Features Download
From: Fyodor <fyodor <at> nmap.org>
Subject: Nmap 6.25 holiday season release! 85 new scripts, better performance, Windows 8 enhancements, and more
Newsgroups: gmane.comp.security.nmap.general
Date: Friday 30th November 2012 00:34:15 UTC (over 4 years ago)
Hi folks.  It has been more than five months since the Nmap 6.01
release, and I'm pleased to announce a new version for you to enjoy
during the holidays!  Nmap 6.25 contains hundreds of improvements,
including 85 new NSE scripts, nearly 1,000 new OS and service
detection fingerprints, performance enhancements such as the new
kqueue and poll I/O engines, better IPv6 traceroute support, Windows 8
improvements, and much more!  It also includes the work of five Google
Summer of Code interns who worked full time with Nmap mentors during
the summer.

Nmap 6.25 source code and binary packages for Linux, Windows, and Mac
are available for free download from:


If you find any bugs, please let us know on nmap-dev as described at
 Here are the most important
change since 6.01:

o Integrated all of your IPv4 OS fingerprint submissions since January
  (more than 3,000 of them).  Added 373 fingerprints, bringing the new
  total to 3,946.  Additions include Linux 3.6, Windows 8, Windows
  Server 2012, Mac OS X 10.8, and a ton of new WAPs, printers,
  routers, and other devices--including our first IP-enabled doorbell!
  Many existing fingerprints were improved. [David Fifield]

o Integrated all of your service/version detection fingerprints
  submitted since January (more than 1,500)!  Our signature
  count jumped by more than 400 to 8,645.  We now detect 897
  protocols, from extremely popular ones like http, ssh, smtp and imap
  to the more obscure airdroid, gopher-proxy, and
  enemyterritory. [David Fifield]

o Integrated your latest IPv6 OS submissions and corrections. We're
  still low on IPv6 fingerprints, so please scan any IPv6 systems you
  own or administer and submit them to http://nmap.org/submit/.  Both
  new fingerprints (if Nmap doesn't find a good match) and corrections
  (if Nmap guesses wrong) are useful.

o Enabled support for IPv6 traceroute using UDP, SCTP, and IPProto
  (Next Header) probes. [David Fifield]

o Scripts can now return a structured name-value table so that results
  are query-able from XML output. Scripts can return a string as
  before, or a table, or a table and a string. In this last case, the
  table will go to XML output and the string will go to screen output.
  See http://nmap.org/book/nse-api.html#nse-structured-output
  Miller, David Fifield, Patrick Donnelly]

o [Nsock] Added new poll and kqueue I/O engines for improved
  performance on Windows and BSD-based systems including Mac OS X.
  These are in addition to the epoll engine (used on Linux) and the
  classic select engine fallback for other system.  [Henri Doreau]

o [Ncat] Added support for Unix domain sockets. The new -U and
  --unixsock options activate this mode.  These provide compatibility
  with Hobbit's original Netcat. [Tomas Hozza]

o Moved some Windows dependencies, including OpenSSL, libsvn, and the
  vcredist files, into a new public Subversion directory
  /nmap-mswin32-aux and moved it out of the source tarball. This
  reduces the compressed tarball size from 22 MB to 8 MB and similarly
  reduces the bandwidth and storage required for an svn checkout.
  Folks who build Nmap on Windows will need to check out
  /nmap-mswin32-aux along with /nmap as described at

o Many of the great features in this release were created by college
  and grad students generously sponsored by Google's Summer of Code
  program.  Thanks, Google Open Source Department!  This year's team
  of five developers is introduced at
and their successes
  documented at http://seclists.org/nmap-dev/2012/q4/138

o [NSE] Replaced old RPC grinder (RPC enumeration, performed as part
  of version detection when a port seems to run a SunRPC service) with
  a faster and easier to maintain NSE-based implementation.  This also
  allowed us to remove the crufty old pos_scan scan engine. [Hani

o Updated our Nmap Scripting Engine to use Lua 5.2 (and then 5.2.1)
  rather than 5.1. See http://seclists.org/nmap-dev/2012/q2/34
  details. [Patrick Donnelly]

o [NSE] Added 85(!) NSE scripts, bringing the total up to 433.  They
  are all listed at http://nmap.org/nsedoc/, and the
summaries are
  below (authors are listed in brackets):

  + ajp-auth retrieves the authentication scheme and realm of an AJP
    service (Apache JServ Protocol) that requires authentication. The
    Apache JServ Protocol is commonly used by web servers to
    communicate with back-end Java application server
    containers. [Patrik Karlsson]

  + ajp-brute performs brute force passwords auditing against the
    Apache JServ protocol. [Patrik Karlsson]

  + ajp-headers performs a HEAD or GET request against either the root
    directory or any optional directory of an Apache JServ Protocol
    server and returns the server response headers. [Patrik Karlsson]

  + ajp-methods discovers which options are supported by the AJP
    (Apache JServ Protocol) server by sending an OPTIONS request and
    lists potentially risky methods. [Patrik Karlsson]

  + ajp-request requests a URI over the Apache JServ Protocol and
    displays the result (or stores it in a file). Different AJP
    methods such as; GET, HEAD, TRACE, PUT or DELETE may be
    used. [Patrik Karlsson]

  + bjnp-discover retrieves printer or scanner information from a
    remote device supporting the BJNP protocol. The protocol is known
    to be supported by network based Canon devices. [Patrik Karlsson]

  + broadcast-ataoe-discover discovers servers supporting the ATA over
    Ethernet protocol. ATA over Ethernet is an ethernet protocol
    developed by the Brantley Coile Company and allows for simple,
    high-performance access to SATA drives over Ethernet. [Patrik

  + broadcast-bjnp-discover attempts to discover Canon devices
    (Printers/Scanners) supporting the BJNP protocol by sending BJNP
    Discover requests to the network broadcast address for both ports
    associated with the protocol. [Patrik Karlsson]

  + broadcast-eigrp-discovery performs network discovery and routing
    information gathering through Cisco's EIGRP protocol. [Hani

  + broadcast-igmp-discovery discovers targets that have IGMP
    Multicast memberships and grabs interesting information. [Hani

  + broadcast-pim-discovery discovers routers that are running PIM
    (Protocol Independent Multicast). [Hani Benhabiles]

  + broadcast-tellstick-discover discovers Telldus Technologies
    TellStickNet devices on the LAN. The Telldus TellStick is used to
    wirelessly control electric devices such as lights, dimmers and
    electric outlets. [Patrik Karlsson]

  + cassandra-brute performs brute force password auditing against the
    Cassandra database. [Vlatko Kosturjak]

  + cassandra-info attempts to get basic info and server status from a
    Cassandra database. [Vlatko Kosturjak]

  + cups-info lists printers managed by the CUPS printing
    service. [Patrik Karlsson]

  + cups-queue-info Lists currently queued print jobs of the remote
    CUPS service grouped by printer. [Patrik Karlsson]

  + dict-info Connects to a dictionary server using the DICT protocol,
    runs the SHOW SERVER command, and displays the result. [Patrik

  + distcc-cve2004-2687 detects and exploits a remote code execution
    vulnerability in the distributed compiler daemon distcc. [Patrik

  + dns-check-zone checks DNS zone configuration against best
    practices, including RFC 1912.  The configuration checks are
    divided into categories which each have a number of different
    tests. [Patrik Karlsson]

  + dns-ip6-arpa-scan performs a quick reverse DNS lookup of an IPv6
    network using a technique which analyzes DNS server response codes
    to dramatically reduce the number of queries needed to enumerate
    large networks. [Patrik Karlsson]

  + dns-nsec3-enum tries to enumerate domain names from the DNS server
    that supports DNSSEC NSEC3 records. [Aleksandar Nikolic, John

  + eppc-enum-processes attempts to enumerate process info over the
    Apple Remote Event protocol.  When accessing an application over
    the Apple Remote Event protocol the service responds with the uid
    and pid of the application, if it is running, prior to requesting
    authentication. [Patrik Karlsson]

  + firewall-bypass detects a vulnerability in Netfilter and other
    firewalls that use helpers to dynamically open ports for protocols
    such as ftp and sip. [Hani Benhabiles]

  + flume-master-info retrieves information from Flume master HTTP
    pages. [John R. Bond]

  + gkrellm-info queries a GKRellM service for monitoring
    information. A single round of collection is made, showing a
    snapshot of information at the time of the request. [Patrik

  + gpsd-info retrieves GPS time, coordinates and speed from the GPSD
    network daemon. [Patrik Karlsson]

  + hostmap-robtex discovers hostnames that resolve to the target's IP
    address by querying the Robtex service at
    http://www.robtex.com/dns/. [Arturo

  + http-drupal-enum-users enumerates Drupal users by exploiting a an
    information disclosure vulnerability in Views, Drupal's most
    popular module. [Hani Benhabiles]

  + http-drupal-modules enumerates the installed Drupal modules by
    using a list of known modules. [Hani Benhabiles]

  + http-exif-spider spiders a site's images looking for interesting
    exif data embedded in .jpg files. Displays the make and model of
    the camera, the date the photo was taken, and the embedded geotag
    information. [Ron Bowes]

  + http-form-fuzzer performs a simple form fuzzing against forms
    found on websites.  Tries strings and numbers of increasing length
    and attempts to determine if the fuzzing was successful. [Piotr

  + http-frontpage-login checks whether target machines are vulnerable
    to anonymous Frontpage login. [Aleksandar Nikolic]

  + http-git checks for a Git repository found in a website's document
    root (/.git/) then retrieves as much repo
    information as possible, including language/framework, Github
    username, last commit message, and repository description. [Alex

  + http-gitweb-projects-enum retrieves a list of Git projects, owners
    and descriptions from a gitweb (web interface to the Git revision
    control system). [riemann]

  + http-huawei-hg5xx-vuln detects Huawei modems models HG530x,
    HG520x, HG510x (and possibly others...) vulnerable to a remote
    credential and information disclosure vulnerability. It also
    extracts the PPPoE credentials and other interesting configuration
    values. [Paulino Calderon]

  + http-icloud-findmyiphone retrieves the locations of all "Find my
    iPhone" enabled iOS devices by querying the MobileMe web service
    (authentication required). [Patrik Karlsson]

  + http-icloud-sendmsg sends a message to a iOS device through the
    Apple MobileMe web service. The device has to be registered with
    an Apple ID using the Find My iPhone application. [Patrik

  + http-phpself-xss crawls a web server and attempts to find PHP
    files vulnerable to reflected cross site scripting via the
    variable $_SERVER["PHP_SELF"].  [Paulino Calderon]

  + http-rfi-spider crawls webservers in search of RFI (remote file
    inclusion) vulnerabilities. It tests every form field it finds and
    every parameter of a URL containing a query. [Piotr Olma]

  + http-robtex-shared-ns Finds up to 100 domain names which use the
    same name server as the target by querying the Robtex service at
    http://www.robtex.com/dns/. [Arturo

  + http-sitemap-generator spiders a web server and displays its
    directory structure along with number and types of files in each
    folder. Note that files listed as having an 'Other' extension are
    ones that have no extension or that are a root document. [Piotr

  + http-slowloris-check tests a web server for vulnerability to the
    Slowloris DoS attack without actually launching a DoS
    attack. [Aleksandar Nikolic]

  + http-slowloris tests a web server for vulnerability to the
    Slowloris DoS attack by launching a Slowloris attack. [Aleksandar
    Nikolic, Ange Gutek]

  + http-tplink-dir-traversal exploits a directory traversal
    vulnerability existing in several TP-Link wireless
    routers. Attackers may exploit this vulnerability to read any of
    the configuration and password files remotely and without
    authentication. [Paulino Calderon]

  + http-traceroute exploits the Max-Forwards HTTP header to detect
    the presence of reverse proxies. [Hani Benhabiles]

  + http-virustotal checks whether a file has been determined as
    malware by virustotal. Virustotal is a service that provides the
    capability to scan a file or check a checksum against a number of
    the major antivirus vendors. [Patrik Karlsson]

  + http-vlcstreamer-ls connects to a VLC Streamer helper service and
    lists directory contents. The VLC Streamer helper service is used
    by the iOS VLC Streamer application to enable streaming of
    multimedia content from the remote server to the device. [Patrik

  + http-vuln-cve2010-0738 tests whether a JBoss target is vulnerable
    to jmx console authentication bypass (CVE-2010-0738). [Hani

  + http-waf-fingerprint Tries to detect the presence of a web
    application firewall and its type and version. [Hani Benhabiles]

  + icap-info tests a list of known ICAP service names and prints
    information about any it detects. The Internet Content Adaptation
    Protocol (ICAP) is used to extend transparent proxy servers and is
    generally used for content filtering and antivirus
    scanning. [Patrik Karlsson]

  + ip-forwarding detects whether the remote device has ip forwarding
    or "Internet connection sharing" enabled, by sending an ICMP echo
    request to a given target using the scanned host as default
    gateway. [Patrik Karlsson]

  + ipv6-ra-flood generates a flood of Router Advertisements (RA) with
    random source MAC addresses and IPv6 prefixes. Computers, which
    have stateless autoconfiguration enabled by default (every major
    OS), will start to compute IPv6 suffix and update their routing
    table to reflect the accepted announcement. This will cause 100%
    CPU usage on Windows and platforms, preventing to process other
    application requests. [Adam Stevko]

  + irc-sasl-brute performs brute force password auditing against IRC
    (Internet Relay Chat) servers supporting SASL
    authentication. [Piotr Olma]

  + isns-info lists portals and iSCSI nodes registered with the
    Internet Storage Name Service (iSNS). [Patrik Karlsson]

  + jdwp-exec attempts to exploit java's remote debugging port. When
    remote debugging port is left open, it is possible to inject java
    bytecode and achieve remote code execution.  This script abuses
    this to inject and execute a Java class file that executes the
    supplied shell command and returns its output. [Aleksandar

  + jdwp-info attempts to exploit java's remote debugging port.  When
    remote debugging port is left open, it is possible to inject java
    bytecode and achieve remote code execution.  This script injects
    and execute a Java class file that returns remote system
    information. [Aleksandar Nikolic]

  + jdwp-inject attempts to exploit java's remote debugging port.
    When remote debugging port is left open, it is possible to inject
    java bytecode and achieve remote code execution.  This script
    allows injection of arbitrary class files. [Aleksandar Nikolic]

  + llmnr-resolve resolves a hostname by using the LLMNR (Link-Local
    Multicast Name Resolution) protocol. [Hani Benhabiles]

  + mcafee-epo-agent check if ePO agent is running on port 8081 or
    port identified as ePO Agent port. [Didier Stevens and Daniel

  + metasploit-info gathers info from the Metasploit RPC service.  It
    requires a valid login pair. After authentication it tries to
    determine Metasploit version and deduce the OS type.  Then it
    creates a new console and executes few commands to get additional
    info. [Aleksandar Nikolic]

  + metasploit-msgrpc-brute performs brute force username and password
    auditing against Metasploit msgrpc interface. [Aleksandar Nikolic]

  + mmouse-brute performs brute force password auditing against the
    RPA Tech Mobile Mouse servers. [Patrik Karlsson]

  + mmouse-exec connects to an RPA Tech Mobile Mouse server, starts an
    application and sends a sequence of keys to it. Any application
    that the user has access to can be started and the key sequence is
    sent to the application after it has been started. [Patrik

  + mrinfo queries targets for multicast routing information. [Hani

  + msrpc-enum queries an MSRPC endpoint mapper for a list of mapped
    services and displays the gathered information. [Aleksandar

  + ms-sql-dac queries the Microsoft SQL Browser service for the DAC
    (Dedicated Admin Connection) port of a given (or all) SQL Server
    instance. The DAC port is used to connect to the database instance
    when normal connection attempts fail, for example, when server is
    hanging, out of memory or in other bad states. [Patrik Karlsson]

  + mtrace queries for the multicast path from a source to a
    destination host. [Hani Benhabiles]

  + mysql-dump-hashes dumps the password hashes from an MySQL server
    in a format suitable for cracking by tools such as John the
    Ripper.  Appropriate DB privileges (root) are required. [Patrik

  + mysql-query runs a query against a MySQL database and returns the
    results as a table. [Patrik Karlsson]

  + mysql-vuln-cve2012-2122 attempts to bypass authentication in MySQL
    and MariaDB servers by exploiting CVE2012-2122. If its vulnerable,
    it will also attempt to dump the MySQL usernames and password
    hashes. [Paulino Calderon]

  + oracle-brute-stealth exploits the CVE-2012-3137 vulnerability, a
    weakness in Oracle's O5LOGIN authentication scheme.  The
    vulnerability exists in Oracle 11g R1/R2 and allows linking the
    session key to a password hash. [Dhiru Kholia]

  + pcanywhere-brute performs brute force password auditing against
    the pcAnywhere remote access protocol. [Aleksandar Nikolic]

  + rdp-enum-encryption determines which Security layer and Encryption
    level is supported by the RDP service. It does so by cycling
    through all existing protocols and ciphers. [Patrik Karlsson]

  + rmi-vuln-classloader tests whether Java rmiregistry allows class
    loading.  The default configuration of rmiregistry allows loading
    classes from remote URLs, which can lead to remote code
    execution. The vendor (Oracle/Sun) classifies this as a design
    feature. [Aleksandar Nikolic]

  + rpc-grind fingerprints the target RPC port to extract the target
    service, RPC number and version. [Hani Benhabiles]

  + sip-call-spoof spoofs a call to a SIP phone and detects the action
    taken by the target (busy, declined, hung up, etc.) [Hani

  + sip-methods enumerates a SIP Server's allowed methods (INVITE,
    OPTIONS, SUBSCRIBE, etc.) [Hani Benhabiles]

  + smb-ls attempts to retrieve useful information about files shared
    on SMB volumes.  The output is intended to resemble the output of
    the UNIX ls command. [Patrik Karlsson]

  + smb-print-text attempts to print text on a shared printer by
    calling Print Spooler Service RPC functions. [Aleksandar Nikolic]

  + smb-vuln-ms10-054 tests whether target machines are vulnerable to
    the ms10-054 SMB remote memory corruption
    vulnerability. [Aleksandar Nikolic]

  + smb-vuln-ms10-061 tests whether target machines are vulnerable to
    ms10-061 Printer Spooler impersonation vulnerability. [Aleksandar

  + snmp-hh3c-logins attempts to enumerate Huawei / HP/H3C Locally
    Defined Users through the hh3c-user.mib OID [Kurt Grutzmacher]

  + ssl-date retrieves a target host's time and date from its TLS
    ServerHello response. [Aleksandar Nikolic]

  + tls-nextprotoneg enumerates a TLS server's supported protocols by
    using the next protocol negotiation extension. [Hani Benhabiles]

  + traceroute-geolocation lists the geographic locations of each hop
    in a traceroute and optionally saves the results to a KML file,
    plottable on Google earth and maps. [Patrik Karlsson]

o [NSE] Added 12 new protocol libraries, bring our total to 105!  Here
  they are, with authors enclosed in brackets:
  + ajp (Apache JServ Protocol) [Patrik Karlsson]
  + base32 (Base32 encoding/decoding - RFC 4648) [Philip Pickering]
  + bjnp (Canon BJNP printer/scanner discovery protocol) [Patrik Karlsson]
  + cassandra (Cassandra database protocol) [Vlatko Kosturjak]
  + eigrp (Cisco Enhanced Interior Gateway Routing Protocol) [Hani
  + gps (Global Positioning System - does GPRMC NMEA decoding) [Patrik
  + ipp (CUPS Internet Printing Protocol) [Patrik Karlsson]
  + isns (Internet Storage Name Service) [Patrik Karlsson]
  + jdwp (Java Debug Wire Protocol) [Aleksandar Nikolic]
  + mobileme (a service for managing Apple/Mac devices) [Patrik Karlsson]
  + ospf (Open Shortest Path First routing protocol) [Patrik Karlsson]
  + rdp (Remote Desktop Protocol) [Patrik Karlsson]

o Added Common Platform Enumeration (CPE) identifiers to nearly 1,000
  more OS detection signatures.  Nmap 6.01 had them for 2,608 of 3,572
  fingerprints (73%) and now we have them for 3,558 out of 3,946
  (90%). [David Fifield]

o Scans that use OS sockets (including TCP connect scan, version
  detection, and script scan) now use the SO_BINDTODEVICE sockopt on
  Linux, so that the -e (select network device) option is
  honored. [David Fifield]

o [Zenmap] Host filters can now do negative matching, for example you
  can use "os:!linux" to match hosts NOT detected as Linux. [Daniel

o Fixed a bug that caused an incorrect source address to be set when
  scanning certain addresses (apparently those ending in .0) on
  Windows XP. The symptom of this bug was the messages
    get_srcaddr: can't connect socket: The requested address is not
valid in its context.
    Failed to convert source address to presentation format!?!  Error:
Unknown error
  Thanks to Robert Washam and Jorge Hernandez for reports and help
  debugging. [David Fifield]

o Upgraded the included OpenSSL to version 1.0.1c. [David Fifield]

o [NSE] Added changes to brute and unpwdb libraries to allow more
  flexible iterator specification and control. [Aleksandar Nikolic]

o Tested that our WinPcap installer works on Windows 8 and Windows
  Server 2012 build 8400.  Updated to installer text to recommend that
  users select the option to start 'NPF' at startup. [Rob Nicholls]

o [NSE] Added CPE to smb-os-discovery output.

o [Ncat] Fixed the printing of warning messages for large arguments to
  the -i and -w options. [Michal Hlavinka]

o [Ncat] Shut down the write part of connected sockets in listen mode
  when stdin hits EOF, just as was already done in connect mode.
  [Michal Hlavinka]

o [Zenmap] Removed a crashing error that could happen when canceling a
  "Print to File" on Windows:
  Traceback (most recent call last):
    File "zenmapGUI\MainWindow.pyo", line 831, in _print_cb
    File "zenmapGUI\Print.pyo", line 156, in run_print_operation
  GError: Error from StartDoc
  This bug was reported by Imre Adácsi. [David Fifield]

o [NSE] Added new fingerprints for http-enum: Sitecore, Moodle, typo3,
  SquirrelMail, RoundCube. [Jesper Kückelhahn]

o Changed libdnet's routing interface to return an interface name for
  each route on the most common operating systems. This is used to
  improve the quality of Nmap's matching of routes to interfaces,
  which was previously done by matching routes to interface addresses.
  [Djalal Harouni, David Fifield]

o Fixed a bug that prevented Nmap from finding any interfaces when one
  of them had the type ARPHDR_INFINIBAND; this was the case for
  IP-over-InfiniBand interfaces. However, This support is not complete
  since IPoIB interfaces use 20 bytes for the hardware address, and
  currently we only report and handle 6 bytes.
  Nmap IP level scans should work without any problem, please refer to
  the '--send-ip' switch and to the following thread:
  This bug was reported by starlight.2012q3. [Djalal Harouni]

o Fixed a bug that prevented Nmap from finding any interfaces when one
  of them had the type ARPHDR_IEEE80211; this was the case for wireless
  interfaces operating in access point mode. This bug was reported by
  Sebastiaan Vileijn. [Djalal Harouni]

o Updated the Zenmap desktop icons on Windows, Linux, and Mac with higher
  resolution ones. [Sean Rivera, David Fifield]

o [NSE] Script results for a host or service are now sorted
  alphabetically by script name. [Sean Rivera]

o Fixed a bug that prevented Nmap from finding any interfaces when any
  interface had the type ARPHRD_VOID; this was the case for OpenVZ
  venet interfaces. [Djalal Harouni, David Fifield]

o Linux unreachable routes are now properly ignored. [David Fifield]

o Added Dan Miller as an Nmap committer.  He has done a ton of great
  work on Nmap, as you can see by searching for him in this CHANGELOG
  or reading the Nmap committers list at

o Added a new --disable-arp-ping option. This option prevents Nmap
  from implicitly using ARP or ND host discovery for discovering
  directly connected Ethernet targets. This is useful in networks
  using proxy ARP, which make all addresses appear to be up using ARP
  scan. The previously recommended workaround for this situation,
  --send-ip, didn't work on Windows because that lame excuse for an
  operating system is still missing raw socket support.  [David
  Fifield (editorializing added by Fyodor)]

o Protocol scan (-sO) probes for TCP, UDP, and SCTP now go to ports
  80, 40125, and 80 respectively, instead of being randomly generated
  or going to the same port as the source port. [David Fifield]

o The Nmap --log-errors functionality (including errors and warnings
  in the normal-format output file) is now always true, whether you
  pass that option or not. [Sean Rivera]

o [NSE] Rewrote ftp-brute script to use the brute library for
  performing password auditing. [Aleksandar Nikolic]

o Reduced the size of Port structures by about two thirds (from 176 to
  64 bytes on x86_64). They had accidentally grown during the IPv6
  code merge. [David Fifield]

o Made source port numbers (used to encode probe metadata) increment
  so as not to overlap between different scanning phases. Previously
  it was possible for an RST response to an ACK probe from host
  discovery to be misinterpreted as a reply to a SYN probe from port
  scanning. [Sean Rivera, David Fifield]

o [NSE] Added support for ECDSA keys to ssh-hostkey.nse. [Adam Števko]

o Changed the CPE for Linux from cpe:/o:linux:kernel to
  cpe:/o:linux:linux_kernel to reflect deprecation in the official CPE

o Added some additional CPE entries to nmap-service-probes.
  [Dillon Graham]

o Fixed an assertion failure with IPv6 traceroute trying to use an
  unsupported protocol:
    nmap: traceroute.cc:749: virtual unsigned char*
    UDPProbe::build_packet(const sockaddr_storage*, u32*) const: Assertion
    `source->ss_family == 2' failed.
  This was reported by Pierre Emeriaud. [David Fifield]

o Added version detection signatures for half a dozen new or changed
  products. [Tom Sellers]

o Fixed protocol number-to-name mapping. A patch was contributed by

o [NSE] The nmap.ip_send function now takes a second argument, the
  destination to send to. Previously the destination address was taken
  from the packet buffer, but this failed for IPv6 link-local
  addresses, because the scope ID is not part of the packet. Calling
  ip_send without a destination address will continue to use the old
  behavior, but this practice is deprecated.

o Increased portability of configure scripts on systems using a libc
  other than Glibc. Several problems were reported by John Spencer.

o [NSE] Fixed a bug in rpc-grind.nse that would cause unresponsive UDP
  ports to be wrongly marked open. This was reported by Christopher
  Clements. [David Fifield]

o [Ncat] Close connection endpoint when receiving EOF on
  stdin. [Michal Hlavinka].

o Fixed interface listing on NetBSD. The bug was first noticed by
  Fredrik Pettai and diagnosed by Jan Schaumann. [David Fifield]

o [Ncat] Applied a blocking-socket workaround for a bug that could
  prevent some sends from working in listen mode. The problem was
  reported by Jonas Wielicki. [Alex Weber, David Fifield]

o [NSE] Updated mssql.lua library to support additional data types,
  enhanced some of the existing data types, added the DoneProc
  response token, and reordered code for maintainability. [Tom

o [Nping] Nping now prints out an error and exists when the user tries to
  the -p flag for a scan option where that is meaningless. [Sean Rivera]

o [NSE] Added spoolss functions and constants to msrpc.lua. [Aleksandar

o [NSE] Reduced the number of names tried by http-vhosts by default.
  [Vlatko Kosturjak]

o [Zenmap] Fixed a crash when using the en_NG locale: "ValueError:
  unknown locale: en_NG" [David Fifield]

o [NSE] Fixed some bugs in snmp-interfaces which prevented the script from
  outputting discovered interface info and caused it to abort in the
  pre-scanning phase. [jah]

o [NSE] lltd-discovery scripts now parses for hostnames and outputs network
  card manufacturer. [Hani Benhabiles]

o Added protocol specific payloads for IPv6 hop-by-hop (0x00), routing
  fragment (0x2c), and destination (0x3c). [Sean Rivera]

o [NSE] Added support for decoding OSPF Hello packets to
  [Hani Benhabiles]

o [NSE] Fixed a false positive in http-vuln-cve2011-3192.nse, which
  Apache 2.2.22 as vulnerable. [Michael Meyer]

o [NSE] Modified multiple scripts that operated against HTTP based services
  so as to remove false positives that were generated when the target
  answers with a 200 response to all requests. [Tom Sellers]

o [NSOCK] Fixed an epoll-engine-specific bug. The engine didn't recognized
  that were internally closed and replaced by other ones. This happened
  reconnect attempts. Also, the IOD flags were not properly cleared.
  [Henri Doreau, Daniel Miller]

o Added support for log type bitmasks in log_vwrite(). Also replaced a
  statement by an assert(0) to get rid of a possible infinite call loop
  passed an invalid log type. [Henri Doreau]

o Added handling for the unexpected error WSAENETRESET (10052). This error
  currently wrapped in the ifdef for WIN32 as there error appears to be
  to windows [Sean Rivera]

o [NSE] Added default values for Expires, Call-ID, Allow and Content-Length
  headers in SIP requests and removed redundant code in sip library.
  [Hani Benhabiles]

o [NSE] Calling methods of unconnected sockets now causes the usual
  error code return value, instead of raising a Lua error. The problem
  was noticed by Daniel Miller. [David Fifield]

o [NSE] Added AUTH_UNIX support to the rpc library and NFS scripts.
  [Daniel Miller]

o [Zenmap] Fixed a crash in the profile editor that would happen when
  the nmap binary couldn't be found. [David Fifield]

o Made the various Makefiles' treatment of makefile.dep uniform:
  "make clean" keeps the file and "make distclean" deletes it.
  [Michael McTernan]

o [NSE] Fixed dozens of scripts and libraries to work better on
  system which don't have OpenSSL available. [Patrik Karlsson]

o [Ncat] --output logging now works in UDP mode. Thanks to Michal
  Hlavinka for reporting the bug. [David Fifield]

o [NSE] More Windows 7 and Windows 2008 fixes for the smb library and
  scripts. [Patrik Karlsson]

o [NSE] Added SPNEGO authentication supporting Windows 7 and Windows 2008
  the smb library. [Patrik Karlsson]

o [NSE] Changed http-brute so that it works against the root path
  ("/") by default rather than always requiring the http-brute.path
  script argument. [Fyodor]

o [NSE] Applied patch from Daniel Miller that fixes bug in several scripts
  libraries http://seclists.org/nmap-dev/2012/q2/593
[Daniel Miller]

o [Zenmap] Added Italian translation by Francesco Tombolini and
  Japanese translation by Yujiy Tounai.  Some typos in the Japanese
  translation were corrected by OKANO Takayoshi.

o [NSE] Rewrote mysql-brute to use brute library [Aleksandar Nikolic]

o Improved the mysql library to handle multiple columns with the same name,
  added a formatResultset function to format a query response to a table
  suitable for script output. [Patrik Karlsson]

o The message "nexthost: failed to determine route to ..." is now a
  warning rather than a fatal error. Addresses that are skipped in
  this way are recorded in the XML output as "target" elements. [David

o [NSE] targets-sniffer now is capable of sniffing IPv6 addresses.
  [Daniel Miller]

o [NSE] Ported the pop3-brute script to use the brute library.
  [Piotr Olma]

o [NSE] Added an error message indicating script failure, when Nmap is
  run in non verbose/debug mode. [Patrik Karlsson]

o Service-scan information is now included in XML and grepable output
  even if -sV wasn't used. This information can be set by scripts in the
  absence of -sV. [Daniel Miller]

Enjoy the new release!
Sent through the nmap-hackers mailing list
Archived at http://seclists.org/nmap-hackers/
CD: 4ms