Nmap 5.59 BETA1 - 40 new NSE scripts & improved IPv6
The Hacker News
Official Change Log:

o [NSE] Added 40 scripts, bringing the total to 217! You can learn
more about any of them at https://nmap.org/nsedoc/. Here are the new
ones (authors listed in brackets):

+ afp-ls: Lists files and their attributes from Apple Filing
Protocol (AFP) volumes. [Patrik Karlsson]

+ backorifice-brute: Performs brute force password auditing against
the BackOrifice remote administration (trojan) service. [Gorjan

+ backorifice-info: Connects to a BackOrifice service and gathers
information about the host and the BackOrifice service
itself. [Gorjan Petrovski]

+ broadcast-avahi-dos: Attempts to discover hosts in the local
network using the DNS Service Discovery protocol, then tests
whether each host is vulnerable to the Avahi NULL UDP packet
denial of service bug (CVE-2011-1002). [Djalal Harouni]

+ broadcast-netbios-master-browser: Attempts to discover master
browsers and the Windows domains they manage. [Patrik Karlsson]

+ broadcast-novell-locate: Attempts to use the Service Location
Protocol to discover Novell NetWare Core Protocol (NCP)
servers. [Patrik Karlsson]

+ creds-summary: Lists all discovered credentials (e.g. from brute
force and default password checking scripts) at end of scan.
[Patrik Karlsson]

+ dns-brute: Attempts to enumerate DNS hostnames by brute force
guessing of common subdomains. [Cirrus]

+ dns-nsec-enum: Attempts to discover target hosts' services using
the DNS Service Discovery protocol. [Patrik Karlsson]

+ dpap-brute: Performs brute force password auditing against an
iPhoto Library. [Patrik Karlsson]

+ epmd-info: Connects to Erlang Port Mapper Daemon (epmd) and
retrieves a list of nodes with their respective port
numbers. [Toni Ruottu]

+ http-affiliate-id: Grabs affiliate network IDs (e.g. Google
AdSense or Analytics, Amazon Associates, etc.) from a web
page. These can be used to identify pages with the same
owner. [Hani Benhabiles, Daniel Miller]

+ http-barracuda-dir-traversal: Attempts to retrieve the
configuration settings from a Barracuda Networks Spam & Virus
Firewall device using the directory traversal vulnerability
described at
https://seclists.org/fulldisclosure/2010/Oct/119. [Brendan Coles]

+ http-cakephp-version: Obtains the CakePHP version of a web
application built with the CakePHP framework by fingerprinting
default files shipped with the CakePHP framework. [Paulino

+ http-majordomo2-dir-traversal: Exploits a directory traversal
vulnerability existing in the Majordomo2 mailing list manager to
retrieve remote files. (CVE-2011-0049). [Paulino Calderon]

+ http-wp-plugins: Tries to obtain a list of installed WordPress
plugins by brute force testing for known plugins. [Ange Gutek]

+ ip-geolocation-geobytes: Tries to identify the physical location
of an IP address using the Geobytes geolocation web service
(https://www.geobytes.com/iplocator.htm). [Gorjan Petrovski]

+ ip-geolocation-geoplugin: Tries to identify the physical location
of an IP address using the Geoplugin geolocation web service
(https://www.geoplugin.com/). [Gorjan Petrovski]

+ ip-geolocation-ipinfodb: Tries to identify the physical location
of an IP address using the IPInfoDB geolocation web service
(https://ipinfodb.com/ip_location_api.php). [Gorjan Petrovski]

+ ip-geolocation-maxmind: Tries to identify the physical location of
an IP address using a Geolocation Maxmind database file (available
from https://www.maxmind.com/app/ip-location). [Gorjan Petrovski]

+ ldap-novell-getpass: Attempts to retrieve the Novell Universal
Password for a user. You must already have (and include in script
arguments) the username and password for an eDirectory server
administrative account. [Patrik Karlsson]

+ mac-geolocation: Looks up geolocation information for BSSID (MAC)
addresses of WiFi access points in the Google geolocation
database. [Gorjan Petrovski]

+ mysql-audit: Audit MySQL database server security configuration
against parts of the CIS MySQL v1.0.2 benchmark (the engine can
also be used for other MySQL audits by creating appropriate audit
files). [Patrik Karlsson]

+ ncp-enum-users: Retrieves a list of all eDirectory users from the
Novell NetWare Core Protocol (NCP) service. [Patrik Karlsson]

+ ncp-serverinfo: Retrieves eDirectory server information (OS
version, server name, mounts, etc.) from the Novell NetWare Core
Protocol (NCP) service. [Patrik Karlsson]

+ nping-brute: Performs brute force password auditing against an
Nping Echo service. [Toni Ruottu]

+ omp2-brute: Performs brute force password auditing against the
OpenVAS manager using OMPv2. [Henri Doreau]

+ omp2-enum-targets: Attempts to retrieve the list of target systems
and networks from an OpenVAS Manager server. [Henri Doreau]

+ ovs-agent-version: Detects the version of an Oracle OVSAgentServer
by fingerprinting responses to an HTTP GET request and an XML-RPC
method call. [David Fifield]

+ quake3-master-getservers: Queries Quake3-style master servers for
game servers (many games other than Quake 3 use this same
protocol). [Toni Ruottu]

+ servicetags: Attempts to extract system information (OS, hardware,
etc.) from the Sun Service Tags service agent (UDP port
6481). [Matthew Flanagan]

+ sip-brute: Performs brute force password auditing against Session
Initiation Protocol (SIP -


accounts. This protocol is most commonly associated with VoIP
sessions. [Patrik Karlsson]

+ sip-enum-users: Attempts to enumerate valid SIP user accounts.
Currently only the SIP server Asterisk is supported. [Patrik

+ smb-mbenum: Queries information managed by the Windows Master
Browser. [Patrik Karlsson]

+ smtp-vuln-cve2010-4344: Checks for and/or exploits a heap overflow
within versions of Exim prior to version 4.69 (CVE-2010-4344) and
a privilege escalation vulnerability in Exim 4.72 and prior
(CVE-2010-4345). [Djalal Harouni]

+ smtp-vuln-cve2011-1720: Checks for a memory corruption in the
Postfix SMTP server when it uses Cyrus SASL library authentication
mechanisms (CVE-2011-1720). This vulnerability can allow denial
of service and possibly remote code execution. [Djalal Harouni]

+ snmp-ios-config: Attempts to downloads Cisco router IOS
configuration files using SNMP RW (v1) and display or save
them. [Vikas Singhal, Patrik Karlsson]

+ ssl-known-key: Checks whether the SSL certificate used by a host
has a fingerprint that matches an included database of problematic
keys. [Mak Kolybabi]

+ targets-sniffer: Sniffs the local network for a configurable
amount of time (10 seconds by default) and prints discovered
addresses. If the newtargets script argument is set, discovered
addresses are added to the scan queue. [Nick Nikolaou]

+ xmpp: Connects to an XMPP server (port 5222) and collects server
information such as supported auth mechanisms, compression methods
and whether TLS is supported and mandatory. [Vasiliy Kulikov]

o Nmap has long supported IPv6 for basic (connect) port scans, basic
host discovery, version detection, Nmap Scripting Engine. This
release dramatically expands and improves IPv6 support:
+ IPv6 raw packet scans (including SYN scan, UDP scan, ACK scan,
etc.) are now supported. [David, Weilin]
+ IPv6 raw packet host discovery (IPv6 echo requests, TCP/UDP
discovery packets, etc.) is now supported. [David, Weilin]
+ IPv6 traceroute is now supported [David]
+ IPv6 protocol scan (-sO) is now supported, including creating
realistic headers for many protocols. [David]
+ IPv6 support to the wsdd, dnssd and upnp NSE libraries. [Daniel
Miller, Patrik]
+ The --exclude and --excludefile now support IPV6 addresses with
netmasks. [Colin]

o Scanme.Nmap.Org (the system anyone is allowed to scan for testing
purposes) is now dual-stacked (has an IPv6 address as well as IPv4)
so you can scan it during IPv6 testing. We also added a DNS record
for ScanmeV6.nmap.org which is IPv6-only. See
https://seclists.org/nmap-dev/2011/q2/428. [Fyodor]

o The Nmap.Org website as well as sister sites Insecure.Org,
SecLists.Org, and SecTools.Org all have working IPv6 addresses now
(dual stacked). [Fyodor]

o Nmap now determines the filesystem location it is being run from and
that path is now included early in the search path for data files
(such as nmap-services). This reduces the likelihood of needing to
specify --datadir or getting data files from a different version of
Nmap installed on the system. For full details, see
https://nmap.org/book/data-files-replacing-data-files.html. Thanks
to Solar Designer for implementation advice. [David]

o Created a page on our SecWiki for collecting Nmap script ideas! If
you have a good idea, post it to the incoming section of the page.
Or if you're in a script writing mood but don't know what to write,
come here for inspiration: https://secwiki.org/w/Nmap_Script_Ideas.

o The development pace has greatly increased because Google (again)
sponsored a 7 full-time college and graduate student programmer
interns this summer as part of their Summer of Code program!
Thanks, Google Open Source Department! We're delighted to introduce
the team: https://seclists.org/nmap-dev/2011/q2/312

o [NSE] Added 7 new protocol libraries, bringing the total to 66. You
can read about them all at https://nmap.org/nsedoc/. Here are the new
ones (authors listed in brackets):

+ creds: Handles storage and retrieval of discovered credentials
(such as passwords discovered by brute force scripts). [Patrik

+ ncp: A tiny implementation of Novell Netware Core Protocol
(NCP). [Patrik Karlsson]

+ omp2: OpenVAS Management Protocol (OMP) version 2 support. [Henri

+ sip: Supports a limited subset of SIP commands and
methods. [Patrik Karlsson]

+ smtp: Simple Mail Transfer Protocol (SMTP) operations. [Djalal

+ srvloc: A relatively small implementation of the Service Location
Protocol. [Patrik Karlsson]

+ tftp: Implements a minimal TFTP server. It is used in
snmp-ios-config to obtain router config files.[Patrik Karlsson]

o Improved Nmap's service/version detection database by adding:
+ Apple iPhoto (DPAP) protocol probe [Patrik]
+ Zend Java Bridge probe [Michael Schierl]
+ BackOrifice probe [Gorjan Petrovski]
+ GKrellM probe [Toni Ruotto]
+ Signature improvements for a wide variety of services (we now have
7,375 signatures)

o [NSE] ssh-hostkey now additionally has a postrule that prints hosts
found during the scan which share the same hostkey. [Henri Doreau]

o [NSE] Added 300+ new signatures to http-enum which look for admin
directories, JBoss, Tomcat, TikiWiki, Majordomo2, MS SQL, WordPress,
and more. [Paulino]

o Made the final IP address space assignment update as all available
IPv4 address blocks have now been allocated to the regional
registries. Our random IP generation (-iR) logic now only excludes
the various reserved blocks. Thanks to Kris for years of regular
updates to this function!

o [NSE] Replaced http-trace with a new more effective version. [Paulino]

o Performed some output cleanup work to remove unimportant status
lines so that it is easier to find the good stuff! [David]

o [Zenmap] now properly kills Nmap scan subprocess when you cancel a
scan or quit Zenmap on Windows. [Shinnok]

o [NSE] Banned scripts from being in both the "default" and
"intrusive" categories. We did this by removing dhcp-discover and
dns-zone-transfer from the set of scripts run by default (leaving
them "intrusive"), and reclassifying dns-recursion, ftp-bounce,
http-open-proxy, and socks-open-proxy as "safe" rather than
"intrusive" (keeping them in the "default" set).

o [NSE] Added a credential storage library (creds.lua) and modified
the brute library and scripts to make use of it. [Patrik]

o [Ncat] Created a portable version of ncat.exe that you can just drop
onto Microsoft Windows systems without having to run any installer
or copy over extra library files. See the Ncat page
(https://nmap.org/ncat/) for binary downloads and a link to build
instructions. [Shinnok]

o Fix a segmentation fault which could occur when running Nmap on
various Android-based phones. The problem related to NULL being
passed to freeaddrinfo(). [David, Vlatko Kosturjak]

o [NSE] The host.bin_ip and host.bin_ip_src entries now also work with
16-byte IPv6 addresses. [David]

o [Ncat] Updated the ca-bundle.crt list of trusted certificate
authority certificates. [David]

o [NSE] Fixed a bug in the SMB Authentication library which could
prevent concurrently running scripts with valid credentials from
logging in. [Chris Woodbury]

o [NSE] Re-worked http-form-brute.nse to better autodetect form
fields, allow brute force attempts where only the password (no
username) is needed, follow HTTP redirects, and better detect
incorrect login attempts. [Patrik, Daniel Miller]

o [Zenmap] Changed the "slow comprehensive scan" profile's NSE script
selection from "all" to "default or (discovery and safe)"
categories. Except for testing and debugging, "--script all" is
rarely desirable.

o [NSE] Added the stdnse.silent_require method which is used for
library requires that you know might fail (e.g. "openssl" fails if
Nmap was compiled without that library). If these libraries are
called with silent_require and fail to load, the script will cease
running but the user won't be presented with ugly failure messages
as would happen with a normal require. [Patrick Donnelly]

o [Ncat] ncat now listens on both localhost and ::1 when you run ncat
-l. It works as before if you specify -4 or -6 or a specific
address. [Colin Rice]

o [Zenmap] Fixed a bug in topology mapper which caused endpoints
behind firewalls to sometimes show up in the wrong place (see
https://seclists.org/nmap-dev/2011/q2/733). [Colin Rice]

o [Zenmap] If you scan a system twice, any open ports from the first
scan which are closed in the 2nd will be properly marked as
closed. [Colin Rice].

o [Zenmap] Fixed an error that could cause a crash ("TypeError: an
integer is required") if a sort column in the ports table was unset.

o [Ndiff] Added nmaprun element information (Nmap version, scan date,
etc.) to the diff. Also, the Nmap banner with version number and
data is now only printed if there were other differences in the
scan. [Daniel Miller, David, Dr. Jesus]

o [NSE] Added nmap.get_interface and nmap.get_interface_info functions
so scripts can access characteristics of the scanning interface.
Removed nmap.get_interface_link. [Djalal]

o Fixed an overflow in scan elapsed time display that caused negative
times to be printed after about 25 days. [Daniel Miller]

o Updated nmap-rpc from the master list, now maintained by IANA.
[Daniel Miller, David]

o [Zenmap] Fixed a bug in the option parser: -sN (null scan) was
interpreted as -sn (no port scan). This was reported by
Shitaneddine. [David]

o [Ndiff] Fixed the Mac OS X packages to use the correct path for
Python: /usr/bin/python instead of /opt/local/bin/python. The bug
was reported by Wellington Castello. [David]

o Removed the -sR (RPC scan) option--it is now an alias for -sV
(version scan), which always does RPC scan when an rpcinfo service
is detected.

o [NSE] Improved the ms-sql scripts and library in several ways:
- Improved version detection and server discovery
- Added support for named pipes, integrated authentication, and
connecting to instances by name or port
- Improved script and library stability and documentation.
[Patrik Karlsson, Chris Woodbury]

o [NSE] Fixed http.validate_options when handling a cookie table.
[Sebastian Prengel]

o Added a Service Tags UDP probe for port 6481/udp. [David]

o [NSE] Enabled firewalk.nse to automatically find the gateways at
which probes are dropped and fixed various bugs. [Henri Doreau]

o [Zenmap] Worked around a pycairo bug that prevented saving the
topology graphic as PNG on Windows: "Error Saving Snapshot:
Surface.write_to_png takes one argument which must be a filename
(str), file object, or a file-like object which has a 'write' method
(like StringIO)". The problem was reported by Alex Kah. [David]

o The -V and --version options now show the platform Nmap was compiled
on, which features are compiled in, the version numbers of libraries
it is linked against, and whether the libraries are the ones that
come with Nmap or the operating system. [Ambarisha B., David]

o Fixed some inconsistencies in nmap-os-db reported by Xavier Sudre
from netVigilance.

o The Nmap Win32 uninstaller now properly deletes nping.exe. [Fyodor]

o [NSE] Added a shortport.ssl function which can be used as a script
portrule to match SSL services. It is similar in concept to our
existing shortport.http. [David]

o Set up the RPM build to use the compat-glibc and compat-gcc-34-c++
packages (on CentOS 5.3) to resolve a report of Nmap failing to run
on old versions of Glibc. [David]

o We no longer support Nmap on versions of Windows earlier than XP
SP2. Even Microsoft no longer supports Windows versions that old.
But if you must use Nmap on such systems anyway, please see


o There were hundreds of other little bug fixes and improvements
(especially to NSE scripts). See the SVN logs for revisions 22,274
through 24,460 for details.

Download Here

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.