Nmap 6.25 - Changelog

What's new in Nmap 6.25:

November 30th, 2012

· [NSE] Added CPE to smb-os-discovery output.
· [Ncat] Fixed the printing of warning messages for large arguments to the -i and -w options. [Michal Hlavinka]
· [Ncat] Shut down the write part of connected sockets in listen mode when stdin hits EOF, just as was already done in connect mode. [Michal Hlavinka]
· [Zenmap] Removed a crashing error that could happen when canceling a "Print to File" on Windows: Traceback (most recent call last): File "zenmapGUI\MainWindow.pyo", line 831, in _print_cb File "zenmapGUI\Print.pyo", line 156, in run_print_operation GError: Error from StartDoc This bug was reported by Imre Adácsi. [David Fifield]
· [NSE] Added new fingerprints for http-enum: Sitecore, Moodle, typo3, SquirrelMail, RoundCube. [Jesper Kückelhahn]
· Added some new checks for failed library calls. [Bill Parker]

What's new in Nmap 5.59 Beta 1:

July 11th, 2011

[NSE] Added 40 scripts, bringing the total to 217! You can learn more about any of them at http://nmap.org/nsedoc/. Here are the new ones (authors listed in brackets):

· afp-ls: Lists files and their attributes from Apple Filing Protocol (AFP) volumes. [Patrik Karlsson]
· backorifice-brute: Performs brute force password auditing against the BackOrifice remote administration (trojan) service. [Gorjan Petrovski]
· backorifice-info: Connects to a BackOrifice service and gathers information about the host and the BackOrifice service itself. [Gorjan Petrovski]
· broadcast-avahi-dos: Attempts to discover hosts in the local network using the DNS Service Discovery protocol, then tests whether each host is vulnerable to the Avahi NULL UDP packet denial of service bug (CVE-2011-1002). [Djalal Harouni]
· broadcast-netbios-master-browser: Attempts to discover master browsers and the Windows domains they manage. [Patrik Karlsson]
· broadcast-novell-locate: Attempts to use the Service Location Protocol to discover Novell NetWare Core Protocol (NCP) servers. [Patrik Karlsson]
· creds-summary: Lists all discovered credentials (e.g. from brute force and default password checking scripts) at end of scan. [Patrik Karlsson]
· dns-brute: Attempts to enumerate DNS hostnames by brute force guessing of common subdomains. [Cirrus]
· dns-nsec-enum: Attempts to discover target hosts' services using the DNS Service Discovery protocol. [Patrik Karlsson]
· dpap-brute: Performs brute force password auditing against an iPhoto Library. [Patrik Karlsson]
· epmd-info: Connects to Erlang Port Mapper Daemon (epmd) and retrieves a list of nodes with their respective port numbers. [Toni Ruottu]
· http-affiliate-id: Grabs affiliate network IDs (e.g. Google AdSense or Analytics, Amazon Associates, etc.) from a web page. These can be used to identify pages with the same owner. [Hani Benhabiles, Daniel Miller]
· http-barracuda-dir-traversal: Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability described at http://seclists.org/fulldisclosure/2010/Oct/119. [Brendan Coles]
· http-cakephp-version: Obtains the CakePHP version of a web application built with the CakePHP framework by fingerprinting default files shipped with the CakePHP framework. [Paulino Calderon]
· http-majordomo2-dir-traversal: Exploits a directory traversal vulnerability existing in the Majordomo2 mailing list manager to retrieve remote files. (CVE-2011-0049). [Paulino Calderon]
· http-wp-plugins: Tries to obtain a list of installed WordPress plugins by brute force testing for known plugins. [Ange Gutek]
· ip-geolocation-geobytes: Tries to identify the physical location of an IP address using the Geobytes geolocation web service (http://www.geobytes.com/iplocator.htm). [Gorjan Petrovski]
· ip-geolocation-geoplugin: Tries to identify the physical location of an IP address using the Geoplugin geolocation web service (http://www.geoplugin.com/). [Gorjan Petrovski]
· ip-geolocation-ipinfodb: Tries to identify the physical location of an IP address using the IPInfoDB geolocation web service (http://ipinfodb.com/ip_location_api.php). [Gorjan Petrovski]
· ip-geolocation-maxmind: Tries to identify the physical location of an IP address using a Geolocation Maxmind database file (available from http://www.maxmind.com/app/ip-location). [Gorjan Petrovski]
· ldap-novell-getpass: Attempts to retrieve the Novell Universal Password for a user. You must already have (and include in script arguments) the username and password for an eDirectory server administrative account. [Patrik Karlsson]
· mac-geolocation: Looks up geolocation information for BSSID (MAC) addresses of WiFi access points in the Google geolocation database. [Gorjan Petrovski]
· mysql-audit: Audit MySQL database server security configuration against parts of the CIS MySQL v1.0.2 benchmark (the engine can also be used for other MySQL audits by creating appropriate audit files). [Patrik Karlsson]
· ncp-enum-users: Retrieves a list of all eDirectory users from the Novell NetWare Core Protocol (NCP) service. [Patrik Karlsson]
· ncp-serverinfo: Retrieves eDirectory server information (OS version, server name, mounts, etc.) from the Novell NetWare Core Protocol (NCP) service. [Patrik Karlsson]
· nping-brute: Performs brute force password auditing against an Nping Echo service. [Toni Ruottu]
· omp2-brute: Performs brute force password auditing against the OpenVAS manager using OMPv2. [Henri Doreau]
· omp2-enum-targets: Attempts to retrieve the list of target systems and networks from an OpenVAS Manager server. [Henri Doreau]
· ovs-agent-version: Detects the version of an Oracle OVSAgentServer by fingerprinting responses to an HTTP GET request and an XML-RPC method call. [David Fifield]
· quake3-master-getservers: Queries Quake3-style master servers for game servers (many games other than Quake 3 use this same protocol). [Toni Ruottu]
· servicetags: Attempts to extract system information (OS, hardware, etc.) from the Sun Service Tags service agent (UDP port 6481). [Matthew Flanagan]
· sip-brute: Performs brute force password auditing against Session Initiation Protocol (SIP - http://en.wikipedia.org/wiki/Session_Initiation_Protocol) accounts. This protocol is most commonly associated with VoIP sessions. [Patrik Karlsson]
· sip-enum-users: Attempts to enumerate valid SIP user accounts. Currently only the SIP server Asterisk is supported. [Patrik Karlsson]
· smb-mbenum: Queries information managed by the Windows Master Browser. [Patrik Karlsson]
· smtp-vuln-cve2010-4344: Checks for and/or exploits a heap overflow within versions of Exim prior to version 4.69 (CVE-2010-4344) and a privilege escalation vulnerability in Exim 4.72 and prior (CVE-2010-4345). [Djalal Harouni]
· smtp-vuln-cve2011-1720: Checks for a memory corruption in the Postfix SMTP server when it uses Cyrus SASL library authentication mechanisms (CVE-2011-1720). This vulnerability can allow denial of service and possibly remote code execution. [Djalal Harouni]
· snmp-ios-config: Attempts to downloads Cisco router IOS configuration files using SNMP RW (v1) and display or save them. [Vikas Singhal, Patrik Karlsson]
· ssl-known-key: Checks whether the SSL certificate used by a host has a fingerprint that matches an included database of problematic keys. [Mak Kolybabi]
· targets-sniffer: Sniffs the local network for a configurable amount of time (10 seconds by default) and prints discovered addresses. If the newtargets script argument is set, discovered addresses are added to the scan queue. [Nick Nikolaou]
· xmpp: Connects to an XMPP server (port 5222) and collects server information such as supported auth mechanisms, compression methods and whether TLS is supported and mandatory. [Vasiliy Kulikov]

Nmap has long supported IPv6 for basic (connect) port scans, basic host discovery, version detection, Nmap Scripting Engine. This release dramatically expands and improves IPv6 support:

· IPv6 raw packet scans (including SYN scan, UDP scan, ACK scan, etc.) are now supported. [David, Weilin]
· IPv6 raw packet host discovery (IPv6 echo requests, TCP/UDP discovery packets, etc.) is now supported. [David, Weilin]
· IPv6 traceroute is now supported [David]
· IPv6 protocol scan (-sO) is now supported, including creating realistic headers for many protocols. [David]
· IPv6 support to the wsdd, dnssd and upnp NSE libraries. [Daniel Miller, Patrik]
· The --exclude and --excludefile now support IPV6 addresses with netmasks. [Colin]

· Scanme.Nmap.Org (the system anyone is allowed to scan for testing purposes) is now dual-stacked (has an IPv6 address as well as IPv4) so you can scan it during IPv6 testing. We also added a DNS record for ScanmeV6.nmap.org which is IPv6-only. See http://seclists.org/nmap-dev/2011/q2/428. [Fyodor]
· The Nmap.Org website as well as sister sites Insecure.Org, SecLists.Org, and SecTools.Org all have working IPv6 addresses now (dual stacked). [Fyodor]
· Nmap now determines the filesystem location it is being run from and that path is now included early in the search path for data files (such as nmap-services). This reduces the likelihood of needing to specify --datadir or getting data files from a different version of Nmap installed on the system. For full details, see http://nmap.org/book/data-files-replacing-data-files.html. Thanks to Solar Designer for implementation advice. [David]
· Created a page on our SecWiki for collecting Nmap script ideas! If you have a good idea, post it to the incoming section of the page. Or if you're in a script writing mood but don't know what to write, come here for inspiration: https://secwiki.org/w/Nmap_Script_Ideas.
· The development pace has greatly increased because Google (again) sponsored a 7 full-time college and graduate student programmer interns this summer as part of their Summer of Code program! Thanks, Google Open Source Department! We're delighted to introduce the team: http://seclists.org/nmap-dev/2011/q2/312
[NSE] Added 7 new protocol libraries, bringing the total to 66. You can read about them all at http://nmap.org/nsedoc/. Here are the new ones (authors listed in brackets):

· creds: Handles storage and retrieval of discovered credentials (such as passwords discovered by brute force scripts). [Patrik Karlsson]
· ncp: A tiny implementation of Novell Netware Core Protocol (NCP). [Patrik Karlsson]
· omp2: OpenVAS Management Protocol (OMP) version 2 support. [Henri Doreau]
· sip: Supports a limited subset of SIP commands and methods. [Patrik Karlsson]
· smtp: Simple Mail Transfer Protocol (SMTP) operations. [Djalal Harouni]
· srvloc: A relatively small implementation of the Service Location Protocol. [Patrik Karlsson]
· tftp: Implements a minimal TFTP server. It is used in snmp-ios-config to obtain router config files.[Patrik Karlsson]

Improved Nmap's service/version detection database by adding:

· Apple iPhoto (DPAP) protocol probe [Patrik]
· Zend Java Bridge probe [Michael Schierl]
· BackOrifice probe [Gorjan Petrovski]
· GKrellM probe [Toni Ruotto]
· Signature improvements for a wide variety of services (we now have 7,375 signatures)

· [NSE] ssh-hostkey now additionally has a postrule that prints hosts found during the scan which share the same hostkey. [Henri Doreau]
· [NSE] Added 300+ new signatures to http-enum which look for admin directories, JBoss, Tomcat, TikiWiki, Majordomo2, MS SQL, Wordpress, and more. [Paulino]
· Made the final IP address space assignment update as all available IPv4 address blocks have now been allocated to the regional registries. Our random IP generation (-iR) logic now only excludes the various reserved blocks. Thanks to Kris for years of regular updates to this function!
· [NSE] Replaced http-trace with a new more effective version. [Paulino]
· Performed some output cleanup work to remove unimportant status lines so that it is easier to find the good stuff! [David]
· [Zenmap] now properly kills Nmap scan subprocess when you cancel a scan or quit Zenmap on Windows. [Shinnok]
· [NSE] Banned scripts from being in both the "default" and "intrusive" categories. We did this by removing dhcp-discover and dns-zone-transfer from the set of scripts run by default (leaving them "intrusive"), and reclassifying dns-recursion, ftp-bounce, http-open-proxy, and socks-open-proxy as "safe" rather than "intrusive" (keeping them in the "default" set).
· [NSE] Added a credential storage library (creds.lua) and modified the brute library and scripts to make use of it. [Patrik]
· [Ncat] Created a portable version of ncat.exe that you can just drop onto Microsoft Windows systems without having to run any installer or copy over extra library files. See the Ncat page (http://nmap.org/ncat/) for binary downloads and a link to build instructions. [Shinnok]
· Fix a segmentation fault which could occur when running Nmap on various Android-based phones. The problem related to NULL being passed to freeaddrinfo(). [David, Vlatko Kosturjak]
· [NSE] The host.bin_ip and host.bin_ip_src entries now also work with 16-byte IPv6 addresses. [David]
· [Ncat] Updated the ca-bundle.crt list of trusted certificate authority certificates. [David]
· [NSE] Fixed a bug in the SMB Authentication library which could prevent concurrently running scripts with valid credentials from logging in. [Chris Woodbury]
· [NSE] Re-worked http-form-brute.nse to better autodetect form fields, allow brute force attempts where only the password (no username) is needed, follow HTTP redirects, and better detect incorrect login attempts. [Patrik, Daniel Miller]
· [Zenmap] Changed the "slow comprehensive scan" profile's NSE script selection from "all" to "default or (discovery and safe)" categories. Except for testing and debugging, "--script all" is rarely desirable.
· [NSE] Added the stdnse.silent_require method which is used for library requires that you know might fail (e.g. "openssl" fails if Nmap was compiled without that library). If these libraries are called with silent_require and fail to load, the script will cease running but the user won't be presented with ugly failure messages as would happen with a normal require. [Patrick Donnelly]
· [Ncat] ncat now listens on both localhost and ::1 when you run ncat -l. It works as before if you specify -4 or -6 or a specific address. [Colin Rice]
· [Zenmap] Fixed a bug in topology mapper which caused endpoints behind firewalls to sometimes show up in the wrong place (see http://seclists.org/nmap-dev/2011/q2/733). [Colin Rice]
· [Zenmap] If you scan a system twice, any open ports from the first scan which are closed in the 2nd will be properly marked as closed. [Colin Rice].
· [Zenmap] Fixed an error that could cause a crash ("TypeError: an integer is required") if a sort column in the ports table was unset. [David]
· [Ndiff] Added nmaprun element information (Nmap version, scan date, etc.) to the diff. Also, the Nmap banner with version number and data is now only printed if there were other differences in the scan. [Daniel Miller, David, Dr. Jesus]
· [NSE] Added nmap.get_interface and nmap.get_interface_info functions so scripts can access characteristics of the scanning interface. Removed nmap.get_interface_link. [Djalal]
· Fixed an overflow in scan elapsed time display that caused negative times to be printed after about 25 days. [Daniel Miller]
· Updated nmap-rpc from the master list, now maintained by IANA. [Daniel Miller, David]
· [Zenmap] Fixed a bug in the option parser: -sN (null scan) was interpreted as -sn (no port scan). This was reported by Shitaneddine. [David]
· [Ndiff] Fixed the Mac OS X packages to use the correct path for Python: /usr/bin/python instead of /opt/local/bin/python. The bug was reported by Wellington Castello. [David]
· Removed the -sR (RPC scan) option--it is now an alias for -sV (version scan), which always does RPC scan when an rpcinfo service is detected.
[NSE] Improved the ms-sql scripts and library in several ways:

· Improved version detection and server discovery
· Added support for named pipes, integrated authentication, and connecting to instances by name or port
· Improved script and library stability and documentation.

· [Patrik Karlsson, Chris Woodbury]
· [NSE] Fixed http.validate_options when handling a cookie table. [Sebastian Prengel]
· Added a Service Tags UDP probe for port 6481/udp. [David]
· [NSE] Enabled firewalk.nse to automatically find the gateways at which probes are dropped and fixed various bugs. [Henri Doreau]
· [Zenmap] Worked around a pycairo bug that prevented saving the topology graphic as PNG on Windows: "Error Saving Snapshot: Surface.write_to_png takes one argument which must be a filename (str), file object, or a file-like object which has a 'write' method (like StringIO)". The problem was reported by Alex Kah. [David]
· The -V and --version options now show the platform Nmap was compiled on, which features are compiled in, the version numbers of libraries it is linked against, and whether the libraries are the ones that come with Nmap or the operating system. [Ambarisha B., David]
· Fixed some inconsistencies in nmap-os-db reported by Xavier Sudre from netVigilance.
· The Nmap Win32 uninstaller now properly deletes nping.exe. [Fyodor]
· [NSE] Added a shortport.ssl function which can be used as a script portrule to match SSL services. It is similar in concept to our existing shortport.http. [David]
· Set up the RPM build to use the compat-glibc and compat-gcc-34-c++ packages (on CentOS 5.3) to resolve a report of Nmap failing to run on old versions of Glibc. [David]
· We no longer support Nmap on versions of Windows earlier than XP SP2. Even Microsoft no longer supports Windows versions that old. But if you must use Nmap on such systems anyway, please see https://secwiki.org/w/Nmap_On_Old_Windows_Releases.
· There were hundreds of other little bug fixes and improvements (especially to NSE scripts). See the SVN logs for revisions 22,274 through 24,460 for details.

What's new in Nmap 5.50:

February 2nd, 2011

· [Zenmap] Added a new script selection interface, allowing you to choose scripts and arguments from a list which includes descriptions of every available script. Just click the "Scripting" tab in the profile editor. [Kirubakaran]
· [Nping] Added echo mode, a novel technique for discovering how your packets are changed (or dropped) in transit between the host they originated and a target machine. It can detect network address translation, packet filtering, routing anomalies, and more. You can try it out against our public Nping echo server using this command: nping --echo-client "public" echo.nmap.org' Or learn more about echo mode at http://nmap.org/book/nping-man-echo-mode.html. [Luis]
[NSE] Added an amazing 46 scripts, bringing the total to 177! You can learn more about any of them at http://nmap.org/nsedoc/. Here are the new ones (authors listed in brackets):
· broadcast-dns-service-discovery: Attempts to discover hosts' services using the DNS Service Discovery protocol. It sends a multicast DNS-SD query and collects all the responses. [Patrik Karlsson]
· broadcast-dropbox-listener: Listens for the LAN sync information broadcasts that the Dropbox.com client broadcasts every 20 seconds, then prints all the discovered client IP addresses, port numbers, version numbers, display names, and more. [Ron Bowes, Mak Kolybabi, Andrew Orr, Russ Tait Milne]
· broadcast-ms-sql-discover: Discovers Microsoft SQL servers in the same broadcast domain. [Patrik Karlsson]
· broadcast-upnp-info: Attempts to extract system information from the UPnP service by sending a multicast query, then collecting, parsing, and displaying all responses. [Patrik Karlsson]
· broadcast-wsdd-discover: Uses a multicast query to discover devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later). [Patrik Karlsson]
· db2-discover: Attempts to discover DB2 servers on the network by querying open ibm-db2 UDP ports (normally port 523). [Patrik Karlsson]
· dns-update.nse: Attempts to perform an unauthenticated dynamic DNS update. [Patrik Karlsson]
· domcon-brute: Performs brute force password auditing against the Lotus Domino Console. [Patrik Karlsson]
· domcon-cmd: Runs a console command on the Lotus Domino Console with the given authentication credentials (see also: domcon-brute). [Patrik Karlsson]
· domino-enum-users: Attempts to discover valid IBM Lotus Domino users and download their ID files by exploiting the CVE-2006-5835 vulnerability. [Patrik Karlsson]
· firewalk: Tries to discover firewall rules using an IP TTL expiration technique known as firewalking. [Henri Doreau]
· ftp-proftpd-backdoor: Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID 69562. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with a script argument. [Mak Kolybabi]
· giop-info: Queries a CORBA naming server for a list of objects. [Patrik Karlsson]
· gopher-ls: Lists files and directories at the root of a Gopher service. Remember those? [Toni Ruottu]
· hddtemp-info: Reads hard disk information (such as brand, model, and sometimes temperature) from a listening hddtemp service. [Toni Ruottu]
· hostmap: Tries to find hostnames that resolve to the target's IP address by querying the online database at http://www.bfk.de/bfk_dnslogger.html. [Ange Gutek]
· http-brute: Performs brute force password auditing against http basic authentication. [Patrik Karlsson]
· http-domino-enum-passwords: Attempts to enumerate the hashed Domino Internet Passwords that are (by default) accessible by all authenticated users. This script can also download any Domino ID Files attached to the Person document. [Patrik Karlsson]
· http-form-brute: Performs brute force password auditing against http form-based authentication. [Patrik Karlsson]
· http-vhosts: Searches for web virtual hostnames by making a large number of HEAD requests against http servers using common hostnames. [Carlos Pantelides]
· informix-brute: Performs brute force password auditing against IBM Informix Dynamic Server. [Patrik Karlsson]
· informix-query: Runs a query against IBM Informix Dynamic Server using the given authentication credentials (see also: informix-brute). [Patrik Karlsson]
· informix-tables: Retrieves a list of tables and column definitions for each database on an Informix server. [Patrik Karlsson]
· iscsi-brute: Performs brute force password auditing against iSCSI targets. [Patrik Karlsson]
· iscsi-info: Collects and displays information from remote iSCSI targets. [Patrik Karlsson]
· modbus-discover: Enumerates SCADA Modbus slave ids (sids) and collects their device information. [Alexander Rudakov]
· nat-pmp-info: Queries a NAT-PMP service for its external address. [Patrik Karlsson]
· netbus-auth-bypass: Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password. [Toni Ruottu]
· netbus-brute: Performs brute force password auditing against the Netbus backdoor ("remote administration") service. [Toni Ruottu]
· netbus-info: Opens a connection to a NetBus server and extracts information about the host and the NetBus service itself. [Toni Ruottu]
· netbus-version: Extends version detection to detect NetBuster, a honeypot service that mimes NetBus. [Toni Ruottu]
· nrpe-enum: Queries Nagios Remote Plugin Executor (NRPE) daemons to obtain information such as load averages, process counts, logged in user information, etc. [Mak Kolybabi]
· oracle-brute: Performs brute force password auditing against Oracle servers. [Patrik Karlsson]
· oracle-enum-users: Attempts to enumerate valid Oracle user names against unpatched Oracle 11g servers (this bug was fixed in Oracle's October 2009 Critical Patch Update). [Patrik Karlsson]
· path-mtu: Performs simple Path MTU Discovery to target hosts. [Kris Katterjohn]
· resolveall: Resolves hostnames and adds every address (IPv4 or IPv6, depending on Nmap mode) to Nmap's target list. This differs from Nmap's normal host resolution process, which only scans the first address (A or AAAA record) returned for each host name. [Kris Katterjohn]
· rmi-dumpregistry: Connects to a remote RMI registry and attempts to dump all of its objects. [Martin Holst Swende]
· smb-flood: Exhausts a remote SMB server's connection limit by by opening as many connections as we can. Most implementations of SMB have a hard global limit of 11 connections for user accounts and 10 connections for anonymous. Once that limit is reached, further connections are denied. This script exploits that limit by taking up all the connections and holding them. [Ron Bowes]
· ssh2-enum-algos: Reports the number of algorithms (for encryption, compression, etc.) that the target SSH2 server offers. If verbosity is set, the offered algorithms are each listed by type. [Kris Katterjohn]
· stuxnet-detect: Detects whether a host is infected with the Stuxnet worm (http://en.wikipedia.org/wiki/Stuxnet). [Mak Kolybabi]
· svn-brute: Performs brute force password auditing against Subversion source code control servers. [Patrik Karlsson]
· targets-traceroute: Inserts traceroute hops into the Nmap scanning queue. It only functions if Nmap's --traceroute option is used and the newtargets script argument is given. [Henri Doreau]
· vnc-brute: Performs brute force password auditing against VNC servers. [Patrik Karlsson]
· vnc-info: Queries a VNC server for its protocol version and supported security types. [Patrik Karlsson]
· wdb-version: Detects vulnerabilities and gathers information (such as version numbers and hardware support) from VxWorks Wind DeBug agents. [Daniel Miller]
· wsdd-discover: Retrieves and displays information from devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later). [Patrik Karlsson]

[NSE] Added 12 new protocol libraries:
· - dhcp.lua by Ron
· - dnssd.lua (DNS Service Discovery) by Patrik
· - ftp.lua by David
· - giop.lua (CORBA naming service) by Patrik
· - informix.lua (Informix database) by Patrik
· - iscsi.lua (iSCSI - IP based SCSI data transfer) by Patrik
· - nrpc.lua (Lotus Domino RPC) by Patrik
· - rmi.lua (Java Remote Method Invocation) by Martin Holst Swende
· - tns.lua (Oracle) by Patrik
· - upnp.lua (UPnP support) by Thomas Buchanan and Patrik
· - vnc.lua (Virtual Network Computing) by Patrik
· - wsdd.lua (Web Service Dynamic Discovery) by Patrik

· [NSE] Added a new brute library that provides a basic framework and logic for brute force password auditing scripts. [Patrik]
· [Zenmap] Greatly improved performance for large scans by benchmarking intensively and then recoding dozens of slow parts.
· Time taken to load our benchmark file (a scan of just over a million IPs belonging to Microsoft corporation, with 74,293 hosts up) was reduced from hours to less than two minutes. Memory consumption decreased dramatically as well. [David]

· Performed a major OS detection integration run. The database has grown more than 14% to 2,982 fingerprints and many of the existing fingerprints were improved. Highlights include Linux 2.6.37, iPhone OS 4.2.1, Solaris 11, AmigaOS 3.1, GNU Hurd 0.3, and MINIX 2.0.4. David posted highlights of his integration work at
· http://seclists.org/nmap-dev/2010/q4/651

· Performed a huge version detection integration run. The number of signatures has grown by more than 11% to 7,355. More than a third of our signatures are for http, but we also detect 743 other service protocols, from abc, acap, access-remote-pc, and achat to zenworks, zeo, and zmodem. David posted highlights at http://seclists.org/nmap-dev/2010/q4/761.

· [NSE] Added the target NSE library which allows scripts to add newly discovered targets to Nmap's scanning queue. This allows Nmap to support a wide range of target acquisition techniques. Scripts which can now use this feature include dns-zone-ransfer, hostmap, ms-sql-info, snmp-interfaces, targets-traceroute, and several more. [Djalal]

· [NSE] Nmap has two new NSE script scanning phases. The new pre-scan occurs before Nmap starts scanning. Some of the initial pre-scan scripts use techniques like broadcast DNS service discovery or DNS zone transfers to enumerate hosts which can optionally be treated as targets. The other phase (post scan) runs after all of Nmap's
· scanning is complete. We don't have any of these scripts yet, but they could compile scan statistics or present the results in a different way. One idea is a reverse index which provides a list of services discovered during a network scan, along with a list of IPs found to be running each service. See http://nmap.org/book/nse-usage.html#nse-script-types. [Djalal]

· [NSE] A new --script-help option describes all scripts matching a given specification. It accepts the same specification format as --script does. For example, try 'nmap -script-help "default or http-*"'. [David, Martin Holst Swende]

Dramatically improved nmap.xsl (used for converting Nmap XML output to HTML). In particular:
· Put verbose details behind expander buttons so you can see them if you want, but they don't distract from the main output. In particular, offline hosts and traceroute results are collapsed by default.
· Improved the color scheme to be less garish.
· Added support for the new NSE pre-scan and post-scan phases.
· Changed script output to use 'pre' tags to keep even lengthy output readable.
· Added a floating menu to the lower-right for toggling whether closed/filtered ports are shown or not (they are now hidden by default if Javascript is enabled).
· Many smaller improvements were made as well. You can find the new file at http://nmap.org/svn/docs/nmap.xsl, and here is an example scan processed through it: http://nmap.org/tmp/newxsl.html. [Tom]
· [NSE] Created a new "broadcast" script category for the broadcast-* scripts. These perform network discovery by broadcasting on the local network and listening for responses. Since they don't directly relate to targets specified on the command line, these are kept out of the default category (nor do they go in "discovery").
· Integrated cracked passwords from the Gawker.com compromise (http://seclists.org/nmap-dev/2010/q4/674) into Nmap's top-5000 password database. A team of Nmap developers lead by Brandon Enright has cracked 635,546 out of 748,081 password hashes so far (85%). Gawker doesn't exactly have the most sophisticated users on the Internet--their top passwords are "123456", "password", "12345678", "lifehack", "qwerty", "abc123", "12345", "monkey", "111111", "consumer", and "letmein".
· XML output now excludes output for down hosts when only doing host discovery, unless verbosity (-v) was requested. This is how it already worked for normal scans, but the ping-only case was overlooked. [David]
· Updated the Windows build process to work with (and require) Visual C++ 2010 rather than 2008. If you want to build Zenmap too, you now need Python 2.7 (rather than 2.6) and GTK+ 2.22. See http://nmap.org/book/inst-windows.html#inst-win-source [David, Rob Nicholls, KX]
· Merged port names in the nmap-services file with allocated names from the IANA (http://www.iana.org/assignments/port-numbers). We only added IANA names which were "unknown" in our file--we didn't deal with conflicting names. [David]
· Enabled the ASLR and DEP security technologies for Nmap.exe,Ncat.exe and Nping.exe on Windows Vista and above. Visual C++ will set the /DYNAMICBASE and /NXCOMPAT flags in the PE header. Executables generated using py2exe or NSIS and third party binaries (OpenSSL, WinPcap) still don't support ASLR or DEP. Support for DEP on XP SP3, using SetProcessDEPPolicy(), could still be implemented. See http://seclists.org/nmap-dev/2010/q3/328. [Robert]
· Investigated using the CPE (Common Platform Enumeration) standard for describing operating systems, devices, and service names for Nmap OS and service detection. You can read David's reports at http://seclists.org/nmap-dev/2010/q3/278 and http://seclists.org/nmap-dev/2010/q3/303.
· [Zenmap] Improved the output viewer to show new output in constant time.
· previously it would get slower and slower as the output grew longer, eventually making Zenmap appear to freeze with 100% CPU. Rob Nicholls and Ray Middleton helped with testing. [David]
· The Linux RPM builds of Nmap and related tools (ncat, nping, etc.) now link to system libraries dynamically rather than statically. They still link statically to dependency libraries such as OpenSSL, Lua, LibPCRE, Libpcap, etc. We hope this will improve portability so the RPMs will work on distributions with older software (like RHEL, Debian stable) as well as more bleeding edge ones like Fedora. [David]
· [NSE] Added the ability to send and receive on unconnected sockets. This can be used, for example, to receive UDP broadcasts without having to use Libpcap. A number of scripts have been changed so that they can work as prerule scripts to discover services by UDP broadcasting, and optionally add the discovered targets to the
scanning queue:
· - ms-sql-info
· - upnp-info
· - dns-service-discovery

· The nmap.new_socket function can now optionally take a default protocol and address family, which will be used if the socket is not connected. There is a new nmap.sendto function to be used with unconnected UDP sockets. [David, Patrik]
· [Nping] Substantially improved the Nping man page. You can read it online at http://nmap.org/book/nping-man.html. [Luis, David]
· Documented the licenses of the third-party software used by Nmap and it's sibling tools: http://nmap.org/svn/docs/3rd-party-licenses.txt. [David]

· [NSE] Improved the SMB scripts so that they can run in parallel rather than using a mutex to force serialization. This quadrupled the SMB scan speed in one large scale test. See http://seclists.org/nmap-dev/2010/q3/819. [Ron]
· Added a simple Nmap NSE script template to make writing new scripts easier: http://nmap.org/svn/docs/sample-script.nse. [Ron]
· [Zenmap] Made the topology node radiuses grow logarithmically instead of linearly, so that hosts with thousands of open ports don't overwhelm the diagram. Also only open ports (not open|filtered) are considered when calculating node sizes. Henri Doreau found and fixed a bug in the implementation. [Daniel Miller]
· [NSE] Added the get_script_args NSE function for parsing script arguments in a clean and standardized way (http://nmap.org/nsedoc/lib/stdnse.html#get_script_args). [Djalal]
· Increased the initial RTT timeout for ARP scans from 100 ms to 200 ms. Some wireless and VPN links were taking around 300 ms to respond. The default of one retransmission gives them 400 ms to be detected.
Added new version detection probes and signatures from Patrik for:
· - Lotus Domino Console running on tcp/2050 (shows OS and hostname)
· - IBM Informix Dynamic Server running native protocol (shows hostname, and file path)
· - Database servers running the DRDA protocol
· - IBM Websphere MQ (shows name of queue-manager and channel)
· Fix Nmap compilation on OpenSolaris (see http://blogs.sun.com/sdaven/entry/nmap_5_35dc1_compile_on) [David]
· [NSE] The http library's request functions now accept an additional "auth" table within the option table, which causes Basic authentication credentials to be sent. [David]
· Improved IPv6 host output in that we now remember and report the forward DNS name (given by the user) and any non-scanned addresses (usually because of round robin DNS). We already did this for IPv4. [David]
· [Zenmap] Upgraded to the newer gtk.Tooltip API to avoid deprecation messages about gtk.Tooltip. [Rob Nicholls]
· [NSE] Made dns-zone-transfer script able to add new discovered DNS records to the Nmap scanning queue. [Djalal]
· [NSE] Enhance ssl-cert to also report the type and bit size of SSL certificate public keys [Matt Selsky]
· [Ncat] Make --exec and --idle-timeout work when connecting with --proxy. Florian Roth reported the bug. [David]
· [Nping] Fixed a bug which caused Nping to fail when targeting broadcast addresses (see http://seclists.org/nmap-dev/2010/q3/752). [Luis]
· [Nping] Nping now limits concurrent open file descriptors properly based on the resources available on the host (see http://seclists.org/nmap-dev/2010/q4/2). [Luis]
· [NSE] Improved ssh2's kex_init() parameters: all of the algorithm and language lists can be set using new keys in the "options" table argument. These all default to the same value used before. Also, the required "cookie" argument is now replaced by an optional "cookie" key in the "options" table, defaulting to random bytes as suggested by the RFC. [Kris]
· Ncat now logs Nsock debug output to stderr instead of stdout for consistency with its other debug messages. [David]
· [NSE] Added a new function, shortport.http, for HTTP script portrules and changed 14 scripts to use it. [David]
· Updated to the latest config.guess and config.sub. Thanks to Ty Miller for a reminder. [David]
· [NSE] Added prerule support to snmp-interfaces and the ability to add the remote host's interface addresses to the scanning queue.
· The new script arguments used for this functionality are "host" (required) and "port" (optional). [Kris]
· Fixed some inconsistencies in nmap-os-db and a small memory leak that would happen where there was more than one round of OS detection. These were reported by Xavier Sudre from netVigilance. [David]
· [NSE] Fixed a bug with worker threads calling the wrong destructors. Fixing this allows better parallelism in http-brute.nse. The problem was reported by Patrik Karlsson. [David, Patrick]
· Upgraded the OpenSSL binaries shipped in our Windows installer to version 1.0.0a. [David]
· [NSE] Added prerule support to the dns-zone-transfer script, allowing it to run early to discover IPs from DNS records and optionally add those IPs to Nmap's target queue. You must specify the DNS server and domain name to use with script arguments. [Djalal]
· Changed the name of libdnet's sctp_chunkhdr to avoid a conflict with a struct of the same name in . This caused a compilation error when Nmap was compiled with an OpenSSL that had SCTP support. [Olli Hauer, Daniel Roethlisberger]
· [NSE] Implemented a big cleanup of the Nmap NSE Nsock library binding code. [Patrick]
· Added a bunch of Apple and Netatalk AFP service detection signatures. These often provide extra details such as whether the target is a MacBook Pro, Air, Mac Mini, iMac, etc. [Brandon]
· [NSE] Host tables now have a host.traceroute member available when --traceroute is used. This array contains the IP address, reverse DNS name, and RTT for each traceroute hop. [Henri Doreau]
· [NSE] Made the ftp-anon script return a directory listing when anonymous login is allowed. [Gutek, David]
· [NSE] Added the nmap.resolve() function. It takes a host name and optionally an address family (such as "inet") and returns a table containing all of its matching addresses. If no address family is specified, all addresses for the name are returned. [Kris]
· [NSE] Added the nmap.address_family() function which returns the address family Nmap is using as a string (e.g., "inet6" is returned if Nmap is called with the -6 option). [Kris]
· [NSE] Scripts can now access the MTU of the host.interface device using host.interface_mtu. [Kris]
· Restrict the default Windows DLL search path by removing the current directory. This adds extra protection against DLL hijacking attacks, especially if we were to add file type associations to Nmap in the future. We implement this with the SetDllDirectory function when available (Windows XP SP1 and later). Otherwise, we call SetCurrentDirectory with the directory containing the executable. [David]
· Nmap now prints the MTU for interfaces in --iflist output. [Kris]
· [NSE] Removed references to the MD2 algorithm, which OpenSSL 1.x.x no longer supports. [Alexandru]
· [Ncat,NSE] Server Name Indication (SNI) is now supported by Ncat and Nmap NSE, allowing them to connect to servers which run multiple SSL websites on one IP address. To enable this for NSE, the nmap.connect function has been changed to accept host and port tables (like those provided to the action function) in place of a string and a number. [David]
· [NSE] Renamed db2-info and db2-brute scripts to drda-*. Added support other DRDA based databases such as IBM Informix Dynamic Server and Apache Derby. [Patrik]
· [Nsock] Added a new function, nsi_set_hostname, to set the intended hostname of the target. This allows the use of Server Name Indication in SSL connections. [David]
· [NSE] Limits the number of ports that qscan will scan (now up to 8 open ports and up to 1 closed port by default). These limits can be controlled with the qscan.numopen and qscan.numclosed script arguments. [David]
· [NSE] Made sslv2.nse give special output when SSLv2 is supported, but no SSLv2 ciphers are offered. This happened with a specific Sendmail configuration. [Matt Selsky]
· [NSE] Added a "times" table to the host table passed to scripts. This table contains Nmap's timing data (srtt, the smoothed round trip time; rttvar, the rtt variance; and timeout), all represented as floating-point seconds. The ipidseq and qscan scripts were
· updated to utilize the host's timeout value rather than using a conservative guess of 3 seconds for read timeouts. [Kris]
· Fixed the fragmentation options (-f in Nmap, --mtu in Nmap & Nping), which were improperly sending whole packets in version 5.35DC1. [Kris]
· [NSE] When receiving raw packets from Pcap, the packet capture time is now available to scripts as an additional return value from pcap_receive(). It is returned as the floating point number of seconds since the epoch. Also added the nmap.clock() function which returns the current time (and convenience functions clock_ms() and
· clock_us()). Qscan.nse was updated to use this more accurate timing data. [Kris]
· [Ncat,Nsock] Fixed some minor bugs discovered using the Smatch source code analyzer (http://smatch.sourceforge.net/). [David]
· [Zenmap] Fixed a crash that would happen after opening the search window, entering a relative date criterion such as "after:-7", and then clicking the "Expressions" button. The error message was AttributeError: 'tuple' object has no attribute 'strftime' [David]
· Added a new packet payload--a NAT-PMP external address request for port 5351/udp. Payloads help us elicit responses from listening UDP services to better distinguish them from filtered ports. This payload goes well with our new nat-pmp-info script. [David, Patrik]
· Updated IANA IP address space assignment list for random IP (-iR) generation. [Kris]
· [Ncat] Ncat now uses case-insensitive string comparison when checking authentication schemes and parameters. Florian Roth found a server offering "BASIC" instead of "Basic", and the HTTP RFC requires case-insensitive comparisons in most places. [David]
· [NSE] There is now a limit of 1,000 concurrent running scripts, instituted to keep memory under control when there are many open ports. Nathan reported 3 GB of memory use (with an out-of-memory NSE crash) for one host with tens of thousands of open ports. This limit can be controlled with the variable CONCURRENCY_LIMIT in nse_main.lua. [David]
· The command line in XML output (/nmaprun/@args attribute) now does quoting of whitespace using double quotes and backslashes. This allows recovering the original command line array even when arguments contain whitespace. [David]
· Added a service detection probe for master servers of Quake 3 and related games. [Toni Ruottu]

What's new in Nmap 5.35DC1:

July 30th, 2010

· It has been 3.5 months since the last Nmap release (5.30BETA1 on March 29), and anyone following the nmap-dev list knows that we've been very busy during that time. So I'm pleased to release Nmap version 5.35DC1 containing the fruits of that labor. The Defcon name is because that conference is awesome! And also because David Fifield and I have an exciting Nmap talk planned there and at Black Hat in a couple weeks (see http://seclists.org/nmap-dev/2010/q3/108).

· This release includes 131 NSE scripts (17 new), 6,622 version detection signatures, 2,608 OS fingerprints, and more. I'm particularly excited about the new db2 and ms-sql scripts, and nfs-ls really makes NFS discovery easy! We also added Eugene Alexeev's clever new dns-cache-snoop script. Nping and Ncat were significantly improved as well.

· The Nmap 5.35DC1 source code and packages for Linux, Mac OS X, and Windows are available for download at the usual place.

What's new in Nmap 5.21:

January 27th, 2010

· [Zenmap] Added a workaround for a Ubuntu Python packaging idiosyncrasy. As of version python2.6-2.6.4-0ubuntu3, Ubuntu's distutils modifies self.prefix, a variable we use in the setup.py script. This would cause Zenmap to look in the wrong place for its configuration files, and show the dialog "Error creating the per-user configuration directory" with the specific error "[Errno 2] No such file or directory: '/usr/share/zenmap/config'". This problem was reported by Chris Clements, who also helped debug. [David]
· Fixed an error that occurred when UDP scan was combined with version scan. UDP ports would appear in the state "unknown" at the end of the scan, and in some cases an assertion failure would be raised. This was an unintended side effect of the memory use reduction changes in 5.20. The bug was reported by Jon Kibler. [David]
· [NSE] Did some simple bit-flipping on the nmap_service.exe program used by the smb-psexec script, to avoid its being falsely detected as malware. [Ron]
· [NSE] Fixed a bug in http.lua that could lead to an assertion failure. It happened when there was an error getting the a response at the beginning of a batch in http.pipeline. The symptoms of the bug were: NSE: Received only 0 of 1 expected reponses. Decreasing max pipelined requests to 0. NSOCK (0.1870s) Write request for 0 bytes... nmap: nsock_core.c:516: handle_write_result: Assertion `bytesleft > 0' failed. The error was reported by Brandon Enright and pyllyukko.
· [NSE] Restored the ability of http.head to return a body if the server returns one. This was lost in the http.lua overhaul from 5.20. [David]
· [NSE] Fixed the use of our strict.lua library on distributions that install their own strict.lua. The error message was nse_main.lua:97: attempt to call a boolean value It was reported by Onur K. [Patrick]
· Fixed handing of nameserver entries in /etc/resolv.conf so it could handle entries containing more than 16 bytes, which can occur with IPv6 addresses. Gunnar Lindberg reported the problem and contributed an initial patch, then Brandon and Kris refined and implemented it.
· [NSE] Corrected a behavior change in http.request that was accidentally made in 5.20: it could return nil instead of a table indicating failure. [David]
· [NSE] Fixed the use of an undefined variable in smb-enum-sessions, reported by Brandon. [Ron]
· Fixed a compiler error when --without-liblua is used. [Brandon]
· [NSE] Fixed an error with running http-enum.nse along with the --datadir option. The script would report the error http-enum.nse:198: bad argument #1 to 'lines' (nselib/data/http-fingerprints: No such file or directory) The error was reported by Ron Meldau and Brandon. [Kris]
· Added a function that was missing from http-favicon.nse. Its absence would cause the error http-favicon.nse:141: variable 'dirname' is not declared when a web page specified an relative icon URL through the link element. This bug was reported by Ron Meldau. [David]
· Fixed a bug with the decoding of NMAP OID component values greater than 127. [Patrik Karlsson, David]

What's new in Nmap 4.90 RC1:

June 29th, 2009

· [Zenmap] Fixed a display hanging problem on Mac OS X reported by Christopher Caldwell at http://seclists.org/nmap-dev/2009/q2/0721.html. This was done by adding gtk2 back to macports-1.8.0-universal.diff and removing the dependency on shared-mime-info so it doesn't expect /usr/share/mime files at runtime. Also included GDK pixbuf loaders statically rather than as external loadable modules. [David]
· Fixed a memory bug (access of freed memory) when loading exclude targets with --exclude. This was reported to occasionally cause a crash. Will Cladek reported the bug and contributed an initial patch. [David]
· Zenmap application icons were regenerated using the newer SVG representation of the Nmap eye. [David]

What's new in Nmap 4.85 Beta 9:

May 15th, 2009

· Integrated all of your 1,156 of your OS detection submissions and your 50 corrections since January 8. Please keep them coming! The second generation OS detection DB has grown 14% to more than 2,000 fingerprints! That is more than we ever had with the first system. The 243 new fingerprints include Microsoft Windows 7 beta, Linux 2.6.28, and much more. See http://seclists.org/nmap-dev/2009/q2/0335.html. [David]
[Ncat] A whole lot of work was done by David to improve SSL security and functionality:
· Ncat now does certificate domain and trust validation against trusted certificate lists if you specify --ssl-verify.
· [Ncat] To enable SSL certificate verification on systems whose default trusted certificate stores aren't easily usable by OpenSSL, we install a set of certificates extracted from Windows in the file ca-bundle.crt. The trusted contents of this file are added to whatever default trusted certificates the operating system may provide. [David]
· Ncat now automatically generates a temporary keypair and certificate in memory when you request it to act as an SSL server but you don't specify your own key using --ssl-key and --ssl-cert options. [David]
· [Ncat] In SSL mode, Ncat now always uses secure connections, meaning that it uses only good ciphers and doesn't use SSLv2. Certificates can optionally be verified with the --ssl-verify and --ssl-trustfile options. Nsock provides the option of making SSL connections that prioritize either speed or security; Ncat uses security while version detection and NSE continue to use speed. [David]
[NSE] Added Boolean Operators for --script. You may now use ("and", "or", or "not") combined with categories, filenames, and wildcarded filenames to match a set files. Parenthetical subexpressions are allowed for precedence too. For example, you can now run:
· nmap --script "(default or safe or intrusive) and not http-*" scanme.nmap.org
· For more details, see http://nmap.org/book/nse-usage.html#nse-args. [Patrick]
· [Ncat] The HTTP proxy server now works on Windows too. [David]
· [Zenmap] The command wizard has been removed. The profile editor has the same capabilities with a better interface that doesn't require clicking through many screens. The profile editor now has its own "Scan" button that lets you run an edited command line immediately without saving a new profile. The profile editor now comes up showing the current command rather than being blank. [David]
· [Zenmap] Added an small animated throbber which indicates that a scan is still running (similar in concept to the one on the upper-right Firefox corner which animates while a page is loading). [David]
· Regenerate script.db to remove references to non-existent smb-check-vulns-2.nse. This caused the following error messages when people used the --script=all option: "nse_main.lua:319: smb-check-vulns-2.nse is not a file!" The script.db entries are now sorted again to make diffs easier to read. [David,Patrick]
· Fixed --script-updatedb on Windows--it was adding bogus backslashes preceding file names in the generated script.db. Reported by Michael Patrick at http://seclists.org/nmap-dev/2009/q2/0192.html, and fixed by Jah. The error message was also improved.
· The official Windows binaries are now compiled with MS Visual C++ 2008 Express Edition SP1 rather than the RTM version. We also now distribute the matching SP1 version of the MS runtime components (vcredist_x86.exe). A number of compiler warnings were fixed too. [Fyodor,David]
· Fixed a bug in the new NSE Lua core which caused it to round fractional runlevel values to the next integer. This could cause dependency problems for the smb-* scripts and others which rely on floating point runlevel values (e.g. that smb-brute at runlevel 0.5 will run before smb-system-info at the default runlevel of 1).
· The SEQ.CI OS detection test introduced in 4.85BETA4 now has some examples in nmap-os-db and has been assigned a MatchPoints value of 50. [David]
· [Ncat] When using --send-only, Ncat will now close the network connection and terminate after receiving EOF on standard input. This is useful for, say, piping a file to a remote ncat where you don't care to wait for any response. [Daniel Roethlisberger]
· [Ncat] Fix hostname resolution on BSD systems where a recently fixed libc bug caused getaddrinfo(3) to fail unless a socket type hint is provided. Patch originally provided by Hajimu Umemoto of FreeBSD. [Daniel Roethlisberger]
· [NSE] Fixed bug in the DNS library which caused the error message "nselib/dns.lua:54: 'for' limit must be a number". [Jah]
· Fixed Solaris 10 compilation by renaming a yield structure which conflicted with a yield function declared in unistd.h on that platform. [Pieter Bowman, Patrick]
· [Ncat] Minor code cleanup of Ncat memory allocation and string duplication calls. [Ithilgore]
· Fixed a bug which could cause -iR to only scan the first host group and then terminate prematurely. The problem related to the way hosts are counted by o.numhosts_scanned. [David]
· Fixed a bug in the su-to-zenmap.sh script so that, in the cases where it calls su, it uses the proper -c option rather than -C. [Michal Januszewski, Henry Gebhardt]
· Overhaul the NSE documentation "Usage and Examples" section and add many more examples: http://nmap.org/book/nse-usage.html [David]
· [NSE] Made hexify in nse_nsock.cc take an unsigned char * to work around an assertion in Visual C++ in Debug mode. The isprint, isalpha, etc. functions from ctype.h have an assertion that the value of the character passed in is = 128, it is cast to an unsigned int, making it a large positive number and failing the assertion. This is the same thing that was reported in http://seclists.org/nmap-dev/2007/q2/0257.html, in regard to non-ASCII characters in nmap-mac-prefixes. [David]
· [NSE] Fixed a segmentation fault which could occur in scripts which use the NSE pcap library. The problem was reported by Lionel Cons and fixed by Patrick.
· [NSE] Port script start/finish debug messages now show the target port number as well as the host/IP. [Jah]
· Updated IANA assignment IP list for random IP (-iR) generation. [Kris]
· [NSE] Fixed http.table_argument so that user-supplied HTTP headers are now properly sent in HTTP requests. [Jah]