# Nmap Changelog ($Id: CHANGELOG 28938 2012-06-14 01:56:21Z fyodor $); -*-text-*-

Nmap 6.01 [2012-06-13]

o [Zenmap] Fixed a hang that would occur on Mac OS X 10.7. A symptom
  of the hang was this message in the system console:
  "Couldn't recognize the image file format for file
  '/Applications/Zenmap.app/Contents/MacOS/../Resources/share/zenmap/pixmaps/radialnet/padlock.png'".
  [David Fifield]

o [Zenmap] Fixed a crash that happened when activating the host filter.
      File "zenmapCore\SearchResult.pyo", line 155, in match_os
    KeyError: 'osmatches'
  [jah]

o Fixed an error that occurred when scanning certain addresses like
  192.168.0.0 on Windows XP:
    get_srcaddr: can't connect socket: The requested address is not valid in its context.
    nexthost: failed to determine route to 10.80.0.0
  [David Fifield]

o Fixed a bug that caused Nmap to fail to find any network interface when
  at least one of them is in monitor mode. The fix was to define the
  ARP_HRD_IEEE80211_RADIOTAP 802.11 radiotap header identifier in the
  libdnet-stripped code. Network interfaces in this mode are used by
  radiotap for 802.11 frame injection and reception. The bug was
  reported by Tom Eichstaedt and Henri Doreau.
  http://seclists.org/nmap-dev/2012/q2/449
  http://seclists.org/nmap-dev/2012/q2/478
  [Djalal Harouni, Henri Doreau]

o Fixed the greppable output of hosts that time out (when --host-timeout was
  used and the host timed out after something was received from that host).
  This issue was reported by Matthew Morgan. [jah]

o [Zenmap] Updated the version of Python used to build the Windows
  release from 2.7.1 to 2.7.3 to remove a false-positive security
  alarm flagged by tools such as Secunia PSI. There was a minor
  vulnerability in certain Python27.dll web functionality (which Nmap
  doesn't use anyway) and Secunia was flagging all software which
  includes that version of Python27.dll. This update should prevent
  the false alarm.

Nmap 6.00 [2012-05-21]

o Most important release since Nmap 5.00 in July 2009! For a list of
  the most significant improvements and new features, see the
  announcement at: http://nmap.org/6

o In XML output, <osclass> elements are now child elements of the
  <osmatch> they belong to. Old output was thus:
    <os><osclass/><osclass/>...<osmatch/><osmatch/>...</os>
  New output is:
    <os><osmatch><osclass/><osclass/>...</osmatch>...</os>
  The option --deprecated-xml-osclass restores the old output, in case
  you use an Nmap XML parser that doesn't understand the new
  structure. The xmloutputversion has been increased to 1.04.

o Added a new <target> element to XML output that indicates when a
  target specification was ignored, perhaps because of a syntax error
  or DNS failure. It looks like this:
    <target specification="1.2.3.4.5" status="skipped" reason="invalid"/>
  [David Fifield]
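
The two <os> layouts and the new <target> element, as an added worked example
(this is not Nmap's or Zenmap's own parser): a small Python reader that accepts
both the pre-6.00 and the 6.00 XML shapes and also lists skipped targets. Both
XML documents inside it are constructed by hand; the host address, match names,
line numbers and CPE value are illustrative, not real scan data.

```python
"""Read <os> results from Nmap XML in both the pre-6.00 and 6.00 layouts.

Added example for this changelog entry; it is not Nmap's or Zenmap's own
parser. The two documents below are constructed by hand to show the two
layouts (attribute values are illustrative, not real scan data).
"""
import xml.etree.ElementTree as ET

# Constructed: pre-6.00 layout. <osclass> elements are siblings of <osmatch>,
# so nothing in the document ties a class to a particular match.
OLD_XML = """<nmaprun scanner="nmap" version="5.51">
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<os>
  <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="100"/>
  <osclass type="router" vendor="Cisco" osfamily="IOS" osgen="12.X" accuracy="95"/>
  <osmatch name="Linux 2.6.32" accuracy="100" line="12345"/>
  <osmatch name="Cisco IOS 12.4" accuracy="95" line="23456"/>
</os>
</host>
</nmaprun>"""

# Constructed: 6.00 layout (xmloutputversion 1.04). Each <osclass> is nested
# in the <osmatch> it belongs to, and a <target> element records a target
# specification that was skipped.
NEW_XML = """<nmaprun scanner="nmap" version="6.00" xmloutputversion="1.04">
<target specification="1.2.3.4.5" status="skipped" reason="invalid"/>
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<os>
  <osmatch name="Linux 2.6.32" accuracy="100" line="12345">
    <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="100">
      <cpe>cpe:/o:linux:linux_kernel:2.6</cpe>
    </osclass>
  </osmatch>
  <osmatch name="Cisco IOS 12.4" accuracy="95" line="23456">
    <osclass type="router" vendor="Cisco" osfamily="IOS" osgen="12.X" accuracy="95"/>
  </osmatch>
</os>
</host>
</nmaprun>"""


def _class_tuple(cls):
    return (cls.get("vendor"), cls.get("osfamily"), cls.get("osgen"))


def os_report(xml_text):
    """Summarise <os> data for every host, tolerating both layouts.

    Returns {"layout": "old" | "new" | "none", "matches": [...],
             "unattached_classes": [...]}. In the old layout the classes
    cannot be paired with a match, so they are reported separately
    instead of being guessed.
    """
    root = ET.fromstring(xml_text)
    matches, unattached = [], []
    layout = "none"
    for os_el in root.iter("os"):
        for cls in os_el.findall("osclass"):        # only present in the old layout
            layout = "old"
            unattached.append(_class_tuple(cls))
        for match in os_el.findall("osmatch"):
            classes = match.findall("osclass")      # only present in the new layout
            if classes:
                layout = "new"
            matches.append({
                "name": match.get("name"),
                "accuracy": int(match.get("accuracy", "0")),
                "classes": [_class_tuple(c) for c in classes],
                "cpe": [cpe.text for c in classes for cpe in c.findall("cpe")],
            })
    return {"layout": layout, "matches": matches, "unattached_classes": unattached}


def skipped_targets(xml_text):
    """Return (specification, reason) for every <target> that Nmap skipped."""
    root = ET.fromstring(xml_text)
    return [(t.get("specification"), t.get("reason"))
            for t in root.iter("target") if t.get("status") == "skipped"]


if __name__ == "__main__":
    for label, doc in (("old", OLD_XML), ("new", NEW_XML)):
        print(label, os_report(doc))
        print(label, "skipped:", skipped_targets(doc))
```

A parser written this way keeps working whether it is fed 6.00 output or
output produced with --deprecated-xml-osclass, and it makes the limitation
of the old layout explicit instead of silently attaching every class to
every match.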

o [NSE] Added the script samba-vuln-cve-2012-1182 which detects the
  SAMBA pre-auth remote root vulnerability (CVE-2012-1182).
  [Aleksandar Nikolic]

o [NSE] Added http-vuln-cve2012-1823.nse, which checks for PHP CGI
  installations with a remote code execution vulnerability. [Paulino
  Calderon]

o [NSE] Added script targets-ipv6-mld that sends a malformed ICMP6 MLD Query
  to discover IPv6 enabled hosts on the LAN. [Niteesh Kumar]

o [NSE] Added rdp-vuln-ms12-020.nse by Aleksandar Nikolic. This tests
  for two Remote Desktop vulnerabilities, including one allowing
  remote code execution, that were fixed in the MS12-020 advisory.

o [NSE] Added a stun library and the scripts stun-version and stun-info, which
  extract version information and the external NATed address.
  [Patrik Karlsson]

o [NSE] Added the script duplicates which attempts to determine duplicate
  hosts by analyzing information collected by other scripts. [Patrik Karlsson]

o Fixed the routing table loop on OS X so that on-link routes appear.
  Previously, they were ignored so that things like ARP scan didn't
  work. [Patrik Karlsson, David Fifield]

o Upgraded included libpcap to version 1.2.1.

o [NSE] Added ciphers from RFC 5932 and Fortezza-based ciphers to
  ssl-enum-ciphers.nse. The patch was submitted by Darren McDonald.

o [NSE] Renamed hostmap.nse to hostmap-bfk.nse.

o Fixed a compilation problem on Solaris 9 caused by a missing
  definition of IPV6_V6ONLY. Reported by Dagobert Michelsen.

o Setting --min-parallelism by itself no longer forces the maximum
  parallelism to the same value. [Chris Woodbury, David Fifield]

o Changed XML output to show the "service" element whenever a tunnel
  is discovered for a port, even if the service behind it was unknown.
  [Matt Foster]

o [Zenmap] Fixed a crash that would happen in the profile editor when
  the script.db file doesn't exist. The bug was reported by Daniel
  Miller.

o [Zenmap] It is now possible to compare scans having the same name or
  command line parameters. [Jah, David Fifield]

o Fixed an error that could occur with ICMPv6 probes and -d4 debugging:
  "Unexpected probespec2ascii type encountered" [David Fifield]

o [NSE] Added new script http-chrono, which measures min, max and average
  response times of web servers. [Ange Gutek]

o Applied a workaround to make pcap captures work better on Solaris
  10. This involves peeking at the pcap buffer to ensure that captures
  are not being lost. A symptom of the previous behavior was that,
  when doing ARP host discovery against two targets, only one would be
  reported as up. [David Fifield]

o Fixed a bug that could cause Nsock timers to fire too early. This
  could happen for the timed probes in IPv6 OS detection, causing an
  incorrect measurement of the TCP_ISR feature. [David Fifield]

o [Zenmap] We now build on Windows with a newer version of PyGTK, so
  copy and paste should work again.

o Changed the way timeout calculations are made in the IPv6 OS engine.
  In rare cases a certain interleaving of probes and responses would
  result in an assertion failure.

Nmap 5.61TEST5 [2012-03-09]

o Integrated all of your IPv4 OS fingerprint submissions since June
  2011 (about 1,900 of them).  Added about 256 new fingerprints (and
  deleted some bogus ones), bringing the new total to 3,572.
  Additions include Apple iOS 5.01, OpenBSD 4.9 and 5.0, FreeBSD 7.0
  through 9.0-PRERELEASE, and a ton of new WAPs, routers, and other
  devices. Many existing fingerprints were improved. For more details,
  see http://seclists.org/nmap-dev/2012/q1/431 [David Fifield]

o Integrated all of your service/version detection fingerprints
  submitted since November 2010--more than 2,500 of them!  Our
  signature count increased more than 10% to 7,423 covering 862
  protocols. Some amusing and bizarre new services are described at
  http://seclists.org/nmap-dev/2012/q1/359 [David Fifield]

o Integrated your latest IPv6 OS submissions and corrections. We're
  still low on IPv6 fingerprints, so please scan any IPv6 systems you
  own or administer and submit them to http://nmap.org/submit/.  Both
  new fingerprints (if Nmap doesn't find a good match) and corrections
  (if Nmap guesses wrong) are useful.

o [NSE] Added a host-based registry which only persists (for the given
  host) until all scripts have finished scanning that host. The normal
  registry saves information until it is deleted or the Nmap scan
  ends. That is a waste of memory for information which doesn't need
  to persist that long. Use the host-based registry instead if you
  can. See http://nmap.org/book/nse-api.html#nse-api-registry. [Patrik
  Karlsson]

o IPv6 OS detection now includes a novelty detection system which
  avoids printing a match when an observed fingerprint is too
  different from fingerprints seen before. As the OS database is still
  small, this helps to avoid making (essentially) wild guesses when
  seeing a new operating system. [David Fifield]

o Refactored the nsock library to add the nsock-engines system. This
  allows system-specific scalable IO notification facilities to be
  used while maintaining the portable Nsock API. This initial version
  comes with an epoll-based engine for Linux and a select-based
  fallback engine for all other operating systems. Also added the
  --nsock-engine option to Nmap, Nping and Ncat to enforce use of a
  specific Nsock IO engine. [Henri Doreau]

o [NSE] Added 43(!) NSE scripts, bringing the total up to 340.  They
  are all listed at http://nmap.org/nsedoc/, and the summaries are
  below (authors are listed in brackets):

  + acarsd-info retrieves information from a listening acarsd
    daemon. Acarsd decodes ACARS (Aircraft Communication Addressing
    and Reporting System) data in real time. [Brendan Coles]

  + asn-to-prefix produces a list of IP prefixes for a given AS number
    (ASN). It uses the external Shadowserver API (with their
    permission). [John Bond]

  + broadcast-dhcp6-discover sends a DHCPv6 request (Solicit) to the
    DHCPv6 multicast address, parses the response, then extracts and
    prints the address along with any options returned by the
    server. [Patrik Karlsson]

  + broadcast-networker-discover discovers the EMC Networker backup
    software server on a LAN by using network broadcasts. [Patrik Karlsson]

  + broadcast-pppoe-discover discovers PPPoE servers using the PPPoE
    Discovery protocol (PPPoED). [Patrik Karlsson]

  + broadcast-ripng-discover discovers hosts and routing information
    from devices running RIPng on the LAN by sending a RIPng Request
    command and collecting the responses from all responsive
    devices. [Patrik Karlsson]

  + broadcast-versant-locate discovers Versant object databases using
    the srvloc protocol. [Patrik Karlsson]

  + broadcast-xdmcp-discover discovers servers running the X Display
    Manager Control Protocol (XDMCP) by sending an XDMCP broadcast
    request to the LAN. [Patrik Karlsson]

  + cccam-version detects the CCcam service (software for sharing
    subscription TV among multiple receivers). [David Fifield]

  + dns-client-subnet-scan performs a domain lookup using the
    edns-client-subnet option, which lets a query carry subnet
    information describing where the query originates. The script uses
    this option to supply a number of geographically distributed
    locations in an attempt to enumerate as many different address
    records as possible. [John Bond]

  + dns-nsid retrieves information from a DNS nameserver by requesting
    its nameserver ID (nsid) and asking for its id.server and
    version.bind values. [John Bond]

  + dns-srv-enum enumerates various common service (SRV) records for a
    given domain name.  The service records contain the hostname, port
    and priority of servers for a given service. [Patrik Karlsson]

  + eap-info enumerates the authentication methods offered by an EAP
    authenticator for a given identity or for the anonymous identity
    if no argument is passed. [Riccardo Cecolin]

  + http-auth-finder spiders a web site to find web pages requiring
    form-based or HTTP-based authentication. [Patrik Karlsson]

  + http-config-backup checks for backups and swap files of common
    content management system and web server configuration
    files. [Riccardo Cecolin]

  + http-generator displays the contents of the "generator" meta tag
    of a web page (default: /) if there is one. [Michael Kohl]

  + http-proxy-brute performs brute force password guessing against an
    HTTP proxy server. [Patrik Karlsson]

  + http-qnap-nas-info attempts to retrieve the model, firmware
    version, and enabled services from a QNAP Network Attached Storage
    (NAS) device. [Brendan Coles]

  + http-vuln-cve2009-3960 exploits CVE-2009-3960, also known as Adobe
    XML External Entity Injection. [Hani Benhabiles]

  + http-vuln-cve2010-2861 executes a directory traversal attack
    against a ColdFusion server and tries to grab the password hash
    for the administrator user. It then uses the salt value (hidden in
    the web page) to create the SHA1 HMAC hash that the web server
    needs for authentication as admin. [Micah Hoffman]

  + iax2-brute performs brute force password auditing against the
    Asterisk IAX2 protocol. [Patrik Karlsson]

  + membase-brute performs brute force password auditing against
    Couchbase Membase servers. [Patrik Karlsson]

  + membase-http-info retrieves information (hostname, OS, uptime,
    etc.) from the Couchbase Web Administration port. [Patrik
    Karlsson]

  + memcached-info retrieves information (including system
    architecture, process ID, and server time) from distributed memory
    object caching system memcached. [Patrik Karlsson]

  + mongodb-brute performs brute force password auditing against the
    MongoDB database. [Patrik Karlsson]

  + nat-pmp-mapport maps a WAN port on the router to a local port on
    the client using the NAT Port Mapping Protocol (NAT-PMP). [Patrik
    Karlsson]

  + ndmp-fs-info lists remote file systems by querying the remote
    device using the Network Data Management Protocol (ndmp). [Patrik
    Karlsson]

  + ndmp-version retrieves version information from the remote Network
    Data Management Protocol (NDMP) service. [Patrik Karlsson]

  + nessus-xmlrpc-brute performs brute force password auditing against
    a Nessus vulnerability scanning daemon using the XMLRPC
    protocol. [Patrik Karlsson]

  + redis-brute performs brute force password auditing against a
    Redis key-value store. [Patrik Karlsson]

  + redis-info retrieves information (such as version number and
    architecture) from a Redis key-value store. [Patrik Karlsson]

  + riak-http-info retrieves information (such as node name and
    architecture) from a Basho Riak distributed database using the
    HTTP protocol. [Patrik Karlsson]

  + rpcap-brute performs brute force password auditing against the
    WinPcap Remote Capture Daemon (rpcap). [Patrik Karlsson]

  + rpcap-info connects to the rpcap service (provides remote sniffing
    capabilities through WinPcap) and retrieves interface
    information. [Patrik Karlsson]

  + rsync-brute performs brute force password auditing against the
    rsync remote file syncing protocol. [Patrik Karlsson]

  + rsync-list-modules lists modules available for rsync (remote file
    sync) synchronization. [Patrik Karlsson]

  + socks-auth-info determines the supported authentication mechanisms
    of a remote SOCKS 5 proxy server. [Patrik Karlsson]

  + socks-brute performs brute force password auditing against SOCKS 5
    proxy servers. [Patrik Karlsson]

  + url-snarf sniffs an interface for HTTP traffic and dumps any URLs and
    their originating IP address. [Patrik Karlsson]

  + versant-info extracts information, including file paths, version
    and database names from a Versant object database. [Patrik
    Karlsson]

  + vmauthd-brute performs brute force password auditing against the
    VMWare Authentication Daemon (vmware-authd). [Patrik Karlsson]

  + voldemort-info retrieves cluster and store information from the
    Voldemort distributed key-value store using the Voldemort Native
    Protocol. [Patrik Karlsson]

  + xdmcp-discover requests an XDMCP (X display manager control
    protocol) session and lists supported authentication and
    authorization mechanisms. [Patrik Karlsson]

o [NSE] Added 14 new protocol libraries! They were all written by
  Patrik Karlsson, except for the EAP library by Riccardo Cecolin:
  + dhcp6 (Dynamic Host Configuration Protocol for IPv6)
  + eap (Extensible Authentication Protocol)
  + iax2 (Inter-Asterisk eXchange v2 VoIP protocol)
  + membase (Couchbase Membase TAP protocol)
  + natpmp (NAT Port Mapping Protocol)
  + ndmp (Network Data Management Protocol)
  + pppoe (Point-to-point protocol over Ethernet)
  + redis (in-memory key-value data store)
  + rpcap (WinPcap Remote Capture Daemon)
  + rsync (remote file sync)
  + socks (SOCKS 5 proxy protocol)
  + sslcert (for collecting SSL certificates and storing them in the
    host-based registry)
  + versant (an object database)
  + xdmcp (X Display Manager Control Protocol)

o CPE (Common Platform Enumeration) OS classification is now supported
  for IPv6 OS detection. Previously it was only available for
  IPv4. [David Fifield]

o [NSE] The host.os table is now a structured array of tables that
  include OS class information and CPE. See
  http://nmap.org/book/nse-api.html for documentation of the new
  structure. [Henri Doreau, David]

o [NSE] Service matches can now access CPE through the
  port.version.cpe array. [Henri Doreau]

o Added a new --script-args-file option which allows you to specify
  the name of a file containing all of your desired NSE script
  arguments. The arguments may be separated with commas or newlines
  and may be overridden by arguments specified on the command-line
  with --script-args. [Daniel Miller]

o Audited the nmap-service-probes database to remove all unused
  captures, fixing dozens of bugs with captures either being ignored
  or two fields erroneously using the same capture. [Lauri Kokkonen,
  David Fifield, and Rob Nicholls]

o Added new version detection probes and match lines for:
 + Erlang Port Mapper Daemon
 + Couchbase Membase NoSQL database
 + Basho Riak distributed database protocol buffers client (PBC)
 + Tarantool in-memory data store
 [Patrik Karlsson]

o Split the nmap-update client into its own binary RPM to avoid the
  Nmap RPM having a dependency on the Subversion and APR libraries.
  We're not yet distributing this binary nmap-update RPM since the
  system isn't complete, but the source code is available in the Nmap
  tarball and source RPM. [David]

o [NSE] Added authentication support to the MongoDB library and
  modified existing scripts to support it. [Patrik Karlsson]

o [NSE] Added support to broadcast-listener for extracting address, native VLAN
  and management IP address from CDP packets. [Tom Sellers]

o [NSE] Added RPC Call CALLIT to the RPC library and modified UDP sockets to be
  unconnected in order to support broadcast. [Patrik Karlsson]

o [NSE] Modified the ssl-cert and ssl-google-cert-catalog scripts to
  take advantage of the new sslcert library which retrieves and caches
  SSL certificates in the registry.

o [NSE] Patched our bitcoin library to support recent changes in the
  BitCoin protocol. [Andrew Orr, Patrik Karlsson]

o Fixed an error where very long messages could cause an
  assertion failure: "log_vwrite: vsnprintf failed.  Even after
  increasing bufferlen to ---, Vsnprintf returned -1 (logt == 1)."
  This was reported by David Hingos.

o Fixed an assertion failure that was printed when a fatal error
  occurred while an XML tag was incomplete: "!xml.tag_open, file
  ..\xml.cc, line 401". This was reported by David Hingos. [David
  Fifield]

o [NSE] Added support for decoding EIGRP broadcasts from Cisco routers
  to broadcast-listener. [Tom Sellers]

o [NSE] Added redirect support to the http library. All calls to
  http.get and http.head now transparently handle any HTTP
  redirects. The number and destination of redirects are limited by
  default to avoid endless loops or unwanted follows of redirects to
  different servers, but they can be configured. [Patrik Karlsson]

o [NSE] Modified the sql-injection script to use the httpspider library.
  [Lauri Kokkonen]

o Added --with-apr and --with-subversion configuration options to
  support systems where those libraries aren't in the usual places.
  [David Fifield]

o [NSE] Fixed a bunch of global access errors in various libraries reported by
  the nse_check_globals script. [Patrik Karlsson]

o Fixed an assertion failure which could occur when connecting to an
  SSL server:
  nsock_core.c:186: update_events: Assertion `(ev_inc & ev_dec) == 0' failed.
  Thanks to Ron for reporting the bug and testing. [Henri Doreau]

o [NSE] Added support to the DNS library for the CHAOS class and NSID
  requests. [John Bond]

o [NSE] Changed the dnsbl library to take a much faster threaded
  approach to querying DNS blacklists. [Patrik Karlsson]

o [NSE] Added new services and the ATTACK category to the dnsbl
  script. [Duarte Silva]

o [NSE] Fixed a memory leak in PortList::setServiceProbeResults()
  which was noticed and reported by David Fifield. The leak was
  triggered by set_port_version calls from NSE.  [Henri Doreau]

o [NSE] Fixed a race condition in broadcast-dhcp-discover.nse that
  could cause responses to be missed on fast networks. It was noticed
  by Vasiliy Kulikov. [David Fifield]

o Fixed a bug in reverse name resolution: a name of "." would leave
  the hostname uninitialized and cause "Illegal character(s) in
  hostname" warnings. [Gisle Vanem]

o Allow overriding the AR variable to use a different version of the
  ar library creation tool when creating the liblinear library. [Nuno
  Gonçalves]

o Added vcredist2008_x86.exe to the Windows zip file. This installer
  from MS must be run on new Windows 2008 systems (those which don't
  already have it) before running Nmap.  The Nmap Windows installer
  already takes care of this. [David Fifield]

o Removed about 5MB of unnecessary DocBook XSL from the Nping docs
  directory. [David Fifield]

o The packet library now uses consistent naming of the address fields
  for IPv4 and IPv6 packets (ip_bin_src, ip_bin_dst, ip_src, and
  ip_dst). [Henri Doreau]

o Update to the latest MAC address prefix assignments from IEEE as of
  March 8, 2012. [Fyodor]

o Fixed a problem in the ippackethdrinfo function which was leading to
  warning messages like: "BOGUS!  Can't parse supposed IP packet" during
  certain IPv6 scans. [David Fifield]

o Fixed building on Arch Linux. The PCAP_IS_SUITABLE test had to be
  modified to ensure that -lnl was passed on the build line. See the
  r28202 svn log for further information. [David Fifield]

o Include net/if.h before net/if_arp.h in netutil.cc and tcpip.cc to
  hopefully fix some build problems on AIX 5.3.

o [NSE] Added IPv6 support to firewalk.nse. [Henri Doreau]

Nmap 5.61TEST4 [2012-01-02]

o [NSE] Added a new httpspider library which is used for recursively
  crawling web sites for information.  New scripts using this
  functionality include http-backup-finder, http-email-harvest,
  http-grep, http-open-redirect, and http-unsafe-output-escaping. See
  http://nmap.org/nsedoc/ or the list later in this file for details
  on these. [Patrik]

o Our Mac OS X packages are now x86-only (rather than universal),
  reducing the download size from 30 MB to about 17.  If you still
  need a PowerPC version (Apple stopped selling those machines in
  2006), you can use Nmap 5.51 or 5.61TEST2 from
  http://nmap.org/dist/?C=M&O=D.

o We set up a new SVN server for the Nmap codebase.  This one uses SSL
  for better security, WebDAV rather than svnserve for greater
  functionality, is hosted on a faster (virtual) machine, provides
  Nmap code history back to 1998 rather than 2005, and removes the
  need for the special "guest" username.  The new server is at
  https://svn.nmap.org.  More information:
  http://seclists.org/nmap-dev/2011/q4/504.

o [NSE] Added a vulnerability management library (vulns.lua) to store and
  report discovered vulnerabilities.  Modified these scripts to use
  the new library:
  - ftp-libopie.nse
  - http-vuln-cve2011-3192.nse
  - ftp-vuln-cve2010-4221.nse
  - ftp-vsftpd-backdoor.nse
  - smtp-vuln-cve2011-1720.nse
  - smtp-vuln-cve2011-1764.nse
  - afp-path-vuln.nse
  [Djalal, Henri]

o [NSE] Added a new script force feature.  You can force scripts to
  run against target ports (even if the "wrong" service is detected)
  by placing a plus in front of the script name passed to --script.
  See
  http://nmap.org/book/nse-usage.html#nse-script-selection. [Martin
  Swende]

o [NSE] Added 51(!) NSE scripts, bringing the total up to 297.  They
  are all listed at http://nmap.org/nsedoc/, and the summaries are
  below (authors listed in brackets):

  + amqp-info gathers information (a list of all server properties)
    from an AMQP (advanced message queuing protocol)
    server. [Sebastian Dragomir]

  + bitcoin-getaddr queries a Bitcoin server for a list of known
    Bitcoin nodes. [Patrik Karlsson]

  + bitcoin-info extracts version and node information from a Bitcoin
    server. [Patrik Karlsson]

  + bitcoinrpc-info obtains information from a Bitcoin server by
    calling getinfo on its JSON-RPC interface. [Toni
    Ruottu]

  + broadcast-pc-anywhere sends a special broadcast probe to discover
    PC-Anywhere hosts running on a LAN. [Patrik Karlsson]

  + broadcast-pc-duo discovers PC-DUO remote control hosts and
    gateways running on the LAN. [Patrik Karlsson]

  + broadcast-rip-discover discovers hosts and routing information
    from devices running RIPv2 on the LAN. It does so by sending a
    RIPv2 Request command and collecting the responses from all devices
    responding to the request. [Patrik Karlsson]

  + broadcast-sybase-asa-discover discovers Sybase Anywhere servers on
    the LAN by sending broadcast discovery messages. [Patrik Karlsson]

  + broadcast-wake-on-lan wakes a remote system up from sleep by
    sending a Wake-On-Lan packet. [Patrik Karlsson]

  + broadcast-wpad-discover retrieves a list of proxy servers on the
    LAN using the Web Proxy Autodiscovery Protocol (WPAD). [Patrik
    Karlsson]

  + dns-blacklist checks target IP addresses against multiple DNS
    anti-spam and open proxy blacklists and returns a list of services
    where the IP has been blacklisted. [Patrik Karlsson]

  + dns-zeustracker checks if the target IP range is part of a Zeus
    botnet by querying ZTDNS @ abuse.ch. [Mikael Keri]

  + ganglia-info retrieves system information (OS version, available
    memory, etc.) from a listening Ganglia Monitoring Daemon or
    Ganglia Meta Daemon. [Brendan Coles]

  + hadoop-datanode-info discovers information such as log directories
    from an Apache Hadoop DataNode HTTP status page. [John R. Bond]

  + hadoop-jobtracker-info retrieves information from an Apache Hadoop
    JobTracker HTTP status page. [John R. Bond]

  + hadoop-namenode-info retrieves information from an Apache Hadoop
    NameNode HTTP status page. [John R. Bond]

  + hadoop-secondary-namenode-info retrieves information from an
    Apache Hadoop secondary NameNode HTTP status page. [John R. Bond]

  + hadoop-tasktracker-info retrieves information from an Apache
    Hadoop TaskTracker HTTP status page. [John R. Bond]

  + hbase-master-info retrieves information from an Apache HBase
    (Hadoop database) master HTTP status page. [John R. Bond]

  + hbase-region-info retrieves information from an Apache HBase
    (Hadoop database) region server HTTP status page. [John R. Bond]

  + http-apache-negotiation checks if the target HTTP server has
    mod_negotiation enabled.  This feature can be leveraged to find
    hidden resources and spider a web site using fewer requests. [Hani
    Benhabiles]

  + http-backup-finder spiders a website and attempts to identify
    backup copies of discovered files.  It does so by requesting a
    number of different combinations of the filename (e.g. index.bak,
    index.html~, copy of index.html). [Patrik Karlsson]

  + http-cors tests an HTTP server for Cross-Origin Resource Sharing
    (CORS), a way for domains to explicitly opt in to having certain
    methods invoked by another domain. [Toni Ruottu]

  + http-email-harvest spiders a web site and collects e-mail
    addresses. [Patrik Karlsson]

  + http-grep spiders a website and attempts to match all pages and
    URLs against a given string. Matches are counted and grouped per
    URL under which they were discovered. [Patrik Karlsson]

  + http-method-tamper tests whether a JBoss target is vulnerable to
    jmx console authentication bypass (CVE-2010-0738). [Hani
    Benhabiles]

  + http-open-redirect spiders a website and attempts to identify open
    redirects. Open redirects are handlers which commonly take a URL
    as a parameter and respond with an HTTP redirect (3XX) to the
    target. [Martin Holst Swende]

  + http-put uploads a local file to a remote web server using the
    HTTP PUT method. You must specify the filename and URL path with
    NSE arguments. [Patrik Karlsson]

  + http-robtex-reverse-ip obtains up to 100 forward DNS names for a
    target IP address by querying the Robtex service
    (http://www.robtex.com/ip/). [riemann]

  + http-unsafe-output-escaping spiders a website and attempts to
    identify output escaping problems where content is reflected back
    to the user. [Martin Holst Swende]

  + http-vuln-cve2011-3368 tests for the CVE-2011-3368 (Reverse Proxy
    Bypass) vulnerability in Apache HTTP server's reverse proxy
    mode. [Ange Gutek, Patrik Karlsson]

  + ipv6-node-info obtains hostnames, IPv4 and IPv6 addresses through
    IPv6 Node Information Queries. [David Fifield]

  + irc-botnet-channels checks an IRC server for channels that are
    commonly used by malicious botnets. [David Fifield, Ange Gutek]

  + irc-brute performs brute force password auditing against IRC
    (Internet Relay Chat) servers. [Patrik Karlsson]

  + krb5-enum-users discovers valid usernames by brute force querying
    likely usernames against a Kerberos service. [Patrik Karlsson]

  + maxdb-info retrieves version and database information from a SAP
    Max DB database. [Patrik Karlsson]

  + metasploit-xmlrpc-brute performs brute force password auditing
    against a Metasploit RPC server using the XMLRPC protocol. [Vlatko
    Kosturjak]

  + ms-sql-dump-hashes dumps the password hashes from an MS-SQL server
    in a format suitable for cracking by tools such as
    John the Ripper. In order to do so the user needs to have the
    appropriate DB privileges. [Patrik Karlsson]

  + nessus-brute performs brute force password auditing against a
    Nessus vulnerability scanning daemon using the NTP 1.2
    protocol. [Patrik Karlsson]

  + nexpose-brute performs brute force password auditing against a
    Nexpose vulnerability scanner using the API 1.1. [Vlatko
    Kosturjak]

  + openlookup-info parses and displays the banner information of an
    OpenLookup (network key-value store) server. [Toni Ruottu]

  + openvas-otp-brute performs brute force password auditing against an
    OpenVAS vulnerability scanner daemon using the OTP 1.0
    protocol. [Vlatko Kosturjak]

  + reverse-index creates a reverse index at the end of scan output
    showing which hosts run a particular service. [Patrik Karlsson]

  + rexec-brute performs brute force password auditing against the
    classic UNIX rexec (remote exec) service. [Patrik Karlsson]

  + rlogin-brute performs brute force password auditing against the
    classic UNIX rlogin (remote login) service. [Patrik Karlsson]

  + rtsp-methods determines which methods are supported by the RTSP
    (real time streaming protocol) server. [Patrik Karlsson]

  + rtsp-url-brute attempts to enumerate RTSP media URLs by testing
    for common paths on devices such as surveillance IP
    cameras. [Patrik Karlsson]

  + telnet-encryption determines whether the encryption option is
    supported on a remote telnet server.  Some systems (including
    FreeBSD and the krb5 telnetd available in many Linux
    distributions) implement this option incorrectly, leading to a
    remote root vulnerability. [Patrik Karlsson, David Fifield,
    Fyodor]

  + tftp-enum enumerates TFTP (trivial file transfer protocol) filenames by testing
    for a list of common ones. [Alexander Rudakov]

  + unusual-port compares the detected service on a port against the
    expected service for that port number (e.g. ssh on 22, http on 80)
    and reports deviations. An early version of this same idea was
    written by Daniel Miller. [Patrik Karlsson]

  + vuze-dht-info retrieves some basic information, including protocol
    version from a Vuze filesharing node. [Patrik Karlsson]

o [NSE] Added some new protocol libraries
 + amqp (advanced message queuing protocol) [Sebastian Dragomir]
 + bitcoin crypto currency [Patrik Karlsson]
 + dnsbl for DNS-based blacklists [Patrik Karlsson]
 + rtsp (real time streaming protocol) [Patrik Karlsson]
 + httpspider and vulns have separate entries in this CHANGELOG

o Nmap now includes a nmap-update program for obtaining the latest
  updates (new scripts, OS fingerprints, etc.)  The system is
  currently only available to a few developers for testing, but we
  hope to enable a larger set of beta testers soon. [David]

o On Windows, the directory <HOME>\AppData\Roaming\nmap is now
  searched for data files. This is the equivalent of $HOME/.nmap on
  POSIX. [David]

o Improved OS detection performance by scaling congestion control
  increments by the response rate during OS scan, just as was done
  for port scan before. [David]

o [NSE] The targets-ipv6-multicast-*.nse scripts now scan all
  interfaces by default. They show the MAC address and interface name
  now too. [David, Daniel Miller]

o Added some new version detection probes:
 + MongoDB service [Martin Holst Swende]
 + Metasploit XMLRPC service [Vlatko Kosturjak]
 + Vuze filesharing system [Patrik]
 + Redis key-value store [Patrik]
 + memcached [Patrik]
 + Sybase SQL Anywhere [Patrik]
 + VMware ESX Server [Aleksey Tyurin]
 + TCP Kerberos [Patrik]
 + PC-Duo [Patrik]
 + PC Anywhere [Patrik]

o Targets requiring different source addresses now go into different
  hostgroups, not only for host discovery but also for port scanning.
  Before, only responses to one of the source addresses would be
  processed, and the others would be ignored. [David]

o Tidied up the version detection DB (nmap-service-probes) with a new
  cleanup/canonicalization program sv-tidy.  In particular, this:
 - Removes excess whitespace
 - Sorts templates in the order m p v i d o h cpe:
 - Canonicalizes template delimiters in the order: / | % = @ #.
 [David]
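
  The three sv-tidy rules above, applied to a single match line, as an
  added Python example. This is not the sv-tidy program: it is written
  from the description here, handles only match/softmatch lines, and the
  messy input line is constructed.

```python
"""Canonicalize one nmap-service-probes match line: collapse whitespace,
order templates m p v i d o h cpe:, and pick delimiters in the order / | % = @ #."""
import re

TEMPLATE_ORDER = ["m", "p", "v", "i", "d", "o", "h", "cpe:"]
DELIMITER_PREFERENCE = "/|%=@#"

# A template is <kind><delim><body><delim><flags>: delim is any non-alphanumeric
# character that does not occur in body; flags are letters such as "i"/"s" on
# m templates and "a" on cpe: templates. The backreference \2 closes the body.
TEMPLATE_RE = re.compile(
    r"(?<!\S)(cpe:|[mpvidoh])([^\w\s])(.*?)\2([a-z]*)(?=\s|$)"
)
LINE_RE = re.compile(r"^\s*(match|softmatch)\s+(\S+)\s+(.*)$")

def parse_templates(rest):
    """Return [(kind, body, flags)] in the order they appear on the line."""
    return [(k, body, flags) for k, _d, body, flags in TEMPLATE_RE.findall(rest)]

def choose_delimiter(body):
    """First character of the preference list that does not occur in body."""
    for d in DELIMITER_PREFERENCE:
        if d not in body:
            return d
    raise ValueError("no usable delimiter for template body: %r" % body)

def tidy_match_line(line):
    m = LINE_RE.match(line)
    if not m:
        return line.strip()            # not a match line: leave it alone
    keyword, service, rest = m.groups()
    templates = parse_templates(rest)
    # sort() is stable, so several cpe: templates keep their relative order
    templates.sort(key=lambda t: TEMPLATE_ORDER.index(t[0]))
    parts = [keyword, service]
    for kind, body, flags in templates:
        d = choose_delimiter(body)
        parts.append("%s%s%s%s%s" % (kind, d, body, d, flags))
    return " ".join(parts)             # single spaces: excess whitespace removed

# Constructed input: extra whitespace, templates out of order, "=" used as a delimiter
MESSY = ("softmatch   http   p=Apache httpd=   m|^HTTP/1\\.[01] \\d\\d\\d|s"
         "    cpe:/a:apache:http_server/a  v/2.4/")

if __name__ == "__main__":
    print(tidy_match_line(MESSY))
```

  The regex body keeps the "|" delimiter because it contains a "/",
  while "p=Apache httpd=" is rewritten with "/"; the canonical form of a
  line is therefore a fixed point of the function, which is what makes
  diffs of the database readable.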

o The --exclude and --excludefile options for excluding targets can
  now be used together. [David]

o [NSE] Added support for detecting whether an HTTP connection was
  established using SSL or not to the http.lua library. [Patrik]

o [NSE] Added local port to BPF filter in snmp-brute to fix bug that would
  prevent multiple scripts from receiving the correct responses. The bug was
  discovered by Brendan Bird. [Patrik]

o [NSE] Changed the dhcp-discover script to use the DHCPINFORM request
  to query dhcp servers instead of DHCPDISCOVER. Also removed DoS code
  from dhcp-discover and placed the script into the discovery and safe
  categories. Added support for adding options to DHCP requests and
  cleaned up some code in the dhcp library. [Patrik]
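
  Why the switch to DHCPINFORM matters, as an added Python example that
  builds such a request (RFC 2131): DHCPINFORM carries the client's
  existing address in ciaddr and asks only for configuration parameters,
  so the server hands out no lease, whereas repeated DHCPDISCOVERs make
  the server reserve addresses and can drain the pool. This is not the
  dhcp.lua library; the MAC address, client address, transaction id and
  extra option are constructed.

```python
"""Build and parse a DHCPINFORM request with caller-supplied options."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_PARAM_REQUEST, OPT_END = 53, 55, 255
DHCPINFORM = 8

def encode_options(options):
    """options: list of (code, bytes) in TLV form; appends the END marker."""
    out = bytearray()
    for code, value in options:
        if not 0 <= len(value) <= 255:
            raise ValueError("option %d too long" % code)
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)

def build_dhcpinform(mac, client_ip, xid, extra_options=()):
    """BOOTREQUEST with ciaddr set and message type DHCPINFORM.

    yiaddr stays zero: we are not asking for an address, only for parameters,
    which is why the server allocates nothing for this request."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1,                            # op: BOOTREQUEST
                        1, 6, 0,                      # htype Ethernet, hlen, hops
                        xid, 0,                       # xid, secs
                        0x0000,                       # flags: unicast reply is fine
                        socket.inet_aton(client_ip),  # ciaddr: address we already hold
                        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,   # yiaddr, siaddr, giaddr
                        chaddr, b"\x00" * 64, b"\x00" * 128)     # chaddr, sname, file
    options = [(OPT_MSG_TYPE, bytes([DHCPINFORM])),
               (OPT_PARAM_REQUEST, bytes([1, 3, 6, 15]))]   # mask, router, DNS, domain
    options.extend(extra_options)
    return fixed + MAGIC_COOKIE + encode_options(options)

def parse_options(packet):
    """Return {code: bytes} from the options area of a DHCP packet."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                 # PAD: single byte, no length
            i += 1
            continue
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def message_type(packet):
    return parse_options(packet)[OPT_MSG_TYPE][0]

def client_address(packet):
    return socket.inet_ntoa(packet[12:16])   # ciaddr sits at offset 12 of the fixed header

if __name__ == "__main__":
    # Constructed values; option 12 is the host name.
    pkt = build_dhcpinform("00:11:22:33:44:55", "192.0.2.10", 0x3903F326, [(12, b"scanner")])
    print(len(pkt), message_type(pkt), client_address(pkt))
```

  Sending it to 255.255.255.255:67 from a socket bound to port 68 is
  what the script would do; this block stops at the bytes so it runs
  offline.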

o [NSE] Applied patch to snmp-brute that solves problems with handling
  errors that occur during community list file parsing. [Duarte
  Silva]

o [NSE] Added new fingerprints to http-enum for:
  - Subversion, CVS and Apache Archiva [Duarte Silva]
  - DVCS systems Git, Mercurial and Bazaar [Hani Benhabiles].

o [NSE] Applied some code cleanup to the snmp library. [Brendan Byrd]

o [NSE] Fixed an undeclared variable bug in snmp-ios-config [Patrik]

o [NSE] Added additional version information to the MongoDB scripts.
  [Martin Swende]

o [NSE] Added a path argument to the http-auth script and updated the
  script to use stdnse.format_output. [Duarte Silva, Patrik]

o [NSE] Fixed bug in the http library that would fail to parse
  authentication headers if no parameters were present. [Patrik]

o Made a syntax change in the zenmap.desktop file for compliance with
  the XDG standard. [Frederik Schwarzer]

o [NSE] Replaced a number of GET requests with HEAD in
  http-fingerprints.lua.  HEAD is quicker and sufficient when no
  matching is performed on the returned contents.  [Hani Benhabiles]

o [NSE] Added support for retrieving SSL certificates from FTP
  servers. [Matt Selsky]

o [Nping] The --safe-payloads option is now the default. Added
  --include-payloads for the special situations where payloads are
  needed. [Colin Rice]

o [NSE] Added new functionality and fixed some bugs in the brute library:
  - Added support for restricting the number of guesses performed by the
    brute library against users, to prevent account lockouts.
  - Added support to guess the username as password. The documentation
    previously suggested (wrongly) that this was the default behavior.
  - Added support to guess an empty string as password if not
    present in the dictionary. [Patrik]
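
  The three brute library behaviours above (a per-user guess cap to stay
  under lockout thresholds, username-as-password, and the empty password
  when the dictionary lacks it) as an added Python example. It is
  modelled on that description and is not the Lua library; the ordering
  (username and empty string tried first) and the user/pass iteration
  modes are this example's choices, and the users and dictionary are
  constructed.

```python
"""Schedule credential guesses with a per-account cap and the two extra guesses."""

def candidate_passwords(user, passwords, user_as_pass=True, empty_pass=True):
    """Per-user password list, de-duplicated, cheapest guesses first."""
    ordered = []
    if user_as_pass:
        ordered.append(user)
    if empty_pass:
        ordered.append("")
    ordered.extend(passwords)
    seen, out = set(), []
    for p in ordered:
        if p not in seen:            # dictionaries often already contain "" or the user name
            seen.add(p)
            out.append(p)
    return out

def build_guesses(users, passwords, mode="user", max_per_user=None,
                  user_as_pass=True, empty_pass=True):
    """Return the (user, password) pairs to attempt, in order.

    mode="user": exhaust one user's candidates before moving to the next.
    mode="pass": round-robin across users one candidate at a time, spreading
                 attempts over accounts instead of hammering one.
    max_per_user: hard cap on attempts per account so a policy such as
                 "lock after 5 failures" is never reached; None disables it.
    """
    per_user = {u: candidate_passwords(u, passwords, user_as_pass, empty_pass) for u in users}
    counts = {u: 0 for u in users}
    guesses = []

    def take(u, p):
        if max_per_user is not None and counts[u] >= max_per_user:
            return False             # budget for this account spent: do not touch it again
        counts[u] += 1
        guesses.append((u, p))
        return True

    if mode == "user":
        for u in users:
            for p in per_user[u]:
                if not take(u, p):
                    break
    elif mode == "pass":
        longest = max((len(c) for c in per_user.values()), default=0)
        for i in range(longest):
            for u in users:
                if i < len(per_user[u]):
                    take(u, per_user[u][i])
    else:
        raise ValueError("unknown mode %r" % mode)
    return guesses

# Constructed inputs; the dictionary already holds "root" and "" to show de-duplication
USERS = ["root", "admin"]
PASSWORDS = ["123456", "root", "", "password"]

if __name__ == "__main__":
    for user, pw in build_guesses(USERS, PASSWORDS, max_per_user=3):
        print("%s : %r" % (user, pw))
```

  With max_per_user=3 the account "admin" is never tried with "root" or
  "password": the cap is enforced per account, not on the total, which is
  the property that keeps a lockout policy from firing.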

o [NSE] Re-enabled support for guessing the username in addition to password
  that was incorrectly removed from the metasploit-xmlrpc-brute in previous
  commit. [Patrik]
  
o [NSE] Fixed bug that would prevent brute scripts from running if no service
  field was present in the port table. [Patrik]

o [NSE] Turned on promiscuous mode in targets-sniffer.nse so that it
  finds packets not only from or to the scanning host. [David]

o The Zenmap topology display feature is now disabled when there are
  more than 1,000 target hosts.  Those topology maps slow down the
  interface and are generally too crowded to be of much use.

o [NSE] Modified the http library to support servers that don't return valid
  chunked encoded data, such as the Citrix XML service. [Patrik]

o [NSE] Fixed a bug where the brute library would not abort even after all
  retries were exhausted. [Patrik]

o Fixed a bug in the IPv6 OS probe called NI. The Node Information
  Query didn't include the target address as the payload, so at least
  OS X didn't respond. This differed from the probe sent by the
  ipv6fp.py program from which some of our fingerprints were derived.
  [David]

o [NSE] Fixed an error in the mssql library that was causing the
  broadcast-ms-sql-discover script to fail when trying to update port version
  information. [Patrik]

o [NSE] Added the missing broadcast category to the broadcast-listener script.
  [Jason DePriest]

o [NSE] Made changes to the categories of the following scripts (new
  categories shown) [Duarte Silva]:
  - http-userdir-enum.nse (auth,intrusive)
  - mysql-users.nse (auth,intrusive)
  - http-wordpress-enum.nse (auth,intrusive,vuln)
  - krb5-enum-users.nse (auth,intrusive)
  - snmp-win32-users.nse (default,auth,safe)
  - smtp-enum-users.nse (auth,external,intrusive)
  - ncp-enum-users.nse (auth,safe)
  - smb-enum-users.nse (auth,intrusive)

o Made nbase compile with the clang compiler that is a part of Xcode
  4.2. [Daniel J. Luke]

o [NSE] Fixed a nil table index bug discovered in the mongodb
  library. [Thomas Buchanan]

o [NSE] Added XMPP support to ssl-cert.nse.

o [NSE] Made http-wordpress-enum.nse able to get names of users who
  have no posts. [Duarte Silva]

o Increased hop distance estimates from OS detection by one. The
  distance now counts the number of hops including the final one to
  the target, not just the number of intermediate nodes. The IPv6
  distance calculation already worked this way. [David]

Nmap 5.61TEST2 [2011-09-30]

o Added IPv6 OS detection system! The new system utilizes many tests
  similar to IPv4, and also some IPv6-specific ones that we found to
  be particularly effective. And it uses a machine learning approach
  rather than the static classifier we use for IPv4. We hope to move
  some of the IPv6 innovations back to our IPv4 system if they work
  out well. The database is still very small, so please submit any
  fingerprints that Nmap gives you to the specified URL (as long as
  you are certain that you know what the target system is
  running). Usage and results output are basically the same as with
  IPv4, but we will soon document the internal mechanisms at
  http://nmap.org/book/osdetect.html, just as we have for IPv4. For an
  example, try "nmap -6 -O scanme.nmap.org". [David, Luis]

o [NSE] Added 3 scripts, bringing the total to 246!  You can learn
  more about them at http://nmap.org/nsedoc/. Here they are (authors
  listed in brackets):

  + lltd-discovery uses the Microsoft LLTD protocol to discover hosts
    on a local network. [Gorjan Petrovski]

  + ssl-google-cert-catalog queries Google's Certificate Catalog for
    the SSL certificates retrieved from target hosts. [Vasiliy Kulikov]

  + quake3-info extracts information from a Quake3-like game
    server. [Toni Ruottu]

o Improved AIX support for raw scans. This includes some patches
  originally written by Peter O'Gorman and Florian Schmid. It also
  involved various build fixes found necessary on AIX 6.1 and 7.1. See
  http://nmap.org/book/inst-other-platforms.html. [David]

o Fixed Nmap so that it again compiles and runs on Solaris 10,
  including IPv6 support. [David]

o [NSE] Moved our brute force authentication cracking scripts
  (*-brute) from the "auth" category into a new "brute"
  category. Nmap's brute force capabilities have grown tremendously!
  You can see all 32 of them at
  http://nmap.org/nsedoc/categories/brute.html.  It isn't clear
  whether dns-brute should be in the brute category, so for now it
  isn't. [Fyodor]

o Made the interface gathering loop work on Linux when an interface
  index is more than two digits in /proc/net/if_inet6. Joe McEachern
  tracked down the problem and provided the fix.

o [NSE] Fixed a bug in dns.lua: dns.query() now always returns two values
  (status, response), and the workaround in asn-query.nse was replaced by
  proper use of those return values. [Henri]

o [NSE] Made irc-info.nse handle the case where the MOTD is missing.
  Patch by Sebastian Dragomir.

o Updated nmap-mac-prefixes to include the latest IEEE assignments
  as of 2011-09-29.

Nmap 5.61TEST1 [2011-09-19]

o Added Common Platform Enumeration (CPE, http://cpe.mitre.org/)
  output for OS and service versions. This is a standard way to
  identify operating systems and applications so that Nmap can
  better interoperate with other software. Nmap's own (generally more
  comprehensive) taxonomy/classification system is still supported as
  well. Some OS and version detection results don't have CPE entries
  yet. CPE entries show up in normal output with the headings "OS
  CPE:" and "Service Info:":
    OS CPE: cpe:/o:linux:kernel:2.6.39
    Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
  These also appear in XML output, which additionally has CPE entries
  for service versions. [David, Henri]

o Added IPv6 Neighbor Discovery ping. This is the IPv6 analog to IPv4
  ARP scan. It is the default ping type for local IPv6 networks.
  [Weilin]

o Integrated your latest (IPv4) OS detection submissions and
  corrections until June 22. New fingerprints include Linux 3, FreeBSD
  9, Mac OS X 10.7 (Lion), and 300+ more. The DB size increased 11% to
  3,308 fingerprints. See
  http://seclists.org/nmap-dev/2011/q3/556. Please keep those
  fingerprints coming! We now accept IPv4 and IPv6 OS fingerprints as
  well as service fingerprints, plus corrections of all types if Nmap
  guesses wrong.

o [NSE] Added 27 scripts, bringing the total to 243!  You can learn
  more about any of them at http://nmap.org/nsedoc/. Here are the new
  ones (authors listed in brackets):

  + address-info shows extra information about IPv6 addresses, such as
    embedded MAC or IPv4 addresses when available. [David Fifield]

  + bittorrent-discovery discovers bittorrent peers sharing a file
    based on a user-supplied torrent file or magnet link. [Gorjan
    Petrovski]

  + broadcast-db2-discover attempts to discover DB2 servers on the
    network by sending a broadcast request to port 523/udp. [Patrik
    Karlsson]
[--snip--]
