It supports protocols like CDP, HSRP, Spotify, DropBox, DHCP, ARP and a few more. [Patrik Karlsson]
- broadcast-ping sends broadcast pings on a selected interface using raw ethernet packets and outputs the responding hosts' IP and MAC addresses or (if requested) adds them as targets. [Gorjan Petrovski]
- cvs-brute performs brute force password auditing against CVS pserver authentication. [Patrik Karlsson]
- cvs-brute-repository attempts to guess the name of the CVS repositories hosted on the remote server. With knowledge of the correct repository name, usernames and passwords can be guessed. [Patrik Karlsson]
- ftp-vsftpd-backdoor tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the backdoor using the innocuous 'id' command by default, but that can be changed with the 'exploit.cmd' or 'ftp-vsftpd-backdoor.cmd' script arguments. [Daniel Miller]
- ftp-vuln-cve2010-4221 checks for a stack-based buffer overflow in the ProFTPD server, version between 1.3.2rc3 and 1.3.3b. [Djalal Harouni]
- http-awstatstotals-exec exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it (CVE: 2008-3922). [Paulino Calderon]
- http-axis2-dir-traversal exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter 'xsd' (OSVDB-59001). By default it will try to retrieve the configuration file of the Axis2 service '/conf/axis2.xml' using the path '/axis2/services/' to return the username and password of the admin account. [Paulino Calderon]
- http-default-accounts tests for access with default credentials used by a variety of web applications and devices. [Paulino Calderon]
- http-google-malware checks if hosts are on Google's blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google's Safe Browsing service. [Paulino Calderon]
- http-joomla-brute performs brute force password auditing against Joomla web CMS installations. [Paulino Calderon]
- http-litespeed-sourcecode-download exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script's source code by sending a HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333). [Paulino Calderon]
- http-vuln-cve2011-3192 detects a denial of service vulnerability in the way the Apache web server handles requests for multiple overlapping/simple ranges of a page. [Duarte Silva]
- http-waf-detect attempts to determine whether a web server is protected by an IPS (Intrusion Prevention System), IDS (Intrusion Detection System) or WAF (Web Application Firewall) by probing the web server with malicious payloads and detecting changes in the response code and body. [Paulino Calderon]
- http-wordpress-brute performs brute force password auditing against Wordpress CMS/blog installations. [Paulino Calderon]
- http-wordpress-enum enumerates usernames in Wordpress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others. [Paulino Calderon]
- imap-brute performs brute force password auditing against IMAP servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM authentication. [Patrik Karlsson]
- smtp-brute performs brute force password auditing against SMTP servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM authentication. [Patrik Karlsson]
- smtp-vuln-cve2011-1764 checks for a format string vulnerability in the Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified Mail (DKIM) support (CVE-2011-1764). [Djalal Harouni]
- targets-ipv6-multicast-echo sends an ICMPv6 echo request packet to the all-nodes link-local multicast address (ff02::1) to discover responsive hosts on a LAN without needing to individually ping each IPv6 address. [David Fifield, Xu Weilin]
- targets-ipv6-multicast-invalid-dst sends an ICMPv6 packet with an invalid extension header to the all-nodes link-local multicast address (ff02::1) to discover (some) available hosts on the LAN. This works because some hosts will respond to this probe with an ICMPv6 parameter problem packet. [David Fifield, Xu Weilin]
- targets-ipv6-multicast-slaac performs IPv6 host discovery by triggering stateless address auto-configuration (SLAAC). [David Fifield, Xu Weilin]
- xmpp-brute performs brute force password auditing against XMPP (Jabber) instant messaging servers. [Patrik Karlsson]
- Fixed compilation on OS X 10.7 Lion. Thanks to Patrik Karlsson and Babak Farroki for researching fixes.
- [NSE] The script arguments which start with a script name (e.g. http-brute.hostname or afp-ls.maxfiles) can now accept the unqualified arguments as well (hostname, maxfiles). This lets you use the generic version ("hostname") when you want to affect multiple scripts, while using the qualified version to target individual scripts. If both are specified, the qualified version takes precedence for that particular script. This works for library script arguments too (e.g. you can specify 'timelimit' rather than unpwdb.timelimit). [Paulino]
- [Ncat] Updated SSL certificate store (ca-bundle.crt), primarily to remove the epic fail known as DigiNotar.
- Nmap now defers options parsing until it has read through all the command line arguments. This removes the few remaining cases where option order mattered (for example, IPv6 users previously had to specify -6 before -S). [Shinnok]
- [NSE] Added a new default credential list for Oracle databases and modified the oracle-brute script to make use of it. [Patrik]
- [NSE] Our Packet library (packet.lua) now handles IPv6. This is used by the new multicast IPv6 host discovery scripts (targets-ipv6-*). [Weilin]
- [NSE] Replaced xmpp.nse with an overhauled version named xmpp-info.nse which brings many new features and fixes. [Vasiliy Kulikov]
- [NSE] Fixed SSL compressor names in ssl-enum-ciphers.nse, and removed redundant multiple listings of the NULL compressor. [Matt Selsky]
- [NSE] Added cipher strength ratings to ssl-enum-ciphers.nse. [Gabriel Lawrence]
- [NSE] Fixed a bug in the ssh2-enum-algos script that would prevent it from displaying any output unless run in debug mode. [Patrik]
- [NSE] Added 4 more protocol libraries. You can learn more about any of them at https://nmap.org/nsedoc/. Here are the new ones (authors listed in brackets):
- bittorrent supports the BitTorrent file sharing protocol [Gorjan Petrovski]
- cvs includes support for the Concurrent Versions System (CVS) [Patrik Karlsson]
- sasl provides common code for "Simple Authentication and Security Layer" to services supporting it. The algorithms supported by the library are: PLAIN, CRAM-MD5, DIGEST-MD5 and NTLM. [Djalal Harouni, Patrik Karlsson]
- xmpp handles XMPP (Jabber) IM servers [Patrik Karlsson]
- [NSE] Removed the mac-geolocation script, which relied on a Google database to determine strikingly accurate GPS coordinates for anyone's wireless access points (based on their MAC address). It was very powerful. Perhaps Google decided it was too powerful, as they discontinued the service before our script was even 2 months old.
- [Ncat] Added an --append-output option which, when used along with -o and/or -x, prevents clobbering (truncating) an existing file. [Shinnok]
- Fixed RPC scan (part of -sV) to work on the 64-bit machines where "unsigned long" is 8 bytes rather than 4. We now use the more portable u32 in the code. [David]
- [NSE] Moved some scripts into the default category: giop-info, vnc-info, ncp-serverinfo, smb-security-mode, and afp-serverinfo. [Djalal]
- Relaxed the XML DTD to allow validation of files where the verbosity level changed during the scan. Also made a service confidence of 8 (used when tcpwrapped) or any other number between 0 and 10 legal. [Daniel Miller]
- [NSE] Fixed authentication problems in the TNS library that would prevent authentication from working against Oracle 11.2.0.2.0 XE. [Chris Woodbury]
- [NSE] Added basic query support to the Oracle TNS library so that scripts can now make SQL queries against database servers. Also improved support for 64-bit database servers and improved the documentation. [Patrik]
- Removed some restrictions on probe matching that, for example, prevented a RST/ACK reply from being recognized in a NULL scan. This was found and fixed by Matthew Stickney and Joe McEachern.
- Rearranged some character classes in service matches to avoid any that look like POSIX collating symbols ("[.xyz.]"). John Hutchison discovered this error caused by one of the match lines:
  InitMatch: illegal regexp: POSIX collating elements are not supported
  [Daniel Miller]
- [NSE] Added more than 100 new signatures to http-enum (many for known vulnerabilities). They are in the categories: general, attacks, cms, security, management and database. [Paulino]
- [NSE] Updated account status text in brute force password discovery scripts in an effort to make the reporting more consistent across all scripts. This will have an impact on any code that parses these values. [Tom Sellers]
- Nmap now includes the Liblinear library for large linear classification (http://www.csie.ntu.edu.tw/~cjlin/liblinear/). We are using it for the upcoming IPv6 OS detection system, and (if that works out well) may eventually use it for IPv4 too. It uses a three-clause BSD license.
- [NSE] Better error messages (including a traceback) are now provided when script loading fails. [Patrick]
- [Zenmap] Prevent Zenmap from deleting ports when merging scan results based on newer scans which did not actually scan the ports in question. Additionally Zenmap now only updates ports with new information if the new information uses the same protocol--not just the same port number. [Colin Rice]
- [Ncat] Fixed a crash which would occur when --ssl-verify is combined with -vvv on Windows. [Colin Rice]
- [Nping] Added new --safe-payloads option for echo mode which causes returned packet payloads to be zeroed to reduce privacy risks if the Nping echo server were to accidentally (or through malicious intent) return a packet which wasn't sent by the Nping echo client. We hope to soon make this behavior the default. [Luis]
- Fixed a bug that would make Nmap segfault if it failed to open an interface using pcap. The bug details and patch are posted at http://seclists.org/nmap-dev/2011/q3/365 [Patrik]
- Ncat SCTP mode now supports connection brokering (--sctp --broker). [Shinnok]
- Consolidated a bunch of duplicate code between Ncat's listen (ncat_listen.c) and broker (ncat_broker.c) modes to ease maintenance. [Shinnok]
- Added a 'nostore' nse argument to the brute force library which prevents the brute force authentication cracking scripts from storing found credentials in the creds library (they will still be printed in script output).
- [NSE] Fixed the nsedebug print_hex() function so it does not print an empty line if there are no remaining characters, and improved its NSEDoc. [Chris Woodbury]
- [Ncat] Ncat no longer blocks while an ssl handshake is taking place or waiting to complete. This could make listening Ncat instances unavailable to other clients because one client was taking too long to complete the SSL handshake. Our public Ncat chat server is now much more reliable (connect with: ncat --ssl -v chat.nmap.org). [Shinnok]
- [NSE] Updated SMTP and IMAP libraries to support authentication using both plain-text and the SASL library. [Patrik]
- [Zenmap] The Zenmap crash handler now instructs users to mail in crash information to nmap-dev rather than offering to create a Sourceforge bug tracker entry. [Colin Rice]
- [NSE] Applied patch from Chris Woodbury that adds the following additional information to the output of smb-os-discovery: NetBIOS computer name, NetBIOS domain name, FQDN, and forest name.
- [NSE] Updated smb-brute to add detection for valid credentials where the target account was expired or limited by time or login host constraints. [Tom Sellers]
- [Ncat] Ncat now supports IPv6 addresses by default without the -6 flag. Additionally ncat listens on both ::1 and localhost when passed -l, or any other listening mode unless a specific listening address is supplied. [Colin Rice]
- Fixed broken XML output in the case of timed-out hosts; the enclosing host element was missing. The fix was suggested by Rémi Mollon.
- [NSE] Multiple ldap-brute changes by Tom Sellers:
- Added support for 2008 R2 functional level Active Directory instances
- Added detection for valid credentials where the target account was expired or limited by time or login host constraints.
- Added support for specifying a UPN suffix to be appended to usernames when brute forcing Microsoft Active Directory accounts.
- Added support for saving discovered credentials to a CSV file.
- Now reports valid credentials as they are discovered when the script is run with -vv or higher.
- [NSE] ldap-search.nse - Added support for saving search results to CSV. This is done by using the ldap.savesearch script argument to specify an output filename prefix. [Tom Sellers]
- Handle an unconventional IPv6 internal link-local address convention used by Mac OS X. See http://seclists.org/nmap-dev/2011/q3/906. [David]
- [NSE] Optimized stdnse.format_output (changing the data structures) to improve performance for scripts which produce a lot of output. See http://seclists.org/nmap-dev/2011/q3/623. [Djalal]
- [NSE] Fix nping-brute so that it again works on IPv6. [Toni Ruottu]
- [NSE] Added the make_array and make_object functions to our json library, allowing Lua tables to be treated as JSON arrays or objects. See http://seclists.org/nmap-dev/2011/q3/15 [Daniel Miller]
- [NSE] The ip-geolocation-ipinfodb script now allows you to specify an IPInfoDB API key using the apikey NSE argument. [Gorjan]
- [NSE] Renamed http-wp-plugins to http-wordpress-plugins for consistency with http-wordpress-brute and now http-wordpress-enum. [Fyodor]
Nmap 5.59BETA1 [2011-06-30]
- [NSE] Added 40 scripts, bringing the total to 217! You can learn more about any of them at https://nmap.org/nsedoc/. Here are the new ones (authors listed in brackets):
- afp-ls: Lists files and their attributes from Apple Filing Protocol (AFP) volumes. [Patrik Karlsson]
- backorifice-brute: Performs brute force password auditing against the BackOrifice remote administration (trojan) service. [Gorjan Petrovski]
- backorifice-info: Connects to a BackOrifice service and gathers information about the host and the BackOrifice service itself. [Gorjan Petrovski]
- broadcast-avahi-dos: Attempts to discover hosts in the local network using the DNS Service Discovery protocol, then tests whether each host is vulnerable to the Avahi NULL UDP packet denial of service bug (CVE-2011-1002). [Djalal Harouni]
- broadcast-netbios-master-browser: Attempts to discover master browsers and the Windows domains they manage. [Patrik Karlsson]
- broadcast-novell-locate: Attempts to use the Service Location Protocol to discover Novell NetWare Core Protocol (NCP) servers. [Patrik Karlsson]
- creds-summary: Lists all discovered credentials (e.g. from brute force and default password checking scripts) at end of scan. [Patrik Karlsson]
- dns-brute: Attempts to enumerate DNS hostnames by brute force guessing of common subdomains. [Cirrus]
- dns-nsec-enum: Attempts to discover target hosts' services using the DNS Service Discovery protocol. [Patrik Karlsson]
- dpap-brute: Performs brute force password auditing against an iPhoto Library. [Patrik Karlsson]
- epmd-info: Connects to Erlang Port Mapper Daemon (epmd) and retrieves a list of nodes with their respective port numbers. [Toni Ruottu]
- http-affiliate-id: Grabs affiliate network IDs (e.g. Google AdSense or Analytics, Amazon Associates, etc.) from a web page. These can be used to identify pages with the same owner. [Hani Benhabiles, Daniel Miller]
- http-barracuda-dir-traversal: Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability described at http://seclists.org/fulldisclosure/2010/Oct/119. [Brendan Coles]
- http-cakephp-version: Obtains the CakePHP version of a web application built with the CakePHP framework by fingerprinting default files shipped with the CakePHP framework. [Paulino Calderon]
- http-majordomo2-dir-traversal: Exploits a directory traversal vulnerability existing in the Majordomo2 mailing list manager to retrieve remote files (CVE-2011-0049). [Paulino Calderon]
- http-wp-plugins: Tries to obtain a list of installed WordPress plugins by brute force testing for known plugins. [Ange Gutek]
- ip-geolocation-geobytes: Tries to identify the physical location of an IP address using the Geobytes geolocation web service (http://www.geobytes.com/iplocator.htm). [Gorjan Petrovski]
- ip-geolocation-geoplugin: Tries to identify the physical location of an IP address using the Geoplugin geolocation web service (http://www.geoplugin.com/). [Gorjan Petrovski]
- ip-geolocation-ipinfodb: Tries to identify the physical location of an IP address using the IPInfoDB geolocation web service (http://ipinfodb.com/ip_location_api.php). [Gorjan Petrovski]
- ip-geolocation-maxmind: Tries to identify the physical location of an IP address using a Geolocation Maxmind database file (available from http://www.maxmind.com/app/ip-location). [Gorjan Petrovski]
- ldap-novell-getpass: Attempts to retrieve the Novell Universal Password for a user. You must already have (and include in script arguments) the username and password for an eDirectory server administrative account. [Patrik Karlsson]
- mac-geolocation: Looks up geolocation information for BSSID (MAC) addresses of WiFi access points in the Google geolocation database. [Gorjan Petrovski]
- mysql-audit: Audits MySQL database server security configuration against parts of the CIS MySQL v1.0.2 benchmark (the engine can also be used for other MySQL audits by creating appropriate audit files). [Patrik Karlsson]
- ncp-enum-users: Retrieves a list of all eDirectory users from the Novell NetWare Core Protocol (NCP) service. [Patrik Karlsson]
- ncp-serverinfo: Retrieves eDirectory server information (OS version, server name, mounts, etc.) from the Novell NetWare Core Protocol (NCP) service. [Patrik Karlsson]
- nping-brute: Performs brute force password auditing against an Nping Echo service. [Toni Ruottu]
- omp2-brute: Performs brute force password auditing against the OpenVAS manager using OMPv2. [Henri Doreau]
- omp2-enum-targets: Attempts to retrieve the list of target systems and networks from an OpenVAS Manager server. [Henri Doreau]
- ovs-agent-version: Detects the version of an Oracle OVSAgentServer by fingerprinting responses to an HTTP GET request and an XML-RPC method call. [David Fifield]
- quake3-master-getservers: Queries Quake3-style master servers for game servers (many games other than Quake 3 use this same protocol). [Toni Ruottu]
- servicetags: Attempts to extract system information (OS, hardware, etc.) from the Sun Service Tags service agent (UDP port 6481). [Matthew Flanagan]
- sip-brute: Performs brute force password auditing against Session Initiation Protocol (SIP - http://en.wikipedia.org/wiki/Session_Initiation_Protocol) accounts. This protocol is most commonly associated with VoIP sessions. [Patrik Karlsson]
- sip-enum-users: Attempts to enumerate valid SIP user accounts. Currently only the SIP server Asterisk is supported. [Patrik Karlsson]
- smb-mbenum: Queries information managed by the Windows Master Browser. [Patrik Karlsson]
- smtp-vuln-cve2010-4344: Checks for and/or exploits a heap overflow within versions of Exim prior to version 4.69 (CVE-2010-4344) and a privilege escalation vulnerability in Exim 4.72 and prior (CVE-2010-4345). [Djalal Harouni]
- smtp-vuln-cve2011-1720: Checks for a memory corruption in thePostfix SMTP server when it uses Cyrus SASL library authenticationmechanisms (CVE-2011-1720). This vulnerability can allow denialof service and possibly remote code execution. [Djalal Harouni]
- snmp-ios-config: Attempts to downloads Cisco router IOSconfiguration files using SNMP RW (v1) and display or savethem. [Vikas Singhal, Patrik Karlsson]
- ssl-known-key: Checks whether the SSL certificate used by a hosthas a fingerprint that matches an included database of problematickeys. [Mak Kolybabi]
- targets-sniffer: Sniffs the local network for a configurableamount of time (10 seconds by default) and prints discoveredaddresses. If the newtargets script argument is set, discoveredaddresses are added to the scan queue. [Nick Nikolaou]
- xmpp: Connects to an XMPP server (port 5222) and collects serverinformation such as supported auth mechanisms, compression methodsand whether TLS is supported and mandatory. [Vasiliy Kulikov]
- Nmap has long supported IPv6 for basic (connect) port scans, basic host discovery, version detection, and the Nmap Scripting Engine. This release dramatically expands and improves IPv6 support:
  - IPv6 raw packet scans (including SYN scan, UDP scan, ACK scan, etc.) are now supported. [David, Weilin]
  - IPv6 raw packet host discovery (IPv6 echo requests, TCP/UDP discovery packets, etc.) is now supported. [David, Weilin]
  - IPv6 traceroute is now supported. [David]
  - IPv6 protocol scan (-sO) is now supported, including creating realistic headers for many protocols. [David]
  - IPv6 support was added to the wsdd, dnssd and upnp NSE libraries. [Daniel Miller, Patrik]
  - The --exclude and --excludefile options now support IPv6 addresses with netmasks. [Colin]
  - Scanme.Nmap.Org (the system anyone is allowed to scan for testing purposes) is now dual-stacked (has an IPv6 address as well as IPv4) so you can scan it during IPv6 testing. We also added a DNS record for ScanmeV6.nmap.org which is IPv6-only. See http://seclists.org/nmap-dev/2011/q2/428. [Fyodor]
  - The Nmap.Org website as well as sister sites Insecure.Org, SecLists.Org, and SecTools.Org all have working IPv6 addresses now (dual stacked). [Fyodor]
- Nmap now determines the filesystem location it is being run from and that path is now included early in the search path for data files (such as nmap-services). This reduces the likelihood of needing to specify --datadir or getting data files from a different version of Nmap installed on the system. For full details, see https://nmap.org/book/data-files-replacing-data-files.html. Thanks to Solar Designer for implementation advice. [David]
- Created a page on our SecWiki for collecting Nmap script ideas! If you have a good idea, post it to the incoming section of the page. Or if you're in a script writing mood but don't know what to write, come here for inspiration: https://secwiki.org/w/Nmap_Script_Ideas.
- The development pace has greatly increased because Google (again) sponsored 7 full-time college and graduate student programmer interns this summer as part of their Summer of Code program! Thanks, Google Open Source Department! We're delighted to introduce the team: http://seclists.org/nmap-dev/2011/q2/312
- [NSE] Added 7 new protocol libraries, bringing the total to 66. You can read about them all at https://nmap.org/nsedoc/. Here are the new ones (authors listed in brackets):
  - creds: Handles storage and retrieval of discovered credentials (such as passwords discovered by brute force scripts). [Patrik Karlsson]
  - ncp: A tiny implementation of Novell Netware Core Protocol (NCP). [Patrik Karlsson]
  - omp2: OpenVAS Management Protocol (OMP) version 2 support. [Henri Doreau]
  - sip: Supports a limited subset of SIP commands and methods. [Patrik Karlsson]
  - smtp: Simple Mail Transfer Protocol (SMTP) operations. [Djalal Harouni]
  - srvloc: A relatively small implementation of the Service Location Protocol. [Patrik Karlsson]
  - tftp: Implements a minimal TFTP server. It is used in snmp-ios-config to obtain router config files. [Patrik Karlsson]
- Improved Nmap's service/version detection database by adding:
  - Apple iPhoto (DPAP) protocol probe [Patrik]
  - Zend Java Bridge probe [Michael Schierl]
  - BackOrifice probe [Gorjan Petrovski]
  - GKrellM probe [Toni Ruottu]
  - Signature improvements for a wide variety of services (we now have 7,375 signatures)
- [NSE] ssh-hostkey now additionally has a postrule that prints hosts found during the scan which share the same hostkey. [Henri Doreau]
- [NSE] Added 300+ new signatures to http-enum which look for admin directories, JBoss, Tomcat, TikiWiki, Majordomo2, MS SQL, Wordpress, and more. [Paulino]
- Made the final IP address space assignment update as all available IPv4 address blocks have now been allocated to the regional registries. Our random IP generation (-iR) logic now only excludes the various reserved blocks. Thanks to Kris for years of regular updates to this function!
- [NSE] Replaced http-trace with a new, more effective version. [Paulino]
- Performed some output cleanup work to remove unimportant status lines so that it is easier to find the good stuff! [David]
- [Zenmap] Zenmap now properly kills the Nmap scan subprocess when you cancel a scan or quit Zenmap on Windows. [Shinnok]
- [NSE] Banned scripts from being in both the "default" and "intrusive" categories. We did this by removing dhcp-discover and dns-zone-transfer from the set of scripts run by default (leaving them "intrusive"), and reclassifying dns-recursion, ftp-bounce, http-open-proxy, and socks-open-proxy as "safe" rather than "intrusive" (keeping them in the "default" set).
- [NSE] Added a credential storage library (creds.lua) and modified the brute library and scripts to make use of it. [Patrik]
- [Ncat] Created a portable version of ncat.exe that you can just drop onto Microsoft Windows systems without having to run any installer or copy over extra library files. See the Ncat page (https://nmap.org/ncat/) for binary downloads and a link to build instructions. [Shinnok]
- Fixed a segmentation fault which could occur when running Nmap on various Android-based phones. The problem related to NULL being passed to freeaddrinfo(). [David, Vlatko Kosturjak]
- [NSE] The host.bin_ip and host.bin_ip_src entries now also work with 16-byte IPv6 addresses. [David]
- [Ncat] Updated the ca-bundle.crt list of trusted certificate authority certificates. [David]
- [NSE] Fixed a bug in the SMB Authentication library which could prevent concurrently running scripts with valid credentials from logging in. [Chris Woodbury]
- [NSE] Re-worked http-form-brute.nse to better autodetect form fields, allow brute force attempts where only the password (no username) is needed, follow HTTP redirects, and better detect incorrect login attempts. [Patrik, Daniel Miller]
- [Zenmap] Changed the "slow comprehensive scan" profile's NSE script selection from "all" to "default or (discovery and safe)" categories. Except for testing and debugging, "--script all" is rarely desirable.
- [NSE] Added the stdnse.silent_require method which is used for library requires that you know might fail (e.g. "openssl" fails if Nmap was compiled without that library). If these libraries are called with silent_require and fail to load, the script will cease running but the user won't be presented with ugly failure messages as would happen with a normal require. [Patrick Donnelly]
- [Zenmap] Fixed a bug in the topology mapper which caused endpoints behind firewalls to sometimes show up in the wrong place (see http://seclists.org/nmap-dev/2011/q2/733). [Colin Rice]
- [Zenmap] If you scan a system twice, any open ports from the first scan which are closed in the 2nd will be properly marked as closed. [Colin Rice]
- [Zenmap] Fixed an error that could cause a crash ("TypeError: an integer is required") if a sort column in the ports table was unset. [David]
- [Ndiff] Added nmaprun element information (Nmap version, scan date, etc.) to the diff. Also, the Nmap banner with version number and date is now only printed if there were other differences in the scan. [Daniel Miller, David, Dr. Jesus]
- [NSE] Added nmap.get_interface and nmap.get_interface_info functions so scripts can access characteristics of the scanning interface. Removed nmap.get_interface_link. [Djalal]
- Fixed an overflow in scan elapsed time display that caused negative times to be printed after about 25 days. [Daniel Miller]
- Updated nmap-rpc from the master list, now maintained by IANA. [Daniel Miller, David]
- [Zenmap] Fixed a bug in the option parser: -sN (null scan) was interpreted as -sn (no port scan). This was reported by Shitaneddine. [David]
- [Ndiff] Fixed the Mac OS X packages to use the correct path for Python: /usr/bin/python instead of /opt/local/bin/python. The bug was reported by Wellington Castello. [David]
- Removed the -sR (RPC scan) option--it is now an alias for -sV (version scan), which always does RPC scan when an rpcinfo service is detected.
- [NSE] Improved the ms-sql scripts and library in several ways:
  - Improved version detection and server discovery
  - Added support for named pipes, integrated authentication, and connecting to instances by name or port
  - Improved script and library stability and documentation.
- [NSE] Fixed http.validate_options when handling a cookie table. [Sebastian Prengel]
- Added a Service Tags UDP probe for port 6481/udp. [David]
- [NSE] Enabled firewalk.nse to automatically find the gateways at which probes are dropped and fixed various bugs. [Henri Doreau]
- [Zenmap] Worked around a pycairo bug that prevented saving the topology graphic as PNG on Windows: "Error Saving Snapshot: Surface.write_to_png takes one argument which must be a filename (str), file object, or a file-like object which has a 'write' method (like StringIO)". The problem was reported by Alex Kah. [David]
- The -V and --version options now show the platform Nmap was compiled on, which features are compiled in, the version numbers of libraries it is linked against, and whether the libraries are the ones that come with Nmap or the operating system. [Ambarisha B., David]
- Fixed some inconsistencies in nmap-os-db reported by Xavier Sudre from netVigilance.
- The Nmap Win32 uninstaller now properly deletes nping.exe. [Fyodor]
- [NSE] Added a shortport.ssl function which can be used as a script portrule to match SSL services. It is similar in concept to our existing shortport.http. [David]
- Set up the RPM build to use the compat-glibc and compat-gcc-34-c++ packages (on CentOS 5.3) to resolve a report of Nmap failing to run on old versions of Glibc. [David]
- We no longer support Nmap on versions of Windows earlier than XP SP2. Even Microsoft no longer supports Windows versions that old. But if you must use Nmap on such systems anyway, please see https://secwiki.org/w/Nmap_On_Old_Windows_Releases.
- There were hundreds of other little bug fixes and improvements (especially to NSE scripts). See the SVN logs for revisions 22,274 through 24,460 for details.
Nmap 5.51 [2011-02-11]
- [Ndiff] Added support for prerule and postrule scripts. [David]
- [NSE] Fixed a bug which caused some NSE scripts to fail due to the absence of the NSE SCRIPT_NAME environment variable when loaded. Michael Pattrick reported the problem. [Djalal]
- [Zenmap] Selecting one of the scan targets in the left pane is supposed to jump to that host in the Nmap Output in the right pane (but it wasn't). Brian Krebs reported this bug. [David]
- Fixed an obscure bug in Windows interface matching. If the MAC address of an interface couldn't be retrieved, it might have been used instead of the correct interface. Alexander Khodyrev reported the problem. [David]
- [NSE] Fixed portrules in dns-zone-transfer and ftp-proftpd-backdoor that used shortport functions incorrectly and always returned true. [Jost Krieger]
- [Ndiff] Fixed ndiff.dtd to include two elements that can be diffed: status and address. [Daniel Miller]
- [Ndiff] Fixed the ordering of hostscript-related elements in XML output. [Daniel Miller]
- [NSE] Fixed a bug in the nrpe-enum script that would make it run for every port (when it was selected--it isn't by default). Daniel Miller reported the bug. [Patrick]
- [NSE] When an NSE script sets a negative socket timeout, it now causes a controlled Lua stack trace instead of a fatal error. Vlatko Kosturjak reported the bug. [David]
- [Zenmap] Worked around an error that caused the py2app bootstrap executable to be non-universal even when the rest of the application was universal. This prevented the binary .dmg from working on PowerPC. Yxynaxen reported the problem. [David]
- [Ndiff] Fixed an output line that wasn't being redirected to a file when all other output was. [Daniel Miller]
Nmap 5.50 [2011-01-28]
- [Zenmap] Added a new script selection interface, allowing you to choose scripts and arguments from a list which includes descriptions of every available script. Just click the "Scripting" tab in the profile editor. [Kirubakaran]
- [Nping] Added echo mode, a novel technique for discovering how your packets are changed (or dropped) in transit between the host they originated from and a target machine. It can detect network address translation, packet filtering, routing anomalies, and more. You can try it out against our public Nping echo server using this command:
    nping --echo-client "public" echo.nmap.org
  Or learn more about echo mode at https://nmap.org/book/nping-man-echo-mode.html. [Luis]
- [NSE] Added an amazing 46 scripts, bringing the total to 177! You can learn more about any of them at https://nmap.org/nsedoc/. Here are the new ones (authors listed in brackets):
  - broadcast-dns-service-discovery: Attempts to discover hosts' services using the DNS Service Discovery protocol. It sends a multicast DNS-SD query and collects all the responses. [Patrik Karlsson]
  - broadcast-dropbox-listener: Listens for the LAN sync information broadcasts that the Dropbox.com client broadcasts every 20 seconds, then prints all the discovered client IP addresses, port numbers, version numbers, display names, and more. [Ron Bowes, Mak Kolybabi, Andrew Orr, Russ Tait Milne]
  - broadcast-ms-sql-discover: Discovers Microsoft SQL servers in the same broadcast domain. [Patrik Karlsson]
  - broadcast-upnp-info: Attempts to extract system information from the UPnP service by sending a multicast query, then collecting, parsing, and displaying all responses. [Patrik Karlsson]
  - broadcast-wsdd-discover: Uses a multicast query to discover devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later). [Patrik Karlsson]
  - db2-discover: Attempts to discover DB2 servers on the network by querying open ibm-db2 UDP ports (normally port 523). [Patrik Karlsson]
  - dns-update.nse: Attempts to perform an unauthenticated dynamic DNS update. [Patrik Karlsson]
  - domcon-brute: Performs brute force password auditing against the Lotus Domino Console. [Patrik Karlsson]
  - domcon-cmd: Runs a console command on the Lotus Domino Console with the given authentication credentials (see also: domcon-brute). [Patrik Karlsson]
  - domino-enum-users: Attempts to discover valid IBM Lotus Domino users and download their ID files by exploiting the CVE-2006-5835 vulnerability. [Patrik Karlsson]
  - firewalk: Tries to discover firewall rules using an IP TTL expiration technique known as firewalking. [Henri Doreau]
  - ftp-proftpd-backdoor: Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID 69562. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with a script argument. [Mak Kolybabi]
  - giop-info: Queries a CORBA naming server for a list of objects. [Patrik Karlsson]
  - gopher-ls: Lists files and directories at the root of a gopher service. Remember those? [Toni Ruottu]
  - hddtemp-info: Reads hard disk information (such as brand, model, and sometimes temperature) from a listening hddtemp service. [Toni Ruottu]
  - hostmap: Tries to find hostnames that resolve to the target's IP address by querying the online database at http://www.bfk.de/bfk_dnslogger.html. [Ange Gutek]
  - http-brute: Performs brute force password auditing against http basic authentication. [Patrik Karlsson]
  - http-domino-enum-passwords: Attempts to enumerate the hashed Domino Internet Passwords that are (by default) accessible by all authenticated users. This script can also download any Domino ID Files attached to the Person document. [Patrik Karlsson]
  - http-form-brute: Performs brute force password auditing against http form-based authentication. [Patrik Karlsson]
  - http-vhosts: Searches for web virtual hostnames by making a large number of HEAD requests against http servers using common hostnames. [Carlos Pantelides]
  - informix-brute: Performs brute force password auditing against IBM Informix Dynamic Server. [Patrik Karlsson]
  - informix-query: Runs a query against IBM Informix Dynamic Server using the given authentication credentials (see also: informix-brute). [Patrik Karlsson]
  - informix-tables: Retrieves a list of tables and column definitions for each database on an Informix server. [Patrik Karlsson]
  - iscsi-brute: Performs brute force password auditing against iSCSI targets. [Patrik Karlsson]
  - iscsi-info: Collects and displays information from remote iSCSI targets. [Patrik Karlsson]
  - modbus-discover: Enumerates SCADA Modbus slave ids (sids) and collects their device information. [Alexander Rudakov]
  - nat-pmp-info: Queries a NAT-PMP service for its external address. [Patrik Karlsson]
  - netbus-auth-bypass: Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password. [Toni Ruottu]
  - netbus-brute: Performs brute force password auditing against the Netbus backdoor ("remote administration") service. [Toni Ruottu]
  - netbus-info: Opens a connection to a NetBus server and extracts information about the host and the NetBus service itself. [Toni Ruottu]
  - netbus-version: Extends version detection to detect NetBuster, a honeypot service that mimics NetBus. [Toni Ruottu]
  - nrpe-enum: Queries Nagios Remote Plugin Executor (NRPE) daemons to obtain information such as load averages, process counts, logged in user information, etc. [Mak Kolybabi]
  - oracle-brute: Performs brute force password auditing against Oracle servers. [Patrik Karlsson]
  - oracle-enum-users: Attempts to enumerate valid Oracle user names against unpatched Oracle 11g servers (this bug was fixed in Oracle's October 2009 Critical Patch Update). [Patrik Karlsson]
  - path-mtu: Performs simple Path MTU Discovery to target hosts. [Kris Katterjohn]
  - resolveall: Resolves hostnames and adds every address (IPv4 or IPv6, depending on Nmap mode) to Nmap's target list. This differs from Nmap's normal host resolution process, which only scans the first address (A or AAAA record) returned for each host name. [Kris Katterjohn]
  - rmi-dumpregistry: Connects to a remote RMI registry and attempts to dump all of its objects. [Martin Holst Swende]
  - smb-flood: Exhausts a remote SMB server's connection limit by opening as many connections as we can. Most implementations of SMB have a hard global limit of 11 connections for user accounts and 10 connections for anonymous. Once that limit is reached, further connections are denied. This script exploits that limit by taking up all the connections and holding them. [Ron Bowes]
  - ssh2-enum-algos: Reports the number of algorithms (for encryption, compression, etc.) that the target SSH2 server offers. If verbosity is set, the offered algorithms are each listed by type. [Kris Katterjohn]
  - stuxnet-detect: Detects whether a host is infected with the Stuxnet worm (http://en.wikipedia.org/wiki/Stuxnet). [Mak Kolybabi]
  - svn-brute: Performs brute force password auditing against Subversion source code control servers. [Patrik Karlsson]
  - targets-traceroute: Inserts traceroute hops into the Nmap scanning queue. It only functions if Nmap's --traceroute option is used and the newtargets script argument is given. [Henri Doreau]
  - vnc-brute: Performs brute force password auditing against VNC servers. [Patrik Karlsson]
  - vnc-info: Queries a VNC server for its protocol version and supported security types. [Patrik Karlsson]
  - wdb-version: Detects vulnerabilities and gathers information (such as version numbers and hardware support) from VxWorks Wind DeBug agents. [Daniel Miller]
  - wsdd-discover: Retrieves and displays information from devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later). [Patrik Karlsson]
- [NSE] Added 12 new protocol libraries:
  - dhcp.lua by Ron
  - dnssd.lua (DNS Service Discovery) by Patrik
  - ftp.lua by David
  - giop.lua (CORBA naming service) by Patrik
  - informix.lua (Informix database) by Patrik
  - iscsi.lua (iSCSI - IP based SCSI data transfer) by Patrik
  - nrpc.lua (Lotus Domino RPC) by Patrik
  - rmi.lua (Java Remote Method Invocation) by Martin Holst Swende
  - tns.lua (Oracle) by Patrik
  - upnp.lua (UPnP support) by Thomas Buchanan and Patrik
  - vnc.lua (Virtual Network Computing) by Patrik
  - wsdd.lua (Web Service Dynamic Discovery) by Patrik
- [NSE] Added a new brute library that provides a basic framework and logic for brute force password auditing scripts. [Patrik]
- [Zenmap] Greatly improved performance for large scans by benchmarking intensively and then recoding dozens of slow parts. Time taken to load our benchmark file (a scan of just over a million IPs belonging to Microsoft corporation, with 74,293 hosts up) was reduced from hours to less than two minutes. Memory consumption decreased dramatically as well. [David]
- Performed a major OS detection integration run. The database has grown more than 14% to 2,982 fingerprints and many of the existing fingerprints were improved. Highlights include Linux 2.6.37, iPhone OS 4.2.1, Solaris 11, AmigaOS 3.1, GNU Hurd 0.3, and MINIX 2.0.4. David posted highlights of his integration work at http://seclists.org/nmap-dev/2010/q4/651
- Performed a huge version detection integration run. The number of signatures has grown by more than 11% to 7,355. More than a third of our signatures are for http, but we also detect 743 other service protocols, from abc, acap, access-remote-pc, and achat to zenworks, zeo, and zmodem. David posted highlights at http://seclists.org/nmap-dev/2010/q4/761.
- [NSE] Added the target NSE library which allows scripts to add newly discovered targets to Nmap's scanning queue. This allows Nmap to support a wide range of target acquisition techniques. Scripts which can now use this feature include dns-zone-transfer, hostmap, ms-sql-info, snmp-interfaces, targets-traceroute, and several more. [Djalal]
- [NSE] Nmap has two new NSE script scanning phases. The new pre-scan occurs before Nmap starts scanning. Some of the initial pre-scan scripts use techniques like broadcast DNS service discovery or DNS zone transfers to enumerate hosts which can optionally be treated as targets. The other phase (post scan) runs after all of Nmap's scanning is complete. We don't have any of these scripts yet, but they could compile scan statistics or present the results in a different way. One idea is a reverse index which provides a list of services discovered during a network scan, along with a list of IPs found to be running each service. See https://nmap.org/book/nse-usage.html#nse-script-types. [Djalal]
- [NSE] A new --script-help option describes all scripts matching a given specification. It accepts the same specification format as --script does. For example, try 'nmap --script-help "default or http-*"'. [David, Martin Holst Swende]
- Dramatically improved nmap.xsl (used for converting Nmap XML output to HTML). In particular:
  - Put verbose details behind expander buttons so you can see them if you want, but they don't distract from the main output. In particular, offline hosts and traceroute results are collapsed by default.
  - Improved the color scheme to be less garish.
  - Added support for the new NSE pre-scan and post-scan phases.
  - Changed script output to use 'pre' tags to keep even lengthy output readable.
  - Added a floating menu to the lower-right for toggling whether closed/filtered ports are shown or not (they are now hidden by default if Javascript is enabled).
- [NSE] Created a new "broadcast" script category for the broadcast-* scripts. These perform network discovery by broadcasting on the local network and listening for responses. Since they don't directly relate to targets specified on the command line, these are kept out of the default category (nor do they go in "discovery").
- Integrated cracked passwords from the Gawker.com compromise (http://seclists.org/nmap-dev/2010/q4/674) into Nmap's top-5000 password database. A team of Nmap developers led by Brandon Enright has cracked 635,546 out of 748,081 password hashes so far (85%). Gawker doesn't exactly have the most sophisticated users on the Internet--their top passwords are "123456", "password", "12345678", "lifehack", "qwerty", "abc123", "12345", "monkey", "111111", "consumer", and "letmein".
- XML output now excludes output for down hosts when only doing host discovery, unless verbosity (-v) was requested. This is how it already worked for normal scans, but the ping-only case was overlooked. [David]
- Updated the Windows build process to work with (and require) Visual C++ 2010 rather than 2008. If you want to build Zenmap too, you now need Python 2.7 (rather than 2.6) and GTK+ 2.22. See https://nmap.org/book/inst-windows.html#inst-win-source [David, Rob Nicholls, KX]
- Merged port names in the nmap-services file with allocated names from the IANA (http://www.iana.org/assignments/port-numbers). We only added IANA names which were "unknown" in our file--we didn't deal with conflicting names. [David]
- Enabled the ASLR and DEP security technologies for Nmap.exe, Ncat.exe and Nping.exe on Windows Vista and above. Visual C++ will set the /DYNAMICBASE and /NXCOMPAT flags in the PE header. Executables generated using py2exe or NSIS and third party binaries (OpenSSL, WinPcap) still don't support ASLR or DEP. Support for DEP on XP SP3, using SetProcessDEPPolicy(), could still be implemented. See http://seclists.org/nmap-dev/2010/q3/328. [Robert]
- Investigated using the CPE (Common Platform Enumeration) standard for describing operating systems, devices, and service names for Nmap OS and service detection. You can read David's reports at http://seclists.org/nmap-dev/2010/q3/278 and http://seclists.org/nmap-dev/2010/q3/303.
- [Zenmap] Improved the output viewer to show new output in constant time. Previously it would get slower and slower as the output grew longer, eventually making Zenmap appear to freeze with 100% CPU. Rob Nicholls and Ray Middleton helped with testing. [David]
- The Linux RPM builds of Nmap and related tools (ncat, nping, etc.) now link to system libraries dynamically rather than statically. They still link statically to dependency libraries such as OpenSSL, Lua, LibPCRE, Libpcap, etc. We hope this will improve portability so the RPMs will work on distributions with older software (like RHEL, Debian stable) as well as more bleeding edge ones like Fedora. [David]
- [NSE] Added the ability to send and receive on unconnected sockets. This can be used, for example, to receive UDP broadcasts without having to use Libpcap. A number of scripts have been changed so that they can work as prerule scripts to discover services by UDP broadcasting, and optionally add the discovered targets to the scanning queue. The nmap.new_socket function can now optionally take a default protocol and address family, which will be used if the socket is not connected. There is a new nmap.sendto function to be used with unconnected UDP sockets. [David, Patrik]
- [Nping] Substantially improved the Nping man page. You can read it online at https://nmap.org/book/nping-man.html. [Luis, David]
- Documented the licenses of the third-party software used by Nmap and its sibling tools: https://svn.nmap.org/nmap/docs/3rd-party-licenses.txt. [David]
- [NSE] Improved the SMB scripts so that they can run in parallel rather than using a mutex to force serialization. This quadrupled the SMB scan speed in one large scale test. See http://seclists.org/nmap-dev/2010/q3/819. [Ron]
- Added a simple Nmap NSE script template to make writing new scripts easier: https://nmap.org/svn/docs/sample-script.nse. [Ron]
- [Zenmap] Made the topology node radiuses grow logarithmically instead of linearly, so that hosts with thousands of open ports don't overwhelm the diagram. Also only open ports (not open|filtered) are considered when calculating node sizes. Henri Doreau found and fixed a bug in the implementation. [Daniel Miller]
- [NSE] Added the get_script_args NSE function for parsing script arguments in a clean and standardized way (https://nmap.org/nsedoc/lib/stdnse.html#get_script_args). [Djalal]
- Increased the initial RTT timeout for ARP scans from 100 ms to 200 ms. Some wireless and VPN links were taking around 300 ms to respond. The default of one retransmission gives them 400 ms to be detected.
- Added new version detection probes and signatures from Patrik for:
  - Lotus Domino Console running on tcp/2050 (shows OS and hostname)
  - IBM Informix Dynamic Server running native protocol (shows hostname and file path)
  - Database servers running the DRDA protocol
  - IBM Websphere MQ (shows name of queue-manager and channel)
- Fixed Nmap compilation on OpenSolaris (see http://blogs.sun.com/sdaven/entry/nmap_5_35dc1_compile_on). [David]
- [NSE] The http library's request functions now accept an additional "auth" table within the option table, which causes Basic authentication credentials to be sent. [David]
- Improved IPv6 host output in that we now remember and report the forward DNS name (given by the user) and any non-scanned addresses (usually because of round robin DNS). We already did this for IPv4. [David]
- [Zenmap] Upgraded to the newer gtk.Tooltip API to avoid deprecation messages about gtk.Tooltip. [Rob Nicholls]
- [NSE] Made the dns-zone-transfer script able to add newly discovered DNS records to the Nmap scanning queue. [Djalal]
- [NSE] Enhanced ssl-cert to also report the type and bit size of SSL certificate public keys. [Matt Selsky]
- [Ncat] Made --exec and --idle-timeout work when connecting with --proxy. Florian Roth reported the bug. [David]
- [Nping] Fixed a bug which caused Nping to fail when targeting broadcast addresses (see http://seclists.org/nmap-dev/2010/q3/752). [Luis]
- [Nping] Nping now limits concurrent open file descriptors properly based on the resources available on the host (see http://seclists.org/nmap-dev/2010/q4/2). [Luis]
- [NSE] Improved ssh2's kex_init() parameters: all of the algorithm and language lists can be set using new keys in the "options" table argument. These all default to the same value used before. Also, the required "cookie" argument is now replaced by an optional "cookie" key in the "options" table, defaulting to random bytes as suggested by the RFC. [Kris]
- Ncat now logs Nsock debug output to stderr instead of stdout for consistency with its other debug messages. [David]
- [NSE] Added a new function, shortport.http, for HTTP script portrules and changed 14 scripts to use it. [David]
- Updated to the latest config.guess and config.sub. Thanks to Ty Miller for a reminder. [David]
- [NSE] Added prerule support to snmp-interfaces and the ability to add the remote host's interface addresses to the scanning queue. The new script arguments used for this functionality are "host" (required) and "port" (optional). [Kris]
- Fixed some inconsistencies in nmap-os-db and a small memory leak that would happen where there was more than one round of OS detection. These were reported by Xavier Sudre from netVigilance. [David]
- [NSE] Fixed a bug with worker threads calling the wrong destructors. Fixing this allows better parallelism in http-brute.nse. The problem was reported by Patrik Karlsson. [David, Patrick]
- Upgraded the OpenSSL binaries shipped in our Windows installer to version 1.0.0a. [David]
- [NSE]Added prerule support to thedns-zone-transfer script,allowing it to run early to discover IPs from DNS records andoptionally add those IPs to Nmap's target queue. You must specifythe DNS server and domain name to use with scriptarguments. [Djalal]
- Changed the name of libdnet's sctp_chunkhdr to avoid a conflict witha struct of the same name in netinet/sctp.h. This caused acompilation error when Nmap was compiled with an OpenSSL that hadSCTP support. [Olli Hauer, Daniel Roethlisberger]
- [NSE]Implemented a big cleanup of the Nmap NSE Nsock librarybinding code. [Patrick]
- Added a bunch of Apple and Netatalk AFP service detectionsignatures. These often provide extra details such as whether thetarget is a MacBook Pro, Air, Mac Mini, iMac, etc. [Brandon]
- [NSE]Host tables now have a host.traceroute member available when--traceroute is used. This array contains the IP address, reverseDNS name, and RTT for each traceroute hop. [Henri Doreau]
- [NSE]Made theftp-anon script return a directory listing whenanonymous login is allowed. [Gutek, David]
- [NSE]Added the nmap.resolve() function. It takes a host name andoptionally an address family (such as "inet") and returns a tablecontaining all of its matching addresses. If no address family isspecified, all addresses for the name are returned. [Kris]
- [NSE]Added the nmap.address_family() function which returns the addressfamily Nmap is using as a string (e.g., "inet6" is returned if Nmap iscalled with the -6 option). [Kris]
- [NSE]Scripts can now access the MTU of the host.interface device usinghost.interface_mtu. [Kris]
- Restrict the default Windows DLL search path by removing the currentdirectory. This adds extra protection against DLL hijacking attacks,especially if we were to add file type associations to Nmap in thefuture. We implement this with the SetDllDirectory function whenavailable (Windows XP SP1 and later). Otherwise, we callSetCurrentDirectory with the directory containing theexecutable. [David]
- Nmap now prints the MTU for interfaces in --iflist output. [Kris]
- [NSE]Removed references to the MD2 algorithm, which OpenSSL 1.x.xno longer supports. [Alexandru]
- [Ncat,NSE]Server Name Indication (SNI) is now supported by Ncat andNmap NSE, allowing them to connect to servers which run multiple SSLwebsites on one IP address. To enable this for NSE, the nmap.connectfunction has been changed to accept host and port tables (like thoseprovided to the action function) in place of a string and anumber. [David]
- [NSE]Renamed db2-info and db2-brute scripts to drda-*. Addedsupport other DRDA based databases such as IBM Informix DynamicServer and Apache Derby. [Patrik]
- [Nsock]Added a new function, nsi_set_hostname, to set the intendedhostname of the target. This allows the use of Server NameIndication in SSL connections. [David]
- [NSE]Limits the number of ports thatqscan will scan (now up to 8open ports and up to 1 closed port by default). These limits can becontrolled with theqscan.numopen andqscan.numclosed scriptarguments. [David]
- [NSE]Madesslv2.nse give special output when SSLv2 is supported,but no SSLv2 ciphers are offered. This happened with a specificSendmail configuration. [Matt Selsky]
- [NSE]Added a "times" table to the host table passed to scripts.This table contains Nmap's timing data (srtt, the smoothed roundtrip time; rttvar, the rtt variance; and timeout), all representedas floating-point seconds. Theipidseq andqscan scripts wereupdated to utilize the host's timeout value rather than using aconservative guess of 3 seconds for read timeouts. [Kris]
- Fixed the fragmentation options (-f in Nmap, --mtu in Nmap & Nping),which were improperly sending whole packets in version5.35DC1. [Kris]
- [NSE]When receiving raw packets from Pcap, the packet capture timeis now available to scripts as an additional return value frompcap_receive(). It is returned as the floating point number ofseconds since the epoch. Also added the nmap.clock() function whichreturns the current time (and convenience functions clock_ms() andclock_us()). Qscan.nse was updated to use this more accurate timingdata. [Kris]
- [Ncat,Nsock]Fixed some minor bugs discovered using the Smatchsource code analyzer (http://smatch.sourceforge.net/). [David]
- [Zenmap]Fixed a crash that would happen after opening the searchwindow, entering a relative date criterion such as "after:-7", andthen clicking the "Expressions" button. The error message was
AttributeError: 'tuple' object has no attribute 'strftime'
[David] - Added a new packet payload--a NAT-PMP external address request forport 5351/udp. Payloads help us elicit responses from listening UDPservices to better distinguish them from filtered ports. Thispayload goes well with our newnat-pmp-info script. [David, Patrik]
- Updated IANA IP address space assignment list for random IP (-iR)generation. [Kris]
- [Ncat]Ncat now uses case-insensitive string comparison whenchecking authentication schemes and parameters. Florian Roth found aserver offering "BASIC" instead of "Basic", and the HTTP RFCrequires case-insensitive comparisons in most places. [David]
- [NSE]There is now a limit of 1,000 concurrent running scripts,instituted to keep memory under control when there are many openports. Nathan reported 3 GB of memory use (with an out-of-memory NSEcrash) for one host with tens of thousands of open ports. This limitcan be controlled with the variable CONCURRENCY_LIMIT innse_main.lua. [David]
- The command line in XML output (/nmaprun/@args attribute) now doesquoting of whitespace using double quotes and backslashes. Thisallows recovering the original command line array even whenarguments contain whitespace. [David]
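The quoting scheme above only pays off if a consumer of the XML can invert it. The following is an added example, not Nmap's or Zenmap's own code: it implements the scheme as the entry describes it (arguments containing whitespace are wrapped in double quotes; double quotes and backslashes are escaped with a backslash) and the inverse parser that recovers the argument vector from the `args` attribute. Quoting an empty argument as `""` is this example's own extension so the round trip stays lossless; the exact escaping rules of a given Nmap build should be checked against its output.

```python
"""Round-trip a command-line argument vector through a quoted string.

Added example, not Nmap's code. The quoting rules are the ones described in
the changelog entry; treating an empty argument as "" is an assumption made
here so that join/split are exact inverses.
"""


def quote_arg(arg):
    """Escape backslashes and double quotes; wrap in quotes when whitespace is present."""
    needs_quotes = (arg == "") or any(ch.isspace() for ch in arg)
    escaped = arg.replace("\\", "\\\\").replace('"', '\\"')
    return '"%s"' % escaped if needs_quotes else escaped


def join_quoted(argv):
    """Serialize argv the way an /nmaprun/@args attribute would carry it."""
    return " ".join(quote_arg(a) for a in argv)


def split_quoted(line):
    """Inverse of join_quoted: recover the argument vector from the quoted string."""
    argv = []
    cur = []
    in_quotes = False
    have_arg = False  # a bare "" is still an (empty) argument
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            # backslash escapes the next character, inside or outside quotes
            cur.append(line[i + 1])
            have_arg = True
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
            have_arg = True
        elif ch.isspace() and not in_quotes:
            if have_arg:
                argv.append("".join(cur))
                cur = []
                have_arg = False
        else:
            cur.append(ch)
            have_arg = True
        i += 1
    if in_quotes:
        raise ValueError("unterminated quote in: %r" % (line,))
    if have_arg:
        argv.append("".join(cur))
    return argv


if __name__ == "__main__":
    # Constructed sample command line with whitespace, quotes and a backslash.
    sample = ["nmap", "-oX", "out file.xml", "--script-args",
              'http.useragent=Mozilla 5.0 "x"', "C:\\tools", "scanme.nmap.org"]
    print(join_quoted(sample))
    print(split_quoted(join_quoted(sample)) == sample)
```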
- Added a service detection probe for master servers of Quake 3 and related games. [Toni Ruottu]
- [Zenmap] Updated French translation. [Henri Doreau]
- [Zenmap] Fixed a crash when printing a scan that had no output (like a scan made by command-line Nmap). Henri Doreau noticed the error. [David]
Nmap 5.35DC1 [2010-07-16]
- [NSE] Added 17 scripts, bringing the total to 131! They are described individually in the CHANGELOG, but here is the list of new ones: afp-serverinfo, db2-brute, dns-cache-snoop, dns-fuzz, ftp-libopie, http-php-version, irc-unrealircd-backdoor, ms-sql-brute, ms-sql-config, ms-sql-empty-password, ms-sql-hasdbaccess, ms-sql-query, ms-sql-tables, ms-sql-xp-cmdshell, nfs-ls, ntp-monlist. Learn more about any of these at: https://nmap.org/nsedoc/
- Performed a major OS detection integration run. The database has grown to 2,608 fingerprints (an increase of 262) and many of the existing fingerprints were improved. These include the Apple iPad and Cisco IOS 15.X devices. We also received many fingerprints for ancient Microsoft systems including MS-DOS with MS Networking Client 3.0, Windows 3.1, and Windows NT 3.1. David posted highlights of his integration work at http://seclists.org/nmap-dev/2010/q2/283.
- Performed a large version detection integration run. The number of signatures has grown to 6,622 (an increase of 279). New signatures include a remote administrative backdoor that a school famously used to spy on its students, an open source digital currency scheme named Bitcoin, and game servers for EVE Online, l2emurt Lineage II, and Frozen Bubble. You can read David's highlights at http://seclists.org/nmap-dev/2010/q2/385.
- [NSE] Added nfs-ls.nse, which lists NFS exported files and their attributes. The nfs-acls and nfs-dirlist scripts were deleted because all their features are supported by this script. [Djalal]
- [NSE] Add new DB2 library and two scripts:
  - db2-brute.nse uses the unpwdb library to guess credentials for DB2
  - db2-info.nse re-write of Tom Sellers' script to use the new library
- [NSE] Added a library for Microsoft SQL Server and 7 new scripts. The new scripts are:
  - ms-sql-brute.nse uses the unpwdb library to guess credentials for MSSQL
  - ms-sql-config retrieves various configuration details from the server
  - ms-sql-empty-password checks if the sa account has an empty password
  - ms-sql-hasdbaccess lists database access per user
  - ms-sql-query adds support for running custom queries against the database
  - ms-sql-tables lists databases, tables, columns and datatypes with optional keyword filtering
  - ms-sql-xp-cmdshell adds support for OS command execution to privileged users
- [NSE] Added the afp-serverinfo script that gets a hostname, IP addresses, and other configuration information from an AFP server. The script, and a patch to the afp library, were contributed by Andrew Orr and subsequently enhanced by Patrik and David.
- [NSE] Added additional vulnerability checks to smb-check-vulns.nse: The Windows RAS RPC service vulnerability MS06-025 (http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx) and the Windows DNS Server RPC vuln MS07-029 (http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx). Note that these are only run if you specify the "unsafe" script arg because the implemented test crashes vulnerable services. [Drazen]
- [NSE] Added dns-cache-snoop.nse by Eugene Alexeev. This script performs cache snooping by either sending non-recursive queries or by measuring response times.
- [Zenmap] Added the ability to print Nmap output to a printer. [David]
- [Nmap, Ncat, Nping] The default unit for time specifications is now seconds, not milliseconds, and times may have a decimal point. 1000 now means 1000 seconds, or about 17 minutes, not 1000 milliseconds. Floating point values such as 1.5 are now allowed. This affects the following options:
  Nmap: --host-timeout --max-rtt-timeout --min-rtt-timeout --initial-rtt-timeout --scan-delay --max-scan-delay --stats-every
  Ncat: -d --delay -i --idle-timeout -w --wait
  Nping: --delay --host-timeout --icmp-orig-time --icmp-recv-time --icmp-trans-time
  Some sanity checks have been added to catch what looks like an attempt to use the old millisecond defaults. For example, --host-timeout 10000 yields
    Since April 2010, the default unit for --host-timeout is seconds, so your time of "10000" is 2.8 hours. If this is what you want, use "10000s".
    QUITTING!
  You can always disable the warning by giving an explicit unit.
- [NSE] Scripts which take an argument for a time duration can now have the duration be a number followed by a unit, like elsewhere in Nmap. An example is "10m" for 10 minutes. The units understood are "ms" for milliseconds, "s" for seconds, "m" for minutes, and "h" for hours. Seconds are the default if no unit is specified. The new function stdnse.parse_timespec does the parsing of these formats. The qscan.delay script argument, which formerly interpreted its argument as being in milliseconds, now defaults to seconds; append "ms" to continue using the same numbers. [David]
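The two entries above describe one parsing rule (a number, optionally fractional, followed by an optional unit, seconds by default) plus a sanity check for values that look like the old millisecond convention. This added example, which is neither Nmap's C++ option parser nor NSE's stdnse.parse_timespec, implements both so the behaviour can be exercised offline. The threshold `SUSPICIOUS_SECONDS` and the option-check wrapper `check_timeout_option` are this example's assumptions about how the warning is triggered; the message text follows the one quoted in the entry.

```python
"""Parse Nmap-style time specifications ("10m", "1.5", "250ms") into seconds.

Added example, not Nmap's own code. SUSPICIOUS_SECONDS and the shape of
check_timeout_option are assumptions made for illustration.
"""
import re

# Unit suffix -> multiplier to seconds. Seconds apply when no unit is given.
UNITS = {"ms": 0.001, "s": 1.0, "m": 60.0, "h": 3600.0}

# integer or decimal number, optional whitespace, optional unit
_TIMESPEC_RE = re.compile(r"^\s*(\d+(?:\.\d+)?|\.\d+)\s*(ms|s|m|h)?\s*$")

# Assumption: an explicit-unit-less value of an hour or more is likely a
# leftover from the milliseconds era and deserves the warning.
SUSPICIOUS_SECONDS = 3600.0


def parse_timespec(spec):
    """Return the duration as floating-point seconds; raise ValueError if malformed."""
    m = _TIMESPEC_RE.match(spec)
    if not m:
        raise ValueError("invalid time specification: %r" % (spec,))
    value, unit = m.group(1), (m.group(2) or "s")
    return float(value) * UNITS[unit]


def check_timeout_option(option, spec):
    """Mimic the command-line sanity check.

    Returns (seconds, warning). warning is None when the value is small or
    carries an explicit unit; otherwise it is the message a user would see.
    """
    seconds = parse_timespec(spec)
    has_unit = _TIMESPEC_RE.match(spec).group(2) is not None
    if has_unit or seconds < SUSPICIOUS_SECONDS:
        return seconds, None
    hours = seconds / 3600.0
    warning = ('Since April 2010, the default unit for %s is seconds, so your '
               'time of "%s" is %.1f hours. If this is what you want, use "%ss".'
               % (option, spec, hours, spec))
    return seconds, warning


if __name__ == "__main__":
    for spec in ("10m", "1.5", "250ms", "2h"):
        print(spec, "->", parse_timespec(spec), "s")
    print(check_timeout_option("--host-timeout", "10000")[1])
```

Script authors porting a script argument such as qscan.delay can see the effect directly: `parse_timespec("100")` is now 100 seconds, and the old numbers are kept by passing `"100ms"`.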
- [NSE] Added irc-unrealircd-backdoor.nse, which detects a backdoor that was in UnrealIRCd source code distributions between November 2009 and June 2010. See http://seclists.org/nmap-dev/2010/q2/826. [Vlatko Kosturjak, Ron, David]
- Ports are now considered open during a SYN scan if a SYN packet (without the ACK flag) is received in response. This can be due to an extremely rare TCP feature known as a simultaneous open or split handshake connection. See http://bit.ly/tcp-sh and http://seclists.org/nmap-dev/2010/q2/723. [Jah]
- [Ncat] In listen mode, the --exec and --sh-exec options now accept a single connection and then exit, just like in normal listen mode. Use the --keep-open option to get the old default inetd-like behavior. This was suggested by David Millis. [David]
- [NSE] Added ftp-libopie.nse by Gutek. This script checks for an off-by-one stack overflow vulnerability in libopie by giving the FTP service an overly long name. See http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc for details.
- [NSE] Added ntp-monlist.nse which discovers NTP server, peer and client hosts associated with a scanned target by sending NTPv2 Private Mode 'monitor' and 'peers' commands to the target. [Jah]
- [NSE] Added http-php-version.nse from Gutek. This script retrieves version-specific pages through a couple of magic PHP queries, which can identify the PHP version even when a server doesn't advertise it.
- [NSE] New script dns-fuzz launches a fuzzing attack against DNS servers. Added a new category - fuzzer - for scripts like this. [Michael Pattrick]
- David made many improvements to the NSEDoc for individual scripts, including adding @output sections to scripts which didn't have them. He also improved the generated HTML with features like auto-generating usage strings if the scripts don't include their own and allowing the giant sidebar lists of scripts/libraries to expand and contract. See https://nmap.org/nsedoc/.
- UDP payloads are now stored in an external data file, nmap-payloads, instead of being hard-coded in the executable. This makes it easier to add your own payloads or disable those you find problematic. [Jay Fink, David]
- The Windows executable installer now uses LZMA compression instead of zlib, making it about 15% smaller. See http://seclists.org/nmap-dev/2010/q2/1011 for test results. [David]
- Open XML elements are now closed in case of a fatal error, so the output should at least be well-formed. There are new attributes "exit" and "errormsg" in the finished element. "exit" is "success" or "error". When it is "error", the "errormsg" attribute contains the error message. Thanks to Grant Bartlett, who found a typo in the new output. [David]
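Downstream tooling (Zenmap, scan-diffing scripts, SIEM importers) breaks on truncated XML, which is why closing open elements on a fatal error matters. The following is an added example and not Nmap's output code: a minimal writer that tracks the open-element stack, and a run wrapper that, when the scan body raises, unwinds the stack to the root and emits a `finished` element carrying `exit="error"` and `errormsg` in the style the entry describes. The element names inside the fake scan body and the error text are constructed for the example; only `nmaprun`, `runstats`, `finished`, `exit` and `errormsg` follow the entry.

```python
"""Keep XML output well-formed when a fatal error aborts a run.

Added example, not Nmap's own code. The scan body, its element names and
the error message are constructed; the finished/exit/errormsg shape follows
the changelog entry.
"""
from xml.sax import saxutils
from xml.dom import minidom  # used only to prove the result parses


class XmlWriter:
    """Tiny streaming writer that remembers which elements are still open."""

    def __init__(self):
        self.parts = ['<?xml version="1.0"?>\n']
        self.stack = []

    @staticmethod
    def _attrs(attrs):
        # quoteattr escapes quotes, <, > and & so arbitrary error text is safe
        return "".join(" %s=%s" % (k, saxutils.quoteattr(str(v))) for k, v in attrs.items())

    def open(self, name, **attrs):
        self.parts.append("<%s%s>" % (name, self._attrs(attrs)))
        self.stack.append(name)

    def empty(self, name, **attrs):
        self.parts.append("<%s%s/>" % (name, self._attrs(attrs)))

    def close(self):
        self.parts.append("</%s>" % self.stack.pop())

    def close_to_depth(self, depth):
        """Close everything opened below the given stack depth."""
        while len(self.stack) > depth:
            self.close()

    def getvalue(self):
        return "".join(self.parts)


def run(scan_body):
    """Run scan_body(writer) inside <nmaprun>; always end with a finished element."""
    w = XmlWriter()
    w.open("nmaprun", scanner="nmap")
    try:
        scan_body(w)
        exit_status, errmsg = "success", None
    except Exception as e:  # fatal error: unwind to the root, record the message
        w.close_to_depth(1)
        exit_status, errmsg = "error", str(e)
    w.open("runstats")
    if errmsg is None:
        w.empty("finished", exit=exit_status)
    else:
        w.empty("finished", exit=exit_status, errormsg=errmsg)
    w.close()  # runstats
    w.close()  # nmaprun
    return w.getvalue()


def crashing_scan(w):
    """Constructed scan body that dies with <host> and <ports> still open."""
    w.open("host")
    w.open("ports")
    w.empty("port", protocol="tcp", portid="80")
    raise RuntimeError("Unexpected error in NSE_TYPE_READ callback")  # constructed


def finished_attrs(xml_text):
    """Parse the document (raising if malformed) and return finished's attributes."""
    doc = minidom.parseString(xml_text)
    fin = doc.getElementsByTagName("finished")[0]
    return dict(fin.attributes.items())


if __name__ == "__main__":
    print(run(crashing_scan))
```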
- Fixed name resolution in environments where gethostbyname can return IPv6 (or other non-IPv4) addresses. In such an environment, Nmap would wrongly use the first four bytes of the IPv6 address as an IPv4 address. You could force this, at least on Debian, by adding the line "options inet6" to /etc/resolv.conf or by running with RES_OPTIONS=inet6 in the environment. This was reported by Mats Erik Andersson, who also suggested the fix. [David]
- Fixed the assignment of interface aliases to directly connected routes on Linux, which was broken in 5.30BETA1 (it always assigned the base interface instead of the alias). This was visible in the host.interface variable passed to NSE scripts. The bug was reported by Victor Rudnev. [David]
- When Nmap is passed a hostname such as google.com which resolves to several IP addresses, Nmap now prints each IP address. It still only scans the first one in the returned list. [David]
- Nmap now works if you specify several target host names which resolve to the same IP address. This can be useful when you are scanning virtual-hosted web servers and want to see NSE results specific to each site name even though they reside on the same machine. [David]
- Made a list of current Nmap SVN committers: https://svn.nmap.org/nmap/docs/committers.txt
- Added a new library, libnetutil, which contains about 2,700 lines of networking related code which is now shared between Nmap and Nping (it was previously duplicated by each tool). [Luis, David]
- [NSE] http-passwd.nse now also checks for boot.ini to support Windows targets. [Gutek]
- Removed --interactive mode, a miniature shell whose primary purpose was to hide command line arguments from the process list. It had been broken (would segfault during the second scan) for at least 9 months and was rarely used. The fact that it was broken was reported by Juan Carlos Castro. [David]
- Added a version probe, match line, and UDP payload for the serialnumberd service of Mac OS X Server. This service overrides firewall settings to make itself visible, so it's useful for host discovery. [Patrik]
- Improved service detection match lines for:
  - Oracle Enterprise Manager Agent and mupdate by Matt Selsky
  - Twisted web server, Apple Filing Protocol, Apple Mac OS X Password Server, XAVi XG6546p Wireless Gateway, Sun GlassFish Communications Server, and Comdasys, SIParator and Glassfish SIP by Patrik
  - PostgreSQL, Cisco Site Selector ftpd, and LanSafe UPS monitoring HTTPd by Tom Sellers
- Improved our brute force password guessing list by mixing in some data sent in by Solar Designer of John the Ripper fame.
- [Zenmap] IP addresses are now sorted by octet rather than their string representation. For example, 10.1.1.2 is now sorted before 10.1.1.10. This problem was reported by Norris Carden. [David]
- [NSE] Added UDP header parsing support to packet.lua. [jah]
- Fixed a bug in Libpcap which led to Nmap hanging forever in some cases on 64-bit Mac OS X 10.6, 10.6.1, and 10.6.3. The fix was actually already available in upstream Libpcap, just not released. We also had to make Nmap build with its own Libpcap on 64-bit OS X if an already-installed system Libpcap has this bug. [David]
- Updated our WinPcap to the new 4.1.2 release. [Rob Nicholls]
- [NSE] Fixed a bug in qscan.nse which gave an error if a confidence level of 0.9995 was used. Thanks to Marcin Hoffmann for noticing the problem. [Kris]
- [libpcap] Added a --disable-packet-ring option to force the use of an older, slower packet capture mechanism on Linux. Before Linux 2.6.27, the packet ring mechanism uses different-sized kernel structures on 32- and 64-bit architectures, so a 32-bit program will not run correctly on a 64-bit kernel. The older mechanism does not have this flaw.
- Fixed some errors in nmap-os-db, probably caused by incorrect string replacement during integration. This patch is from James Cook.
- [Nsock, Ncat] Nsock has a new function, nsp_setbroadcast, that allows setting the SO_BROADCAST option on sockets. Ncat now sets this option unconditionally in connect mode to allow connections to broadcast addresses (useful in UDP mode). [Daniel Miller]
- Nmap now works with "teamed" network interfaces on Windows. In order to distinguish the interfaces, their textual descriptions are now compared in addition to their MAC addresses. Without this, Nmap would send on the wrong interface and not receive any replies. A symptom of this problem was all scans failing except when --unprivileged was used. Norris Carden reported this bug. [David]
- [Ncat] When receiving a connection/datagram in listen mode, Ncat now prints the connecting source port along with the IP address (when verbosity is enabled). [Rebellis]
- Fixed a problem where the time variable used in some port scanning algorithms (for probe timeouts, etc.) could vary based on the debugging level. [Kris]
- Moved the parse_long function from ncat to nbase for better reuse, and used it to simplify netmask parsing code. [William Pursell]
- Added EPROTO to the list of known error codes in service scan. Daniel Miller reported that an EPROTO was causing Nmap to exit after sending the Sqlping probe during service scan. The error message was "Unexpected error in NSE_TYPE_READ callback. Error code: 71 (Protocol error)". We suspect this was caused by a forged ICMP packet sent by an active firewall. [David]
- [NSE] Improved smtp-commands.nse to work against more mail servers, made it take an smtp-commands.domain script argument, and rewrote it in the style of other smtp scripts. [Jasey DePriest]
- [NSE] Made smtp-commands run for the services smtp, smtps, and submission rather than just smtp. The other smtp scripts already do this. [David]
- [NSE] The dns-recursion script now marks the port as open when it gets a response. [Olivier M]
- [Nping] A big correctness and code cleanliness audit was performed which resulted in many bugs being fixed and much more code being shared with Nmap rather than duplicated. A structured testing script system was also created. [Luis, David]
- [Nping] Now allows a --count value of zero to run almost indefinitely (2^32 rounds). Suggested by Andreas Hubert. [Luis]
- [Nping] Fixed --data argument parsing. The value passed was not actually making it into outgoing packets. Reported by Tim Poth. [Luis]
- [Nping] When a RST packet is received in response to a connection attempt in TCP-Connect mode, Nping now properly prints "Connection refused" rather than "Operation now in progress". [Luis]
- [Nping] Fixed a bug which caused failure when the first supplied target was not resolvable (e.g.: nping bogushost.fkz scanme.insecure.com tcpdump.com). [Luis]
- [Nping] Fixed some bugs in the BPF filter creation to avoid capture and printing of packets Nping sent or which are destined for another process. [Luis]
- [Nping] Fixed a bug which prevented ARP replies from being displayed properly. [Luis]
- [Nping] Fixed a bug that caused ICMP Router Advertisement entries to be set in host byte order rather than proper network byte order. [Luis]
- [Nping] Fixed a segfault caused by bad --data values. [Greg Skoczek]
- The Mac OS X installer is now built with MacPorts 1.9.1 rather than 1.8.2. Among other changes, this fixes a segmentation fault reported by some OS X 10.6.3 users.
- Nsock now supports an option to remove its Pcap support. This allows the same Nsock to be shared with Nmap (which needs that support) and Ncrack (which doesn't). Pcap support can be disabled by specifying --disable-pcap at configure time on UNIX, or by selecting the DebugNoPcap or ReleaseNoPcap configurations in Visual C++ on Windows.
- Sped up compilation by not building both shared and static libdnet libraries--we only use the static one. [David]
- [NSE] Improved error handling and reporting and re-designed communication class in RPC library with patch from Djalal Harouni. [Patrik]
- Upgraded the included libpcap to version 1.1.1. [David]
- [NSE] Add some special-use IPv4 addresses to isPrivate which are described in RFC 5736 and RFC 5737, published in Jan 2010. Improve performance of isPrivate for IPv4 addresses by using ip_in_range less frequently. Add an extra return value to isPrivate - when the first return value is true, the second return value will now be a string representing the special use assignment in which the supplied address is located. [jah]
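The two-value interface above (a boolean plus the name of the special-use assignment) is handy in reporting code that wants to flag documentation or reserved addresses that show up in logs or target lists. This added example is not NSE's ipOps.isPrivate; it mirrors that interface in Python on the standard ipaddress module. The range table covers RFC 1918 private space and the RFC 5736/5737 assignments named in the entry, and the descriptive labels are this example's own wording.

```python
"""Classify IPv4 addresses against private and special-use ranges.

Added example, not NSE's ipOps.isPrivate. The labels in SPECIAL_USE are
constructed for this example; the networks are the RFC 1918, RFC 5736 and
RFC 5737 assignments.
"""
import ipaddress

# (network, label) in the order they are checked.
SPECIAL_USE = [
    ("10.0.0.0/8",      "RFC 1918 private"),
    ("172.16.0.0/12",   "RFC 1918 private"),
    ("192.168.0.0/16",  "RFC 1918 private"),
    ("192.0.0.0/24",    "RFC 5736 IETF protocol assignments"),
    ("192.0.2.0/24",    "RFC 5737 TEST-NET-1"),
    ("198.51.100.0/24", "RFC 5737 TEST-NET-2"),
    ("203.0.113.0/24",  "RFC 5737 TEST-NET-3"),
]
_NETWORKS = [(ipaddress.ip_network(cidr), label) for cidr, label in SPECIAL_USE]


def is_private(addr):
    """Return (True, label) when addr lies in a listed range, else (False, None).

    Mirrors the two return values described for isPrivate; IPv4 only here.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("this example classifies IPv4 addresses only: %r" % (addr,))
    for net, label in _NETWORKS:
        if ip in net:
            return True, label
    return False, None


def annotate(addrs):
    """Pair each address with its special-use label (None for routable space).

    Useful when reviewing scan results or log data for addresses that should
    never appear on the public Internet.
    """
    return [(a, is_private(a)[1]) for a in addrs]


if __name__ == "__main__":
    # Constructed sample: one documentation address, one protocol-assignment
    # address, one private address and one routable address.
    for addr, label in annotate(["192.0.2.10", "192.0.0.9", "10.3.4.5", "8.8.8.8"]):
        print(addr, "->", label)
```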
- Fix compilation on OpenSolaris. We had to make the libdnet autoconfcheck for PF_PACKET Linux-specific. Recent versions of OpenSolarissupport PF_PACKET, but not in a way which is entirely compatiblewith the Linux approach. This problem was reported by Darren Reed. Afew other minor compatibility changes were made as well. [David]
- [NSE]Added script arguments "username" and "password" toftp-bounceto override the default anonymous:IEUser@ login combination. [Kris]
- [NSE]Added port number sorting todns-service-discovery.nse. [Patrik]
- [NSE]Added an snmpWalk() function to the SNMP library and updatedscripts to use it. [Patrik]
- [NSE]Fixed thisdns.lua error reported by Eugene Alexeev:nselib/dns.lua:110: attempt to get length of field 'dtype' (a number value)[Jah]
- Updated nmap-mac-prefixes to the latest IEEE data as of 2010-07-13.
- Updated IANA IP address space assignment list for random IP (-iR)generation. [Kris]
- Created a new directory for storing todo lists for Nmap and relatedprojects. You can see what we're working on and planning byvisitinghttps://nmap.org/svn/todo/.
- [NSE]Removed explicit time limit checking fromms-sql-brute,pgsql-brute,mysql-brute,ldap-brute, andafp-brute. Theunpwdblibrary does this automatically now. [David]
- [NSE]Correct global access errors inafp.lua reported by Patrick Donnelly[Patrik]
- [NSE]Correct misspelled "Capabilities.IgnoreSpaceBeforeParanthesis"name in the MySQL library. [Kris]
- Cleaned up our Winpcap header file directory, and also updated tothe latest files from the official developer pack(WpdPack_4_1_1.zip). [Fyodor]
- [NSE]Fixed a bug which would preventrpcinfo.nse from returning anyresults for RPC programs which could not be matched to aname. [Patrik]
- [NSE]Theftp-anon script is now much smarter about parsing serverresponses and detecting successful (or not) logins. It now knowshow to send the ACCT command where appropriate as well. [RobNicholls]
- Normalized a bunch of version detection entries with "webserver" inthe description. In most cases this was changed to "httpd".
- [Ncat]Fixed the --crlf option not to insert an extra \r byte in thecase that one system read ends with \r and the next begins with \n(should be rare). [David]
- [NSE]Fixed bug inrpc.lua library that incorrectly required file handlesto be 32 octets when calling the ReadDir function. The bug was reported byDjalal Harouni. [Patrik]
Nmap 5.30BETA1 [2010-03-29]§
- [NSE]Added 37 scripts, bringing the total to 117! They aredescribed individually in the CHANGELOG, but here is the list of newones:afp-bruteafp-path-vulnafp-showmountcouchdb-databasescouchdb-statsdaap-get-librarydb2-das-infodns-service-discoveryhttp-methodshttp-vmware-path-vulnipidseqjdwp-versionldap-bruteldap-rootdseldap-searchlexmark-configmongodb-databasesmongodb-infomysql-brutemysql-databasesmysql-empty-passwordmysql-usersmysql-variables nfs-acls nfs-dirlistnfs-statfspgsql-bruteqscansmtp-enum-userssnmp-interfacessnmp-netstatsnmp-processessnmp-win32-servicessnmp-win32-sharessnmp-win32-softwaresnmp-win32-usersssl-enum-ciphers.Learn more about any of these at:https://nmap.org/nsedoc/
- [NSE]New scriptafp-path-vuln detects and can exploit a major MacOS X AFP directory traversal vulnerability (CVE-2010-0533)discovered by Nmap developer Patrik Karlsson. Seehttps://nmap.org/nsedoc/scripts/afp-path-vuln.html andhttp://bit.ly/nmapafp.
- An ALPHA TEST VERSION of Nping, a packet generator written by LuisMartinGarcia and Fyodor last summer, is now included in the Nmapdistribution. While it works, we consider the application unfinishedand we hope to improve it greatly as a Summer of Code project thissummer and then do an official release. Seehttps://nmap.org/nping/.
- [NSE]Added RPC library and three new NFS scripts. Modified therpcinfo andnfs-showmount scripts to use the new library. The newscripts are:
- nfs-acls shows the owner and directory mode of NFS exports(https://nmap.org/nsedoc/scripts/nfs-acls.html).
- nfs-dirlist lists the contents of NFS exports(https://nmap.org/nsedoc/scripts/nfs-dirlist.html)
- nfs-statfs shows file system statistics for NFS exports(https://nmap.org/nsedoc/scripts/nfs-statfs.html).
- [NSE]Added the newdns-service-discovery script which uses DNS-SDto identify services. DNS-SD is one part of automatic configurationtechnologies known by names such as Bonjour, Rendezvous, andZeroconf. This one script can provide as much information as a fullport scan in some cases. Seehttps://nmap.org/nsedoc/scripts/dns-service-discovery.html . [PatrikKarlsson]
- [NSE]New scriptafp-brute for brute force authentication attemptsagainst the Apple AFP filesharing protocol. Seehttps://nmap.org/nsedoc/scripts/afp-brute.html . [Patrik]
- [NSE]Added a new scriptafp-showmount which displays Apple AFPshares and their permissions. Seehttps://nmap.org/nsedoc/scripts/afp-showmount.html . [Patrik]
- [NSE]Added theqscan script to repeatedly probe ports on a host togather round-trip times for each port. The script then uses thesetimes to group together ports with statistically equivalent roundtrip times. Ports in different groups could be the result of thingssuch as port forwarding to hosts behind a NAT. It is based on workby Doug Hoyte. This script also utilizes the new NSE raw IP sendingfunctionality. Seehttps://nmap.org/nsedoc/scripts/qscan.html . [Kris]
- [NSE]Added a new script,db2-das-info.nse, that connects to the IBMDB2 Administration Server (DAS) exports the server profile. Noauthentication is required for this request. The script will alsoset the port product and version if a version scan is requested. Seehttps://nmap.org/nsedoc/scripts/db2-das-info.html . [Patrik Karlsson,Tom Sellers]
- [NSE]Added a new library for ASN.1 parsing and adapted the SNMPlibrary to make use of it. Added 5 SNMP scripts that use the newlibraries:
- snmp-netstat shows listening and connectedsockets (https://nmap.org/nsedoc/scripts/snmp-netstat.html).
- snmp-processes shows process information including name, pid, path& parameters (https://nmap.org/nsedoc/scripts/snmp-processes.html).
- snmp-win32-services shows the names of running Windows services(https://nmap.org/nsedoc/scripts/snmp-win32-services.html).
- snmp-win32-shares shows the names and path of Windows shares(https://nmap.org/nsedoc/scripts/snmp-win32-shares.html).
- snmp-win32-software shows a list of installed Windows software(https://nmap.org/nsedoc/scripts/snmp-win32-software.html).
- snmp-win32-users shows a list of local Windows users(https://nmap.org/nsedoc/scripts/snmp-win32-users.html).
- [NSE]Added thesnmp-interfaces script by Thomas Buchanan, whichenumerates network interfaces over SNMP. Seehttps://nmap.org/nsedoc/scripts/snmp-interfaces.html .
- [NSE]Addedhttp-vmware-path-vuln.nse, which checks for a criticaland easy to exploit path-traversal vulnerability in VMWare(CVE-2009-3733). Seehttps://nmap.org/nsedoc/scripts/http-vmware-path-vuln.html . [Ron]
- [NSE]Added a new library for LDAP and three new scripts by Patrik:
- ldap-brute uses theunpwdb library to guess credentials for LDAP(https://nmap.org/nsedoc/scripts/ldap-brute.html).
- ldap-rootdse retrieves the LDAP root DSA-specific Entry (DSE)(https://nmap.org/nsedoc/scripts/ldap-rootdse.html).
- ldap-search queries a LDAP directory for eitherall, or a number of pre-defined object types(https://nmap.org/nsedoc/scripts/ldap-search.html).
- [NSE]Added a new library for PostgreSQL and the scriptpgsql-brutethat uses it to guess credentials. Seehttps://nmap.org/nsedoc/scripts/pgsql-brute.html . [Patrik]
- [NSE]Added 5 new MySQL NSE scripts and a MySQL library by Patrik Karlsson:
- mysql-brute uses theunpwdb library to guess credentials for MySQL(https://nmap.org/nsedoc/scripts/mysql-brute.html).
- mysql-databases queries MySQL for a list of databases(https://nmap.org/nsedoc/scripts/mysql-databases.html).
- mysql-empty-password attempts to authenticate anonymously or asroot with an empty password(https://nmap.org/nsedoc/scripts/mysql-empty-password.html).
- mysql-users queries MySQL for a list of database users(https://nmap.org/nsedoc/scripts/mysql-users.html).
- mysql-variables queries MySQL for its variables and theirsettings (https://nmap.org/nsedoc/scripts/mysql-variables.html).
- Improved the passwords.lst database used by NSE by combining severalleaked password databases collected by Ron Bowes. The size of thedatabase has been increased from 200 to 5000.
- Zenmap's "slow comprehensive scan profile" has been modified to usethe best 7-probe host discovery combination we were able to find inextensive empirical testing(http://www.bamsoftware.com/wiki/nmap/EffectivenessOfPingProbes).That combination is "-PE -PP -PS21,22,23,25,80,113,31339-PA80,113,443,10042 -PO". [David]
- Switched to -Pn and -sn as the preferred syntax for skipping ping scan and skipping port scan, respectively. Previously the -PN and -sP options were recommended. This establishes a more regular syntax for some options that disable phases of a scan:
  - -n   no reverse DNS
  - -Pn  no host discovery
  - -sn  no port scan
- [NSE] Added the ipidseq script to classify a host's IP ID sequence numbers in the same way Nmap does. This can be used to test hosts' suitability for Nmap's Idle Scan (-sI), i.e. check if a host is an idle zombie. This is the first script to use the new raw IP sending functionality in NSE. See https://nmap.org/nsedoc/scripts/ipidseq.html . [Kris]
- [NSE] Added the ssl-enum-ciphers script by Mak Kolybabi. It lists the ciphers and compressors supported by SSL/TLS servers. See https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html .
- [NSE] Added two new scripts for the MongoDB database from Martin Holst Swende. mongodb-info (https://nmap.org/nsedoc/scripts/mongodb-info.html) gets information like the version number, memory use, and operating system, while mongodb-databases (https://nmap.org/nsedoc/scripts/mongodb-databases.html) lists the databases and their size on disk.
- [NSE] Added the scripts couchdb-databases and couchdb-stats, which list CouchDB databases and show access statistics, and a new json.lua library they depend on. See https://nmap.org/nsedoc/scripts/couchdb-databases.html and https://nmap.org/nsedoc/scripts/couchdb-stats.html [Martin Holst Swende]
- [NSE] Added the new lexmark-config script that lists product information and configuration for Lexmark printers. See https://nmap.org/nsedoc/scripts/lexmark-config.html . [Patrik Karlsson]
- [NSE] Added the new daap-get-library script which uses the Digital Audio Access Protocol to enumerate the contents of a library. The contents contain the name of the artist, album and song. See https://nmap.org/nsedoc/scripts/daap-get-library.html . [Patrik]
- [NSE] Added jdwp-version.nse, a script by Michael Schierl that finds the version of a Java Debug Wire Protocol server. This is a dangerous service to find running as it does not provide any security against malicious attackers who can inject their own bytecode into the debugged process. See https://nmap.org/nsedoc/scripts/jdwp-version.html .
- [NSE] Added the smtp-enum-users script from Duarte Silva, which attempts to find user account names over SMTP by brute force testing using RCPT, VRFY, and EXPN tests.
- [NSE] The unpwdb library now has a default time limit on the usernames and passwords iterators. This will prevent brute force scripts from running for a long time when a service is slow. These new script arguments control the limits:
  - unpwdb.userlimit  Limit on number of usernames.
  - unpwdb.passlimit  Limit on number of passwords.
  - unpwdb.timelimit  Time limit in seconds.
- When --open is used, Nmap no longer prints output for hosts which don't have any open ports. All output formats are treated the same way, so if a host isn't shown in normal output, it won't be shown in XML output either.
- [NSE] Added the script http-methods from Bernd Stroessenreuther. This script sends an HTTP OPTIONS request to get the methods supported by the server, highlights potentially risky methods, and optionally tests each method to see if they are restricted by IP address or something similar. See https://nmap.org/nsedoc/scripts/http-methods.html .
- The -v and -d options are now handled in the same way. These three forms are equivalent:
    -v -v -v    -vvv    -v3
    -d -d -d    -ddd    -d3
  Formerly, the -ddd and -v3 forms didn't work. Mak Kolybabi submitted a patch.
- Fixed a libpcap compilation error on Solaris. This was actually fixed in libpcap's source control back in 2008, but they haven't made a release since then :(. They still seem to be actively developing though, so let's hope for a release soon. Solaris compilation fixes were made to Ncat and Nping as well.
- Zenmap now lets you save scan results in normal Nmap text output format or (as before) as XML. The XML format still has the text version embedded inside it, and is still the only format Zenmap can load again. The "Save to Directory" mode for saving multiple aggregated scans at once still always saves XML results. [David]
- Fixed the packaging of x64 versions of WinPcap drivers in the winpcap-nmap installer to ensure that 64-bit applications (such as 64-bit Wireshark) work properly. [Rob Nicholls]
- Fixed the Idle Scan (-sI) so that scanning multiple hosts doesn't retest the zombie proxy and reinitialize all of the associated data at the beginning of each run. [Kris]
- [NSE] Raw packet sending at the IP layer is now supported, in addition to the existing Ethernet sending functionality. Packets to send start with an IPv4 header and can be sent to arbitrary hosts. For details, see https://nmap.org/book/nse-api.html#nse-api-networkio-raw [Kris]
- Added version detection match line for the Arucer backdoor, which was found packaged with drivers for the Energizer USB recharger product (see http://www.kb.cert.org/vuls/id/154421). [Ron]
- Fixed --resume to work again despite our recent changes to the Nmap output format. [jlanthea]
- [Zenmap] Localized most of the remaining strings in the GUI interface which were English-only. The actual textual Nmap results are still in English, since they come from Nmap itself, but the GUI is now almost fully localized. [David]
- [Zenmap] Updated the localization files for the French translation. [Gutek]
- [Zenmap] Fixed an interface bug which could cause hostnames with underscores like "host_a" to be rendered like "hosta" with the "a" underlined. Thanks to Toralf F. for the report, and David for the fix.
- Nmap now honors routing table entries that override interface addresses and netmasks. For example, with this configuration:
    ************************INTERFACES************************
    DEV  (SHORT) IP/MASK         TYPE     UP MAC
    eth0 (eth0)  192.168.0.21/24 ethernet up 00:00:00:00:00:00

    **************************ROUTES**************************
    DST/MASK       DEV  GATEWAY
    192.168.0.3/32 eth0 192.168.0.1
    192.168.0.0/24 eth0
  Nmap will not consider 192.168.0.3 directly connected through eth0, even though it matches the interface's netmask. It won't try to ARP ping 192.168.0.3, but will route traffic through 192.168.0.1.
- [Ncat] The HTTP proxy server now accepts client connections over SSL. That means connections to the proxy can be encrypted and authenticated. We haven't found any HTTP clients that directly support SSL connections to proxies, but you can use Ncat as a tunnel to an SSL-supporting Ncat proxy. This new feature was implemented by Markus Klinik.
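The route-versus-interface decision from the routing-table entry above, as an added example that is not Nmap's own code: a Python model of that interface/route table in which a longest-prefix route match is honoured before the interface netmask, with the pre-change behaviour alongside for comparison. The data types, function names and the legacy comparison are assumptions made here for illustration; Nmap's real implementation is C++.

```python
# Added example (not Nmap's own code): model of the route-versus-interface
# decision described in the changelog entry. It reproduces only the rule the
# entry states: a matching routing-table entry is honoured before the interface
# netmask, so a host behind a /32 route with a gateway is not ARP-pinged.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Interface:
    dev: str
    addr: ipaddress.IPv4Interface          # address with netmask, e.g. 192.168.0.21/24


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    dev: str
    gateway: Optional[ipaddress.IPv4Address] = None   # None = directly connected


# The --iflist output quoted in the entry, transcribed as data (constructed sample).
INTERFACES: List[Interface] = [Interface("eth0", ipaddress.IPv4Interface("192.168.0.21/24"))]
ROUTES: List[Route] = [
    Route(ipaddress.IPv4Network("192.168.0.3/32"), "eth0", ipaddress.IPv4Address("192.168.0.1")),
    Route(ipaddress.IPv4Network("192.168.0.0/24"), "eth0"),
]

# (device, gateway or None, probe_with_arp)
Hop = Tuple[Optional[str], Optional[str], bool]


def lookup_route(dst: ipaddress.IPv4Address, routes: List[Route]) -> Optional[Route]:
    """Longest-prefix match over the routing table; None if nothing matches."""
    best = None
    for r in routes:
        if dst in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    return best


def next_hop(target: str, routes=ROUTES, interfaces=INTERFACES) -> Hop:
    """Decide how a target is reached, honouring routes before interface masks.

    probe_with_arp is True only when the target counts as directly connected,
    i.e. it would be ARP-pinged instead of having IP packets sent via a gateway.
    """
    dst = ipaddress.IPv4Address(target)
    r = lookup_route(dst, routes)
    if r is not None:
        gw = str(r.gateway) if r.gateway is not None else None
        return (r.dev, gw, r.gateway is None)
    for iface in interfaces:                 # no route: fall back to interface masks
        if dst in iface.addr.network:
            return (iface.dev, None, True)
    return (None, None, False)               # unreachable from this host


def legacy_next_hop(target: str, routes=ROUTES, interfaces=INTERFACES) -> Hop:
    """The behaviour the entry replaces (assumed model): an interface netmask
    match wins outright, so 192.168.0.3 is ARP-pinged despite its /32 route."""
    dst = ipaddress.IPv4Address(target)
    for iface in interfaces:
        if dst in iface.addr.network:
            return (iface.dev, None, True)
    return next_hop(target, routes, interfaces)


if __name__ == "__main__":
    for t in ("192.168.0.3", "192.168.0.5", "10.0.0.1"):
        dev, gw, arp = next_hop(t)
        print(f"{t}: dev={dev} gateway={gw} arp_ping={'yes' if arp else 'no'}")
```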
- Updated our Mac OS X build system so that our binary packages are built on Mac OS X 10.6 rather than 10.5. [David]
- Fixed reading of the interface table on NetBSD. Running nmap --iflist would report "INTERFACES: NONE FOUND(!)" and any scan done as root would fail with "WARNING: Unable to find appropriate interface for system route to...". This was first reported by Jay Fink, and had already been patched in the NetBSD pkgsrc tree. [David]
- Fixed a bug in traceroute that could happen when directly connected and routed targets were in the same hostgroup. If the first target was directly connected, the traceroute for all targets in the group would have a trace of one hop.
- ARP requests now work with libpcap Linux "cooked" encapsulation. According to http://wiki.wireshark.org/SLL, this encapsulation is used on devices "where the native link layer header isn't available or can't be used." Before this, attempting any ARP operation on such an interface would fail with the error
    read_arp_reply_pcap called on interfaces that is datatype 113 rather than DLT_EN10MB (1)
  [David]
- Fixed the display of route netmask bits in --iflist on little-endian architectures. Formerly, any mask less than /24 was shown as /0, and other masks were also wrong. [David]
- Fixed an assertion failure which could occur when connecting to an SSL server:
    nsock_core.c:199: socket_count_write_dec: Assertion `(iod->writesd_count)
  This was observed when running the http-enum script but could possibly have happened in other situations. Thanks to Brandon for reporting the bug and testing. [David]
- Added the function bignum_add to the nse_openssl library to support BIGNUM addition [Patrik]
- The redistributable Visual C++ runtime components installer (vcredist_x86.exe) has been upgraded to version 9.0.30729.4148. Axel Pettinger reported that the previous version, 9.0.30729.17, caused a Windows Update on Windows 7 because of Microsoft security advisory MS09-035.
- [Ncat] Fixed an error that could make programs run with --exec exit prematurely on Windows. The problem was related to a program writing too quickly into a non-blocking socket. A symptom was the message:
    NCAT DEBUG: Subprocess ended with exit code 259.
  Reported by David Millis. [David]
- [Ncat] Fixed a bug that prevented detection of EOF from stdin on Windows. Reported by Adrian Crenshaw and Andy Zwirko. [David]
- [Nsock] WSAEACCES was added to the list of known connect error codes. This error can happen on Windows when a port is blocked by Windows Firewall. Thanks to Taemun for reporting this and investigating.
- XML output now only includes host elements for down hosts in verbose mode. This makes it consistent with the other output formats.
- [NSE] Fixed http-enum so it uses the full path name for the fingerprints file. This prevents it from quitting with an error like this:
    NSE: http-enum: Attempting to parse fingerprint file nselib/data/http-fingerprints
    NSE: http-enum against 10.99.24.140:443 threw an error!
    C:\Program Files\Nmap\scripts\http-enum.nse:198: bad argument #1 to 'lines' (nselib/data/http-fingerprints: No such file or directory)
    stack traceback:
  [Kris, Brandon, Ron Meldau]
- [NSE] Added a missing dirname function to http-favicon. Its absence was causing this error message when a web page specified a relative icon URL in a link element:
    http-favicon.nse:141: variable 'dirname' is not declared
  [David, Ron Meldau]
- Fixed the parsing of libdnet DLPI interface names that contain more than one string of digits. Joe Dietz reported that an interface with the name e1000g0 was causing this error message on Solaris 9:
    Warning: Unable to open interface e1000g0 -- skipping it.
  [David]
- [NSE] Added the function nmap.is_privileged() to tell a script if, as far as Nmap's concerned, it can do privileged operations. For instance, this can be used to determine whether a script can open a raw socket or Ethernet interface. [Kris]
- [NSE] Added the function nmap.get_ports() so scripts can iterate over a host's port table entries matching a given protocol and state. [Kris, Patrick]
- [Ncat] Fixed a handle leak with --exec and --sh-exec on Windows, found by Jon Greaves. One thread handle was being leaked per child process invocation. [David]
- [NSE] nbstat.nse can now look up the MAC prefix vendor string. Other scripts can now do the same thing using the datafiles.parse_mac_prefixes function. [Thomas Buchanan]
- Remove the PYTHONPATH and PYTHONHOME variables from the environment before executing a sub-ndiff if they exist and if Zenmap is running in a py2app bundle. These variables are set by py2app to point inside our application bundle. Having them set in the environment makes Ndiff use the same settings because it is also a Python application. Deleting the variables is somewhat wrong, because the user may have set those outside of Zenmap expecting them to be used with their system-installed Python programs. But this is at least no worse than before our build system update, because previously py2app was stomping on the variables anyway. [David]
- [Ncat] Fixed a segmentation fault caused by access to freed memory. It could be triggered by making multiple connections to a server that was constantly sending in SSL mode, such as:
    ncat -l -k --ssl < /dev/zero
  This bug was reported by Mak Kolybabi. [David]
- [NSE] Moved the smtp-open-relay.nse script out of the "demo" category after improvements by Duarte Silva. We have now met the goal of removing all scripts from that category.
- [NSE] Fixed a bug which prevented smb-brute from properly detecting account lockouts, which could lead to lockouts of many accounts on the target machine. Now smb-brute tries to check the lockout policy before starting and refuses to run (unless you force it to with the smblockout variable) if lockouts are enabled or if it locks out an account. [Ron]
- [NSE] Rewrote smb-enum-domains to be more generalized and rely on library functions which will eventually be shared with smb-brute. [Ron]
- Qualified an assertion to allow zero-byte sends in Nsock. Without this, an NSE script could cause this assertion failure by doing socket:send(""):
    nmap: nsock_core.c:516: handle_write_result: Assertion `bytesleft > 0' failed.
  [David]
- Added a service probe for Logitech SqueezeCenter command line interface [Patrik]
- Improved PostgreSQL match lines by matching the line of the error to a specific version [Patrik].
- Added a mac_addr_next_hop member to the host tables used in NSE for scripts which need to know the MAC address of the next hop router for reaching a target host. [Michael Pattrick, KX].
- Removed the nmap_service.exe helper program for smb-psexec, as it was still being flagged by malware detection even after the bit-flipping in the next release. In fact, the obfuscation backfired and caused more false positives! You can now download it from https://nmap.org/psexec/nmap_service.exe. (The script will remind you if you run the script and it's not installed.)
- Added service probes and UDP payloads for games based on the Quake 2 and Quake 3 engine, submitted by Mak Kolybabi.
- [Ncat] Added support for HTTP digest authentication of proxies, as both client and server. Previously only the less secure basic authentication method was supported. [Venkat, David]
- Improved the MIT Kerberos version detection signatures. [Matt Selsky]
- [Ndiff] Show a nicer error message when an input file can't be loaded. Suggested by Derril Lucci, who also contributed a patch.
- [NSE] Added a new library afp.lua which handles the Apple Filing Protocol (AFP) filesharing system. The library handles authentication and many other protocol features, and enables the new afp-path-vuln, afp-brute, and afp-showmount scripts. [Patrik]
- Added an Apple Filing Protocol service probe that detects Netatalk servers. (Apple's AFP servers are coincidentally triggered by the SSLSessionReq probe.) [Patrik Karlsson]
- [NSE] Fixed packet.lua so that functions used to set packet header fields (e.g. ip_set_ttl) also set the appropriate variables used to access the data (e.g. ip_ttl). [Kris]
- Updated and corrected IANA assignment IP list for random IP (-iR) generation. Now even 001/8 has been allocated. [Kris]
Nmap 5.21 [2010-01-27]
- [Zenmap] Added a workaround for an Ubuntu Python packaging idiosyncrasy. As of version python2.6-2.6.4-0ubuntu3, Ubuntu's distutils modifies self.prefix, a variable we use in the setup.py script. This would cause Zenmap to look in the wrong place for its configuration files, and show the dialog "Error creating the per-user configuration directory" with the specific error "[Errno 2] No such file or directory: '/usr/share/zenmap/config'". This problem was reported by Chris Clements, who also helped debug. [David]
- Fixed an error that occurred when UDP scan was combined with version scan. UDP ports would appear in the state "unknown" at the end of the scan, and in some cases an assertion failure would be raised. This was an unintended side effect of the memory use reduction changes in 5.20. The bug was reported by Jon Kibler. [David]
- [NSE] Did some simple bit-flipping on the nmap_service.exe program used by the smb-psexec script, to avoid its being falsely detected as malware. [Ron]
- [NSE] Fixed a bug in http.lua that could lead to an assertion failure. It happened when there was an error getting a response at the beginning of a batch in http.pipeline. The symptoms of the bug were:
    NSE: Received only 0 of 1 expected reponses.
    Decreasing max pipelined requests to 0.
    NSOCK (0.1870s) Write request for 0 bytes...
    nmap: nsock_core.c:516: handle_write_result: Assertion `bytesleft > 0' failed.
  The error was reported by Brandon Enright and pyllyukko.
- [NSE] Restored the ability of http.head to return a body if the server returns one. This was lost in the http.lua overhaul from 5.20. [David]
- [NSE] Fixed the use of our strict.lua library on distributions that install their own strict.lua. The error message was
    nse_main.lua:97: attempt to call a boolean value
  It was reported by Onur K. [Patrick]
- Fixed handling of nameserver entries in /etc/resolv.conf so it could handle entries containing more than 16 bytes, which can occur with IPv6 addresses. Gunnar Lindberg reported the problem and contributed an initial patch, then Brandon and Kris refined and implemented it.
- [NSE] Corrected a behavior change in http.request that was accidentally made in 5.20: it could return nil instead of a table indicating failure. [David]
- [NSE] Fixed the use of an undefined variable in smb-enum-sessions, reported by Brandon. [Ron]
- Fixed a compiler error when --without-liblua is used. [Brandon]
- [NSE] Fixed an error with running http-enum.nse along with the --datadir option. The script would report the error
    http-enum.nse:198: bad argument #1 to 'lines' (nselib/data/http-fingerprints: No such file or directory)
  The error was reported by Ron Meldau and Brandon. [Kris]
- Added a function that was missing from http-favicon.nse. Its absence would cause the error
    http-favicon.nse:141: variable 'dirname' is not declared
  when a web page specified a relative icon URL through the link element. This bug was reported by Ron Meldau. [David]
- Fixed a bug with the decoding of SNMP OID component values greater than 127. [Patrik Karlsson, David]
Nmap 5.20 [2010-01-20]
- Dramatically improved the version detection database, integrating 2,596 submissions that users contributed since February 3, 2009! More than a thousand signatures were added, bringing the total to 8,501. Many existing signatures were improved as well. Please keep those submissions and corrections coming! Nmap prints a submission URL and fingerprint when it receives responses it can't yet interpret.
- [NSE] Added a new script, oracle-sid-brute, which queries the Oracle TNS-listener for default instance/sid names. The SID enumeration list was prepared by Red Database security. See https://nmap.org/nsedoc/scripts/oracle-sid-brute.html . [Patrik Karlsson]
- [Ncat] The --ssl, --output, and --hex-dump options now work with --exec and --sh-exec. Among other things, this allows you to make a program's I/O available over the network wrapped in SSL encryption for security. It is implemented by forking a separate process to handle network communications and relay the data to the sub-process. [Venkat, David]
- Nmap now tries to start the WinPcap NPF service on Windows if it is not already running. This is rare, since our WinPcap installer starts NPF running at system boot time by default. Because starting NPF requires administrator privileges, a UAC dialog for net.exe may appear on Windows Vista and Windows 7 before NPF is loaded. Once NPF is loaded, it generally stays loaded until you reboot or run "net stop npf". [David, Michael Pattrick]
- The Nmap Windows installer and our WinPcap installer now have an option /NPFSTARTUP=NO, which inhibits the installer from setting the WinPcap NPF service to start at system startup and at install-time. This option only affects silent mode (/S) because existing GUI checkboxes allow you to configure this behavior during interactive installation. [David]
- [NSE] Replaced our runlevel system for managing the order of script execution with a much more powerful dependency system. This allows scripts to specify which other scripts they depend on (e.g. a brute force authentication script might depend on username enumeration scripts) and NSE manages the order. Dependencies only enforce ordering; they cannot pull in scripts which the user didn't specify. See https://nmap.org/book/nse-script-format.html#nse-format-dependencies [Patrick]
- [Ncat] For compatibility with Hobbit's original Netcat, the -p option now works to set the listening port number in listen mode. So "ncat -l 123" can now be expressed as "ncat -l -p 123" too. [David]
- A new script argument, http.useragent, lets you modify the User-Agent header sent by NSE from its default of "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)". Set it to the empty string to disable the User-Agent entirely. [David, Tom Sellers, Jah]
- [Zenmap] The locale setting had been taken from the Windows locale, which inadvertently made setting the locale with the LANG environment variable stop working. Now the LANG variable is examined first, and if that is not present, the system-wide setting is used. This change allows users to keep Zenmap in its original English (or any of Zenmap's other languages) even if their system is set to use a different locale. [David]
- [NSE] The http-favicon script is now better at finding "link rel=icon" tags in pages, and uses that icon in preference to /favicon.ico if found. If the favicon.uri script arg is given, only that is tried. Meanwhile, a giant (10 million web servers) favicon scan by Brandon allowed us to add about 40 more of the most popular icons to the DB. [David, Brandon]
- [NSE] smb-psexec now works against Windows XP (as well as already-supported Win2K and Windows 2003). The solution involved changing the seemingly irrelevant PID field in the SMB packet. See http://seclists.org/nmap-dev/2010/q1/13. [Ron]
- [NSE] Fixed a bug which kept the nselib/data/psexec subdirectory out of the Windows packages. We needed to add the /s and /e options to xcopy in our Visual C++ project file. [David]
- [NSE] Overhauled our http library to centralize HTTP parsing and make it more robust. The biggest user-visible change is that http.request goes back to returning a parsed result table rather than raw HTTP data. Also the http.pipeline function no longer accepts the no-longer-used "raw" option. [David]
- Fixed a bug in traceroute that could lead to a crash:
    terminate called after throwing an instance of 'std::out_of_range'
      what():  bitset::test
  It happened when the preliminary distance guess for a target was greater than 30, the size of an internal data structure. David and Brandon tracked down the problem.
- Fixed compilation of libdnet-stripped on platforms that don't have socklen_t. [Michael Pattrick]
- Added a service probe and match lines for the Logitech/SlimDevices SqueezeCenter music server. [Patrik Karlsson]
- Fixed the RTSPRequest version probe, which was accidentally modified to say "RTSP/2.0" rather than "RTSP/1.0" in 5.10BETA2. [Matt Selsky]
- [NSE] Our http library no longer allows cached responses from a GET request to be returned for a HEAD request. This could cause problems with at least the http-enum script. [David]
- Fixed a bug in the WinPcap installer: If the "Start the WinPcap service 'NPF' at startup" box was unchecked and the "Start the WinPcap service 'NPF' now" box was checked, the second checkbox would be ignored (the service would not be started now). [Rob Nicholls]
Nmap 5.10BETA2 [2009-12-24]
- Added 7 new NSE scripts for a grand total of 79! You can learn about them all at https://nmap.org/nsedoc/. Here are the new ones:
  - nfs-showmount displays NFS exports like "showmount -e" does. See https://nmap.org/nsedoc/scripts/nfs-showmount.html . [Patrik Karlsson]
  - ntp-info prints the time and configuration variables provided by an NTP service. It may get such interesting information as the operating system, server build date, and upstream time server IP address. See https://nmap.org/nsedoc/scripts/ntp-info.html . [Richard Sammet]
  - citrix-brute-xml uses the unpwdb library to guess credentials for the Citrix PN Web Agent Service. See https://nmap.org/nsedoc/scripts/citrix-brute-xml.html . [Patrik Karlsson]
  - citrix-enum-apps and citrix-enum-apps-xml print a list of published applications from the Citrix ICA Browser or XML service, respectively. See https://nmap.org/nsedoc/scripts/citrix-enum-apps.html and https://nmap.org/nsedoc/scripts/citrix-enum-apps-xml.html . [Patrik Karlsson]
  - citrix-enum-servers and citrix-enum-servers-xml print a list of Citrix servers from the Citrix ICA Browser or XML service, respectively. See https://nmap.org/nsedoc/scripts/citrix-enum-servers.html and https://nmap.org/nsedoc/scripts/citrix-enum-servers-xml.html . [Patrik Karlsson]
- We performed a memory consumption audit and made changes to dramatically reduce Nmap's footprint. This improves performance on all systems, but is particularly important when running Nmap on small embedded devices such as phones. Our intensive UDP scan benchmark saw peak memory usage decrease from 34MB to 6MB, while OS detection consumption was reduced from 67MB to 3MB. Read about the changes at http://seclists.org/nmap-dev/2009/q4/663. Here are the highlights:
  - The size of the internal representation of nmap-os-db was reduced more than 90%. Peak memory consumption in our OS detection benchmark was reduced from 67MB to 3MB. [David]
  - The size of individual Port structures without service scan results was reduced about 70%. [Pavel Kankovsky]
  - When a port receives no response, Nmap now avoids allocating a Port structure at all, so scans against filtered hosts can be light on memory. [David]
- David started a major service detection submission integration run. So far he has processed submissions since February for the following services: imap, pop3, afp, sip, printer, transmission, svnserve, vmware, domain, backdoor, finger, freeciv, hp, imaps, irc, landesk, netbios-ssn, netsupport, nntp, oracle, radmin, routersetup, rtorrent, serv-u, shoutcast, ssh, tcpmux, torrent, utorrent, vnc and ipp. The rest will come in the next release, along with full stats on the additions.
- Added service detection probe for Kerberos (udp/88) and IBM DB2 DAS (523/UDP). [Patrik Karlsson]
- Added a UDP payload and service detection probe for Citrix MetaFrame, which typically runs on 1604/udp. [Thomas Buchanan]
- Added a UDP SIPOptions service detection probe corresponding to the TCP one. [Patrik Karlsson, Matt Selsky, David Fifield]
- Updated service detection signatures for Microsoft SQL Server 2005 to detect recent Microsoft security update (MS09-062), and also updated ms-sql-info.nse to support MS SQL Server 2008 detection. [Tom]
- Nmap now provides Christmas greetings and a reminder of Xmas scan (-sX) when run in verbose mode on December 25. [Fyodor]
- Removed a limitation of snmp.lua which only allowed it to properly encode OID component values up to 127. The bug was reported by Victor Rudnev. [David]
- Nmap script output now uses two spaces of indentation rather than three for the first level. This better aligns with the standard set by the stdnse.format_output function added in the last release. Output now looks like:
    8082/tcp open  http    Apache httpd 2.2.13 ((Fedora))
    |_http-favicon: Apache Web Server (seen on SuSE, Linux Tux favicon)
    |_html-title: Nmap - Free Security Scanner For Network Exploration & Securit...
    ...
    Host script results:
    | smb-os-discovery:
    |   OS: Unix (Samba 3.4.2-0.42.fc11)
    |   Name: Unknown\Unknown
    |_  System time: 2009-11-24 17:19:21 UTC-8
    |_smbv2-enabled: Server doesn't support SMBv2 protocol
  [Fyodor]
- [NSE] Fixed (we hope) a deadlock we were seeing when doing a favicon.nse survey against millions of hosts. We now restore all threads that are waiting on a socket lock when a thread relinquishes its lock. We expect only one of them to be able to grab the newly freed lock, and the rest to go back to waiting. [David, Patrick]
- [Zenmap] Fixed a crash when filtering with inroute: in scans without traceroute data. (KeyError: 'hops') [David]
- [NSE] Use a looser match pattern in auth-owners.nse for retrieving the owner out of an identd response. See http://seclists.org/nmap-dev/2009/q4/549. [Richard Sammet]
- Improved some Cyrus pop3 and Polycom SoundStation sip match lines. [Matt Selsky]
- [Ncat] In the Windows version of netrun, we weren't noticing when a command fails to be executed (when CreateProcess fails). We now see the return value and close the socket to disconnect the client. [David]
- [NSE] Updated http-iis-webdav-vuln to run against SSL-enabled servers [Ron]
- [NSE] Improved db2-info to set port product and state (rather than just port.version.name and confidence) when a DB2 service is positively identified. Error reporting was improved as well. [Tom]
Nmap 5.10BETA1 [2009-11-23]
- Added 14 new NSE scripts for a grand total of 72! You can learn about them all at https://nmap.org/nsedoc/. Here are the new ones:
  - smb-psexec implements remote process execution similar to the Sysinternals' psexec tool (or Metasploit's psexec "exploit"), allowing a user to run a series of programs on a remote machine and read the output. This is great for gathering information about servers, running the same tool on a range of systems, or even installing a backdoor on a collection of computers. See https://nmap.org/nsedoc/scripts/smb-psexec.html [Ron]
  - dhcp-discover sends out DHCP probes on UDP/67 and displays all interesting results (or, with verbosity, all results). Optionally, multiple probes can be sent and the MAC address can be randomized in an attempt to exhaust the DHCP server's address pool and potentially create a denial of service condition. See https://nmap.org/nsedoc/scripts/dhcp-discover.html . [Ron]
  - http-enum enumerates URLs used by popular web applications and servers and reports which ones exist on a target web server. See https://nmap.org/nsedoc/scripts/http-enum.html . [Ron, Andrew Orr, Rob Nicholls]
  - ssl-cert retrieves and prints a target server's SSL certificate. See https://nmap.org/nsedoc/scripts/ssl-cert.html . [David]
  - x11-access checks whether access to an X11 server is allowed (as with "xhost +" for example). See https://nmap.org/nsedoc/scripts/x11-access.html . [jlanthea]
  - db2-info enhances DB2 database instance detection. It provides detection when version probes fail, but will default to the version detection probe value if that is more precise. It also detects the server platform and database instance name. The DB2 version detection port ranges were broadened to 50000-50025 and 60000-60025 as well. [Tom]
  - smbv2-enabled checks if the smbv2 protocol is enabled on target servers. SMBv2 has already suffered from at least one major security vulnerability. See https://nmap.org/nsedoc/scripts/smbv2-enabled.html . [Ron]
  - http-favicon obtains the favicon file (/favicon.ico or whatever is specified by the HTML link tag) and tries to identify its source (such as a certain web application) using a database lookup. See https://nmap.org/nsedoc/scripts/http-favicon.html . [Vladz]
  - http-date obtains the Date: header field value from an HTTP server then displays it along with how much it differs from local time. See https://nmap.org/nsedoc/scripts/http-date.html . [David]
  - http-userdir-enum attempts to enumerate users on a system by trying URLs with common usernames in the Apache mod_userdir format (e.g. http://target-server.com/~john). See https://nmap.org/nsedoc/scripts/http-userdir-enum.html . [Jah]
  - pjl-ready-message allows viewing and setting the status message on printers which support the Printer Job Language (many HP printers do). See https://nmap.org/nsedoc/scripts/pjl-ready-message.html . [Aaron Leininger]
  - http-headers performs a GET request for the root folder ("/") of a web server and displays the HTTP headers returned. See https://nmap.org/nsedoc/scripts/http-headers.html . [Ron]
  - http-malware-host is designed to discover hosts that are serving malware (perhaps because they were compromised), but so far it only checks for one specific attack. See https://nmap.org/nsedoc/scripts/http-malware-host.html . [Ron]
  - smb-enum-groups displays a list of groups on the remote system along with their membership (like enum.exe -G). See https://nmap.org/nsedoc/scripts/smb-enum-users.html [Ron]
- Nmap's --traceroute has been rewritten for better performance.Probes are sent in parallel to individual hosts, not just across allhosts as before. Trace consolidation is more sophisticated, allowingcommon traces to be identified sooner and fewer probes to be sent.The older traceroute could be very slow (taking minutes per target)if the target did not respond to the trace probes, and this newtraceroute avoids that. In a trace of 110 hosts in a /24 over theInternet, the number of probes sent dropped 50% from 1565 to 743,and the time taken dropped 92% from 95 seconds to 7.6seconds. Traceroute now uses an ICMP echo request probe if noworking probes against the target were discovered duringscanning. [David]
- [Zenmap]After performing or loading a scan, you can now filterresults to just the hosts you are interested in by pressing Ctrl+L(or the "Filter Hosts" button) to open the host filtering interface.This makes it easy to select just Linux hosts, or those running acertain version of Apache, or whatever interests you. You can easilymodify the filter or remove it to see the whole scan again. Seehttps://nmap.org/book/zenmap-filter.html . [Josh Marlow]
- For some UDP ports, Nmap will now send a protocol-specific payloadthat is more likely to get a response than an empty packet is. Thisimproves the effectiveness of probes to those ports for hostdiscovery, and also makes an open port more likely to be classifiedopen rather than open|filtered. The ports and payloads are definedin payload.cc. The ports that have a payload are 7 (echo),53 (domain), 111 (rpcbind), 123 (ntp), 137 (netbios-ns), 161 (snmp),177 (xdmcp), 500 (isakmp), 520 (route), 1645 and 1812 (radius),2049 (nfs), 5353 (zeroconf), and 10080 (amanda). [David]
- Integrated 1,349 fingerprints (and 81 corrections) submitted by Nmapusers! They resulted in 342 new fingerprints (a 17% increase),including Google's Android Linux system for smart phones, Mac OS X10.6 (Snow Leopard), the Chumby, and a slew number of printers, broadbandrouters, and other devices (40 new vendors). Seehttp://seclists.org/nmap-dev/2009/q4/416 [David]
- [NSE]For all the services which are commonly tunneled over SSL(pop3, http, imap, irc, smtp, etc.), we audited the scripts toensure they can support that tunneling. The com.tryssl functionwas added for easy SSL detection. Seehttps://nmap.org/nsedoc/lib/comm.html [Joao]
- Nmap now prefers to display the hostname supplied by the user instead of the reverse-DNS name in most places. If a reverse DNS record exists, and it differs from the user-supplied name, it is printed like this:
  Nmap scan report for www.google.com (74.125.53.103)
  rDNS record for 74.125.53.103: pw-in-f103.1e100.net
  And in XML it looks like:
  <hostnames>
    <hostname name="openbsd.org" type="user"/>
    <hostname name="cvs.openbsd.org" type="PTR"/>
  </hostnames>
  Host latency is now printed more often. See http://seclists.org/nmap-dev/2009/q4/199 for a summary of other output changes. [David]
- Ndiff now shows changes in script (NSE) output for each target host (in both text output format and XML). [David]
- We now print output for down hosts, even when doing scanning beyond just a ping scan. This always prints to XML and grepable output, and is printed to normal and interactive output in verbose mode. The format for printing a down host has changed slightly: "Nmap scan report for 1.1.1.1 [host down]" [David]
- [NSE] Default socket parallelism has been doubled from 10 to 20, which doubles speed in some situations. See http://seclists.org/nmap-dev/2009/q3/161. [Patrick]
- Version detection's maximum socket concurrency has been increased from 10-20 based on timing level to 20-40. This can dramatically speed up version detection when there are many open ports in a host group being scanned. [Fyodor]
- The Nmap source tarball (and RPMs) now include man page translations (16 languages so far). Nmap always installs the English man page, and installs the translations by default. If you only want some of the translations, set the LINGUAS environment variable to the language codes you are interested in (e.g. "es de"). You can specify the configure option --disable-nls or set LINGUAS to the empty string to avoid installation of any man page translations. The RPM always installs them. [David]
- [NSE] Added a function for scripts to format their output in a consistent way. See https://nmap.org/nsedoc/lib/stdnse.html#format_output. [Ron]
- [NSE] Now supports worker threads so that a single script can perform multiple network operations concurrently. This patch also includes condition variables for synchronization. See https://nmap.org/nsedoc/lib/stdnse.html#new_thread, https://nmap.org/nsedoc/lib/nmap.html#condvar, and http://seclists.org/nmap-dev/2009/q4/294.
- Fixed a problem in which the Nmap installer wrongly reported that the Microsoft Visual C++ 2008 Redistributable Package (vcredist.exe) failed to install. We had to update a registry key--see http://seclists.org/nmap-dev/2009/q3/164. [Jah]
- Added support for connecting to nameservers over IPv6. IPv6 addresses can be used in /etc/resolv.conf or with the --dns-servers option. The parallel reverse DNS resolver still only supports IPv4 addresses, but it can look them up over IPv6. [Ankur Nandwani]
- Zenmap now includes ports in the services view whenever Nmap found them "interesting," whatever their state. Previously they were only included if the state was "open", "filtered", or "open|filtered", which led to confusing behavior when a closed port showed up in the Services column but clicking on the service showed no ports in the display. [David]
- [Ncat] Now has configure-time ASCII art just like Nmap does, captioned "Ncat: A modern interpretation of classic Netcat".
- [NSE] Added HTTP pipelining support to the HTTP library and to the http-enum, http-userdir-enum, and sql-injection.nse scripts. Pipelining can increase speed dramatically for scripts which make many requests.
- [NSE] The HTTP library now caches responses from http.get or http.head so that resources aren't requested multiple times during the same Nmap run even if several scripts request them. See http://seclists.org/nmap-dev/2009/q3/733. [Patrick]
- [Ncat, Ndiff] The exit codes of these programs now reflect whether they succeeded. For Ncat, 0 means the connection was successful, 1 indicates a network error, and 2 indicates any other error. For Ndiff, 0 means the scans were equal, 1 means they were different, and 2 indicates a runtime error. [David]
- [Ncat] In verbose mode, Ncat now prints the number of bytes read and written after the client connection is terminated. Ncat also now prints elapsed time. For example, "Ncat finished: 16 bytes sent, 566 bytes received in 8.05 seconds." [Venkat]
- [NSE] telnet-brute.nse now uses the unpw database instead of a hard coded list. [Ron]
- [NSE] ssl-cert.nse now supports TLS negotiation against SMTP ports that support it. [Tom Sellers, David]
- [NSE] Scripts that are listed by name with the --script option now have their verbosity level automatically increased by one. Many will print negative results ("no infection found") at a higher verbosity level. The idea is that if you ask for a script specifically, you are more interested in such results. [David, Patrick]
- Upgraded our Winpcap installer to use the new WinPcap version 4.1.1. A bug which could prevent proper uninstallation of previous versions was fixed at the same time. Later we made it set some registry keys for compatibility with the official Winpcap project installer (see http://seclists.org/nmap-dev/2009/q4/237). [Rob Nicholls]
- [Ncat] Ncat now prints a message like "Connection refused." by default when a socket error occurs. This used to require -v, but printing no message at all could make a failed connection look like success in a case like
  ncat remote < short-file
- Zenmap no longer displays down hosts in the GUI. [Josh]
- The Ndiff man page was dramatically improved with examples and sample output. See https://nmap.org/book/ndiff-man.html . [David]
- [NSE] At debug level 2 or higher (-d2), Nmap now prints all active scripts (running & waiting) and a backtrace whenever a key is pressed. This can be quite helpful in debugging deadlocks and other script/NSE problems. [Patrick]
- Nmap now allows you to specify --data-length 0, and that is now the documented way to disable the new UDP protocol-specific probe payload feature. [David]
- Fixed compilation of our libdnet on Debian GNU/kFreeBSD (patch from Petr Salinger).
- Our Windows packages are now built on Windows 7, though they are 32-bit binaries and should continue to work on Win2K and later.
- Fixed a bug that could cause an infinite loop ("Unable to find listening socket in get_rpc_results") in RPC scan. The loop would happen when scanning a port that sent no responses, and there was at least one other port to scan. Thanks to Lionel Cons for reporting the problem. [David]
- [NSE] The dns-zone-transfer and whois script argument table syntax has been improved so you don't need curly braces.
- [NSE] smb-enum-shares.nse now checks whether or not a share is writable by attempting to write a file (and deleting it if it's successful). Significantly cleaned up the code, as well. [Ron]
- The nselib/data directory is now installed. It was not installed before because of an error in the Makefile. The scripts that would not have worked after installation because they were missing data files are http-enum.nse, http-favicon.nse, http-iis-webdav-vuln.nse, http-userdir-enum.nse, smb-pwdump.nse, pop3-brute.nse, smb-brute.nse, and snmp-brute.nse. [David]
- Upgraded the included libpcap to 1.0.0. [David]
- Optimize MAC address prefix lookup by using an std::map rather than a custom hash table. This increases performance and code simplicity at the cost of some extra memory consumption. In one test, this reduced the time of a single target ARP ping scan from 0.59 seconds to 0.13. [David]
- Added -Pn and -sn as aliases for -PN and -sP, respectively. They will eventually become the recommended and documented way to disable host discovery (ping scanning) and port scanning. They are more consistent and also match the existing -n option for disabling reverse DNS resolution. [David]
- Fixed an error in the handling of exclude groups that used IPv4 ranges. Si Stransky reported the problem and provided a number of useful test cases in http://seclists.org/nmap-dev/2009/q4/276. The error caused various assertion failures along the lines of
  TargetGroup.cc:465: int TargetGroup::get_next_host(sockaddr_storage*, size_t*): Assertion `ipsleft > 1' failed.
  [David]
- [NSE] Improved the authentication used by the smb-* scripts. Instead of looking in a bunch of places (registry, command-line, etc) for the usernames/passwords, a table is kept. This lets us store any number of accounts for later use, and remove them if they stop working. This also fixes a bug where typing in a password incorrectly would lock out an account (since it wouldn't stop trying the account in question). [Ron]
- Removed IP ID matching in packet headers returned in ICMP errors. This was already the case for some operating systems that are known to mangle the IDs of sent IP packets. Requiring such a match could occasionally cause valid replies to be ignored. See http://seclists.org/nmap-dev/2009/q2/580 for an example of host order affecting scan results due to this phenomenon. [David]
- [NSE] The HTTP library now handles chunked transfer decoding more robustly. See http://seclists.org/nmap-dev/2009/q3/13 [David]
- [NSE] Unexpected error messages from scripts now include the target host and port number. [David]
- [NSE] Fixed many libraries which were inappropriately using global variables, meaning that multiple scripts running concurrently could overwrite each other's values. NSE now automatically checks for this problem at runtime, and we have a static code checker (check_globals) available as well. See this whole thread: http://seclists.org/nmap-dev/2009/q3/70. [Patrick]
- Added some additional matching rules to keep a reply to a SYN probe from matching an ACK probe to the same port, or vice versa, in ping scans that include both scan types. Such a mismatch could cause an ineffective timing ping or traceroute probe to be selected. [David]
- [Zenmap] There is a new command-line option, --confdir, which sets the per-user configuration directory. Its value defaults to $HOME/.zenmap. This was suggested by Jesse McCoppin. [David]
- Open bpf devices in read/write mode, not read-only, in libdnet on BSD. This is to work around a bug in Mac OS X 10.6 that causes incoming traffic to become invisible. [David]
- "make install" now removes from the Nmap script directory some scripts which only existed in previous versions of Nmap but weren't deleted during upgrades. [David]
- [NSE] Added the reconnect_ssl method for sockets. We sometimes need to reconnect a socket with SSL because the initial communication on the socket is done without SSL. See this thread for more details: http://seclists.org/nmap-dev/2009/q4/3 [Patrick, Tom Sellers]
- [Zenmap] Fixed a crash that could occur when entering certain characters in the target entry (those whose UTF-8 encoding contains a byte that counts as whitespace in the Windows locale):
  File "zenmapGUI\ScanNotebook.pyo", line 184, in _target_entry_changed
  File "zenmapCore\NmapOptions.pyo", line 719, in render_string
  UnicodeDecodeError: 'utf8' codec can't decode byte 0xc3 in position 1: unexpected end of data
  For more details on this curious problem, see http://seclists.org/nmap-dev/2009/q4/82 [David]
- [NSE] There is a new function, nmap.bind, to set the source address of a socket. [David]
- [Nsock] Made it a fatal error instead of silent memory corruption when an attempt is made to use a file descriptor whose number is not less than FD_SETSIZE. This applies only on non-Windows platforms where FD_SETSIZE is a limit on the value of file descriptors as well as a limit on the number of descriptors in the set. The error will look like
  nsock_core.c:186: Attempt to FD_SET fd 1024, which is not less than FD_SETSIZE (1024). Try using a lower parallelism.
  Thanks to Brandon Enright for discovering the problem and much help debugging it, and to Jay Fink for submitting an initial patch. [David]
- [Ncat] Fixed proxy connections in connect mode on Windows. Because the dup function does not work on Windows, an assertion failure would be raised reading
  (fh >= 0 && (unsigned)fd < (unsigned)_nhandle)
  [David]
- [Ncat] Fixed the combination of --max-conns and --exec on Windows. The count of connected clients was not decreased when the program spawned by --exec finished. With --max-conns 5, for example, no more connections would be allowed after the fifth, even if some of the earlier ones had ended. Jon Greaves reported the problem and Venkat contributed a patch.
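The FD_SETSIZE check from the Nsock entry above, as an added C example that is not Nsock's code: a wrapper that refuses an out-of-range descriptor instead of letting FD_SET write past the end of the fd_set bitmap, plus a hypothetical helper that derives the "lower parallelism" the error message suggests.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/select.h>

/* FD_SET() is a macro that sets bit fd in a fixed-size bitmap. On POSIX
 * systems nothing checks fd against FD_SETSIZE, so an fd of FD_SETSIZE
 * (1024 on most platforms) or more silently writes outside the fd_set.
 * This wrapper makes the check explicit: it returns 0 on success and -1
 * with errno set to EINVAL when fd cannot be represented in the set. */
int checked_fd_set(int fd, fd_set *set) {
    if (fd < 0 || fd >= FD_SETSIZE) {
        fprintf(stderr, "Attempt to FD_SET fd %d, which is not less than "
                "FD_SETSIZE (%d). Try using a lower parallelism.\n",
                fd, FD_SETSIZE);
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* The same guard for FD_ISSET: an out-of-range fd would read outside the
 * bitmap, so it is reported as "not set" instead. */
int checked_fd_isset(int fd, fd_set *set) {
    if (fd < 0 || fd >= FD_SETSIZE)
        return 0;
    return FD_ISSET(fd, set) ? 1 : 0;
}

/* Hypothetical helper (not from Nmap): given how many descriptors are
 * already open (stdio, log files, the capture handle, ...), return the
 * largest number of additional sockets whose numbers still stay below
 * FD_SETSIZE, i.e. the parallelism a select()-based engine can afford. */
int max_select_parallelism(int fds_in_use) {
    if (fds_in_use < 0 || fds_in_use >= FD_SETSIZE)
        return 0;
    return FD_SETSIZE - fds_in_use;
}

int main(void) {
    fd_set set;
    FD_ZERO(&set);
    printf("fd 3: %d\n", checked_fd_set(3, &set));             /* 0 */
    printf("fd %d: %d\n", FD_SETSIZE, checked_fd_set(FD_SETSIZE, &set)); /* -1 */
    printf("parallelism with 24 fds in use: %d\n", max_select_parallelism(24));
    return 0;
}
```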
- [Ncat] The code that manages the count of connected clients has been made robust with respect to signals. The code was contributed by Solar Designer.
- The files read by the -iL (input from file) and --excludefile options now support comments that start with # and go to the end of the line. [Tom Sellers]
- [Zenmap] On Windows, Zenmap no longer uses the cmd.exe shell to run Nmap sub-processes. This means that canceling a scan will kill the Nmap process as it does on other platforms (previously it would just kill the shell). It also means that scanning will work as a user whose name contains characters like '&' that are significant to the shell. Mike Crawford and Nick Marsh reported bugs related to this. [David]
- [NSE] All scripts (except for those in "version" or "demo" categories) are now classified in either the "safe" or "intrusive" categories, based on how likely they are to cause problems when run against other machines on the network. Those classifications already existed, but weren't used consistently. [Fyodor]
- Added a check for a SMBv2 vulnerability (CVE-2009-3103) to smb-check-vulns. Due to its nature (it performs a DoS, then checks if the system is still online), the script isn't run by default and requires a special script-arg to work. [Ron]
- Fixed an integer overflow in uptime calculation which could occur when a target with a low TCP timestamp clock frequency uses large timestamp values, such that a naive uptime calculation shows a boot time before the epoch. Also fixed a printf format specifier mismatch that was revealed by the bug. Toby Simmons reported the problem and helped with the fix. [David]
- [NSE] The HTTP library now supports HTTP cookies. [Joao Correa]
- Fixed a compile error on NetBSD. It was
  tcpip.cc:2948: error: pointer of type 'void *' used in arithmetic
  Thanks to Jay Fink for reporting the problem and submitting a patch.
- [Zenmap] If you have any hosts or services selected, they will remain selected after aggregating another scan or running a filter (as long as they are still up and visible). Previously the selection was lost whenever the scan inventory was changed. This is particularly important due to the new host filter system. [David]
- [Zenmap] New translation: Russian (contributed by Alexander Khodyrev). Updated translations: French and German.
- Nmap now generates IP addresses without duplicates (until you cycle through all the allowed IPs) thanks to a new collision-free 32-bit number generator in nbase_rnd.c. See http://seclists.org/nmap-dev/2009/q3/695 [Brandon]
- There is a new OS detection pseudo-test, SCAN.DC, which records how the network distance in SCAN.DS was calculated. Its value can be "L" for localhost, "D" for a direct connection, "I" for an ICMP TTL calculation, and "T" for a traceroute hop count. This is mainly for the benefit of OS integration, when it is sometimes important to distinguish between DS=1%DC=I (probably the result of forged TTLs) and DS=1%DC=D (a true one-hop connection.) [David]
- Canonicalized the list of OS detection device types to a smaller set with descriptions: https://svn.nmap.org/nmap/docs/device-types.txt . [David, Fyodor, Doug]
- [Ncat] The --idle-timeout option now exits when *both* stdin and the socket have been idle for the given time. Previously it would exit when *either* of them had been idle, meaning that the program would quit contrary to your expectation when downloading a large file without sending anything, for example. [David]
- [Ncat] Ncat now always prefixes its own output messages with "Ncat: " or "NCAT DEBUG: " to make it clear that they are not coming from the remote host. This only matters when output goes to a terminal, where the standard output and standard error streams are mixed. [David]
- Nmap's Nbase library now has a new hexdump() function which produces output similar to Wireshark. nmap_hexdump() is a wrapper which prints the output using Nmap's log_write facility. The old hdump() and lamont_dump() functions have been removed. [Luis]
- Added explicit casts to (int)(unsigned char) for arguments to ctype function calls in nmap, ncat and nbase. Thanks to Solar Designer for pointing out the need and fix for this. [Josh]
- Ncat now supports wildcard SSL certificates. The wildcard character (*) can be in the commonName field or in the DNS field of the Subject Alternative Name (SAN) extension of the SSL certificate. Matching rules:
  - '*' should be only in the leftmost component of the FQDN (*.example.com but not www.*.com or www.example*.com).
  - The leftmost component should contain only '*' and it should be followed by '.' (*.example.com but not *w.example.com or w*.example.com).
  - There should be at least three components in the FQDN (*.example.com but not *.com or *.com.). [venkat]
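The three wildcard rules above, as an added C example that is not Ncat's own code: a matcher that accepts a certificate name only when it satisfies all three rules and then compares the hostname label by label, case-insensitively. The label-count and label-length limits are this example's own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_LABELS 32        /* limit chosen for this example, not from Ncat */
#define MAX_LABEL_LEN 63     /* DNS labels are at most 63 octets */

/* Split a dotted name into labels. Returns the label count, or -1 if the
 * name is empty, any label is empty (leading, trailing or doubled dots),
 * a label is too long, or there are more labels than fit. */
static int split_labels(const char *name, char labels[][MAX_LABEL_LEN + 1]) {
    int n = 0;
    const char *p = name;
    if (*p == '\0')
        return -1;
    while (*p) {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);
        if (len == 0 || len > MAX_LABEL_LEN || n >= MAX_LABELS)
            return -1;
        memcpy(labels[n], p, len);
        labels[n][len] = '\0';
        n++;
        if (!dot)
            break;
        p = dot + 1;
        if (*p == '\0')
            return -1;              /* trailing dot, as in "*.com." */
    }
    return n;
}

/* Case-insensitive string equality (DNS names are case-insensitive). The
 * (unsigned char) casts before tolower() are the ctype fix listed
 * elsewhere in this release. */
static int name_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Return 1 if certname is a wildcard pattern satisfying all three rules:
 * '*' appears only as the whole leftmost label, and there are at least
 * three labels. Otherwise return 0. */
int wildcard_pattern_ok(const char *certname) {
    char labels[MAX_LABELS][MAX_LABEL_LEN + 1];
    int n = split_labels(certname, labels), i;
    if (n < 3 || strcmp(labels[0], "*") != 0)
        return 0;               /* rejects "*.com", "*w.example.com", "w*.example.com" */
    for (i = 1; i < n; i++)
        if (strchr(labels[i], '*') != NULL)
            return 0;           /* rejects a '*' in any later label, e.g. "*.ex*ample.com" */
    return 1;
}

/* Return 1 if hostname is covered by the certificate name: an exact
 * case-insensitive match, or a legal wildcard whose remaining labels match
 * the hostname's labels one for one ("*.example.com" covers
 * "www.example.com" but neither "example.com" nor "a.b.example.com"). */
int cert_name_matches(const char *hostname, const char *certname) {
    char hl[MAX_LABELS][MAX_LABEL_LEN + 1], cl[MAX_LABELS][MAX_LABEL_LEN + 1];
    int hn, cn, i;
    if (strchr(certname, '*') == NULL)
        return name_eq(hostname, certname);
    if (!wildcard_pattern_ok(certname))
        return 0;
    hn = split_labels(hostname, hl);
    cn = split_labels(certname, cl);
    if (hn < 0 || hn != cn)
        return 0;
    for (i = 1; i < cn; i++)
        if (!name_eq(hl[i], cl[i]))
            return 0;
    return 1;
}

int main(void) {
    const char *cases[][2] = {
        { "www.example.com", "*.example.com" },
        { "a.b.example.com", "*.example.com" },
        { "www.example.com", "www.*.com" },
        { "example.com", "*.com" },
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s vs %-14s -> %s\n", cases[i][0], cases[i][1],
               cert_name_matches(cases[i][0], cases[i][1]) ? "match" : "no match");
    return 0;
}
```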
- Nmap now handles the case when a primary network interface (venet0) does not have an address assigned but its aliases do (venet0:1 etc.). This could result in the error messages
  Failed to find device venet0 which was referenced in /proc/net/route
  Failed to lookup subnet/netmask for device (venet0): venet0: no IPv4 address assigned
  This was observed under OpenVZ. [Dmitry Levin]
- [Ncat] The --ssl-cert, --ssl-key, and --ssl-trustfile options now automatically turn on SSL mode. Previously they were ignored if --ssl was not also used. [David]
- [Nsock] Now Nsock supports pure TLSv1 and SSLv3 servers in addition to the (already supported and far more common) SSLv2 and SSLv23 servers. Ncat currently never uses SSLv2 for security reasons, so it is unaffected by this change.
- [Ncat] Implemented basic SCTP client functionality (server already exists). Only the default SCTP stream is used. This is also called TCP compatible mode. While it allows Ncat to be used for manually probing open SCTP ports, more complicated services making use of multiple streams or depending on specific message boundaries cannot be talked to successfully. [Daniel Roethlisberger]
- [Ncat] Implemented SSL over SCTP in both client (connect) and server (listen) modes. [Daniel Roethlisberger]
- Nmap now filters received ARP packets based on their target address field, not the destination address in the enclosing ethernet frame. Some operating systems, including Windows 7 and Solaris 10, are known to at least sometimes send their ARP replies to the broadcast address and Nmap wouldn't notice them. The symptom of this was that root scans wouldn't work ("Host seems down") but non-root scans would work. Thanks to Mike Calmus and Vijay Sankar for reporting the problem, and Marcus Haebler for suggesting the fix. [David]
- The -fno-strict-aliasing option is now used unconditionally when using GCC. It was already this way, in effect, because a test against the GCC version number was reversed: <= 4 rather than >= 4. Solar Designer reported the problem.
- Nmap now prints a warning instead of a fatal error when the hardware address of an interface can't be found. This is the case for FireWire interfaces, which have a hardware address format not supported by libdnet. Thanks to Julian Berdych for the bug report. [David]
- Zenmap's UI performance has improved significantly thanks to optimization of the update_ui() function. In particular, this speeds up the new host filter system. [Josh]
- Add a service probe for DNS-based service discovery (DNS-SD). See http://seclists.org/nmap-dev/2009/q3/0610.html . [David]
- Made RPC grinding work from service detection again by changing the looked-for service name from "rpc" to "rpcbind", the name it has in nmap-service-probes. Also removed some dead code. [David]
- Fixed a log_write call and a pfatal call to use a syntax which is safer from format string bugs. This allows Nmap to build with the gcc -Wformat -Werror=format-security options. [Guillaume Rousse, Dmitry Levin]
- A bug in Nsock was fixed: On systems where a non-blocking connect could succeed immediately, connections that were requested to be tunneled through SSL would actually be plain text. This could be verified with an Ncat client and server running on localhost. This was observed to happen with localhost connections on FreeBSD 7.2. Non-localhost connections were likely not affected. The bug was reported by Daniel Roethlisberger. [David]
- Ncat proxy now hides the proxy's response ("HTTP/1.0 200 OK" or whatever it may be). Before, if you retrieved a file through a proxy, it would have the "HTTP/1.0 200 OK" stuck to the top of it. For this Ncat uses blocking sockets until the proxy negotiation is done, and once it is successful, Nsock takes over for the rest of the connection. [Venkat]
- [NSE] Socket garbage collection was rewritten for better performance and to ensure that socket slots are immediately available to others after a socket is closed. See http://seclists.org/nmap-dev/2009/q2/0624.html . [Patrick]
- [NSE] Fixed a rare but possible segfault which could occur if the nsock binding attempted to push values on the stack of a thread which had already ended due to an error, and if that internal Lua stack was already completely full. This bug is very hard to reproduce with a SEGFAULT but is usually visible when Lua assertion checks are turned on. A socket handler routine must be called AFTER a thread has ended in error. [Patrick]
- [Ncat] Fixed an error that would cause Ncat to use 100% CPU in broker mode after a client disconnected or a read error happened. [Kris, David]
- [NSE] --script-args may now have whitespace in unquoted strings (but surrounding whitespace is ignored). For example, --script-args 'greeting = This is a greeting' becomes { ["greeting"] = "This is a greeting" }. [Patrick]
- [Ncat] Using --send-only in conjunction with the plain listen or broker modes now behaves as it should: nothing will be read from the network end. Ncat previously read and discarded any data received. [Kris]
- [Nsock] Added a socket_count abstraction that counts the number of read or write events pending on a socket, for the purpose of maintaining an fd_set. The bit is set in the fd_set whenever the count is positive, and cleared when it is zero. The reason for doing this was that write bits were not being properly cleared when using Ncat with SSL in connect mode, such that a client send would cause Ncat to use 100% CPU until it received something from the server. See the thread at http://seclists.org/nmap-dev/2009/q2/0413.html . This change will also make it easier to use a different back end than select in the future. [David]
- [Nsock] Added compilation dependency generation (makefile.dep). [David]
- [Ncat] The --broker option now automatically implies --listen. [David]
- Fixed a logic error in getinterfaces_siocgifconf. The check for increasing the capacity of the list of interfaces was off by one. This caused a crash on initialization for systems with more than 16 network interfaces. [David]
- Added Apache JServe protocol version detection probe and signatures and some other nmap-service-probes patches. [Tom Sellers]
- Fixed two memory leaks in ncat_posix.c and a bug where an open file was not being closed in libdnet-stripped/src/intf.c. [Josh Marlow]
- [Zenmap] Added profile editor support for the Nmap SCTP options: -PY, -sY and -sZ. [Josh Marlow]
- Fixed a bug in --data-length parsing which in some cases could result in useless buffer allocations and unpredictable payload lengths. See http://seclists.org/nmap-dev/2009/q2/0763.html [Luis]
- The configure script now allows cross-compiling by assuming that libpcap is recent enough to use rather than trying to compile and run a test program. Libpcap will always be recent enough when Nmap's included copy is used. [Mike Frysinger]
- Updated the IANA assignment IP list for random IP (-iR) generation. The Mac OS prefix file was updated as well. [Kris, Fyodor]
- [Zenmap] Fix a bug which could cause a crash in the (very rare) case where Nmap would produce port tags in XML output without a state attribute. [David]
- Added a convenience top-level BSDmakefile which automatically redirects BSD make to GNU make on BSD systems. The Nmap Makefile relies on numerous GNU Make extensions. [Daniel Roethlisberger]
Nmap 5.00 [2009-07-16]
- Bumped up version number to 5.00!
- [NSE] http-open-proxy script fixed to avoid false positives from bad pattern matching and to properly declare some formerly-global variables as local. [Joao]
Nmap 4.90RC1 [2009-06-25]
- [Zenmap] Fixed a display hanging problem on Mac OS X reported by Christopher Caldwell at http://seclists.org/nmap-dev/2009/q2/0721.html . This was done by adding gtk2 back to macports-1.8.0-universal.diff and removing the dependency on shared-mime-info so it doesn't expect /usr/share/mime files at runtime. Also included GDK pixbuf loaders statically rather than as external loadable modules. [David]
- Fixed a memory bug (access of freed memory) when loading exclude targets with --exclude. This was reported to occasionally cause a crash. Will Cladek reported the bug and contributed an initial patch. [David]
- Zenmap application icons were regenerated using the newer SVG representation of the Nmap eye. [David]
Nmap 4.85BETA10 [2009-06-12]
- The host discovery (ping probe) defaults have been enhanced to include twice as many probes. The default is now "-PE -PS443 -PA80 -PP". In exhaustive testing of 90 different probes, this emerged as the best four-probe combination, finding 14% more Internet hosts than the previous default, "-PE -PA80". The default for non-root users is -PS80,443, replacing the previous default of -PS80. In addition, ping probes are now sent in order of effectiveness (-PE first) so that less effective probes may not have to be sent. ARP ping is still the default on local ethernet networks. [David, Fyodor]
- Added SCTP port scanning support to Nmap. SCTP is a layer 4 protocol used mostly for telephony related applications. This brings the following new features:
  - SCTP INIT chunk port scan (-sY): open ports return an INIT-ACK chunk, closed ones an ABORT chunk. This is the SCTP equivalent of a TCP SYN stealth scan.
  - SCTP COOKIE-ECHO chunk port scan (-sZ): open ports are silent, closed ports return an ABORT chunk.
  - SCTP INIT chunk ping probes (-PY): host discovery using SCTP INIT chunk packets.
  - SCTP-specific IP protocol scan (-sO -p sctp).
  - SCTP-specific traceroute support (--traceroute).
  - The ability to use the deprecated Adler32 algorithm as specified in RFC 2960 instead of CRC32C from RFC 4960 (--adler32).
  - 42 well-known SCTP ports were added to the nmap-services file.
  - The server scanme.csnc.ch has been set up for your SCTP scan testing pleasure. But note that SCTP doesn't pass through most NAT devices. See http://seclists.org/nmap-dev/2009/q2/0669.html .
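The -sY/-sZ reply semantics and the CRC32C-versus-Adler32 checksum choice listed above, as an added C example that is not Nmap's code: it builds a constructed SCTP reply packet, verifies its checksum with either algorithm, and maps an INIT-ACK or ABORT chunk to the open/closed verdict the entries describe. The packet builder, the big-endian storage of the Adler-32 value and the 256-byte size limit are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SCTP chunk types (RFC 4960 section 3.2) that the -sY and -sZ scans act on. */
enum { SCTP_INIT = 1, SCTP_INIT_ACK = 2, SCTP_ABORT = 6, SCTP_COOKIE_ECHO = 10 };

#define SCTP_HDR_LEN 12   /* source port, destination port, verification tag, checksum */
#define SCTP_MAX_PKT 256  /* buffer limit for this example (assumption) */

/* CRC32C (Castagnoli polynomial, reflected form), the checksum RFC 4960 requires.
 * Bitwise rather than table-driven to stay short; check value for "123456789"
 * is 0xE3069283. */
uint32_t sctp_crc32c(const uint8_t *buf, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    size_t i;
    int k;
    for (i = 0; i < len; i++) {
        crc ^= buf[i];
        for (k = 0; k < 8; k++)
            crc = (crc & 1u) ? (crc >> 1) ^ 0x82F63B78u : crc >> 1;
    }
    return ~crc;
}

/* Adler-32, the checksum of the obsolete RFC 2960 that --adler32 selects.
 * Check value for "Wikipedia" is 0x11E60398. */
uint32_t sctp_adler32(const uint8_t *buf, size_t len) {
    uint32_t a = 1, b = 0;
    size_t i;
    for (i = 0; i < len; i++) {
        a = (a + buf[i]) % 65521u;
        b = (b + a) % 65521u;
    }
    return (b << 16) | a;
}

/* Serialise a checksum as it is carried in the 4-byte field. RFC 4960
 * Appendix B stores the CRC32C result least-significant byte first; the
 * Adler-32 value is written big-endian here, which is this example's
 * assumption rather than something taken from Nmap's source. */
static void checksum_bytes(uint32_t v, int use_adler32, uint8_t out[4]) {
    if (use_adler32) {
        out[0] = (uint8_t)(v >> 24); out[1] = (uint8_t)(v >> 16);
        out[2] = (uint8_t)(v >> 8);  out[3] = (uint8_t)v;
    } else {
        out[0] = (uint8_t)v;         out[1] = (uint8_t)(v >> 8);
        out[2] = (uint8_t)(v >> 16); out[3] = (uint8_t)(v >> 24);
    }
}

/* Checksum of the whole packet with the checksum field treated as zero. */
static uint32_t checksum_of(const uint8_t *pkt, size_t len, int use_adler32) {
    uint8_t copy[SCTP_MAX_PKT];
    memcpy(copy, pkt, len);
    memset(copy + 8, 0, 4);
    return use_adler32 ? sctp_adler32(copy, len) : sctp_crc32c(copy, len);
}

/* Build a minimal reply (constructed sample data): the common header plus one
 * parameterless chunk. Returns the packet length written to out. */
size_t build_sctp_reply(uint8_t *out, uint16_t sport, uint16_t dport,
                        uint8_t chunk_type, int use_adler32) {
    size_t len = SCTP_HDR_LEN + 4;
    memset(out, 0, len);
    out[0] = (uint8_t)(sport >> 8); out[1] = (uint8_t)sport;
    out[2] = (uint8_t)(dport >> 8); out[3] = (uint8_t)dport;
    out[4] = 0xDE; out[5] = 0xAD; out[6] = 0xBE; out[7] = 0xEF; /* verification tag */
    out[12] = chunk_type;           /* chunk type */
    out[13] = 0;                    /* chunk flags */
    out[14] = 0; out[15] = 4;       /* chunk length, including its 4-byte header */
    checksum_bytes(checksum_of(out, len, use_adler32), use_adler32, out + 8);
    return len;
}

/* Classify a reply to an INIT (-sY) or COOKIE-ECHO (-sZ) probe as the entries
 * above describe: INIT-ACK means open, ABORT means closed. A packet whose
 * checksum does not verify is not trusted for either verdict. */
const char *classify_sctp_reply(const uint8_t *pkt, size_t len, int use_adler32) {
    uint8_t expect[4];
    if (len < SCTP_HDR_LEN + 4 || len > SCTP_MAX_PKT)
        return "unknown";           /* no room for a chunk header, or oversized */
    checksum_bytes(checksum_of(pkt, len, use_adler32), use_adler32, expect);
    if (memcmp(expect, pkt + 8, 4) != 0)
        return "bad-checksum";
    switch (pkt[SCTP_HDR_LEN]) {    /* type of the first chunk */
    case SCTP_INIT_ACK: return "open";
    case SCTP_ABORT:    return "closed";
    default:            return "unknown";
    }
}

int main(void) {
    uint8_t pkt[SCTP_MAX_PKT];
    size_t n = build_sctp_reply(pkt, 80, 40125, SCTP_INIT_ACK, 0);
    printf("INIT-ACK reply: %s\n", classify_sctp_reply(pkt, n, 0));
    n = build_sctp_reply(pkt, 80, 40125, SCTP_ABORT, 0);
    printf("ABORT reply: %s\n", classify_sctp_reply(pkt, n, 0));
    pkt[13] ^= 0x01;                /* flip a flag bit: checksum no longer verifies */
    printf("corrupted reply: %s\n", classify_sctp_reply(pkt, n, 0));
    return 0;
}
```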
- [NSE] Added http-iis-webdav-vuln.nse, which detects the recently discovered WebDAV unicode bug in MS IIS 5.1/6.0 web server which can allow arbitrary users to access password protected folders without authentication. See https://nmap.org/svn/scripts/http-iis-webdav-vuln.nse. [Ron]
- The Nmap Reference Guide has been translated to German by Open Source Press and Indonesian by Tedi Heriyanto. You can now read it in 16 languages at https://nmap.org/docs.html . We're always looking for more translations of Nmap and its documentation--if you'd like to help, see http://seclists.org/nmap-dev/2009/q2/0667.html .
- Open Source Press completed and released the German translation of the official Nmap book (Nmap Network Scanning). Learn more at https://nmap.org/book/#translations.
- [NSE] Added socks-open-proxy.nse for scanning networks for open SOCKS proxy servers. See https://nmap.org/nsedoc/scripts/socks-open-proxy.html . [Joao Correa]
- [NSE] http-open-proxy.nse has been updated to attempt HEAD and CONNECT methods as well as the previously supported GET method. It still tries to reach http://www.google.com through the proxy by default, but now also offers an argument for specifying a different URL. [Joao Correa]
- [Ncat] There is a backwards-incompatible change in the way that listen mode works. The new default behavior is to accept only one connection, and quit when the connection ends. This was necessary to prevent data loss in some situations; some programs require Ncat to send an EOF before they flush their internal buffers and finish processing the last bit of data. See http://seclists.org/nmap-dev/2009/q2/0528.html for more information. Use the new -k or --keep-open option to get the old behavior, in which Ncat will accept multiple simultaneous connections, combine all their input, and accept more connections after a disconnection. [Daniel Roethlisberger, David]
- Ncat handling of newlines on Windows has been improved. CRLF is automatically converted to a bare LF when input is from the console, but left untouched when it is from a pipe or a file. No newline translation is done on output (where it was being done before). This makes it possible to transfer binary files with Ncat on Windows without any corruption, while still being able to interactively ncat into UNIX shells and other processes which require bare newlines. Ncat clients now work the same way on UNIX and Windows in that respect. For cases where you do want \r\n line endings (such as connections to web and email servers or Windows cmd.exe shells), specify -C whether your client is running on UNIX or Windows. [David]
- Nmap RPM packages (x86 and x86-64) are now built with OpenSSL support (statically linked in to avoid dependencies). They are also now built on CentOS 5.3 for compatibility with RHEL, Fedora, and other distributions. Please let us know if you discover any compatibility problems (or other issues) with the new RPMs. [Fyodor]
- [Zenmap] The Topology tab now has a "Save Graphic" button that allows saving the current topology display as a PNG, postscript, PDF, or SVG image. [Joao Medeiros, David]
- Changed the default UDP ping (-PU) port from 31338 to 40125. This appears to be a better port based on David's empirical testing.
- [NSE] Added the imap-capabilities script, which uses the CAPABILITY command to determine the capabilities of a target IMAP mail server. A simple supporting IMAP library was added as well. See https://nmap.org/nsedoc/scripts/imap-capabilities.html . [Brandon]
- [NSE] Brandon Enright from UCSD reports that, thanks to all the NSE fixes in this release, he no longer sees any Nmap crashes in his large scale scans. See http://seclists.org/nmap-dev/2009/q2/0639.html .
- Zenmap now works on RHEL/CentOS since it no longer requires the hashlib library (which was introduced in Python 2.5, but RHEL 5 still uses 2.4) and no longer requires pysqlite2 (RHEL does not offer that module). It is still desirable to have pysqlite2 when available, since it enables Zenmap searching and database saving features. [David]
- Ncat can now send SSL certificates in connect mode for client authentication by using the --ssl-cert and --ssl-key options. The specified certificates are only sent when requested by the server. [Venkat]
- Nmap can now handle -PS and -PA at the same time when running nmap as non-root or using IPv6. It now combines the two port lists. [Josh Marlow]
- [Ncat] SSL in listen mode now works on systems like BSD in which a socket inherits its blocking or non-blocking status from the listening socket. [David, Daniel Roethlisberger]
- The --packet-trace/--version-trace options now show the names of version detection probes as they are sent, making the version detection process easier to understand and debug. [Tom Sellers]
- The GPG detached signatures for Nmap releases now use the more standard .asc extension rather than .gpg.txt. They can still be found at https://nmap.org/dist/sigs/ and the .gpg.txt versions for previous releases are still available for compatibility reasons. For instructions on verifying Nmap package integrity, see https://nmap.org/book/install.html#inst-integrity. [Fyodor]
- [Zenmap] Fixed two bugs: 1) When two scans are performed in Zenmap and aggregated, the first one was being modified in the process, preventing you from doing diffs in the "compare scans" dialogue or properly saving the first scan individually. 2) If you start two scans, then the faster one finishes and you cancel and remove the slower one while still in progress, much of the results from both scans are lost. [Josh Marlow]
- [Ncat] When connecting to an SSL service in verbose mode, Ncat now prints confirmation of the SSL connection, some certificate information, and a cert fingerprint. For example:
  SSL connection to 64.147.188.3:443. Electronic Frontier Foundation
  SHA-1 fingerprint: 28BE B476 2E49 7ED5 3A9B 4D79 AD1E 69A9 82DB C75A
- [NSE]Clean up output (generally reducing default verbosity) for thep2p-conficker, smb-check-vulns, andhttp-iis-webdav-vuln scripts. Ingeneral, we don't ask scripts to report that a host is clean unlessNmap's verbosity level (-v) is at least one or two. [Ron, Fyodor]
- [Zenmap]Added the -PS22,25,80 option found in the Quick Tracerouteprofile to some of the Intense scan profiles for improved hostdiscovery. [Josh Marlow]
- Fixed a bug with the --defeat-rst-ratelimit option which preventedit from working properly. See this thread:http://seclists.org/nmap-dev/2009/q2/0476.html . [Josh]
- [Ndiff]Avoid printing a "Not shown:" line if there weren't anyports in the non-shown (extraports) list. [David]
- [Ncat]Fixed Ncat compilation with versions of OpenSSL before 0.9.7.Previously it would fail in ncat_openssl.c with the message"structure has no member named `it'". The problem was reported byJaroslav Fojtik. [David]
- [NSE]Removed the packet.hextobin(str) and packet.bintohex(str)functions. They are redundant since you get the same functionalityby calling bin.pack("H", str) and bin.unpack("H", str),respectively. [Patrick]
- [NSE]Fixed the parsing of --script-args, which was only acceptingalphanumeric characters and underscores in values. Now a key, value,or array value may be a sequence of any characters except '{', '}',',', '=', and all space characters. You may overcome thisrestriction by using quotes (single or double) to allow allcharacters within the quotation marks. You may also use the quotedelimiter inside the sequence so long as it is escaped by abackslash. Seehttp://seclists.org/nmap-dev/2009/q2/0211.html . [Patrick]
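As an added example (not Nmap's own parser), the grammar just described implemented in Python: bare tokens stop at the five reserved characters and at whitespace, quotes admit anything, a backslash escapes the quote delimiter, and braces nest into Lua-style tables. Keeping any other backslash literally is an assumption, as is the 1-based integer keys for positional values.

```python
# Added example (not Nmap's own code): a parser for the --script-args grammar
# described in the changelog entry above. Bare tokens stop at '{', '}', ',',
# '=' and whitespace; single or double quotes admit any character; a
# backslash before the quote delimiter escapes it (other backslashes are
# kept literally, an assumption). Tables "{...}" nest, and bare values
# inside a table get Lua-style 1-based integer keys.

SPECIAL = set("{},=")


class ScriptArgsError(ValueError):
    """Raised for input the grammar does not accept."""


def _skip_ws(s, i):
    while i < len(s) and s[i].isspace():
        i += 1
    return i


def _parse_token(s, i):
    """Parse one bare or quoted token at s[i]; return (text, next index)."""
    i = _skip_ws(s, i)
    if i >= len(s):
        raise ScriptArgsError("expected a key or value at end of input")
    if s[i] in "'\"":
        quote = s[i]
        i += 1
        out = []
        while i < len(s):
            if s[i] == "\\" and i + 1 < len(s) and s[i + 1] == quote:
                out.append(quote)  # escaped quote delimiter
                i += 2
            elif s[i] == quote:
                return "".join(out), i + 1
            else:
                out.append(s[i])
                i += 1
        raise ScriptArgsError("unterminated quoted value")
    start = i
    while i < len(s) and s[i] not in SPECIAL and not s[i].isspace():
        i += 1
    if i == start:
        raise ScriptArgsError("unexpected %r at position %d" % (s[i], i))
    return s[start:i], i


def _parse_value(s, i):
    """A value is either a nested table '{...}' or a single token."""
    i = _skip_ws(s, i)
    if i < len(s) and s[i] == "{":
        return _parse_entries(s, i + 1, "}")
    return _parse_token(s, i)


def _parse_entries(s, i, closing):
    """Parse comma-separated 'key=value' or bare-value entries until
    `closing` ('}' for a nested table, None for the top level)."""
    table, next_index = {}, 1
    i = _skip_ws(s, i)
    if closing and i < len(s) and s[i] == closing:  # empty table "{}"
        return table, i + 1
    while True:
        i = _skip_ws(s, i)
        if i < len(s) and s[i] == "{":  # positional nested table
            value, i = _parse_entries(s, i + 1, "}")
            key = None
        else:
            tok, i = _parse_token(s, i)
            i = _skip_ws(s, i)
            if i < len(s) and s[i] == "=":
                key = tok
                value, i = _parse_value(s, i + 1)
            else:
                key, value = None, tok
        if key is None:
            table[next_index] = value
            next_index += 1
        else:
            table[key] = value
        i = _skip_ws(s, i)
        if i >= len(s):
            if closing:
                raise ScriptArgsError("missing %r" % closing)
            return table, i
        if s[i] == ",":
            i += 1
        elif closing and s[i] == closing:
            return table, i + 1
        else:
            raise ScriptArgsError("unexpected %r at position %d" % (s[i], i))


def parse_script_args(text):
    """Parse a complete --script-args string into a dict (a Lua table)."""
    if not text.strip():
        return {}
    table, _ = _parse_entries(text, 0, None)
    return table


def script_args_error(text):
    """Return the parse error message for `text`, or None if it parses."""
    try:
        parse_script_args(text)
    except ScriptArgsError as exc:
        return str(exc)
    return None
```

Unquoted whitespace is rejected rather than silently splitting a value, so a mis-shaped argument string fails at parse time instead of reaching a script with a truncated password or host list.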
- [NSE] When a script ends for any reason, all of its mutexes are now unlocked. This prevents a permanent (and painful to debug) deadlock when a script crashes without unlocking a mutex. See http://seclists.org/nmap-dev/2009/q2/0533.html . [Patrick]
- Fixed a bug wherein nmap would not display the post-scan count of raw packets sent during a SYN ping scan (-sP -PS). [Josh Marlow]
- Changed the ICMP ping probes to use a random non-zero ICMP id. David's empirical testing found that some hosts drop probes when the ICMP id is 0. [Josh Marlow]
- [NSE] Fixed a --script argument processing bug in which Nmap would abort when an expression matches a set of scripts which were loaded by other expressions first (a simple example is "--script default,DEFAULT"). [Patrick]
- [Zenmap] Operating system icons are now always loaded as PNGs, even on platforms which support SVG images. That is much faster, and Zenmap currently never scales the images anyway. [Josh]
- [Ncat] The Nmap Windows uninstaller now removes the Ncat CA list (ca-bundle.crt) which has been installed since 4.85BETA9. [Jah]
- Optimized some Nmap version detection match lines for slightly better performance. See http://seclists.org/nmap-dev/2009/q2/0328.html . [Brandon]
- [NSE] Upon connection failure, a socket now immediately unlocks its "socket lock" to allow other pending socket connections to succeed sooner. This slightly improves scan speeds by eliminating the wait for garbage collection to free the resource. [Patrick]
- [NSE] Corrected a bug in nse_nsock.cc that could result in a crash from the use of an invalid Lua state if a thread is collected due to timeout or other rare reasons. Essentially, the callbacks from the nsock library were returning to an already-collected Lua state. We now maintain a reference to the Lua State Thread in the nsock userdata environment table to prevent early collection. This is a temporary patch for the stable release pending a more detailed review of the NSE nsock library binding. [Patrick]
- [NSE] When an NSE script in the database (script.db) is requested but not found on the filesystem, Nmap now prints a warning rather than aborting. We accidentally shipped with such a phantom script (smb-check-vulns-2.nse) in 4.85BETA8. [Patrick]
- Fixed a bug where an ICMP echo, timestamp, or address mask reply could be matched up with the wrong ICMP probe if more than one ICMP probe type was being sent (as with the new default ping). This led to timing calculation problems. [David]
- Improved the host expression parser to better handle a few cases where invalid target specifiers would cause Nmap to scan unintended hosts. See http://seclists.org/nmap-dev/2009/q2/0319.html . [Jah]
- [Zenmap] Fixed a crash, introduced in 4.85BETA4, that happened when searching scan results by date. [David] The error message was:
    File "zenmapGUI\SearchGUI.pyo", line 816, in set_date
    TypeError: argument must be sequence of length 9, not 3
- Patched configure.ac to detect Lua include and library files in "lua5.1" subdirectories of /usr/include and the like. Debian apparently puts them there. We still check the likes of /usr/include/lua.h and /usr/include/lua/lua.h as well. [Jan Christoph Nordholz]
- Improved nsock's fselect() to be a more complete replacement for select() on the Windows platform. In particular, any or all of the FD sets can be null or empty descriptor sets. This fixes an error ("nsock_loop error 10022") which would occur when you ran ncat --send-only on Windows. [David]
- The --with-openssl= directive now works for specifying the SSL location to the nsock library. It was previously not passing the proper include file path to the compiler. [Fyodor]
- The --traceroute feature is now properly disabled for IPv6 ping scans (-6 -sP) since IPv6 traceroute is not currently supported. [Jah]
- Fixed an assertion failure which could occur on at least SPARC Linux. The error looked like "nsock_core.c:294: handle_connect_result: Assertion `0' failed. Aborted". [David Fifield, Fabio Pedretti]
- Nmap's make install target now uses $(INSTALL) rather than cp to copy NSE scripts and libraries to ensure that file permissions are set properly. [Fyodor]
- Improved the Oracle DB version detection signatures. [Tom Sellers]
- [NSE] Remove the old nse_macros.h header file. This involved removing the SCRIPT_ENGINE_* status defines, moving the likes of SCRIPT_ENGINE_LUA_DIR to nse_main.h, removing the last remaining use of SCRIPT_ENGINE_TRY, and moving the FILES and DIRS defines to nse_fs.h. [Patrick]
- Cleaned up the libpcre build system a bit by removing Makefile.am and modifying configure.ac to prevent unnecessary removal of pcre_chartables.cc in some instances. [Fyodor]
- Fixed a bug which would cause Nmap to sometimes miscount the number of hosts scanned and produce warnings such as "WARNING: No targets were specified, so 0 hosts scanned" when --traceroute and -sP were combined. [Jah]
- Changed Nmap and Ncat's configure.ac files to check in more situations whether -ldl is required for compilation and add it where necessary. [Fyodor]
- When building Nmap RPMs using the spec file, you can now pass in an openssl argument, the contents of which are passed to ./configure's --with-openssl option. So you can pass rpmbuild an option such as --define "openssl /usr/local/ssl". [Fyodor]
- Fixed the make distclean target to avoid a failure which could occur when you ran it right after a make clean (it might have failed in other situations as well). [David]
- Updated nmap-mac-prefixes with the latest MAC address prefix data from http://standards.ieee.org/regauth/oui/oui.txt as of 5/20/09. [Fyodor]
- Ncat now makes sockets blocking before handing them off to another program with --exec or --sh-exec. This is to resolve a failure where the command "ncat --exec /usr/bin/yes localhost" would stop sending because yes would send data so quickly that kernel send buffers could not keep up and socket writes would start generating EAGAIN errors. [Venkat]
- Ncat now ignores SIGPIPE in listen mode. This fixes the command "yes | ncat -l --keep-open --send-only", which was failing after the first client disconnected due to a broken pipe signal when Ncat would try to write more data before realizing that the client had closed the connection.
- Version detection can now detect Ncat's --chat mode. [David]
Nmap 4.85BETA9 [2009-05-12]
- Integrated all 1,156 of your OS detection submissions and your 50 corrections since January 8. Please keep them coming! The second generation OS detection DB has grown 14% to more than 2,000 fingerprints! That is more than we ever had with the first system. The 243 new fingerprints include Microsoft Windows 7 beta, Linux 2.6.28, and much more. See http://seclists.org/nmap-dev/2009/q2/0335.html . [David]
- [Ncat] A whole lot of work was done by David to improve SSL security and functionality:
  - Ncat now does certificate domain and trust validation against trusted certificate lists if you specify --ssl-verify.
  - [Ncat] To enable SSL certificate verification on systems whose default trusted certificate stores aren't easily usable by OpenSSL, we install a set of certificates extracted from Windows in the file ca-bundle.crt. The trusted contents of this file are added to whatever default trusted certificates the operating system may provide. [David]
  - Ncat now automatically generates a temporary keypair and certificate in memory when you request it to act as an SSL server but you don't specify your own key using the --ssl-key and --ssl-cert options. [David]
  - [Ncat] In SSL mode, Ncat now always uses secure connections, meaning that it uses only good ciphers and doesn't use SSLv2. Certificates can optionally be verified with the --ssl-verify and --ssl-trustfile options. Nsock provides the option of making SSL connections that prioritize either speed or security; Ncat uses security while version detection and NSE continue to use speed. [David]
- [NSE] Added Boolean operators for --script. You may now use "and", "or", or "not" combined with categories, filenames, and wildcarded filenames to match a set of files. Parenthetical subexpressions are allowed for precedence too. For example, you can now run:
    nmap --script "(default or safe or intrusive) and not http-*" scanme.nmap.org
  For more details, see https://nmap.org/book/nse-usage.html#nse-args. [Patrick]
- [Ncat] The HTTP proxy server now works on Windows too. [David]
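An added example, not Nmap's code, of how a --script expression like the one above can be parsed and evaluated against a table of scripts and their categories. The precedence (not binds tightest, then and, then or), the comma-as-or shorthand, and shell-style wildcard matching over the script name with or without ".nse" are assumptions about the grammar; the script table is constructed sample data, not the real script.db.

```python
# Added example (not Nmap's own code): an evaluator for --script selection
# expressions. Assumed grammar: "not" binds tightest, then "and", then "or";
# a comma between operands is read as "or" (the older comma-separated form);
# parentheses group. An operand matches a script when it is the name "all",
# one of the script's categories, or a wildcard pattern over the script name
# with or without its ".nse" extension. SAMPLE_DB is constructed sample data.
import fnmatch
import re

TOKEN_RE = re.compile(r"\(|\)|,|[^\s(),]+")
KEYWORDS = {"and", "or", "not"}


class ScriptExprError(ValueError):
    """Raised for a malformed --script expression."""


def parse_script_expr(expr):
    """Recursive-descent parser; returns an AST of nested tuples."""
    tokens = TOKEN_RE.findall(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or():  # lowest precedence
        node = parse_and()
        while peek() in ("or", ","):
            take()
            node = ("or", node, parse_and())
        return node

    def parse_and():
        node = parse_not()
        while peek() == "and":
            take()
            node = ("and", node, parse_not())
        return node

    def parse_not():  # highest precedence
        if peek() == "not":
            take()
            return ("not", parse_not())
        return parse_atom()

    def parse_atom():
        tok = peek()
        if tok is None:
            raise ScriptExprError("unexpected end of expression")
        if tok == "(":
            take()
            node = parse_or()
            if peek() != ")":
                raise ScriptExprError("missing ')'")
            take()
            return node
        if tok in (")", ",") or tok in KEYWORDS:
            raise ScriptExprError("unexpected %r" % tok)
        return ("name", take())

    tree = parse_or()
    if pos != len(tokens):
        raise ScriptExprError("unexpected %r" % tokens[pos])
    return tree


def script_matches(node, name, categories):
    """Evaluate the AST against one script (file name without path)."""
    kind = node[0]
    if kind == "name":
        pat = node[1]
        base = name[:-4] if name.endswith(".nse") else name
        return (pat == "all" or pat in categories
                or fnmatch.fnmatchcase(base, pat)
                or fnmatch.fnmatchcase(base + ".nse", pat))
    if kind == "not":
        return not script_matches(node[1], name, categories)
    left = script_matches(node[1], name, categories)
    if kind == "and":
        return left and script_matches(node[2], name, categories)
    return left or script_matches(node[2], name, categories)


SAMPLE_DB = {  # constructed sample data: script name -> categories
    "banner": {"discovery", "safe"},
    "http-title": {"default", "discovery", "safe"},
    "http-iis-webdav-vuln": {"intrusive", "vuln"},
    "p2p-conficker": {"default", "safe"},
    "smb-brute": {"auth", "intrusive"},
    "smb-check-vulns": {"intrusive", "vuln"},
    "smb-os-discovery": {"default", "discovery", "safe"},
    "ssl-enum-ciphers": {"discovery", "intrusive"},
}


def select_scripts(expr, db=SAMPLE_DB):
    """Sorted names of the scripts in `db` selected by `expr`."""
    tree = parse_script_expr(expr)
    return sorted(n for n, cats in db.items() if script_matches(tree, n, cats))


def script_expr_error(expr):
    """The parse error message for `expr`, or None if it is well formed."""
    try:
        parse_script_expr(expr)
    except ScriptExprError as exc:
        return str(exc)
    return None
```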
- [Zenmap] The command wizard has been removed. The profile editor has the same capabilities with a better interface that doesn't require clicking through many screens. The profile editor now has its own "Scan" button that lets you run an edited command line immediately without saving a new profile. The profile editor now comes up showing the current command rather than being blank. [David]
- [Zenmap] Added a small animated throbber which indicates that a scan is still running (similar in concept to the one in the upper-right Firefox corner which animates while a page is loading). [David]
- Regenerated script.db to remove references to the non-existent smb-check-vulns-2.nse. This caused the following error message when people used the --script=all option: "nse_main.lua:319: smb-check-vulns-2.nse is not a file!" The script.db entries are now sorted again to make diffs easier to read. [David, Patrick]
- Fixed --script-updatedb on Windows: it was adding bogus backslashes preceding file names in the generated script.db. Reported by Michael Patrick at http://seclists.org/nmap-dev/2009/q2/0192.html, and fixed by Jah. The error message was also improved.
- The official Windows binaries are now compiled with MS Visual C++ 2008 Express Edition SP1 rather than the RTM version. We also now distribute the matching SP1 version of the MS runtime components (vcredist_x86.exe). A number of compiler warnings were fixed too. [Fyodor, David]
- Fixed a bug in the new NSE Lua core which caused it to round fractional runlevel values to the next integer. This could cause dependency problems for the smb-* scripts and others which rely on floating point runlevel values (e.g. that smb-brute at runlevel 0.5 will run before smb-system-info at the default runlevel of 1).
- The SEQ.CI OS detection test introduced in 4.85BETA4 now has some examples in nmap-os-db and has been assigned a MatchPoints value of 50. [David]
- [Ncat] When using --send-only, Ncat will now close the network connection and terminate after receiving EOF on standard input. This is useful for, say, piping a file to a remote ncat where you don't care to wait for any response. [Daniel Roethlisberger]
- [Ncat] Fix hostname resolution on BSD systems where a recently fixed libc bug caused getaddrinfo(3) to fail unless a socket type hint is provided. Patch originally provided by Hajimu Umemoto of FreeBSD. [Daniel Roethlisberger]
- [NSE] Fixed a bug in the DNS library which caused the error message "nselib/dns.lua:54: 'for' limit must be a number". [Jah]
- Fixed Solaris 10 compilation by renaming a yield structure which conflicted with a yield function declared in unistd.h on that platform. [Pieter Bowman, Patrick]
- [Ncat] Minor code cleanup of Ncat memory allocation and string duplication calls. [Ithilgore]
- Fixed a bug which could cause -iR to only scan the first host group and then terminate prematurely. The problem related to the way hosts are counted by o.numhosts_scanned. [David]
- Fixed a bug in the su-to-zenmap.sh script so that, in the cases where it calls su, it uses the proper -c option rather than -C. [Michal Januszewski, Henry Gebhardt]
- Overhauled the NSE documentation "Usage and Examples" section and added many more examples: https://nmap.org/book/nse-usage.html [David]
- [NSE] Made hexify in nse_nsock.cc take an unsigned char * to work around an assertion in Visual C++ in Debug mode. The isprint, isalpha, etc. functions from ctype.h have an assertion that the value of the character passed in is <= 255. If you pass a character whose value is >= 128, it is cast to an unsigned int, making it a large positive number and failing the assertion. This is the same thing that was reported in http://seclists.org/nmap-dev/2007/q2/0257.html, in regard to non-ASCII characters in nmap-mac-prefixes. [David]
- [NSE] Fixed a segmentation fault which could occur in scripts which use the NSE pcap library. The problem was reported by Lionel Cons and fixed by Patrick.
- [NSE] Port script start/finish debug messages now show the target port number as well as the host/IP. [Jah]
- Updated IANA assignment IP list for random IP (-iR) generation. [Kris]
- [NSE] Fixed http.table_argument so that user-supplied HTTP headers are now properly sent in HTTP requests. [Jah]
Nmap 4.85BETA8 [2009-04-21]
- Ncat's HTTP proxy now supports the GET, HEAD, and POST methods in addition to the CONNECT tunneling method, so it can be used as a proxy with an ordinary web browser. [David]
- Ncat can now run as an authenticated proxy in HTTP proxy mode. Use --proxy-auth to provide a username and password that will be required of proxy users. Only the insecure (not encrypted) Basic authentication method is supported. [David]
- Ndiff's text output has been redone to look more like Nmap output and be easier to read. See the Ndiff README file for an example. The XML output is now based on Nmap's XML output as well. Zenmap's diff viewer now shows the new output with syntax highlighting. [David]
- The new versions of the Conficker Internet worm ban infected systems from visiting Insecure.Org and Nmap.Org. We take that as a compliment to the effectiveness of our remote Conficker scanner. They also ban DNS substrings "honey" (for the Honeynet Project), "doxpara" (for Dan Kaminsky's site), "tenablese" for Tenable Security, "coresecur" for Core Security Technologies, and "iv.cs.uni" for those meddlesome (to the Conficker authors) researchers at the University of Bonn. For people who can't reach nmap.org due to infection, I've mirrored this release at http://sectools.org/nmap/. [Fyodor]
- New Conficker versions eliminate the loophole we were using to detect them with smb-check-vulns.nse, so we've added new methods which work with the newest variants. Here are the Conficker-related improvements since BETA7:
  - Added new p2p-conficker script which detects Conficker using its P2P update ports rather than MSRPC. This is based on some new research by Symantec. See https://nmap.org/nsedoc/scripts/p2p-conficker.html [Ron]
  - Since new Conficker variants prevent detection by our previous MSRPC check in smb-check-vulns, we've added a new check which still works. It involves calling netpathcanonicalize on "\" rather than "\..\" and checking for a different return value. It was discovered by Felix Leder and Tillmann Werner. [Ron]
  - Improved smb-check-vulns Conficker error message text to be more useful. [David]
  - smb-check-vulns now defaults to using basic login rather than extended logins as this seems to work better on some machines. [Ron]
  - Recommended command for a fast Conficker scan (combine into 1 line): nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args checkconficker=1,safe=1 -T4 [target networks]
  - Recommended command for a more comprehensive (but slower) scan: nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p- --script-args checkall=1,safe=1 -T4 [target networks]
- [NSE] The Nmap Script Engine core (C++) was rewritten in Lua for code simplicity and extensibility. See http://seclists.org/nmap-dev/2009/q2/0090.html and http://seclists.org/nmap-dev/2009/q1/0047.html . [Patrick]
- [Zenmap] The "Cancel" button has been restored to the main screen. It will cancel the scan that is currently being displayed. [David]
- Fixed an SMB library bug which could cause a nil-pointer exception when scanning broken SMB implementations. Reported by Steve Horejsi. [Ron]
- [Ndiff] The setup.py installation script now suggests installing the python-dev package in a certain error situation. Previously the error message it printed was misleading:
    error: invalid Python installation: unable to open /usr/lib/python2.6/config/Makefile (No such file or directory)
  The change was suggested by Aaron Leininger. [David]
- [Nbase] The checksum functions now have an nbase_ prefix. This should prevent name collisions with internal but exported functions in shared libraries Nmap links against (e.g. adler32() in zlib). Such collisions seem to confuse the runtime linker on some platforms. [Daniel Roethlisberger]
- Fixed banner.nse to remove surrounding whitespace from banners. For example, this avoids a superfluous carriage return and newline at the end of SSH greetings. [Patrick]
- Expanded and tweaked the product/version/info of service scans in an attempt to reduce the number of warnings like "Warning: Servicescan failed to fill info_template...". Parts of this change include:
  - Improved the text of the warning to be less confusing
  - Increased the internal version info buffer to 256 chars from 128
  - Increased the final version string length to 160 from 128 chars
  - Changed the behavior when constructing the final version string so that if it runs out of space, rather than dropping the output of that template it truncates the template with ...
  - Fixed the printing of unneeded spaces between templates when one of the templates isn't going to be printed at all.
- Improved the service scan DB to remove certain problematic regex patterns which could lead to PCRE_MATCHLIMIT errors. For example, instances of ".*\r\n.*" and ".*\n.*\n" were generally collapsed to ".*" as long as the DOTALL (/s) modifier was set. [Brandon]
- Changed some error() calls (which were more informational than error messages) to use log_write() instead, and changed a few f?printf() calls into error() or log_write(). [Brandon]
- [Ncat] Fixed a bug in the resolve() function which could cause Ncat to resolve names using the wrong address family (such as AF_INET rather than AF_INET6) in some rare cases. [Daniel Roethlisberger]
- [Zenmap] Worked around a GTK+ bug on Windows reported by Henry Nymann. It caused a crash when opening the Hosts Viewer on a host that had OS information. A window appeared saying simply "Runtime Error!". [David]
- [Zenmap] Gracefully handle unrecognized port states in the hosts viewer. Apparently old versions of Nmap can return a state of "unknown". This prevents this crash:
    File "radialnet\gui\NodeNotebook.pyo", line 107, in __init__
    File "radialnet\gui\NodeNotebook.pyo", line 257, in __create_widgets
    KeyError: u'unknown'
  [David]
- Rewrote the debugging error message "Found whacked packet protocol 17 in get_ping_pcap_result" because we decided that receiving a UDP packet during a TCP ping scan is not egregious enough to qualify as "whacked". [David]
Nmap 4.85BETA7 [2009-04-1]
- Improvements to the Conficker detection script (smb-check-vulns):
  - Reduce false negative rate. We (and all the other scanners) used to require the 0x57 return code as well as a canonicalized path string including 0x5c450000. Tenable confirmed an infected system which returned a 0x00000000 path, so we now treat any host returning code 0x57 as likely infected. [Ron]
  - Add workaround for crash in older versions of OpenSSL which would occur when we received a blank authentication challenge string from the server. The error looked like: "evp_enc.c(282): OpenSSL internal error, assertion failed: inl > 0". [Ron]
  - Add helpful text for the two most common errors seen in the Conficker check in smb-check-vulns.nse. So instead of saying things like "Error: NT_STATUS_ACCESS_DENIED", output is like:
      | Conficker: Likely CLEAN; access was denied.
      | | If you have a login, try using --script-args=smbuser=xxx,smbpass=yyy
      | | (replace xxx and yyy with your username and password). Also try
      | |_ smbdomain=zzz if you know the domain. (Error NT_STATUS_ACCESS_DENIED)
    The other improved message is for NT_STATUS_OBJECT_NAME_NOT_FOUND. [David]
- The NSEDoc portal at https://nmap.org/nsedoc/ now provides download links from the script and module pages to browse or download recent versions of the code. It isn't quite as up-to-date as obtaining them from svn directly, but may be more convenient. For an example, see https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html . [David, Fyodor]
- A copy of the Nmap public svn repository (/nmap, plus its zenmap, nsock, nbase, and ncat externals) is now available at https://nmap.org/svn/. We'll be updating this regularly, but it may be slightly behind the SVN version. This is particularly useful when you need to link to files in the tree, since browsers generally don't handle svn:// repository links. [Fyodor]
- Declare a couple of msrpc.lua variables as local to avoid a potential deadlock between smb-server-stats.nse instances. [Ron]
Nmap 4.85BETA6 [2009-03-31]
- Fixed some bugs with the Conficker detection script (smb-check-vulns) [Ron]:
  - SMB response timeout raised to 20s from 5s to compensate for slow/overloaded systems and networks.
  - MSRPC now only signs messages if OpenSSL is available (avoids an error).
  - Better error checking for the MS08-067 patch.
  - Fixed forgotten endian-modifier (caused problems on big-endian systems such as Solaris on SPARC).
- Host status messages (up/down) are now uniform between ping scanning and port scanning and include more information. They used to vary slightly, but now all look like
    Host <host> is up (Xs latency).
    Host <host> is down.
  The new latency information is Nmap's estimate of the round trip time. In addition, the reason for a host being up is now printed for port scans just as for ping scans, with the --reason option. [David]
- Version detection now has a generic match line for SSLv3 servers, which matches more servers than the already-existing set of specific match lines. The match line found 13% more SSL servers in a test. Note that Nmap will not be able to do SSL scan-through against a small fraction of these servers, those that are SSLv3-only or TLSv1-only, because that ability is not yet built into Nsock. There is also a new version detection probe that works against SSLv2-only servers. These have shown themselves to be very rare, so that probe is not sent by default. Kristof Boeynaems provided the patch and did the testing.
- [Zenmap] A typo that led to a crash if the ndiff subprocess terminated with an error was fixed. [David] The message was
    File "zenmapGUI\DiffCompare.pyo", line 331, in check_ndiff_process
    UnboundLocalError: local variable 'error_test' referenced before assignment
- [Zenmap] A crash was fixed:
    File "zenmapGUI\SearchGUI.pyo", line 582, in operator_changed
    KeyError: "Syst\xc3\xa8me d'Exploitation"
  The text could be different, because the error was caused by translating a string that was also being used as an index into an internal data structure. The string will be untranslated until that part of the code can be rewritten. [David]
- [Zenmap] A bug was fixed that caused a crash when doing a keyword: or target: search over hosts that had a MAC address. [David] The crash output was
    File "zenmapCore\SearchResult.pyo", line 86, in match_keyword
    File "zenmapCore\SearchResult.pyo", line 183, in match_target
    TypeError: argument of type 'NoneType' is not iterable
- Fixed a bug which prevented all comma-separated --script arguments from being shown in Nmap normal and XML output files where they show the original Nmap command. [David]
- Fixed ping scanner's runtime statistics system so that instead of saying "0 undergoing Ping Scan" it gives the actual number of hosts in the group (e.g. 4096). [David]
- [Zenmap] A crash was fixed in displaying the "Error creating the per-user configuration directory" dialog:
    File "zenmap", line 104, in <module>
    File "zenmapGUI\App.pyo", line 129, in run
    UnicodeDecodeError: 'utf8' codec can't decode bytes in position 43-45: invalid data
  The crash would only happen to users with paths containing multibyte characters in a non-UTF-8 locale, who also had some error preventing the creation of the directory. [David]
Nmap 4.85BETA5 [2009-03-30]
- Ron (in just a few hours of furious coding) added remote detection of the Conficker worm to smb-check-vulns. It is based on new research by Tillmann Werner and Felix Leder. You can scan your network for Conficker with a command like: nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [target networks]
- Ndiff now includes service (version detection) and OS detection differences. [David]
- [Ncat] The --exec and --sh-exec options now work in UDP mode like they do in TCP mode: the server handles multiple concurrent clients and doesn't have to be restarted after each one. Marius Sturm provided the patch.
- [Ncat] The -v option (used alone) no longer floods the screen with debugging messages. With just -v, we now only print the most important status messages such as "Connected to ...", a startup banner, and error messages. At -vv, minor debugging messages are enabled, such as what command is being executed by --sh-exec. With -vvv you get detailed debugging messages. [David]
- [Ncat] Chat mode now lets other participants know when someone connects or disconnects, and it also broadcasts a current list of participants at such times. [David]
- [Ncat] Fixed a socket handling bug which could occur when you redirect Ncat stdin, such as "ncat -l --chat < /dev/null". The next user to connect would end up with file descriptor 0 (which is normally stdin) and thus confuse Ncat. [David]
- [Zenmap] The "Scan Output" expanders in the diff window now behave more naturally. Some strange behavior on Windows was noted by Jah. [David]
- The following OS detection tests are no longer included in OS fingerprints: U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI. RUL, DLI, and SI were found not to be helpful in distinguishing operating systems because they didn't vary. TOS and TOSI were disabled in 4.85BETA1 but now they are not included in prints at all. [David]
- The compile-time Nmap ASCII dragon is now more ferocious thanks to better teeth alignment. [David]
- Version 4.85BETA4 had a bug in the implementation of the new SEQ.CI test that could cause a closed-port IP ID to be written into the array for the SEQ.TI test and cause erroneous results. The bug was found and fixed by Guillaume Prigent.
- Nbase has grown routines for calculating Adler32 and CRC32C checksums. This is needed for future SCTP support. [Daniel Roethlisberger]
- [Zenmap] Zenmap no longer shows an error message when running Nmap with options that cause a zero-length XML file to be produced (like --iflist). [David]
- Fixed an off-by-one error in printableSize() which could cause Nmap to crash while reporting NSE results. Also, NmapOutputTable's memory allocation strategy was improved to conserve memory. [Brandon, Patrick]
- [Zenmap] We now give the --force option to setup.py for installation to ensure that it replaces all files. [David]
- Nmap's --packet-trace, --version-trace, and --script-trace now use an Nsock trace level of 2 rather than 5. This removes some superfluous lines which can flood the screen. [David]
- [Zenmap] Fixed a crash which could occur when loading the help URL if the path contains multibyte characters. [David]
- [Ncat] The version number is now matched to the Nmap release it came with rather than always being 0.2. [David]
- Fixed a strtok issue between load_exclude and TargetGroup::parse_expr that caused only the first exclude on a line to be loaded, as well as an invalid read into free()'d memory in load_exclude(). [Brandon, David]
- NSE's garbage collection system (for cleaning up sockets from completed threads, etc.) has been improved. [Patrick]
Nmap 4.85BETA4 [2009-3-15]
- Added two new SMB/MSRPC NSE scripts by Ron Bowes:
  - smb-brute.nse: Bruteforce to discover SMB accounts. Has advanced features, such as lockout detection, username validation, username enumeration, and optimized case detection.
  - smb-pwdump.nse: Uses executables from the Pwdump6 project to dump password hashes from a remote machine (and optionally crack them with Rainbow Crack). Pwdump6 files have to be downloaded separately.
- [Ncat] The --exec and --sh-exec options now work on Windows. This was a big job, considering that Windows doesn't even have a fork() call and has all sorts of socket idiosyncrasies. [David]
- Doug performed one of the largest version detection integration runs ever, processing 1,746 submissions and 18 corrections. We are now current with all submissions up to February 3. Keep them coming. The version detection database has grown to 5,476 signatures for 510 application protocols. Doug posted his notes on the integration at http://hcsw.org/blog.pl/37. We now have 1,868 http server signatures, and the number of gopher signatures has bumped up from 5 to 6.
- Released the new Ncat guide which contains practical real-life Ncat usage examples for Ncat's major features. It complements the more option-centric man page. Read it here: https://nmap.org/ncat/guide/ [David, Fyodor]
- Ndiff is now included in the Windows zip distribution. For space reasons, it is not an executable compiled with py2exe as in the executable installer; rather it is the Ndiff source code (ndiff.py) and a batch file wrapper (ndiff.bat). Because it's not precompiled, it's necessary to have a Python interpreter installed. [David]
- The new --stats-every option takes a time interval that controls how often timing status updates are printed. It's intended to be used when Nmap is run by another program as a subprocess. Thanks to Aleksandar Petrinic for the initial implementation. [David]
- [NSE] A new function stdnse.sleep allows a script to sleep for a given time (and yield control to other scripts). [David]
- [Ncat] In --chat mode (formerly --talk), the server now announces to everyone when someone connects or disconnects. Besides letting you know who's connected, this also informs you of your "user name" as soon as you connect. [David]
- [Ncat] Ncat now works interactively on Windows. Before, peculiarities in the way Windows handles reading from the keyboard meant that typing interactively into Ncat would cause it to quit with a write timeout. [David]
- Refactored SMB and MSRPC NSE scripts significantly, moving much of the code into the smb.lua and msrpc.lua modules where it can be leveraged by other scripts. For example, the user enumeration functions are used by smb-brute.nse. [Ron Bowes]
- [Ncat] The syntax accepted by the --allow, --deny, --allowfile, and --denyfile options is now the same as Nmap's target specifications. Additionally, any errors in the allow or deny specifications are reported when the program starts, not deferred until a connection is received. [David]
- You can now use '-' by itself in a target IP specification to mean 0-255, so you could scan 192.168.-.-. An asterisk can also still be used as an octet wildcard, but then you have to deal with shell escaping on many platforms. [David]
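An added example of the octet syntax just described (my own C, not Nmap's TargetGroup parser): it validates each field of a dotted-quad specification as a plain number, a range such as 1-10, or the '-' and '*' wildcards for 0-255, and returns the number of addresses covered, which is the check an --excludefile or --denyfile entry should pass at startup rather than at connection time. Comma lists and CIDR suffixes are deliberately out of scope, and the function names are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse one octet field of a dotted-quad specification (hypothetical
 * reimplementation, not Nmap's code). Accepted forms:
 *   "17"    -> 17..17        "10-20" -> 10..20
 *   "-"     -> 0..255        "*"     -> 0..255
 *   "-20"   -> 0..20         "10-"   -> 10..255
 * Returns 0 and fills lo/hi on success, -1 if the field is malformed,
 * out of range, or reversed (a > b). */
static int parse_octet_field(const char *s, size_t len, int *lo, int *hi)
{
    char buf[16];
    char *dash, *end;
    long a, b;

    if (len == 0 || len >= sizeof buf)
        return -1;
    memcpy(buf, s, len);
    buf[len] = '\0';

    if (strcmp(buf, "*") == 0 || strcmp(buf, "-") == 0) {
        *lo = 0; *hi = 255;                 /* bare wildcard */
        return 0;
    }
    dash = strchr(buf, '-');
    if (dash == NULL) {                     /* plain number */
        if (!isdigit((unsigned char)buf[0])) return -1;
        a = strtol(buf, &end, 10);
        if (*end != '\0' || a > 255) return -1;
        *lo = *hi = (int)a;
        return 0;
    }
    *dash = '\0';                           /* split "a-b" in place */
    if (buf[0] == '\0') {
        a = 0;                              /* "-b" means 0..b */
    } else {
        if (!isdigit((unsigned char)buf[0])) return -1;
        a = strtol(buf, &end, 10);
        if (*end != '\0') return -1;
    }
    if (dash[1] == '\0') {
        b = 255;                            /* "a-" means a..255 */
    } else {
        if (!isdigit((unsigned char)dash[1])) return -1;
        b = strtol(dash + 1, &end, 10);
        if (*end != '\0') return -1;
    }
    if (a > 255 || b > 255 || a > b) return -1;
    *lo = (int)a; *hi = (int)b;
    return 0;
}

/* Number of IPv4 addresses a specification covers, or -1 if any field
 * is invalid or there are not exactly four fields. */
long count_addresses(const char *spec)
{
    long total = 1;
    int octets = 0;
    const char *p = spec;

    for (;;) {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);
        int lo, hi;

        if (octets == 4) return -1;         /* more than four fields */
        if (parse_octet_field(p, len, &lo, &hi) != 0) return -1;
        total *= (long)(hi - lo + 1);
        octets++;
        if (dot == NULL) break;
        p = dot + 1;
    }
    return octets == 4 ? total : -1;
}

int main(void)
{
    /* Constructed sample specifications, including malformed ones. */
    const char *samples[] = { "192.168.-.-", "10.0.0.1-10", "10.0.*.1",
                              "10.0.0.256", "10.0.0", "10.0.0.5-1" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %ld\n", samples[i], count_addresses(samples[i]));
    return 0;
}
```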
- Nmap was discovered in another movie! In the Russian film Khottabych, teenage hacker Gena uses Nmap (and telnet) to hack Microsoft. In response, MS sends a pretty female hacker to flush him out. More details and screenshots: https://nmap.org/movies/#khottabych .
- Improved operating system support for the smb-enum-sessions NSE script; previous revisions worked on Windows 2003 or Windows 2000, but never both. Currently, it is tested and working on both versions. [Ron Bowes]
- Implemented file-management functions in SMB, including file upload, file download, and file delete. Only leveraged by smb-pwdump.nse at the moment, these functions give scripts the ability to perform checks against the filesystem of a server. [Ron Bowes]
- [Zenmap] A crash was fixed that occurred when you ran a scan that didn't produce any host output (like "nmap --iflist") and then tried to remove it from the inventory. [David] The crash looked like
  ValueError: list.remove(x): x not in list
- [Ncat] In --chat mode, the server escapes potentially dangerous control characters (in octal) before sending them to clients. [David]
- [Ndiff] Added a workaround for a bug in PyXML. The bug would cause a crash that looked like "KeyError: 0". [David]
- [Zenmap] Fixed a crash when something that looked like a format specifier (like %y) appeared in a profile. The error message was
  ValueError: unsupported format character 'y' (0x79)
  [David]
- A bug was fixed in route finding on BSD Unix. The libdnet function addr_stob didn't handle the special case of the sa_len member of struct sockaddr being equal to 0 and accessed unrelated memory past the end of the sockaddr. A symptom of this was the fatal error
  nexthost: failed to determine route to ...
  which was caused by the default route being assigned a netmask other than 0.0.0.0. [David]
- Added bindings for the service control (SVCCTL) and at service (ATSVC) services. These are both related to running processes on the remote system (identical to how PsExec-style scripts work). These bindings are used by smb-pwdump.nse. [Ron Bowes]
- Refactored SMB authentication code into its own module, smbauth.lua. Improved scripts' ability to store and retrieve login information discovered by modules such as smb-brute.nse. [Ron Bowes]
- Added message signing to SMB. Connections will no longer fail if the server requires message signatures. This is a rare case, but comes up on occasion. If a server allows but doesn't require message signing, smb.lua will negotiate signing. This improves security by preventing man-in-the-middle attacks. [Ron Bowes]
- Fixed the daytime.nse script to work for UDP again (it was checking a "proto" field when the field name is actually "protocol"). [Jah]
- Implemented extended security negotiations in the NSE SMB module. Creates no noticeable change from the user's perspective, but it's a more modern protocol. [Ron Bowes]
- Nmap wins LinuxQuestions.Org Network Security Application of the Year for the sixth year in a row! See http://seclists.org/nmap-dev/2009/q1/0395.html .
- [Zenmap] Removed some unnecessary (mostly GTK+-related) files from the Windows installer--nmap-4.85BETA4-setup.exe is now smaller than it has ever been since Nmap 4.22SOC6, which was released in August 2007! [David]
- Fixed the install-zenmap make target for Solaris portability. Solaris /bin/sh does not have test(1) -e. [Daniel Roethlisberger]
- Version detection used to omit the "ssl/" service name prefix if an SSL-tunneled port didn't respond to any version probes. Now it keeps "ssl/" as an indication that SSL was discovered, even if the service behind it wasn't identified. Kristof Boeynaems reported the problem and contributed a patch. [David]
- [Ncat] The --talk option has been renamed --chat. --talk remains as an undocumented alias.
- There is a new OS detection test named SEQ.CI. Like TI and II, CI classifies the target's IP ID sequence generation algorithm. CI is based on the responses received to the probes sent to a closed port. The algorithm for closed ports has been observed to differ from that for open ports on some operating systems (though we don't yet know which ones). The new test won't have an effect until new fingerprints containing it are added to nmap-os-db. We got the idea from some notes sent in by Dario Ciccarone. [David, Fyodor]
- OS fingerprints now include the SEQ.II test (ICMP IP ID sequence generation) even if there are no other SEQ test results. The previous omission of SEQ.II in that case was a bug. [David]
- [Ncat] The --send-only and --recv-only options now work in listen mode as well as connect mode. [David]
- [Ncat] An error in formatting bytes with the high bit set in hex dump output was fixed. [David]
- [Zenmap] New translation: Croatian (contributed by Vlatko Kosturjak).
- Fixed a DNS decoding bug in dns-zone-transfer.nse that created garbage output and could crash Zenmap by including 0x0C bytes in XML files. The Zenmap crash looked like
  SAXParseException: .../zenmap-XXXXXX.xml:39:290: not well-formed (invalid token)
  Thanks to Anino Belan and Eric Nickel for sending in affected log files. [David]
- [NSEDoc] Scripts that use modules automatically have the script arguments defined by those modules included in their documentation. It's no longer necessary to manually supply @args for the arguments in the modules you use. For those who haven't seen the NSEDoc portal yet, check out https://nmap.org/nsedoc/. [David]
- An integer overflow in the scan progress meter was fixed. It caused nonsense output like
  UDP Scan Timing: About 11.34% done; ETC: 03:21 (-688:-41:-48 remaining)
  during very long scans. [Henri Doreau]
- [Zenmap] A better method of detecting the system locale is used, so it should not be necessary to set the LANG environment variable on Windows to get internationalized text. Thanks to Dirk Loss for the suggestion. [David]
- [Ncat] Added a number of automated tests for ensuring that Ncat is working correctly. They are in /ncat/test in SVN. [David]
- [Ncat] Now builds again when using the --without-openssl option. [David]
- [Zenmap] Fix auto-scroll behavior while Nmap is producing output, as that previously failed in some cases involving wide lines in output. [David]
- [Zenmap] The network topology feature (Radialnet) has been internationalized so its strings will be localized as well (as soon as the relevant language's translation files are updated). To help out, see https://nmap.org/book/zenmap-lang.html . Some remaining search interface elements were internationalized as well. [David]
- Improved the efficiency of the xml_convert() routine which handles XML escaping. It was so inefficient that this stupid little routine was noticeably slowing Nmap down in some cases. [David]
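As an added illustration (my own C, not Nmap's xml_convert()), here is an escaper that sizes its output in one pass and fills it in a second, so there is no per-character reallocation, and that also neutralizes the control bytes XML 1.0 forbids, such as the 0x0C that produced the "invalid token" crash in the dns-zone-transfer entry above. The function name and the \xNN placeholder are my own choices, and bytes at or above 0x80 are assumed to be UTF-8 and passed through unchanged.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The only control characters XML 1.0 permits below 0x20. */
static int xml_allowed_control(unsigned char c)
{
    return c == '\t' || c == '\n' || c == '\r';
}

/* Entity for the five markup characters; NULL means "copy the byte". */
static const char *xml_entity(unsigned char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&apos;";
    default:   return NULL;
    }
}

/* Escape s for use as XML character data or an attribute value.
 * Forbidden control bytes become a visible "\xNN" placeholder (my own
 * convention) instead of being written raw and breaking the parser.
 * The output length is measured first so a single malloc() suffices.
 * Returns NULL only on allocation failure; the caller frees the result. */
char *xml_escape(const char *s)
{
    size_t i, n = strlen(s), out = 0;
    char *r, *p;

    /* pass 1: measure */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        const char *e = xml_entity(c);
        if (e)
            out += strlen(e);
        else if (c < 0x20 && !xml_allowed_control(c))
            out += 4;                       /* "\xNN" */
        else
            out += 1;
    }

    r = malloc(out + 1);
    if (r == NULL)
        return NULL;

    /* pass 2: fill, mirroring the measuring rules exactly */
    p = r;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        const char *e = xml_entity(c);
        if (e) {
            size_t l = strlen(e);
            memcpy(p, e, l);
            p += l;
        } else if (c < 0x20 && !xml_allowed_control(c)) {
            p += sprintf(p, "\\x%02X", c);  /* writes exactly 4 chars */
        } else {
            *p++ = (char)c;
        }
    }
    *p = '\0';
    return r;
}

int main(void)
{
    /* Constructed sample: a record name with markup and an embedded
     * form feed (0x0C), the byte that produced the "invalid token" error. */
    const char sample[] = "www.example.com <alias & \"cname\">\x0C" "tail";
    char *escaped = xml_escape(sample);

    if (escaped != NULL) {
        printf("%s\n", escaped);
        free(escaped);
    }
    return 0;
}
```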
- Removed 9 OS detection device types which only had one or two instances in our whole database (ATM, TV, oscilloscope, etc.) and made some other cleanups as well. We plan to enhance this even further for the next release. [Fyodor, David, Doug]
- [Zenmap] Removed some unnecessary GTK+ files from the files installed by the Windows executable installer. [David]
- [Zenmap] Tweaked the file format of the topology icons (firewall.png, padlock.png, etc.) in an attempt to improve compatibility with some versions of GTK+. This may fix a crash like
  File "radialnet/gui/Image.py", line 53, in get_pixbuf
    self.__cache[icon + image_type] = gtk.gdk.pixbuf_new_from_file(file)
  GError: Couldn't recognize the image file format for file 'radialnet/padlock.png'
  Thanks to Trevor Bain for a report and help debugging. [David]
- Removed a bunch of unnecessary files (mostly GTK related) from the Win32 exe installer to reduce its size. [David]
- Fixed an NSE crash (assertion error) which looked like "nsock_core.c:293: handle_connect_result: Assertion `0' failed". Brandon reported the bug, which was fixed by Doug and David. See http://seclists.org/nmap-dev/2009/q1/0546.html .
Nmap 4.85BETA3 [2009-2-2]
- Revert the temporary GTK DLL workaround (r11899) which added duplicate DLL files to the distribution. David found that using a different GTK download fixed the problem (see docs/win32-installer-zenmap-buildguide.txt) and Fyodor was able to reproduce and implement.
- The conditions for printing OS fingerprints to XML output are now the same as are used to decide whether to print them in the other formats. So they will be printed if submission is desirable; otherwise they are only printed if debugging is enabled or verbosity is 2 or higher. [Tom Sellers]
- Removed some Brazilian poetry/lyrics from Zenmap source code (NmapOutputViewer.py). We've seen enough of it in the debug logs. "E nao se entrega, nao".
- Fix Ncat compilation with the MingW Windows compiler. [Gisle Vanem]
- Corrected some NSE libraries (datafiles, tab) which were using the old arg table interface. [Patrick]
- [Zenmap] Fixed a crash that happened when running a scan directly from the command wizard without saving a profile [David]:
  NmapParser.py", line 417, in set_target
    self.ops.target_specs = target.split()
  AttributeError: 'NoneType' object has no attribute 'split'
- Fixed an NSE pop3 library error which gave a message such as:
  SCRIPT ENGINE (506.424s): ./scripts/pop3-capabilities.nse against a.b.1.47:995 ended with error: ./scripts/pop3-capabilities.nse:32: bad argument #1 to 'pairs' (table expected, got string)
  [Jah]
- Upgraded the OpenSSL binaries shipped in our Windows installer to version 0.9.8j. [Kris]
- Updated IANA assignment IP list for random IP (-iR) generation. [Kris]
Nmap 4.85BETA2 [2009-1-29]
- Added some duplicate GTK DLLs to Windows installer, as a temporary fix for this issue: http://seclists.org/nmap-dev/2009/q1/0207.html The problem caused a warning message complaining of problems finding librsvg-2-2.dll to pop up 32 times before Zenmap would start. We're still looking for a better fix. [Fyodor, Rob, Jah]
- Made a few improvements to nmap.xsl (details: http://seclists.org/nmap-dev/2009/q1/0210.html) [Tom Sellers]
- [Zenmap] New translation: French (contributed by Gutek)
- Updated the mswin32 installer build guide and posted it to https://svn.nmap.org/nmap/docs/win32-installer-zenmap-buildguide.txt [Fyodor]
- The xampp-default-auth.nse script was renamed to ftp-brute.nse since it has become more general.
Nmap 4.85BETA1 [2009-1-23]
- Added Ncat, a much-improved reimplementation of the venerable Netcat tool which adds modern features and makes use of Nmap's efficient networking libraries. Features include SSL support, proxy connections (client or server, socks4 or connect-based, with or without authentication, optionally chained), TCP and UDP connection redirection, connection brokering (facilitating connections between machines which are behind NAT gateways), and much more. It is cross-platform (Linux, Windows, Mac, etc.) and supports IPv6 as well as standard IPv4. See https://nmap.org/ncat/ for details. It is now included in our binary packages (Windows, Linux, and Mac OS X), and built by default. You can skip it with the --without-ncat configure option. Thanks to Kris and David for their great work on this!
- Added the Ndiff utility, which compares the results of two Nmap scans and describes the new/removed hosts, newly open/closed ports, changed operating systems, etc. This makes it trivial to scan your networks on a regular basis and create a report (XML or text format) on all the changes. See https://nmap.org/ndiff/ and ndiff/README for more information. Ndiff is included in our binary packages and built by default, though you can prevent it from being built by specifying the --without-ndiff configure flag. Thanks to David and Michael Pattrick for their great work on this.
- Released Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book suits all levels of security and networking professionals. A 42-page reference guide documents every Nmap feature and option, while the rest of the book demonstrates how to apply those features to quickly solve real-world tasks. It was briefly the #1 selling computer book on Amazon. Translations to the German, Korean, and Brazilian Portuguese languages are forthcoming. More than half of the book is already free online. For more, see https://nmap.org/book/.
- David spent more than a month working on algorithms to improve port scan performance while retaining or improving accuracy. The changes are described at http://seclists.org/nmap-dev/2009/q1/0054.html . He was able to reduce our "benchmark scan time" (which involves many different scan types from many source networks to many targets) from 1879 seconds to 1321 without harming accuracy. That is a 30% time reduction!
- Introduced the NSE documentation portal, which documents every NSE script and library included with Nmap. See https://nmap.org/nsedoc/. Script documentation was improved substantially in the process. Scripts and libraries must use the new NSEDoc format, which is described at https://nmap.org/book/nsedoc.html . Thanks to Patrick and David for their great work on this.
- The 2nd Generation OS Detection System was dramatically improved for better accuracy. After substantial testing, David and Fyodor made the following changes:
  - The "T" (TTL test) result ranges were widened to prevent minor routing (and device hardware inconsistency) variations from causing so many matches to fail.
  - The TG (TTL guess) results were canonicalized. Nmap is only capable of assigning the values 0x20, 0x40, 0x80, and 0xFF for these tests, yet many fingerprints had different values. This was due to bugs in our fingerprint integration tools.
  - The U1.TOS and IE.TOSI tests (both having to do with the IP Type of Service field) have been effectively eliminated (MatchPoints set to 0). These proved particularly susceptible to false results due to networking hardware along the packet route manipulating the TOS header field.
  - An important bug in OS detection's congestion control algorithms was fixed. It could lead to Nmap sending packets much too quickly in some cases, which hurt accuracy.
- Integrated all of your OS detection fingerprint submissions and corrections up to January 8. The DB has grown more than 17% to 1,761 fingerprints. Newly detected services include Mac OS X 10.5.6, Linux 2.6.28, iPhone 2.1, and all manner of WAPs, VoIP phones, routers, oscilloscopes, employee timeclocks, etc. Keep those submissions coming!
- Ron Bowes embarked on a massive MSRPC/NETBIOS project to allow Nmap to interrogate Windows machines much more completely. He added three new nselib modules: msrpc, netbios, and smb. As the names suggest, they contain common code for scripts using MSRPC, NetBIOS, and SMB. These modules allow scripts to extract a great deal of information from hosts running Windows, particularly Windows 2000. New or updated scripts using the modules are:
  - nbstat.nse: get NetBIOS names and MAC address.
  - smb-enum-domains.nse: enumerate domains and policies.
  - smb-enum-processes.nse: allows a user with administrator credentials to view a tree of the processes running on the remote system (uses HKEY_PERFORMANCE_DATA hive).
  - smb-enum-sessions.nse: enumerate logins and SMB sessions.
  - smb-enum-shares.nse: enumerate network shares.
  - smb-enum-users.nse: enumerate users and information about them.
  - smb-os-discovery.nse: get operating system over SMB (replaces netbios-smb-os-discovery.nse).
  - smb-security-mode.nse: determine if a host uses user-level or share-level security, and what other security features it supports.
  - smb-server-stats.nse: grab statistics such as network traffic counts.
  - smb-system-info.nse: get lots of information from the registry.
- A problem that caused OS detection to fail for most hosts in a certain case was fixed. It happened when sending raw Ethernet frames (by default on Windows or on other platforms with --send-eth) to hosts on a switched LAN. The destination MAC address was wrong for most targets. The symptom was that only one out of each scan group of 20 or 30 hosts would have a meaningful OS fingerprint. Thanks go to Michael Head for running tests and especially Trent Snyder for testing and finding the cause of the problem. [David]
- Zenmap now runs ndiff for its "Compare Results" function. This completely replaces the old diff view. The diff window size is now more flexible for user resizing as well. [David]
- Added a Russian translation of the Nmap Reference Guide by Guz Alexander. We now have translations in 15 languages available from https://nmap.org/docs.html . More volunteer translators are welcome, as we are still missing some important languages. Translation instructions are available from that docs.html page.
- Update Windows installer to handle Windows 7 (tested with the Beta build 7000) [Rob Nicholls]
- Improved port scan performance by changing the list of high priority ports which Nmap shifts closer to the beginning of scans because they are more likely to be responsive. We based the change on empirical data from large-scale scanning. The new port list is:
  21, 22, 23, 25, 53, 80, 110, 111, 113, 135, 139, 143, 199, 256, 443, 445, 554, 587, 993, 995, 1025, 1720, 1723, 3306, 3389, 5900, 8080, 8888
  [Fyodor, David]
- [NSE] Almost all scripts were renamed to be more consistent. They are now all lowercase and most of them start with the name of the service they query. Words are separated by hyphens. [David, Fyodor]
- [NSE] Now that scripts are better named, the "Id" field has been removed and the script name (sans the .nse or directory path information) is used in script output instead. [David]
- [NSE] Added banner.nse, a simple script which connects to open TCP ports and prints out anything sent in the first five seconds by the listening service. [Jah]
- [NSE] Added a new OpenSSL library with functions for multiprecision integer arithmetic, hashing, HMAC, symmetric encryption and symmetric decryption. [Sven]
- [Zenmap] Internationalization has been fixed [David]. Currently Zenmap has two translations:
  - German by Chris Leick
  - Brazilian Portuguese by Adriano Monteiro Marques (partial)
- Zenmap no longer outputs XML elements and attributes that are not in the Nmap XML DTD. This was done mostly by removing things from Zenmap's output, and adding a few new optional things to the Nmap DTD. A scan's profile name, host comments, and interactive text output are what were added to nmap.dtd. The .usr filename extension for saved Zenmap files is deprecated in favor of the .xml extension commonly used with Nmap. Because of these changes the xmloutputversion has been increased to 1.03. [David]
- The NSE registry now persists across host groups so that values stored in it will remain until they are explicitly removed or Nmap execution ends. [David]
- Enhanced the AS Numbers script (ASN.nse) to better consolidate results and bail out if the DNS server doesn't support the ASN queries. [Jah]
- Complete re-write of the marshaling logic for Microsoft RPC calls. [Ron Bowes]
- Added a script that checks for ms08-067-vulnerable hosts (smb-check-vulns.nse) using the smb nselib. It also checks for an unfixed denial of service vulnerability Ron discovered in the Windows 2000 registry service. [Ron Bowes]
- [Zenmap] Text size is larger on Mac OS X thanks to a new included gtkrc file. [David]
- Reduced memory consumption for some longer-running scans by removing completed hosts from the lists after two minutes. These hosts are kept around in case there is a late response, but this draws the line on how long we wait and hence keep this information in memory. See http://seclists.org/nmap-dev/2008/q3/0902.html for more. [Kris]
- The Windows installer now uses Zenmap binaries built using Python 2.6.1 rather than 2.5.1 [Fyodor]
- When a system route can't be matched up directly with an interface by comparing addresses, Nmap now tries to match the route through another route. This helps for instance with a PPP connection where the default route's gateway address is routed through a different route, the one associated with the address of the PPP device. The problem would show itself as an inability to scan through the default route and the error message
  WARNING: Unable to find appropriate interface for system route to ...
  [David]
- Removed a code comment which simply declared /* WANKER ALERT! */ for no good reason. [Fyodor]
- NSE prints messages in debugging mode whenever a script starts or finishes. [Patrick, David]
- [Ncat] The -l option can now be specified w/o a port number to listen on Ncat's default port number (31337).
- [Zenmap] The Nmap output window now scrolls automatically as a scan progresses. [David]
- [NSE] We now have a canonical way for scripts to check for dependency libraries such as OpenSSL. This allows them to handle the issue gracefully (by exiting or doing some of their work if possible) rather than flooding the console with error messages as before. See https://nmap.org/nsedoc/lib/openssl.html . [Patrick, David, Fyodor]
- Nmap now reports a proper error message when you combine an IPv6 scan (-6) with random IPv4 address selection (-iR). [Henri Doreau]
- Nmap now builds with the _FORTIFY_SOURCE=2 define. With modern versions of GCC, this adds extra buffer overflow protection and other security checks. It is described at http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html . [David, Doug]
- The --excludefile option correctly handles files with no terminating newline instead of claiming "Exclude file line 0 was too long to read." [Henri Doreau]
- [NSE] Changed the datafiles library to remove constraining input checks, move nmap.fetch_file() to read_from_file(), and make get_array() and get_assoc_array() into normal functions. [Sven]
- [NSE] Fixed some bugs and typos in the datafiles library. [Jah]
- Nsock handles a certain Windows connect error, WSAEADDRNOTAVAIL (errno 10049), preventing an assertion failure that looked like
  Strange connect error from 203.65.42.255 (10049): No such file or directory
  Assertion failed: 0, file .\src\nsock_core.c, line 290
  The error could be seen by running a version scan against a broadcast address. Thanks to Tilo Köppe and James Liu for reporting the problem. [David]
- An "elapsed" attribute has been added to the XML output (in the "finished" tag), representing the total Nmap scanning time in seconds (floating point). [Kris]
- Fixed a division by zero error in the packet rate measuring code that could cause a display of infinity packets per second near the start of a scan. [Jah]
- Substantially updated the Nmap Scripting Engine guide/chapter (https://nmap.org/book/nse.html) so that it is up-to-date with all the latest NSE improvements.
- Fixed a bug in the IP validation code which would have let a specially crafted reply sent from a host on the same LAN slip through and cause Nmap to segfault. Thanks to ithilgore of sock-raw.homeunix.org for the very detailed bug report. [Kris]
- [Zenmap] The crash reporter further enhances user privacy by showing all the information that will be submitted so you can edit it to remove identifying information such as the name of your home directory. If you provide an email address the report will be marked private so it will not appear on the public bug tracker. [David]
- [Zenmap] Zenmap now parses and records XSL stylesheet information from Nmap XML files, so files saved by Zenmap will be viewable in a web browser just like those produced by Nmap. [David]
- A possible Lua stack overflow in the DNS module was fixed. Lua detects these sorts of overflows and quits. [David]
- [NSE] Improved html-title script to support http-alt and https-alt (with SSL) and to handle a wider variety of redirects. [Jah]
- NSE scripts that require a list of DNS servers (currently only ASN.nse) now work when IPv6 scanning. Previously it gave an error message: "Failed to send dns query. Response from dns.query(): 9". [Jah, David]
- [Zenmap] Added a workaround for a crash
  GtkWarning: could not open display
  on Mac OS X 10.5. The problem is caused by setting the DISPLAY environment variable in one of your shell startup files; that shouldn't be done under 10.5 and removing it will make other X11-using applications work better. Zenmap will now handle the situation automatically. [David]
- http-auth.nse now properly checks for default authentication credentials. A bug prevented it from working before. [Vlatko Kosturjak]
- Renamed irc-zombie.nse to auth-spoof and improved its description and output a bit. [Fyodor]
- Removed some unnecessary "demo" category NSE scripts: echoTest, chargenTest, showHTTPVersion, and showSMTPVersion.nse. Moved daytimeTest from the "demo" category to "discovery". Removed showHTMLTitle from the "demo" category, but it remains in the "default" and "safe" categories. This leaves just smtp-open-relay in the undocumented "demo" category. [Fyodor]
- [NSE] Removed ripeQuery.nse because we now have the much more robust whois.nse which handles all the major registries. [Fyodor]
- [NSE] Removed showSSHVersion.nse. Its only real claim to fame was the ability to trick some SSH servers (including at least OpenSSH 4.3p2-9etch3) into not logging the connection. This trick doesn't seem to work with newer versions of OpenSSH, as my openssh-server-4.7p1-4.fc8 does log the connection. Without the stealth advantage, the script has no real benefit over version detection or the upcoming banner grabbing script. [Fyodor]
- [Zenmap] Profile updates: The -sS option was added to the "Intense scan plus UDP" and "Slow comprehensive scan" profiles. The -PN (ping only) option was added to "Quick traceroute". [David]
- [NSE] The smtp-commands script output is now more compact. [Jasey DePriest, David]
- [Zenmap] Added a simple workaround for a bug in PyXML (an add-on Python XML library) that caused a crash. The crash would happen when loading an XML file and looked like "KeyError: 0". [David]
- A crash caused by an incorrect test condition was fixed. It would happen when running a ping scan other than a protocol ping, without debugging enabled, if an ICMP packet was received referring to a packet that was not TCP, UDP, or ICMP. Thanks to Brandon Enright and Matt Castelein for reporting the problem. [David]
- [Zenmap] The keyboard shortcut for "Save to Directory" has been changed from Ctrl+v to Ctrl+Alt+s so as not to conflict with the usual paste shortcut. [Jah, Michael]
- Nmap now quits if you give a "backwards" port or protocol range like -p 20-10. The issue was noted by Arturo "Buanzo" Busleiman. [David]
- Fixed a bug which caused Nmap to infer an improper distance against some hosts when performing OS detection against a group whose distance varies between members. [David, Fyodor]
- [Zenmap] Host information windows are now like any other windows, and will not become unclosable by having their controls offscreen. Thanks to Robert Mead for the bug report.
- [NSE] showHTMLTitle can now follow (non-standard) relative redirects, and may do a DNS lookup to find if the redirected-to host has the same IP address as the scanned host. [Jah]
- [NSE] Enhanced the tohex() function in the stdnse library to support strings and added options to control the formatting. [Sven]
- [NSE] The http module tries to deal with non-standards-compliant HTTP traffic, particularly responses in which the header fields are separated by plain LF rather than CRLF. [Jah, Sven]
- [Zenmap] The help function now properly converts the pathname of the local help file to a URL, for better compatibility with different web browsers. [David] This should fix the crash
  WindowsError: [Error 2] The system cannot find the file specified: 'file://C:\\Program Files\\Nmap\\zenmap\\share\\zenmap\\docs\\help.html'
- [NSE] Fixed a number of small bugs in the Nmap library (nse_nmaplib.cc), as described at http://seclists.org/nmap-dev/2008/q4/0663.html [Patrick]
- The HTTP_open_proxy.nse script was updated to match Google Web Server's changed header field: "Server: gws" instead of "Server: GWS/". [Vlatko Kosturjak]
- Enhanced the ssh service detection signatures to properly detect protocol version 2 services. [Matt Selsky]
- Nsock now uses fselect() to work around problems with select() not working properly on non-socket descriptors on Windows. This was needed for Ncat to work properly on that platform. See http://seclists.org/nmap-dev/2008/q3/0766.html . [Kris]
- Removed trailing null bytes from Ncat's responses in HTTP proxy mode. [David]
- [NSE] daytime.nse now runs against TCP ports in addition to the UDP ports it already handled. The output format was also improved. [David]
- XML output now contains the full path to nmap.xml on Windows. The path is converted to a file:// URL to provide better compatibility across browsers. [Jah]
- Made DNS timeouts in NSE a bit more aggressive at higher timing levels such as -T4 and -T5. [Jah]
- A script could be executed twice if it was given with the --script option, also in the "version" category, and version detection (-sV) was requested. This has been fixed. [David]
- Fixed port number representation in some Nmap and Nsock message output. Incorrect conversion modifiers caused high ports to wrap around and be shown as negative values. [Kris]
- Upgraded the shipped libdnet library to version 1.12 (with our modifications). [Kris]
- Upgraded the OpenSSL binaries shipped in our Windows installer to version 0.9.8i. [Kris]
- [NSE] The SSLv2-support script no longer prints duplicate cyphers if they exist in the server's supported cypher list. [Kris]
- Fix compilation w/IPv6 support on Solaris by checking for inet_addr in -lnsr before using APR_CHECK_WORKING_GETNAMEINFO in configure. [David]
- Removed the nbase_md5.* and nbase_sha1.* files because our new nse_openssl library includes that functionality. [David]
- The robots.txt NSE script is now silent when there are no interesting results, rather than printing that robots.txt "is empty or has no disallowed entries". [Kris]
- Fixed a file (socket) descriptor leak which could occur when connect scan probes receive certain unusual error messages (including EHOSTUNREACH, and EHOSTDOWN). This led to error messages such as "Socket creation in sendConnectScanProbe: Too many open files (24)" [David]
- [Zenmap] Made floating host details windows into normal top-level windows. This avoids a problem where the edge of a window could be off the edge of a screen and it would not be closable. The bug was reported by Robert Mead. [David]
- Use TIMEVAL_AFTER(...) instead of TIMEVAL_SUBTRACT(...) > 0 when deciding whether a probe response counts as a drop for scan delay purposes. This prevents an integer overflow which could substantially degrade scan performance. [David]
- Reorganized macosx/Makefile to make it easier to add in new packagessuch as Ncat and Ndiff. Also removed the bogus clean-nmap andclean-zenmap targets. [David]
- [Zenmap]Fixed a crash related to the use of NmapOptions inScanNotebook.py using the old interface (ops.num_random_targes,ops.input_filename) rather than the newer dict-styleinterface. [Jah]
- Split parallel DNS resolution and system DNS resolution intoseparate functions. Previously system DNS resolution was encapsulatedinside the parallel DNS function, inside a big if block. Now the ifis on the outside and decides which of the two functions tocall. [David]
- [NSE]Remove "\r\r" in script output. If you print "\r\n", theWindows C library will transform it to "\r\r\n". So we just print"\n" with no special case for Windows. Also fixedshowSMTPversion.nse so that it doesn't print "\r\r" in the firstplace. [David]
- Updated IANA assignment IP list for random IP (-iR)generation. [Kris]
- OS scan point matching code can now handle tests worth zeropoints. We now assign zero points to ignore a couple tests whichproved ineffective. [David]
- [Zenmap]Catch the exceptions that are caused when there's no XMLoutput file, an empty one, or one that's half-complete. You cancause these three situations, respectively, with: "nmap -V", "nmap--iflist", or "nmap 0". Also remove the target requirement for scansbecause you should be able to run commands such as "nmap --iflist"from Zenmap. [David]
- [Zenmap]Guard against the topology graph becoming empty in themiddle of an animation. This could happen if you removed a scanfrom the list of scans during an animation. The error looked like:
File "usr/lib/python2.5/site-packages/radialnet/gui/RadialNet.py",line 1533, in __livens_up AttributeError: 'NoneType' object has noattribute 'get_nodes'
[David] - [Zenmap]Fixed a crash which could occur when you entered a commandcontaining only whitespace. David fixed various other possiblecrashes found in the crash report tracker too. Zenmap users reallyare capable of finding every possible edge case which could cause acrash :).
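The TIMEVAL_AFTER change above is a small instance of a common integer-overflow bug class, and it is easier to see than to describe. The following is an added example, not Nmap's code: it re-implements the two nbase timeval macros in Python (TIMEVAL_SUBTRACT multiplies the seconds difference by 1,000,000 and adds the microseconds difference; TIMEVAL_AFTER compares tv_sec, then tv_usec) and simulates the signed 32-bit long arithmetic in which the C macro's product is evaluated on a 32-bit platform. The 32-bit width is an assumption made for the example; the real width depends on the platform and compiler.

```python
"""Added example (not Nmap's own code): why TIMEVAL_SUBTRACT(a, b) > 0 is an
unsafe "is a after b?" test while TIMEVAL_AFTER(a, b) is safe.

Paraphrase of the nbase macros being modelled:
    TIMEVAL_SUBTRACT(a, b) = (a.tv_sec - b.tv_sec) * 1000000 + a.tv_usec - b.tv_usec
    TIMEVAL_AFTER(a, b)    = a.tv_sec > b.tv_sec or (a.tv_sec == b.tv_sec and a.tv_usec > b.tv_usec)
The subtraction is evaluated in the platform's long. We assume a 32-bit long
here and simulate its wraparound explicitly; Python ints would never overflow."""
from typing import NamedTuple


class Timeval(NamedTuple):
    tv_sec: int
    tv_usec: int


def to_int32(n: int) -> int:
    """Wrap an unbounded int into a signed 32-bit two's-complement value."""
    n &= 0xFFFFFFFF
    return n - (1 << 32) if n & 0x80000000 else n


def timeval_subtract_32(a: Timeval, b: Timeval) -> int:
    """TIMEVAL_SUBTRACT evaluated with (simulated) 32-bit long arithmetic."""
    return to_int32((a.tv_sec - b.tv_sec) * 1_000_000 + a.tv_usec - b.tv_usec)


def after_by_subtract(a: Timeval, b: Timeval) -> bool:
    """The pre-fix test: TIMEVAL_SUBTRACT(a, b) > 0."""
    return timeval_subtract_32(a, b) > 0


def timeval_after(a: Timeval, b: Timeval) -> bool:
    """The post-fix test: field-wise comparison, no multiplication, no overflow."""
    return a.tv_sec > b.tv_sec or (a.tv_sec == b.tv_sec and a.tv_usec > b.tv_usec)


def overflow_threshold_seconds() -> int:
    """Smallest whole-second gap at which the subtract-based test gives the
    wrong answer (the product crosses 2**31 - 1 microseconds)."""
    base = Timeval(1_000_000, 0)
    gap = 1
    while after_by_subtract(Timeval(base.tv_sec + gap, 0), base):
        gap += 1
    return gap


def compare_both(gap_seconds: int, gap_usec: int = 0) -> tuple:
    """(subtract-based answer, TIMEVAL_AFTER answer) for a gap of the given
    size; a is always later than b, so the correct answer is True."""
    b = Timeval(1_000_000, 250_000)
    a = Timeval(b.tv_sec + gap_seconds, b.tv_usec + gap_usec)
    return after_by_subtract(a, b), timeval_after(a, b)


if __name__ == "__main__":
    print("first bad gap:", overflow_threshold_seconds(), "s")
    print("30 s gap:", compare_both(30))
    print("40 min gap:", compare_both(2400))
```

A scan that has been running for about 36 minutes (2148 s) is enough to flip the sign of the product, after which the old test reports "not after" for responses that are in fact late, so the drop-detection logic stops seeing drops and timing degrades; the field-wise comparison never multiplies, so it has no such cliff.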
Nmap 4.76 [2008-9-12]
- There is a new "external" script category, for NSE scripts which rely on a third-party network resource. Scripts that send data to anywhere other than the target are placed in this category. Initial members are ASN.nse, dns-safe-recursion-port.nse, dns-safe-recursion-txid.nse, ripeQuery.nse, HTTP_open_proxy.nse, and whois.nse [David]
- [Zenmap] A crash was fixed that affected Windows users with non-ASCII characters in their user names. [David] The error looked like this (with many variations):
  UnicodeDecodeError: 'utf8' codec can't decode byte 0x9c in position 28: unexpected code byte
- [Zenmap] Several corner-case crashes were fixed: [David]
    File "radialnet\gui\NodeNotebook.pyo", line 429, in __create_widgets
  KeyError: 'tcp'
    File "radialnet\gui\RadialNet.pyo", line 1531, in __livens_up
  AttributeError: 'NoneType' object has no attribute 'get_nodes'
    File "zenmapGUI\MainWindow.pyo", line 308, in _create_ui_manager
  GError: Odd character '\'
    File "radialnet/gui/ControlWidget.py", line 104, in __create_widgets
  AttributeError: 'module' object has no attribute 'STOCK_INFO'
    File "radialnet\util\integration.pyo", line 385, in make_graph_from_hosts
  KeyError: 'hops'
- [Zenmap] A crash was fixed that happened when opening the HostsViewer with an empty list of hosts. [David] The error message was
    File "radialnet\gui\HostsViewer.pyo", line 167, in __cursor_callback
  TypeError: GtkTreeModel.get_iter requires a tree path as its argument
- Improved rpcinfo.nse to correctly parse a wider variety of server responses. [Sven Klemm]
- [Zenmap] Fixed a data encoding bug which could cause the crash reporter itself to crash! [David]
- Nmap's Windows self-installer now correctly registers/deletes the npf (WinPcap) service during install/uninstall. Also the silent install mode was improved to avoid a case where the WinPcap uninstaller was (non-silently) shown. [Rob Nicholls]
- Nmap's Windows self-installer now checks whether the MS Visual C++ runtime components have already been installed to avoid running it again (which doesn't hurt anything, but slows down installation). [Rob Nicholls]
- Fixed an assertion failure where raw TCP timing ping probes were wrongly used during a TCP connect scan:
  nmap: scan_engine.cc:2843: UltraProbe* sendIPScanProbe(UltraScanInfo*, HostScanStats*, const probespec*, u8, u8): Assertion `USI->scantype != CONNECT_SCAN' failed.
  Thanks to LevelZero for the report. [David]
- Update the NSE bit library to replace deprecated use of luaL_openlib() with luaL_register(). This fixes a build error which occurred on systems which have Lua libraries installed but LUA_COMPAT_OPENLIB not defined [Sven]
- [Zenmap] The automatic crash reporter no longer requires an email address. [David]
- [Zenmap] Highlighting of hostnames was improved to avoid wrongful highlighting of certain elapsed times, byte counts, and other non-hostname data. The blue highlight effects are now more subtle (no longer bold, underlined, or italic) [David]
- [Zenmap] A warning that would occur when a host had the same service running on more than one port was removed. Thanks to Toralf Förster for the bug report. [David]
  GtkWarning: gtk_box_pack_start: assertion `child->parent == NULL' failed
    self.pack_start(widget, expand=False, fill=False)
Nmap 4.75 [2008-9-7]
- [Zenmap] Added a new Scan Topology system. The idea is that if we are going to call Nmap the "Network Mapper", it should at least be able to draw you a map of the network! And that is what this new system does. It was achieved by integrating the RadialNet Nmap visualization tool (http://www.dca.ufrn.br/~joaomedeiros/radialnet) into Zenmap. Joao Medeiros has been developing RadialNet for more than a year. For details, complete with some of the most beautiful Zenmap screen shots ever, visit https://nmap.org/book/zenmap-topology.html . The integration work was done by SoC student Vladimir Mitrovic and his mentor David Fifield.
- [Zenmap] Another exciting new Zenmap feature is Scan Aggregation. This allows you to visualize and analyze the results of multiple scans at once, as if they were from one Nmap execution. So you might scan one network, analyze the results a bit, then scan some of the machines more intensely or add a completely new subnet to the scan. The new results are seamlessly added to the old, as described at https://nmap.org/book/zenmap-scanning.html#aggregation . [David, Vladimir]
- Expanded nmap-services to include information on how frequently each port number is found open. The results were generated by scanning tens of millions of IPs on the Internet this summer, and augmented with internal network data contributed by some large organizations. [Fyodor]
- Nmap now scans the most common 1,000 ports by default in either protocol (UDP scan is still optional). This is a decrease from 1,715 TCP ports and 1,488 UDP ports in Nmap 4.68. So Nmap is faster by default and, since the port selection is better thanks to the port frequency data, it often finds more open ports as well. [Fyodor]
- Nmap fast scan (-F) now scans the top 100 ports by default in either protocol. This is a decrease from 1,276 (TCP) and 1,017 (UDP) in Nmap 4.68. Port scanning time with -F is generally an order of magnitude faster than before, making -F worthy of its "fast scan" moniker. [Fyodor]
- The --top-ports option lets you specify the number of ports you wish to scan in each protocol, and will pick the most popular ports for you based on the new frequency data. For both TCP and UDP, the top 10 ports gets you roughly half of the open ports. The top 1,000 (out of 65,536 possible) finds roughly 93% of the open TCP ports and more than 95% of the open UDP ports. [Fyodor, Doug Hoyte]
- David integrated all of your OS detection fingerprint and correction submissions from March 11 until mid-July. In the process, we reached the 1500-signature milestone for the 2nd generation OS detection system. We can now detect the newest iPhones, Linux 2.6.25, OS X Darwin 9.2.2, Windows Vista SP1, and even the Nintendo Wii. Nmap now has 1,503 signatures, vs. 1,320 in 4.68. Integration is now faster and more pleasant thanks to the new OSassist application developed by Nmap SoC student Michael Pattrick. See http://seclists.org/nmap-dev/2008/q3/0089.html and http://seclists.org/nmap-dev/2008/q3/0139.html for more details.
- Nmap now works with Windows 2000 again, after being broken by our IPv6 support improvements in version 4.65. A couple of new dependencies are required to run on Win2K, as described at https://nmap.org/book/inst-windows.html#inst-win2k .
- [Zenmap] Added a context-sensitive help system to the Profile Editor. You can now mouse-over options to learn more about what they are used for and their proper argument syntax. [Jurand Nogiec]
- When Nmap finds a probe during ping scan which elicits a response, it now saves that information for the port scan and later phases. It can then "ping" the host with that probe as necessary to collect timing information even if the host is not responding to the normal port scan packets. Previously, Nmap's port scan timing pings could only use information gathered during that port scan itself. A number of other "port scan ping" system improvements were made at the same time to improve performance against firewalled hosts. For full details, see http://seclists.org/nmap-dev/2008/q3/0647.html [David, Michael, Fyodor]
- --traceroute now uses the timing ping probe saved from host discovery and port scanning instead of finding its own probe. The timing ping probe is always the best probe Nmap knows about for eliciting a response from a target. This will have the most effect on traceroute after a ping scan, where traceroute would sometimes pick an ineffective probe and traceroute would fail even though the target was up. [David]
- Added dns-safe-recursion-port and dns-safe-recursion-txid (non-default NSE scripts) which use the 3rd party dns-oarc.net lookup to test the source port and transaction ID randomness of discovered DNS servers (assuming they allow recursion at all). These scripts, which test for the "Kaminsky" DNS bugs, were contributed by Brandon Enright.
- Added whois.nse, which queries the Regional Internet Registries (RIRs) to determine who the target IP addresses are assigned to. [Jah]
- [Zenmap] Overhauled the default list of scan profiles based on nmap-dev discussion. Users now have a much more diverse and useful set of default profile options. And if they don't like any of those canned scan commands, they can easily create their own in the Profile Editor! [David]
- Fyodor made a number of performance tweaks, such as:
  - increase host group sizes in many cases, so Nmap will now commonly scan 64 hosts at a time rather than 30
  - align host groups with common network boundaries, such as /24 or /25
  - increase the maximum per-target port-scan ping frequency to one every 1.25 seconds rather than every five. Port scan pings happen against heavily firewalled hosts and the like when Nmap is not receiving enough responses to the normal scan to properly calculate timing variables and detect packet drops.
- Added a new NSE binlib library, which offers bin.pack() and bin.unpack() functions for dealing with storing values in and extracting them from binary strings. For details, see https://nmap.org/book/nse-library.html#nse-binlib . [Philip Pickering]
- Added a new NSE DNS library. See this thread: http://seclists.org/nmap-dev/2008/q3/0310.html [Philip Pickering]
- Added new NSE libraries for base64 encoding, SNMP, and POP3 mail operations. They are described at http://seclists.org/nmap-dev/2008/q3/0233.html . [Philip Pickering]
- Added NSE scripts popcapa (retrieves POP3 server capabilities) and brutePOP3 (brute force POP3 authentication cracker) which make use of the new POP3 library. [Philip Pickering]
- Added the SNMPcommunitybrute NSE script, which is a brute force community string cracker. Also modified SNMPsysdescr to use the new SNMP library. [Philip Pickering]
- Fixed the SMTPcommands script so that it can't return multiple values (which was causing problems). Thanks to Jah for tracking down the problem and sending a fix for SMTPcommands. Then Patrick fixed NSE so it can handle misbehaving scripts like this without causing mysterious side effects.
- Added a new NSE Unpwdb (username/password database) library for easily obtaining usernames or passwords from a list. The functions usernames() and passwords() return a closure which returns a new list entry with every call, or nil when the list is exhausted. You can specify your own username and/or password lists via the script arguments userdb and passdb, respectively. [Kris]
- Nmap's Nsock-utilizing subsystems (DNS, NSE, version detection) have been updated to support the -S and --ip-options flags. [Kris]
- A new --max-rate option was added, which complements --min-rate. It allows you to specify the maximum rate (in packets per second) at which Nmap is allowed to send packets. [David]
- Added --ip-options support for the connect() scan (-sT). [Kris]
- Nsock now supports binding to a local address and setting IPv4 options with nsi_set_localaddr() and nsi_set_ipoptions(), respectively. [Kris]
- Added IPProto Ping (-PO) support to Traceroute, and fixed support for IPProto Scan (-sO) and the ICMP Pings (-PE, -PP, -PM) in Traceroute as well. These could cause Nmap to hang during Traceroute. [Kris]
- [Zenmap] Added a "Cancel" button for cancelling a scan in progress without losing any Nmap output obtained so far. [Jurand Nogiec]
- Improved the netbios-smb-os-discovery NSE script: better target port selection, and it now also decodes the system's timestamp from an SMB response. [Ron at SkullSecurity]
- Nmap now avoids collapsing large numbers of ports in open|filtered state (e.g. just printing that 500 ports are in that state rather than listing them individually) if verbosity or debugging levels are greater than two. See this thread: http://seclists.org/nmap-dev/2008/q3/0312.html . [Fyodor]
- The NSE http library now supports chunked encoding. [Sven Klemm]
- The NSE datafiles library now has generic file parsing routines, and the parsing of the standard nmap data files (e.g. nmap-services, nmap-protocols, etc.) now uses those generic routines. NSE scripts and libraries may find them useful for dealing with their own data files, such as password lists. [Jah]
- Passed the big revision 10,000 milestone in the Nmap project SVN server: http://seclists.org/nmap-dev/2008/q3/0682.html
- Added some Windows and MinGW compatibility patches submitted by Gisle Vanem.
- Improved nse_init so that compilation/runtime errors in NSE scripts no longer cause the script engine to abort. [Patrick]
- Fix a cosmetic bug in --script-trace hex dump output which resulted in bytes with the highest bit set being prefixed with ffffff. [Sven Klemm]
- Removed the nselib-bin directory. The last remaining shared NSE module, bit, has been made static by Patrick. Shared modules were broken for static builds of Nmap, such as those in the RPMs. We also had the compilation problems (particularly on OpenBSD) with shared modules which led us to make PCRE static a while back. [David]
- Updated the rpcinfo NSE script to use the new pack/unpack (binlib) functions, use the new tab library, include better documentation, and fix some bugs. [Sven Klemm]
- Add useful details to the error message printed when an NSE script fails to load (due to syntax error, etc.) [Patrick]
- Fix a bug in the NSE http library which would cause some scripts to give the error: SCRIPT ENGINE: C:\Program Files\Nmap\nselib/http.lua:77: attempt to call field 'parse' (a nil value) [Jah]
- Fixed a couple of Makefile problems (race condition) which could lead to build failures when launching make in parallel mode (e.g. -j4). [Michal Januszewski, Chris Clements]
- Added a new addrow() function to the NSE tab library. It allows developers to add a whole row at once rather than doing a separate add() call for each column in a row. [Sven Klemm]
- Completion time estimates provided in verbose mode or when you hit a key during scanning are now more accurate thanks to algorithm improvements by David.
- Fixed a number of NSE scripts which used print_debug() incorrectly. See http://seclists.org/nmap-dev/2008/q3/0470.html . [Sven Klemm]
- [Zenmap] The Ports/Hosts view now provides full version detection values rather than just a simple summary. [Jurand Nogiec]
- [Zenmap] When you edit the command-entry field, then change the target selection, Zenmap no longer blows away your edits in favor of using your current profile. [Jurand Nogiec]
- Nsock now returns data from UDP packets individually, preserving the packet boundary, rather than concatenating the data from multiple packets into a single buffer. This fixes a problem related to our reverse-DNS system, which can only handle one DNS packet at a time. Thanks to Tim Adam of ManageSoft for debugging the problem and sending the patch. Doug Hoyte helped with testing, and it was applied by Fyodor.
- [Zenmap] Fixed a crash which would occur when you try to compare two files, either of which has more than one extraports element. [David]
- Added the undocumented (except here) --nogcc option which disables global/group congestion control algorithms, so each member of a scan group of machines is treated separately. This is just an experimental option for now. [Fyodor]
- [Zenmap] The Ports/Hosts display now has different colors for open and closed ports. [Vladimir]
- Fixed Zenmap so that it displays all Nmap errors. Previously, only stdout was redirected into the window, and not stderr. Now they are both redirected. [Vladimir]
- NSE can now be used in combination with ping scan (e.g. "-sP --script") so that you can execute host scripts without needing to perform a port scan. [Kris]
- [NSE] Category names are now case insensitive. [Patrick]
- [NSE] Each thread for a script now gets its own action closure (and upvalues). See: http://seclists.org/nmap-dev/2008/q2/0549.html [Patrick]
- [NSE] The script_scan_result structure has been changed to a class, ScriptResult, which now holds a Script's output in an std::string. This removes the need to use malloc and free to manage this memory. A similar change was made to the run_record structure. [Patrick]
- [NSE] Fixed a socket exhaustion deadlock which could prevent a script scan from ever finishing. Now, rather than limit the total number of sockets which can be open, we limit the number of scripts which can have sockets open at once. And once a script has one socket opened, it is permitted to open as many more as it needs. [Patrick]
- A hashing library (code from OpenSSL) was added to NSE. hashlib contains md5 and sha1 routines. [Philip Pickering]
- Fixed host discovery probe matching when looking at the returned TCP data in an ICMP error message. This could formerly lead to incorrectly discarded responses and the debugging error message: "Bogus trynum or sequence number in ICMP error message" [Kris]
- Fixed a segmentation fault in Nsock which occurred when calling nsock_write() with a data length of -1 (which means the data is a NUL-terminated string and Nsock should take the length itself) and the Nsock trace level was at least 2. [Kris]
- The NSE Comm library now defaults to trying to read as many bytes as are available rather than lines if neither the "bytes" nor "lines" options are given. Thanks to Brandon for reporting a problem which he noticed in the dns-test-open-recursion script. [Kris]
- Updated zoneTrans.nse to replace length bytes in returned domain names with periods itself rather than relying on NSE's old behavior of replacing non-printable characters with periods. Thanks to Rob Nicholls for reporting the problem. [Kris]
- Some Zenmap crashes have been fixed: trying to "refresh" the output of a scan loaded from a file, and trying to re-save a file loaded from the command line in some circumstances. [David]
- [Zenmap] The file selector now remembers what directory it was last looking at. [David]
- Added an extra layer of validity checking to received packets (readip_pcap), just to be extra safe. See http://seclists.org/nmap-dev/2008/q3/0644.html . [Kris]
- Zenmap defaults to showing files matching both *.xml and *.usr in the file selector. Previously it only showed those matching *.usr. The new combined format will be XML and .usr will be deprecated. See http://seclists.org/nmap-dev/2008/q3/0093.html .
- Nmap avoids printing the sending rate in bytes per second during a TCP connect scan. Because the number of bytes per probe is not known, it used to print current sending rates like "11248.85 packets / s, 0.00 bytes / s". Now it will simply print rates like "11248.85 packets / s". [David]
- [Zenmap] Nmap's installation process now includes .desktop files which install menu items for launching Zenmap as a privileged or non-privileged process on Linux. This will mainly affect people who install nmap and Zenmap directly from the source code. [Michael]
- Improved performance of IP protocol scan by fixing a bug related to timing calculations on ICMP probe responses. See the r8754 svn log for full details. [David]
- Nmap --reason output no longer falsely reports a localhost-response during -PN scans. See http://seclists.org/nmap-dev/2008/q3/0188.html . [Michael]
- [Zenmap] The higwidgets Python package has moved so it is now a subpackage of zenmapGUI. This avoids naming conflicts with Umit, which uses a slightly different version of higwidgets. [David]
- A bug that could cause some host discovery probes to be incorrectly interpreted as drops was fixed. This occurred only when the IP protocol ping (-PO) option was combined with other ping types. [David]
- A new scanflags attribute has been added to XML output, which lists all user specified --scanflags for the scan. nmap.dtd has been modified to account for this. [Michael]
- The loading of the nmap-services file has been made much faster--roughly 9 times faster in common cases. This is important for the new (much larger) frequency augmented nmap-services file. [David]
- Added a script (ASN.nse) which uses Team Cymru's DNS interface to determine the routing AS numbers of scanned IP addresses. They even set up a special domain just for Nmap queries. The script is still experimental and non-default. [Jah, Michael]
- [Zenmap] Clicking "Cancel" in a file chooser in the diff interface no longer causes a crash. [David]
- The shtool build helper script has been updated to version 2.0.8. An older version of shtool caused installation to fail when the locale was set to et_EE. Thanks to Michal Januszewski for the bug report. [David]
- [Zenmap] Removed services.dmp and os_dmp.dmp and all the files that referred to them. They are not needed with the new search interface. Also removed an unused search progress bar. And some broken fingerprint submission code. Yay for de-bloating! [David]
- [Zenmap] Added "%F" to the Exec line in the new Zenmap desktop file. We expect (hope) that this will allow dragging and dropping XML files onto the icon. [David]
- [Zenmap] The -o[XGASN] options can now be specified, just as you can at the console. [Vladimir]
- [Zenmap] You can now shrink the scan window below its default size thanks to NmapOutputViewer code enhancements. [David]
- [Zenmap] Removed optional use of the Psyco Python optimizer since Zenmap is not the kind of CPU-bound application which benefits from Psyco.
- [Zenmap] You can now select more than one host in the "Ports / Hosts" view by control-clicking them in the column at left.
- [Zenmap] The profile editor now offers the --traceroute option.
- Zenmap now uses Unicode objects pervasively when dealing with Nmap text output, though the only internationalized text Nmap currently outputs is the user's time zone. [David]
- Unprintable characters in NSE script output (which really shouldn't happen anyway) are now printed like \xHH, where HH is the hexadecimal representation of the character. See http://seclists.org/nmap-dev/2008/q3/0180.html . [Patrick]
- Nmap sometimes sent packets with incorrect IP checksums, particularly when sending the UDP probes in OS detection. This has been fixed. Thanks to Gisle Vanem for reporting and investigating the bug. [David]
- Fixed the --without-liblua configure option so that it works again. [David]
- In the interest of forward compatibility, the xmloutputversion attribute in Nmap XML output is no longer constrained to be a certain string ("1.02"). The xmloutputversion should be taken as merely advisory by authors of parsers.
- Zenmap no longer leaves any temporary files lying around. [David]
- Nmap only prints an uptime guess in verbose mode now, because in some situations it can be very inaccurate. See the discussion at http://seclists.org/nmap-dev/2008/q3/0392.html . [David]
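The --top-ports, -F and nmap-services entries in this release all rest on the same mechanism: a third column in nmap-services giving the open frequency of each port, from which the N most frequently open ports per protocol are selected. The following is an added example, not Nmap's code, of a parser for that file format and of the selection it drives. The excerpt it parses is constructed for the example and its frequency values are illustrative, not the real data; the coverage figure it computes is the share of all open-port observations that the chosen ports account for, which is how a statement like "the top 10 ports get roughly half of the open ports" is derived from such a table.

```python
"""Added example (not Nmap's code): parse the frequency-augmented
nmap-services format and reproduce the --top-ports / -F selection.

Each data line is "name  port/proto  open-frequency [# comment]"; lines in
the older format have no frequency column. SAMPLE_SERVICES is a constructed
excerpt with illustrative frequencies."""
from collections import defaultdict

SAMPLE_SERVICES = """\
# Constructed excerpt in nmap-services format
http\t80/tcp\t0.484143\t# World Wide Web HTTP
telnet\t23/tcp\t0.221265
https\t443/tcp\t0.208669
ftp\t21/tcp\t0.197667
ssh\t22/tcp\t0.182286
smtp\t25/tcp\t0.131314
msrpc\t135/tcp\t0.015600
unknown\t49152/tcp\t0.000600
finger\t79/tcp\t# old-format line without a frequency column
snmp\t161/udp\t0.433467\t# Simple Net Mgmt Proto
netbios-ns\t137/udp\t0.365163
dhcps\t67/udp\t0.228010
domain\t53/udp\t0.213496
ntp\t123/udp\t0.165829
unknown\t1900/udp\t0.000300
"""


def parse_services(text: str) -> dict:
    """Return {proto: [(port, name, frequency), ...]} for every data line.

    A line without a frequency column (pre-4.75 format) gets 0.0, so it
    sorts after every port that has ever been seen open."""
    table = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            raise ValueError(f"malformed nmap-services line: {raw!r}")
        name, portproto = fields[0], fields[1]
        port_s, proto = portproto.split("/", 1)
        freq = float(fields[2]) if len(fields) > 2 else 0.0
        table[proto].append((int(port_s), name, freq))
    return dict(table)


def top_ports(table: dict, proto: str, n: int) -> list:
    """Ports of `proto` ranked by open frequency; ties broken by lower port."""
    ranked = sorted(table.get(proto, []), key=lambda e: (-e[2], e[0]))
    return [port for port, _, _ in ranked[:n]]


def coverage(table: dict, proto: str, n: int) -> float:
    """Share of all open-port observations that the top n ports account for."""
    entries = table.get(proto, [])
    total = sum(f for _, _, f in entries)
    if total == 0:
        return 0.0
    chosen = set(top_ports(table, proto, n))
    return sum(f for p, _, f in entries if p in chosen) / total


def port_spec(table: dict, n: int) -> str:
    """An -p argument equivalent to --top-ports n, in Nmap's mixed-protocol
    syntax (T: prefixes TCP ports, U: prefixes UDP ports)."""
    parts = []
    for prefix, proto in (("T", "tcp"), ("U", "udp")):
        ports = top_ports(table, proto, n)
        if ports:
            parts.append(prefix + ":" + ",".join(map(str, ports)))
    return ",".join(parts)


if __name__ == "__main__":
    services = parse_services(SAMPLE_SERVICES)
    for proto in ("tcp", "udp"):
        print(proto, top_ports(services, proto, 3), f"{coverage(services, proto, 3):.1%}")
    print(port_spec(services, 3))
```

Against the real nmap-services file the same functions reproduce what -F (n=100) and --top-ports select, and port_spec() gives an explicit -p list for tooling that needs to pin the exact port set rather than rely on whichever nmap-services a remote scanner happens to ship.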
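Two entries in this release touch the same packet-level mechanics: matching an ICMP error to the host-discovery probe whose header it quotes, and getting IP checksums right on the wire. As an added example that is not Nmap's code, the following constructs a TCP SYN probe, computes its IPv4 header checksum (RFC 1071), wraps the quoted header in a constructed ICMP Destination Unreachable, and matches the error back to an outstanding probe by destination, ports and sequence number. A quoted header whose checksum does not verify, and a sequence number that matches nothing outstanding (the "bogus sequence number" case), are both rejected. All addresses, ports and sequence numbers are made up for the example.

```python
"""Added example (not Nmap's code): IPv4/ICMP checksums and matching an
ICMP error to the probe it quotes. Every packet here is constructed."""
import struct
from ipaddress import IPv4Address
from typing import Optional


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: ones'-complement sum of 16-bit big-endian words.
    Verification is the same call: a correct header (checksum included) sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ident: int = 0x1234, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with the checksum filled in (bytes 10-11)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_tcp_syn(sport: int, dport: int, seq: int) -> bytes:
    """20-byte TCP SYN header; the TCP checksum is left 0 (not exercised here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 1024, 0, 0)


def build_icmp_unreachable(quoted: bytes, code: int = 1) -> bytes:
    """ICMP type 3 (Destination Unreachable) carrying the quoted datagram head."""
    body = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def match_icmp_error(icmp: bytes, outstanding: dict) -> Optional[str]:
    """Return the outstanding probe an ICMP error refers to, or None.

    outstanding maps (dst_ip, sport, dport, seq) -> probe id. A quoted IP
    header that fails its checksum, a non-TCP quote, or ports/sequence that
    match nothing we sent all yield None rather than a guess."""
    if len(icmp) < 8 or inet_checksum(icmp) != 0 or icmp[0] != 3:
        return None
    quoted = icmp[8:]
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        return None
    ihl = (quoted[0] & 0x0F) * 4
    if ihl < 20 or len(quoted) < ihl + 8:
        return None                          # need full IP header + 8 transport bytes
    if inet_checksum(quoted[:ihl]) != 0 or quoted[9] != 6:
        return None
    dst = str(IPv4Address(quoted[16:20]))
    sport, dport, seq = struct.unpack("!HHI", quoted[ihl:ihl + 8])
    return outstanding.get((dst, sport, dport, seq))


def demo() -> dict:
    """Register two constructed probes, then classify three ICMP errors."""
    dst = "192.0.2.10"
    outstanding = {}
    for i, (sport, dport, seq) in enumerate([(40001, 22, 0x1000), (40002, 80, 0x11223344)], 1):
        outstanding[(dst, sport, dport, seq)] = f"probe-{i}"
    tcp = build_tcp_syn(40002, 80, 0x11223344)
    quoted = build_ipv4_header("10.0.0.5", dst, 6, len(tcp)) + tcp[:8]
    corrupted = bytearray(quoted)
    corrupted[19] ^= 0x01                    # flip a bit in the quoted destination
    unknown = quoted[:20] + struct.pack("!HHI", 40002, 80, 0xDEADBEEF)
    return {
        "genuine": match_icmp_error(build_icmp_unreachable(quoted), outstanding),
        "corrupted": match_icmp_error(build_icmp_unreachable(bytes(corrupted)), outstanding),
        "unknown": match_icmp_error(build_icmp_unreachable(unknown), outstanding),
    }


if __name__ == "__main__":
    print(demo())
```

The matching is deliberately strict: an unsolicited ICMP error from an on-path device must not be able to mark a host down or up unless it quotes a header Nmap actually sent.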
Nmap 4.68 [2008-6-28]
- Doug integrated all of your version detection submissions and corrections for the year up to May 31. There were more than 1,000 new submissions and 18 corrections. Please keep them coming! And don't forget that corrections are very important, so do submit them if you ever catch Nmap making a version detection or OS detection mistake. The version detection DB has grown to 5,054 signatures representing 486 service protocols. Protocols span the gamut from abc, acap, access-remote-pc, activefax, and activemq, to zebedee, zebra, zenimaging, and zenworks. The most popular protocols are http (1,672 signatures), telnet (519), ftp (459), smtp (344), and pop3 (201).
- Nmap compilation on Windows is now done with Visual C++ Express 2008 rather than 2005. Windows compilation instructions have been updated at https://nmap.org/book/inst-windows.html#inst-win-source . [Kris]
- The Nmap Windows self-installer now automatically installs the MS Visual C++ 2008 runtime components if they aren't already installed on a system. These are some reasonably small DLLs that are generally necessary for applications compiled with Visual C++ (with dynamic linking). Many or most systems already have these installed from other software packages. The lack of these components led to the error message "The Application failed to initialize properly (0xc0150002)." with Nmap 4.65. A related change is that Nmap on Windows is now compiled with /MD rather than /MT so that it consistently uses these runtime libraries. The patch was created by Rob Nicholls.
- Added advanced search functionality to Zenmap so that you can locate previous scans using criteria such as which ports were open, keywords in the target names, OS detection results, etc. Try it out with Ctrl-F or "Tools->Search Scan Results". [Vladimir]
- Nmap's special WinPcap installer now handles 64-bit Windows machines by installing the proper 64-bit npf.sys. [Rob Nicholls]
- Added a new NSE Comm (common communication) library for common network discovery tasks such as banner-grabbing (get_banner()) and making a quick exchange of data (exchange()). 16 scripts were updated to use this library. [Kris]
- The Nmap Scripting Engine now supports mutexes for gracefully handling concurrency issues. Mutexes are documented at https://nmap.org/book/nse-api.html#nse-mutex . [Patrick]
- Added a UDP SNMPv3 probe to version detection, along with 9 vendor match lines. The patch was from Tom Sellers, who contributed other probes and match lines to this release as well.
- Added a new timing_level() function to NSE which reports the Nmap timing level from 0 to 5, as set by the Nmap -T option. The default is 3. [Thomas Buchanan]
- Update the HTTP library to use the new timing_level functionality to set connection and response timeouts. An error preventing the new timing_level feature from working was also fixed. [Jah]
- Optimized the doAnyOutstandingProbes() function to make Nmap a bit faster and more efficient. This makes a particularly big difference in cases where --min-rate is being used to specify a very high packet sending rate. [David]
- Fixed an integer overflow which prevented a target specification of "*.*.*.*" from working. Support for the CIDR /0 is now also available for those times you wish to scan the entire Internet. [Kris]
- The robots.nse script has been improved to print output more compactly and limit the number of entries of large robots.txt files based on Nmap verbosity and debugging levels. [Eddie Bell]
- The Nmap NSE scripts have been re-categorized in a more logical fashion. The new categories are described at https://nmap.org/book/nse-usage.html#nse-categories . [Kris]
- Improve AIX support by linking against -lodm and -lcfg on that platform. [David]
- Updated the showHTMLTitle NSE script to follow one HTTP redirect if necessary as long as it is on the same server. [Jah]
- Michael Pattrick and David created a new OSassist application which streamlines the OS fingerprint submission integration process and prevents certain previously common errors. OSassist isn't part of Nmap, but the system was used to integrate some submissions for this release. 13 fingerprints were added during OSassist testing, and some existing fingerprints were improved as well. Expect many more fingerprints coming soon.
- Improved the mapping from dnet device names (like eth0) and WinPcap names (like \Device\NPF_{28700713...}). You can see this mapping with --iflist, and the change should make Nmap more likely to work on Windows machines with unusual networking configurations. [David]
- Service fingerprints in XML output are no longer truncated to 2kb. [Michael]
- Some laptops report the IP Family as NULL for disabled WiFi cards. This could lead to a crash with the "sin->sin_family == AF_INET6" assertion failure. Nmap no longer quits when this is encountered. [Michael]
- On systems without the GNU getopt_long_only() function, Nmap has its own replacement. That replacement used to call the system's getopt() function if it exists. But the AIX and Solaris getopt() functions proved insufficient/buggy, so Nmap now always calls its own internal getopt() from its getopt_long_only() replacement. [David]
- Integrated several service match lines from Tom Sellers.
- An error was fixed where Zenmap would crash when trying to load from the recent scans database a file containing non-ASCII characters. The error looked like
  pysqlite2.dbapi2.OperationalError: Could not decode to UTF-8 column 'nmap_xml_output' with text '<?xml version="1.0" encoding="iso-8859-1"?><nmaprun profile="nmap -T Aggressive -n -v %s" scanner="nmap" hint=""
  The error would be seen when such a scan was found using the search interface. [David]
- Fix a Zenmap crash which occurred when locale.getpreferredencoding() returns "None". Similarly, deal with the case when "X-MAC-KOREAN" is returned by this function. Both problems were found with the Zenmap crash reporter. [David]
- A whole bunch of internal Zenmap cleanup was done by David to make the code more logical and remove dead code.
- Install icons and pixmaps under /usr/share/zenmap/{icons,pixmaps} so they don't get mixed in with the files in /usr/share/{icons,pixmaps}. [Jurand Nogiec]
- Fixed a Zenmap command entry problem where Zenmap would lose a custom command you had entered into the command entry field if you changed the target field after entering the custom command. [Jurand Nogiec]
- The Zenmap crash reporter now includes a stack trace rather than just the exception name. [David]
- Zenmap now executes the proper Nmap command by honoring the nmap_command_path variable in zenmap.conf. [Jurand Nogiec]
- Fixed a bug which caused -PN to erroneously bail out for unprivileged users. Thanks to Jabra (jabra(a)spl0it.org) for the report. [Kris]
- Fixed several Nmap NSE memory leaks found with Valgrind. [Kris]
- Migrated some stray malloc()/realloc() calls to the Nbase safe_malloc()/safe_realloc() versions which guard against certain errors.
- Fixed a bunch of subtle bugs, some of which could have resulted in a crash, reported by Ilja van Sprundel. [Kris]
- Fixed several byte-order bugs in Traceroute. [Kris]
- Fixed a crash in RateMeter::update() which could lead to an error saying "diff >= 0.0" assertion failed. I think the problem was actually caused by SMP machines which didn't sync the clock time perfectly. This led to gettimeofday() sometimes reporting that time decreased by some microseconds. Now Nmap is willing to tolerate decreases of up to 1 millisecond in this function. [Fyodor]
- Nmap now returns correct values for --iflist in Windows even if interface aliases have been set. Previously it would misreport the windevices and not list all interfaces. [Michael]
- Nmap no longer crashes with an 'assert' error when it's told to access a disabled WiFi NIC on some laptops. [Michael]
- Upgraded the OpenSSL shipped for Windows to 0.9.8h. [Kris]
- The NSE http library was updated to gracefully handle certain bogus (non-)http responses. [Jah]
- The zoneTrans.nse script now takes a "domain" script argument to specify the desired domain name to transfer. You can narrow the scope down with the form "zoneTrans={domain=xxx}". [Kris]
- Increase write buffer length for Nmap output on Windows. This should prevent error messages like: "log_vwrite: vsnprintf failed. Even after increasing bufferlen to 819200, Vsnprintf returned -1 (logt == 1)." Thanks to prozente0 for the report. [Fyodor]
- Fixed the --script-updatedb command, which was claiming to be "Aborting database update" even when the update was performed perfectly. See http://seclists.org/nmap-dev/2008/q2/0623.html . Thanks to Jah for the report.
Nmap 4.65 [2008-6-1]
- A Mac OS X Nmap/Zenmap installer is now available from the Nmap download page! It is rather straightforward, but detailed instructions are available anyway at https://nmap.org/book/inst-macosx.html . As a universal installer, it works on both Intel and PPC Macs. It is distributed as a disk image file (.dmg) containing an mpkg package. The installed Nmap does include OpenSSL support. It also supports Authorization Services so that Zenmap can run as root. David created this installer. He wants to thank Benson Kalahar and Vlad Alexa for extensive testing of the nine test releases.
- The Windows version of Nmap now supports OpenSSL just as the UNIX versions have for years. Both the .zip and executable installer binary packages we ship from the Nmap download page now include OpenSSL. [Kris, Thomas Buchanan]
- We now compile in IPv6 support on Windows. In order to use this, you need to have IPv6 set up. It is installed by default on Vista, but must be downloaded from Microsoft for XP. See http://www.microsoft.com/technet/network/ipv6/ipv6faq.mspx . [Kris]
- Seven Google-sponsored Summer of Code students began working on exciting Nmap projects full time. The winning students and their Nmap development projects are described at http://seclists.org/nmap-dev/2008/q2/0132.html .
- Our WinPcap installer now starts the NPF driver running as a service immediately upon installation and after restarts. You can disable this with new check-boxes. This behavior is important for Vista and Windows Server 2008 machines when User Account Control (UAC) is enabled. [Rob Nicholls]
- Nmap and Nmap-WinPcap silent installation now works. Nmap can be silently installed with the /S option to the installer. If you install Nmap from the zip file, you can install just WinPcap silently with the /S option to that installer. [Rob Nicholls]
- Our WinPcap installer is now included with the Nmap Win32 zip file. [Fyodor]
- Numerous miscellaneous improvements were made to our Win32 installer, such as using the "Modern" NSIS UI for WinPcap, improving the option description labels, and showing a finish page in all cases. [Rob Nicholls]
- The nmap-dev and nmap-hackers mailing list RSS feeds at seclists.org now include message excerpts to make it easier to identify interesting messages and speed the process of reading through the list. Feeds for all other mailing lists archived at SecLists.Org have been similarly augmented. For details, see http://seclists.org/nmap-dev/2008/q2/0333.html . [David]
- A new "default" Nmap Scripting Engine category was added. Only scripts in this category now run by default (except for "version" scripts which run when version detection was requested). Previously, any scripts in the "safe" or "intrusive" categories were run. 21 scripts are now in this default category. [Kris]
- The NSE HTTP library now uses the host name specified on the command line when making requests, which improves script scanning against web servers with virtual hosts. Thanks to Sven Klemm for the patch.
- Added some new and improved version detection signatures. [Brandon]
- Fixed an OS detection bug that prevented the U1.RID test result from being recorded properly when scanning certain printers from little-endian computers. Updated nmap-os-db to compensate for signatures that had an incorrect U1.RID value. [Michael]
- Updated to include the latest MAC Address prefixes from the IEEE in nmap-mac-prefixes [Fyodor]
- Updated the SMTPcommands NSE script to work better against Postfix and reduce verbosity. [Jasey DePriest, Fyodor]
- Reorganized the way ping probes are handled internally. Rather than being stored in the NmapOps structure, they are now stored within the individual scan_lists structures. This is a cleaner organization. [Michael]
- Fix grepable output's "Ignored State" reporting. Only one ignored state (the one with the highest number of ports) is shown. [David]
- Update to Lua version 5.1.3 [Patrick]
- Add NSE stdnse library to include tobinary, tooctal, and tohex functions. [Patrick]
- Fixed a bug which caused the Zenmap crash reporter to, uh, crash. [David]
- NSE engine was cleaned up significantly. nse_auxiliar was removed, and file system manipulation functions were moved from nse_init.cc into a new nse_fs.cc file. Numerous interfaces between Nmap and Lua were improved. Most of these functions are now callable directly by Lua. [Patrick]
- Fixed a bug in the showOwner NSE script which caused it to try UDP ports instead of just TCP ports. This made it very slow in the common case where there are many UDP ports in the open|filtered state. Thanks to Jasey DePriest for reporting the problem and Jah for tracking it down and fixing it.
- Nbase now generates pseudo-random numbers itself rather than using /dev/urandom on Linux and the terrible rand() function on Windows. The new system uses ARC4 based on libdnet's implementation. [Brandon]
- Made a number of updates and improvements to the Zenmap Users' Guide at https://nmap.org/book/zenmap.html . [David]
- Fixed the way Zenmap handles command-line entry to prevent your custom command-line from being overwritten with the current profile's command just because you edited the target field. [Jurand]
- Nsock was improved to better support reading from non-network descriptors such as stdin. This is important for the upcoming Ncat project Mixter is working on. [Mixter]
- A bug was fixed that could cause Zenmap to crash when loading a results file that had multibyte characters in it. The error looked like:
Gtk-ERROR **: file gtktextsegment.c: line 196 (_gtk_char_segment_new): assertion failed: (gtk_text_byte_begins_utf8_char (text))
[David]
- Removed a superfluous test for the existence of the C++ compiler in the configure script. The test was not robust when configured with CXX="ccache g++". Thanks to Rainer Müller for the report.
- Optimized cached DNS lookups so they are equally efficient when running on big-endian or little-endian systems. [Michael]
- Fixed the nmap_command_path Zenmap configuration variable so that it is actually used to start the specified Nmap executable path. [Jurand Nogiec]
- Nmap now reports scan start and end times for individual hosts within a larger scan. The information is added to the XML host element like so: <host starttime="1198292349" endtime="1198292370"> It is also printed in normal output if -d or "-v -v" are specified. [Brandon, Kris, Fyodor]
- "make uninstall" now uninstalls Zenmap as well as Nmap. The uninstall_zenmap script now deletes directories that were installed. [David]
- Fixed a bug which caused Nmap to send bad checksums on Solaris 10 x86. This was due to a workaround for an Ancient Solaris 2.1 bug which activated when the OS string matched "solaris2.1*". The problem has now been resolved until Solaris 20 comes out and hits our "solaris2.2*" bug workarounds. Thanks to Nathan Bills for the problem report. Fixed by Fyodor.
- Fixed a minor memory leak in getpts_simple which occurs when no ports are to be added to 'list'. 'porttbl' is now free'd regardless of how the function returns. [Michael]
- Nmap now understands the RFC 4007 percent syntax for IPv6 Zone IDs. On Windows, this ID has to be a numeric index. On Linux and some other OS's, this ID can instead be an interface name. Some examples of this syntax:
fe80::20f:b0ff:fec6:15af%2
fe80::20f:b0ff:fec6:15af%eth0
[Kris]
- The Zenmap installer and uninstaller are more careful about escaping filenames and dealing with an installation root (DESTDIR). [David]
- Since assert() calls are used for various security-related tests, their safety is now ensured by keeping NDEBUG undefined throughout Nmap, Nbase and Nsock. [Kris]
- Fix a couple bugs in the way the Nmap build system checked for an existing LUA library. A bashism caused one test to fail on systems which don't use bash as /bin/sh, and another bug fixed the --with-liblua configure option for specifying your own liblua. [Daniel Roethlisberger]
- The NSE nmap.registry.args table is now available, albeit empty, when --script-args isn't used. Now scripts don't need to check if it's nil before attempting to index it. [Kris]
- Changed SSLv2-support.nse so that it only enumerates the list of available ciphers with a verbosity level of at least two or with debugging enabled. [Kris]
- Replaced kibuvDetection.nse with version detection match lines which work better than the script. [Kris, Brandon]
- Removed mswindowsShell.nse as there is a version detection NULL probe match which does the same thing. [Brandon, Fyodor, Kris]
- Updated IANA assignment IP list for random IP (-iR) generation. [Kris]
Nmap 4.62 [2008-5-3]
- Added a new --min-rate option that allows specifying a minimum rate at which to send packets. This allows you to override Nmap's congestion control algorithms and request that Nmap try to keep at least the rate you specify. The rate is given in packets per second. Read more in the Nmap man page (https://nmap.org/book/man-performance.html) [David]
- Create /nmap/macosx directory in SVN with files necessary to build binary Mac OS X Nmap/Zenmap packages. We are trying to create binary installer packages which are as useful and easy to use as the Windows installer. This has involved a lot of work by David. We aren't quite yet distributing the results on the Nmap download page, but testing our beta versions is useful. You can find the latest universal (PPC and Intel) binary test version by looking at David Fifield's posts at http://seclists.org/nmap-dev/2008/q2/author.html . You can also read /nmap/macosx/README in svn for more info.
- Nmap 2008 Summer of Code students have begun working (though full time doesn't start until late May). Learn about the winners and their projects at http://seclists.org/nmap-dev/2008/q2/0132.html .
- Brandon added/modified a whole bunch of version detection signatures based on systems discovered when scanning UCSD's network.
- Reformat Nmap COPYING file (e.g. remove C comment markers, reduce line length) during Nmap Windows build so that it looks much better when presented by the Windows executable (NSIS) installer. Thanks to Jah for the patch, which was modified slightly by Fyodor.
- Added NSE Datafiles library which reads and parses Nmap's nmap-* data files for scripts. The functions (parse_protocols(), parse_rpc() and parse_services()) return tables with numbers (e.g. port numbers) indexing names (e.g. service names). The rpcinfo.nse script was also updated to use this library. [Kris]
- Fixed a bug in the nbase random number generator (and the way it interacted with Nmap and MS Windows) which caused duplicates in some instances. Thanks to Jah for reporting the problem and working with Brandon Enright, Fyodor and Kris to fix it.
- It turns out that hours contain 60 minutes, not 24. Fixed a scan status message which was rolling over the hours column prematurely. [David]
- Added scripting options to Zenmap profile editor and command wizard to make use of NSE. [David]
- Zenmap now prints an exception message rather than segfaulting when it can't open a display (such as when trying to connect to an X server as an unauthorized user). Thanks to Aaron Leininger for the initial report and Guilherme Polo for suggesting the fix.
- Now ports in the "unfiltered" state can be selected for attention by NSE scripts. [Kris]
- Nbase random number generation system now avoids having a high-bit of zero in every other byte on Windows due to Windows having such a low RAND_MAX. [Jah]
- Added release dates for each Nmap version to this CHANGELOG going back to Nmap 3.00 (July 31, 2002). Dates are in MM/DD/YY format. If someone wants to track down dates for the last 22% of the file (pre-3.00), you are welcome to do so and send a patch. Searching Google for the version number and site:seclists.org seems to work well. [Fyodor]
- Nmap RPM builds now use the versions of libdnet, libpcap, libpcre, and liblua included with Nmap rather than whatever happens to be installed on the build system. [David]
- Zenmap can now be installed in and run in directories with a space in the name. [David]
- Fixed an assertion failure ("Target.cc:396: void Target::stopTimeOutClock(const timeval*): Assertion 'htn.toclock_running == true' failed.") caused when a host had NSE scripts in multiple runlevels. This also fixes --host-timeout behavior in NSE. [Kris]
- Reduce the maximum number of socket descriptors which Nmap is allowed to open concurrently. This resolves a bug which could cause "Too many open files" error on Mac OS X when not running as root. [David]
- Canonicalized service names between nmap-service-probes (version detection DB) and nmap-services (port scanning DB). [Kris]
- Removed the "class" attribute from the tcpsequence element in XML output. For a long time it had always been "unknown class" because Nmap doesn't calculate a class anymore. The XML output version has been increased from 1.01 to 1.02. [David]
- Fixed a bug on Win32 which caused an infinite loop when Nmap encountered certain broadcast addresses. [Dudi Itzhakov]
- Fix MingW compilation by adding a signal.h include to main.cc. [Gisle Vanem]
- Fix the test in our build system to determine if liblua is already available or not. For example, the test needed to link with -lm since some systems require that. [David]
- Added TIMEVAL_BEFORE and TIMEVAL_AFTER macros to test whether one timeval is earlier than another while avoiding possible integer overflows in a naive approach we were using previously. [David]
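The two timing fixes above (the RateMeter::update() tolerance for a clock that steps backwards by up to 1 ms in 4.68, and the overflow-free timeval ordering test here) can be illustrated together. The following is an added example written for this changelog, not Nmap's own macros or RateMeter code; the function names are hypothetical and the timestamps in main() are constructed.

```c
/* Added example (not Nmap's own code): ordering two struct timeval
 * values without forming tv_sec * 1000000 (which overflows a 32-bit
 * integer for any time after the first 35 minutes of 1970), plus an
 * elapsed-time calculation that applies the RateMeter rule: a clock
 * that appears to run backwards by at most 1 millisecond counts as
 * zero elapsed time, anything worse is reported as an error. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/time.h>

/* True if a is strictly earlier than b.  Comparing seconds first and
 * microseconds only on a tie needs no multiplication at all. */
bool timeval_before(const struct timeval *a, const struct timeval *b) {
    return a->tv_sec < b->tv_sec ||
           (a->tv_sec == b->tv_sec && a->tv_usec < b->tv_usec);
}

/* True if a is strictly later than b. */
bool timeval_after(const struct timeval *a, const struct timeval *b) {
    return timeval_before(b, a);
}

/* Largest backwards step (in microseconds) that is silently tolerated. */
#define MAX_BACKWARDS_USEC 1000

/* Seconds elapsed from start to now.  Returns -1.0 if the clock went
 * backwards by more than MAX_BACKWARDS_USEC; a smaller backwards step
 * is clamped to 0.0 so that a "diff >= 0.0" style assertion holds. */
double elapsed_seconds(const struct timeval *start, const struct timeval *now) {
    /* Subtract field by field so the intermediate values stay small. */
    double diff = (double)(now->tv_sec - start->tv_sec) +
                  (double)(now->tv_usec - start->tv_usec) / 1000000.0;
    if (diff < 0.0) {
        if (diff < -(double)MAX_BACKWARDS_USEC / 1000000.0)
            return -1.0;    /* genuinely broken clock, not SMP jitter */
        diff = 0.0;
    }
    return diff;
}

/* Scalar-argument wrappers so the results are easy to check in tests. */
bool before_parts(long as, long au, long bs, long bu) {
    struct timeval a = { as, au }, b = { bs, bu };
    return timeval_before(&a, &b);
}

double elapsed_parts(long ss, long su, long ns, long nu) {
    struct timeval s = { ss, su }, n = { ns, nu };
    return elapsed_seconds(&s, &n);
}

int main(void) {
    /* Constructed values: the starttime/endtime pair shown in the XML
     * <host> example of this changelog, then a 500 us and a 2.5 ms
     * backwards step. */
    printf("before: %d\n", before_parts(1198292349, 0, 1198292370, 0));
    printf("elapsed: %.3f s\n", elapsed_parts(1198292349, 0, 1198292370, 0));
    printf("500us back: %.3f s\n", elapsed_parts(100, 500, 100, 0));
    printf("2.5ms back: %.3f\n", elapsed_parts(100, 2500, 100, 0));
    return 0;
}
```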
- Adjusted a bunch of code to avoid compilation warning messages on some Linux machines. [Andrew J. Bennieston]
- Fixed the NmapArpCache so that it actually works. Previously, Nmap was always falling back to the system ARP cache. Of course this raises the question of whether NmapArpCache is needed in the first place. [Daniel Roethlisberger]
- Fix a Zenmap bug which could cause the error message "zenmapCore.NmapOptions.OptionNotFound: No option named '' found!" if you create a new profile without checking any options then try to edit it. [David]
- Zenmap now shows a more helpful error message when there is an error in executing Nmap. [David]
- Zenmap now creates the directory ~/.zenmap-etc to store automatically generated GTK+ and Pango files. They used to go in the application bundle but that doesn't work on a read-only file system or disk image. This is what Wireshark does (~/.wireshark-etc), although the directory could be called anything. It doesn't have to persist across sessions.
- Added a mechanism in Zenmap for including extra executable search paths on specific platforms, so we can include /usr/local/bin in PATH on Mac OS X by default and add the Nmap install directory on Windows. [David]
- We now use --no-strip when building Zenmap Mac OS X packages to prevent many mysterious warnings which occur when the binary is stripped. [David]
- When Zenmap invokes Nmap, it now copies the whole environment for the Nmap invocation rather than just providing $PATH. Windows may need this to do proper name resolution. [David]
- Corrected uptime parsing and reporting in SNMPsysdescr.nse for an uptime of less than 46 hours. [Kris]
- Modified the use of CXXFLAGS, CFLAGS, and CPPFLAGS in Nmap build system to work better when building Mac OS X universal binaries. [David]
- Added many additional PCRE option flags to the list returned by the NSE pcre.flags() function. [Kris]
- Changed the NSE function nmap.set_port_state() so that it checks to see if the requested port is already in the requested state. This prevents "Duplicate port" messages during the script scan and the inaccurate "script-set" state reason. [Kris]
- Canonicalize NSE script license text--more than half did not even spell license correctly. They all still say that they are under Nmap's license, just with consistent capitalization and spelling, and now a link to the Nmap legal page at https://nmap.org/book/man-legal.html .
- Updated ripeQuery.nse to not print extraneous whitespace. [Kris]
- Switched telnet brute force password cracking NSE (bruteTelnet.nse) to vulnerability category so it isn't executed by default. It can take too long to run. [Eddie]
- NSE status messages now print host name and IP, rather than just the host name (which was blank when Nmap didn't know it). [Jah]
- Allocate 128 characters for the idle scan ScanProgressMeter title. Previously it was 32 characters. The "idle scan against " and the \0 terminator take up 19 characters, leaving only 13, which isn't enough to represent all IP addresses, let alone hostnames. Bug reported by Stephan Fijneman, fixed by David.
Nmap 4.60 [2008-3-15]
- Nmap has moved. Everything at http://insecure.org/nmap/ can now be found at https://nmap.org . That should save your fingers from a little bit of typing. Even though transparent redirectors are in place for the old URLs, please update your links and bookmarks. And if you don't have a link to Nmap on your web site, now is a good time to add one :).
- All of your OS detection fingerprints up until March 10, 2008 have now been integrated by David. The second generation database has grown from 1,085 fingerprints representing 421 operating systems/devices, to 1,304 fingerprints representing 478 systems. That is an increase of more than 20%. New fingerprints were added for Mac OS X Tiger, iPod Touch, the La Fonera WAP, FreeBSD 7.0, Linux 2.6.24, Windows 2008, Vista, OpenBSD 4.2, and of course hundreds of broadband routers, VoIP phones, printers, some crazy oscilloscope, etc. We get a ton of new fingerprint submissions, but not as many corrections. Please remember to visit https://nmap.org/submit/ if Nmap gives you bad results, whether they are completely wrong or just a slight mistake (like Nmap says Linux 2.6.20-2.6.23, but you're running 2.6.24). Of course you need to be certain you know exactly what is running on the target before you do this.
- All of your service fingerprints and corrections submitted until January 14, 2008 have now been integrated by Doug. As usual, he has documented his adventures at http://hcsw.org/blog.pl/33 . More than a hundred signatures were added, growing the database to 4,645 signatures for 457 services. Corrections are welcome for service detection too -- visit https://nmap.org/submit/ if you get incorrect results.
- Nmap now saves the target name (if any) specified on the command line, since this can differ from the reverse DNS results. It can be particularly important when doing HTTP tests against virtual hosts. The data can be accessed from target->TargetName() from Nmap proper and host.targetname from NSE scripts. The NSE HTTP library now uses this for the Host header. Thanks to Sven Klemm for adding this useful feature.
- Added NSE HTTP library which allows scripts to easily fetch URLs with http.get_url() or create more complex requests with http.request(). There is also an http.get() function which takes components (hostname, port, and path) rather than a URL. The HTTPAuth, robots, and showHTMLTitle NSE scripts have been updated to use this library. Sven Klemm wrote all of this code.
- Fixed an integer overflow in the DNS caching code that caused nmap to loop infinitely once it expunged older entries from the cache. Thanks to David Moore for the report, and Eddie Bell for the fix.
- Fixed another integer overflow in the DNS caching code which caused infinite loops. [David]
- Added IPv6 host support to the RPC scan. Attempting this before (via -sV) caused a segmentation fault. Thanks to Will Cladek for the report. [Kris]
- Fixed an event handling bug in NSE that could cause execution of some in-progress scripts to be excessively delayed. [Marek]
- A new NSE table library (tab.lua) allows scripts to deliver better formatted output. The Zone transfer script (zoneTrans.nse) has been updated to use this new facility. [Eddie]
- Rewrote HTTPpasswd.nse to use Sven's excellent HTTP library and to do some much-needed cleaning up. [Kris]
- Added a new MsSQL version detection probe and a bunch of match lines developed by Tom Sellers.
- Added a new service detection probe and signatures for the memcached service. [Doug]
- Added new service detection probes and signatures for the Beast Trojan and Firebird RDBMS. [Brandon Enright]
- Fixed a crash in Zenmap which occurred when attempting to edit or create a new profile based on an existing one when there wasn't one selected. The error message was:
'NoneType' object has no attribute 'toolbar'
Now a new Profile Editor is opened. Thanks to D1N (d1n@inbox.com) for the report. [Kris]
- Fixed another crash in Zenmap which occurred when exiting the Profile Editor (while editing an existing profile) by clicking the "X", then going to edit the same profile again. The error message was: "No option named '' found!". Now the same window that appears when clicking Cancel comes up when clicking "X". Thanks to David for reporting this bug. [Kris]
- Another Zenmap bug was fixed: ports consolidated into "extra ports" groups are now counted and shown in the "Host Details" tab. The closed, filtered and scanned port counts in this tab didn't contain this information before so they were usually very inaccurate. [Kris]
- Another Zenmap bug was fixed: the --scan-delay and --max-scan-delay buttons ("amount of time between probes") under the Advanced tab in the Profile Editor were backwards. [Kris]
- Added the UDP Scan (-sU) and IPProto Ping (-PO) to Zenmap's Profile Editor and Command Wizard. [Kris]
- Reordered the UDP port selection for Traceroute: a closed port is now chosen before an open one. This is because an open UDP port is usually due to running version detection (-sV), so a Traceroute probe wouldn't elicit a response. [Kris]
- Add Famtech Radmin remote control software probe and signatures to the Nmap version detection DB. [Tom Sellers, Fyodor]
- Add "Connection: Close" header to requests from HTTP NSE scripts so that they finish faster. [Sven Klemm]
- Update SSLv2-support NSE script to run against more services which are likely SSL. [Sven Klemm]
- A bunch of service name canonicalization was done in the Nmap version detection file by Brandon Enright (e.g. capitalizing D-Link and Netgear consistently).
- Upgraded the shipped LibPCRE from version 7.4 to 7.6. [Kris]
- Updated to latest (as of 3/15) autoconf config.sub/config.guess files from http://cvs.savannah.gnu.org/viewvc/config/?root=config . [Fyodor]
- We now escape newlines, carriage returns, and tabs (\n\r\t) in XML output. While those are allowed in XML attributes, they get normalized, which can make formatting the output difficult for applications which parse Nmap XML. [Joao Medeiros, David, Fyodor]
- The Zenmap man page is now installed on Unix when "make install" is run. This was supposed to work before, but didn't. [Kris]
- Fixed a man page bug related to our DocBook to Nroff translation software producing incorrect Nroff output. The man page no longer uses the ".nse" string which was being confused with the Nroff no-space mode command. [Fyodor]
- Fixed a bug in which some NSE error messages were improperly escaped so that a message including "c:\nmap" would end up with a newline between "c:" and "map".
- Updated IANA assignment IP list for random IP (-iR) generation. [Kris]
- The DocBook XML source code to the Nmap Scripting Engine docs (https://nmap.org/book/nse.html) is now in SVN under docs/scripting.xml .
Nmap 4.53 [2008-1-12]
- Improved Windows executable installer by making uninstall work better on systems which changed the default install path. The shortcut is also now deleted properly on Vista. [Rob Nicholls]
- Windows installer is now generated using NSIS 2.34 rather than 2.13. [Fyodor]
- Added UPnP-info NSE script by Thomas Buchanan. It gathers information from the UPnP service (UDP port 1900) which listens on many network devices such as routers, printers, and networked media players.
- Fixed a --traceroute bug (assertion failure crash) which occurred when the first hop of the first host in a tracegroup (reference trace) times out. Thanks to Sebastián García for the bug report and testing, and Eddie for the patch.
- Fix a problem which prevented proper port number matching in NSE scripts (port_or_service function) due to a variable shadowing bug. [Sven Klemm]
- Improved rpcinfo.nse to better sort and display available RPC services. [Sven Klemm]
Nmap 4.52 [2008-1-1]
- Fixed Nmap WinPcap installer to use CurrentVersion registry key on Windows rather than VersionNumber to more reliably detect Vista machines. This should prevent the XP version of Packet.dll from being installed on Vista. [Rob Nicholls]
- The Nmap Scripting Engine (NSE) now supports run-time interaction and the Nmap --host-timeout option. [Doug]
- Added nmap.fetchfile() function for scripts so they can easily find Nmap's nmap-* data files (such as the OS/version detection DBs, port number mapping, etc.) [Kris]
- Updated rpcinfo.nse to use nmap.fetchfile() to read from nmap-rpc instead of having a huge table of RPC numbers. This reduced the script's size by nearly 75%. [Kris]
- Fixed multiple NSE scripts that weren't always properly closing their sockets. The error message was: "bad argument #1 to 'close' (nsock expected, got no value)" [Kris]
- Added a new version detection probe for the Trend Micro OfficeScan product line. [Tom Sellers, Doug]
Nmap 4.51BETA [2007-12-21]
- David wrote a detailed Zenmap guide: https://nmap.org/book/zenmap.html
- Added rpcinfo.nse script, which contacts a listening RPC portmapper and reports the listening services and port information (like rpcinfo -p does). The script was written by Sven Klemm. Fyodor then enhanced the RPC number list with all of the entries from nmap-rpc.
- Added a new NSE script (MySQLinfo) which prints MySQL server information such as the protocol and version numbers, status, thread id, capabilities, and password salt. [Kris]
- Nmap's output options (-oA, -oX, etc.) now support strftime()-like conversions in the filename. %H, %M, %S, %m, %d, %y, and %Y are all the same as in strftime(). %T is the same as %H%M%S, %R is the same as %H%M, and %D is the same as %m%d%y. A % followed by any other character just yields that character (%% yields a %). This means that "-oX 'scan-%T-%D.xml'" uses an XML file in the form of "scan-144840-121307.xml". [Kris]
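The conversion rules above can be checked with a small expander. This is an added example written for this changelog, not Nmap's own output code; the function names are hypothetical, and the timestamp used in main() is the one from the changelog's own "scan-144840-121307.xml" example (14:48:40 on December 13, 2007).

```c
/* Added example (not Nmap's own code): expand the strftime()-like
 * conversions Nmap accepts in -oA/-oX/... filenames.  The rules are
 * exactly those in the changelog entry: %H %M %S %m %d %y %Y as in
 * strftime(), %T = %H%M%S, %R = %H%M, %D = %m%d%y, and any other
 * character after '%' (including '%') stands for itself. */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Expand fmt into out (outlen bytes) using the broken-down time tm.
 * Returns the length of the result, or -1 if it would not fit. */
int expand_output_filename(const char *fmt, const struct tm *tm,
                           char *out, size_t outlen) {
    size_t pos = 0;
    const char *p = fmt;

    while (*p) {
        char piece[8];
        int n;

        if (*p != '%') {                 /* ordinary character */
            piece[0] = *p++;
            n = 1;
        } else if (p[1] == '\0') {       /* lone '%' at the very end */
            piece[0] = '%';
            p++;
            n = 1;
        } else {
            char c = p[1];
            p += 2;
            switch (c) {
            case 'H': n = snprintf(piece, sizeof piece, "%02d", tm->tm_hour); break;
            case 'M': n = snprintf(piece, sizeof piece, "%02d", tm->tm_min); break;
            case 'S': n = snprintf(piece, sizeof piece, "%02d", tm->tm_sec); break;
            case 'm': n = snprintf(piece, sizeof piece, "%02d", tm->tm_mon + 1); break;
            case 'd': n = snprintf(piece, sizeof piece, "%02d", tm->tm_mday); break;
            case 'y': n = snprintf(piece, sizeof piece, "%02d", tm->tm_year % 100); break;
            case 'Y': n = snprintf(piece, sizeof piece, "%04d", tm->tm_year + 1900); break;
            case 'T':                    /* same as %H%M%S */
                n = snprintf(piece, sizeof piece, "%02d%02d%02d",
                             tm->tm_hour, tm->tm_min, tm->tm_sec);
                break;
            case 'R':                    /* same as %H%M */
                n = snprintf(piece, sizeof piece, "%02d%02d",
                             tm->tm_hour, tm->tm_min);
                break;
            case 'D':                    /* same as %m%d%y */
                n = snprintf(piece, sizeof piece, "%02d%02d%02d",
                             tm->tm_mon + 1, tm->tm_mday, tm->tm_year % 100);
                break;
            default:                     /* any other char yields itself; %% -> % */
                piece[0] = c;
                n = 1;
                break;
            }
        }
        if (n < 0 || pos + (size_t)n >= outlen)
            return -1;                   /* no room (the NUL needs a byte too) */
        memcpy(out + pos, piece, (size_t)n);
        pos += (size_t)n;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Wrapper with an explicit, constructed timestamp so results are
 * reproducible (Nmap itself uses the current local time).  Returns a
 * pointer to a static buffer, or NULL if the name does not fit. */
const char *output_name_for(const char *fmt, int year, int mon, int mday,
                            int hour, int min, int sec) {
    static char name[256];
    struct tm tm;
    memset(&tm, 0, sizeof tm);
    tm.tm_year = year - 1900;
    tm.tm_mon = mon - 1;
    tm.tm_mday = mday;
    tm.tm_hour = hour;
    tm.tm_min = min;
    tm.tm_sec = sec;
    return expand_output_filename(fmt, &tm, name, sizeof name) < 0 ? NULL : name;
}

int main(void) {
    /* The changelog's own example: 14:48:40 on December 13, 2007. */
    printf("%s\n", output_name_for("scan-%T-%D.xml", 2007, 12, 13, 14, 48, 40));
    printf("%s\n", output_name_for("%Y-%m-%d_%R_100%%.xml", 2007, 12, 13, 14, 48, 40));
    return 0;
}
```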
- Fixed WinPcap installer to install the right version of Packet.dllon Windows Vista. [Fyodor]
- Fixed our WinPcap installer so that it waits for a WinPcap uninstall(if needed) to complete before trying to install the new WinPcap.[Jah]
- Fix a bunch of warning/error messages which contained an extranewline. [Brandon Enright]
- Fixed an error when attempting to scan localhost as an unprivilegeduser on Windows (nmap --unprivileged localhost). The error was:
Skipping SYN Stealth Scan against localhost (127.0.0.1) becauseWindows does not support scanning your own machine (localhost) thisway.
Now connect scan is used instead of SYN scan. [David] - Fixed a bug that prevented the --resume option from working onWindows. The error message was:..\utils.cc(996): CreateFileMapping(), file 'testresume', length 103,mflags 000 00006: The parameter is incorrect.(87)[Fixed by David, reported by Rob Nicholls]
- Zenmap's new web page (https://nmap.org/zenmap/) is now shown in theZenmap about dialogue.
- On Windows, paths beginning with \ are now considered absolute whenused with the --script option. jah (jah(a)zadkiel.plus.com) suggestedthis. [David]
- Zenmap no longer double-spaces its output (by inadvertentlyduplicating newlines) when viewing scan results that were saved to afile. [Joao Medeiros]
- Upgraded the shipped LibPCRE from version 7.2 to 7.4. [Kris]
- Fixed Zenmap crash that occurred when selecting Help from the CompareResults window. [Kris]
- Updated robots.nse to prevent printing robots.txt comments. [Kris]
- Many version detection match lines were improved to match even whennewlines appear in binary data returned by the service. [Fixed byDoug, suggested by Lionel Cons]
Nmap 4.50 [2007-12-13]§
- Bumped up the version number to the big 10th anniversary 4.50release! Seehttp://insecure.org/stf/Nmap-4.50-Release.html .
Nmap 4.49RC7 [2007-12-10]§
- A Zenmap crash was fixed. Scanning once, then scanning another targeton the same scan tab caused an ImportError ("list index out of range")in zenmapGUI/ScanNotebook.py. Joao Medeiros reported thebug. [David]
- Updated a couple of version detection signatures due to problemreports by Lionel Cons. [Doug]
Nmap 4.49RC6 [2007-12-8]§
- NSE scripts can now be specified by absolute path to the --scriptoption. This was supposed to work before, but didn't. [David]
- Insert a path separator in returned paths in init_scandir onWindows. Otherwise options such as "--scripts=scripts" (wherescripts is a directory) were failing with error messages about beingunable to access things like "C:\Nmap\scriptsanonFTP.nse" (should be"C:\Nmap\scripts\anonFTP.nse"). [David]
- Add some "local" declarations to xamppDefaultPass.nse to avoiderrors like: "SCRIPT ENGINE: [string "Global Access"]:1: Attemptedto change the global 'socket' ..." [David]
- NSE "shortports" function now by default matches ports in the"open|filtered" state as well as "open" ones. [Diman]
- Nsock msevent_new and msevent_delete calls fixed to handle NULL I/Odescriptors. This should fix a reported bus error crash. [Diman]
- Prevent old bit.dll and pcre.dll files from being installed innselib directory by Windows executable installer. Bit.dll is stillinstalled in nselib-bin where it belongs. Thanks to Rob Nicholls forreporting the problem. [Fyodor]
Nmap 4.49RC5 [2007-12-8]§
- Don't install the orphaned and incomplete Zenmap HTML documentation.Instead point to the Nmap documentation site, which is provides morecomprehensive and up-to-date Nmap docs. We're rapidly improving theonline Zenmap docs as well. Of course the Nmap and (new!) Zenmapman pages are still installed on Unix. [Fyodor]
- Fix mswin32/Makefile so that the new nselib-bin directory isproperly included in the Nmap win32 zipfile distribution. Thanksto Rob Nicholls for reporting the problem. [Fyodor]
- Fix host reason reported when the target is found to be "down" dueto no response. Nmap now reports "no-response" rather than"unknown-reason" [Kris]
Nmap 4.49RC4 [2007-12-7]
- David did a huge OS fingerprint integration marathon, going through all of your submissions (more than 1600) since August 20. The 2nd generation database has grown more than 30% to 1,085 entries! Many of the existing fingerprints were improved as well. Notable new or greatly improved entries include the iPhone, iPod Touch, Mac OS X Leopard, FreeBSD 7.0, Linux 2.6.23, Nokia cell phones (E61, E65, E70, E90, N95), and OpenBSD 4.2. Of course there were all manner of new printers, cable/DSL routers, switches, enterprise routers, IP phones, cell phones and a heap of obscure equipment such as the BeaconMedaes medical gas alarm. Windows Vista fingerprints were also improved significantly. Please keep those OS fingerprint submissions and corrections coming!
- Doug integrated all of your version detection fingerprints and corrections since October 4. The DB now has an incredible 4,542 signatures for 449 service protocols. The service protocols with the most signatures are http (1,473), telnet (459), ftp (423), smtp (327), pop3 (188), http-proxy (111), ssh (104), imap (103), irc (46) and nntp (44).
- Included the netbios-smb-os-discovery.nse script which uses NetBIOS and SMB queries to guess OS version. This script was written by Judy Novak and contributed by Sourcefire.
- Canonicalized the interface type numbers used internally by libdnet. Also Libdnet now recognizes devices with type INTF_TYPE_IEEE80211 as Ethernet devices. This ought to make wireless network scanning work on Windows Vista. For more background see http://seclists.org/nmap-dev/2007/q4/0391.html . [David]
- Documented the "--script all" option in the man page and NSE article. This option executes all scripts in the NSE database regardless of category. [Fyodor]
- NSE scripts can now be specified by name without the .nse extension. So instead of using "--script bruteTelnet.nse,HTTPpasswd.nse,SQLInject.nse,robots.nse", you can just pass "--script bruteTelnet,HTTPpasswd,SQLInject,robots". [Kris]
- Removed some auto-generated files from the new nselib-bin directory as they could cause compatibility problems. Also updated mswin32/Makefile to reflect the new nselib-bin DLL location. [David]
- ripeQuery.nse was updated to avoid printing some useless information. [Kris]
- Compatibility with systems that have the pcre.h header file in its own pcre directory should now be fixed for real. [Fyodor]
- Enhanced the radmind service detection signature and added a deprecated radmind port to nmap-services. [Matt Selsky]
- Zenmap now gives better errors to stdout when it can't even pop up a dialog box (such as when PyGTK can't be loaded). [David]
- Fixed a Zenmap crash which occurred on Mac OS X and possibly other platforms. The error message said: "object of type 'ScanHostDetailsPage' has no len()". [David]
- Fixed a crash which occurred when an NSE script called set_port_version() at times that version scanning was not enabled. [Diman]
- Fixed the NSIS installer so that it does not include some excess files (mswin32/* and .svn). Thanks to Alan Jones for reporting the problem. [Fyodor]
- Renamed some Zenmap Python packages to allow Zenmap and Umit to be installed at the same time. [David]
- Updated nmap-mac-prefixes with the latest IEEE data. Also added back Cooperative Linux virtual NIC which was inadvertently removed in a previous release. [Fyodor]
Nmap 4.23RC3 [2007-11-27]
- Zenmap now has a man page! It isn't very long yet, but covers the basics. Thanks to David for writing this.
- A new NSE script, promiscuous.nse, scans devices on a local network looking for sniffers (devices running in promiscuous mode). This script is from Marek Majkowski and is the first to use the NSE pcap extension system (which he also wrote). The script is only in the discovery category for now so it does not run by default. Specify it by name for now. We may make it default after the upcoming stable release.
- Nmap can now handle IP aliases on Windows. A given device such as eth0 might have several IP addresses. Nmap will use the primary address, so you need to use -S if you want to specify a different one. [David]
- An exception (rather than luaL_argerror) is now thrown when an SSL connection is attempted but OpenSSL isn't available. [David]
- There is now an nmap.have_ssl NSE function so you can avoid doing NSE probes when SSL isn't available. [David]
- Zenmap gives clearer error messages when an import error occurs or Zenmap's dump files aren't found. [David]
- Zenmap now looks for its data files relative to the directory of the zenmap script to allow running from the build/svn directory. [David]
- NSE C modules are now installed into an nselib-bin directory. This was needed to make the dns-test-open-recursion and zoneTrans NSE scripts work properly, since they use the NSE bit library (bit.so). [Diman, Fyodor]
- Auxiliary autoconf scripts such as config.guess, config.sub, depcomp, install-sh, and ltmain.sh were deleted from Nmap subdirectories because configure is smart enough to use the ones from the parent directory. This decreases the Nmap source tarball and svn checkout sizes. [David]
- Nmap now compiles on systems which have the libPCRE include file in pcre/pcre.h rather than just pcre.h. Thanks to Lionel Cons for the report. [Fyodor]
- Nmap binary is now stripped again, but it now uses -x to avoid stripping dynamically loaded NSE functions on Mac OS X. [David]
- Normalized Zenmap's handling of results files specified on the command line. In some cases, Zenmap would ignore specified results files just because some unrelated options were used. [David]
- configure.ac now uses literal directory names rather than variable references in calls to AC_CONFIG_SUBDIRS. This removes an annoying warning message which has existed for years when you regenerate configure. [David]
- Fixed a configure.ac error which prevented you from specifying an alternative libnsock directory. [David]
- Check for Python in configure only if Zenmap is requested, and bail out if Zenmap is explicitly requested (--with-zenmap) and Python is not available. [David]
- Removed some unimplemented Zenmap command-line options and function calls. [David]
Nmap 4.23RC2 [2007-11-18]
- Static code analysis company Coverity generously offered to scan the Nmap code base for flaws, and Kris volunteered to go through their report and fix the ones which were actual/possible problems rather than false positives. Their system proved quite useful, and about a dozen potential problems were fixed. For details, see Kris' 11/15/07 SVN commits.
- Improved the Zenmap RPM file so that it should work on either Python 2.4 or Python 2.5 machines. It should also work on any platform (x86, x86_64, etc.) [David]
- WinPcap updated from version 4.0.1 to the new 4.0.2 release. [David]
- Added PPTP version detection NSE script (PPTPversion.nse) from Thomas Buchanan. Nmap now ships with 38 NSE scripts.
- A number of Solaris compilation fixes were added. Hopefully it works for more Solaris users now. We also fixed an alignment issue which could cause a bus error on Solaris. [David]
- When an NSE script changes the state of a port (e.g. from open|filtered to open), the --reason flag is now changed to "script-set". Also, the port state reason is now available to NSE scripts through a "reason" element in the port-table. Thanks to Matthew Boyle for the patch.
- When version detection changes the state of a port, the reason field is now updated as well (to udp-response or tcp-response as applicable). Thanks to Thomas Buchanan for the patch.
- Reworded an error message after a woman reported that it was "highly offensive and sexist". She also noted that "times have changed and many women now use your software" and "a sexist remark like the one above should have no place in software." The message was: "TCP/IP fingerprinting (for OS scan) requires root privileges. Sorry, dude.". I checked svn blame to call out the insensitive, chauvinistic jerk who wrote that error message, but it was me :).
- We received a bug report through Debian entitled "Nmap is a clairvoyant" because when you run it with -v on September 1 1970, it reports "Happy -27th Birthday to Nmap, may it live to be 73!". We have decided that clairvoyance is a feature and ignored the report.
- We no longer strip the Nmap binary before installing it, as that was leading to a runtime error on Mac OS X: "lazy symbol binding failed: Symbol not found: _luaL_openlib". Unfortunately, the unstripped Nmap binary can be much larger (e.g. 4MB vs. 800KB) so we are working on a better fix which allows us to continue stripping the binary on other platforms.
- Zenmap configuration/customization files renamed from ~/.umit to ~/.zenmap and umit.conf to zenmap.conf, etc. [David]
- Fixed a Zenmap bug where if you try to edit a profile and then click cancel, that profile ends up deleted. [Luis A. Bastiao]
- The NSE shortport rules now allow for multiple matching states (e.g. open or open|filtered) to be specified. This silently failed before. [Eddie]
- Regenerate configure scripts with Autoconf 2.61 and update config.guess and config.sub files with the latest versions from http://cvs.savannah.gnu.org/viewvc/config/?root=config . [David]
Nmap 4.23RC1 [2007-11-10]
- NmapFE is now gone. It had a good run as the default Nmap GUI for more than 8 years (since April 1999). But after two years of development, Zenmap is ready to take its place. Zenmap is portable and provides a much better interface to executing and (especially) viewing and analyzing Nmap results. David did the honors of removing NmapFE.
- We have lost another old friend as well: 1st generation OS detection system. Nmap revolutionized OS detection when this was released in October 1998 and it served us well for more than 9 years as the database grew to 1,684 fingerprints. But the 2nd generation system incorporates everything we learned during all those years and has proven itself even more effective. I couldn't bear to kill this myself, so David did the dirty work.
- There is no longer any artificial limit on the number of ports or protocols that can be used for host discovery. Port lists for ping scan now use the same syntax as the -p option except that T:, U:, and P: are not allowed. This means that you can do
  nmap -PS1-1000 target
  nmap -PAhttp,https target
  nmap -PU'[-]' target
[David]
- Zenmap is now available packaged in RPM format. Since Zenmap is written in Python, we no longer have to have separate x86 and x86_64 versions like we did with NmapFE (and like we still do with Nmap). [David]
- Fixed a crash (assertion failure) which could occur during ARP Ping scan [Kris]
- Fixed Zenmap so that it can handle asterisks in the command line (e.g. "nmap 192.168.*.*" or "nmap -phttp* localhost") [David]
- Change the Zenmap bug report dialogue to now give instructions for reporting issues to nmap-dev. [David]
- Modified higwidgets/higdialogs.py for compatibility with old versions of PyGTK. [David]
- Updated IANA assignment IP list for random IP (-iR) generation. [Kris]
- Fixed a number of spelling errors in the Reference Guide (man page) [Doug]
Nmap 4.22SOC8 [2007-10-28]
- Removed the old massping() system, since the functionality has now been migrated into the existing ultra_scan() system (which is used for port scanning too). Thanks to David for doing the migration, which involved a lot of work and testing. The new system is frequently faster and more accurate than massping(), and some of the new algorithms benefit port scans too.
- Renamed Umit to Zenmap to reduce confusion between the version we ship with Nmap as the integrated GUI and the version maintained separately at umit.sourceforge.net. We are excited about Zenmap and expect to remove NmapFE in the near future.
- Integrated all of your Q3 service detection submissions! We have now surpassed 4500 signatures and are approaching 500 service protocols. Wow! Thanks to Doug for doing the integration. His notes on the crazy and interesting services discovered this quarter are at http://hcsw.org/blog.pl/31 .
- Added a new ping type: IPProto Ping. Use -PO (that is the letter O as in prOtOcOl, not a zero). This is similar to protocol scan (-sO) in that it sends IP headers with different protocols in the hope of eliciting a response from targets. The default is to send with protocols 1 (ICMP), 2 (IGMP), and 4 (IP-in-IP tunnel), but you can specify different protocol numbers on the command line the same way you specify TCP/UDP ports to -PS or -PU. To reduce confusion, we now recommend that -PN be used when you don't want pings done rather than using the old -P0 (zero). [Kris]
- The SMTPcommands.nse script was updated to support the HELP query in addition to EHLO [Jasey DePriest]
- Added --ttl support for connect() scans (-sT). [Kris]
- Combine the Zenmap setup scripts into one portable setup.py rather than having separate versions for Windows, Unix, and Mac OS X.
- Removed a bunch of unnecessary/incomplete code and data files from Zenmap. [David]
- In Nbase, switched from GNU's getopt() replacement functions to Ben Sittler's BSD-licensed (but GNU compatible) functions. [Kris]
- Include nmap.h in portreasons.h. This fixes a compilation problem reported on OpenBSD. [David]
- Change PCRE from an NSELib module back to statically linked code due to OpenBSD compilation problems. See http://seclists.org/nmap-dev/2007/q4/0085.html [David]
- Fix a problem with --reason printing the wrong host discovery reasons when ICMP destination unreachable packets arrived. [Kris]
- Nmap has better dependency tracking now such that it no longer builds the executable every time you type 'make'. This was causing problems where 'make; sudo make install' would create a root-owned nmap executable because it was rebuilt as part of 'make install'. [David]
Nmap 4.22SOC7 [2007-10-11]
- Integrated all of your OS detection new fingerprint submissions and correction reports. The DB grew more than 18% to 825 fingerprints. Keep those submissions coming! [David]
- Made a number of significant improvements to host discovery algorithms for better performance and reliability. [David]
- Fixed a bug which prevented the first OS detection guess from being included in XML output. This only applies when no exact matches were found. Thanks to Martyn Tovey of Netcraft for reporting the problem and helping to track it down in the code.
- Improve the script scan scheduling system to prevent the system from running out of sockets by executing too many scripts concurrently during large scans. Thanks to Brandon Enright for finding the bug and Stoiko for fixing it.
- Added nmap.verbosity() and nmap.debugging() functions for scripts to determine the Nmap verbosity/debugging level. [Kris]
- Fixed a crash (assertion error) which occurred when the first hop of the first system (reference trace) times out. [Eddie]
- UMIT no longer rewrites a bunch of script files to replace variables such as VERSION and REVISION in the SVN working directory. [David, Adriano]
- UMIT icon loading code simplified and made platform independent. [David]
- Removed PIL dependency from UMIT package generation system. We now use GTK to put the version number in the splash screen. [Adriano]
- UMIT no longer crashes just because documentation files are missing. [Adriano]
- Removed unnecessary recent_scans.txt and target_list.txt files from UMIT. Some unnecessary copies of Nmap data files were removed as well. [David, Adriano]
- Updated the *.dmp preprocessed Nmap data files used by UMIT, and also updated the scripts used to create them. [David]
- WinPcap installer was updated so that on Windows Vista it uses a different Packet.dll and omits WanPacket.dll. [Eddie]
- Unix installation now places NSELib dynamic libraries in 'libexec' rather than 'share' directories, since they are architecture dependent. Thanks to Christoph J. Thompson for the patch.
- Fix bug related to users providing custom libpcre location to configure (reported by Daniel Johnson, fixed by Stoiko). A patch from Marek Majkowski which caps the number of sockets opened by NSE scripts was also applied.
- The UMIT version number is automatically updated to be the same as the Nmap version number rather than always being 0.9.4. [David]
- UMIT now sorts port numbers numerically rather than alphabetically [Adriano]
- Three UMIT data files (options.xml, profile_editor.xml, and wizard.xml) are installed in the shared UMIT data directory (e.g. /usr/share/umit/misc) rather than in every user's ~/.umit directory. [David]
- Added HTTPtrace demo NSE script by Kris, who also updated his HTTPpasswd script.
- A bunch of capitalization/spelling canonicalization changes were made to Nmap output. For example: ftp to FTP and idlescan to idle scan.
- Made some improvements to the nmap.xsl stylesheet for converting Nmap XML results to HTML reports. It now does a better job at removing empty sections and headers. Thanks to Henrik Lund Kramshoej for the patch.
- Updated nmap-mac-prefixes with the latest IEEE data.
- Disabled auto-generation of libpcre/pcre_chartables.c because that was useless for our purposes and could also cause some version control related problems. [David]
- Updated IANA assignment IP list for random IP (-iR) generation. [Kris]
Nmap 4.22SOC6 [2007-8-29]
- Included David's major massping migration project. The same underlying engine is now used for ping scanning as for port scanning. We hope this will lead to better performance and accuracy, as well as helping to de-bloat Nmap. Please test it out and report your results to nmap-dev! For more details, see http://seclists.org/nmap-dev/2007/q3/0277.html
- Fixed UMIT bug which occurred when installing to a non-standard directory (e.g. a home directory). This caused Python to not be able to find the necessary files. [Kris]
- Added an NSE script (HTTPpasswd.nse) for finding directory traversal problems and /etc/password files on web servers. [Kris]
- Fixed an error related to version scans against SSL services on UNIX. The error said "nsock_connect_ssl called - but nsock was built w/o SSL support. QUITTING". Thanks to Jasey DePriest for tracking down the problem and David Fifield for fixing it.
- Removed win_dependencies cruft from UMIT directory. [Kris]
- Upgraded Libpcap from version 0.9.4 to 0.9.7 [Kris]
- Removed the effectively empty XML elements for traceroute hops which timed out. [Eddie]
- Fixed (I hope) a problem with running Nmap on Mac OS X machines with VMWare Fusion running. The error message started with: "getinterfaces: Failed to open ethernet interface (vmnet8). A possible cause on BSD operating systems is running out of BPF devices ...." For more details, see http://seclists.org/nmap-dev/2007/q3/0254.html .
- Check that --script arguments are reasonable when Nmap starts rather than potentially waiting for a bunch of port scanning to finish first. [Stoiko]
- Fixed (we hope) a UMIT problem which resulted in the error message: "NameError: global name 'S_IRUSR' is not defined". [Adriano]
- Removed an error message which used to appear when you quit UMIT on Windows. The message used to say "Errors occurred - See the logfile [filename] for details." [Adriano]
- Fix permissions on files installed by Umit so that it should work even if you do 'make install' from an account with a 077 umask.
- Add a feature to Umit that lets you search your unsaved scans. [Eddie]
- Added back a previously removed feature which allows you to specify 'rnd' as one of your decoys (-D option) to let Nmap choose a random IP. You can also use a format such as rnd:5 to generate five random decoys. [Kris]
- Reference guide (man page) updates to the NSE section, and some general cleanup.
- When Nmap finishes, it now says "Nmap done" rather than "Nmap run completed". No need to waste pixels on excess verbiage.
Nmap 4.22SOC5 [2007-8-18]
- The Windows installer should actually install UMIT properly now.
- Remove umit.db from the installation process. Let Umit create a new one on its own when needed.
- Fixed the UMIT portion of the Windows installer build system to detect certain heinous errors (like not being able to find Python) and bail out. [Kris]
- Prevent scripts directory from containing .svn cruft when using the Win32 installer (thanks to David Fifield for the patch).
Nmap 4.22SOC3 [2007-8-16]
- Umit is now included in the Nmap Windows executable installer. Please give it a try and let us know what you think! Kris put a lot of work into getting this set up.
- Added four new NSE scripts: HTTP proxy detection (Arturo 'Buanzo' Busleiman), DNS zone transfer attempt (Eddie), detecting SQL injection vulnerabilities on web sites (Eddie), and fetching and displaying portions of /robots.txt from web servers (Eddie).
- All of your 2nd Quarter 2007 Nmap version detection fingerprints were integrated by Doug. The DB now contains 4,347 signatures for 439 service protocols. Doug describes the highlights (craziest services found) in his integration report at http://hcsw.org/blog.pl/29 .
- NSE now supports raw IP packet sending and receiving thanks to a patch from Marek Majkowski. Diman handled testing and applied the patch.
- Nmap now has Snprintf() and Vsnprintf() as safer alternatives to the standard version. The problem is that the Windows version of these functions (_snprintf, _vsnprintf) doesn't properly terminate strings when it has to truncate them. These wrappers ensure that the string written is always terminated, even when it has to be truncated. Thanks to Kris for doing the work.
- Upgraded libpcre from version 6.7 to 7.2 [Kris]
- Merged various Umit bug fixes from SourceForge trunk: "missing import webbrowser on umit", "Missing markup in 'OS Class' on HostDetailsPage", "some command line options are now working (target, profile, verbose, open result file and run an nmap command)", "removing unused functions import from os.path", "verbosity works on command line"
- Eddie fixed several Umit bugs. Umit now sets the file save extension to .usr unless the user specifies something else. The details highlight regular expression was improved and an error message was added when no target was specified and -iR and -iL aren't used.
- reason.cc/reason.h renamed to portreasons.cc/.h because a reason.h in the Windows platform SDK was causing conflicts. [Kris]
- Fixed a bug in --iflist which would lead to crashes. Thanks to Michael Lawler for the report, and Eddie for the fix.
- Finished updating WinPcap to 4.01 (a few static libraries were missed) [Eddie]
- Added NSE support for buffered data reads. [Stoiko]
- Added new --script-args option for passing arguments to NSE scripts [Stoiko]
- Performed a bunch of OS fingerprint text canonicalization thanks to reports of dozens of capitalization inconsistencies from Suicidal Bob.
- Fixed an assertion failure which could be experienced when script scan was requested without also requesting version scan. [Stoiko]
- Fixed an output bug on systems like Windows which return -1 when vsnprintf is passed a too-small buffer rather than returning the size needed. Thanks to jah (jah(a)zadkiel.plus.com) for the report.
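The two _snprintf/_vsnprintf problems this section describes (no terminating NUL on truncation in the Snprintf()/Vsnprintf() entry, and a -1 return instead of the needed size in the entry above) are shown together here as an added C example; it is not Nmap's own wrapper source. legacy_vsnprintf is a constructed stand-in for the Windows behaviour, and safe_vsnprintf/safe_snprintf are hypothetical names for the hardened wrappers.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the pre-C99 Windows _vsnprintf contract the
   changelog describes (this is not Microsoft's code): when the formatted
   output does not fit, the buffer is filled completely with NO terminating
   NUL and -1 is returned instead of the length that would have been needed.
   It exists only so the hardening below can be exercised on any platform. */
static int legacy_vsnprintf(char *buf, size_t size, const char *fmt, va_list ap) {
    char tmp[256];
    va_list ap2;
    int n;

    va_copy(ap2, ap);
    n = vsnprintf(tmp, sizeof tmp, fmt, ap2);
    va_end(ap2);
    if (n < 0)
        return -1;
    if ((size_t)n >= size) {
        memcpy(buf, tmp, size);          /* whole buffer used, no room for NUL */
        return -1;
    }
    memcpy(buf, tmp, (size_t)n + 1);     /* fits: copy including the NUL */
    return n;
}

/* Hardened wrapper in the spirit of the Vsnprintf() entry: the output is
   always NUL-terminated when size > 0, and -1 is returned whenever the output
   was truncated, whether the underlying call signalled that with -1 (Windows
   style) or with the would-be length (C99 style). */
int safe_vsnprintf(char *buf, size_t size, const char *fmt, va_list ap) {
    int n;

    if (size == 0)
        return -1;
    n = legacy_vsnprintf(buf, size, fmt, ap);
    buf[size - 1] = '\0';                /* the one line that closes the hole */
    if (n < 0 || (size_t)n >= size)
        return -1;
    return n;
}

int safe_snprintf(char *buf, size_t size, const char *fmt, ...) {
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = safe_vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Variadic front end for the legacy stand-in, used only by the demo below. */
static int legacy_snprintf(char *buf, size_t size, const char *fmt, ...) {
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = legacy_vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Returns 1 if the legacy call left an 8-byte buffer with no NUL at all
   (the bug the wrappers exist to fix), 0 otherwise. The input string is a
   constructed 11-character sample. */
int demo_legacy_leaves_unterminated(void) {
    char buf[8];
    int n = legacy_snprintf(buf, sizeof buf, "%s", "hello world");
    return n == -1 && memchr(buf, '\0', sizeof buf) == NULL;
}

/* Returns 1 if the hardened call reports truncation and leaves a proper
   C string holding the longest prefix that fits, 0 otherwise. */
int demo_safe_is_terminated(void) {
    char buf[8];
    int n;

    memset(buf, 'X', sizeof buf);        /* poison so a missing NUL would show */
    n = safe_snprintf(buf, sizeof buf, "%s", "hello world");
    return n == -1 && strcmp(buf, "hello w") == 0;
}

/* Returns 1 if output that fits is passed through unchanged together with
   its length, 0 otherwise. */
int demo_safe_fits(void) {
    char buf[8];
    int n = safe_snprintf(buf, sizeof buf, "%d-%d", 4, 2);
    return n == 3 && strcmp(buf, "4-2") == 0;
}

int main(void) {
    printf("legacy leaves buffer unterminated: %d\n", demo_legacy_leaves_unterminated());
    printf("safe wrapper terminates:           %d\n", demo_safe_is_terminated());
    printf("safe wrapper passes fitting text:  %d\n", demo_safe_fits());
    return 0;
}
```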
- Added sys/types.h include to portreasons.h to help OpenBSD compilation. Thanks to Olivier Meyer for the patch.
- Many hard coded function names and instances of __FUNCTION__ were changed to __func__ [Kris]
- Configure scripts for Nmap, Nbase, and Nsock were optimized to remove redundant checks. This improves compilation time performance. [Eddie]
- Updated IANA assignment IP list for random IP (-iR) generation. [Kris]
Nmap 4.22SOC2 [2007-7-11]
- NSE compilation fixes by Stoiko and Kris
Nmap 4.22SOC1 [2007-7-8]
- The UMIT graphical Nmap frontend is now included (as an ALPHA TEST release) with the Nmap tarball distribution. It isn't yet in the RPMs or the Windows distributions. UMIT is written with Python/GTK and has many huge advantages over NmapFE. It installs from the Nmap source tarballs as part of the "make install" process unless you specify --without-umit to configure. Please give UMIT a try (the executable is named umit) and let us know the results! We hope to include UMIT in the Windows Nmap distributions soon.
- Added more Nmap Scripting Engine scripts, bringing the total to 31. The new ones are bruteTelnet (Eddie Bell), SMTPcommands (Jasey DePriest), iax2Detect (Jasey), nbstat (Brandon Enright), SNMPsysdescr (Thomas Buchanan), HTTPAuth (Thomas), finger (Eddie), ircServerInfo (Doug Hoyte), and MSSQLm (Thomas Buchanan).
- Added the --reason option which explains WHY Nmap assigned a port status. For example, a port could be listed as "filtered" because no response was received, or because an ICMP network unreachable message was received. [Eddie]
- Integrated all of your 2nd generation OS detection submissions, increasing the database size by 68% since 4.21ALPHA4 to 699 fingerprints. The 2nd generation database is now nearly half (42%) the size of the original. Please keep those submissions coming so that we can do another integration round before the SoC program ends on August 20! Thanks to David Fifield for doing most of the integration work!
- Integrated version detection submissions. The database has grown by more than 350 signatures since 4.21ALPHA4. Nmap now has 4,236 signatures for 432 service protocols. As usual, Doug Hoyte deserves credit for the integration marathon, which he describes at http://hcsw.org/blog.pl .
- Added the NSE library (NSELib) which is a library of useful functions (which can be implemented in LUA or as loadable C/C++ modules) for use by NSE scripts. We already have libraries for bit operations (bit), list operations (listop), URL fetching and manipulation (url), activation rules (shortport), and miscellaneous commonly useful functions (stdnse). Stoiko added the underlying functionality, though numerous people contributed to the library routines.
- Added --servicedb and --versiondb command-line options which allow you to specify a custom Nmap services (port to port number translation and port frequency) file or version detection database. [David Fifield]
- The build dependencies were dramatically reduced by removing unnecessary header includes and moving header includes from .h files to .cc as well as adding some forward declarations. This reduced the number of makefile.dep dependencies from 1469 to 605. This should make Nmap compilation faster and prevent some portability problems. [David Fifield]
- Upgraded from WinPcap 3.1 to WinPcap 4.01 and fixed a WinPcap installer error. [Eddie]
- In verbose mode, Nmap now reports where it obtains data files (such as nmap-services) from. [David Fifield]
- Canonicalized a bunch of OS classes, device types, etc. in the OS detection and version scanning databases so they are named consistently. [Doug]
- If we get an ICMP Protocol Unreachable from a host other than our target during a port scan, we set the state to 'filtered' rather than 'closed'. This is consistent with how port unreachable errors work for udp scan. [Kris]
- Relocated OSScan warning message (could not find 1 closed and 1 open port). Now output.cc prints the warning along with a target's OSScan results. [Eddie]
- Fixed a bug which caused port 0 to be improperly used for gen1 OS detection in some cases when your scan includes port 0 (it isn't included by default). Thanks to Sebastian Wolfgarten for the report and Kris Katterjohn for the fix.
- The --iflist table now provides WinPcap device names on Windows. [Eddie]
- The Nmap reference guide (man page) DocBook XML source is now in the SVN repository at svn://svn.insecure.org/nmap/docs/refguide.xml .
- NSE now has garbage collection so that if you forget to close a socket before exiting a script, it is closed for you. [Stoiko]
- The <portused> tag in XML output now provides the open TCP port used for OS detection as well as the closed TCP and UDP ports which were reported previously. [Kris]
- XML output now has a <times> tag for reporting final time information which was already printed in normal output in verbose mode (round trip time, rtt variance, timeout, etc.) [Kris]
- Changed the XML output format so that the <extrareasons> tag (part of Eddie's --reason patch) falls within the <extraports> tag. [Kris]
- Nmap now provides more concise OS fingerprints for submission thanks to better merging. [David Fifield]
- A number of changes were made to the Windows build system to handle version numbers, publisher field, add/remove program support, etc. [Eddie]
- The Nmap -A option now enables the traceroute option too [Eddie]
- Improved how the Gen1 OS Detection system selects which UDP ports to send probes to. [Kris]
- Updated nmap-mac-prefixes to latest IEEE data as of 5/18/07. Also removed some high (greater than 0x80) characters from some company names because they were causing this error on Windows when Nmap is compiled in Debug mode: "isctype.c Line 56: Expression: (unsigned)(c + 1) <= 256". Thanks to Sina Bahram for the initial report and Thomas Buchanan for tracking down the problem.
- Added a SIP (IP phone) probe from Matt Selsky to nmap-service-probes.
- Fixed a bug which prevented the NSE scripts directory from appearing in the Win32 .zip version of Nmap.
- Fixed a bug in --traceroute output. It occurred when a traced host could be fully consolidated, but only the first hop number was outputted. [Kris]
- The new "rnd" option to -D allows you to ask Nmap to generate random decoy IPs rather than having to specify them all yourself. [Kris]
- Fixed a Traceroute bug relating to scanning through the localhost interface on Windows (which previously caused a crash). Thanks to Alan Jones for the report and Eddie Bell for the fix.
- Fixed a traceroute bug related to tracing between interfaces of a multi-homed host. Thanks to David Fifield for reporting the problem and Eddie Bell for the fix.
- Service detection (-sV) and OS detection (-O) are now (rightfully) disabled when used with the IPProto Scan (-sO). Using the Service Scan like this led to premature exiting, and the OS Scan led to gross inaccuracies. [Kris]
- Updated IANA assignment IP list for random IP (-iR) generation. [Kris]
Nmap 4.21ALPHA4 [2007-3-20]
- Performed another big OS detection run. The DB has grown almost 10% to 417 fingerprints. All submissions up to February 6 have been processed. Please keep them coming!
- Fixed XML output so that the opening <os> tag is printed again. The line which prints this was somehow removed when NSE was integrated. Thanks to Joshua Abraham for reporting the problem.
- Fixed a small bug in traceroute progress output which didn't properly indicate completion. [Kris]
- Fixed a portability problem related to the new traceroute functionality so that it compiles on Mac OS X. Thanks to Christophe Thil for reporting the problem and sending the 1-line fix.
- Updated nmap-mac-prefixes to include the latest MAC prefix (OUI) data from the IEEE as of March 20, 2007.
Nmap 4.21ALPHA3 [2007-3-16]
- Just fixed a packaging problem with the 4.21ALPHA2 release (thanks to Alan Jones for reporting it).
Nmap 4.21ALPHA2 [2007-3-15]
- Performed a huge OS detection submission integration marathon. More than 500 submissions were processed, increasing the 2nd generation OS DB size 65% to 381 fingerprints. And many of the existing ones were improved. We still have a bit more than 500 submissions (sent after January 16) to process. Please keep those submissions coming!
- Integrated all of your Q3 2006 service fingerprint submissions. The nmap-service-probe DB grew from 3,671 signatures representing 415 service protocols to 3,877 signatures representing 426 services. Big thanks to version detection czar Doug Hoyte for doing this. Notable changes are described at http://hcsw.org/blog.pl?a=20&b=20 .
- Nmap now has traceroute support, thanks to an excellent patch by Eddie Bell. The new system uses Nmap data to determine which sort of packets are most likely to slip through the target network and produce useful results. The system is well optimized for speed and bandwidth efficiency, and the clever output system avoids repeating the same initial hops for each target system. Enable this functionality by specifying --traceroute.
- Nmap now has a public Subversion (SVN) source code repository. See the announcement at http://seclists.org/nmap-dev/2006/q4/0253.html and then the updated usage instructions at http://seclists.org/nmap-dev/2006/q4/0281.html .
- Fixed a major accuracy bug in gen1 OS detection (some debugging code was accidentally left in). Thanks to Richard van den Berg for finding the problem.
- Changed the IP protocol scan so that it sends proper IGMP headers when scanning that protocol. This makes it much more likely that the host will respond, proving that it's "open". [Kris]
- Improved the algorithm for classifying the TCP timestamp frequency for OS detection. The new algorithm is described at https://nmap.org/book/osdetect-methods.html#osdetect-ts .
- Fixed the way Nmap detects whether one of its data files (such as nmap-services) exists and has permissions which allow it to be read.
- Added a bunch of nmap-services port listings from Stephanie Wen.
- Update IANA assignment IP list for random IP (-iR) generation. Thanks to Kris Katterjohn for the patch.
- Fix nmap.xsl (the transform for rendering Nmap XML results as HTML) to fix some bugs related to OS detection output. Thanks to Tom Sellers for the patch.
- Fixed a bug which prevented the --without-liblua compilation option from working. Thanks to Kris Katterjohn for the patch.
- Fixed a bug which caused nmap --iflist to crash (and might have caused crashes in other circumstances too). Thanks to Kris Katterjohn for the report and Diman Todorov for the fix.
- Applied a bunch of code cleanup patches from Kris Katterjohn.
- Some scan types were fixed when used against localhost. The UDP Scan doesn't find its own port, the TCP Scan won't print a message (with -d) about an unexpected packet (for the same reason), and the IPProto Scan won't list every port as "open" when using --data-length >= 8. [Kris]
- The IPProto Scan should be more accurate when scanning protocol 17 (UDP). ICMP Port Unreachables are now checked for, and UDP is listed as "open" if it receives one rather than "open|filtered" or "filtered". [Kris]
- The --scanflags option now also accepts "ECE", "CWR", "ALL" and "NONE" as arguments. [Kris]
- The --packet-trace option was added to NmapFE. The Ordered Ports (-r) option is now available to non-root users on NmapFE as well. [Kris]
Nmap 4.21ALPHA1 [2006-12-10]
- Integrated the Nmap Scripting Engine (NSE) into mainline Nmap. Diman Todorov and I have been working on this for more than six months, and we hope it will expand Nmap's capabilities in many cool ways. We're accepting (and writing) general purpose scripts to put into Nmap proper, and you can also write personal scripts to deal with issues specific to your environment. The system is documented at https://nmap.org/book/nse.html .
- Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE (http://standards.ieee.org/regauth/oui/oui.txt) as of December 7.
Nmap 4.20 [2006-12-7]
- Integrated the latest OS fingerprint submissions. The 2nd generation DB size has grown to 231 fingerprints. Please keep them coming! New fingerprints include Mac OS X Server 10.5 pre-release, NetBSD 4.99.4, Windows NT, and much more.
- Fixed a segmentation fault in the new OS detection system which was reported by Craig Humphrey and Sebastian Garcia.
- Fixed a TCP sequence prediction difficulty indicator bug. The index is supposed to go from 0 ("trivial joke") to about 260 (OpenBSD). But some systems generated ISNs so insecurely that Nmap went berserk and reported a negative difficulty index. This generally only affects some printers, crappy cable modems, and Microsoft Windows (old versions). Thanks to Sebastian Garcia for helping me track down the problem.
Nmap 4.20RC2 [2006-12-2]
- Integrated all of your OS detection submissions since RC1. The DB has increased 13% to 214 fingerprints. Please keep them coming! New fingerprints include versions of z/OS, OpenBSD, Linux, AIX, FreeBSD, Cisco CatOS, IPSO firewall, and a slew of printers and misc. devices. We also got our first Windows 95 fingerprint, submitted anonymously of course :).
- Fixed (I hope) the "getinterfaces: intf_loop() failed" error which was seen on Windows Vista. The problem was apparently in intf-win32.c of libdnet (need to define MIB_IF_TYPE_MAX to MAX_IF_TYPE rather than 32). Thanks to Dan Griffin (dan(a)jwsecure.com) for tracking this down!
- Applied a couple minor bug fixes for IP options support and packet tracing. Thanks to Michal Luczaj (regenrecht(a)o2.pl) for reporting them.
- Incorporated SLNP (Simple Library Network Protocol) version detection support. Thanks to Tibor Csogor (tibi(a)tiborius.net) for the patch.
Nmap 4.20RC1 [2006-11-20]
- Fixed (I hope) a bug related to Pcap capture on Mac OS X. Thanks to Christophe Thil for reporting the problem and to Kurt Grutzmacher and Diman Todorov for helping to track it down.
- Integrated all of your OS detection submissions since ALPHA11. The DB has increased 27% to 189 signatures. Notable additions include the Apple Airport Express, Windows Vista RC1, OpenBSD 4.0, a Sony TiVo device, and tons of broadband routers, printers, switches, and Linux kernels. Keep those submissions coming!
- Upgraded the included LibPCRE from version 6.4 to 6.7. Thanks to Jochen Voss (voss(a)seehuhn.de) for the suggestion (he found some bugs in 6.4).
Nmap 4.20ALPHA11 [2006-11-2]
- Integrated all of your OS detection submissions, bringing the database up to 149 fingerprints. This is an increase of 28% from ALPHA10. Notable additions include FreeBSD 6.1, a bunch of HP LaserJet printers, and HP-UX 11.11. We also got a bunch of more obscure submissions like Minix 3.1.2a and "Ember InSight Adapter for programming EM2XX-family embedded devices". Who doesn't have a few of those laying around? I'm hoping that all the obscure submissions mean that more of the mainstream systems are being detected out of the box! Please keep those submissions (obscure or otherwise) coming!
Nmap 4.20ALPHA10 [2006-10-23]
- Integrated tons of new OS fingerprints. The DB now contains 116 fingerprints, which is up 63% since the previous version. Please keep the submissions coming!
Nmap 4.20ALPHA9 [2006-10-13]
- Integrated the newly submitted OS fingerprints. The DB now contains 71 fingerprints, up 27% from 56 in ALPHA8. Please keep them coming! We still only have 4.2% as many fingerprints as the gen1 database.
- Added the --open option, which causes Nmap to show only open ports. Ports in the states "open|closed" and "unfiltered" might be open, so those are shown unless the host has an overwhelming number of them.
- Nmap gen2 OS detection used to always do 2 retries if it fails to find a match. Now it normally does just 1 retry, but does 4 retries if conditions are good enough to warrant fingerprint submission. This should speed things up on average. A new --max-os-tries option lets you specify a higher or lower maximum number of tries.
- Added --unprivileged option, which is the opposite of --privileged. It tells Nmap to treat the user as lacking network raw socket and sniffing privileges. This is useful for testing, debugging, or when the raw network functionality of your operating system is somehow broken.
- Fixed a confusing error message which occurred when you specified a ping scan or list scan, but also specified -p (which is only used for port scans). Thanks to Thomas Buchanan for the patch.
- Applied some small cleanup patches from Kris Katterjohn.
Nmap 4.20ALPHA8 [2006-9-30]
- Integrated the newly submitted OS fingerprints. The DB now contains 56, up 33% from 42 in ALPHA7. Please keep them coming! We still only have 3.33% as many signatures as the gen1 database.
- Nmap 2nd generation OS detection now has a more sophisticated mechanism for guessing a target OS when there is no exact match in the database (see https://nmap.org/book/osdetect-guess.html ).
- Rewrote mswin32/nmap.rc to remove cruft and hopefully reduce some MFC-related compilation problems we've seen. Thanks to KX (kxmail(a)gmail.com) for doing this.
- NmapFE now uses a spin button for verbosity and debugging options so that you can specify whatever verbosity (-v) or debugging (-d) level you desire. The --randomize-hosts option was also added to NmapFE. Thanks to Kris Katterjohn for the patches.
- A dozen or so small patches to Nmap and NmapFE by Kris Katterjohn.
- Removed libpcap/Win32 and libpcap/msdos as Nmap doesn't use them. This reduces the Nmap tar.bz2 by about 50K. Thanks to Kris Katterjohn for the suggestion.
Nmap 4.20ALPHA7 [2006-9-12]
- Did a bunch of Nmap 2nd generation fingerprint integration work. Thanks to everyone who sent some in, though we still need a lot more. Also thanks to Zhao for a bunch of help with the integration tools. 4.20ALPHA6 had 12 fingerprints; this new version has 42. The old DB (still included) has 1,684.
- Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE (http://standards.ieee.org/regauth/oui/oui.txt) as of September 6, 2006. Also added the unregistered PearPC virtual NIC prefix, as suggested by Robert Millan (rmh(a)aybabtu.com).
- Applied some small internal cleanup patches by Kris Katterjohn.
Nmap 4.20ALPHA6 [2006-9-2]
- Fixed a bug in 2nd generation OS detection which would (usually) prevent fingerprints from being printed when systems don't respond to the 1st ICMP echo probe (the one with bogus code value of 9). Thanks to Brandon Enright for reporting and helping me debug the problem.
- Fixed some problematic Nmap version detection signatures which could cause warning messages. Thanks to Brandon Enright for the initial patch.
Nmap 4.20ALPHA5 [2006-8-31]
- Worked with Zhao to improve the new OS detection system with better algorithms, probe changes, and bug fixes. We're now ready to start growing the new database! If Nmap gives you fingerprints, please submit them at the given URL. The DB is still extremely small. The new system is extensively documented at https://nmap.org/book/osdetect.html .
- Nmap now supports IP options with the new --ip-options flag. You can specify any options in hex, or use "R" (record route), "T" (record timestamp), "U" (record route & timestamp), "S [route]" (strict source route), or "L [route]" (loose source route). Specify --packet-trace to display IP options of responses. For further information and examples, see https://nmap.org/book/man.html and http://seclists.org/nmap-dev/2006/q3/0052.html . Thanks to Marek Majkowski for writing and sending the patch.
- Integrated all 2nd quarter service detection fingerprint submissions. Please keep them coming! We now have 3,671 signatures representing 415 protocols. Thanks to version detection czar Doug Hoyte for doing this.
- Nmap now uses the (relatively) new libpcap pcap_get_selectable_fd API on systems which support it. This means that we no longer need to hack the included Pcap to better support Linux. So Nmap will now link with an existing system libpcap by default on that platform if one is detected. Thanks to Doug Hoyte for the patch.
- Updated the included libpcap from 0.9.3 to 0.9.4. The changes I made are in libpcap/NMAP_MODIFICATIONS . By default, Nmap will now use the included libpcap unless version 0.9.4 or greater is already installed on the system.
- Applied some nsock bugfixes from Diman Todorov. These don't affect the current version of Nmap, but are important for his Nmap Scripting Engine, which I hope to integrate into mainline Nmap in September.
- Fixed a bug which would occasionally cause Nmap to crash with the message "log_vwrite: write buffer not large enough". I thought I conquered it in a previous release -- thanks to Doug Hoyte for finding a corner case which proved me wrong.
- Fixed a bug in the rDNS system which prevented us from querying certain authoritative DNS servers which have recursion explicitly disabled. Thanks to Doug Hoyte for the patch.
- --packet-trace now reports TCP options (thanks to Zhao Lei for the patch). Thanks to the --ip-options addition also found in this release, IP options are printed too.
- Cleaned up Nmap DNS reporting to be a little more useful and concise. Thanks to Doug Hoyte for the patch.
- Applied a bunch of small internal cleanup patches by Kris Katterjohn (katterjohn(a)gmail.com).
- Fixed the 'distclean' make target to be more comprehensive. Thanks to Thomas Buchanan (Thomas.Buchanan(a)thecompassgrp.net) for the patch.
Nmap 4.20ALPHA4 [2006-7-4]
- Nmap now provides progress statistics in the XML output in verbose mode. Here are some examples of the format (etc is "estimated time until completion") and times are in UNIX time_t (seconds since 1970) format.
  <taskbegin task="SYN Stealth Scan" time="1151384685" />
  <taskprogress task="SYN Stealth Scan" time="1151384715" percent="13.85" remaining="187" etc="1151384902" />
  <taskend task="SYN Stealth Scan" time="1151384776" />
  <taskbegin task="Service scan" time="1151384776" />
  <taskend task="Service scan" time="1151384788" />
  Thanks to Adam Vartanian (flooey(a)gmail.com) for the patch.
- Updated the Windows installer to give an option checkbox for performing the Nmap performance registry changes. The default is to do so. Thanks to Adam Vartanian (flooey(a)gmail.com) for the patch.
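The taskbegin/taskprogress/taskend records quoted in the progress-statistics entry above can be consumed by any XML parser. The following is an added example (not code from the Nmap project) that reads that exact fragment, wrapped in an assumed <nmaprun> root so a standard parser accepts it, computes how long each task ran, and checks that each taskprogress record is internally consistent: etc must equal time + remaining, and the remaining value should match a linear extrapolation from the elapsed time and percent done.

```python
"""Parse Nmap's taskbegin/taskprogress/taskend progress records.

Added example; not Nmap's own code. SAMPLE_XML is the fragment quoted in
the changelog entry, wrapped in an assumed <nmaprun> root element.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMPLE_XML = """<nmaprun>
<taskbegin task="SYN Stealth Scan" time="1151384685" />
<taskprogress task="SYN Stealth Scan" time="1151384715" percent="13.85" remaining="187" etc="1151384902" />
<taskend task="SYN Stealth Scan" time="1151384776" />
<taskbegin task="Service scan" time="1151384776" />
<taskend task="Service scan" time="1151384788" />
</nmaprun>"""


def task_durations(xml_text):
    """Return {task name: seconds elapsed} from paired taskbegin/taskend records."""
    started = {}
    durations = {}
    for el in ET.fromstring(xml_text):
        name = el.get("task")
        t = int(el.get("time"))  # UNIX time_t, as the changelog says
        if el.tag == "taskbegin":
            started[name] = t
        elif el.tag == "taskend":
            durations[name] = t - started.pop(name)
    return durations


def progress_checks(xml_text):
    """For every taskprogress record, verify etc == time + remaining and
    compare Nmap's reported 'remaining' with a plain linear estimate."""
    started = {}
    results = []
    for el in ET.fromstring(xml_text):
        name = el.get("task")
        t = int(el.get("time"))
        if el.tag == "taskbegin":
            started[name] = t
        elif el.tag == "taskprogress":
            remaining = int(el.get("remaining"))
            etc = int(el.get("etc"))
            percent = float(el.get("percent"))
            elapsed = t - started[name]
            # Linear extrapolation: remaining ~= elapsed * (100 - percent) / percent.
            # Guard against a 0% record, which would otherwise divide by zero.
            linear = round(elapsed * (100.0 - percent) / percent) if percent > 0 else None
            results.append({
                "task": name,
                "elapsed": elapsed,
                "consistent": etc == t + remaining,
                "reported_remaining": remaining,
                "linear_remaining": linear,
                "etc_utc": datetime.fromtimestamp(etc, tz=timezone.utc).isoformat(),
            })
    return results


if __name__ == "__main__":
    print(task_durations(SAMPLE_XML))
    for r in progress_checks(SAMPLE_XML):
        print(r)
```

For the quoted fragment the SYN scan ran 91 s and the service scan 12 s; the single taskprogress record is consistent (1151384715 + 187 = 1151384902) and the linear estimate from 30 s elapsed at 13.85% also comes out at 187 s, so the etc field can be trusted as a completion-time estimate when post-processing verbose XML output.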
- Applied several code cleanup patches from Marek Majkowski.
- Added --release-memory option, which causes Nmap to release all accessible memory buffers before quitting (rather than let the OS do it). This is only useful for debugging memory leaks.
- Fixed a bug related to bogus completion time estimates when you request an estimate (through runtime interaction) right when Nmap is starting a subsystem (such as a port scan or version detection). Thanks to Diman Todorov for reporting the problem and Doug Hoyte for writing a fix.
- Nmap no longer gets random numbers from OpenSSL when it is available because that turned out to be slower than Nmap's other methods (e.g. /dev/urandom on Linux, /dev/arandom on OpenBSD, etc.). Thanks to Marek Majkowski for reporting the problem.
- Updated the Windows binary distributions (self-installer and .zip) to include the new 2nd generation OS detection DB (nmap-os-db). Thanks to Sina Bahram for reporting the problem.
- Fixed the --max-retries option, which wasn't being honored. Thanks to Jon Passki (jon.passki(a)hursk.com) for the patch.
Nmap 4.20ALPHA3 [2006-6-29]
- Added back Win32 support thanks to a patch by KX.
- Fixed the English translation of TCP sequence difficulty reported by Brandon Enright, and also removed fingerprint printing for 1st generation fingerprints (I don't really want to deal with those anymore). Thanks to Zhao Lei for writing this patch.
- Fixed a problem which caused OS detection to be done in some cases even if the user didn't request it. Thanks to Diman Todorov for the fix.
Nmap 4.20ALPHA2 [2006-6-24]
- Included nmap-os-db (the new OS detection DB) within the release. Oops! Thanks to Brandon Enright (bmenrigh(a)ucsd.edu) for catching this problem with 4.20ALPHA1.
- Added a fix for the crash in the new OS detection which would come with the message "Probe doesn't exist! Probe type: 1. Probe subid: 1".
Nmap 4.20ALPHA1 [2006-6-24]
- Integrated initial 2nd generation OS detection patch! The system is documented at https://nmap.org/book/osdetect.html . Thanks to Zhao Lei for helping with the coding and design.
- portlist.cc was refactored to remove some code duplication. Thanks to Diman Todorov for the patch.
Nmap 4.11 [2006-6-23]
- Added dozens of more detailed SSH version detection signatures, thanks to a huge SSH survey and integration effort by Doug Hoyte. The results of his large-scale SSH scan are posted at http://seclists.org/nmap-dev/2006/Apr-Jun/0393.html .
- Fixed the Nmap Makefile (actually Makefile.in) to correctly handle include file dependencies. So if a .h file is changed, all of the .cc files which depend on it will be recompiled. Thanks to Diman Todorov (diman(a)xover.mud.at) for the patch.
- Fixed a compilation problem on Solaris and possibly other platforms. The error message looked like "No rule to make target `inet_aton.o', needed by `libnbase.a'". Thanks to Matt Selsky (selsky(a)columbia.edu) for the patch.
- Applied a patch which helps with HP-UX compilation by linking in the nm library (-lnm). Thanks to Zakharov Mikhail (zmey20000(a)yahoo.com) for the patch.
- Added version detection probes for detecting the Nessus daemon. Thanks to Adam Vartanian (flooey(a)gmail.com) for sending the patch.
Nmap 4.10 [2006-6-12]
- Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE (http://standards.ieee.org/regauth/oui/oui.txt) as of May 31, 2006. Also added a couple unregistered OUIs (for QEMU and Bochs) suggested by Robert Millan (rmh(a)aybabtu.com).
- Fixed a bug which could cause false "open" ports when doing a UDP scan of localhost. This usually only happened when you scan tens of thousands of ports (e.g. -p- option).
- Fixed a bug in service detection which could lead to a crash when "--version-intensity 0" was used with a UDP scan. Thanks to Makoto Shiotsuki (shio(a)st.rim.or.jp) for reporting the problem and Doug Hoyte for producing a patch.
- Made some AIX and HP-UX portability fixes to Libdnet and NmapFE. These were sent in by Peter O'Gorman (nmap-dev(a)mlists.thewrittenword.com).
- When you do a UDP+TCP scan, the TCP ports are now shown first (in numerical order), followed by the UDP ports (also in order). This contrasts with the old format which showed all ports together in numerical order, regardless of protocol. This was at first a "bug", but then I started thinking this behavior may be better. If you have a preference for one format or the other, please post your reasons to nmap-dev.
- Changed mass_dns system to print a warning if it can't find any available DNS servers, but not quit like it used to. Thanks to Doug Hoyte for the patch.
Nmap 4.04BETA1 [2006-5-31]
- Integrated all of your submissions (about a thousand) from the first quarter of this year! Please keep 'em coming! The DB has increased from 3,153 signatures representing 381 protocols in 4.03 to 3,441 signatures representing 401 protocols. No other tool comes close! Many of the already existing match lines were improved too. Thanks to Version Detection Czar Doug Hoyte for doing this.
- Nmap now allows multiple ignored port states. If a 65K-port scan had 64K filtered ports, 1K closed ports, and a few dozen open ports, Nmap used to list the dozen open ones among a thousand lines of closed ports. Now Nmap will give reports like "Not shown: 64330 filtered ports, 1000 closed ports" or "All 2051 scanned ports on 192.168.0.69 are closed (1051) or filtered (1000)", and omit all of those ports from the table. Open ports are never ignored. XML output can now have multiple <extraports> directives (one for each ignored state). The number of ports in a single state before it is consolidated defaults to 26 or more, though that number increases as you add -v or -d options. With -d3 or higher, no ports will be consolidated. The XML output should probably be augmented to give the extraports directive 'ip', 'tcp', and 'udp' attributes which specify the corresponding port numbers in the given state in the same listing format as the nmaprun.scaninfo.services attribute, but that part hasn't yet been implemented. If you absolutely need the exact port numbers for each state in the XML, use -d3 for now.
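The consolidation rule described in the entry above (several ignored states, open ports never ignored, a default threshold of 26 that grows with -v/-d and is switched off at -d3) can be reproduced in a few lines. The following is an added example, not Nmap's own code: it takes a constructed port table for one host and produces the "Not shown: ..." / "All N scanned ports ... are ..." summary plus one record per ignored state, mirroring the per-state <extraports> elements. The exact amount by which each -v or -d level raises the threshold is an assumption (the changelog only says it grows), and the state/count attribute names on the emitted <extraports> element are the ones Nmap's XML uses, not something shown in this entry.

```python
"""Port-state consolidation as described in the Nmap 4.04BETA1 changelog.

Added example, not Nmap's code. The default threshold of 26 and the
"nothing consolidated at -d3 or higher" rule come from the changelog;
the growth per -v/-d level below is an assumption.
"""
from collections import Counter

DEFAULT_THRESHOLD = 26

# Constructed sample: 1000 filtered, 30 closed and 3 open TCP ports on one host.
SAMPLE_PORTS = (
    [(p, "tcp", "filtered") for p in range(1, 1001)]
    + [(p, "tcp", "closed") for p in range(1001, 1031)]
    + [(22, "tcp", "open"), (80, "tcp", "open"), (443, "tcp", "open")]
)


def consolidation_threshold(verbosity=0, debugging=0):
    """Ports in one state needed before that state is dropped from the table.
    Returns None when nothing is consolidated (-d3 or higher)."""
    if debugging >= 3:
        return None
    # Assumed growth rule: each -v or -d level adds another 26 (not Nmap's exact formula).
    return DEFAULT_THRESHOLD * (1 + verbosity + debugging)


def consolidate(ports, host, verbosity=0, debugging=0):
    """Return (summary_line_or_None, ignored_states, shown_ports).

    ignored_states is a list of {"state", "count"} dicts, one per ignored
    state, ordered by count; open ports are never ignored."""
    threshold = consolidation_threshold(verbosity, debugging)
    counts = Counter(state for _, _, state in ports)
    ignored = {}
    if threshold is not None:
        for state, n in counts.items():
            if state != "open" and n >= threshold:
                ignored[state] = n
    by_count = sorted(ignored.items(), key=lambda kv: -kv[1])
    shown = [p for p in ports if p[2] not in ignored]

    if ignored and not shown:
        parts = " or ".join(f"{s} ({n})" for s, n in by_count)
        summary = f"All {len(ports)} scanned ports on {host} are {parts}"
    elif ignored:
        parts = ", ".join(f"{n} {s} ports" for s, n in by_count)
        summary = f"Not shown: {parts}"
    else:
        summary = None
    return summary, [{"state": s, "count": n} for s, n in by_count], shown


def extraports_xml(ignored_states):
    """One <extraports> element per ignored state, as the entry describes."""
    return "".join(
        f'<extraports state="{e["state"]}" count="{e["count"]}" />' for e in ignored_states
    )


if __name__ == "__main__":
    for v, d in ((0, 0), (1, 0), (0, 3)):
        summary, extra, shown = consolidate(SAMPLE_PORTS, "192.168.0.69", v, d)
        print(f"-v{v} -d{d}: {summary!r}, {len(shown)} ports in table")
        print("  ", extraports_xml(extra))
```

With default verbosity both filtered and closed are consolidated and only the three open ports remain in the table; at -v1 the assumed threshold rises to 52, so the 30 closed ports are listed again; at -d3 nothing is consolidated, which is the workaround the entry recommends when the exact port numbers per state are needed from the XML.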
- Nmap now ignores certain ICMP error message rate limiting (rather than slowing down to accommodate it) in cases such as SYN scan where an ICMP message and no response mean the same thing (port filtered). This is currently only done at timing level Aggressive (-T4) or higher, though we may make it the default if we don't hear problems with it. In addition, the --defeat-rst-ratelimit option has been added, which causes Nmap not to slow down to accommodate RST rate limits when encountered. For a SYN scan, this may cause closed ports to be labeled 'filtered' because Nmap refused to slow down enough to correspond to the rate limiting. Learn more about this new option at https://nmap.org/book/man.html . Thanks to Martin Macok (martin.macok(a)underground.cz) for writing the patch that these changes were based on.
- Moved my Nmap development environment to Visual C++ 2005 Express edition. In typical "MS Upgrade Treadmill" fashion, Visual Studio 2003 users will no longer be able to compile Nmap using the new solution files. The compilation, installation, and execution instructions at https://nmap.org/book/inst-windows.html have been upgraded.
- Automated my Windows build system so that I just have to type a single make command in the mswin32 directory. Thanks to Scott Worley (smw(a)pobox.com), Shane & Jenny Walters (yfisaqt(a)waltersinamerica.com), and Alex Prinsier (aphexer(a)mailhaven.com) for reading my appeal in the 4.03 CHANGELOG and assisting.
- Changed the PortList class to use much more efficient data structures and algorithms which take advantage of Nmap-specific behavior patterns. Thanks to Marek Majkowski (majek(a)forest.one.pl) for the patch.
- Fixed a bug which prevented certain TCP+UDP scan commands, such as "nmap -sSU -p1-65535 localhost", from scanning both TCP and UDP. Instead they gave the error message "WARNING: UDP scan was requested, but no udp ports were specified. Skipping this scan type". Thanks to Doug Hoyte for the patch.
- Nmap has traditionally required you to specify -T* timing options before any more granular options like --max-rtt-timeout, otherwise the general timing option would overwrite the value from your more specific request. This has now been fixed so that the more specific options always have precedence. Thanks to Doug Hoyte for this patch.
- Fixed a couple possible memory leaks reported by Ted Kremenek (kremenek(a)cs.stanford.edu) from the Stanford University software static analysis lab ("Checker" project).
- Nmap now prints a warning when you specify a target name which resolves to multiple IP addresses. Nmap proceeds to scan only the first of those addresses (as it always has done). Thanks to Doug Hoyte for the patch. The warning looks like this:
  Warning: Hostname google.com resolves to 3 IPs. Using 66.102.7.99.
- Disallow --host-timeout values of less than 1500ms, and print a warning for values less than 15s.
- Changed all instances of inet_aton() into calls to inet_pton() instead. This allowed us to remove inet_aton.c from nbase. Thanks to KX (kxmail(a)gmail.com) for the patch.
- When debugging (-d) is specified, Nmap now prints a report on the timing variables in use. Thanks to Doug Hoyte for the patch. The report looks like this:
  ---------- Timing report ----------
    hostgroups: min 1, max 100000
    rtt-timeouts: init 250, min 50, max 300
    scan-delay: TCP 5, UDP 1000
    parallelism: min 0, max 0
    max-retries: 2, host-timeout 900000
  -----------------------------------
- Modified the WinPcap installer file to explicitly uninstall an existing WinPcap (if you select that you wish to replace it) rather than just overwriting the old version. Thanks to Doug Hoyte for making this change.
- Added some P2P application ports to the nmap-services file. Thanks to Martin Macok for the patch.
- The write buffer length increased in 4.03 was increased even further when the debugging or verbosity levels are more than 2 (e.g. -d3). Thanks to Brandon Enright (bmenrigh(a)ucsd.edu) for the patch. The goal is to prevent you from ever seeing the fatal error: "log_vwrite: write buffer not large enough -- need to increase".
- Added a note to the Nmap configure dragon that people sick of him can submit their own ASCII art to dev@nmap.org . If you are wondering WTF I am talking about, it is probably because only the most elite Nmap users -- the ones who compile from source on UNIX -- get to see the 'l33t ASCII Art.
Nmap 4.03 [2006-4-22]
- Updated the LibPCRE build system to add the -fno-thread-jumps option to gcc when compiling on the new Intel-based Apple Mac OS X systems. Hopefully this resolves the version detection crashes that several people have reported on such systems. Thanks to Kurt Grutzmacher (grutz(a)jingojango.net) for sending the configure.ac patch.
- Made some portability fixes to keep Nmap compiling with the newest Visual Studio 2005. Thanks to KX (kxmail(a)gmail.com) for suggesting them.
- Service fingerprints are now provided in the XML output whenever they would appear in the interactive output (i.e. when a service responds with data but is unrecognized). They are shown in a new 'servicefp' attribute to the 'service' tag. Thanks to Brandon Enright (bmenrigh(a)ucsd.edu) for sending the patch.
- Improved the Windows build system -- mswin32/Makefile now takes care of packaging Nmap and creating the installers once Visual Studio (GUI) is done building the Release version of mswin32/nmap.sln. If someone knows how to do this (build) step on the command line (using the Makefile), please let me know. Or if you know how to at least make 'Release' (rather than Debug) the default configuration, that would be valuable.
- WinPcap 3.1 binaries are now shipped in the Nmap tarball, along with a customized installer written by Doug Hoyte. That new WinPcap installer is now used by the Nmap self-installer (if you request WinPcap installation). Some Nmap users were uncomfortable with a "phone home" feature of the official WinPcap installer. It connects back to CACE Technologies, ostensibly to display news and (more recently) advertisements. Our new installer omits that feature, but should be otherwise perfectly compatible with WinPcap 3.1.
- Fixed (I hope) a problem where aggressive --min-parallelization option values could cause Nmap to quit with the message "box(300, 100, 15) called (min,max,num)". Thanks to Richard van den Berg (richard.vandenberg(a)ins.com) for reporting the problem.
- Fixed a rare crash bug thanks to a report and patch from Ganga Bhavani (GBhavani(a)everdreamcorp.com).
- Increased a write buffer length to keep Nmap from quitting with the message "log_vwrite: write buffer not large enough -- need to increase". Thanks to Dave (dmarcher(a)pobox.com) for reporting the issue.
Nmap 4.02ALPHA2 [2006-3-8]
- Updated to a newer XSL stylesheet (for XML to HTML output transformation) by Benjamin Erb. This new version includes IP address sorting, removal of javascript requirements, some new address, hostname, and Nmap version information, and various minor tweaks and fixes.
- Cleaned up the Amiga port code to use atexit() rather than the previous macro hack. Thanks to Kris Katterjohn (katterjohn(a)gmail.com) for the patch. Applied maybe half a dozen other new code cleanup patches from him as well.
- Made some changes to various Nmap initialization functions which help ALT Linux (altlinux.org) and Owl (openwall.com) developers run Nmap in a chroot environment. Thanks to Dmitry V. Levin (ldv(a)altlinux.org) for the patch.
- Cleaned up the code a bit by making a bunch (nearly 100) global symbols (mostly function calls) static. I was also able to remove some unused functions and superfluous config.h.in defines. Thanks to Dmitry V. Levin (ldv(a)altlinux.org) for sending a list of candidate symbols.
- Nmap now tests for the existence of data files using stat(2) rather than testing whether they can be opened for reading (with fopen). This is because some device files (tape drives, etc.) may react badly to being opened at all. Thanks to Dmitry V. Levin (ldv(a)altlinux.org) for the suggestion.
- Changed Nmap to cache interface information rather than opening and closing it (with dnet's eth_open and eth_close functions) all the time.
- Applied a one-character Visual Studio 2005 compatibility patch from kx (kxmail(a)gmail.com). It changed getch() into _getch() on Windows.
Nmap 4.02ALPHA1 [2006-3-13]
- Added the --log-errors option, which causes most warnings and error messages that are printed to interactive-mode output (stdout/stderr) to also be printed to the normal-format output file (if you specified one). This will not work for most errors related to bad command-line arguments, as Nmap may not have initialized its output files yet. In addition, some Nmap error/warning messages use a different system that does not yet support this option.
- Rewrote much of the Nmap results output functions to be more efficient and support --log-errors.
- Fixed a flaw in the scan engine which could (in rare cases) lead to a deadlock situation that prevents a scan from completing. Thanks to Ganga Bhavani (GBhavani(a)everdreamcorp.com) for reporting and helping to debug the problem.
- If the pcap_open_live() call (initiates sniffing) fails, Nmap now tries up to two more times after waiting a little while. This is an attempt to work around a rare bug on Windows in which the pcap_open_live() fails for unknown reasons.
- Fixed a flaw in the runtime interaction in which Nmap would include hosts currently being scanned in the number of hosts "completed" statistic.
- Fixed a crash in OS scan which could occur on Windows when a DHCP lease issue causes the system to lose its IP address. Nmap still quits, but at least it gives a proper error message now. Thanks to Ganga Bhavani (GBhavani(a)everdreamcorp.com) for the patch.
- Applied more than half a dozen small code cleanup patches from Kris Katterjohn (katterjohn(a)gmail.com).
- Modified the configure script to accept CXX when specified as an absolute path rather than just the executable name. Thanks to Daniel Roethlisberger (daniel(a)roe.ch) for this patch.
Nmap 4.01 [2006-2-9]
- Fixed a bug that would cause bogus reverse-DNS resolution on big-endian machines. Thanks to Doug Hoyte, Seth Miller, Tony Doan, and Andrew Lutomirsky for helping to debug and patch the problem.
- Fixed an important memory leak in the raw ethernet sending system. Thanks to Ganga Bhavani (GBhavani(a)everdreamcorp.com) for identifying the bug and sending a patch.
- Fixed --system-dns option so that --system_dns works too. Error messages were changed to reflect the former (preferred) name. Thanks to Sean Swift (sean.swift(a)bradford.gov.uk) and Peter Van Eeckhoutte (Peter.VanEeckhoutte(a)saraleefoodseurope.com) for reporting the problem.
- Fixed a crash which would report this message: "NmapOutputTable.cc:143: void NmapOutputTable::addItem(unsigned int, unsigned int, bool, const char*, int): Assertion `row < numRows' failed." Thanks to Jake Schneider (Jake.Schneider(a)dynetics.com) for reporting and helping to debug the problem.
- Whenever Nmap sends packets with the SYN bit set (except for OS detection), it now includes the maximum segment size (MSS) TCP option with a value of 1460. This makes it stand out less as almost all hosts set at least this option. Thanks to Juergen Schmidt (ju(a)heisec.de) for the suggestion.
- Applied a patch for a Windows interface reading bug in the aDNS subsystem from Doug Hoyte.
- Minor changes to recognize DragonFly BSD in configure scripts. Thanks to Joerg Sonnenberger (joerg(a)britannica.bec.de) for sending the patch.
- Fixed a minor bug in an error message starting with "eth_send of ARP packet returned". Thanks to J.W. Hoogervorst (J.W.Hoogervorst(a)uva.nl) for finding this.
Nmap 4.00 [2006-1-31]
- Added the '?' command to the runtime interaction system. It prints a list of accepted commands. Thanks to Andrew Lutomirski (luto(a)myrealbox.com) for the patch.
- See the announcement at http://www.insecure.org/stf/Nmap-4.00-Release.html for high-level changes since 3.50.
Nmap 3.9999 [2006-1-28]
- Generated a new libpcre/configure to cope with changes in LibPCRE 6.4.
- Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE (http://standards.ieee.org/regauth/oui/oui.txt).
- Updated nmap-protocols with the latest IEEE internet protocols assignments (http://www.iana.org/assignments/protocol-numbers).
- Updated the Nmap version number and related fields that MS Visual Studio places in the binary. This was done by editing mswin32/nmap.rc.
Nmap 3.999 [2006-1-26]
- Added runtime interaction support to Windows, thanks to patches from Andrew Lutomirski (luto(a)myrealbox.com) and Gisle Vanem (giva(a)bgnett.no).
- Changed a couple lines of tcpip.cc (put certain IP header fields in host byte order rather than NBO) to (hopefully) support Mac OS X on Intel. Thanks to Kurt Grutzmacher (grutz(a)jingojango.net) for the patch.
- Upgraded the included LibPCRE from version 6.3 to 6.4. There was a report of version detection crashes on the new Intel-based Macs with 6.3.
- Fixed an issue in which the installer would malfunction in rare cases when installing to a directory with spaces in it. Thanks to Thierry Zoller (Thierry(a)Zoller.lu) for the report.
Nmap 3.99 [2006-1-25]
- Integrated all remaining 2005 service submissions. The DB has now surpassed 3,000 signatures for the first time. There now are 3,153 signatures for 381 service protocols. Those protocols span the gamut from abc, acap, afp, and afs to zebedee, zebra, and zenimaging. It even covers obscure protocols such as http, ftp, smtp, and ssh :). Thanks to Version Detection Czar Doug Hoyte for his excellent work on this.
- Created a Windows executable installer using the open source NSIS (Nullsoft Scriptable Install System). It handles Pcap installation, registry performance changes, and adding Nmap to your cmd.exe executable path. The installer source files are in mswin32/nsis/ . Thanks to Google SoC student Bo Jiang (jiangbo(a)brandeis.edu) for creating the initial version.
- Fixed a backward compatibility bug in which Nmap didn't recognize the --min_rtt_timeout option (it only recognized the newly hyphenated --min-rtt-timeout). Thanks to Joshua D. Abraham (jabra(a)ccs.neu.edu) for the bug report.
- Fixed compilation to again work with gcc-derivatives such as MingW. Thanks to Gisle Vanem (giva(a)bgnett.no) for sending the patches.
Nmap 3.98BETA1 [2006-1-22]
- Added run time interaction as documented at https://nmap.org/book/man-runtime-interaction.html . While Nmap is running, you can now press 'v' to increase verbosity, 'd' to increase the debugging level, 'p' to enable packet tracing, or the capital versions (V,D,P) to do the opposite. Any other key (such as enter) will print out a status message giving the estimated time until scan completion. This only works on UNIX for now. Do we have any volunteers to add Windows support? You would need to change a handful of UNIX-specific termio calls with the Windows equivalents. This feature was created by Paul Tarjan (ptarjan(a)stanford.edu) as part of the Google Summer of Code.
- Reverse DNS resolution is now done in parallel rather than one at a time. All scans of large networks (particularly list, ping and just-a-few-ports scans) should benefit substantially from this change. If you encounter any problems, please let us know. The new --system_dns option was added so you can use the (slow) system resolver if you prefer that for some reason. You can specify a comma separated list of DNS server IP addresses for Nmap to use with the new --dns_servers option. Otherwise, Nmap looks in /etc/resolv.conf (UNIX) or the system registry (Windows) to obtain the nameservers already configured for your system. This excellent patch was written by Doug Hoyte (doug(a)hcsw.org).
- Added the --badsum option, which causes Nmap to use invalid TCP orUDP checksums for packets sent to target hosts. Since virtually allhost IP stacks properly drop these packets, any responses receivedare likely coming from a firewall or IDS that didn't bother toverify the checksum. For more details on this technique, seehttp://www.phrack.org/phrack/60/p60-0x0c.txt . The author of thatpaper, Ed3f (ed3f(a)antifork.org), is also the author of this patch(which I changed it a bit).
- The 26 Nmap commands that previously included an underscore(--max_rtt_timeout, --send_eth, --host_timeout, etc.) have beenrenamed to use a hyphen in the preferred format(i.e. --max-rtt-timeout). Underscores are still supported forbackward compatibility.
- More excellent NmapFE patches from Priit Laes (amd(a)store20.com)were applied to remove all deprecated GTK API calls. This alsoeliminates the annoying Gtk-Critical and Gtk-WARNING runtime messages.
- Changed the way the __attribute__ compiler extension is detected sothat it works with the latest Fedora Core 4 updates (and perhaps othersystems). Thanks to Duilio Protti (dprotti(a)fceia.unr.edu.ar) forwriting the patch. The compilation error message this fixes wasusually something like: "nmap.o(.rodata+0x17c): undefined referenceto `__gthrw_pthread_cancel(unsigned long)"
- Added some exception handling code to mswin32/winfix.cc to preventNmap from crashing mysteriously when you have WinPcap 3.0 or earlier(instead of the required 3.1). It now prints an error message insteadasking you to upgrade, then reduces functionality to connect()-onlymode. I couldn't get it working with the C++ standard try/catch()blocks, but as soon as I used the nonstandard MS conventions(__try/__except(), everything worked fine. Shrug.
- Stripped the firewall API out of the libdnet included with Nmapbecause Nmap doesn't use it anyway. This saves space and reduces thelikelihood of compilation errors and warnings.
- Modified the previously useless --noninteractive option so that itdeactivates runtime interaction.
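The --badsum entry above rests on one check: a real host verifies the TCP checksum before answering, so a device that answers a bad-checksum probe is one that skipped the check. The verifier below is an added example (not Nmap's code) of that check as a sensor or firewall should perform it; the 10.0.0.x addresses and the SYN segment are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Running one's-complement sum over a byte buffer. The carried-in sum lets
 * the IPv4 pseudo-header and the TCP segment be folded in separately. */
static uint32_t ones_sum(uint32_t sum, const uint8_t *data, size_t len) {
    while (len > 1) {
        sum += ((uint32_t)data[0] << 8) | data[1];
        data += 2;
        len -= 2;
    }
    if (len == 1)                       /* odd trailing byte is zero-padded */
        sum += (uint32_t)data[0] << 8;
    return sum;
}

/* Fold carries into 16 bits and complement (RFC 1071). */
static uint16_t fold(uint32_t sum) {
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Compute the checksum a correct TCP/IPv4 segment must carry: pseudo-header
 * (src, dst, zero, protocol 6, TCP length) plus header and payload, with the
 * checksum field itself (bytes 16-17) treated as zero. seglen must be >= 20. */
uint16_t tcp_checksum(const uint8_t src[4], const uint8_t dst[4],
                      const uint8_t *seg, size_t seglen) {
    uint8_t pseudo[12];
    memcpy(pseudo, src, 4);
    memcpy(pseudo + 4, dst, 4);
    pseudo[8] = 0;
    pseudo[9] = 6;                      /* IPPROTO_TCP */
    pseudo[10] = (uint8_t)(seglen >> 8);
    pseudo[11] = (uint8_t)(seglen & 0xff);
    uint32_t sum = ones_sum(0, pseudo, sizeof pseudo);
    sum = ones_sum(sum, seg, 16);       /* words before the checksum field */
    sum = ones_sum(sum, seg + 18, seglen - 18);
    return fold(sum);
}

/* 1 if the carried checksum is valid, 0 otherwise. A sensor that skips this
 * check will react to --badsum probes that every real host silently drops. */
int tcp_checksum_ok(const uint8_t src[4], const uint8_t dst[4],
                    const uint8_t *seg, size_t seglen) {
    if (seglen < 20)
        return 0;
    uint16_t carried = (uint16_t)((seg[16] << 8) | seg[17]);
    return tcp_checksum(src, dst, seg, seglen) == carried;
}

/* Constructed sample: a bare SYN from 10.0.0.1:40000 to 10.0.0.2:80. */
const uint8_t sample_src[4] = { 10, 0, 0, 1 };
const uint8_t sample_dst[4] = { 10, 0, 0, 2 };
const uint8_t sample_syn[20] = {
    0x9c, 0x40, 0x00, 0x50,             /* ports 40000 -> 80 */
    0x00, 0x00, 0x00, 0x01,             /* seq */
    0x00, 0x00, 0x00, 0x00,             /* ack */
    0x50, 0x02, 0x20, 0x00,             /* offset 5, SYN, window 8192 */
    0xdf, 0x4e, 0x00, 0x00              /* correct checksum, urgent ptr */
};
/* Same segment with the checksum field corrupted, as a --badsum probe carries it. */
const uint8_t sample_badsum[20] = {
    0x9c, 0x40, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0x20, 0x00, 0xde, 0xad, 0x00, 0x00
};

int main(void) {
    printf("good segment:   %s\n",
           tcp_checksum_ok(sample_src, sample_dst, sample_syn, 20) ? "valid" : "INVALID");
    printf("badsum segment: %s\n",
           tcp_checksum_ok(sample_src, sample_dst, sample_badsum, 20) ? "valid" : "INVALID");
    return 0;
}
```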
Nmap 3.96BETA1 [2005-12-29]
- Added --max_retries option for capping the maximum number of retransmissions the port scan engine will do. The value may be as low as 0 (no retransmits). A low value can increase speed, though at the risk of losing accuracy. The -T4 option now allows up to 6 retries, and -T5 allows 2. Thanks to Martin Macok (martin.macok(a)underground.cz) for writing the initial patch, which I changed quite a bit. I also updated the docs to reflect this neat new option.
- Many of the Nmap low-level timing options take a value in milliseconds. You can now append an 's', 'm', or 'h' to the value to give it in seconds, minutes, or hours instead. So you can specify a 45 minute host timeout with --host_timeout 45m rather than specifying --host_timeout 2700000 and hoping you did the math right and have the correct number of zeros. This also now works for the --min_rtt_timeout, --max_rtt_timeout, --initial_rtt_timeout, --scan_delay, and --max_scan_delay options.
- Improved the NmapFE port to GTK2 so it better conforms to the new API and you don't get as many annoying messages in your terminal window. GTK2 is prettier and more functional too. Thanks to Priit Laes (amd(a)store20.com) for writing these excellent patches.
- Fixed a problem which led to the error message "Failed to determine dst MAC address for target" when you try to run Nmap using a dialup/PPP adapter on Windows rather than a real ethernet card. Due to Microsoft breaking raw sockets, Nmap no longer supports dialup adapters, but it should now give you a clearer error message than the "dst MAC address" nonsense.
- Debian GNU/kFreeBSD is now supported thanks to a patch to libdnet's configure.in by Petr Salinger (Petr.Salinger(a)t-systems.cz).
- Tried to update to the latest autoconf only to find that there hasn't been a new version in more than two years :(. I was able to find new config.sub and config.guess files at http://cvs.savannah.gnu.org/viewcvs/config/config/ , so I updated to those.
- Fixed a problem with the -e option on Windows (or UNIX with --send_eth) when run on an ethernet network against an external (routed) host. You would get the message "NmapArpCache() can only take IPv4 addresses. Sorry". Thanks to KX (kxmail(a)gmail.com) for helping to track down the problem.
- Made some changes to allow source port zero scans (-g0). Nmap used to refuse to do this, but now it just gives a warning that it may not work on all systems. It seems to work fine on my Linux box. Thanks to Bill Dale (bill_dale(a)bellsouth.net) for suggesting this feature.
- Made a change to libdnet so that Windows interfaces are listed as down if they are disconnected, unplugged, or otherwise unavailable.
- Ceased including foreign translations in the Nmap tarball as they take up too much space. HTML versions can be found at https://nmap.org/docs.html , while XML and NROFF versions are available from https://svn.nmap.org/nmap/docs/man-xlate/ .
- Changed INSTALL and README-WIN32 files to mostly just reference the new Nmap Install Guide at https://nmap.org/book/install.html .
- Included docs/nmap-man.xml in the tarball distribution, which is the DocBook XML source for the Nmap man page. Patches to Nmap that are user-visible should include patches to the man page XML source rather than to the generated Nroff.
- Fixed Nmap so it doesn't crash when you ask it to resume a previous scan, but pass in a bogus file rather than actual Nmap output. Thanks to Piotr Sobolewski (piotr_sobolewski(a)o2.pl) for the fix.
Nmap 3.95 [2005-12-8]
- Fixed a crash in IPID Idle scan. Thanks to Ron (iago(a)valhallalegends.com), Bakeman (bakeman(a)physics.unr.edu), and others for reporting the problem.
- Fixed an inefficiency in RPC scan that could slow things down and also sometimes resulted in the spurious warning message: "Unable to find listening socket in get_rpc_results"
- Fixed a 3.94ALPHA3 bug that caused UDP scan results to be listed as TCP ports instead. Thanks to Justin M Cacak (jcacak(a)nebraska.edu) for reporting the problem.
Nmap 3.94ALPHA3 [2005-12-6]
- Updated NmapFE to build with GTK2 rather than obsolete GTK1. Thanks to Mike Basinger (dbasinge(a)speakeasy.net) and Meethune Bhowmick (meethune(a)oss-institute.org) for developing the patch. I made some changes as well to prevent compilation warnings. The new NmapFE now seems to work, though I do get "Gtk-CRITICAL" assertion error messages. If someone has time to look into this, that would be appreciated.
- Fixed a compilation problem on Mac OS X and perhaps other platforms with a one-line fix to scan_engine.cc. Thanks to Felix Gröbert (felix(a)groebert.org) for notifying me of the problem.
- Fixed a problem that prevented the command "nmap -sT -PT [targets]" from working from a non-privileged user account. The -PT option doesn't change default behavior in this case, but Nmap should (and now does) allow it.
- Applied another VS 2005 compatibility patch from KX (kxmail(a)gmail.com).
- Define INET_ADDRSTRLEN in tcpip.h if the system doesn't define it for us. This apparently aids compilation on Solaris 2.6 and 7. Thanks to Albert Chin (nmap-hackers(a)mlists.thewrittenword.com) for sending the patch.
Nmap 3.94ALPHA2 [2005-12-4]
- Put Nmap on a diet, with changes to the core port scanning routine (ultra_scan) to substantially reduce memory consumption, particularly when tens of thousands of ports are scanned.
- Fixed a problem with the -S option on Windows reporting "Failed to resolve/decode supposed IPv4 source address". The -D (decoy) option was probably broken on that platform too. Thanks to KX (kxmail(a)gmail.com) for reporting the problem and tracking down a potential solution.
- Better handle ICMP type 3, code 0 (network unreachable) responses to port scan packets. These are rarely seen when scanning hosts that are actually online, but are still worth handling.
- Applied some small fixes so that Nmap compiles with Visual C++ 2005 Express, which is free from Microsoft at http://msdn.microsoft.com/vstudio/express/visualc/ . Thanks to KX (kxmail(a)gmail.com) and Sina Bahram (sbahram(a)nc.rr.com).
- Removed foreign translations of the old man page from the distribution. Included the following contributed translations (nroff format) of the new man page:
  - Brazilian Portuguese by Lucien Raven (lucienraven(a)yahoo.com.br)
  - Portuguese (Portugal) by José Domingos (jd_pt(a)yahoo.com) and Andreia Gaita (shana.ufie(a)gmail.com).
- Added --thc option (undocumented)
- Modified libdnet-stripped/src/eth-bsd.c to allow for up to 128 bpf devices rather than 32. This prevents errors like "Failed to open ethernet interface (fxp0)" when there are more than 32 interface aliases. Thanks to Krok (krok(a)void.ru) for reporting the problem and even sending a patch.
Nmap 3.94ALPHA1 [2005-11-27]
- Wrote a new man page from scratch. It is much more comprehensive (more than twice as long) and (IMHO) better organized than the previous one. Read it online at https://nmap.org/book/man.html or docs/nmap.1 from the Nmap distribution. Let me know if you have any ideas for improving it.
- Wrote a new "help screen", which you get when running Nmap without arguments. It is also reproduced in the man page and at https://svn.nmap.org/nmap/docs/nmap.usage.txt . I gave up trying to fit it within a 25-line, 80-column terminal window. It is now 78 lines and summarizes all but the most obscure Nmap options.
- Version detection softmatches (when Nmap determines the service protocol such as smtp but isn't able to determine the app name such as Postfix) can now parse out the normal match line fields such as hostname, device type, and extra info. For example, we may not know what vendor created an sshd, but we can still parse out the protocol number. This was a patch from Doug Hoyte (doug(a)hcsw.org).
- Fixed a problem which caused UDP version scanning to fail to print the matched service. Thanks to Martin Macok (martin.macok(a)underground.cz) for reporting the problem and Doug Hoyte (doug(a)hcsw.org) for fixing it.
- Made the version detection "ports" directive (in nmap-service-probes) more comprehensive. This should speed up scans a bit. The patch was done by Doug Hoyte (doug(a)hcsw.org).
- Added the --webxml option, which does the same thing as --stylesheet https://svn.nmap.org/nmap/docs/nmap.xsl , without requiring you to remember the exact URL or type that whole thing.
- Fixed a crash that occurred when the --exclude option was used with netmasks on certain platforms. Thanks to Adam (nmapuser(a)globalmegahost.com) for reporting the problem and to Greg Darke (starstuff(a)optusnet.com.au) for sending a patch (I modified the patch a bit to make it more efficient).
- Fixed a problem with the -S and -e options (spoof/set source address, and set interface by name, respectively). The problem report and a partial patch were sent by Richard Birkett (richard(a)musicbox.net).
- Fixed a possible aliasing problem in tcpip.cc by applying a patch sent in by Gwenole Beauchesne (gbeauchesne(a)mandriva.com). This problem shouldn't have had any effect on users since we already include the -fno-strict-aliasing option whenever gcc 4 is detected, but it brings us closer to being able to remove that option.
- Fixed a bug that caused Nmap to crash if an nmap-service-probes file was used which didn't contain the Exclude directive.
- Fixed a bunch of typos and misspellings throughout the Nmap source code (mostly in comments). This was a 625-line patch by Saint Xavier (skyxav(a)skynet.be).
- Nmap now accepts target list files in Windows end-of-line format (\r\n) as well as standard UNIX format (\n) on all platforms. Passing a Windows style file to Nmap on UNIX didn't work before unless you ran dos2unix first.
- Removed Identd scan support from NmapFE since Nmap no longer supports it. Thanks to Jonathan Dieter (jdieter99(a)gmx.net) for the patch.
- Integrated all of the September version detection fingerprint submissions. This was done by Version Detection Czar Doug Hoyte (doug(a)hcsw.org) and resulted in 86 new match lines. Please keep those submissions coming!
- Fixed a divide-by-zero crash when you specify rather bogus command-line arguments (a TCP scan with zero tcp ports). Thanks to Bart Dopheide (dopheide(a)fmf.nl) for identifying the problem and sending a patch.
- Fixed a minor syntax error in tcpip.h that was causing problems with GCC 4.1. Thanks to Dirk Mueller (dmuell(a)gmx.net) for reporting the problem and sending a fix.
Nmap 3.93 [2005-9-12]
- Modified Libpcap's configure.ac to compile with the -fno-strict-aliasing option if gcc 4.X is used. This prevents crashes when said compiler is used. This was done for Nmap in 3.90, but is apparently needed for pcap too. Thanks to Craig Humphrey (Craig.Humphrey(a)chapmantripp.com) for the discovery.
- Patched libdnet to include sys/uio.h in src/tun-linux.c. This is apparently necessary on some Glibc 2.1 systems. Thanks to Rob Foehl (rwf(a)loonybin.net) for the patch.
- Fixed a crash which could occur when a ridiculously short --host_timeout was specified on Windows (or on UNIX if --send_eth was specified). Nmap now also prints a warning if you specify a host_timeout of less than 1 second. Thanks to Ole Morten Grodaas (grodaas(a)gmail.com) for discovering the problem.
Nmap 3.91 [2005-9-11]
- Fixed a crash on Windows when you -P0 scan an unused IP on a local network (or a range that contains unused IPs). This could also happen on UNIX if you specified the new --send_eth option. Thanks to Jim Carras (JFCECL(a)engr.psu.edu) for reporting the problem.
- Fixed compilation on OpenBSD by applying a patch from Okan Demirmen (okan(a)demirmen.com), who maintains Nmap in the OpenBSD Ports collection.
- Updated nmap-mac-prefixes to include OUIs assigned by the IEEE since April.
- Updated the included libpcre (used for version detection) from version 4.3 to 6.3. A libpcre security issue was fixed in 6.3, but that issue never affected Nmap.
- Updated the included libpcap from 0.8.3 to 0.9.3. I also changed the directory name in the Nmap tarball from libpcap-possiblymodified to just libpcap. As usual, the modifications are described in the NMAP_MODIFICATIONS file in that directory.
Nmap 3.90 [2005-9-8]
- Added the ability for Nmap to send and properly route raw ethernet packets containing IP datagrams rather than always sending the packets via raw sockets. This is particularly useful for Windows, since Microsoft has disabled raw socket support in XP for no good reason. Nmap tries to choose the best method at runtime based on platform, though you can override it with the new --send_eth and --send_ip options.
- Added ARP scanning (-PR). Nmap can now send raw ethernet ARP requests to determine whether hosts on a LAN are up, rather than relying on higher-level IP packets (which can only be sent after a successful ARP request and reply anyway). This is much faster and more reliable (not subject to IP-level firewalling) than IP-based probes. The downside is that it only works when the target machine is on the same LAN as the scanning machine. It is now used automatically for any hosts that are detected to be on a local ethernet network, unless --send_ip was specified. Example usage: nmap -sP -PR 192.168.0.0/16 .
- Added the --spoof_mac option, which asks Nmap to use the given MAC address for all of the raw ethernet frames it sends. The MAC given can take several formats. If it is simply the string "0", Nmap chooses a completely random MAC for the session. If the given string is an even number of hex digits (with the pairs optionally separated by a colon), Nmap will use those as the MAC. If less than 12 hex digits are provided, Nmap fills in the remainder of the 6 bytes with random values. If the argument isn't a 0 or hex string, Nmap looks through the nmap-mac-prefixes to find a vendor name containing the given string (it is case insensitive). If a match is found, Nmap uses the vendor's OUI (3-byte prefix) and fills out the remaining 3 bytes randomly. Valid --spoof_mac argument examples are "Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2", and "Cisco".
- Applied an enormous nmap-service-probes (version detection) update from SoC student Doug Hoyte (doug(a)hcsw.org). Version 3.81 had 1064 match lines covering 195 service protocols. Now we have 2865 match lines covering 359 protocols! So the database size has nearly tripled! This should make your -sV scans quicker and more accurate. Thanks also go to the (literally) thousands of you who submitted service fingerprints. Keep them coming!
- Applied a massive OS fingerprint update from Zhao Lei (zhaolei(a)gmail.com). About 350 fingerprints were added, and many more were updated. Notable additions include Mac OS X 10.4 (Tiger), OpenBSD 3.7, FreeBSD 5.4, Windows Server 2003 SP1, Sony AIBO (along with a new "robotic pet" device type category), the latest Linux 2.6 kernels, Cisco routers with IOS 12.4, a ton of VoIP devices, Tru64 UNIX 5.1B, new Fortinet firewalls, AIX 5.3, NetBSD 2.0, Nokia IPSO 3.8.X, and Solaris 10. Of course there are also tons of new broadband routers, printers, WAPs and pretty much any other device you can coax an ethernet cable (or wireless card) into!
- Added 'leet ASCII art to the configurator! ARTIST NOTE: If you think the ASCII art sucks, feel free to send me alternatives. Note that only people compiling the UNIX source code get this (ASCII artist unknown).
- Added OS, device type, and hostname detection using the service detection framework. Many services print a hostname, which may be different than DNS. The services often give more away as well. If Nmap detects IIS, it reports an OS family of "Windows". If it sees HP JetDirect telnetd, it reports a device type of "printer". Rather than try to combine TCP/IP stack fingerprinting and service OS fingerprinting, they are both printed. After all, they could legitimately be different. An IP that gives a stack fingerprint match of "Linksys WRT54G broadband router" and a service fingerprint of Windows based on Kazaa running is likely a common NAT setup rather than an Nmap mistake.
- Nmap on Windows now compiles/links with the new WinPcap 3.1 header/lib files. So please upgrade to 3.1 from http://www.winpcap.org before installing this version of Nmap. While older versions may still work, they aren't supported with Nmap.
- The official Nmap RPM files are now compiled statically for better compatibility with other systems. X86_64 (AMD Athlon64/Opteron) binaries are now available in addition to the standard i386. NmapFE RPMs are no longer distributed by Insecure.Org.
- Nmap distribution signing has changed. Release files are now signed with a new Nmap Project GPG key (KeyID 6B9355D0). Fyodor has also generated a new key for himself (KeyID 33599B5F). The Nmap key has been signed by Fyodor's new key, which has been signed by Fyodor's old key so that you know they are legit. The new keys are available at https://svn.nmap.org/nmap/docs/nmap_gpgkeys.txt , as docs/nmap_gpgkeys.txt in the Nmap source tarball, and on the public keyserver network. Here are the fingerprints:
  pub   1024D/33599B5F 2005-04-24
        Key fingerprint = BB61 D057 C0D7 DCEF E730 996C 1AF6 EC50 3359 9B5F
  uid   Fyodor <fyodor@insecure.org>
  sub   2048g/D3C2241C 2005-04-24

  pub   1024D/6B9355D0 2005-04-24
        Key fingerprint = 436D 66AB 9A79 8425 FDA0 E3F8 01AF 9F03 6B93 55D0
  uid   Nmap Project Signing Key (http://www.insecure.org/)
  sub   2048g/A50A6A94 2005-04-24
- Fixed a crash problem related to non-portable varargs (vsnprintf) usage. Reports of this crash came from Alan William Somers (somers(a)its.caltech.edu) and Christophe (chris.branch(a)gmx.de). This crash was prevalent on Linux boxes running an Opteron/Athlon64 CPU in 64-bit mode.
- Fixed crash when Nmap is compiled using gcc 4.X by adding the -fno-strict-aliasing option when that compiler is detected. Thanks to Greg Darke (starstuff(a)optusnet.com.au) for discovering that this option fixes (hides) the problem and to Duilio J. Protti (dprotti(a)flowgate.net) for writing the configure patch to detect gcc 4 and add the option. A better fix is to identify and rewrite lines that violate C99 alias rules, and we are looking into that.
- Added "rarity" feature to Nmap version detection. This causes obscure probes to be skipped when they are unlikely to help. Each probe now has a "rarity" value. Probes that detect dozens of services such as GenericLines and GetRequest have rarity values of 1, while the WWWOFFLEctrlstat and mydoom probes have a rarity of 9. When interrogating a port, Nmap always tries probes registered to that port number. So even WWWOFFLEctrlstat will be tried against port 8081 and mydoom will be tried against open ports between 3127 and 3198. If none of the registered ports find a match, Nmap tries probes that have a rarity less than or equal to its current intensity level. The intensity level defaults to 7 (so that most of the probes are done). You can set the intensity level with the new --version_intensity option. Alternatively, you can just use --version_light or --version_all which set the intensity to 2 (only try the most important probes and ones registered to the port number) and 9 (try all probes), respectively. --version_light is much faster than default version detection, but also a bit less likely to find a match. This feature was designed and implemented by Doug Hoyte (doug(a)hcsw.org).
- Added a "fallback" feature to the nmap-service-probes database. This allows a probe to "inherit" match lines from other probes. It is currently only used for the HTTPOptions, RTSPRequest, and SSLSessionReq probes to inherit all of the match lines from GetRequest. Some servers don't respond to the Nmap GetRequest (for example because it doesn't include a Host: line) but they do respond to some of those other 3 probes in ways that GetRequest match lines are general enough to match. The fallback construct allows us to benefit from these matches without repeating hundreds of signatures in the file. This is another feature designed and implemented by Doug Hoyte (doug(a)hcsw.org).
- Fixed crash with certain --excludefile or --exclude arguments. Thanks to Kurt Grutzmacher (grutz(a)jingojango.net) and pijn trein (ptrein(a)gmail.com) for reporting the problem, and to Duilio J. Protti (dprotti(a)flowgate.net) for debugging the issue and sending the patch.
- Updated random scan (ip_is_reserved()) to reflect the latest IANA assignments. This patch was sent in by Felix Groebert (felix(a)groebert.org).
- Included new Russian man page translation by locco_bozi(a)Safe-mail.net
- Applied patch from Steve Martin (smartin(a)stillsecure.com) which standardizes many OS names and corrects typos in nmap-os-fingerprints.
- Fixed a crash found during certain UDP version scans. The crash was discovered and reported by Ron (iago(a)valhallalegends.com) and fixed by Doug Hoyte (doug(a)hcsw.com).
- Added --iflist argument which prints a list of system interfaces and routes detected by Nmap.
- Fixed a protocol scan (-sO) problem which led to the error message: "Error compiling our pcap filter: syntax error". Thanks to Michel Arboi (michel(a)arboi.fr.eu.org) for reporting the problem.
- Fixed an Nmap version detection crash on Windows which led to the error message "Unexpected error in NSE_TYPE_READ callback. Error code: 10053 (Unknown error)". Thanks to Srivatsan (srivatsanp(a)adventnet.com) for reporting the problem.
- Fixed some misspellings in docs/nmap.xml reported by Tom Sellers.
- Applied some changes from Gisle Vanem (giva(a)bgnett.no) to make Nmap compile with Cygwin.
- XML "osmatch" element now has a "line" attribute giving the reference fingerprint line number in nmap-os-fingerprints.
- Added a distcc probe and a bunch of smtp matches from Dirk Mueller (mueller(a)kde.org) to nmap-service-probes. Also added AFS version probe and matches from Lionel Cons (lionel.cons(a)cern.ch). And even more probes and matches from Martin Macok (martin.macok(a)underground.cz).
- Fixed a problem where Nmap compilation would use header files from the libpcap included with Nmap even when it was linking to a system libpcap. Thanks to Solar Designer (solar(a)openwall.com) and Okan Demirmen (okan(a)demirmen.com) for reporting the problem.
- Added configure option --with-libpcap=included to tell Nmap to use the version of libpcap it ships with rather than any that may already be installed on the system. You can still use --with-libpcap=[dir] to specify that a system libpcap be used rather than the shipped one. By default, Nmap looks at both and decides which one is likely to work best. If you are having problems on Solaris, try --with-libpcap=included .
- Changed the --no-stylesheet option to --no_stylesheet to be consistent with all of the other Nmap options. Though I'm starting to like hyphens a bit better than underscores and may change all of the options to use hyphens instead at some point.
- Added "Exclude" directive to nmap-service-probes grammar which causes version detection to skip listed ports. This is helpful for ports such as 9100. Some printers simply print any data sent to that port, leading to pages of HTTP requests, SMB queries, X Windows probes, etc. If you really want to scan all ports, specify --allports. This patch came from Doug Hoyte (doug(a)hcsw.org).
- Added a stripped-down and heavily modified version of Dug Song's libdnet networking library (v. 1.10). This helps with the new raw ethernet features. My (extensive) changes are described in libdnet-stripped/NMAP_MODIFICATIONS
- Removed WinIP library (and all Windows raw sockets code) since MS has gone and broken raw sockets. Maybe packet receipt via raw sockets will come back at some point. As part of this removal, the Windows-specific --win_help, --win_list_interfaces, --win_norawsock, --win_forcerawsock, --win_nopcap, --win_nt4route, --win_noiphlpapi, and --win_trace options have been removed.
- Changed the interesting ports array from a 65K-member array of pointers into an STL list. This noticeably reduces memory usage in some cases, and should also give a slight runtime performance boost. This patch was written by Paul Tarjan (ptarjan(a)gmail.com).
- Removed the BSDFIX/BSDUFIX macros. The underlying bug in FreeBSD/NetBSD is still there though. When an IP packet is sent through a raw socket, these platforms require the total length and fragmentation offset fields of an IP packet to be in host byte order rather than network byte order, even though all the other fields must be in NBO. I believe that OpenBSD fixed this a while back. Other platforms, such as Linux, Solaris, Mac OS X, and Windows take all of the fields in network byte order. While I removed the macro, I still do the munging where required so that Nmap still works on FreeBSD.
- Integrated many nmap-service-probes changes from Bo Jiang (jiangbo(a)brandeis.edu)
- Added a bunch of RPC numbers from nmap-rpc maintainer Eilon Gishri (eilon(a)aristo.tau.ac.il)
- Added some new RPC services to nmap-rpc thanks to a patch from vlad902 (vlad902(a)gmail.com).
- Fixed a bug where Nmap would quit on Windows whenever it encountered a raw scan of localhost (including the local ethernet interface address), even when that was just one address out of a whole network being scanned. Now Nmap just warns that it is skipping raw scans when it encounters the local IP, but continues on to scan the rest of the network. Raw scans do not currently work against local IP addresses because WinPcap doesn't support reading/writing localhost interfaces due to limitations of Windows.
- The OS fingerprint is now provided in XML output if debugging is enabled (-d) or verbosity is at least 2 (-v -v). This patch was sent by Okan Demirmen (okan(a)demirmen.com)
- Fixed the way tcp connect scan (-sT) responds to ICMP network unreachable responses (patch by Richard Moore (rich(a)westpoint.ltd.uk)).
- Updated random host scan (-iR) to support the latest IANA-allocated ranges, thanks to a patch by Chad Loder (cloder(a)loder.us).
- Updated GNU shtool (a helper program used during 'make install') to version 2.0.2, which fixes a predictable temporary filename weakness discovered by Eric Raymond.
- Removed addport element from XML DTD, since it is no longer used (suggested by Lionel Cons (lionel.cons(a)cern.ch)).
- Added new --privileged command-line option and NMAP_PRIVILEGED environment variable. Either of these tells Nmap to assume that the user has full privileges to execute raw packet scans, OS detection and the like. This can be useful when Linux kernel capabilities or other systems are used that allow non-root users to perform raw packet or ethernet frame manipulation. Without this flag or variable set, Nmap bails on UNIX if geteuid() is nonzero.
- Changed the RPM spec file so that if you define "static" to 1 (by passing --define "static 1" to rpmbuild), static binaries are built.
- Fixed Nmap compilation on Solaris x86 thanks to a patch from Simon Burr (simes(a)bpfh.net).
- ultra_scan() now sets pseudo-random ACK values (rather than 0) for any TCP scans in which the initial probe packet has the ACK flag set. This would be the ACK, Xmas, Maimon, and Window scans.
- Updated the Nmap version number, description, and similar fields that MS Visual Studio places in the binary. This was done by editing mswin32/nmap.rc as suggested by Chris Paget (chrisp(a)ngssoftware.com)
- Fixed Nmap compilation on DragonFly BSD (and perhaps some other systems) by applying a short patch by Joerg Sonnenberger which omits the declaration of errno if it is a #define.
- Fixed an integer overflow that prevented Nmap from scanning 2,147,483,648 hosts in one expression (e.g. 0.0.0.0/1). Problem noted by Justin Cranford (jcranford(a)n-able.com). While /1 scans are now possible, don't expect them to finish during your bathroom break. No matter how constipated you are.
- Increased the buffer size allocated for fingerprints to prevent Nmap from running out and quitting (error message: "Assertion `servicefpalloc - servicefplen > 8' failed"). Thanks to Mike Hatz (mhatz(a)blackcat.com) for the report. (Actually this was done in a previous version, but I forgot which one.)
- Changed from CVS to Subversion source control system (which rocks!). Neither repository is public (I'm paranoid because both CVS and SVN have had remotely exploitable security holes), so the main change users will see is that "Id" tags in file headers use the SVN format for version numbering and such.
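The --spoof_mac entry in the 3.90 list above spells out a small decision procedure ("0", even-length hex with optional colons, otherwise a vendor lookup in nmap-mac-prefixes). The following is an added example (not Nmap's own parser) implementing that procedure; the four-entry prefix table is a constructed excerpt standing in for the real nmap-mac-prefixes file, and the parse_spoof_mac function and its MAC_* result codes are names chosen for the demo.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum mac_source { MAC_RANDOM, MAC_HEX, MAC_VENDOR, MAC_INVALID };

/* Constructed excerpt standing in for nmap-mac-prefixes: OUI then vendor. */
struct oui_entry { const char *oui; const char *vendor; };
static const struct oui_entry mac_prefixes[] = {
    { "000393", "Apple Computer" },
    { "0020F2", "Sun Microsystems" },
    { "000C29", "VMware" },
    { "00000C", "Cisco Systems" },
};

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Randomize bytes mac[from..5]; rand() is adequate for a demo. */
static void fill_random(uint8_t mac[6], int from) {
    for (int i = from; i < 6; i++)
        mac[i] = (uint8_t)(rand() & 0xff);
}

/* Case-insensitive substring test, so "cisco" matches "Cisco Systems". */
static int contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Resolve a --spoof_mac argument into six bytes. *fixed_bytes reports how
 * many leading bytes came from the argument (the rest were randomized). */
enum mac_source parse_spoof_mac(const char *arg, uint8_t mac[6], int *fixed_bytes) {
    *fixed_bytes = 0;
    if (*arg == '\0')
        return MAC_INVALID;
    if (strcmp(arg, "0") == 0) {             /* "0": fully random MAC */
        fill_random(mac, 0);
        return MAC_RANDOM;
    }
    /* Hex form: an even number of hex digits, pairs optionally colon-separated. */
    int digits[12], nd = 0, is_hex = 1;
    for (const char *p = arg; *p; p++) {
        if (*p == ':') continue;
        int v = hexval((unsigned char)*p);
        if (v < 0 || nd == 12) { is_hex = 0; break; }
        digits[nd++] = v;
    }
    if (is_hex && nd > 0 && nd % 2 == 0) {
        for (int i = 0; i < nd / 2; i++)
            mac[i] = (uint8_t)((digits[2 * i] << 4) | digits[2 * i + 1]);
        fill_random(mac, nd / 2);            /* fewer than 12 digits: pad randomly */
        *fixed_bytes = nd / 2;
        return MAC_HEX;
    }
    /* Otherwise: vendor lookup, keep its OUI and randomize the low 3 bytes. */
    for (size_t i = 0; i < sizeof mac_prefixes / sizeof mac_prefixes[0]; i++) {
        if (!contains_ci(mac_prefixes[i].vendor, arg)) continue;
        for (int b = 0; b < 3; b++)
            mac[b] = (uint8_t)((hexval(mac_prefixes[i].oui[2 * b]) << 4) |
                               hexval(mac_prefixes[i].oui[2 * b + 1]));
        fill_random(mac, 3);
        *fixed_bytes = 3;
        return MAC_VENDOR;
    }
    return MAC_INVALID;
}

int main(void) {
    const char *examples[] = { "Apple", "0", "01:02:03:04:05:06",
                               "deadbeefcafe", "0020F2", "Cisco", "0020F" };
    for (size_t i = 0; i < sizeof examples / sizeof examples[0]; i++) {
        uint8_t mac[6];
        int fixed;
        enum mac_source s = parse_spoof_mac(examples[i], mac, &fixed);
        printf("%-18s -> source %d, %d fixed bytes:", examples[i], (int)s, fixed);
        for (int b = 0; b < 6; b++) printf(" %02x", mac[b]);
        printf("\n");
    }
    return 0;
}
```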
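The "rarity" and "fallback" entries in the 3.90 list above describe two rules of version detection: probes registered to a port are always sent, other probes only when their rarity is at or below the intensity, and a probe can inherit another probe's match lines. The example below is an added model of both rules, not Nmap's service-scan code: the rarities of GenericLines, GetRequest, WWWOFFLEctrlstat and mydoom and the 8081 and 3127-3198 registrations follow the changelog, while the remaining probes, rarities, port registrations and the substring "match lines" are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define MAX_RANGES 2

/* Substring stand-in for a PCRE match line: "match <service> m|needle|". */
struct match_line { const char *service; const char *needle; };

struct probe {
    const char *name;
    int rarity;                    /* 1 = broadly useful ... 9 = very obscure */
    int ports[MAX_RANGES][2];      /* registered port ranges {lo,hi}; {0,0} unused */
    const char *fallback;          /* probe whose match lines are inherited, or NULL */
    const struct match_line *matches;
    int nmatches;
};

static const struct match_line get_request_matches[] = {
    { "http", "HTTP/1." },
    { "http", "<html" },
};
static const struct match_line null_matches[] = { { "ssh", "SSH-" } };

/* Constructed probe table; see the lead-in for which values are assumptions. */
static const struct probe probes[] = {
    { "NULL",             1, {{22, 22}, {0, 0}},        NULL,         null_matches, 1 },
    { "GenericLines",     1, {{0, 0}, {0, 0}},          NULL,         NULL, 0 },
    { "GetRequest",       1, {{80, 80}, {8080, 8080}},  NULL,         get_request_matches, 2 },
    { "HTTPOptions",      4, {{80, 80}, {0, 0}},        "GetRequest", NULL, 0 },
    { "WWWOFFLEctrlstat", 9, {{8081, 8081}, {0, 0}},    NULL,         NULL, 0 },
    { "mydoom",           9, {{3127, 3198}, {0, 0}},    NULL,         NULL, 0 },
};
#define NPROBES ((int)(sizeof probes / sizeof probes[0]))

static int registered(const struct probe *p, int port) {
    for (int i = 0; i < MAX_RANGES; i++)
        if (p->ports[i][0] && port >= p->ports[i][0] && port <= p->ports[i][1])
            return 1;
    return 0;
}

/* Order in which probes would be sent to `port` at the given intensity:
 * registered probes first regardless of rarity, then every remaining probe
 * whose rarity <= intensity. Returns the number of names written to out[]. */
int select_probes(int port, int intensity, const char **out, int max) {
    int n = 0;
    for (int i = 0; i < NPROBES && n < max; i++)
        if (registered(&probes[i], port))
            out[n++] = probes[i].name;
    for (int i = 0; i < NPROBES && n < max; i++)
        if (!registered(&probes[i], port) && probes[i].rarity <= intensity)
            out[n++] = probes[i].name;
    return n;
}

static const struct probe *find_probe(const char *name) {
    for (int i = 0; i < NPROBES; i++)
        if (strcmp(probes[i].name, name) == 0) return &probes[i];
    return NULL;
}

/* Match a response against the probe's own lines, then the lines it inherits
 * through its fallback (HTTPOptions -> GetRequest). Returns the service or NULL. */
const char *match_response(const char *probe_name, const char *response) {
    for (const struct probe *p = find_probe(probe_name); p;
         p = p->fallback ? find_probe(p->fallback) : NULL)
        for (int i = 0; i < p->nmatches; i++)
            if (strstr(response, p->matches[i].needle))
                return p->matches[i].service;
    return NULL;
}

int main(void) {
    const char *order[NPROBES];
    int n = select_probes(8081, 7, order, NPROBES);      /* default intensity 7 */
    printf("port 8081, intensity 7:");
    for (int i = 0; i < n; i++) printf(" %s", order[i]);
    printf("\n");
    const char *svc = match_response("HTTPOptions", "HTTP/1.1 200 OK\r\nAllow: GET,OPTIONS\r\n");
    printf("HTTPOptions response matched via fallback: %s\n", svc ? svc : "(none)");
    return 0;
}
```

Note how port 80 at intensity 2 still receives HTTPOptions (rarity 4) because it is registered there, while port 8081 at the default intensity never receives mydoom.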
Nmap 3.81 [2005-2-7]
- Nmap now ships with and installs (in the same directory as other data files such as nmap-os-fingerprints) an XSL stylesheet for rendering the XML output as HTML. This stylesheet was written by Benjamin Erb (see http://www.benjamin-erb.de/nmap/ for examples). It supports tables, version detection, color-coded port states, and more. The XML output has been augmented to include an xml-stylesheet directive pointing to nmap.xsl on the local file system. You can point to a different XSL file by providing the filename or URL to the new --stylesheet argument. Omit the xml-stylesheet directive entirely by specifying --no-stylesheet. The XML to HTML conversion can be done with an XSLT processor such as Saxon, Sablot, or Xalan, but modern browsers can do this on the fly -- simply load the XML output file in IE or Firefox. Some features don't currently work with Firefox's on-the-fly rendering. Perhaps some Mozilla wizard can fix that in either the XSL or the browser itself. I hate having things work better in IE :). It is often more convenient to have the stylesheet loaded from a URL rather than the local file system, allowing the XML to be rendered on any machine regardless of whether/where the XSL is installed. For privacy reasons (avoid loading of an external URL when you view results), Nmap uses the local file system by default. If you would like the latest version of the stylesheet loaded from the web when rendering, specify --stylesheet https://svn.nmap.org/nmap/docs/nmap.xsl .
- Fixed fragmentation option (-f). One -f now sends fragments with just 8 bytes after the IP header, while -ff sends 16 bytes to reduce the number of fragments needed. You can specify your own fragmentation offset (must be a multiple of 8) with the new --mtu flag. Don't also specify -f if you use --mtu. Remember that some systems (such as Linux with connection tracking) will defragment in the kernel anyway -- so test first while sniffing with ethereal. These changes are from a patch by Martin Macok (martin.macok(a)underground.cz).
- Nmap now prints the number (and total bytes) of raw IP packets sent and received when it completes, if verbose mode (-v) is enabled. The report looks like:
  Nmap finished: 256 IP addresses (3 hosts up) scanned in 30.632 seconds
  Raw packets sent: 7727 (303KB) | Rcvd: 6944 (304KB)
- Fixed (I hope) an error which would cause the Windows version of Nmap to abort under some circumstances with the error message "Unexpected error in NSE_TYPE_READ callback. Error code: 10053 (Unknown error)". Problem reported by "Tony Golding" (biz(a)tonygolding.com).
- Added new "closed|filtered" state. This is used for Idle scan, since that scan method can't distinguish between those two states. Nmap previously just used "closed", but this is more accurate.
- Null, FIN, Maimon, and Xmas scans now mark ports as "open|filtered" instead of "open" when they fail to receive any response from the target port. After all, it could just as easily be filtered as open. This is the same change that was made to UDP scan in 3.70. Also as with UDP scan, adding version detection (-sV) will change the state from open|filtered to open if it confirms that they really are open.
- Fixed a bug in ACK scan that could cause Nmap to crash with the message "Unexpected port state: 6" in some cases. Thanks to Glyn Geoghegan (glyng(a)corsaire.com) for reporting the problem.
- Changed IP protocol scan (-sO) so that a response from the target host in any protocol at all will prove that protocol is open. As before, no response means "open|filtered", an ICMP protocol unreachable means "closed", and most other ICMP error messages mean "filtered".
- Patched a libpcap issue that prevented read timeouts from being honored on Solaris (thus slowing down Nmap substantially). The problem report and patch were sent in by Ben Harris (bjh21(a)cam.ac.uk).
- Changed IP protocol scan (-sO) so that it sends valid ICMP, TCP, and UDP headers when scanning protocols 1, 6, and 17, respectively. An empty IP header is still sent for all other protocols. This should prevent error messages such as "sendto in send_ip_packet: sendto(3, packet, 20, 0, 192.31.33.7, 16) => Operation not permitted" that Linux (and perhaps other systems) would give when they try to interpret the raw packet. This also makes it more likely that these protocols will elicit a response, proving that the protocol is "open".
- The Windows build now uses header and static library files from WinPcap 3.1Beta4. It also now prints out the DLL version you are using when run with -d. I would recommend upgrading to 3.1Beta4 if you have an older WinPcap installed.
- Nmap now prints a warning message on Windows if WinPcap is not found (it then reverts to raw sockets mode if available, as usual).
- Added an NTP probe and matches to the version detection database (nmap-service-probes) thanks to a submission from Martin Macok (martin.macok(a)underground.cz).
- Applied several Nmap service detection database updates sent in by Martin Macok (martin.macok(a)underground.cz).
- The XML nmaprun element now has a startstr attribute which gives the human readable calendar time format that a scan started. Similarly the finished element now has a timestr attribute describing when the scan finished. These are in addition to the existing nmaprun/start and finished/time attributes that provided the start and finish time in UNIX time_t notation. This should help in development of XSLT stylesheets for Nmap XML output.
- Fixed a memory leak that would generally consume several hundred bytes per down host scanned. While the effect for most scans is negligible, it was overwhelming when Scott Carlson (Scott.Carlson(a)schwab.com) tried to scan 16.8 million IPs (10.0.0.0/8). Thanks to him for reporting the problem. Also thanks to Valgrind (http://valgrind.kde.org ) for making it easy to debug.
- Fixed a crash on Windows systems that don't include the iphlpapi DLL. This affects Win95 and perhaps other variants. Thanks to Ganga Bhavani (GBhavani(a)everdreamcorp.com) for reporting the problem and sending the patch.
- Ensured that the device type, os vendor, and os family OS fingerprinting classification values are scrubbed for XML compliance in the XML output. Thanks to Matthieu Verbert (mve(a)zurich.ibm.com) for reporting the problem and sending a patch.
- Rewrote the host IP (target specification) parser for easier maintenance and to fix a bug found by Netris (netris(a)ok.kz).
- Changed the Nmap XML DTD to use the same xmloutputversion (1.01) as newer versions of Nmap. Thanks to Laurent Estieux (laurent.estieux(a)free.fr) for reporting the problem.
- Fixed compilation on some HP-UX 11 boxes thanks to a patch by Petter Reinholdtsen (pere(a)hungry.com).
- Fixed a portability problem on some OpenBSD and FreeBSD machines thanks to a patch by Okan Demirmen (okan(a)demirmen.com).
- Applied Martin Macok's (martin.macok(a)underground.cz) "cosmetics patch", which fixes a few typos and minor problems.
Nmap 3.75 [2004-10-18]
- Implemented a huge OS fingerprint database update. The number of fingerprints increased more than 20% to 1,353 and many of the existing ones are much improved. Notable updates include the fourth edition of Bell Lab's Plan9, Grandstream's BudgeTone 101 IP Phone, and Bart's Network Boot Disk 2.7 (which runs MS-DOS). Oh, and Linux kernels up to 2.6.8, dozens of new Windows fingerprints including XP SP2, the latest Longhorn warez, and many modified Xboxes, OpenBSD 3.6, NetBSD up to 2.0RC4, Apple's AirPort Express WAP and OS X 10.3.3 (Panther) release, Novell Netware 6.5, FreeBSD 5.3-BETA, a bunch of Linksys and D-Link consumer junk, the latest Cisco IOS 12.2 releases, a ton of miscellaneous broadband routers and printers, and much more.
- Updated nmap-mac-prefixes with the latest OUIs from the IEEE.
- Updated nmap-protocols with the latest IP protocols from IANA.
- Added a few new Nmap version detection signatures thanks to a patch from Martin Macok (martin.macok(a)underground.cz).
- Fixed a crash problem in the Windows version of Nmap, thanks to a patch from Ganga Bhavani (GBhavani(a)everdreamcorp.com).
- Fixed Windows service scan crashes that occur with the error message "Unexpected nsock_loop error. Error code 10022 (Unknown error)". It turns out that Windows does not allow select() calls with all three FD sets empty. Lame. The Linux select() man page even suggests calling "select with all three sets empty, n zero, and a non-null timeout as a fairly portable way to sleep with subsecond precision." Thanks to Gisle Vanem (giva(a)bgnett.no) for debugging help.
- Added --max_scan_delay parameter. Nmap will sometimes increase the delay itself when it detects many dropped packets. For example, Solaris systems tend to respond with only one ICMP port unreachable packet per second during a UDP scan. So Nmap will try to detect this and lower its rate of UDP probes to one per second. This can provide more accurate results while reducing network congestion, but it can slow the scans down substantially. By default (with no -T options specified), Nmap allows this delay to grow to one second per probe. This option allows you to set a lower or higher maximum. The -T4 and -T5 scan modes now limit the maximum scan delay for TCP scans to 10 and 5 ms, respectively.
- Fixed a bug that prevented RPC scan (-sR) from working for UDP ports unless service detection (-sV) was used. -sV is still usually a better approach than -sR, as the latter ONLY handles RPC. Thanks to Stephen Bishop (sbishop(a)idsec.co.uk) for reporting the problem and sending a patch.
- Fixed nmap_fetchfile() to better find custom versions of data files such as nmap-services. Note that the implicitly read directory should be ~/.nmap rather than ~/nmap . So you may have to move any customized files you now have in ~/nmap . Thanks to nnposter (nnposter(a)users.sourceforge.net) for reporting the problem and sending a patch.
- Changed XML output so that the MAC address <address> element comes right after the IPv4/IPv6 <address> element. Apparently this is needed to comply with the DTD (https://svn.nmap.org/nmap/docs/nmap.dtd ). Thanks to Adam Morgan (adam.morgan(a)Q1Labs.com) and Florian Ebner (Florian.Ebner(a)e-bros.de) for the problem reports.
- Fixed an error in the Nmap RPM spec file reported by Pascal Trouvin (pascal.trouvin(a)wanadoo.fr).
- Fixed a timing problem in which a specified large --send_delay would sometimes be reduced to 1 second during a scan. Thanks to Martin Macok (martin.macok(a)underground.cz) for reporting the problem.
- Fixed a timing problem with sneaky and paranoid modes (-T1 and -T0) which would cause Nmap to continually scan the same port and never hit other ports when scanning certain firewalled hosts. Thanks to Curtis Doty (Curtis(a)GreenKey.net) for reporting the problem.
- Fixed a bug in the build system that caused most Nmap subdirectories to be configured twice. Changing the variable holding the name of subdirs from $subdirs to $nmap_cfg_subdirs resolved the problem -- configure must have been using that variable name for its own internal operations. Anyway, this should reduce compile time significantly.
- Made a trivial change to nsock/src/nsock_event.c to work around a "bug in GCC 3.3.1 on FreeBSD/sparc64". I found the patch by digging around the FreeBSD ports tree repository. It would be nice if the FreeBSD Nmap port maintainers would report such things to me, rather than fixing it in their own Nmap tree and then applying the patch to every future version. On the other hand, they deserve some sort of "most up-to-date" award. I stuck Nmap 3.71-PRE1 in the dist directory for a few people to test, and made no announcement or direct link. The FreeBSD crew found it and upgraded anyway :). The gcc-workaround patch was apparently submitted to the FreeBSD folks by Marius Strobl (marius(a)alchemy.franken.de).
- Fixed (I hope) an OS detection timing issue which would in some cases lead to the warning that "insufficient responses for TCP sequencing (3), OS detection may be less accurate." Thanks to Adam Kerrison (adam(a)tideway.com) for reporting the problem.
- Modified the warning given when files such as nmap-services exist in both the compiled-in NMAPDATADIR and the current working directory. That message should now only appear once and is more clear.
- Fixed ping scan subsystem to work a little bit better when --scan_delay (or some of the slower -T templates which include a scan delay) is specified. Thanks to Shahid Khan (khan(a)asia.apple.com) for suggestions.
- Taught connect() scan to properly interpret ICMP protocol unreachable messages. Thanks to Alan Bishoff (abishoff(a)arc.nasa.gov) for the report.
- Improved the nmapfe.desktop file to better comply with standards. Thanks to Stephane Loeuillet (stephane.loeuillet(a)tiscali.fr) for sending the patch.
Nmap 3.70 [2004-8-31]
- Rewrote core port scanning engine, which is now named ultra_scan(). Improved algorithms make this faster (often dramatically so) in almost all cases. Not only is it superior against single hosts, but ultra_scan() can scan many hosts (sometimes hundreds) in parallel. This offers many efficiency/speed advantages. For example, hosts often limit the ICMP port unreachable packets used by UDP scans to 1/second. That made those scans extraordinarily slow in previous versions of Nmap. But if you are scanning 100 hosts at once, suddenly you can receive 100 responses per second. Spreading the scan amongst hosts is also gentler toward the target hosts. Nmap can still scan many ports at the same time, as well. If you find cases where ultra_scan is slower or less accurate, please send a report (including exact command-lines, versions used, and output, if possible) to Fyodor.
- Added --max_hostgroup option which specifies the maximum number of hosts that Nmap is allowed to scan in parallel.
- Added --min_hostgroup option which specifies the minimum number of hosts that Nmap should scan in parallel (there are some exceptions where Nmap will still scan smaller groups -- see man page). Of course, Nmap will try to choose efficient values even if you don't specify hostgroup restrictions explicitly.
- Rewrote TCP SYN, ACK, Window, and Connect() scans to use the ultra_scan() framework, rather than the old pos_scan().
- Rewrote FIN, Xmas, NULL, Maimon, UDP, and IP Protocol scans to use ultra_scan(), rather than the old super_scan().
- Overhauled UDP scan. Ports that don't respond are now classified as "open|filtered" (open or filtered) rather than "open". The (somewhat rare) ports that actually respond with a UDP packet to the empty probe are considered open. If version detection is requested, it will be performed on open|filtered ports. Any that respond to any of the UDP probes will have their status changed to open. This avoids the false-positive problem where filtered UDP ports appear to be open, leading to terrified newbies thinking their machine is infected by Back Orifice.
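The state rules from this UDP overhaul and from the 3.81 notes (Null/FIN/Xmas/Maimon "open|filtered", Idle scan "closed|filtered", and the IP protocol scan rules) collected into one classifier. This is an added example, not Nmap's own code; the Scan and Reply enums are constructed for illustration, and the RST/ICMP rules for the stealth scans are standard Nmap behaviour rather than text from this changelog.

```python
"""Classifier for the composite port states introduced in Nmap 3.70/3.81.

Added example, not Nmap's own code: it maps the kind of reply a probe got
to the state string Nmap reports. Scan and Reply are constructed enums.
"""
from enum import Enum, auto


class Scan(Enum):
    UDP = auto()            # -sU
    NULL_FIN_XMAS = auto()  # -sN, -sF, -sX and Maimon (-sM)
    IDLE = auto()           # -sI, judged only through the zombie's IP ID
    IPPROTO = auto()        # -sO, where the "port" is an IP protocol number


class Reply(Enum):
    NONE = auto()                 # probe timed out, no answer at all
    TCP_RST = auto()
    UDP_PAYLOAD = auto()          # target answered the empty UDP probe
    OTHER_PROTO_PAYLOAD = auto()  # any non-error packet in the scanned protocol (-sO)
    ICMP_PORT_UNREACH = auto()    # ICMP type 3 code 3
    ICMP_PROTO_UNREACH = auto()   # ICMP type 3 code 2
    ICMP_OTHER_ERROR = auto()     # other ICMP unreachable codes (admin prohibited, ...)
    ZOMBIE_IPID_BUMP = auto()     # idle scan: the zombie's IP ID advanced by an extra step


ICMP_ERRORS = {Reply.ICMP_PORT_UNREACH, Reply.ICMP_PROTO_UNREACH, Reply.ICMP_OTHER_ERROR}


def infer_state(scan: Scan, reply: Reply, version_confirmed: bool = False) -> str:
    """Return the state Nmap prints for one probe outcome.

    version_confirmed models the follow-up rule: when -sV later elicits a real
    service response from an open|filtered port, the state is upgraded to open.
    """
    if scan is Scan.UDP:
        if reply is Reply.UDP_PAYLOAD:
            return "open"
        if reply is Reply.ICMP_PORT_UNREACH:
            return "closed"
        if reply in ICMP_ERRORS:
            return "filtered"
        if reply is Reply.NONE:
            return "open" if version_confirmed else "open|filtered"
    elif scan is Scan.NULL_FIN_XMAS:
        if reply is Reply.TCP_RST:
            return "closed"
        if reply in ICMP_ERRORS:
            return "filtered"
        if reply is Reply.NONE:
            return "open" if version_confirmed else "open|filtered"
    elif scan is Scan.IDLE:
        # The scanner never sees the target's reply, only the zombie's IP ID,
        # so "no bump" cannot separate closed from filtered (3.81 change).
        return "open" if reply is Reply.ZOMBIE_IPID_BUMP else "closed|filtered"
    elif scan is Scan.IPPROTO:
        if reply is Reply.NONE:
            return "open|filtered"
        if reply is Reply.ICMP_PROTO_UNREACH:
            return "closed"
        if reply in ICMP_ERRORS:
            return "filtered"
        return "open"  # any response in the protocol itself proves it is open
    raise ValueError(f"{reply.name} is not a possible outcome for {scan.name}")


def needs_followup(state: str) -> bool:
    """Composite states are not definitive: -sV or a different scan type is needed."""
    return "|" in state
```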
- Nmap now estimates completion times for almost all port scan types (any that use ultra_scan()) as well as service scan (version detection). These are only shown in verbose mode (-v). On scans that take more than a minute or two, you will see occasional updates like:
  SYN Stealth Scan Timing: About 30.01% done; ETC: 16:04 (0:01:09 remaining)
  New updates are given if the estimates change significantly.
- Added --exclude option, which lets you specify a comma-separated list of targets (hosts, ranges, netblocks) that should be excluded from the scan. This is useful to keep from scanning yourself, your ISP, particularly sensitive hosts, etc. The new --excludefile reads the list (newline-delimited) from a given file. All the work was done by Mark-David McLaughlin (mdmcl(a)cisco.com) and William McVey (wam(a)cisco.com), who sent me a well-designed and well-tested patch.
- Nmap now has a "port scan ping" system. If it has received at least one response from any port on the host, but has not received responses lately (usually due to filtering), Nmap will "ping" that known-good port occasionally to detect latency, packet drop rate, etc.
- Service/version detection now handles multiple hosts at once for more efficient and less-intrusive operation.
- Nmap now wishes itself a happy birthday when run on September 1 in verbose mode! The first public release was on that date in 1997.
- The port randomizer now has a bias toward putting commonly-accessible ports (80, 22, etc.) near the beginning of the list. Getting a response early helps Nmap calculate response times and detect packet loss, so the scan goes faster.
- Host timeout system (--host_timeout) overhauled to support host parallelization. Host times are tracked separately, so a host that finishes a SYN scan quickly is not penalized for an exceptionally slow host being scanned at the same time.
- When Nmap has not received any responses from a host, it can now use certain timing values from other hosts from the same scan group. This way Nmap doesn't have to use absolute-worst-case (300bps SLIP link to Uzbekistan) round trip timeouts and such.
- Enabled MAC address reporting when using the Windows version of Nmap. Thanks to Andy Lutomirski (luto(a)stanford.edu) for writing and sending the patch.
- Worked around crippled raw sockets on Microsoft Windows XP SP2. I applied a patch by Andy Lutomirski (luto(a)stanford.edu) which causes Nmap to default to WinPcap sends instead. The WinPcap send functionality was already there for versions of Windows such as NT and Win98 that never supported raw sockets in the first place.
- Changed how Nmap sends ARP requests on Windows to use the iphlpapi SendARP() function rather than creating it raw and reading the response from the Windows ARP cache. This works around a (reasonable) feature of Windows Firewall which ignored such unsolicited responses. The firewall is turned on by default as of Windows XP SP2. This change was implemented by Dana Epp (dana(a)vulscan.com).
- Fixed some Windows portability issues discovered by Gisle Vanem (giva(a)bgnett.no).
- Upgraded libpcap from version 0.7.2 to 0.8.3. This was an attempt to fix an annoying bug, which I then found was actually in my code rather than libpcap :).
- Removed Ident scan (-I). It was rarely useful, and the implementation would have to be rewritten for the new ultra_scan() system. If there is significant demand, perhaps I'll put it back in sometime.
- Documented the --osscan_limit option, which saves time by skipping OS detection if at least one open and one closed port are not found on the remote hosts. OS detection is much less reliable against such hosts anyway, and skipping it can save some time.
- Updated nmapfe.desktop file to provide better NmapFE desktop support under Fedora Core and other systems. Thanks to Mephisto (mephisto(a)mephisto.ma.cx) for sending the patch.
- Further nmapfe.desktop changes to better fit the freedesktop standard. The patch came from Murphy (m3rf(a)swimmingnoodle.com).
- Fixed capitalization (with a Perl script) of many over-capitalized vendor names in nmap-mac-prefixes.
- Ensured that MAC address vendor names are always escaped in XML output if they contain illegal characters (particularly '&'). Thanks to Matthieu Verbert (mve(a)zurich.ibm.com) for the report and a patch.
- Changed xmloutputversion in XML output from 1.0 to 1.01 to note that there was a slight change (which was actually the MAC stuff in 3.55). Thanks to Lionel CONS (lionel.cons(a)cern.ch) for the suggestion.
- Many Windows portability fixes and bug fixes, thanks to a patch from Gisle Vanem (giva(a)bgnett.no). With these changes, he was able to compile Nmap on Windows using MingW + gcc 3.4 C++ rather than MS Visual Studio.
- Removed (addport) tags from XML output. They used to provide open ports as they were discovered, but don't work now that the port scanners scan many hosts at once. They did not specify an IP address. Of course the appropriate (port) tags are still printed once scanning of a target is complete.
- Configure script now detects GNU/k*BSD systems (whatever those are), thanks to a patch from Robert Millan (rmh(a)debian.org).
- Fixed various crashes and assertion failures related to the new ultra_scan() system, that were found by Arturo "Buanzo" Busleiman (buanzo(a)buanzo.com.ar), Eric (catastrophe.net), and Bill Petersen (bill.petersen(a)alcatel.com).
- Fixed some minor memory leaks relating to ping and list scanning as well as the Nmap output table. These were found with Valgrind (http://valgrind.kde.org/ ).
- Provide limited --packet_trace support for TCP connect() (-sT) scans.
- Fixed compilation on certain Solaris machines thanks to a patch by Tom Duffy (tduffy(a)sun.com).
- Fixed some warnings that crop up when compiling Nbase C files with a C++ compiler. Thanks to Gisle Vanem (giva(a)bgnett.no) for sending the patch.
- Tweaked the License blurb on source files and in the man page. It clarifies some issues and includes a new GPL exception that explicitly allows linking with the OpenSSL library. Some people believe that the GPL and OpenSSL licenses are incompatible without this special exception.
- Fixed some serious runtime portability issues on *BSD systems. Thanks to Eric (catastrophe.net) for reporting the problem.
- Changed the argument parser to better detect bogus arguments to the -iR option.
- Removed a spurious warning message relating to the Windows ARP cache being empty. Patch by Gisle Vanem (giva(a)bgnett.no).
- Removed some C++-style line comments (//) from nbase, because some C compilers (particularly on Solaris) barf on those. Problem reported by Raju Alluri <Raju.Alluri(a)Sun.COM>.
Nmap 3.55 [2004-7-7]
- Added MAC address printing. If Nmap receives a packet from a target machine which is on an Ethernet segment directly connected to the scanning machine, Nmap will print out the target MAC address. Nmap also now contains a database (derived from the official IEEE version) which it uses to determine the vendor name of the target ethernet interface. The Windows version of Nmap does not yet have this capability. If any Windows developer types are interested in adding it, you just need to implement IPisDirectlyConnected() in tcpip.cc and then please send me the patch. Here are examples from normal and XML output:
  MAC Address: 08:00:20:8F:6B:2F (SUN Microsystems)
  <address addr="00:A0:CC:63:85:4B" vendor="Lite-on Communications" addrtype="mac" />
- Updated the XML DTD to support the newly printed MAC addresses. Thanks to Thorsten Holz (thorsten.holz(a)mmweg.rwth-aachen.de) for sending this patch.
- Added a bunch of new and fixed service fingerprints for version detection. These are from Martin Macok (martin.macok(a)underground.cz).
- Normalized many of the OS names in nmap-os-fingerprints (fixed capitalization, typos, etc.). Thanks to Royce Williams (royce(a)alaska.net) and Ping Huang (pshuang(a)alum.mit.edu) for sending patches.
- Modified the mswin32/nmap_performance.reg Windows registry file to use an older and more compatible version. It also now includes the value "StrictTimeWaitSeqCheck"=dword:00000001 , as suggested by Jim Harrison (jmharr(a)microsoft.com). Without that latter value, the TcpTimedWaitDelay value apparently isn't checked. Windows users should apply the new registry changes by clicking on the .reg file. Or do it manually as described in README-WIN32. This file is also now available in the data directory at https://svn.nmap.org/nmap/docs/nmap_performance.reg
- Applied patch from Gisle Vanem (giva(a)bgnett.no) which allows the Windows version of Nmap to work with WinPCAP 3.1BETA (and probably future releases). The WinPcap folks apparently changed the encoding of adapter names in this release.
- Fixed a ping scanning bug that would cause this error message: "nmap: targets.cc:196: int hostupdate (Target **, Target *, int, int, int, timeout_info *, timeval *, timeval *, pingtune *, tcpqueryinfo *, pingstyle): Assertion `pt->down_this_block > 0' failed." Thanks to Beirne Konarski (beirne(a)neo.rr.com) for reporting the problem.
- If a user attempts -PO (the letter O), print an error suggesting that they probably mean -P0 (Zero) to disable ping scanning.
- Applied a couple patches (with minor changes) from Oliver Eikemeier (eikemeier(a)fillmore-labs.com) which fix an edge case relating to decoy scanning IP ranges that must be sent through different interfaces, and improve the Nmap response to certain error codes returned by the FreeBSD firewall system. The patches are from http://cvsweb.freebsd.org/ports/security/nmap/files/ .
- Many people have reported this error: "checking for type of 6th argument to recvfrom()... configure: error: Cannot find type for 6th argument to recvfrom()". In most cases, the cause was a missing or broken C++ compiler. That should now be detected earlier with a clearer message.
- Fixed the FTP bounce scan to better detect filtered ports on the target network.
- Fixed some minor bugs related to the new MAC address printing feature.
- Fixed a problem with UDP-scanning port 0, which was reported by Sebastian Wolfgarten (sebastian(a)wolfgarten.com).
- Applied patch from Ruediger Rissmann (RRI(a)zurich.ibm.com), which helps Nmap understand an EACCESS error, which can happen at least during IPv6 scans from certain platforms to some firewalled targets.
- Renamed ACK ping scan option from -PT to -PA in the documentation. Nmap has accepted both names for years and will continue to do so.
- Removed the notice that Nmap is reading target specifications from a file or stdin when you specify the -iL option. It was sometimes printed to stdout even when you wanted to redirect XML or grepable output there, because it was printed during options processing before output files were handled. This change was suggested by Anders Thulin (ath(a)algonet.se).
- Added --source_port as a longer, but hopefully easier to remember, alias for -g. In other words, it tries to use the constant source port number you specify for probes. This can help against poorly configured firewalls that trust source port 20, 53, and the like.
- Removed undocumented (and useless) -N option.
- Fixed a version detection crash reported in excellent detail by Jedi/Sector One (j(a)pureftpd.org).
- Applied patch from Matt Selsky (selsky(a)columbia.edu) which helps Nmap build with OpenSSL.
- Modified the configure/build system to fix library ordering problems that prevented Nmap from building on certain platforms. Thanks to Greg A. Woods (woods(a)weird.com) and Saravanan (saravanan_kovai(a)HotPop.com) for the suggestions.
- Applied a patch to Makefile.in from Scott Mansfield (thephantom(a)mac.com) which enables the use of a DESTDIR variable to install the whole Nmap directory structure under a different root directory. The configure --prefix option would do the same thing in this case, but DESTDIR is apparently a standard that package maintainers like Scott are used to. An example usage is "make DESTDIR=/tmp/packageroot".
- Removed unnecessary banner printing in the non-root connect() ping scan. Thanks to Tom Rune Flo (tom(a)x86.no) for the suggestion and a patch.
- Updated the headers at the top of each source file (mostly to advance the copyright year to 2004 and note that Nmap is a registered trademark).
- The SInfo line of submitted fingerprints now provides the target's OUI (first three bytes of the MAC address) if available. Example: "M=00A0CC". To save a couple bytes, the "Time" field in SInfo has been renamed to "Tm". The OUI helps identify the device vendor, and is only available when the source and target machines are on the same ethernet network.
Nmap 3.50 [2004-1-18]
- Integrated a ton of service fingerprints, increasing the number of signatures more than 50%. It has now exceeded 1,000 for the first time, and represents 180 unique service protocols from acap, afp, and aim to xml-rpc, zebedee, and zebra.
- Implemented a huge OS fingerprint update. The number of fingerprints has increased more than 13% to 1,121. This is the first time it has exceeded 1000. Notable updates include Linux 2.6.0, Mac OS X up to 10.3.2 (Panther), OpenBSD 3.4 (normal and pf "scrub all"), FreeBSD 5.2, the latest Windows Longhorn warez, and Cisco PIX 6.3.3. As usual, there are a ton of new consumer devices from ubiquitous D-Link, Linksys, and Netgear broadband routers to a number of new IP phones including the Cisco devices commonly used by Vonage. Linksys has apparently gone special-purpose with some of their devices, such as their WGA54G "Wireless Game Adapter" and WPS54GU2 wireless print server. A cute little MP3 player called the Rio Karma was submitted multiple times and I also received and integrated fingerprints for the Handspring Treo 600 (PalmOS).
- Applied some man page fixes from Eric S. Raymond (esr(a)snark.thyrsus.com).
- Added version scan information to grepable output between the last two '/' delimiters (that space was previously unused). So the format is now "portnum/state/protocol/owner/servicename/rpcinfo/versioninfo" as in "53/open/tcp//domain//ISC Bind 9.2.1/" and "22/open/tcp//ssh//OpenSSH 3.5p1 (protocol 1.99)/". Thanks to MadHat (madhat(a)unspecific.com) for sending a patch (although I did it differently). Note that any '/' characters in the version (or owner) field are replaced with '|' to keep awk/cut parsing simple. The service name field has been updated so that it is the same as in normal output (except for the same sort of escaping discussed above).
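A parser for the seven-field port record described above, including the '/' to '|' escaping of the version and owner fields. This is an added example, not Nmap's own code; the -oG host line it reads is constructed, and it assumes version text never contains ", ".

```python
"""Parse the version-detection fields of Nmap grepable (-oG) output.

Added example, not code from Nmap: it reads the seven-field port record
"portnum/state/protocol/owner/servicename/rpcinfo/versioninfo" introduced in
3.50 and undoes the '/' -> '|' escaping. The sample host line is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of one -oG host line; the "Ports:" section follows the
# changelog's format, and "PHP|4.3.4" shows a '/' escaped as '|' in the version field.
SAMPLE_LINE = (
    "Host: 10.1.2.3 (example.test)\t"
    "Ports: 22/open/tcp//ssh//OpenSSH 3.5p1 (protocol 1.99)/, "
    "53/open/tcp//domain//ISC Bind 9.2.1/, "
    "80/open/tcp//http//Apache httpd 1.3.29 ((Unix) PHP|4.3.4)/, "
    "135/filtered/tcp//msrpc///\t"
    "Ignored State: closed (996)"
)

FIELD_COUNT = 7  # portnum, state, protocol, owner, servicename, rpcinfo, versioninfo


@dataclass
class PortRecord:
    port: int
    state: str
    protocol: str
    owner: str
    service: str
    rpcinfo: str
    version: str


def unescape(field: str) -> str:
    # Nmap replaces '/' with '|' inside the owner and version fields so that
    # awk/cut style splitting on '/' stays simple. Undo that here; the mapping
    # is lossy if the original text contained a literal '|'.
    return field.replace("|", "/")


def parse_port_entry(entry: str) -> PortRecord:
    parts = entry.split("/")
    # Each of the seven fields is terminated by '/', so a well-formed entry
    # splits into eight pieces with an empty tail.
    if len(parts) != FIELD_COUNT + 1 or parts[-1] != "":
        raise ValueError(f"malformed port entry: {entry!r}")
    portnum, state, proto, owner, svc, rpc, ver = parts[:FIELD_COUNT]
    return PortRecord(int(portnum), state, proto, unescape(owner), svc, rpc, unescape(ver))


def parse_grepable_line(line: str) -> List[PortRecord]:
    """Return the port records of one -oG host line (empty if it has no Ports: section)."""
    records: List[PortRecord] = []
    for section in line.rstrip("\n").split("\t"):
        if not section.startswith("Ports: "):
            continue
        # Entries are separated by ", "; this assumes version text holds no ", ".
        for entry in section[len("Ports: "):].split(", "):
            if entry:
                records.append(parse_port_entry(entry))
    return records


def open_services(line: str) -> Dict[int, str]:
    """Map port -> version string for open ports, handy for diffing inventories between scans."""
    return {r.port: r.version for r in parse_grepable_line(line) if r.state == "open"}
```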
- Integrated an Oracle TNS service probe and match lines contributed by Frank Berger (fm.berger(a)gmx.de). New probe contributions are always appreciated!
- Fixed a crash that could happen during SSL version detection due to SSL session ID cache reference counting issues.
- Applied patch from Rob Foehl (rwf(a)loonybin.net) which fixes the --with_openssl=DIR configure argument.
- Applied patch to nmap XML dtd (nmap.dtd) from Mario Manno (mm(a)koeln.ccc.de). This accounts for the new version scanning functionality.
- Updated the Windows build system so that you don't have to manually copy nmap-service-probes to the output directory. I also updated the README-WIN32 to elaborate further on the build process.
- Added configure option --with-libpcre=included which causes Nmap to build with its included version of libpcre even if an acceptable version is available on the system.
- Upgraded to Autoconf 2.59 (from 2.57). This should help HP-UX compilation problems reported by Petter Reinholdtsen (pere(a)hungry.com) and may have other benefits as well.
- Applied patch from Przemek Galczewski (sako(a)avet.com.pl) which adds spaces to the XML output in places that apparently help certain older XML parsers.
- Made Ident-scan (-I) limits on the length and type of responses stricter so that rogue servers can't flood your screen with 1024 characters. The new length limit is 32. Thanks to Tom Rune Flo (tom(a)x86.no) for the suggestion and a patch.
- Fingerprints for unrecognized services can now be a bit longer to avoid truncating as much useful response information. While the fingerprints can be longer now, I hope they will be less frequent because of all the newly recognized services in this version.
- The nmap-service-probes "match" directive can now take a service name like "ssl/vmware-auth". The service will then be reported as vmware-auth (or whatever follows "ssl/") tunneled by SSL, yet Nmap won't actually bother initiating an SSL connection. This is useful for SSL services which can be fully recognized without the overhead of making an SSL connection.
- Version scan now chops commas and whitespace from the end of vendorproductname, version, and info fields. This makes it easier to write templates incorporating lists. For example, the tcpmux service (TCP port 1) gives a list of supported services separated by CRLF. Nmap uses this new feature to print them comma separated without having an annoying trailing comma, as so (linewrapped):
  match tcpmux m|^(sgi_[-.\w]+\r\n([-.\w]+\r\n)*)$| v/SGI IRIX tcpmux//Available services: $SUBST(1, "\r\n", ",")/
Nmap 3.48 [2003-10-6]
- Integrated an enormous number of version detection service submissions. The database has almost doubled in size to 663 signatures representing the following 130 services:
  3dm-http afp apcnisd arkstats bittorent chargen citrix-ica cvspserver cvsup dantzretrospect daytime dict directconnect domain echo eggdrop exec finger flexlm font-service ftp ftp-proxy gnats gnutella-http hddtemp hp-gsg http http-proxy hylafax icecast ident imap imaps imsp ipp irc ircbot irc-proxy issrealsecure jabber kazaa-http kerberos-sec landesk-rc ldap linuxconf lmtp lotusnotes lpd lucent-fwadm meetingmaker melange microsoft-ds microsoft-rdp mldonkey msactivesync msdtc msrpc ms-sql-m mstask mud mysql napster ncacn_http ncp netbios-ns netbios-ssn netrek netsaint netstat netwareip networkaudio nntp nsclient nsunicast ntop-http omniback oracle-mts oracle-tns pcanywheredata pksd pmud pop2 pop3 pop3s poppass postgresql powerchute printer qotd redcarpet rendezvous rlogind rpc rsync rtsp sdmsvc sftp shell shivahose sieve slimp3 smtp smux snpp sourceoffice spamd ssc-agent ssh ssl svrloc symantec-av symantec-esm systat telnet time tinyfw upnp uucp veritasnetbackup vnc vnc-http vtun webster whois wins winshell wms X11 xfce zebra
- Added the ability to execute "helper functions" in version templates, to help clean up/manipulate data captured from a server response. The first defined function is P() which includes only printable characters in a captured string. The main impetus for this is to deal with Unicode strings like "W\0O\0R\0K\0G\0R\0O\0U\0P\0" that many MS protocols send. Nmap can now decode that into "WORKGROUP".
- Added SUBST() helper function, which replaces strings in matched appname/version/extrainfo strings with something else. For example, VanDyke VShell gives a banner that includes "SSH-2\.0-VShell_2_2_0_528". A substring match is used to pick out the string "2_2_0_528", and then SUBST(1,"_",".") is called on that match to form the version number 2.2.0.528.
- If responses to a probe fail to match any of the registered matchstrings for that probe, Nmap will now try against the registered "nullprobe" match strings. This helps in the case that the NULL probeinitially times out (perhaps because of initial DNS lookup) but thebanner appears in later responses.
- Applied some portability fixes (particularly for OpenBSD) from ChadLoder (cloder(a)loder.us), who is also now the OpenBSD Nmap portmaintainer.
- Applied some portability fixes from Marius Strobl(marius(a)alchemy.franken.de).
- The tarball distribution of Nmap now strips the binary at installtime thanks to a patch from Marius Strobl(marius(a)alchemy.franken.de).
- Fixed a problem related to building Nmap on systems that lack PCRElibs (and thus have to use the ones included by Nmap). Thanks to RemiDenis-Courmont (deniscr6(a)cti.ecp.fr) for the report and patch.
- Alphabetized the service names in each Probe section innmap-service-probes (makes them easier to find and add to).
- Fixed the problem several people reported where Nmap would quit witha "broken pipe" error during service scanning. Thanks to Jari Ruusu(jari.ruusu(a)pp.inet.fi) for sending a patch. The actual errormessage was "Unexpected error in NSE_TYPE_READ callback. Errorcode: 32 (Broken pipe)"
- Fixed protocol scan (-sO), which I had broken when adding the newoutput table format. It would complain "NmapOutputTable.cc:128:failed assertion `row < numRows'". Thanks to Matt Burnett(marukka(a)mac.com) for notifying me of the problem.
- Upgraded Libpcap to the latest tcpdump.org version (0.7.2) from0.7.1
- Applied a patch from Peter Marschall (peter(a)adpm.de) which addsversion detection support to nmapfe.
- Fixed a problem with XML output being invalid when service detectionwas done on SSL-tunneled ports. Thanks to the several people whoreported this - it means that folks are actually using the XMLoutput :).
- Fixed (I hope) some Solaris Sun ONE compiler compilation problemsreported (w/patches) by Mikael Mannstrom (candyman(a)penti.org)
- Fixed the --with-openssl configure option for people who haveOpenSSL installed in a path not automatically found by theircompilers. Thanks to Marius Strobl (marius(a)alchemy.franken.de) forthe patch.
- Made some portability changes for HP-UX and possibly other types ofmachines, thanks to a patch from Petter Reinholdtsen (pere(a)hungry.com)
- Applied a patch from Matt Selsky (selsky(a)columbia.edu) which fixescompilation on some Solaris boxes, and maybe others. The error said"cannot compute sizeof (char)"
- Applied some patches from the NetBSD ports tree that Hubert Feyrer(hubert.feyrer(a)informatik.fh-regensburg.de) sent me. The NetBSDNmap ports page is athttp://www.NetBSD.org/packages/net/nmap/ .
- Applied some Makefile patches from the FreeBSD ports tree that Ifound athttp://www.freebsd.org/cgi/cvsweb.cgi/ports/security/nmap/files/
Nmap 3.45 [2003-9-15]
- Integrated more service signatures from MadHat (madhat(a)unspecific.com), Brian Hatch (bri(a)ifokr.org), Niels Heinen (zillion(a)safemode.org), Solar Designer (solar(a)openwall.com), Seth Master (smaster(a)stanford.edu), and Curt Wilson (netw3_security(a)hushmail.com). We now have 378 signatures recognizing 86 unique service protocols.
- Added new HTTPOptions and RTSPRequest probes suggested by MadHat (madhat(a)unspecific.com)
- Changed the .spec file to compile Nmap RPMs without SSL support to improve compatibility (Some users might not have OpenSSL, and even those who do might not have the right version (libopenssl.so.2 vs libopenssl.so.4, etc)).
- Applied a patch from Solar Eclipse (solareclipse(a)phreedom.org) which increases the allowed size of the 'extrainfo' version field from 80 characters to 128. The main benefit is to allow longer apache module version strings.
- Fixed Windows compilation and improved the Windows port slightly (no more macro to redefine read()).
- Applied some updates to README-WIN32 sent in by Kirby Kuehl (kkuehl(a)cisco.com). He improved the list of suggested registry changes and also fixed a typo or two. He also attached a .reg file to automate the Nmap connect() scan performance enhancing registry changes. I am now including that with the Nmap Windows binary .zip distribution (and in mswin32/ of the source distro).
- Applied a one-line patch from Dmitry V. Levin (ldv(a)altlinux.org) which fixes a test Nmap does during compilation to see if an existing libpcap installation is recent enough.
Nmap 3.40PVT17 [2003-9-12]
- Wrote and posted a new paper on version scanning to https://nmap.org/book/vscan.html . Updated nmap-service-probes and the Nmap man page to simply refer to this URL.
- Integrated more service signatures from my own scanning as well as contributions from Brian Hatch (bri(a)ifokr.org), MadHat (madhat(a)unspecific.com), Max Vision (vision(a)whitehats.com), HD Moore (hdm(a)digitaloffense.net), Seth Master (smaster(a)stanford.edu), and Niels Heinen (zillion(a)safemode.org). MadHat also contributed a new probe for Windows Media Service. Many people sent a LOT of signatures, which has allowed nmap-service-probes to grow from 295 to 356 signatures representing 85 service protocols!
- Applied a patch (with slight changes) from Brian Hatch (bri(a)ifokr.org) which enables caching of SSL sessions so that negotiation doesn't have to be repeated when Nmap reconnects to the same port between probes.
- Applied a patch from Brian Hatch (bri(a)ifokr.org) which optimizes the requested SSL ciphers for speed rather than security. The list was based on empirical evidence from substantial benchmarking he did with tests that resemble nmap-service-scanning.
- Updated the Nmap man page to discuss the new version scanning options (-sV, -A).
- I now include nmap-version/aclocal.m4 in the distribution as this is required to rebuild the configure script (thanks to Dmitry V. Levin (ldv(a)altlinux.org) for notifying me of the problem).
- Applied a patch from Dmitry V. Levin (ldv(a)altlinux.org) which detects whether the PCRE include file is <pcre.h> or <pcre
- Applied a patch from Dmitry V. Levin (ldv(a)altlinux.org) which fixes typos in some error messages. The patch apparently came from the highly-secure and stable Owl and Alt Linux distributions. Check them out at http://www.openwall.com/Owl/ and http://www.altlinux.com/
- Fixed compilation on Mac OS X - thanks to Brian Hatch (bri(a)ifokr.org) and Ryan Lowe (rlowe(a)pablowe.net) for giving me access to Mac OS X boxes.
- Stripped down libpcre build system to remove libtool dependency and other cruft that Nmap doesn't need (this was mostly a response to libtool-related issues on Mac OS X).
- Added a new --version_trace option which causes Nmap to print out extensive debugging info about what version scanning is doing (this is a subset of what you would get with --packet_trace). You should usually use this in combination with at least one -d option.
- Fixed a port number printing bug that would cause Nmap service fingerprints to give a negative port number when the actual port was above 32K. Thanks to Seth Master (smaster(a)stanford.edu) for finding this.
- Updated all the header text again to clarify our interpretation of "derived works" after some suggestions from Brian Hatch (bri(a)ifokr.org)
- Updated the Nsock config.sub/config.guess to the same newer versions that Nmap uses (for Mac OS X compilation).
Nmap 3.40PVT16 [2003-9-6]
- Fixed a compilation problem on systems w/o OpenSSL that was discovered by Solar Designer. I also fixed some compilation problems on non-IPv6 systems. It now compiles and runs on my Solaris and ancient OpenBSD systems.
- Integrated more services thanks to submissions from Niels Heinen (zillion(a)safemode.org).
- Canonicalized the headers at the top of each Nmap/Nsock header source file. This included clarifying our interpretation of derived works, updating the copyright date to 2003, making the header a bit wider, and a few other light changes. I've been putting this off for a while, because it required editing about a hundred !#$# files!
Nmap 3.40PVT15 [2003-9-5]
- Fixed a major bug in the Nsock time caching system. This could cause service detection to inexplicably fail against certain ports in the second or later machines scanned. Thanks to Solar Designer and HD Moore for helping me track this down.
- Fixed some *BSD compilation bugs found by Zillion (zillion(a)safemode.org).
- Integrated more services thanks to submissions from Fyodor Yarochkin (fygrave(a)tigerteam.net), and Niels Heinen (zillion(a)safemode.org), and some of my own exploring. There are now 295 signatures.
- Fixed a compilation bug found by Solar Designer on machines that don't have struct sockaddr_storage. Nsock now just uses "struct sockaddr *" like connect() does.
- Fixed a bug found by Solar Designer which would cause the Nmap portscan table to be truncated in -oN output files if the results are very long.
- Changed a bunch of large stack arrays (e.g. int portlookup[65536]) into dynamically allocated heap pointers. The large stack variables apparently caused problems on some architectures. This issue was reported by osamah abuoun (osamah_abuoun(a)hotmail.com).
Nmap 3.40PVT14 [2003-9-4]
- Added IPv6 support for service scan.
- Added an 'sslports' directive to nmap-service-probes. This tells Nmap which service checks to try first for SSL-wrapped ports. The syntax is the same as the normal 'ports' directive for non-ssl ports. For example, the HTTP probe has an 'sslports 443' line and SMTP-detecting probes have an 'sslports 465' line.
- Integrated more services thanks to submissions from MadHat (madhat(a)unspecific.com), Solar Designer (solar(a)openwall.com), Dug Song (dugsong(a)monkey.org), pope(a)undersec.com, and Brian Hatch (bri(a)ifokr.org). There are now 288 signatures, matching these 65 service protocols:
chargen cvspserver daytime domain echo exec finger font-service ftp ftp-proxy http http-proxy hylafax ident ident imap imaps ipp ircbot ircd irc-proxy issrealsecure landesk-rc ldap meetingmaker microsoft-ds msrpc mud mysql ncacn_http ncp netbios-ns netbios-ssn netsaint netwareip nntp nsclient oracle-tns pcanywheredata pop3 pop3s postgres printer qotd redcarpet rlogind rpc rsync rtsp shell smtp snpp spamd ssc-agent ssh ssl telnet time upnp uucp vnc vnc-http webster whois winshell X11
- Added a Lotus Notes probe from Fyodor Yarochkin (fygrave(a)tigerteam.net).
- Dug Song wins the "award" for most obscure service fingerprint submission. Nmap now detects Dave Curry's Webster dictionary server from 1986 :).
- Service fingerprints now include a 'T=SSL' attribute when SSL tunneling was used.
- More portability enhancements thanks to Solar Designer and his Linux 2.0 libc5 boxes.
- Applied a patch from Gisle Vanem (giva(a)bgnett.no) which improves Windows emulation of the UNIX mmap() and munmap() memory mapping calls.
Nmap 3.40PVT13 [2003-9-1]
- Added SSL-scan-through support. If service detection finds a port to be SSL, it will transparently connect to the port using OpenSSL and use version detection to determine what service lies beneath. This feature is only enabled if OpenSSL is available at build time. A new --with-openssl=DIR configure option is available if OpenSSL is not in your default compiler paths. You can use --without-openssl to disable this functionality. Thanks to Brian Hatch (bri(a)ifokr.org) for sample code and other assistance. Make sure you use a version without known exploitable overflows. In particular, versions up to and including OpenSSL 0.9.6d and 0.9.7-beta2 contained serious vulnerabilities described at http://www.openssl.org/news/secadv_20020730.txt . Note that these vulnerabilities are well over a year old at the time of this writing.
- Integrated many more services thanks to submissions from Brian Hatch, HellNBack (hellnbak(a)nmrc.org), MadHat, Solar Designer, Simple Nomad, and Shawn Wallis (swallis(a)ku.edu). The number of signatures has grown from 242 to 271. Thanks!
- Integrated Novell Netware NCP and MS Terminal Server probes from Simple Nomad (thegnome(a)nmrc.org).
- Fixed a segfault found by Solar Designer that could occur when scanning certain "evil" services.
- Fixed a problem reported by Solar Designer and MadHat (madhat(a)unspecific.com) where Nmap would bail when certain Apache version/info responses were particularly long. It could happen in other cases as well. Now Nmap just prints a warning.
- Fixed some portability issues reported by Solar Designer (solar(a)openwall.com)
Nmap 3.40PVT12 [2003-8-24]
- I added probes for SSL (session startup request) and microsoft-ds (SMB Negotiate Protocol request).
- I changed the default read timeout for a service probe from 7.5s to 5s.
- Fixed a one-character bug that broke many scans when -sV was NOT given. Thanks to Blue Boar (BlueBoar(a)thievco.com) for the report.
Nmap 3.40PVT11 [2003-8-23]
- Integrated many more services thanks to submissions from Simple Nomad, Solar Designer, jerickson(a)inphonic.com, Curt Wilson, and Marco Ivaldi. Thanks! The match line count has risen from 201 to 242.
- Implemented a service classification scheme to separate the vendor/product name from the version number and any extra info that is provided. Instead of v/[big version string]/, the new match lines include v/[vendor/productname]/[version]/[extrainfo]/ . See the docs at the top of nmap-service-probes for more info. This doesn't change the normal output (which lumps them together anyway), but they are separate in the XML so that higher-level programs can easily match against just a product name. Here are a few examples of the improved service element:
<service name="ssh" product="OpenSSH" version="3.1p1" extrainfo="protocol 1.99" method="probed" conf="10" />
<service name="domain" product="ISC Bind" version="9.2.1" method="probed" conf="10" />
<state state="open" /><service name="rpcbind" version="2" extrainfo="rpc #100000" method="probed" conf="10" />
<service name="rndc" method="table" conf="3" />
- I went through nmap-service-probes and added the vendor name to more entries. I also added the service name where the product name itself didn't make that completely obvious.
- SCO Corporation of Lindon, Utah (formerly Caldera) has lately taken to an extortion campaign of demanding license fees from Linux users for code that they themselves knowingly distributed under the terms of the GNU GPL. They have also refused to accept the GPL, claiming that some preposterous theory of theirs makes it invalid. Meanwhile they have distributed GPL-licensed Nmap in (at least) their "Supplemental Open Source CD". In response to these blatant violations, and in accordance with section 4 of the GPL, we hereby terminate SCO's rights to redistribute any versions of Nmap in any of their products, including (without limitation) OpenLinux, Skunkware, OpenServer, and UNIXWare.
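How a higher-level program can use the separated product/version/extrainfo attributes, as an added example that is not part of Nmap: it parses a constructed nmaprun document built from service elements like those shown in the 3.40PVT11 entry, matches on the product attribute alone, and lists services whose identification came only from the port table (method="table") rather than from a probe, which is where an inventory script should flag results as unverified. The sample document, the 192.0.2.10 documentation address and the function names are constructed for the example.

```python
"""Pull service facts out of Nmap -sV XML output.

Added example, not part of Nmap: relies on the <service> attributes
name/product/version/extrainfo/method/conf shown in the changelog.
The sample document below is constructed; 192.0.2.10 is a
documentation address.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV 192.0.2.10">
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="3.1p1" extrainfo="protocol 1.99" method="probed" conf="10"/></port>
<port protocol="tcp" portid="53"><state state="open"/><service name="domain" product="ISC Bind" version="9.2.1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="111"><state state="open"/><service name="rpcbind" version="2" extrainfo="rpc #100000" method="probed" conf="10"/></port>
<port protocol="tcp" portid="953"><state state="open"/><service name="rndc" method="table" conf="3"/></port>
</ports></host>
</nmaprun>
"""


def parse_services(xml_text):
    """Return one dict per port; absent <service> attributes become ''."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            rows.append({
                "addr": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": port.find("state").get("state"),
                "name": attrs.get("name", ""),
                "product": attrs.get("product", ""),
                "version": attrs.get("version", ""),
                "extrainfo": attrs.get("extrainfo", ""),
                "method": attrs.get("method", ""),
                "conf": int(attrs.get("conf", "0")),
            })
    return rows


def find_product(xml_text, product):
    """Open, probe-confirmed ports whose product attribute equals `product`.

    Matching on the product attribute avoids regex-scraping the lumped
    "OpenSSH 3.1p1 (protocol 1.99)" string of the older output format.
    """
    return [(r["addr"], r["port"], r["version"])
            for r in parse_services(xml_text)
            if r["state"] == "open" and r["method"] == "probed"
            and r["product"].lower() == product.lower()]


def unverified(xml_text, min_conf=10):
    """Services Nmap did not confirm by probing: table guesses or low conf."""
    return [r for r in parse_services(xml_text)
            if r["method"] != "probed" or r["conf"] < min_conf]


if __name__ == "__main__":
    for addr, port, version in find_product(SAMPLE_XML, "openssh"):
        print(f"{addr}:{port} OpenSSH {version}")
    for r in unverified(SAMPLE_XML):
        print(f"{addr}:{r['port']} {r['name']} is a guess (method={r['method']}, conf={r['conf']})")
```

The product comparison is case-insensitive because Nmap's product strings are hand-written vendor names; anything beyond exact equality (substring or version-range checks) belongs in the caller, which now has the version field on its own to compare against.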
Nmap 3.40PVT10 [2003-8-18]
- Added "soft matches". These are similar to normal match lines in that they provide a regex for recognizing a service (but no version). But instead of stopping at softmatch service recognition, the scan continues looking for more info. It only launches probes that are known-capable of matching the softmatched service. If no version number is found, at least the determined service is printed. A service print for submission is also provided in that case. So this provides more informative results and improves efficiency.
- Cleaned up the Windows support a bit and did more testing and fixing. Windows service detection seems to be working fine for me now, although my testing is still pretty limited. This release includes a Windows binary distribution and the README-WIN32 has been updated to reflect new compilation instructions.
- More service fingerprints! Thanks to Solar Designer, Max Vision, Frank Denis (Jedi/Sector One) for the submissions. I also added a bunch from my own testing. The number of match lines went from 179 to 201.
- Updated XML output to handle new version and service detection information. Here are a few examples of the new output:
<port protocol="tcp" portid="22"><state state="open" /><service name="ssh" version="OpenSSH 3.1p1 (protocol 1.99)" method="probed" conf="10" /></port>
<port protocol="tcp" portid="111"><state state="open" /><service name="rpcbind" version="2 (rpc #100000)" method="probed" conf="10" /></port>
<port protocol="tcp" portid="953"><state state="open" /><service name="rndc" method="table" conf="3" /></port>
- Fixed issue where Nmap would quit when ECONNREFUSED was returned when we try to read from an already-connected TCP socket. FreeBSD does this for some reason instead of giving ECONNRESET. Thanks to Will Saxon (WillS(a)housing.ufl.edu) for the report.
- Removed the SERVICEMATCH_STATIC match type from nmap-service-probes. There wasn't much benefit of this over regular expressions, so it isn't worth maintaining the extra code.
Nmap 3.40PVT9 [2003-8-16]
- Added/fixed numerous service fingerprints thanks to submissions from Max Vision, MadHat, Seth Master. Match lines went from 164 to 179.
- The WinPcap libraries used in the Windows build process have been upgraded to version 3.0.
- Most of the Windows port is complete. It compiles and service scan works (I didn't test very deeply) on my WinXP box with VS.Net 2003. I'll try to work out remaining kinks and do some cleanup for the next version. The Windows code was restructured and improved quite a bit, but much more work remains to be done in that area. I'll probably do a Windows binary .zip release of the next version.
- Various minor fixes
Nmap 3.40PVT8 [2003-8-12]
- Service scan is now OFF by default. You can activate it with -sV. Or use the snazzy new -A (for "All recommended features" or "Aggressive") option which turns on both OS detection and service detection.
- Fixed compilation on my ancient OpenBSD 2.3 machine (a Pentium 60 :)
- Added/fixed numerous service fingerprints thanks to submissions from Brian Hatch, HD Moore, Anand R., and some of my own testing. The number of match lines in this version grows from 137 to 164! Please keep 'em coming!
- Various important and not-so-important fixes for bugs I encountered while test scanning.
- The RPC grinder no longer prints a startup message if it has no RPC-detected ports to scan.
- Some of the service fingerprint length limitations are relaxed a bit if you enable debugging (-d).
Nmap 3.40PVT7 [2003-8-10]
- Added a whole bunch of services submitted by Brian Hatch (bri(a)ifokr.org). I also added a few Windows-related probes. Nmap-service-probes has gone from 101 match strings to 137. Please keep the submissions coming.
- The question mark now only appears for ports in the OPEN state and when service detection was requested.
- I now print a separator bar between service fingerprints when Nmap prints more than one for a given host so that users understand to submit them individually (suggested by Brian Hatch (bri(a)ifokr.org))
- Fixed a bug that would cause Nmap to print "empty" service fingerprints consisting of just a semi-colon. Thanks to Brian Hatch (bri(a)ifokr.org) for reporting this.
Nmap 3.40PVT6 [2003-8-8]
- Banner-scanned hundreds of thousands of machines for ports 21,23,25,110,3306 to collect default banners. Where the banner made the service name/version obvious, I integrated them into nmap-service-probes. This increased the number of 'match' lines from 27 to more than 100.
- Created the service fingerprint submission page at http://www.insecure.org/cgi-bin/servicefp-submit.cgi
- Changed the service fingerprint format slightly for easier processing by scripts.
- Applied a large portability patch from Albert Chin-A-Young (china(a)thewrittenword.com). This cleans up a number of things, particularly for IRIX, Tru64, and Solaris.
- Applied NmapFE patch from Peter Marschall (peter(a)adpm.de) which "makes sure changes in the relay host and scanned port entry fields are displayed immediately, and also keeps the fields editable after de- and reactivating them."
Nmap 3.40PVT4 [2003-7-28]
- Limited the size of service fingerprints to roughly 1024 bytes. This was suggested by Niels Heinen (niels(a)heinen.ws), because the previous limit was excessive. The number of fingerprints printed is also now limited to 10.
- Fixed a segmentation fault that could occur when ping-scanning large networks.
- Fixed service scan to gracefully handle host_timeout occurrences when they happen during a service scan.
- Fixed a service_scan bug that would cause an error when hosts send data and then close() during the NULL probe (when we haven't sent anything).
- Applied a patch from Solar Designer (solar(a)openwall.com) which corrects some errors in the Russian man page translation and also a couple typos in the regular man page. Then I spell-checked the man page to reduce future instances of foreigners sending in diffs to correct my English :).
Nmap 3.40PVT3 [2003-7-28]
- Nmap now prints a "service fingerprint" for services that it is unable to match despite returning data. The web submission page it references is not yet available.
- Service detection now does RPC grinding on ports it detects to be running RPC.
- Fixed a bug that would cause Nmap to quit with an Nsock error when --host_timeout was used (or when -T5 was used, which sets it implicitly).
- Fixed a bug that would cause Nmap to fail to print the OS fingerprint in certain cases. Thanks to Ste Jones (root(a)networkpenetration.com) for the problem report.
Nmap 3.40PVT2 [2003-7-26]
- Nmap now has a simple VERSION detection scheme. The 'match' lines in nmap-service-probes can specify a template version string (referencing subexpression matches from the regex in a Perl-like manner) so that the version is determined at the same time as the service. This handles many common services in a highly efficient manner. A more complex form of version detection (that initiates further communication w/the target service) may be necessary eventually to handle services that aren't as forthcoming with version details.
- The Nmap port state table now wastes less whitespace due to using a new and stingy NmapOutputTable class. This makes it easier to read, and also leaves more room for version info and possibly other enhancements.
- Added 's' option to match lines in nmap-service-probes. Just as with the Perl 's' option, this one causes '.' in the regular expression to match any character INCLUDING newline.
- The WinPcap header timestamp is no longer used on Windows as it sometimes can be a couple seconds different than gettimeofday() (which is really _ftime() on Windows) for some reason. Thanks to Scott Egbert (scott.egbert(a)citigroup.com) for the report.
- Applied a patch by Matt Selsky (selsky(a)columbia.edu) which fixes configure.in in such a way that the annoying header file "present but cannot be compiled" warning for Solaris goes away.
- Applied another patch from Matt that (we hope) fixes the "present but cannot be compiled" warning -- this time for Mac OS X.
- Port table header names are now capitalized ("SERVICE", "PORT", etc)
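The version templates introduced in this release, the 's' flag, the P() and SUBST() helper functions added in 3.48, the softmatch flow from 3.40PVT10 and the 3.48 fallback to the NULL probe's match lines can be seen working together in the following added example. It is a simplified Python reimplementation written for this page, not Nmap's own service scanning code: it parses only Probe, match and softmatch lines; the mini probe database (apart from the tcpmux line, which is taken from the changelog), the SMB probe string and the target replies handed to detect() are constructed for the example; and the C-style escape handling inside SUBST() arguments is an assumption about the format, not something the changelog specifies.

```python
"""Mini evaluator for nmap-service-probes match/softmatch lines.

Added example, not Nmap's service_scan code.  It parses only Probe,
match and softmatch lines; the probe text, SMB probe string and the
target replies used with detect() are constructed for the example.
"""
import re

PROBES_TEXT = r"""
Probe TCP NULL q||
match ssh m|^SSH-([\d.]+)-VShell_([\d_]+)| v/VanDyke VShell/$SUBST(2,"_",".")/protocol $1/
match tcpmux m|^(sgi_[-.\w]+\r\n([-.\w]+\r\n)*)$| v/SGI IRIX tcpmux//Available services: $SUBST(1, "\r\n", ",")/
softmatch smtp m|^220 [-.\w]+ ESMTP|

Probe TCP SMTPHelp q|HELP\r\n|
match smtp m|^214-This is Sendmail version ([\w.]+)|s v/Sendmail/$1//

Probe TCP SMBNegotiate q|\x00\x00\x00\x2f\xffSMBr|
match microsoft-ds m|^..((?:\w\x00)+)|s v/Microsoft Windows SMB//workgroup: $P(1)/
"""

PROBE_RE = re.compile(r"^Probe\s+(TCP|UDP)\s+(\S+)\s+q(.)(.*)\3$")
MATCH_RE = re.compile(r"^(match|softmatch)\s+(\S+)\s+m(.)(.*?)\3([is]*)(?:\s+v(.)(.*))?$")
TEMPLATE_RE = re.compile(
    r'\$(?:(\d+)|P\((\d+)\)|SUBST\((\d+),\s*"((?:[^"\\]|\\.)*)",\s*"((?:[^"\\]|\\.)*)"\))')


def unescape(s):
    # Decode C-style escapes (\r, \n, \t, \xHH) in probe strings and SUBST()
    # arguments; that SUBST() arguments take escapes is an assumption here.
    return s.encode("latin-1").decode("unicode_escape")


def expand_template(template, m):
    """Fill one v/.../ field from regex match object m."""
    def repl(t):
        if t.group(1) is not None:                       # $N: raw capture
            return m.group(int(t.group(1))) or ""
        if t.group(2) is not None:                       # $P(N): printable chars only
            return "".join(c for c in (m.group(int(t.group(2))) or "") if c.isprintable())
        cap = m.group(int(t.group(3))) or ""             # $SUBST(N,"old","new")
        return cap.replace(unescape(t.group(4)), unescape(t.group(5)))
    return TEMPLATE_RE.sub(repl, template)


def parse_probes(text):
    """Parse Probe/match/softmatch lines into a list of probe dicts."""
    probes = []
    for line in filter(None, map(str.strip, text.splitlines())):
        pm = PROBE_RE.match(line)
        if pm:
            probes.append({"name": pm.group(2), "proto": pm.group(1),
                           "string": unescape(pm.group(4)).encode("latin-1"),
                           "matches": []})
            continue
        mm = MATCH_RE.match(line)
        if not mm:
            raise ValueError("cannot parse: " + line)
        flags = (re.IGNORECASE if "i" in mm.group(5) else 0) | (re.DOTALL if "s" in mm.group(5) else 0)
        fields = (mm.group(7).split(mm.group(6)) if mm.group(6) else []) + ["", "", ""]
        probes[-1]["matches"].append({"kind": mm.group(1), "service": mm.group(2),
                                      "regex": re.compile(mm.group(4), flags),
                                      "template": fields[:3]})   # product, version, extrainfo
    return probes


PROBES = parse_probes(PROBES_TEXT)


def detect(responses, probes=PROBES):
    """Simulate -sV against one port; responses maps probe name -> reply bytes."""
    result = {"service": None, "product": "", "version": "", "extrainfo": "", "probes_sent": []}
    soft = None
    for probe in probes:
        # After a softmatch, only probes carrying a match line for that service are sent.
        if soft and not any(ml["service"] == soft for ml in probe["matches"]):
            continue
        result["probes_sent"].append(probe["name"])
        data = responses.get(probe["name"])
        if data is None:                                 # timeout, no banner yet
            continue
        text = data.decode("latin-1")
        # Try the probe's own lines first, then fall back to the NULL probe's lines.
        lines = probe["matches"] + (probes[0]["matches"] if probe is not probes[0] else [])
        for line in lines:
            if soft and line["service"] != soft:
                continue
            m = line["regex"].search(text)
            if not m:
                continue
            if line["kind"] == "softmatch":
                soft = soft or line["service"]           # keep probing for a version
                continue
            product, version, extrainfo = (expand_template(t, m) for t in line["template"])
            result.update(service=line["service"], product=product, version=version, extrainfo=extrainfo)
            return result
    result["service"] = soft                             # softmatch only: service, no version
    return result
```

A reply of b"220 mail.example.test ESMTP Sendmail\r\n" to the NULL probe softmatches smtp, so only SMTPHelp is sent afterwards and SMBNegotiate is skipped; if SMTPHelp then yields no hard match, detect() still reports the service as smtp with an empty version. A VShell banner that arrives only in reply to SMTPHelp is still recognised because the NULL probe's lines are retried, and the SMB reply with the UTF-16 workgroup name comes out as "workgroup: WORKGROUP" through $P(1).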
Nmap 3.40PVT1 [2003-7-17]
- Initial implementation of service detection. Nmap will now probe ports to determine what is listening, rather than guessing based on the nmap-services table lookup. This can be very useful for services on unidentified ports and for UDP services where it is not always clear (without these probes) whether the port is really open or just firewalled. It is also handy for when services are run on the well-known-port of another protocol -- this is happening more and more as users try to circumvent increasingly strict firewall policies.
- Nmap now uses the excellent libpcre (Perl Compatible Regular Expressions) library from http://www.pcre.org/ . Many systems already have this, otherwise Nmap will use the copy it now includes. If your libpcre is hidden away in some nonstandard place, give ./configure the new --with-libpcre=DIR directive.
- Nmap now uses the C++ Standard Template Library (STL). This makes programming easier, but if it causes major portability or bloat problems, I'll reluctantly remove it.
- Applied a patch from Javier Kohen (jkohen(a)coresecurity.com) which normalizes the names of many Microsoft entries in the nmap-os-fingerprints file.
- Applied a patch by Florin Andrei (florin(a)sgi.com) to the Nmap RPM spec file. This uses the 'Epoch' flag to prevent the Redhat Network tool from marking my RPMs as "obsolete" and "upgrading" to earlier Redhat-built versions. A compilation flag problem is also fixed.
Nmap 3.30 [2003-6-28]
- Implemented the largest-ever OS fingerprint update! Roughly 300 fingerprints were added/modified. These massive changes span the gamut from AIX 5.1 to the ZyXEL Prestige broadband router line. Notable updates include OpenBSD 3.3, FreeBSD 5.1, Mac OS X 10.2.6, Windows 2003 server, and more WAPs and broadband routers than you can shake a stick at. Someone even submitted a fingerprint for Debian Linux running on the Microsoft Xbox. You have to love that irony :). Thanks to everyone who submitted fingerprints using the URL Nmap gives you when it gets a clean reading but is stumped. The fingerprint DB now contains almost 1000 fingerprints.
- Went through every one of the fingerprints to normalize the descriptions a bit. I also looked up what all of the devices are (thanks E*Bay and Google!). Results like "Nexland ISB Pro800 Turbo" and "Siemens 300E Release 6.5" are much more useful when you add the words "cable modem" and "business phone system"
- Added a new classification system to nmap-os-fingerprints. In addition to the standard text description, each entry is now classified by vendor name (e.g. Sun), underlying OS (e.g. Solaris), OS generation (e.g. 7), and device type ("general purpose", router, switch, game console, etc). This can be useful if you want to (say) locate and eliminate the SCO systems on a network, or find the wireless access points (WAPs) by scanning from the wired side.
- Classification system described above is now used to print out a "device type" line and OS categories for matches. The free-form English details are still printed as well. Nmap can sometimes provide classifications even where it used to provide nothing because of "too many matches". These have been added to XML output as well. They are not printed for the "grepable output", as I consider that format deprecated.
- Nmap will now sometimes guess in the "no exact matches" case, even if you don't use the secret --osscan_guess or -fuzzy options.
- Applied another huge NmapFE patch from Peter Marschall (peter(a)adpm.de). This revamps the interface to use a tabbed format that allows for many more Nmap options to be used. It also cleans up some crufty parts of the code. Let me and Peter know what you think (and if you encounter any problems).
- Windows and Amiga ports now use packet receive times from libpcap. Let me know if you get any "time computation problem" errors.
- Updated version of the Russian man page translation from Alex Volkov (alex(a)cherepovets-city.ru).
Nmap 3.28 [2003-6-14]
- Fixed (I hope) an issue that would cause Nmap to print "Serious time computation problem in adjust_timeout ..." and quit. The ultimate cause was demonstrated by this --packet_trace snippet that Russel Miller (rmiller(a)duskglow.com) sent me:
SENT (0.0500s) ICMP 0.0.0.0 > 127.0.0.1 Echo request (type=8/code=0) ...
RCVD (0.0450s) ICMP 127.0.0.1 > 127.0.0.1 Echo reply (type=0/code=0) ...
As you can see, the ping reply appears to come BEFORE the request was sent(!). This sort of thing happens on at least Linux and Windows. The send time is obtained from gettimeofday(timeval, NULL), while the receive time comes from the libpcap packet header. If anyone knows why this occurs, or (even better) knows a good way to fix it, let me know. For now, I am allowing the response to come up to .05s "before" the request. That is gross.
- For years, Nmap has added -I/usr/local/include and -L/usr/local/lib to the compiler line to grab local libraries. I have removed this behavior by default, and added a '--with-localdirs' configure option that adds it back. If Nmap fails to compile now without the above option, please let me know. I can change the default back if this change causes more problems than it solves. People (such as certain ports tree packagers) who know they don't want /usr/local should specify --without-localdirs rather than relying on that always being the default.
- Fixed (I hope) a problem that led to the error message "Assertion `tqi->sockets[probe_port_num][seq] == -1' failed".
- Fixed a problem that would cause Nmap on Windows to send ICMP ping packets from 0.0.0.0 instead of the appropriate source IP. Thanks to Yeti (boxed(a)blueyonder.co.uk) for the report.
- Applied some changes from Solar Designer (solar(a)openwall.com) which fix some typos and also suggest safer /tmp/ behavior in the HACKING file and Lithuanian man page. These changes are for the Nmap package of his Openwall GNU/*/Linux (Owl) distribution. (http://www.openwall.com/Owl/)
- For Solaris, I now define NET_SIZE_T to size_t rather than socklen_t in nmap.h. Isn't that exciting?!!! Hopefully this will help compilation on Solaris 2.6 (and perhaps earlier). If any Solaris users notice new compilation problems, please let me know. Thanks to Al Smith (Al.Smith(a)aeschi.ch.eu.org) for reporting the issue.
- Removed an errant getopt() prototype in nbase/getopt.h which should hopefully improve compilation on certain Solaris boxes and BSD variants.
- SCO operating systems are no longer supported due to their recent (and absurd) attacks against Linux and IBM. Bug reports relating to UnixWare will be ignored, or possibly even laughed at derisively. Note that I have no reason to believe anyone has ever used Nmap on SCO systems. UnixWare and OpenServer suck.
- Fixed a problem with small --max_parallelism values when non-root ping scanning that would cause Nmap to say "sendconnecttcpquery: Could not scavenge a free socket!" and quit. Problem was reported by Justin A (justin(a)bouncybouncy.net) as Debian Bug #195463.
- Applied (with a few modifications) a large NmapFE patch from Peter Marschall (peter(a)adpm.de). This patch adds a bunch more scan/ping options and cleans up some redundant NmapFE code.
- Included new Russian man page translation by Alex Volkov (alex(a)cherepovets-city.ru)
- Changed many single-quotes (') into double quotes (") in the man page due to a disagreement over whether to represent them as (') or (\') in nroff.
- Included --packet_trace support for Explicit Congestion Notification (RFC 2481/3168) flags thanks to a patch sent in by Maik Pfeil (root(a)bundesspionageministerium.de)
- Included --packet_trace support for a few (unusual) ICMP types in case Nmap receives them. The patch was also sent by Maik Pfeil.
- Fixed a problem with redirecting XML/Grep/Machine output to stdout on Windows (e.g. -oX - ). Problem was reported by Wei Jiang (Wei.Jiang(a)bindview.com)
- Made "-g -Wall" compiler flags dependent on availability of gcc/g++ since some other compilers do not support them.
- I spam-protected the email addresses in this file. I fervently hope that within 5 years we will be able to defeat this scourge through technology and laws, so that we may again list our email addresses openly without fear of abuse by criminal spammers. Oh, and it would be a shame if the spiders went through this whole page and only found uce@ftc.gov, rhundt@fcc.gov, jquello@fcc.gov, sness@fcc.gov, president@whitehouse.gov, haesslich@loyalty.org, and rchong@fcc.gov.
Nmap 3.27 [2003-4-28]
- Nmap now compiles under Amiga thanks to patches sent by Diego Casorran (dcr8520(a)amiga.org).
- Fixed a backwards WIN32 ifdef that broke UDP and small-fragment scans for some operating systems other than Linux and Windows. Thanks to Guido van Rooij (guido(a)gvr.org) for reporting the problem and sending a patch.
- Applied patch from Marius Strobl (marius(a)alchemy.franken.de) which improves the definition of NET_SIZE_T on FreeBSD so that it compiles on 64-bit platforms.
Nmap 3.26 [2003-4-24]
- Fixed Mac OS X Compilation (at least on most of the machines tested). You will probably need to type "./configure CPP=/usr/bin/cpp" instead of simply "./configure". If you still have trouble, drop me an email. Thanks to everyone who provided or offered shell accounts!
- Fixed a segmentation fault several people reported that was introduced in 3.25. This problem manifests itself intermittently in many normal situations involving large-network scanning. So all 3.25 users are urged to upgrade. Pre-3.25 users should upgrade too, since 3.25 included so many improvements :).
Nmap 3.25 [2003-4-19]
- I added UDP-based "ping" scanning. The -PU option can take an optional portlist like the TCP "ping" options (-PS, -PA), but it sends a UDP packet to the targets and expects hosts that are up to reply with a port unreachable (or possibly a UDP response if the port is open). This one is likely to work best against closed ports, since many open ports don't respond to empty requests.
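An added illustration of the -PU decision just described (example code written for this page, not Nmap's own): given the UDP probe that was sent, it classifies a raw IPv4 reply as evidence that the host is up (an ICMP port unreachable from the target quoting our probe, or a UDP answer to it), as filtering (other unreachable codes, or an unreachable sent by an intermediate router rather than the target), or as something to ignore (a reply that quotes a different probe, such as one from a parallel scan). The addresses, ports and packet bytes in demo() are constructed sample data; IP and ICMP checksums are left zero because nothing here is transmitted.

```python
"""Classify raw IPv4 replies to a UDP "ping" probe.

Added example for this page, not Nmap code. Packets are parsed from bytes
only; the sample traffic built in demo() is constructed, not captured.
"""
import struct
from dataclasses import dataclass

IPPROTO_ICMP = 1
IPPROTO_UDP = 17
ICMP_DEST_UNREACH = 3      # ICMP type
ICMP_PORT_UNREACH = 3      # code under type 3


@dataclass(frozen=True)
class UdpProbe:
    src: str      # our address
    dst: str      # target address
    sport: int
    dport: int


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def _parse_ipv4(pkt: bytes):
    """Return (proto, src, dst, payload), or None if this is not a sane IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return pkt[9], _ip(pkt[12:16]), _ip(pkt[16:20]), pkt[ihl:]


def classify_reply(probe: UdpProbe, pkt: bytes) -> str:
    """Map one reply to 'up:port-open', 'up:port-closed', 'filtered' or 'ignore'."""
    parsed = _parse_ipv4(pkt)
    if parsed is None:
        return "ignore"
    proto, src, dst, payload = parsed
    if dst != probe.src:
        return "ignore"                       # not addressed to us

    if proto == IPPROTO_UDP and src == probe.dst and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        # A UDP answer to exactly our probe: the host is up and the port is open.
        return "up:port-open" if (sport, dport) == (probe.dport, probe.sport) else "ignore"

    if proto == IPPROTO_ICMP and len(payload) >= 8 and payload[0] == ICMP_DEST_UNREACH:
        code = payload[1]
        inner = _parse_ipv4(payload[8:])       # the quoted datagram that triggered the error
        if inner is None:
            return "ignore"
        iproto, isrc, idst, ipayload = inner
        if iproto != IPPROTO_UDP or isrc != probe.src or idst != probe.dst or len(ipayload) < 4:
            return "ignore"
        if struct.unpack("!HH", ipayload[:4]) != (probe.sport, probe.dport):
            return "ignore"                   # quotes someone else's probe (e.g. a parallel scan)
        if code == ICMP_PORT_UNREACH and src == probe.dst:
            return "up:port-closed"           # the target itself answered, so it is up
        return "filtered"                     # a router spoke, or a prohibited/unreachable code
    return "ignore"


# --- constructed sample packets (checksums left zero; nothing is transmitted) ---

def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, _ip_bytes(src), _ip_bytes(dst))
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_icmp_unreach(code: int, quoted: bytes) -> bytes:
    # type, code, checksum, unused, then the quoted IP header + first 8 bytes of payload
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted[:28]


def demo() -> dict:
    probe = UdpProbe("10.0.0.5", "10.0.0.9", 40000, 40125)
    sent = build_ipv4(IPPROTO_UDP, probe.src, probe.dst, build_udp(probe.sport, probe.dport))
    other = build_ipv4(IPPROTO_UDP, probe.src, probe.dst, build_udp(40001, probe.dport))
    replies = {
        "closed_port": build_ipv4(IPPROTO_ICMP, probe.dst, probe.src, build_icmp_unreach(3, sent)),
        "open_port": build_ipv4(IPPROTO_UDP, probe.dst, probe.src, build_udp(probe.dport, probe.sport, b"hi")),
        "router_unreach": build_ipv4(IPPROTO_ICMP, "10.0.0.1", probe.src, build_icmp_unreach(3, sent)),
        "admin_prohibited": build_ipv4(IPPROTO_ICMP, probe.dst, probe.src, build_icmp_unreach(13, sent)),
        "parallel_scan": build_ipv4(IPPROTO_ICMP, probe.dst, probe.src, build_icmp_unreach(3, other)),
    }
    return {name: classify_reply(probe, pkt) for name, pkt in replies.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} -> {verdict}")
```

The matching of the quoted datagram against the probe is the part worth copying: without it, any port unreachable that happens to arrive at the scanner (from another scan running in parallel, or from a host that was never probed) would be counted as a live target.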
- Fixed (I hope) problem where Nmap would abort, complaining that "Assertion `pt->down_this_block > 0' failed". Thanks to ray(a)24hoursecurity.org and mugz(a)x-mafia.com for reporting and helping me debug this problem.
- Fixed a GCC dependency reported by Ayamura Kikuchi (ayamura(a)keio.net)
- Fixed an "assertion failure" which would cause Nmap to exit when you specify a --max_rtt_timeout below 3000. Thanks to Tammy Rathbun (rathbun2(a)llnl.gov) and Jan Roger Wilkens (jrw(a)proseq.net) for reporting this.
- Packet receive times are now obtained from libpcap rather than simply using the time the packets are passed to Nmap. This should improve performance slightly. I was not able to get this to work properly on Windows (either pcap or raw) -- join the nmap-dev list if you have ideas.
- Fixed bug that caused Nmap to ignore certain RST responses when you do both -PS and -PA.
- Modified ping scan to work better when many instances of Nmap are executed concurrently.
- I'm now linking directly to the gzip compressed version of Nmap on the homepage as well as the .bz2.
- Fixed a portability problem that caused BSD Make to bail out.
- Fixed a divide by zero error caused when non-root users (on UNIX) explicitly request ICMP pings (which require root privileges). Now it prints a warning and uses the normal non-root TCP connect() ping. Jaroslav Sladek (jup(a)matfyz.cz) found the bug and provided the patch.
- Made Nmap more tolerant of corrupt nmap-services and nmap-protocols files thanks to report & patch sent by Phix (phix(a)hush.com)
- Added some more port numbers sent in by Seth Master (smaster(a)stanford.edu). He has been a frequent nmap-services contributor in the last couple months.
- Added --packet_trace support to Windows
- Removed superfluous "addport" line in the XML output (patch from Max Schubert (nmap(a)webwizarddesign.com)).
- Merged wintcpip.cc into tcpip.cc to avoid the headache of maintaining many nearly-identical functions.
- Fixed an assertion failure crash related to combining port 0 scans and OS scan. Thanks to A.Jones(a)mvv.de for reporting this.
- Fixed some compilation problems on systems without IPv6 support -- patch sent by Jochen Erwied (Jochen.Erwied(a)mbs-software.info)
- Applied patch from Jochen Erwied (Jochen.Erwied(a)mbs-software.info) which fixes the format strings used for printing certain timestamps.
- Upgraded to autoconf 2.57, including the latest config.guess/config.sub
- Renamed configure.ac files to configure.in as recommended by the latest autoconf documentation.
- Changed the wording of NmapFE Gnome entries to better comply with Gnome's Human Interface Guidelines (HIG). Suggested by Axel Krauth (krauth(a)fmi.uni-passau.de)
Nmap 3.20 [2003-3-18]
- The random IP input option (-iR) now takes an argument specifying how many IPs you want to scan (e.g. -iR 1000). Specify 0 for the old never-ending scan behavior.
- Fixed a tricky memory leak discovered by Mugz (mugz(a)x-mafia.com).
- Fixed output truncation problem noted by Lionel CONS (lionel.cons(a)cern.ch)
- Fixed a bug that would cause certain incoming ICMP error messages to be improperly ignored.
Nmap 3.15BETA3 [2003-3-16]
- Made numerous improvements to the timing behavior of "-T Aggressive" (same as -T4) scans. It is now recommended for regular use by impatient people with a fast connection. "-T Insane" mode has also been updated, but we only recommend that for, well, insane people.
- Made substantial changes to the SYN/connect()/Window scanning algorithms for improved speeds, especially against heavily filtered hosts. If you notice any timing problems (misidentified ports, etc.), please send me the details (including full Nmap output and a description of what is wrong). Reports of any timing problems with -T4 would be helpful as well.
- Changed Nmap such that ALL syn scan packets are sent from the port you specify with -g. Retransmissions used to utilize successively higher ports. This change has a downside in that some operating systems (such as Linux) often won't reply to the retransmissions because they reuse the same connection specifier quad (srcip:srcport:dstip:dstport). Overall I think this is a win.
- Added timestamps to "Starting nmap" line and each host port scan in verbose (-v) mode. These are in ISO 8601 standard format because unlike President Bush, we actually care about International consensus :).
- Nmap now comes by default in .tar.bz2 format, which compresses about 20% further. You can still find .tgz in the dist directory at http://download.insecure.org/nmap/dist/?M=D .
- Various other minor bug fixes, new services, fingerprints, etc.
Nmap 3.15BETA2 [2003-2-26]
- I added support for a brand new "port" that many of you may have never scanned before! UDP & TCP "port 0" (and IP protocol 0) are now permitted if you specify 0 explicitly. An argument like "-p -40" would still scan ports 1-40. Unlike ports, protocol 0 IS now scanned by default. This now works for ping probes too (e.g., -PS, -PA).
- Applied patch by Martin Kluge (martin(a)elxsi.info) which adds --ttl option, which sets the outgoing IPv4 TTL field in packets sent via all raw scan types (including ping scans and OS detection). The patch "should work" on Windows, but hasn't been tested. A TTL of 0 is supported, and even tends to work on a LAN:
    14:17:19.474293 192.168.0.42.60214 > 192.168.0.40.135: S 326:326(0) [ttl 0]
    14:17:19.474456 192.168.0.40.135 > 192.168.0.42.60214: S 280:280(0) ack 326 (ttl 128)
- Applied patch by Gabriel L. Somlo ( somlo(a)acns.colostate.edu ) which extends the multi-ping-port functionality to nonroot and IPv6 connect() users.
- I added a new --datadir command line option which allows you to specify the highest priority directory for Nmap data files nmap-services, nmap-os-fingerprints, and nmap-rpc. Any files which aren't in the given dir will be searched for in the $NMAPDIR environmental variable, ~/nmap/, a compiled in data directory (e.g. /usr/share/nmap), and finally the current directory.
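An added example of the lookup order just described (written for this page, not Nmap's own data-file code): each data file is resolved independently through --datadir, $NMAPDIR, ~/nmap/, the compiled-in directory and finally the current directory, and the caller is told which of those supplied each file. The directory names and the fake filesystem in demo() are constructed; the `exists` parameter is an assumption of this example so that the lookup can be exercised without touching disk.

```python
"""Resolve Nmap-style data files through a priority list of directories.

Added example for this page, not Nmap code. The order follows the --datadir
description above; the directory names used in demo() are made up.
"""
import os
from typing import Callable, Dict, Iterable, List, Optional, Tuple

DATA_FILES = ("nmap-services", "nmap-os-fingerprints", "nmap-rpc")


def search_path(datadir: Optional[str], env: Dict[str, str], home: str,
                compiled_dir: str, cwd: str) -> List[Tuple[str, str]]:
    """(label, directory) pairs, highest priority first."""
    path: List[Tuple[str, str]] = []
    if datadir:
        path.append(("--datadir", datadir))
    if env.get("NMAPDIR"):
        path.append(("$NMAPDIR", env["NMAPDIR"]))
    path.append(("~/nmap", os.path.join(home, "nmap")))
    path.append(("compiled-in", compiled_dir))
    path.append(("cwd", cwd))      # last resort: anyone who can write here can plant a file
    return path


def resolve_data_files(names: Iterable[str], datadir: Optional[str], env: Dict[str, str],
                       home: str, compiled_dir: str, cwd: str,
                       exists: Callable[[str], bool] = os.path.exists
                       ) -> Dict[str, Tuple[str, str]]:
    """Resolve every file independently: a file missing from --datadir falls through
    to the next directory rather than failing. Returns name -> (path, label)."""
    resolved: Dict[str, Tuple[str, str]] = {}
    path = search_path(datadir, env, home, compiled_dir, cwd)
    for name in names:
        for label, directory in path:
            candidate = os.path.join(directory, name)
            if exists(candidate):
                resolved[name] = (candidate, label)
                break
        else:
            raise FileNotFoundError(f"{name} not found in: " + ", ".join(d for _, d in path))
    return resolved


def loaded_from_cwd(resolved: Dict[str, Tuple[str, str]]) -> List[str]:
    """Names that only resolved in the current directory. Worth a warning: a planted
    nmap-services or nmap-rpc there silently changes what a scan reports."""
    return sorted(n for n, (_, label) in resolved.items() if label == "cwd")


def demo() -> Dict[str, Tuple[str, str]]:
    # Constructed fake filesystem: nmap-rpc is missing from every trusted location.
    fake_fs = {
        "/opt/scandata/nmap-services",
        "/usr/share/nmap/nmap-services",
        "/usr/share/nmap/nmap-os-fingerprints",
        "/tmp/scan/nmap-rpc",
    }
    return resolve_data_files(DATA_FILES, "/opt/scandata", {}, "/home/alice",
                              "/usr/share/nmap", "/tmp/scan", exists=fake_fs.__contains__)


if __name__ == "__main__":
    result = demo()
    for name, (path, label) in result.items():
        print(f"{name:22} {path:45} ({label})")
    print("from cwd:", loaded_from_cwd(result))
```

The point of reporting the source label is the last directory in the list: because the current directory is consulted whenever a file is absent from every higher-priority location, a scan started from a directory that someone else can write to may read their copy of a data file without any error being raised.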
- Fixed Windows (VC++ 6) compilation, thanks to patches from Kevin Davis (computerguy(a)cfl.rr.com) and Andy Lutomirski (luto(a)stanford.edu)
- Included new Latvian man page translation by "miscelerious options" (misc(a)inbox.lv)
- Fixed Solaris compilation when Sun make is used rather than GNU make. Thanks to Tom Duffy (tduffy(a)sun.com) for assistance.
- Applied patch from Stephen Bishop (sbishop(a)idsec.co.uk) which prevents certain false-positive responses when Nmap raw TCP ping scans are being run in parallel.
- To emphasize the highly professional nature of Nmap, I changed all instances of "fucked up" in error message text into "b0rked".
- Fixed a problem with nmap-frontend RPMs that would cause a bogus /bin/xnmap link to be created (it should only create /usr/bin/xnmap). Thanks to Juho Schultz (juho.schultz(a)astro.helsinki.fi) for reporting the problem.
- I made the maximum number of allowed routes and interfaces allowed on the scanning machine dynamic rather than hardcoded #defines of 1024 and 128. You never know -- some wacko probably has that many :).
Nmap 3.15BETA1 [2003-2-19]
- Integrated the largest OS fingerprint DB updates ever! Thanks to everyone who contributed signatures! New or substantially modified fingerprints included the latest Windows 2K/XP changes, Cisco IOS 12.2-based routers and PIX 6.3 firewalls, FreeBSD 5.0, AIX 5.1, OpenBSD 3.2, Tru64 5.1A, IBM OS/400 V5R1M0, dozens of wireless APs, VOIP devices, firewalls, printers, print servers, cable modems, webcams, etc. We've even got some mod-chipped Xbox fingerprints now!
- Applied NetBSD portability patch by Darren Reed (darrenr(a)reed.wattle.id.au)
- Updated Makefile to better detect if it can't make nmapfe and provide a clearer error message. Also fixed a couple compiler warnings on some *BSD platforms.
- Applied patch from "Max" (nmap(a)webwizarddesign.com) which adds the port owner to the "addport" XML output lines which are printed (only in verbose mode, I think) as each open port is discovered.
- I killed the annoying whitespace that is normally appended after the service name. Now it is only there when an owner was found via -sI (in which case there is a fourth column and so "service" must be exactly 24 characters).
Nmap 3.10ALPHA9 [2002-12-25]
- Reworked the "ping scan" algorithm (used for any scan except -P0 or -sL) to be more robust in the face of low-bandwidth and congested connections. This also improves reliability in the multi-port and multi-type ping cases described below.
- "Ping types" are no longer exclusive -- you can now do combinations such as "-PS22,53,80 -PT113 -PN -PE" in order to increase your odds of passing through strict filters. The "PB" flag is now deprecated since you can achieve the same result via "PE" and "PT" options.
- Applied patch (with modest changes) by Gabriel L. Somlo (somlo(a)acns.colostate.edu), which allows multiple TCP probe ports in raw (root) mode. See the previous item for an example.
- Fixed a libpcap compilation issue noted by Josef 'Jupp' Schugt (deusxmachina(a)webmail.co.za) which relates to the definition (or lack thereof) of ARPHRD_HDLC (used for Cisco HDLC frames).
- Tweaked the version number (-V) output slightly.
Nmap 3.10ALPHA7 [2002-12-18]
- Upgraded libpcap from version 0.6.2 to 0.7.1. Updated the libpcap-possiblymodified/NMAP_MODIFICATIONS file to give a much more extensive list (including diffs) of the changes included in the Nmap bundled version of Libpcap.
- Applied patch to fix a libpcap alignment bug found by Tom Duffy (tduffy(a)sun.com).
- Fixed Windows compilation.
- Applied patch by Chad Loder (cloder(a)loder.us) of Rapid7 which fixes OpenBSD compilation. I believe Chad is now the official OpenBSD Nmap "port" maintainer. His patch also adjusted random-scan (-iR) to include the recently allocated 82.0.0.0/8 space.
- Fixed (I hope) a few compilation problems on non-IPv6-enabled machines which were noted by Josef 'Jupp' Schugt (jupp(a)gmx.de)
- Included some man page translations which were inadvertently missed in previous tarballs.
- Applied patch from Matthieu Verbert (mve(a)zurich.ibm.com) which places the Nmap man pages under ${prefix}/share/man rather than ${prefix}/man when installed via RPM. Maybe the tarball install should do this too? Opinions?
- Applied patch from R Anderson (listbox(a)pole-position.org) which improves the way ICMP port unreachables from intermediate hosts are handled during UDP scans.
- Added note to man page related to Nmap US export control. I believe Nmap falls under ECCN 5D992, which has no special restrictions beyond the standard export denial to a handful of rogue nations such as Iraq and North Korea.
- Added a warning that some hosts may be skipped and/or repeated when someone tries to --resume a --randomize_hosts scan. This was suggested by Crayden Mantelium (crayden(a)sensewave.com)
- Fixed a minor memory leak noted by Michael Davis (mike(a)datanerds.net).
Nmap 3.10ALPHA4 [2002-11-11]
- Applied patch by Max Schubert (nmap(a)webwizarddesign.com) which adds an add-port XML tag whenever a new port is found open when Nmap is running in verbose mode. The new tag looks like:
    <addport state="open" portid="22" protocol="tcp"/>
  I also updated docs/nmap.dtd to recognize this new tag.
- Added German translation of Nmap man page by Marc Ruef (marc.ruef(a)computec.ch). It is also available at https://nmap.org/man/de/
- Includes a brand new French translation of the man page by Sebastien Blanchet. You could probably guess that it is available at https://nmap.org/man/fr/
- Applied some patches from Chad Loder (cloder(a)loder.us) which update the random IP allocation pool and improve OpenBSD support. Some were from the OBSD Nmap patchlist.
- Fixed a compile problem on machines without PF_INET6. Thanks to Josef 'Jupp' Schugt (deusxmachina(a)webmail.co.za) for noting this.
Nmap 3.10ALPHA3 [2002-9-15]
- Added --min_parallelism option, which makes scans more aggressive and MUCH faster in certain situations -- especially against firewalled hosts. It is basically the opposite of --max_parallelism (-M). Note that reliability can be lost if you push it too far.
- Added --packet_trace option, which tells Nmap to display all of the packets it sends and receives in a format similar to tcpdump. I mostly added this for debugging purposes, but it is also useful for people wishing to learn how Nmap works or for experts wanting to ensure Nmap is doing exactly what they expect. If you want this feature supported under Windows, please send me a patch :).
- Fixed a segmentation fault in Idlescan (-sI).
- Made Idlescan timing more conservative when -P0 is specified to improve accuracy.
- Fixed an infinite-loop condition that could occur during certain dropped-packet scenarios in an Idle scan.
- Nmap now reports execution times to millisecond precision (rather than rounding to the nearest second).
- Fixed an infinite loop caused by invalid port arguments. Problem noted by fejed (fejed(a)uddf.net).
Nmap 3.10ALPHA2 [2002-8-31]
- Fixed compilation and IPv6 support on FreeBSD (tested on 4.6-STABLE). Thanks to Niels Heinen (niels.heinen(a)ubizen.com) for suggestions.
- Made some portability changes based on suggestions by Josef 'Jupp' Schugt (jupp(a)gmx.de)
- Fixed compilation and IPv6 support on Solaris 9 (haven't tested earlier versions).
Nmap 3.10ALPHA1 [2002-8-28]
- IPv6 is now supported for TCP scan (-sT), connect()-style ping scan (-sP), and list scan (-sL)! Just specify the -6 option and the IPv6 numbers or DNS names. Netmask notation is not currently supported -- I'm not sure how useful it is for IPv6, where even petty end users may be allocated trillions of addresses (/80). If you need one of the scan types that hasn't been ported yet, give Sebastien Peterson's patch a try at http://nmap6.sourceforge.net/ . If there is demand, I may integrate more of that into Nmap.
- Major code restructuring, which included conversion to C++ -- so you'll need g++ or another C++ compiler. I accidentally let a C++ requirement slip in a while back and found that almost everyone has such a compiler. Windows (VC++) users: see the README-WIN32 for new compilation instructions.
- Applied patch from Axel Nennker (Axel.Nennker(a)t-systems.com) which adds a --without-nmapfe option to the configure script. This is useful if your system doesn't have the proper libraries (e.g. GTK) or if you think GUIs are for sissies :).
- Removed arbitrary max_parallelism (-M) limitations, as suggested by William McVey ( wam(a)cisco.com ).
- Added DEC OSF to the platforms that require the BSDFIX() macro due to taking IP length and offset fields in host rather than network byte order. Suggested by Dean Bennett (deanb(a)gbtn.net)
- Fixed a debug statement C ambiguity discovered by Kronos (kronos(a)kronoz.cjb.net)
Nmap 3.00 [2002-07-31]
- Woohoo! :)
Nmap 2.99RC2 [2002-07-27]
- Fixed an important memory initialization bug which was causing crashes on Mac OS X (and possibly other platforms). The problem was located by Pieter ten Pierick (P.tenPierick(a)chello.nl)
- Various minor bugfixes/cleanup
Nmap 2.99RC1 [2002-07-20]
- Implemented the biggest OS fingerprint update since December 1999! More than 200 fingerprints were added/modified. This includes OpenBSD 3.1, Solaris 9, Mac OS 10.1.5, OS/400, FreeBSD 4.6, the latest MS WinXP changes, new Cisco equipment, and loads of network devices such as VoIP phones, switches, printers, WAPs, etc.
- Updated build system to work on MacOS X.
- I removed "credit" lines from the nmap-os-fingerprints file out of concern that evil spammers might harvest the 602 addresses. Plus those took up 28K and the size of nmap-os-fingerprints has already caused trouble for some handheld devices. If anyone actually cares about the "fame" of being listed, let me know and I'll put you back in. I still appreciate everyone who submits fingerprints! I just don't want you to be spammed when the fingerprint file goes online.
- Minor usage screen (nmap -h) fix suggested by Martin Kluge ( martin(a)elxsi.info )
- Ensured that the initial pound (#) in C preprocessor directives is always in column 1 (portability fix). Problem noted by Shamsher Sran (ssran(a)bechtel.com)
Nmap 2.54BETA37 [2002-07-10]
- Made SYN scan the default for privileged (root) users. This offers far better performance for Windows users due to their broken connect() call, and is usually even preferred on UNIX because it is more stealthy and less likely to crash applications listening on the target host.
- Fixed a problem noted by Ping Huang (pshuang(a)alum.mit.edu) relating to -PI scans of a machine's own non-localhost interfaces (eg scanning your ethernet address).
- Applied patch from Patrice Goetghebeur (pgoetghebeur(a)mac.com) which fixes PPP/SLIP support on Mac OS X.
- Applied dozens of nmap-services portnumber mapping updates researched and sent by palante(a)subterrain.net
- Updated nmap-rpc to the latest version from Eilon Gishri (eilon(a)aristo.tau.ac.il)
- Fixed --resume option to better detect all of the previously scanned hosts in an -oN file (bug report from Adam.Scott(a)predictive.com )
- Adjusted random IP generator (for -iR) to account for newly allocated IP space from http://www.iana.org/assignments/ipv4-address-space as noted by Chad Loder (cloder(a)acm.org)
- Updated config.sub and config.guess to the versions in automake-1.6.2 .
- Applied patch from Markus A. Nonym (g17m0(a)lycos.com) which checks for a recent version of GTK+ in ./configure before even trying to build NmapFE (avoids the previous ugly compiler errors).
- Applied patch from benkj(a)gmx.it which fixes misbehavior when Nmap would receive EOF (including ^D) in interactive mode.
- Fixed format string bugs (not the security-related kind) found by Takehiro YONEKURA (yonekura(a)obliguard.com) and Kuk-hyeon Lee (errai(a)inzen.com)
- Applied patch from Greg Steuck (greg-nmap-dev(a)nest.cx) which fixes an alignment problem in charpool.c that could cause bus errors on 64-bit platforms.
- Applied portability fix patch from Matt Christian (mattc(a)visi.com)
Nmap 2.54BETA36 [2002-06-13]
- Fixed major connect scan problem introduced in BETA35
- Changed NmapFE to use the version number 2.54BETA36 rather than 0.2.54BETA36. I had to do this because RedHat took the liberty of releasing a so-called "2.54BETA31" version of nmap-frontend in their 7.3 distribution. Thus my upgrades were failing to install on such systems because a "later" version is already installed.
Nmap 2.54BETA35 [2002-06-13]
- Fixed an issue that could cause the abort message "Serious time computation problem in adjust_timeout ...". If you still see this, please let me know.
- Fixed Windows compilation (and I really mean it this time -- tested myself).
- Applied configure script patch to recognize Solaris 2.10 when it eventually becomes available (from James Carlson (james.d.carlson(a)east.sun.com)
- Applied some portability fixes from Albert Chin (china(a)thewrittenword.com)
- Applied libpcap aclocal.m4 patch to enable debugging (-g) when compiling libpcap with gcc. Patch from Ping Huang (pshuang(a)alum.mit.edu)
- Restructured "TCP probe port" output message a bit as suggested by Ping Huang (pshuang(a)alum.mit.edu)
Nmap 2.54BETA34 [2002-05-02]
- Windows compilation fixed thanks to new VC++ project file (nmap.dsp) sent by Evan Sparks (gmplague(a)sdf.lonestar.org) (I had forgotten to include the new main.c).
- Various nmap-services updates
- Fixed a bunch of typos and capitalization issues in nmap-os-fingerprints by applying patch sent in by Royce Williams (royce(a)alaska.net).
Nmap 2.54BETA33 [2002-04-26]
- Tons of OS fingerprint updates. More than 100 fingerprints added or changed, including OpenBSD 3, FreeBSD 4.5, Solaris 9 pre-release, Commodore 64 (with the TFE Ethernet Card and uIP stack), Compaq iPAQ, Cisco IOS 12.2(8), AIX 5.1, IRIX 6.5.15, various Redback/Racal/Juniper/BigIP/HP/Siemens/Brocade/Quantum devices, numerous printers/switches, KRONOS network clock, WTI Network Power Switch, Windows XP, and many more. Thanks to everyone who contributed!
- Applied fix for an important RPC scanning bug sent in by Pasi Eronen (pasi.eronen(a)nixu.com)
- Applied fix for nasty OS fingerprinting bug found by William Robertson (wkr(a)cs.ucsb.edu)
- Do not show uptime when obviously spoofed (eg OpenBSD 3.0)
- Slightly changed (I hope improved) the whitespace in Nmap output so that messages relating to the same host are kept together (and different hosts are separated by newlines).
- Moved main() function into a new file, cleverly named main.c.
Nmap 2.54BETA32 [2002-04-01]
- Applied Windows pinging fix from Andy Lutomirski (Luto(a)myrealbox.com)
- Applied a few more Windows fixes from Andy.
- Fixed a flaw in several error-checking statements noted by Giacomo Cariello (jwk(a)bug.it)
- Applied Win32 compilation fixes sent by Kirby Kuehl (kkuehl(a)cisco.com) and jens.vogt(a)bluewin.ch
Nmap 2.54BETA31 [2002-03-20]
- Added ICMP Timestamp and Netmask ping types (-PP and -PM). These (especially timestamp) can be useful against some hosts that do not respond to normal ping (-PI) packets.
- Documented the --data_length option and made it work with all the ICMP ping types (echo request, netmask, and timestamp).
- Added check for strings.h before including it in portlist.c . This fixes a compilation problem on some versions of Windows. Problem first noted by Michael Vorin (mvorin(a)hotmail.com)
- Applied patch from Andy Lutomirski (Luto(a)myrealbox.com) which fixes a crash on some Windows platforms when timeouts occur.
- Fixed "grepable output" (-oG) so that it prints IPID sequence class rather than printing the TCP ISN sequence index twice. Problem noted by Russell Fulton (r.fulton(a)auckland.ac.nz)
- Added mysterious, undocumented --scanflags option.
- Applied patch from Andy Lutomirski (Luto(a)myrealbox.com) which fixes some important Windows bugs. Apparently this can cause a dramatic speedup in some circumstances. The patch had other misc. changes too.
- Fix bug noted by Chris V (iselldrugstokidsonline(a)yahoo.com) in which Nmap could segmentation fault with the (bogus) command: './nmap -sO -p 1-65535 hostname' (protocol only can go up to 255). That being said, Nmap should never segfault just because of bogus options.
- Fixed problem noted by Maximiliano (emax25(a)arnet.com.ar) where Nmap would get stuck in a (nearly) infinite loop when you try to "resume" a random host (-iR) scan.
- Included a number of fingerprint updates, but I still have many more web submissions to go through. Also made some nmap-services portlist updates.
- Included a bunch of fixes (mostly to prevent compiler warnings) from William McVey (wam(a)cisco.com)
Nmap 2.54BETA30 [2001-10-14]
- Added a Document Type Definition (DTD) for the Nmap XML output format (-oX) to the docs directory. This allows validating parsers to check nmap XML output files for correctness. It is also useful for application programmers to understand the XML output structure. The DTD was written by William McVey (wam(a)cisco.com) of Cisco Secure Consulting Services (http://www.cisco.com/go/securityconsulting ).
- Merged in a number of Windows fixes/updates from Andy Lutomirski (Luto(a)myrealbox.com)
- Merged in fixes/updates (mostly to the Windows functionality) from Matt Hargett (matt(a)use.net)
- Applied patch by Colin Phipps (cph(a)netcraft.com) which correctly encodes special characters in the XML output.
- Applied patch by William McVey (wam(a)cisco.com) which adds the uptime information printed with -O to the XML output format.
- Fixed byte-order bug in Windows packet matching code which caused -PS and -PT to fail. Bug found and patch sent by Tim Adam.
- Fixed segfault problem with "-sU -F". Nobody reported this until I noticed it :(. Anytime you see "Segmentation Fault" in the latest version of Nmap, it is probably a bug -- please mail me the command you used, the OS/platform you are running on, and whether it is reproducible.
- Added a convenience option "-oA (basefilename)". This tells Nmap to log in ALL the major formats (normal, grepable, and XML). You give a base for the filename, and the output files will be base.nmap, base.gnmap, and base.xml.
- Documented the --append_output option which tells Nmap to append scan results to any output files you have specified rather than overwriting the files.
- Integrated TIMEVAL_SEC_SUBTRACT() fix by Scott Renfro (scott(a)renfro.org) which improves timing accuracy.
Nmap 2.54BETA29 [2001-08-10]
- Integrated William McVey's multi-portlist patch. This allows you to specify different port numbers when scanning both TCP & UDP. For example, if you want to UDP scan 53, 111 and 137 while TCP scanning 21-25,80,139,515,6000,8080 you could do: nmap -sSU -p U:53,111,137,T:21-25,80,139,515,6000,8080 target.com . Prior to this patch, you had to either use different Nmap executions or scan both UDP & TCP of each port. See the man page for more usage info.
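An added example of how a port specification like the one above can be parsed (written for this page; it is not Nmap's own getpts() code and makes no claim to match it exactly). It covers the rules the changelog entries describe: the T:/U: prefixes from this entry, the port 0 and "-p -40" rules from the 3.15BETA2 entry (0 only when written explicitly, a range with no start beginning at 1 for ports but at 0 for a protocol scan), and the 255 ceiling for -sO from the 2.54BETA31 entry, where a bogus value is rejected with an error rather than looping or crashing. The protocol-to-key names ("tcp", "udp", "ip") are this example's own choice.

```python
"""Parse an Nmap-style port specification (-p) into per-protocol port sets.

Added example for this page, not Nmap's own getpts() code. T:/U: prefixes select
a protocol for the items that follow; "-N" means 1-N for ports; port 0 is included
only when written explicitly; a protocol scan (-sO) starts ranges at 0 and caps at 255.
"""
import re
from typing import Dict, Iterable, Set

MAX_PORT = 65535
MAX_PROTO = 255
PREFIXES = {"T": "tcp", "U": "udp"}
_ITEM = re.compile(r"(\d*)-(\d*)|(\d+)")     # "a-b", "-b", "a-", "-" or a single number


def parse_portspec(spec: str, default_protos: Iterable[str] = ("tcp", "udp"),
                   protocol_scan: bool = False) -> Dict[str, Set[int]]:
    """Return {'tcp': {...}, 'udp': {...}} (or {'ip': {...}} for a protocol scan).
    Raises ValueError instead of looping or crashing on bogus input."""
    if protocol_scan:
        upper, range_start = MAX_PROTO, 0          # protocol 0 is scanned by default
        result: Dict[str, Set[int]] = {"ip": set()}
    else:
        upper, range_start = MAX_PORT, 1           # port 0 only when given explicitly
        result = {p: set() for p in default_protos}
    current = list(result)                         # protocols an unprefixed item applies to

    spec = spec.replace(" ", "")
    if not spec:
        raise ValueError("empty port specification")
    for item in spec.split(","):
        if len(item) >= 2 and item[1] == ":":      # "T:" / "U:" switches protocol
            if protocol_scan:
                raise ValueError("T:/U: prefixes are meaningless in a protocol scan")
            proto = PREFIXES.get(item[0].upper())
            if proto is None:
                raise ValueError(f"unknown protocol prefix {item[0]!r}")
            result.setdefault(proto, set())
            current = [proto]
            item = item[2:]
            if not item:
                continue                           # a bare "T:" only switches protocol
        m = _ITEM.fullmatch(item)
        if m is None:
            raise ValueError(f"bad port element {item!r}")
        if m.group(3) is not None:
            lo = hi = int(m.group(3))
        else:
            lo = int(m.group(1)) if m.group(1) else range_start
            hi = int(m.group(2)) if m.group(2) else upper
        if hi > upper:
            raise ValueError(f"{hi} exceeds the maximum of {upper}")
        if lo > hi:
            raise ValueError(f"range {item!r} runs backwards")
        for proto in current:
            result[proto].update(range(lo, hi + 1))
    return result


if __name__ == "__main__":
    parsed = parse_portspec("U:53,111,137,T:21-25,80,139,515,6000,8080")
    print("tcp:", sorted(parsed["tcp"]))
    print("udp:", sorted(parsed["udp"]))
    print("-sO -p -40:", sorted(parse_portspec("-40", protocol_scan=True)["ip"]))
```

Every bound is validated before the sets are filled, which is the property the two "bogus options" entries above are really about: a specification that cannot be satisfied should fail at parse time, not turn into an unbounded loop or an out-of-range array index later in the scan.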
- Added/updated a bunch of fingerprints, including Windows XP release candidates #1 & #2, OpenBSD 2.9, various home gateways/cable modems, MacOS X 10.0.4, Linux 2.4.7, Gauntlet Firewall 4.0a, a few Cisco routers, and, most importantly, the Alcatel Advanced Reflexes IP Phone :). Many other fingerprints were updated as well.
- Found and fixed some relatively major memory leaks based on reports sent in by H D Moore (hdm(a)secureaustin.com), mugz (mugz(a)x-mafia.org), and Steven Van Acker (deepstar(a)ulyssis.org)
- Applied patch from Chad Loder (chad_loder(a)rapid7.com) which improves random target host selection (-iR) by excluding more undesirable addresses.
- Fixed portscan timing bug found by H D Moore (hdm(a)secureaustin.com). This bug can occur when you specify a --max_rtt_timeout but not --initial_rtt_timeout and then scan certain firewalled hosts.
- Fixed port number printing bug found by "Stephen Leavitt" (stephen_j_leavitt(a)hotmail.com)
- The Nmap source tarball now extracts with more lenient permissions (sometimes world-readable or world-executable, but never world-writable). If you don't want this, set your umask to 077 (which is what I do). Suggested by Line Printer (lps(a)rahul.net)
Nmap 2.54BETA28 [2001-07-28]
- I hope that I have fixed the Libpcap "Unknown datalink type" problem that many people reported. If you still receive this error, please send me the following info:
  - Full output of Nmap including the command you typed
  - What OS/OS version you are using
  - What type of interface is the scan going through (PPP, ISDN, ethernet, PPPoE, etc)
  - Whether you compiled from source or used the RPM version
- Hopefully fixed Libpcap lex/yacc generated file problem that plagued a few folks.
- Various minor fixes/changes/updates
Nmap 2.54BETA27 [2001-07-20]
- Fixed bug that caused "adding open port" messages to be printed even when verbose mode was not specified (patch sent by Doug Hoyte).
- Fixed bug in zombie:port option parsing in Idlescan as well as a few other bugs in patch sent by Germano Caronni (gec(a)acm.org)
- Fixed Windows compilation (I broke it when I added Idlescan).
- Fixed a (Win32 only) port identification bug which would cause some ports to be listed as "unknown" even when Nmap should know their name. This was found and patched by David Griffiths (davidg(a)intrinsica.co.uk).
- Fixed more nmap-os-fingerprints syntax/grammar violations found by Raymond Mercier of VIGILANTe
- Fixed a memory leak in Nbase str*casecmp() functions by applying patch sent by Matt (matt(a)use.net). I plan to kill this whole strcasecmp.c file as soon as possible (it is a mess).
Nmap 2.54BETA26 [2001-07-09]
- Added Idlescan (IPID blind scan). The usage syntax is "-sI [zombie]".
- Fixed a bunch of fingerprints that were corrupt due to violations of the fingerprint syntax/grammar (problems were found by Raymond Mercier of VIGILANTe )
- Fixed command-line option parsing bug found by "m r rao" (mrrao(a)del3.vsnl.net.in )
- Fixed an OS fingerprinting bug that caused many extra packets to be sent if you request a lot of decoys.
- Added some debug code to help diagnose the "Unknown datalink type" error. If Nmap is giving you this error, please send the following info to fyodor@insecure.org : 1) The full output from Nmap (including the command arguments) 2) What OS and OS version are you using 3) What type of adaptor are you using (modem, ethernet, FDDI, etc)
- Added a bunch of IDS sensor/console/agent port numbers from Patrick Mueller (pmueller(a)neohapsis.com)
Nmap 2.54BETA25 [2001-06-04]
- Added a whole bunch of new OS fingerprints (and adjustments) ranging from big important ones (Linux 2.4.X, OpenBSD 2.9, FreeBSD 4.3, Cisco 12.2.1, MacOS X, etc) to some that are more obscure ( such as Apple Color LaserWriter 12/660 PS and VirtualAccess LinxpeedPro 120 )
- Upgraded Libpcap to the latest version (0.6.2) from tcpdump.org. I modified the build system slightly by shipping pre-generated scanner.c/grammar.c (instead of using lex/yacc) and I also upgraded to the newest config.sub/config.guess .
- Fixed some issues with the new Libpcap under Linux (patches will be sent to the developers).
- Added "All zeros" IP.ID sequence classification to account for the new Linux 2.4 scheme which seems to use 0 whenever the DF bit is set (probably a good idea).
- Tweaked TCP Timestamp and IP.ID sequence classification algorithms
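An added, simplified illustration of IP.ID sequence classification (written for this page; it is not Nmap's classifier and the numeric thresholds are this example's own assumptions). It produces the "All zeros" class introduced above alongside incremental, byte-swapped incremental, random-positive and randomized classes, and ties the result back to the Idlescan entry in 2.54BETA26: only a host whose IP.ID is a predictable global counter can serve as a zombie, because the blind scan works by reading extra increments in that counter. The sample sequences are constructed, not captured.

```python
"""Classify a sequence of observed IP.ID values.

Added example for this page; a simplified illustration, not Nmap's classifier.
SMALL_STEP and POSITIVE_LIMIT are this example's own assumed thresholds.
"""
from typing import List, Sequence

SMALL_STEP = 9           # assumption: increments of 1..9 count as "incremental"
POSITIVE_LIMIT = 20000   # assumption: larger but still positive steps are "random positive"


def _bswap16(v: int) -> int:
    return ((v & 0xFF) << 8) | ((v >> 8) & 0xFF)


def _diffs(ipids: Sequence[int]) -> List[int]:
    # mod 2^16 so that a counter wrapping from 65535 to 0 still shows a step of 1
    return [(b - a) % 65536 for a, b in zip(ipids, ipids[1:])]


def classify_ipid(ipids: Sequence[int]) -> str:
    if len(ipids) < 2:
        return "Insufficient samples"
    if all(v == 0 for v in ipids):
        return "All zeros"                          # e.g. Linux 2.4 with DF set
    if all(1 <= d <= SMALL_STEP for d in _diffs(ipids)):
        return "Incremental"
    # A counter kept in little-endian shows up byte-swapped on the wire: steps of 256.
    if all(1 <= d <= SMALL_STEP for d in _diffs([_bswap16(v) for v in ipids])):
        return "Broken little-endian incremental"
    if all(0 < d < POSITIVE_LIMIT for d in _diffs(ipids)):
        return "Random positive increments"
    return "Randomized"


def zombie_usable(ipids: Sequence[int]) -> bool:
    """An Idlescan zombie must expose a predictable global counter; only the two
    incremental classes let a blind scanner infer extra packets from the IP.ID."""
    return classify_ipid(ipids) in ("Incremental", "Broken little-endian incremental")


if __name__ == "__main__":
    samples = {                                      # constructed sequences
        "linux-2.4 DF": [0, 0, 0, 0, 0],
        "simple counter": [1000, 1001, 1002, 1003],
        "wrapping counter": [65534, 65535, 0, 1],
        "byte-swapped counter": [0x0100, 0x0200, 0x0300, 0x0400],
        "busy host": [100, 600, 1500, 2000, 2400],
        "random": [41234, 3, 60000, 12345],
    }
    for name, seq in samples.items():
        print(f"{name:22} {classify_ipid(seq):34} zombie={zombie_usable(seq)}")
```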
Nmap 2.54BETA24 [2001-06-02]
- Fixed compilation problems on MacOS X public release. Thanks to Nicolas Dawson (nizcolas(a)myrealbox.com) for securing an account for me.
- On the suggestion of the ever-helpful LaMont Jones (lamont(a)hp.com), I obtained the newest config.guess/config.sub from http://subversions.gnu.org/cgi-bin/cvsweb/config and made libpcap/nbase use symlinks rather than copies of the file
- Applied patch from LaMont Jones (lamont(a)hp.com) which makes Nmap compatible with gcc 3.0 (apparently printf() is a macro in that version)
- Applied patch from Colin Phipps (cph(a)netcraft.com) which fixes a problem that kept UDP RPC scanning from working unless you were also doing a TCP scan.
- Applied a patch from Chris Eagle (cseagle(a)redshift.com) which fixes Windows compilation (I broke it with a recent change).
- Updated Lithuanian translation of man page based on a newer version sent by Aurimas Mikalauskas (inner(a)crazy.lt)
- Killed carriage returns in nmap.c and nmapfe.c, which caused problems for some (SGI) compilers. Problem noted by Artur Niederstebruch (artur(a)sgi.com)
- Updated to latest version of rpc program number list, maintained by Eilon Gishri (eilon(a)aristo.tau.ac.il)
- Fixed a quoting bug in the Nmap man page found by Rasmus Andersson (rasmus(a)pole-position.org)
- Applied RPM spec file changes from "Benjamin Reed" (ranger(a)befunk.com) which allows you to avoid building the frontend by adding "--define frontend 0" to the build command (eg --rebuild, --ba, etc).
Nmap 2.54BETA22 [2001-03-10]
- Eliminated usage of u_int32_t (was causing compilation errors on some Sun and HP boxes). Problem first noted by Nick Munger (nmunger(a)Oswego.EDU) and Ralf Hildebrandt (Ralf.Hildebrandt(a)innominate.com) and Antonin Sprinzl (Antonin.Sprinzl(a)tuwien.ac.at)
- Defined integer-width typedefs such as u32/s32/u16/etc. in Nbase. Went through much of the Nmap code and substituted these in where correct lengths are important (port numbers, IP addresses, etc).
Nmap 2.54BETA21 [2001-03-09]
- Cleaned up a few build/distribution issues that were reported by LaMont Jones (lamont(a)hp.com)
- Fixed compiler warning noted by Gabor Z. Papp (gzp(a)papp.hu)
Nmap 2.54BETA20 [2001-03-05]
- Added TCP Timestamp sequence checking for OS detection and Netcraft-style uptime tests.
- Found and fixed (I hope) byte alignment problem which was causing bus errors on SPARC64 ( reported by H D Moore (hdm(a)secureaustin.com) and Matthew Franz (mfranz(a)cisco.com) )
- Apple Darwin (Mac OS X) 1.2 portability patch from Rob Braun (bbraun(a)synack.net)
- Added IPID sequence number predictability report (also now used in OS detection).
- Show actual IPID, TCP ISN, and TCP timestamp values in XML format output rather than just the cooked results.
- Suppress IPID and TCP ISN predictability report unless you use -v (you need -O as well).
- Applied Solaris 8 compilation fixes from Germano Caronni (gec(a)acm.org )
- Applied configure.in variable name typo fixes from Christian Weisgerber (naddy(a)openbsd.org)
- Applied some more changes from Andy Lutomirski (Luto(a)mailandnews.com) which provide better detection and reporting of some heinous errors.
- Added -n and -R (always/never DNS resolve) options to the man page.
Nmap 2.54BETA19 [2001-01-02]
- I ported NmapFE to Windows so that Win32 users can use the graphical interface. It generally works, although I haven't tested much. Patches welcome!
- Various little fixes and cleanups, especially to the Windows port.
- Applied patch from Andy Lutomirski (Luto(a)mailandnews.com) which enhances some of the Win* error messages and adds the --win_trace debugging option.
- Applied some patches from Jay Freeman (saurik(a)saurik.com)
- New --data_length option adds indicated number of random data bytes to send with scan packet and tcp ping packet (does not currently work with ICMP ping packet). Does not affect OS detection, RPC, or connect() scan packets.
- Windows portability fixes
- Various other little fixes.
- Renamed rpc.h and error.h because they conflict with Windows include files. By the way, this was a pain to figure out because VC++ is such a crappy compiler! It basically just says problem in "foobar.h" without giving you any idea how foobar.h got included! gcc gives you a nice message tracing the chain of include files!
Nmap 2.54BETA16 [2000-12-07]
- Upgraded to latest version of WinPcap (2.1-beta)
- Merged in Windows port code from Ryan Permeh (ryan(a)eeye.com) and Andy Lutomirski (Luto(a)mailandnews.com).
- Took out C++ compiler test from nbase configure script. It was inserted accidentally, but I found it interesting that only 2 people complained about this causing them problems. I guess most everyone already has C++ compilers.
- Applied patch from Steve Bleazard (steve(a)bleazard.com) which fixed bug in internal Smoothed Round Trip Time calculations.
- Fixed CFLAGS computation error in configure. Problem discovered and patched by Fredrik Lundholm (exce7(a)ce.chalmers.se)
- Added more debugging code for "Unknown datalink type" error -- if you get this, please send me the full error msg including hex values.
- Added Portuguese man page translations from Antonio Pires de Castro Junior (apcastro(a)ic.unicamp.br).
- Capitalized all references to God in error messages.
Nmap 2.54BETA7 [2000-10-08]
- Applied patch from Hubert Feyrer (hubert.feyrer(a)informatik.fh-regensburg.de) which adds support for the new NetBSD DLT_PPP_* types.
- Updated to Eilon Gishri's (eilon(a)aristo.tau.ac.il) newest version of nmap-rpc at ftp://ftp.tau.ac.il/pub/users/eilon/rpc/rpc
- Moved a bunch of the scanning engine related functions to new files (scan_engine.c and scan_engine.h). Timing functions were moved to the new timing.c/timing.h. Other stuff was shifted to tcpip.c/tcpip.h. At some point, nmap.c will only contain the Nmap command line UI.
- Updated Russian version of man page from Alex Volkov (topcat(a)nm.ru)
Nmap 2.54BETA6 [2000-10-08]
- Added XML output (-oX). Hopefully this will help those of you writing Nmap front ends and other tools that utilize Nmap. The "machine-readable" output has been renamed "grepable" (-oG) to emphasize that XML is now the preferred machine-readable output format. But don't worry if your tool uses -oM, that format (and the deprecated -oM flag) won't go away any time soon (if ever). Thanks to Stou Sandalski (tangui(a)cell2000.net) and Fredrick Paul Eisele (phreed(a)gmail.com) for sending proposals that inspired the format used.
- Applied patch from Stefan Rapp (s.rapp(a)hrz.uni-dortmund.de) which fixes a variable argument integer promotion problem in the new snprintf compatibility file. This is important for Redhat 7 systems.
- Reorganized output-related routines so that they now reside in output.c & output.h. Let me know if I accidentally screwed up the behavior of any scan types in the process.
Nmap 2.54BETA5 [2000-09-17]
- Revamped the 'compatibility libraries' subsystem. Moved all of that to a new library called 'libnbase' and changed Nmap and NmapFE to use that. I included a better version of *snprintf and some other compatibility files. Obviously I cannot test these changes on every whacked OS that needs this compatibility cruft, so please let me know if you run into compilation problems.
- Fixed a problem found by Martyn Tovey (martyn(a)netcraft.com) when using Nmap on platforms that dislike division by zero.
- Removed 128.210.*.* addresses from Nmap man page due to complaints from Purdue security staff.
- Fixed FreeBSD (some versions) compilation problem found by Martyn Tovey (martyn(a)netcraft.com)
Nmap 2.54BETA4 [2000-09-04]
- Upgraded to the very latest Libpcap version (the 9/3/00 CVS snapshot). This version is from the tcpdump.org group rather than the Lawrence Livermore crew. The most important advantage is Linux Socket Filter support (so you won't have that annoying syslog message about Nmap using the obsolete SOCK_PACKET interface).
- I tried to install Nmap on yet another machine without lex/yacc or flex/bison. That was the last straw! I am now shipping the generated C files, which eliminates the lex/yacc requirement.
- Applied patch by Jay Freeman (saurik) (saurik(a)saurik.com) to make Nmap C++-clean (this was a lot of tedious work! Thanks!). Note that Nmap still uses a normal C compiler by default, but Nmap derivatives may appreciate C++ compatibility. Note that this only applies to "Nmap proper", not libpcap.
- Added a HACKING file for people who want to help with Nmap development. It describes preferred patch formats, development resources, and offers a number of useful changes that would likely be accepted into the main tree.
- Fixed a configure.in error found by Vacuum (vacuum(a)technotronic.com) which could cause compilation errors.
- Fingerprint file adjustments for better Win* detection
- Ensure libpcap is not configured and/or installed if you already have a "new enough" version (0.4a6+) installed.
- Included Italian translation of Nmap man page from Giorgio Zoppi (deneb(a)supereva.it).
- Fixed a SYN scan problem that could cause a major slowdown on some busy networks.
- Fixed a crash problem in NmapFE reported by sverre (sverre(a)gmx.net)
- Added an "SInfo" line to most printed fingerprints. It looks similar to this:
  SInfo(V=2.54BETA4%P=i686-pc-linux-gnu%D=9/4%Time=9681031%O=7%C=1)
  and contains information useful when fingerprints are reported (Nmap version/platform, scan date, and open/closed ports used)
- Fixed RPC Grind (-sR) scan. It has been almost completely broken since 2.54BETA2 (which has been out for two weeks) and nobody reported it! I noticed the problem myself during testing of something else. I am disappointed that nobody bothered to even let me know that this was broken. Does anyone even use RPC Scan?
- Various other small fixes/improvements
Nmap 2.54BETA3 [2000-08-14]
- Went through and added/adjusted a bunch of fingerprints. A lot of people submitted Windows Millennium Edition (WinME) beta fingerprints, but nobody submitted IPs for them. So please let me know if this version detects your WinME boxes.
- Applied NmapFE patch from Michael Fischer v. Mollard (mfvm(a)gmx.de) which did the following:
  - Added delete event so that NmapFE always quits when you kill it with your window manager
  - added the menubar to the vbox instead of to the fixed widget
- Various small fixes/improvements
Nmap 2.54BETA2 [2000-08-01]
- Added a shortcut which can make single port SYN scans of a network much faster. For example, if a new sendmail vulnerability is found, this reduces the time it takes to scan your whole network for port 25. This shortcut takes effect when you do "-PS[port] -sS -p[port]". For example 'nmap -n -sS -p25 -PS25 24.0.0.0/8'. This optimization doubled the scan speed in a 30,000 IP test I performed.
- Added -sL (List scan). Just as ping scan (-sP) allows you to short circuit the scan right after pinging, -sL allows you to short circuit the scan right after target selection. This allows you to see what hosts WOULD be scanned without actually doing it. The hosts will be resolved unless you use -n. Primary uses:
  - Get all the IPs in a network (like A.B.C.D/16) and take out machines that are too fragile to be scanned safely before calling Nmap with the new list (using -iL).
  - Test that a complex spec like 128.4,5,7-9.*.7 does what you expect before actual scanning.
  - When all you want to do is resolve a bunch of IPs.
  - You just want results of a zone transfer (if it is implemented).
- Added some new fingerprints and adjusted some others based on submissions to the DB (I still have a lot more to go through so don't worry if your submission is still not detected).
- Added a warning when you scan 0 hosts (eg "nmap -v"). There are various other output tweaks as well.
- Ensured that 0.0.0.0 can be scanned by nmap (although on some OSs, like Linux, it won't work due to what seem to be kernel bugs). Oh well. I'll look into it later.
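The -sL use cases above (expand a network, prune fragile hosts, feed the rest back with -iL, and check that a spec like 128.4,5,7-9.*.7 expands as expected) are easiest to reason about with the expansion written out. The following is an added example, not Nmap's own code: it expands a CIDR spec or a per-octet list/range/wildcard spec into host addresses and drops an exclusion list. That "*" means 0-255 and that ranges are inclusive is assumed from the example; the page does not spell out the syntax.

```python
from __future__ import annotations

import ipaddress
from itertools import product
from typing import Iterable, Iterator


def _expand_octet(part: str) -> list[int]:
    """Expand one octet of a target spec.

    '*'       -> every value 0..255 (wildcard; assumed, as in the example)
    '4,5,7-9' -> [4, 5, 7, 8, 9]  (comma list with inclusive ranges)
    """
    if part == "*":
        return list(range(256))
    values: list[int] = []
    for item in part.split(","):
        lo_s, dash, hi_s = item.partition("-")
        if not lo_s.isdigit() or (dash and not hi_s.isdigit()):
            raise ValueError(f"bad octet item {item!r}")
        lo = int(lo_s)
        hi = int(hi_s) if dash else lo
        if not (0 <= lo <= hi <= 255):
            raise ValueError(f"octet item out of range: {item!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target_spec(spec: str) -> Iterator[str]:
    """Yield every IPv4 address a target spec covers, in dotted-quad order.

    Two forms are handled: CIDR ('10.0.0.0/16', including the network and
    broadcast addresses, as a list scan prints them) and the per-octet form
    ('128.4,5,7-9.*.7'). Combining a CIDR suffix with octet lists is not
    supported here (assumption: the page shows only the plain forms).
    """
    if "/" in spec:
        base = spec.split("/", 1)[0]
        if any(ch in base for ch in ",-*"):
            raise ValueError("CIDR suffix on an octet-list spec is not supported")
        for addr in ipaddress.ip_network(spec, strict=False):
            yield str(addr)
        return
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets in {spec!r}")
    # product() varies the rightmost octet fastest, so addresses come out
    # in the same order a dotted-quad sort would give.
    for combo in product(*(_expand_octet(o) for o in octets)):
        yield ".".join(str(v) for v in combo)


def count_targets(spec: str) -> int:
    """Number of hosts a spec would scan; a cheap sanity check before -iL."""
    return sum(1 for _ in expand_target_spec(spec))


def list_scan(spec: str, exclude: Iterable[str] = ()) -> list[str]:
    """Emulate 'nmap -n -sL <spec>' followed by hand-pruning fragile hosts.

    Returns the remaining hosts, one per entry, ready to write to an -iL file.
    """
    excluded = {ipaddress.ip_address(h) for h in exclude}
    return [h for h in expand_target_spec(spec)
            if ipaddress.ip_address(h) not in excluded]


if __name__ == "__main__":
    # Constructed spec taken from the changelog text: 5 * 256 = 1280 hosts.
    print(count_targets("128.4,5,7-9.*.7"))
    for host in list_scan("192.168.1.10-12", exclude=["192.168.1.11"]):
        print(host)
```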
Nmap 2.54BETA1 [2000-05-29]
- Added an extremely cool scan type by Gerhard Rieger (rieger at iue.tuwien.ac.at) -- IP Protocol scanning. Basically it sends a bunch of IP headers (no data) with different "protocol" fields to the host. The host then (usually) sends back a protocol unreachable for those that it does not support. By exclusion, nmap can make a list of those that are supported. This is similar in concept to (and is implemented using most of the same scanning routines as) UDP scanning. Note that some hosts do not send back protocol unreachables -- in that case all protocols will appear "open".
- Fixed an uninitialized variable problem in NmapFE (found by Alvin Starr (alvin at iplink.net))
- Fixed a packaging problem that led to the Nmap man page being included twice in the .tgz.
- Fixed dangling nroff include in xnmap man page (noted by Debian Nmap package maintainer LaMont Jones (lamont(a)security.hp.com))
- Give a warning when no targets at all are specified
- Updated 'make uninstall' so that it deletes all relevant files
- Included latest nmap-rpc from Eilon Gishri (eilon at aristo.tau.ac.il)
- Eliminated -I. from Nmap's and NmapFE's makefiles (suggested by "Jay Freeman (saurik)" (saurik at saurik.com))
- Added Russian documentation by Alex Volkov
- Added Lithuanian documentation from Aurimas Mikalauskas (inner(a)dammit.lt)
Nmap 2.53 [2000-05-08]
- Fixed a commenting issue that could cause trouble for non-GNU compilers (first found by Jan-Frode Myklebust (janfrode at parallab.uib.no))
- A few new services to nmap-services
Nmap 2.52 [2000-05-03]
- Added very simple man pages for xnmap/nmapfe (lack of man pages for these was noticed by LaMont Jones (lamont(a)hp.com), the Debian Nmap package maintainer, based on bug report by Adrian Bunk (bunk(a)fs.tum.de)).
- Fixed a "Status: Down" machine name output problem in machine parseable logs found by Alek O. Komarnitsky (alek(a)ast.lmco.com)
- Took some weird files out of the doc directory (cd, grep, vi, and .swp)
- Fixed some typos found by Thomas Klausner (wiz(a)danbala.ifoer.tuwien.ac.at)
- Updated nmap-rpc with new entries found in the latest version of Eilon Gishri's rpc list.
Nmap 2.51 [2000-04-29]
- Fixed target parsing bug found by Steve Horsburgh (shorsburgh(a)horsburgh.com).
- Changed makefile/rpm to store fingerprint, rpc, and services file in $prefix/share/nmap rather than $prefix/lib/nmap, since these files are architecture independent. You should now use ./configure --datadir instead of ./configure --libdir to change the default location. Suggested by Thomas Klausner (wiz(a)danbala.ifoer.tuwien.ac.at).
- I am now including Eilon Gishri's (eilon(a)aristo.tau.ac.il) rpc number list (which he recently merged with the Nmap 2.50 rpc list).
- Included Spanish and French HTML versions of the Nmap man page (may not always be up to date).
Nmap 2.50 [2000-04-28]
- Fixed an IP calculation error which could occur in some cases where you scan machines on different devices (like lo and eth0). This problem was discovered by Jonathan Fine (jfine(a)psu.edu).
- Fixed a problem that could, in rare cases, cause a SYN scan to crash (the error message was "attempt to add port number X with illegal state 0"). This problem was reported by Erik Benner (erik(a)xyzzy.net)
- Changed the .spec file so that RPM versions create a xnmap link to nmapfe (the normal make install has done this for a long time).
Nmap 2.3BETA21 [2000-04-24]
- A number of people reported problems with nmapfe in various environments (specifically gdk errors, hangs, and crashes). I think that is now fixed. Let me know if you still have the problem (make sure the title bar says BETA21).
- Added a bunch of OS fingerprints based on all the contributions in the last month or so.
- Fixed a bug that completely broke RPC scanning in BETA19.
- Added list of ports scanned near the top of each machine log WHEN -v was specified. Here is an example of the format:
  # Ports scanned: TCP(13;1-10,22,25) UDP(0;)
  The "13" above is the number of TCP ports being scanned.
- Got rid of a snprintf() from nmapfe since some systems don't have it :( and I'm too lazy to integrate in the snprintf that comes with nmap right now.
- Fixed important target IP range parsing bug found by Jean-Yves Simon (lethalwp(a)linuxbe.org).
- Applied patch by albert chin (china at thewrittenword.com) which adds --with-libpcap[=DIR] option to configure and adds an elegant approach for -lnsl and -lsocket checking to configure.
- Fixed a bug which could cause Nmap to mark a port filtered based on ICMP dest. unreachable packets relating to a different host than the one being scanned.
- Fixed output problem relating to ident scan noted by Peter Marschall (peter.marschall at mayn.de)
- Applied patch to services.c by Andrew Brown (atatat(a)atatdot.net) which prevents some useless debugging (-d) output when reading some kinds of /etc/services files.
- Added "Host: [machinename] (ip) Status: Down" to machine logs when the verbose option is given (just like down hosts are reported to stdout when verbose is given). Suggested by Alek Komarnitsky.
- Applied NetBSD compatibility patch provided by Mipam (reinoud at ibbnet.org) which changes an autoconf macro to check for getopt_long_only instead of getopt_long.
- Nmap used to print an inaccuracy warning when no open TCP ports were found on the target machine. Due to a bug, this was not always being printed. Problem found by Matt (matt at use.net) and Ajay Gupta2 (Ajay.Gupta2 at ey.com).
- Added the number of ports in the ignored state right after the state name in machine parseable logs. It used to look like: "Ignored State: closed" whereas now it looks like: "Ignored State: closed (1508)" meaning that 1508 ports were closed and thus are not specifically enumerated.
- Changed all nmapfe calls to gdk_font_load into gdk_fontset_load. Bennett Feitell (bfeitell at panix.com) suggested that this fixed some nmapfe font problems.
Nmap 2.3BETA20 [2000-04-10]
- Applied patch sent in by s.rapp(a)hrz.uni-dortmund.de which fixes a memory alignment bug in osscan.c which could cause core dumps on machines which require aligned access (like SPARC).
- Fixed a compilation problem on machines that do not have MAP_FAILED defined (as a return value to mmap). Problem noted by Phil Stracchino (alaric(a)babcom.com).
Nmap 2.3BETA19 [2000-04-10]
- Tweaked the output so that it now tells how many ports are not shown and what state the ignored ports are in. This info could be inferred before by people who had studied the manpage, but now the info is explicitly available. I cleaned up a bunch of stuff internally to make this happen. I hope I didn't break anything!
- Changed NmapFE so that it always kills any running Nmap process when you press exit. Problem noted by Marc Renner (mrenner(a)ci.marysville.wa.us)
- Apparently some Linux (glibc) systems now come with a "strcasestr" function. So I have made autoconf look for this and use the native version if supported (problem noted by Sami Farin (sfarin(a)ratol.fi)).
- Added a new attribute "Ignored State: xxx" to the machine parseable logs, where xxx is the state (closed, filtered, or UNfiltered) that is being ignored. Ports in that state are not listed (they weren't listed in earlier versions either). Perhaps I should list ALL ports for machine parseable output. Opinions?
- Merged in a patch sent in by Mipam (reinoud(a)ibbnet.org) which is apparently part of the OpenBSD Nmap "port". Although Nmap seems to work fine for me on my OpenBSD 2.4 box, a couple OpenBSD users have complained of problems. Hopefully this will help (it adds DLT_LOOP and DLT_ENC offset cases when reading from libpcap).
- A few really minor bugfixes.
Nmap 2.3BETA18 [2000-04-06]
- Fixed a very important bug that occurred when SYN scanning localhost. Many thanks to Dries Schellekens (gwyllion(a)ace.ulyssis.student.kuleuven.ac.be) for first reporting the problem.
- Uros Prestor from TurboLinux informed us that the latest versions of Nmap work with Linux on the upcoming Intel Merced/Itanium IA-64 processors. He also said that the TurboLinux distribution includes Nmap. Kudos to them! As well as the other distros that support Nmap (Debian, Red Hat, Suse, Trinux) and of course FreeBSD, NetBSD, & OpenBSD. Does anyone know if Nmap ships with the latest from Mandrake or Corel? The latest Solaris includes some Free software. If anyone can get them to ship Nmap, I will buy you a case of beer :).
- Added a #define to change vsnprintf to vsprintf on machines which do not support the former (mostly Solaris 2.5.1 and earlier). This function is less safe. For people who care about security, we recommend an upgrade to Solaris 8 (or Linux/*BSD).
- Changed the NmapFE version to 0.[nmap_version] rather than always leaving it at 0.9.5 (which was confusing). Thanks to J.D.K. Chipps (jdkc(a)woptura.com) for noticing this.
- Added support for "-vv" (means the same as "-v -v"). Older versions of Nmap supported it (noted by George Kurtz).
Nmap 2.3BETA17 [2000-03-26]
- Added ACK scanning. This scan technique (which van Hauser and others have been bugging me to add for years :), is great for testing firewall rulesets. It can NOT find open ports, but it can distinguish between filtered/unfiltered by sending an ACK packet to each port and waiting for a RST to come back. Filtered ports will not send back a RST (or will send ICMP unreachables). This scan type is activated with -sA.
- Documented the Window scan (-sW) which Lamont Granquist added in September 99.
- Added a whole bunch of OS fingerprints that people have submitted.
- "Protocol" field in output eliminated. It is now printed right next to the number (/etc/services style). Like "22/tcp". I wonder what I should put in the extra white space this leaves on the report :).
- Added --resume option to continue a large network scan where you left off. This is useful for recovering from errors (modem drops carrier, network outage, etc). It also allows you to start and stop for policy reasons (like if a client only wants you to scan on weekends or at night) or if you want to run the scan on a different host. Usage is 'nmap --resume logfile' where logfile can be either normal (-oN) or machine parseable (-oM) logfile from the scan that was aborted. No other options can be given (the options in the logfile from the original scan will be used). Nmap will start off with the host after the last one successfully scanned in the logfile.
- Added --append_output option which causes -oN/-oM/-oS to APPEND to the output file you specify rather than overwriting it.
- Various internal code cleanup, makefile fixes, etc.
- Changed version number from 2.3BETA* to 2.30BETA* to appease various packaging systems that thought 2.3BETA was < 2.12.
- Nmap output to files now correctly flushes output after scanning for each host is finished.
- Fixed compiler -L flags error found by Ralf Hildebrandt (R.Hildebrandt(a)tu-bs.de)
- Fixed configure scripts so that options you give to the Nmap configure (like --prefix) are also passed to the nmapfe configure script. This problem was noted by Ralf Hildebrandt (R.Hildebrandt(a)tu-bs.de). While I was at it, I added some other cleanups to the system.
- Added --noninteractive option for when nmap is called from scripts (where stuff like prompting users for info is unacceptable). It does not currently do anything (Nmap never prompts) and script writers should probably wait until at least May 2000 so their scripts still work with earlier versions of Nmap.
- Updated to the latest config.guess and config.sub from Autoconf 2.13
- Applied patch by Sven (s.carstens(a)gmx.de) which fixes a segmentation fault problem in Nmapfe colored mode as well as some output niceties.
- Changed some C++ comments to C-style for portability (noticed by "Sergei V. Rousakov" (sergei(a)cas.Vanderbilt.Edu))
Nmap 2.3BETA14 [2000-01-28]
- Peter Kosinar (goober(a)gjh.sk) performed some cleanup of the output routines and as a bonus he added skript kiddie output mode!!! Try it out by adding "-oS -" to your nmap command line. Note that using '-' to represent stdout instead of a filename is something you can do with any of the output modes.
- Ensured that Nmap always gives up on ident scan after the first port attempt finds it to be closed (problem noticed by Matt (matt(a)use.net))
- Changed strsep's in nmapfe to more portable strtok's (should especially help Nmapfe compiles on Solaris)
- Changed permutation algorithm to make port order and host order shuffling more random.
- Various minor changes and internal code cleanup.
- Fixed integer overflow that was limiting the max --host_timeout value to about 2,000,000 milliseconds (~1/2 hour). The limit is now about 4,000,000,000 milliseconds (~1 month). I really hope you don't need more than that :).
Nmap 2.3BETA13 [2000-01-17]
- I made Nmap smarter about detecting filtering during UDP, Xmas, NULL, and FIN scans.
- Updated Nmapfe to 0.9.5 (+ a patch from NmapFE author Zach Smith)
- Fixed a problem where NmapFE would fail to honor $PATH (Noticed by K. Scott Rowe (kscott(a)nmt.edu))
- Added a couple ICMP unreachable messages Nmap was missing (found by Bifrost (bifrost(a)minions.com)).
- Internal cleanup that improves the way some port lists are stored.
- Added some more RPC numbers from (mmmorris(a)netscape.net)
- Relaxed the dependency requirements of nmapfe rpm (now will accept any version of Nmap).
Nmap 2.3BETA12 [2000-01-01]
- Added interactive mode which adds convenience for managing nmap sessions and also enhances privacy. Get to it with --interactive and then type 'h' for help.
- Added/modified many fingerprints including the latest 2.3.X Linux releases, the latest Win2000 builds, the Apple Airport Wireless device, and several dozen more.
- Migrated to RPM .spec file sent in by Tim Powers (timp(a)redhat.com). That is the file they will be using to package Nmap with the power tools CD in the next Redhat release. The most important changes are that Nmap (only the RPM version) now installs in /usr/* instead of /usr/local/* and the frontend is now dynamically linked with GTK and comes in a separate rpm.
- The -i (input from list) option has been deprecated. From now on you should use -iL [filename] to read from a list or -iR to have Nmap generate random IPs to scan. This -iR option is new.
- The -o and -m options have been deprecated. From now on, you should use -oN for normal (human readable) output and -oM for machine parseable output. At some point I might add -oH (HTML output) or -oSK (sKr|pt kiDdi3 0uTPut).
- Added --randomize_hosts option, which causes hosts to be scanned in non-sequential order. This makes scans less conspicuous. For efficiency reasons, the hosts are chopped into groups of 2048 and then each group is internally shuffled (the groups still go in order).
- Rearranged the help ('nmap -h' or 'nmap' or 'nmap --help') screen to be shorter (37 -> 23 lines!) and include some of the new features of this release. The man page was updated as well.
- Fixed longstanding bug where nmap -sS mylocalnetwork/24 would not successfully scan the host running nmap.
- Internal improvements to make scanning faster with -i (input list) or when you specify multiple machines on the command line.
- Uses faster GCD algorithm and fixed several typos (sent in by Peter Kosinar).
- Provide more information in machine/human readable output files (start time, end time, RPC program name, Nmap version number)
- Killed the -A option (if you don't know what that is then you won't miss it. In fact, even if you do know what it is you won't miss it.)
Nmap 2.3BETA10 [1999-12-12]
- Added about 70 new OS fingerprints so that Nmap can detect more systems. The most important new fingerprints are probably:
  - The new SP5+ NT boxes -- After all these years MS FINALLY made sequence prediction harder (on NT anyway).
  - Solaris 8 Pre-Release
  - Sega Dreamcast (Hack that!)
  - Latest Windows 2000 builds
  - OpenBSD 2.6
Nmap 2.3BETA9 [1999-12-07]
- Applied patch by Mark Abene (Phiber Optik) to fix several type length issues so that it works on Linux/Alpha.
- Applied patch by Matthieu Verbert (mve(a)zurich.ibm.com) to speed up OS Scan
Nmap 2.3BETA8 [1999-11-21]
- Added "firewall mode" timing optimizations which can decrease the amount of time necessary to SYN or connect scan some heavily filtered hosts.
- Added min_rtt_timeout timing option (see man page for details)
- Changed "TCP Ping" to use a random ACK value rather than 0 (an IDS called Snort was using this to detect Nmap TCP Pings).
- Some changes for better Alpha/Linux support based on investigation by Bill Beers (wbeers(a)carolina.rr.com)
- Applied changes for FDDI support by Tobias J. Nijweide (tobias(a)mesa.nl)
- Applied a socket binding patch from LaMont Jones (lamont(a)security.hp.com) which can be useful when using -S to specify one of multiple interfaces on a machine.
- Made OS detection smart enough to first check scan results for a known closed port instead of immediately resorting to a random one. This improves OS detection against some machines behind packet filters (suggested by van Hauser).
- Applied a shortcut suggestion by Thomas Reinke which can lead to a tremendous speedup against some firewalled hosts.
- Added some ports commonly used for RPC to nmap-services
- Fixed a problem with the timing of an RPC scan (could come before the UDP scans they rely on)
- Added a number of new ports to nmap-services
Nmap 2.3BETA6 [1999-09-19]
- Added sophisticated timing controls to give the user much more control over Nmap's speed. This allows you to make Nmap much more aggressive to scan hosts faster, or you can make Nmap more "polite" -- slower but less likely to wreak havoc on your Network. You can even enforce large delays between sending packets to sneak under IDS thresholds and prevent detection. See the new "Timing Options" section of the Nmap man page for more information on using this.
- Applied Lamont Granquist's (lamontg(a)u.washington.edu) Window scan patch (I changed the name from ACK scan to Window scan since I may add another scan that uses ACK packets and I don't want them to be confused). -sW activates this scan type. It is mostly effective against BSD, AIX, Digital UNIX, and various older HP/UX, SunOS, and VAX (See nmap-hackers mailing list archives for an extensive list).
- Added various long options people expect to see like --version, --help, --usage, etc. Some of the new timing options are also long. I had to add getopt_long C files since most non-Linux boxes don't support getopt_long in libc.
- Human readable (-o) output changed to include the time/date of the scan. Suggested by van Hauser.
Nmap 2.3BETA5 [1999-09-07]
- Changed RPC output based on suggestions by David O'Brien (obrien(a)NUXI.com) and Lance Spitzner (lance(a)spitzner.net). I got rid of the "(Non-RPC)" unnecessary clutter which appeared after each non RPC port and the "(untested)" that appeared after each "filtered" port.
- Added a ton of new OS fingerprints people submitted. I had about 400 in my inbox. Of course, almost 100 of them were submissions for www.windows2000test.com :).
- Changed the machine parseable output of RPC information to include the version information. If we figured out the RPC info, it is now provided as "program-num*lowversion-highversion". If we didn't get the number, but we think the port is RPC, the field simply contains "R". If we believe the port is NOT RPC, then the field contains "N". If the field is empty, we did not RPC scan the port. Thanks to H D Moore (nlog(a)ings.com) for making me aware how much the earlier machine parseable RPC logging sucked :).
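The machine parseable fragments this changelog describes (the RPC field above, the "Ignored State: closed (1508)" attribute and the "# Ports scanned: TCP(n;list)" header from the 2.3BETA21/BETA19 entries, and the SInfo line from 2.54BETA4) are small enough to decode directly. The following is an added example, not Nmap's own code: it parses each fragment from constructed sample lines, treats the older "Ignored State" form without a count as valid, and flags a "# Ports scanned" header whose declared count does not match its expanded port list.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the formats this changelog describes; they are
# not taken from a real scan.
SAMPLE_PORTS_SCANNED = "# Ports scanned: TCP(13;1-10,22,25,80) UDP(0;)"
SAMPLE_IGNORED_NEW = "Ignored State: closed (1508)"
SAMPLE_IGNORED_OLD = "Ignored State: closed"
SAMPLE_SINFO = "SInfo(V=2.54BETA4%P=i686-pc-linux-gnu%D=9/4%Time=9681031%O=7%C=1)"


def expand_port_spec(spec: str) -> list[int]:
    """Expand a port list such as '1-10,22,25' into ints; '' gives []."""
    ports: list[int] = []
    for item in filter(None, spec.split(",")):
        lo_s, dash, hi_s = item.partition("-")
        lo = int(lo_s)
        hi = int(hi_s) if dash else lo
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"bad port item {item!r}")
        ports.extend(range(lo, hi + 1))
    return ports


_PROTO_RE = re.compile(r"(TCP|UDP)\((\d+);([^)]*)\)")


def parse_ports_scanned(line: str) -> dict[str, dict]:
    """Parse the verbose-mode '# Ports scanned: TCP(n;list) UDP(n;list)' header.

    Returns {proto: {"declared": n, "ports": [...], "consistent": bool}} so a
    consumer can spot a header whose count disagrees with its expanded list.
    """
    if not line.startswith("# Ports scanned:"):
        raise ValueError("not a '# Ports scanned:' line")
    result: dict[str, dict] = {}
    for proto, count, spec in _PROTO_RE.findall(line):
        ports = expand_port_spec(spec)
        declared = int(count)
        result[proto] = {"declared": declared, "ports": ports,
                         "consistent": declared == len(ports)}
    return result


_IGNORED_RE = re.compile(r"Ignored State:\s*(\w+)(?:\s*\((\d+)\))?")


def parse_ignored_state(text: str) -> Optional[tuple[str, Optional[int]]]:
    """Return (state, count) from 'Ignored State: closed (1508)'.

    The count is None for the older BETA19 form that carries no number;
    the whole result is None when the attribute is absent.
    """
    m = _IGNORED_RE.search(text)
    if not m:
        return None
    return m.group(1), (int(m.group(2)) if m.group(2) else None)


@dataclass(frozen=True)
class RpcInfo:
    scanned: bool            # False when the field was empty (not RPC scanned)
    is_rpc: Optional[bool]   # None when the port was not scanned
    program: Optional[int] = None
    low_version: Optional[int] = None
    high_version: Optional[int] = None


_RPC_RE = re.compile(r"^(\d+)\*(\d+)-(\d+)$")


def parse_rpc_field(field: str) -> RpcInfo:
    """Decode the RPC field of a machine parseable port entry.

    'prog*lo-hi' -> program identified; 'R' -> RPC but program unknown;
    'N' -> judged not RPC; '' -> the port was not RPC scanned.
    """
    if field == "":
        return RpcInfo(scanned=False, is_rpc=None)
    if field == "R":
        return RpcInfo(scanned=True, is_rpc=True)
    if field == "N":
        return RpcInfo(scanned=True, is_rpc=False)
    m = _RPC_RE.match(field)
    if not m:
        raise ValueError(f"unrecognised RPC field {field!r}")
    prog, lo, hi = (int(g) for g in m.groups())
    return RpcInfo(True, True, prog, lo, hi)


def parse_sinfo(line: str) -> dict[str, str]:
    """Split an SInfo(...) fingerprint line into its %-separated key=value pairs."""
    m = re.search(r"SInfo\(([^)]*)\)", line)
    if not m:
        raise ValueError("no SInfo block found")
    return dict(kv.split("=", 1) for kv in m.group(1).split("%"))


if __name__ == "__main__":
    print(parse_ports_scanned(SAMPLE_PORTS_SCANNED))
    print(parse_ignored_state(SAMPLE_IGNORED_NEW), parse_ignored_state(SAMPLE_IGNORED_OLD))
    print(parse_rpc_field("100000*2-4"), parse_rpc_field("R"))
    print(parse_sinfo(SAMPLE_SINFO))
```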
Nmap 2.3BETA4 [1999-08-30]§
- Added direct (non-portmapper) RPC scanning to determine what RPCprogram is listening on a particular port. This works for UDP andTCP ports and is currently implemented using sockets (which meansyou can't use decoys, but on the other hand you don't have to beroot). Thanks go to ga (ga(a)capyork.com) for writing sample codeto demonstrate the technique. The RPC services list included withnmap was compiled by Vik Bajaj (vbajaj(a)sas.upenn.edu) with helpfrom various members of the nmap-hackers list.
- Fixed a problem that could cause freezes when you scan machines onat least two different types of interfaces as part of the samecommand.
- Identified and found workaround for Linux kernel bug which allowsconnect() to sometimes succeed inapropriately when scanning closedports on localhost.
- Fixed problems relating to people who specify the same port morethan once on the command line. While the right answer is "well,don't do that!", I decided to fix nmap to handle this gracefully.
- Tweaked UDP scanning to be more effective against Solaris ICMP errorlimiting.
- Fixed strtol() integer overflow problem found by Renaud Deraison(deraison(a)cvs.nessus.org)
- The HTML translation of the Man page athttps://nmap.org/book/man.html should now becomplete (man2html was dropping lines before).
- Added a note in the man page that Nmap 2.0+ is believed to beCOMPLETELY Y2K COMPLIANT! I've been getting a lot of letters fromlaywers about that recently. You should still be able to port scanon Jan 1st (well ... as long as you have electricity and gangs oflooting thugs haven't stolen your computers :)
Nmap 2.2-Beta4 [1999-05-07]§
- Integrated nmapfe code from Zach Smith to allow the nmapfe outputwindow to resize when you resize the nmapfe window.
- Integrated patch sent in by Stefan Erben (stefan(a)erben.com) whichallows nmap to recognize and ignore null interfaces. If you weregetting a bogus error like "eth0 not found in /proc/net/route" thenthis should solve your problem.
- Applied patch from Alexander Savelyev (fano(a)ham.kiev.ua) whichgives nmap the parameters necessary to support SLIP and PPP on BSDIsystems.
- Upgraded to a new version of shtool (1.2.3)
Nmap 2.2-Beta3 [1999-05-02]§
- Adopted Ralf S. Engelschall's excellent shtool script forsimplifying the nmap makefile and making it more portable
- Various other minor changes to nmapfe.
Nmap 2.2-Beta2§
- Cleaned up build environment more, fixed up RPM and Makefile.in,eliminated the automake stuff.
- Added nmapfe feature to show nmap command as you change options
- Changed nmapfe to use a global MyWidgets struct rather than tons ofglobal vars all over the place.
- Made nmapfe much smarter about rejecting stupid option attempts. Itnow tries to correct things when you specify illegal options.
- GTK+ 1.0 compatibility fixes
- Integrated nmapfe changes from Zach
Nmap 2.2-BETA1§
- Integrated in nmapfe -- a cool front end wrottem by Zach Smith (matrxweb(a)hotmail.com)
Nmap 2.12 [1999-04-04]§
- Changed the way tcp connect() scan determines the results of aconnect() call. Hopefully this will make nmap a little moreportable.
- Got rid of the security warning message for people who are missing/dev/random and /dev/urandom due to complaints about the warning.This only silences the warnings -- it still uses relatively weakrandom number generation under Solaris and other systems that lackthis functionality.
- Eliminated pow() calls on Linux boxes. I think some sort of glibcbug was causing nmap to sigsegv in some cases inside of pow(). Mostpeople weren't affected, but those who were would almost alwaysSIGSEGV with -O.
- Fixed an rpm problem noted by Mark Smith (marks(a)senet.com.au)
Nmap 2.11 [1999-04-03]
- Many new fingerprints added. I received more than 300 submissions between this release and the last one.
- Fixed IRIX problems which prevented OS scanning from working on that platform. The problem was researched and solution found by Lamont Granquist (lamontg(a)u.washington.edu). You can also thank him for porting nmap to almost every UNIX around.
- Added support for '-m -' to redirect machine readable logs to stdout for shell pipelining, etc. I also changed machine readable output to show service names now that we use a nmap specific services file rather than /etc/services. These features were suggested by Dan Farmer. You can also thank him for SATAN (the auditing tool).
- Fixed a link-list bug that could cause hangs in UDP, FIN, NULL, and XMAS scans. Also fixed a ptr problem that could cause SIGSEGV. These problems were discovered and tracked down by Ben Laurie (ben(a)algroup.co.uk). You can also thank him for Apache, OpenSSL, and Apache-SSL.
- Fixed installation problem for people without a /usr/local/man/man1 directory. Found by Jeffrey Robertson (a-jeffro(a)microsoft.com). I guess you can thank him for Win98 ;).
- Several other little fixes to the installation script and minor scanner tweaks.
Nmap 2.10
- Private test release
Nmap 2.09
- Private test release
Nmap 2.08 [1999-02-16]
- Bugfix for problem that can cause nmap to appear to "freeze up" for long periods of time when run on some busy networks (found by Lamont Granquist).
Nmap 2.07 [1999-02-08]
- Fixed a lockup on Solaris (and perhaps other proprietary UNIX systems) caused by a lack of /dev/random & /dev/urandom and a rand() that only returns values up to 65535. Users of Free operating systems like Linux, FreeBSD, or OpenBSD probably shouldn't bother upgrading.
Nmap 2.06 [1999-02-08]
- Fixed compile problems on machines which lack snprintf() (found by Ken Williams (jkwilli2(a)unity.ncsu.edu))
- Added the squid proxy to nmap-services (suggested by Holger Heimann)
- Fixed a problem where the new memory allocation system was handing out misaligned pointers.
- Fixed another memory allocation bug which probably doesn't cause any real-life problems.
- Made nmap look in more places for nmap-os-fingerprints
Nmap 2.05 [1999-02-08]
- Tons of new fingerprints. The number has grown by more than 25%. In particular, Charles M. Hannum (root(a)ihack.net) fixed several problems with NetBSD that made it easy to fingerprint and he sent me a huge new batch of fingerprints for various NetBSD releases down to 1.2. Other people sent NetBSD fingerprints down to 1.0. I finally got some early Linux fingerprints in (down to 1.09).
- Nmap now comes with its own nmap-services which I created by merging the /etc/services from a bunch of OS' and then adding Netbus, Back Orifice, etc.
- Random number generation now takes advantage of the /dev/urandom or /dev/random that most Free operating systems offer.
- Increased the maximum number of OS guesses nmap will make, told nmap never to give you two matches where the OS names are byte-to-byte equivalent. Fixed nmap to differentiate between "no OS matches found" and "too many OS matches to list".
- Fixed an information leak in the packet TTL values (found by HD Moore (hdmoore(a)usa.net))
- Fixed the problem noted by Savva Uspensky about offsets used for various operating systems' PPP/SLIP headers. Due to lack of responses regarding other operating systems, I have made assumptions about what works for BSDI, NetBSD, and SOLARIS. If this version no longer works on your modem, please let me know (and tell me whether you are using SLIP/PPP and what OS you are running).
- Machine parseable logs are now more machine parseable (I now use a tab to separate test result fields rather than the more ambiguous spaces). This may break a few things which rely on the old format. Sorry. They should be easy to fix.
- Added my nmap-fingerprinting-article.txt to the distribution in the docs directory.
- Fixed problem where nmap -sS (my_ethernet_or_ppp_ip_address) would not correctly scan localhost (due to the kernel rerouting the traffic through localhost). Nmap should now detect and work around this behavior.
- Applied patch sent to me by Bill Fenner (fenner(a)parc.xerox.com) which fixes various SunOS compatibility problems.
- Changed the makefile 'all' target to use install-sh rather than mkdir -p (doesn't work on some systems)
- Documentation updated and clarified slightly.
- Added this CHANGELOG file to the distribution.