# Nmap Changelog ($Id: CHANGELOG 22229 2011-02-11 21:20:23Z fyodor $); -*-text-*-

Nmap 5.51 [2011-02-11]

o [Ndiff] Added support for prerule and postrule scripts. [David]

o [NSE] Fixed a bug which caused some NSE scripts to fail due to the
  absence of the NSE SCRIPT_NAME environment variable when loaded.
  Michael Pattrick reported the problem. [Djalal]

o [Zenmap] Selecting one of the scan targets in the left pane is
  supposed to jump to that host in the Nmap Output in the right pane
  (but it wasn't).  Brian Krebs reported this bug. [David]

o Fixed an obscure bug in Windows interface matching. If the MAC
  address of an interface couldn't be retrieved, it might have been
  used instead of the correct interface. Alexander Khodyrev reported
  the problem.  [David]

o [NSE] Fixed portrules in dns-zone-transfer and ftp-proftpd-backdoor
  that used shortport functions incorrectly and always returned
  true. [Jost Krieger]

o [Ndiff] Fixed ndiff.dtd to include two elements that can be diffed:
  status and address. [Daniel Miller]

o [Ndiff] Fixed the ordering of hostscript-related elements in XML
  output. [Daniel Miller]

o [NSE] Fixed a bug in the nrpe-enum script that would make it run for
  every port (when it was selected--it isn't by default).  Daniel
  Miller reported the bug. [Patrick]

o [NSE] When an NSE script sets a negative socket timeout, it now
  causes a controlled Lua stack trace instead of a fatal error.
  Vlatko Kosturjak reported the bug. [David]

o [Zenmap] Worked around an error that caused the py2app bootstrap
  executable to be non-universal even when the rest of the application
  was universal. This prevented the binary .dmg from working on
  PowerPC. Yxynaxen reported the problem. [David]

o [Ndiff] Fixed an output line that wasn't being redirected to a file
  when all other output was. [Daniel Miller]

Nmap 5.50 [2011-01-28]

o [Zenmap] Added a new script selection interface, allowing you to
  choose scripts and arguments from a list which includes descriptions
  of every available script. Just click the "Scripting" tab in the
  profile editor. [Kirubakaran]

o [Nping] Added echo mode, a novel technique for discovering how your
  packets are changed (or dropped) in transit between the host they
  originated and a target machine. It can detect network address
  translation, packet filtering, routing anomalies, and more.  You can
  try it out against our public Nping echo server using this command:
    nping --echo-client "public" echo.nmap.org'
  Or learn more about echo mode at
  http://nmap.org/book/nping-man-echo-mode.html. [Luis]

o [NSE] Added an amazing 46 scripts, bringing the total to 177! You
  can learn more about any of them at http://nmap.org/nsedoc/. Here
  are the new ones (authors listed in brackets):

  broadcast-dns-service-discovery: Attempts to discover hosts'
    services using the DNS Service Discovery protocol.  It sends a
    multicast DNS-SD query and collects all the responses. [Patrik
    Karlsson]

  broadcast-dropbox-listener: Listens for the LAN sync information
    broadcasts that the Dropbox.com client broadcasts every 20
    seconds, then prints all the discovered client IP addresses, port
    numbers, version numbers, display names, and more.  [Ron Bowes,
    Mak Kolybabi, Andrew Orr, Russ Tait Milne]

  broadcast-ms-sql-discover: Discovers Microsoft SQL servers in the
    same broadcast domain. [Patrik Karlsson]

  broadcast-upnp-info: Attempts to extract system information from the
    UPnP service by sending a multicast query, then collecting,
    parsing, and displaying all responses. [Patrik Karlsson]

  broadcast-wsdd-discover: Uses a multicast query to discover devices
    supporting the Web Services Dynamic Discovery (WS-Discovery)
    protocol. It also attempts to locate any published Windows
    Communication Framework (WCF) web services (.NET 4.0 or
    later). [Patrik Karlsson]

  db2-discover: Attempts to discover DB2 servers on the network by
    querying open ibm-db2 UDP ports (normally port 523). [Patrik
    Karlsson]

  dns-update.nse: Attempts to perform an unauthenticated dynamic DNS
    update. [Patrik Karlsson]

  domcon-brute: Performs brute force password auditing against the
    Lotus Domino Console. [Patrik Karlsson]

  domcon-cmd: Runs a console command on the Lotus Domino Console with
    the given authentication credentials (see also: domcon-brute).
    [Patrik Karlsson]

  domino-enum-users: Attempts to discover valid IBM Lotus Domino users
    and download their ID files by exploiting the CVE-2006-5835
    vulnerability. [Patrik Karlsson]

  firewalk: Tries to discover firewall rules using an IP TTL
    expiration technique known as firewalking. [Henri Doreau]

  ftp-proftpd-backdoor: Tests for the presence of the ProFTPD 1.3.3c
    backdoor reported as OSVDB-ID 69562. This script attempts to
    exploit the backdoor using the innocuous id command by default,
    but that can be changed with a script argument. [Mak Kolybabi]

  giop-info: Queries a CORBA naming server for a list of
    objects. [Patrik Karlsson]

  gopher-ls: Lists files and directories at the root of a gopher
    service. Remember those? [Toni Ruottu]

  hddtemp-info: Reads hard disk information (such as brand, model, and
    sometimes temperature) from a listening hddtemp service. [Toni
    Ruottu]

  hostmap: Tries to find hostnames that resolve to the target's IP
    address by querying the online database at
    http://www.bfk.de/bfk_dnslogger.html. [Ange Gutek]

  http-brute: Performs brute force password auditing against http
    basic authentication. [Patrik Karlsson]

  http-domino-enum-passwords: Attempts to enumerate the hashed Domino
    Internet Passwords that are (by default) accessible by all
    authenticated users. This script can also download any Domino ID
    Files attached to the Person document. [Patrik Karlsson]

  http-form-brute: Performs brute force password auditing against http
    form-based authentication. [Patrik Karlsson]

  http-vhosts: Searches for web virtual hostnames by making a large
    number of HEAD requests against http servers using common
    hostnames. [Carlos Pantelides]

  informix-brute: Performs brute force password auditing against
    IBM Informix Dynamic Server. [Patrik Karlsson]

  informix-query: Runs a query against IBM Informix Dynamic Server
    using the given authentication credentials (see also:
    informix-brute). [Patrik Karlsson]

  informix-tables: Retrieves a list of tables and column definitions
    for each database on an Informix server. [Patrik Karlsson]

  iscsi-brute: Performs brute force password auditing against iSCSI
    targets. [Patrik Karlsson]

  iscsi-info: Collects and displays information from remote iSCSI
    targets. [Patrik Karlsson]

  modbus-discover: Enumerates SCADA Modbus slave ids (sids) and
    collects their device information. [Alexander Rudakov]

  nat-pmp-info: Queries a NAT-PMP service for its external
    address. [Patrik Karlsson]

  netbus-auth-bypass: Checks if a NetBus server is vulnerable to an
    authentication bypass vulnerability which allows full access
    without knowing the password. [Toni Ruottu]

  netbus-brute: Performs brute force password auditing against the
    Netbus backdoor ("remote administration") service. [Toni Ruottu]

  netbus-info: Opens a connection to a NetBus server and extracts
    information about the host and the NetBus service itself. [Toni
    Ruottu]

  netbus-version: Extends version detection to detect NetBuster, a
    honeypot service that mimes NetBus. [Toni Ruottu]

  nrpe-enum: Queries Nagios Remote Plugin Executor (NRPE) daemons to
    obtain information such as load averages, process counts, logged in
    user information, etc. [Mak Kolybabi]

  oracle-brute: Performs brute force password auditing against Oracle
    servers. [Patrik Karlsson]

  oracle-enum-users: Attempts to enumerate valid Oracle user names
    against unpatched Oracle 11g servers (this bug was fixed in
    Oracle's October 2009 Critical Patch Update). [Patrik Karlsson]

  path-mtu: Performs simple Path MTU Discovery to target hosts. [Kris
    Katterjohn]

  resolveall: Resolves hostnames and adds every address (IPv4 or IPv6,
    depending on Nmap mode) to Nmap's target list.  This differs from
    Nmap's normal host resolution process, which only scans the first
    address (A or AAAA record) returned for each host name. [Kris
    Katterjohn]

  rmi-dumpregistry: Connects to a remote RMI registry and attempts to
    dump all of its objects. [Martin Holst Swende]

  smb-flood: Exhausts a remote SMB server's connection limit by by
    opening as many connections as we can.  Most implementations of
    SMB have a hard global limit of 11 connections for user accounts
    and 10 connections for anonymous. Once that limit is reached,
    further connections are denied. This script exploits that limit by
    taking up all the connections and holding them. [Ron Bowes]

  ssh2-enum-algos: Reports the number of algorithms (for encryption,
    compression, etc.) that the target SSH2 server offers. If
    verbosity is set, the offered algorithms are each listed by
    type. [Kris Katterjohn]

  stuxnet-detect: Detects whether a host is infected with the Stuxnet
    worm (http://en.wikipedia.org/wiki/Stuxnet). [Mak Kolybabi]

  svn-brute: Performs brute force password auditing against Subversion
    source code control servers. [Patrik Karlsson]

  targets-traceroute: Inserts traceroute hops into the Nmap scanning
    queue. It only functions if Nmap's --traceroute option is used and
    the newtargets script argument is given. [Henri Doreau]

  vnc-brute: Performs brute force password auditing against VNC
    servers. [Patrik Karlsson]

  vnc-info: Queries a VNC server for its protocol version and
    supported security types. [Patrik Karlsson]

  wdb-version: Detects vulnerabilities and gathers information (such
    as version numbers and hardware support) from VxWorks Wind DeBug
    agents. [Daniel Miller]

  wsdd-discover: Retrieves and displays information from devices
    supporting the Web Services Dynamic Discovery (WS-Discovery)
    protocol. It also attempts to locate any published Windows
    Communication Framework (WCF) web services (.NET 4.0 or
    later). [Patrik Karlsson]

o [NSE] Added 12 new protocol libraries:
 - dhcp.lua by Ron
 - dnssd.lua (DNS Service Discovery) by Patrik
 - ftp.lua by David
 - giop.lua (CORBA naming service) by Patrik
 - informix.lua (Informix database) by Patrik
 - iscsi.lua (iSCSI - IP based SCSI data transfer) by Patrik
 - nrpc.lua (Lotus Domino RPC) by Patrik
 - rmi.lua (Java Remote Method Invocation) by Martin Holst Swende
 - tns.lua (Oracle) by Patrik
 - upnp.lua (UPnP support) by Thomas Buchanan and Patrik
 - vnc.lua (Virtual Network Computing) by Patrik
 - wsdd.lua (Web Service Dynamic Discovery) by Patrik

o [NSE] Added a new brute library that provides a basic framework and logic
  for brute force password auditing scripts. [Patrik]

o [Zenmap] Greatly improved performance for large scans by
  benchmarking intensively and then recoding dozens of slow parts.
  Time taken to load our benchmark file (a scan of just over a million
  IPs belonging to Microsoft corporation, with 74,293 hosts up) was
  reduced from hours to less than two minutes. Memory consumption
  decreased dramatically as well. [David]

o Performed a major OS detection integration run. The database has
  grown more than 14% to 2,982 fingerprints and many of the existing
  fingerprints were improved. Highlights include Linux 2.6.37, iPhone
  OS 4.2.1, Solaris 11, AmigaOS 3.1, GNU Hurd 0.3, and MINIX 2.0.4.
  David posted highlights of his integration work at
  http://seclists.org/nmap-dev/2010/q4/651

o Performed a huge version detection integration run. The number of
  signatures has grown by more than 11% to 7,355.  More than a third
  of our signatures are for http, but we also detect 743 other service
  protocols, from abc, acap, access-remote-pc, and achat to zenworks,
  zeo, and zmodem.  David posted highlights at
  http://seclists.org/nmap-dev/2010/q4/761.

o [NSE] Added the target NSE library which allows scripts to add newly
  discovered targets to Nmap's scanning queue. This allows Nmap to
  support a wide range of target acquisition techniques. Scripts which
  can now use this feature include dns-zone-transfer, hostmap,
  ms-sql-info, snmp-interfaces, targets-traceroute, and several
  more. [Djalal]

o [NSE] Nmap has two new NSE script scanning phases. The new pre-scan
  occurs before Nmap starts scanning. Some of the initial pre-scan
  scripts use techniques like broadcast DNS service discovery or DNS
  zone transfers to enumerate hosts which can optionally be treated as
  targets. The other phase (post scan) runs after all of Nmap's
  scanning is complete. We don't have any of these scripts yet, but
  they could compile scan statistics or present the results in a
  different way. One idea is a reverse index which provides a list of
  services discovered during a network scan, along with a list of IPs
  found to be running each service. See
  http://nmap.org/book/nse-usage.html#nse-script-types. [Djalal]

o [NSE] A new --script-help option describes all scripts matching a
  given specification. It accepts the same specification format as
  --script does. For example, try 'nmap --script-help "default or
  http-*"'. [David, Martin Holst Swende]

o Dramatically improved nmap.xsl (used for converting Nmap XML output
  to HTML). In particular:
  - Put verbose details behind expander buttons so you can see them if
    you want, but they don't distract from the main output.  In
    particular, offline hosts and traceroute results are collapsed by
    default.
  - Improved the color scheme to be less garish.
  - Added support for the new NSE pre-scan and post-scan phases.
  - Changed script output to use 'pre' tags to keep even lengthy
    output readable.
  - Added a floating menu to the lower-right for toggling whether
    closed/filtered ports are shown or not (they are now hidden by
    default if Javascript is enabled).
  Many smaller improvements were made as well. You can find the new
  file at http://nmap.org/svn/docs/nmap.xsl, and here is an example
  scan processed through it: http://nmap.org/tmp/newxsl.html. [Tom]

o [NSE] Created a new "broadcast" script category for the broadcast-*
  scripts.  These perform network discovery by broadcasting on the
  local network and listening for responses.  Since they don't
  directly relate to targets specified on the command line, these are
  kept out of the default category (nor do they go in "discovery").

o Integrated cracked passwords from the Gawker.com compromise
  (http://seclists.org/nmap-dev/2010/q4/674) into Nmap's top-5000
  password database. A team of Nmap developers lead by Brandon Enright
  has cracked 635,546 out of 748,081 password hashes so far
  (85%). Gawker doesn't exactly have the most sophisticated users on
  the Internet--their top passwords are "123456", "password",
  "12345678", "lifehack", "qwerty", "abc123", "12345", "monkey",
  "111111", "consumer", and "letmein".

o XML output now excludes output for down hosts when only doing host
  discovery, unless verbosity (-v) was requested. This is how it
  already worked for normal scans, but the ping-only case was
  overlooked.  [David]

o Updated the Windows build process to work with (and require) Visual
  C++ 2010 rather than 2008.  If you want to build Zenmap too, you now
  need Python 2.7 (rather than 2.6) and GTK+ 2.22. See
  http://nmap.org/book/inst-windows.html#inst-win-source [David, Rob
  Nicholls, KX]

o Merged port names in the nmap-services file with allocated names
  from the IANA (http://www.iana.org/assignments/port-numbers). We
  only added IANA names which were "unknown" in our file--we didn't
  deal with conflicting names. [David]

o Enabled the ASLR and DEP security technologies for Nmap.exe,
  Ncat.exe and Nping.exe on Windows Vista and above. Visual C++ will
  set the /DYNAMICBASE and /NXCOMPAT flags in the PE
  header. Executables generated using py2exe or NSIS and third party
  binaries (OpenSSL, WinPcap) still don't support ASLR or DEP. Support
  for DEP on XP SP3, using SetProcessDEPPolicy(), could still be
  implemented. See http://seclists.org/nmap-dev/2010/q3/328. [Robert]

o Investigated using the CPE (Common Platform Enumeration) standard
  for describing operating systems, devices, and service names for
  Nmap OS and service detection. You can read David's reports at
  http://seclists.org/nmap-dev/2010/q3/278 and
  http://seclists.org/nmap-dev/2010/q3/303.

o [Zenmap] Improved the output viewer to show new output in constant
  time. Previously it would get slower and slower as the output grew
  longer, eventually making Zenmap appear to freeze with 100% CPU. Rob
  Nicholls and Ray Middleton helped with testing. [David]

o The Linux RPM builds of Nmap and related tools (ncat, nping, etc.)
  now link to system libraries dynamically rather than statically.
  They still link statically to dependency libraries such as OpenSSL,
  Lua, LibPCRE, Libpcap, etc. We hope this will improve portability so
  the RPMs will work on distributions with older software (like RHEL,
  Debian stable) as well as more bleeding edge ones like
  Fedora. [David]

o [NSE] Added the ability to send and receive on unconnected sockets.
  This can be used, for example, to receive UDP broadcasts without
  having to use Libpcap. A number of scripts have been changed so that
  they can work as prerule scripts to discover services by UDP
  broadcasting, and optionally add the discovered targets to the
  scanning queue:
    - ms-sql-info
    - upnp-info
    - dns-service-discovery
  The nmap.new_socket function can now optionally take a default
  protocol and address family, which will be used if the socket is not
  connected. There is a new nmap.sendto function to be used with
  unconnected UDP sockets. [David, Patrik]

o [Nping] Substantially improved the Nping man page. You can read it
  online at http://nmap.org/book/nping-man.html. [Luis, David]

o Documented the licenses of the third-party software used by Nmap and
  it's sibling tools:
  http://nmap.org/svn/docs/3rd-party-licenses.txt. [David]

o [NSE] Improved the SMB scripts so that they can run in parallel
  rather than using a mutex to force serialization.  This quadrupled
  the SMB scan speed in one large scale test.  See
  http://seclists.org/nmap-dev/2010/q3/819. [Ron]

o Added a simple Nmap NSE script template to make writing new scripts
  easier: http://nmap.org/svn/docs/sample-script.nse. [Ron]

o [Zenmap] Made the topology node radiuses grow logarithmically
  instead of linearly, so that hosts with thousands of open ports
  don't overwhelm the diagram. Also only open ports (not
  open|filtered) are considered when calculating node sizes. Henri
  Doreau found and fixed a bug in the implementation. [Daniel Miller]

o [NSE] Added the get_script_args NSE function for parsing script
  arguments in a clean and standardized way
  (http://nmap.org/nsedoc/lib/stdnse.html#get_script_args). [Djalal]

o Increased the initial RTT timeout for ARP scans from 100 ms to 200
  ms. Some wireless and VPN links were taking around 300 ms to
  respond. The default of one retransmission gives them 400 ms to be
  detected.

o Added new version detection probes and signatures from Patrik for:
  - Lotus Domino Console running on tcp/2050 (shows OS and hostname)
  - IBM Informix Dynamic Server running native protocol (shows hostname, and file path)
  - Database servers running the DRDA protocol
  - IBM Websphere MQ (shows name of queue-manager and channel)

o Fix Nmap compilation on OpenSolaris (see
  http://blogs.sun.com/sdaven/entry/nmap_5_35dc1_compile_on) [David]

o [NSE] The http library's request functions now accept an additional
  "auth" table within the option table, which causes Basic
  authentication credentials to be sent. [David]

o Improved IPv6 host output in that we now remember and report the
  forward DNS name (given by the user) and any non-scanned addresses
  (usually because of round robin DNS).  We already did this for
  IPv4. [David]

o [Zenmap] Upgraded to the newer gtk.Tooltip API to avoid deprecation
  messages about gtk.Tooltip. [Rob Nicholls]

o [NSE] Made dns-zone-transfer script able to add new discovered DNS
  records to the Nmap scanning queue. [Djalal]

o [NSE] Enhance ssl-cert to also report the type and bit size of SSL
  certificate public keys [Matt Selsky]

o [Ncat] Make --exec and --idle-timeout work when connecting with
  --proxy. Florian Roth reported the bug. [David]

o [Nping] Fixed a bug which caused Nping to fail when targeting
  broadcast addresses (see
  http://seclists.org/nmap-dev/2010/q3/752). [Luis]

o [Nping] Nping now limits concurrent open file descriptors properly
  based on the resources available on the host (see
  http://seclists.org/nmap-dev/2010/q4/2). [Luis]

o [NSE] Improved ssh2's kex_init() parameters: all of the algorithm
  and language lists can be set using new keys in the "options" table
  argument. These all default to the same value used before. Also, the
  required "cookie" argument is now replaced by an optional "cookie"
  key in the "options" table, defaulting to random bytes as suggested
  by the RFC. [Kris]

o Ncat now logs Nsock debug output to stderr instead of stdout for
  consistency with its other debug messages. [David]

o [NSE] Added a new function, shortport.http, for HTTP script
  portrules and changed 14 scripts to use it. [David]

o Updated to the latest config.guess and config.sub. Thanks to Ty
  Miller for a reminder. [David]

o [NSE] Added prerule support to snmp-interfaces and the ability to
  add the remote host's interface addresses to the scanning queue.
  The new script arguments used for this functionality are "host"
  (required) and "port" (optional). [Kris]

o Fixed some inconsistencies in nmap-os-db and a small memory leak
  that would happen where there was more than one round of OS
  detection. These were reported by Xavier Sudre from
  netVigilance. [David]

o [NSE] Fixed a bug with worker threads calling the wrong destructors.
  Fixing this allows better parallelism in http-brute.nse. The problem
  was reported by Patrik Karlsson. [David, Patrick]

o Upgraded the OpenSSL binaries shipped in our Windows installer to
  version 1.0.0a. [David]

o [NSE] Added prerule support to the dns-zone-transfer script,
  allowing it to run early to discover IPs from DNS records and
  optionally add those IPs to Nmap's target queue.  You must specify
  the DNS server and domain name to use with script
  arguments. [Djalal]

o Changed the name of libdnet's sctp_chunkhdr to avoid a conflict with
  a struct of the same name in <netinet/sctp.h>. This caused a
  compilation error when Nmap was compiled with an OpenSSL that had
  SCTP support. [Olli Hauer, Daniel Roethlisberger]

o [NSE] Implemented a big cleanup of the Nmap NSE Nsock library
  binding code. [Patrick]

o Added a bunch of Apple and Netatalk AFP service detection
  signatures.  These often provide extra details such as whether the
  target is a MacBook Pro, Air, Mac Mini, iMac, etc. [Brandon]

o [NSE] Host tables now have a host.traceroute member available when
  --traceroute is used. This array contains the IP address, reverse
  DNS name, and RTT for each traceroute hop. [Henri Doreau]

o [NSE] Made the ftp-anon script return a directory listing when
  anonymous login is allowed. [Gutek, David]

o [NSE] Added the nmap.resolve() function. It takes a host name and
  optionally an address family (such as "inet") and returns a table
  containing all of its matching addresses. If no address family is
  specified, all addresses for the name are returned. [Kris]

o [NSE] Added the nmap.address_family() function which returns the address
  family Nmap is using as a string (e.g., "inet6" is returned if Nmap is
  called with the -6 option). [Kris]

o [NSE] Scripts can now access the MTU of the host.interface device using
  host.interface_mtu. [Kris]

o Restrict the default Windows DLL search path by removing the current
  directory. This adds extra protection against DLL hijacking attacks,
  especially if we were to add file type associations to Nmap in the
  future. We implement this with the SetDllDirectory function when
  available (Windows XP SP1 and later). Otherwise, we call
  SetCurrentDirectory with the directory containing the
  executable. [David]

o Nmap now prints the MTU for interfaces in --iflist output. [Kris]

o [NSE] Removed references to the MD2 algorithm, which OpenSSL 1.x.x
  no longer supports. [Alexandru]

o [Ncat,NSE] Server Name Indication (SNI) is now supported by Ncat and
  Nmap NSE, allowing them to connect to servers which run multiple SSL
  websites on one IP address. To enable this for NSE, the nmap.connect
  function has been changed to accept host and port tables (like those
  provided to the action function) in place of a string and a
  number. [David]

o [NSE] Renamed db2-info and db2-brute scripts to drda-*. Added
  support other DRDA based databases such as IBM Informix Dynamic
  Server and Apache Derby.  [Patrik]

o [Nsock] Added a new function, nsi_set_hostname, to set the intended
  hostname of the target. This allows the use of Server Name
  Indication in SSL connections. [David]

o [NSE] Limits the number of ports that qscan will scan (now up to 8
  open ports and up to 1 closed port by default). These limits can be
  controlled with the qscan.numopen and qscan.numclosed script
  arguments. [David]

o [NSE] Made sslv2.nse give special output when SSLv2 is supported,
  but no SSLv2 ciphers are offered. This happened with a specific
  Sendmail configuration. [Matt Selsky]

o [NSE] Added a "times" table to the host table passed to scripts.
  This table contains Nmap's timing data (srtt, the smoothed round
  trip time; rttvar, the rtt variance; and timeout), all represented
  as floating-point seconds.  The ipidseq and qscan scripts were
  updated to utilize the host's timeout value rather than using a
  conservative guess of 3 seconds for read timeouts. [Kris]

o Fixed the fragmentation options (-f in Nmap, --mtu in Nmap & Nping),
  which were improperly sending whole packets in version
  5.35DC1. [Kris]

o [NSE] When receiving raw packets from Pcap, the packet capture time
  is now available to scripts as an additional return value from
  pcap_receive().  It is returned as the floating point number of
  seconds since the epoch.  Also added the nmap.clock() function which
  returns the current time (and convenience functions clock_ms() and
  clock_us()).  Qscan.nse was updated to use this more accurate timing
  data. [Kris]

o [Ncat,Nsock] Fixed some minor bugs discovered using the Smatch
  source code analyzer (http://smatch.sourceforge.net/). [David]

o [Zenmap] Fixed a crash that would happen after opening the search
  window, entering a relative date criterion such as "after:-7", and
  then clicking the "Expressions" button. The error message was
    AttributeError: 'tuple' object has no attribute 'strftime'
  [David]

o Added a new packet payload--a NAT-PMP external address request for
  port 5351/udp.  Payloads help us elicit responses from listening UDP
  services to better distinguish them from filtered ports.  This
  payload goes well with our new nat-pmp-info script. [David, Patrik]

o Updated IANA IP address space assignment list for random IP (-iR)
  generation. [Kris]

o [Ncat] Ncat now uses case-insensitive string comparison when
  checking authentication schemes and parameters. Florian Roth found a
  server offering "BASIC" instead of "Basic", and the HTTP RFC
  requires case-insensitive comparisons in most places. [David]

o [NSE] There is now a limit of 1,000 concurrent running scripts,
  instituted to keep memory under control when there are many open
  ports. Nathan reported 3 GB of memory use (with an out-of-memory NSE
  crash) for one host with tens of thousands of open ports. This limit
  can be controlled with the variable CONCURRENCY_LIMIT in
  nse_main.lua. [David]

o The command line in XML output (/nmaprun/@args attribute) now does
  quoting of whitespace using double quotes and backslashes. This
  allows recovering the original command line array even when
  arguments contain whitespace. [David]

o Added a service detection probe for master servers of Quake 3 and
  related games.  [Toni Ruottu]

o [Zenmap] Fixed an crash when printing a scan that had no output
  (like a scan made by command-line Nmap). Henri Doreau noticed the
  error. [David]

Nmap 5.35DC1 [2010-07-16]

o [NSE] Added 17 scripts, bringing the total to 131! They are
  described individually in the CHANGELOG, but here is the list of new
  ones:
   afp-serverinfo, db2-brute, dns-cache-snoop, dns-fuzz, ftp-libopie
   http-php-version, irc-unrealircd-backdoor, ms-sql-brute,
   ms-sql-config, ms-sql-empty-password, ms-sql-hasdbaccess,
   ms-sql-query, ms-sql-tables, ms-sql-xp-cmdshell, nfs-ls,
   ntp-monlist
  Learn more about any of these at: http://nmap.org/nsedoc/

o Performed a major OS detection integration run. The database has
  grown to 2,608 fingerprints (an increase of 262) and many of the
  existing fingerprints were improved. These include the Apple iPad
  and Cisco IOS 15.X devices. We also received many fingerprints for
  ancient Microsoft systems including MS-DOS with MS Networking Client
  3.0, Windows 3.1, and Windows NT 3.1. David posted highlights of his
  integration work at http://seclists.org/nmap-dev/2010/q2/283.

o Performed a large version detection integration run. The number of
  signatures has grown to 6,622 (an increase of 279). New signatures
  include a remote administrative backdoor that a school famously used
  to spy on its students, an open source digital currency scheme named
  Bitcoin, and game servers for EVE Online, l2emurt Lineage II, and
  Frozen Bubble. You can read David's highlights at
  http://seclists.org/nmap-dev/2010/q2/385.

o [NSE] Added nfs-ls.nse, which lists NFS exported files and their
  attributes. The nfs-acls and nfs-dirlist scripts were deleted 
  because all their features are supported by this script. [Djalal]

o [NSE] Add new DB2 library and two scripts
  - db2-brute.nse uses the unpwdb library to guess credentials for DB2
  - db2-info.nse re-write of Tom Sellers script to use the new library
  [Patrik]

o [NSE] Added a library for Microsoft SQL Server and 7 new scripts. The new
  scripts are:
  - ms-sql-brute.nse uses the unpwdb library to guess credentials for MSSQL
  - ms-sql-config retrieves various configuration details from the server		
  - ms-sql-empty-password checks if the sa account has an empty password
  - ms-sql-hasdbaccess lists database access per user
  - ms-sql-query add support for running custom queries against the database
  - ms-sql-tables lists databases, tables, columns and datatypes with optional
    keyword filtering
  - ms-sql-xp-cmdshell adds support for OS command execution to privileged
    users
  [Patrik]

o [NSE] Added the afp-serverinfo script that gets a hostname, IP
  addresses, and other configuration information from an AFP server.
  The script, and a patch to the afp library, were contributed by
  Andrew Orr and subsequently enhanced by Patrik and David.

o [NSE] Added additional vulnerability checks to smb-check-vulns.nse:
  The Windows RAS RPC service vulnerability MS06-025
  (http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx)
  and the Windows DNS Server RPC vuln MS07-029
  (http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx).
  Note that these are only run if you specify the "unsafe" script arg
  because the implemented test crashes vulnerable services. [Drazen]

o [NSE] Added dns-cache-snoop.nse by Eugene Alexeev. This script performs
  cache snooping by either sending non-recursive queries or by measuring
  response times.

o [Zenmap] Added the ability to print Nmap output to a
  printer. [David]

o [Nmap, Ncat, Nping] The default unit for time specifications is now
  seconds, not milliseconds, and times may have a decimal point. 1000
  now means 1000 seconds, or about 17 minutes, not 1000 milliseconds.
  Floating point values such as 1.5 are now allowed.  This affects the
  following options:
  Nmap:
    --host-timeout
    --max-rtt-timeout --min-rtt-timeout --initial-rtt-timeout
    --scan-delay --max-scan-delay
    --stats-every
  Ncat:
    -d --delay
    -i --idle-timeout
    -w --wait
  Nping:
    --delay
    --host-timeout
    --icmp-orig-time --icmp-recv-time --icmp-trans-time
  Some sanity checks have been added to catch what looks like an
  attempt to use the old millisecond defaults. For example,
  --host-timeout 10000 yields
    Since April 2010, the default unit for --host-timeout is seconds,
    so your time of "10000" is 2.8 hours. If this is what you want,
    use "10000s".
    QUITTING!
  You can always disable the warning by giving an explicit unit.

o [NSE] Scripts which take an argument for a time duration can now
  have the duration be a number followed by a unit, like elsewhere in
  Nmap. An example is "10m" for 10 minutes. The units understood are
  "ms" for milliseconds, "s" for seconds, "m" for minutes, and "h" for
  hours.  Seconds are the default if no unit is specified. The new
  function stdnse.parse_timespec does the parsing of these
  formats. The qscan.delay script argument, which formerly interpreted
  its argument as being in milliseconds, now defaults to seconds;
  append "ms" to continue using the same numbers. [David]

o [NSE] Added irc-unrealircd-backdoor.nse, which detects a backdoor
  that was in UnrealIRCd source code distributions between November
  2009 and June 2010. See http://seclists.org/nmap-dev/2010/q2/826.
  [Vlatko Kosturjak, Ron, David]

o Ports are now considered open during a SYN scan if a SYN packet
  (without the ACK flag) is received in response. This can be due to
  an extremely rare TCP feature known as a simultaneous open or split
  handshake connection. see http://bit.ly/tcp-sh and
  http://seclists.org/nmap-dev/2010/q2/723. [Jah]

o [Ncat] In listen mode, the --exec and --sh-exec options now accept a
  single connection and then exit, just like in normal listen mode.
  Use the --keep-open option to get the old default inetd-like
  behavior. This was suggested by David Millis. [David]

o [NSE] Added ftp-libopie.nse by Gutek. This script checks for an
  off-by-one stack overflow vulnerability in libopie by giving the FTP
  service an overly long name. See
  http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc for
  details.

o [NSE] Added ntp-monlist.nse which discovers NTP server, peer and
  client hosts associated with a scanned target by sending NTPv2
  Private Mode 'monitor' and 'peers' commands to the target. [Jah]

o [NSE] Added http-php-version.nse from Gutek. This script retrieves
  version-specific pages through a couple of magic PHP queries, which
  can identify the PHP version even when a server doesn't advertise
  it.

o [NSE] New script dns-fuzz launches a fuzzing attack against DNS
  servers. Added a new category - fuzzer - for scripts like this.
  [Michael Pattrick]

o David made many improvements to the NSEDoc for individual scripts,
  including adding @output sections to scripts which didn't have them.
  He also improved the generated HTML with features like
  auto-generating usage strings if the scripts don't include their own
  and allowing the giant sidebar lists of scripts/libraries to expand
  and contract.  See http://nmap.org/nsedoc/.

o UDP payloads are now stored in an external data file, nmap-payloads,
  instead of being hard-coded in the executable. This makes it easier
  to add your own payloads or disable those you find problematic. [Jay
  Fink, David]

o The Windows executable installer now uses LZMA compression instead
  of zlib, making it about 15% smaller. See
  http://seclists.org/nmap-dev/2010/q2/1011 for test results. [David]

o Open XML elements are now closed in case of a fatal error, so the
  output should at least be well-formed. There are new attributes
  "exit" and "errormsg" in the finished element. "exit" is "success"
  or "error". When it is "error", the "errormsg" attribute contains
  the error message. Thanks to Grant Bartlett, who found a typo in the
  new output. [David]

o Fixed name resolution in environments where gethostbyname can return
  IPv6 (or other non-IPv4 addresses). In such an environment, Nmap
  would wrongly use the first four bytes of the IPv6 address as an
  IPv4 address. You could force this, at least on Debian, by adding
  the line "options inet6" to /etc/resolv.conf or by running with
  RES_OPTIONS=inet6 in the environment. This was reported by Mats Erik
  Andersson, who also suggested the fix. [David]

o Fixed the assignment of interface aliases to directly connected
  routes on Linux, which was broken in 5.30BETA1 (it always assigned
  the base interface instead of the alias). This was visible in the
  host.interface variable passed to NSE scripts. The bug was reported
  Victor Rudnev. [David]

o When Nmap is passed a hostname such as google.com which resolves to
  several IP addresses, Nmap now prints each IP address.  It still
  only scans the first one in the returned list. [David]

o Nmap now works if you specify several target host names which
  resolve to the same IP address.  This can be useful when you are
  scanning virtual-hosted web servers and want to see NSE results
  specific to each site name even though they reside on the same
  machine. [David]

o Made a list of current Nmap SVN committers:
  http://nmap.org/svn/docs/committers.txt

o Added a new library, libnetutil, which contains about 2,700 lines of
  networking related code which is now shared between Nmap and Nping
  (it was previously duplicated by each tool). [Luis, David]

o [NSE] http-passwd.nse now also checks for boot.ini to support
  Windows targets. [Gutek]

o Removed --interactive mode, a miniature shell whose primary purpose
  was to hide command line arguments from the process list. It had
  been broken (would segfault during the second scan) for at least 9
  months and was rarely used. The fact that it was broken was reported
  by Juan Carlos Castro. [David]

o Added a version probe, match line, and UDP payload for the
  serialnumberd service of Mac OS X Server. This service overrides
  firewall settings to make itself visible, so it's useful for host
  discovery. [Patrik]

o Improved service detection match lines for:
  o Oracle Enterprise Manager Agent and mupdate by Matt Selsky
  o Twisted web server, Apple Filing Protocol, Apple Mac OS X Password
    Server, XAVi XG6546p Wireless Gateway, Sun GlassFish
    Communications Server, and Comdasys, SIParator and Glassfish SIP
    by Patrik
  o PostgreSQL, Cisco Site Selector ftpd, and LanSafe UPS monitoring
    HTTPd by Tom Sellers

o Improved our brute force password guessing list by mixing in some
  data sent in by Solar Designer of John the Ripper fame.

o [Zenmap] IP addresses are now sorted by octet rather than their
  string representation. For example, 10.1.1.2 is now sorted before
  10.1.1.10. This problem was reported by Norris Carden. [David]

o [NSE] Added UDP header parsing support to packet.lua. [jah]

o Fixed a bug in Libpcap which lead to Nmap hanging forever in some
  cases on 64-bit Mac OS X 10.6, 10.6.1, and 10.6.3.  The fix was
  actually already available in upstream Libpcap, just not released.
  We also had to make Nmap build with its own Libpcap on 64-bit OS X
  if an already-installed system Libpcap has this bug. [David]

o Updated our WinPcap to the new 4.1.2 release. [Rob Nicholls]

o [NSE] Fixed a bug in qscan.nse which gave an error if a confidence
  level of 0.9995 was used.  Thanks to Marcin Hoffmann for noticing
  the problem. [Kris]

o [libpcap] Added a --disable-packet-ring option to force the use of
  an older, slower packet capture mechanism on Linux. Before Linux
  2.6.27, the packet ring mechanism uses different-sized kernel
  structures on 32- and 64-bit architectures, so a 32-bit program will
  not run correctly on a 64-bit kernel. The older mechanism does not
  have this flaw.

o Fixed some errors in nmap-os-db, probably caused by incorrect string
  replacement during integration. This patch is from James Cook.

o [Nsock, Ncat] Nsock has a new function, nsp_setbroadcast, that
  allows setting the SO_BROADCAST option on sockets. Ncat now sets
  this option unconditionally in connect mode to allow connections to
  broadcast addresses (useful in UDP mode). [Daniel Miller]

o Nmap now works with "teamed" network interfaces on Windows. In order
  to distinguish the interfaces, their textual descriptions are now
  compared in addition to their MAC addresses. Without this, Nmap
  would send on the wrong interface and not receive any replies. A
  symptom of this problem was all scans failing except when
  --unprivileged was used. Norris Carden reported this bug. [David]

o [Ncat] When receiving a connection/datagram in listen mode, Ncat now
  prints the connecting source port along with the IP address (when
  verbosity is enabled). [Rebellis]

o Fixed a problem where the time variable used in some port scanning
  algorithms (for probe timeouts, etc) could vary based on the
  debugging level. [Kris]

o Moved the parse_long function from ncat to nbase for better reuse,
  and used it to simplify netmask parsing code. [William Pursell]

o Added EPROTO to the list of known error codes in service scan. Daniel
  Miller reported that an EPROTO was causing Nmap to exit after sending
  the Sqlping probe during service scan. The error message was
  "Unexpected error in NSE_TYPE_READ callback. Error code: 71 (Protocol
  error)". We suspect this was caused by a forged ICMP packet sent by an
  active firewall. [David]

o [NSE] Improved smtp-commands.nse to work against more mail servers,
  made it take an smtp-commands.domain script argument, and rewrote it
  in the style of other smtp scripts. [Jason DePriest]

o [NSE] Made smtp-commands run for the services smtp, smtps,
  submission rather than just smtp.  The other smtp scripts already do
  this. [David]

o [NSE] The dns-recursion script now marks the port as open when it
  gets a response. [Olivier M]

o [Nping] A big correctness and code cleanliness audit was performed
  which resulted in many bugs being fixed and much more code being
  shared with Nmap rather than duplicated. A structured testing
  script system was also created. [Luis, David]

o [Nping] Now allows a --count value of zero to run almost
  indefinitely (2^32 rounds). Suggested by Andreas Hubert. [Luis]

o [Nping] Fixed --data argument parsing. The value passed was not
  actually making it into outgoing packets. Reported by Tim
  Poth. [Luis]

o [Nping] When a RST packet is received in response to a connection
  attempt in TCP-Connect mode, Nping now properly prints "Connection
  refused" rather than "Operation now in progress". [Luis]

o [Nping] Fixed a bug which caused failure when the first supplied
  target was not resolvable (e.g.: nping bogushost.fkz scanme.insecure.com
  tcpdump.com). [Luis]

o [Nping] Fixed some bugs in the BPF filter creation to avoid capture
  and printing of packets Nping sent or which are destined for another
  process. [Luis]

o [Nping] Fixed a bug which prevented ARP replies from being displayed
  properly. [Luis]

o [Nping] Fixed a bug that caused ICMP Router Advertisement entries to
  be set in host byte order rather than proper network byte
  order. [Luis]

o [Nping] Fixed a segfault caused by bad --data values. [Greg Skoczek]

o The Mac OS X installer is now built with MacPorts 1.9.1 rather than
  1.8.2. Among other changes, this fixes a segmentation fault reported
  by some OS X 10.6.3 users.

o Nsock now supports an option to remove its Pcap support.  This
  allows the same Nsock to be shared with Nmap (which needs that
  support) and Ncrack (which doesn't.) Pcap support can be disabled by
  specifying --disable-pcap at configure time on UNIX, or by selecting
  the DebugNoPcap or ReleaseNoPcap configurations in Visual C++ on
  Windows.

o Sped up compilation by not building both shared and static libdnet
  libraries--we only use the static one. [David]

o [NSE] Improved error handling and reporting and re-designed communication
  class in RPC library with patch from Djalal Harouni. [Patrik]

o Upgraded the included libpcap to version 1.1.1. [David]

o [NSE] Add some special-use IPv4 addresses to isPrivate which are
  described in RFC 5736 and RFC 5737, published in Jan 2010. Improve
  performance of isPrivate for IPv4 addresses by using ip_in_range
  less frequently. Add an extra return value to isPrivate - when the
  first return value is true, the second return value will now be a
  string representing the special use assignment in which the supplied
  address is located. [jah]

o Fix compilation on OpenSolaris.  We had to make the libdnet autoconf
  check for PF_PACKET Linux-specific.  Recent versions of OpenSolaris
  support PF_PACKET, but not in a way which is entirely compatible
  with the Linux approach. This problem was reported by Darren Reed. A
  few other minor compatibility changes were made as well. [David]

o [NSE] Added script arguments "username" and "password" to ftp-bounce
  to override the default anonymous:IEUser@ login combination. [Kris]

o [NSE] Added port number sorting to dns-service-discovery.nse. [Patrik]

o [NSE] Added an snmpWalk() function to the SNMP library and updated
  scripts to use it.  [Patrik]

o [NSE] Fixed this dns.lua error reported by Eugene Alexeev:
  nselib/dns.lua:110: attempt to get length of field 'dtype' (a number value)
  [Jah]

o Updated nmap-mac-prefixes to the latest IEEE data as of 2010-07-13.

o Updated IANA IP address space assignment list for random IP (-iR)
  generation. [Kris]
[--snip--]
