I'm indeed giving a trip to Vegas that weekend some serious thought =) BTW I bought Fyodor's Nmap book and love it.
Ben

On Sun, Jul 18, 2010 at 6:32 AM, Lisa Kachold <lisakach...@obnosis.com> wrote:
> Oops, I did it. I read the list of presentations, so now I HAVE to go to Defcon 18:
>
> https://www.defcon.org/html/defcon-18/dc-18-news.html
>
> Who else is going?
>
> ---------- Forwarded message ----------
> From: Fyodor <fyo...@insecure.org>
> Date: Fri, Jul 16, 2010 at 10:50 AM
> Subject: Nmap Defcon Release: Version 5.35DC1
> To: nmap-hack...@insecure.org
>
> Hi folks. It has been 3.5 months since the last Nmap release (5.30BETA1 on March 29), and anyone following the nmap-dev list knows that we've been very busy during that time. So I'm pleased to release Nmap version 5.35DC1 containing the fruits of that labor. The Defcon name is because that conference is awesome! And also because David Fifield and I have an exciting Nmap talk planned there and at Black Hat in a couple weeks (see http://seclists.org/nmap-dev/2010/q3/108).
>
> This release includes 131 NSE scripts (17 new), 6,622 version detection signatures, 2,608 OS fingerprints, and more. I'm particularly excited about the new db2 and ms-sql scripts, and nfs-ls really makes NFS discovery easy! We also added Eugene Alexeev's clever new dns-cache-snoop script. Nping and Ncat were significantly improved as well.
>
> The Nmap 5.35DC1 source code and packages for Linux, Mac OS X, and Windows are available for download at the usual place:
>
> http://nmap.org/download.html
>
> This is a BETA release, but we hope it works well for you. If not (or if you have any suggestions for improvement), please let us know on nmap-dev as described at http://nmap.org/book/man-bugs.html.
>
> Here are the 83 most significant changes in this release:
>
> o [NSE] Added 17 scripts, bringing the total to 131! They are described individually in the CHANGELOG, but here is the list of new ones: afp-serverinfo, db2-brute, dns-cache-snoop, dns-fuzz, ftp-libopie, http-php-version, irc-unrealircd-backdoor, ms-sql-brute, ms-sql-config, ms-sql-empty-password, ms-sql-hasdbaccess, ms-sql-query, ms-sql-tables, ms-sql-xp-cmdshell, nfs-ls, ntp-monlist. Learn more about any of these at: http://nmap.org/nsedoc/
>
> o Performed a major OS detection integration run. The database has grown to 2,608 fingerprints (an increase of 262) and many of the existing fingerprints were improved. These include the Apple iPad and Cisco IOS 15.X devices. We also received many fingerprints for ancient Microsoft systems including MS-DOS with MS Networking Client 3.0, Windows 3.1, and Windows NT 3.1. David posted highlights of his integration work at http://seclists.org/nmap-dev/2010/q2/283.
>
> o Performed a large version detection integration run. The number of signatures has grown to 6,622 (an increase of 279). New signatures include a remote administrative backdoor that a school famously used to spy on its students, an open source digital currency scheme named Bitcoin, and game servers for EVE Online, l2emurt Lineage II, and Frozen Bubble. You can read David's highlights at http://seclists.org/nmap-dev/2010/q2/385.
>
> o [NSE] Added nfs-ls.nse, which lists NFS exported files and their attributes. The nfs-acls and nfs-dirlist scripts were deleted because all their features are supported by this script. [Djalal]
>
> o [NSE] Add new DB2 library and two scripts
>   - db2-brute.nse uses the unpwdb library to guess credentials for DB2
>   - db2-info.nse re-write of Tom Sellers' script to use the new library
>   [Patrik]
>
> o [NSE] Added a library for Microsoft SQL Server and 7 new scripts. The new scripts are:
>   - ms-sql-brute.nse uses the unpwdb library to guess credentials for MSSQL
>   - ms-sql-config retrieves various configuration details from the server
>   - ms-sql-empty-password checks if the sa account has an empty password
>   - ms-sql-hasdbaccess lists database access per user
>   - ms-sql-query adds support for running custom queries against the database
>   - ms-sql-tables lists databases, tables, columns and datatypes with optional keyword filtering
>   - ms-sql-xp-cmdshell adds support for OS command execution to privileged users
>   [Patrik]
>
> o [NSE] Added the afp-serverinfo script that gets a hostname, IP addresses, and other configuration information from an AFP server. The script, and a patch to the afp library, were contributed by Andrew Orr and subsequently enhanced by Patrik and David.
>
> o [NSE] Added additional vulnerability checks to smb-check-vulns.nse: The Windows RAS RPC service vulnerability MS06-025 (http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx) and the Windows DNS Server RPC vuln MS07-029 (http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx). Note that these are only run if you specify the "unsafe" script arg because the implemented test crashes vulnerable services. [Drazen]
>
> o [NSE] Added dns-cache-snoop.nse by Eugene Alexeev. This script performs cache snooping by either sending non-recursive queries or by measuring response times.
>
> o [Zenmap] Added the ability to print Nmap output to a printer. [David]
>
> o [Nmap, Ncat, Nping] The default unit for time specifications is now seconds, not milliseconds, and times may have a decimal point. 1000 now means 1000 seconds, or about 17 minutes, not 1000 milliseconds. Floating point values such as 1.5 are now allowed. This affects the following options:
>   Nmap:
>     --host-timeout
>     --max-rtt-timeout --min-rtt-timeout --initial-rtt-timeout
>     --scan-delay --max-scan-delay
>     --stats-every
>   Ncat:
>     -d --delay
>     -i --idle-timeout
>     -w --wait
>   Nping:
>     --delay
>     --host-timeout
>     --icmp-orig-time --icmp-recv-time --icmp-trans-time
>   Some sanity checks have been added to catch what looks like an attempt to use the old millisecond defaults. For example, --host-timeout 10000 yields
>
>     Since April 2010, the default unit for --host-timeout is seconds, so your time of "10000" is 2.8 hours. If this is what you want, use "10000s".
>     QUITTING!
>
>   You can always disable the warning by giving an explicit unit.
>
> o [NSE] Scripts which take an argument for a time duration can now have the duration be a number followed by a unit, like elsewhere in Nmap. An example is "10m" for 10 minutes. The units understood are "ms" for milliseconds, "s" for seconds, "m" for minutes, and "h" for hours. Seconds are the default if no unit is specified. The new function stdnse.parse_timespec does the parsing of these formats. The qscan.delay script argument, which formerly interpreted its argument as being in milliseconds, now defaults to seconds; append "ms" to continue using the same numbers. [David]
>
> o [NSE] Added irc-unrealircd-backdoor.nse, which detects a backdoor that was in UnrealIRCd source code distributions between November 2009 and June 2010. See http://seclists.org/nmap-dev/2010/q2/826. [Vlatko Kosturjak, Ron, David]
>
> o Ports are now considered open during a SYN scan if a SYN packet (without the ACK flag) is received in response. This can be due to an extremely rare TCP feature known as a simultaneous open or split handshake connection. See http://bit.ly/tcp-sh and http://seclists.org/nmap-dev/2010/q2/723. [Jah]
>
> o [Ncat] In listen mode, the --exec and --sh-exec options now accept a single connection and then exit, just like in normal listen mode. Use the --keep-open option to get the old default inetd-like behavior. This was suggested by David Millis. [David]
>
> o [NSE] Added ftp-libopie.nse by Gutek. This script checks for an off-by-one stack overflow vulnerability in libopie by giving the FTP service an overly long name. See http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc for details.
>
> o [NSE] Added ntp-monlist.nse which discovers NTP server, peer and client hosts associated with a scanned target by sending NTPv2 Private Mode 'monitor' and 'peers' commands to the target. [Jah]
>
> o [NSE] Added http-php-version.nse from Gutek. This script retrieves version-specific pages through a couple of magic PHP queries, which can identify the PHP version even when a server doesn't advertise it.
>
> o [NSE] New script dns-fuzz launches a fuzzing attack against DNS servers. Added a new category - fuzzer - for scripts like this. [Michael Pattrick]
>
> o David made many improvements to the NSEDoc for individual scripts, including adding @output sections to scripts which didn't have them. He also improved the generated HTML with features like auto-generating usage strings if the scripts don't include their own and allowing the giant sidebar lists of scripts/libraries to expand and contract. See http://nmap.org/nsedoc/.
>
> o UDP payloads are now stored in an external data file, nmap-payloads, instead of being hard-coded in the executable. This makes it easier to add your own payloads or disable those you find problematic. [Jay Fink, David]
>
> o The Windows executable installer now uses LZMA compression instead of zlib, making it about 15% smaller. See http://seclists.org/nmap-dev/2010/q2/1011 for test results. [David]
>
> o Open XML elements are now closed in case of a fatal error, so the output should at least be well-formed. There are new attributes "exit" and "errormsg" in the finished element. "exit" is "success" or "error". When it is "error", the "errormsg" attribute contains the error message. Thanks to Grant Bartlett, who found a typo in the new output. [David]
>
> o Fixed name resolution in environments where gethostbyname can return IPv6 (or other non-IPv4 addresses). In such an environment, Nmap would wrongly use the first four bytes of the IPv6 address as an IPv4 address. You could force this, at least on Debian, by adding the line "options inet6" to /etc/resolv.conf or by running with RES_OPTIONS=inet6 in the environment. This was reported by Mats Erik Andersson, who also suggested the fix. [David]
>
> o Fixed the assignment of interface aliases to directly connected routes on Linux, which was broken in 5.30BETA1 (it always assigned the base interface instead of the alias). This was visible in the host.interface variable passed to NSE scripts. The bug was reported by Victor Rudnev. [David]
>
> o When Nmap is passed a hostname such as google.com which resolves to several IP addresses, Nmap now prints each IP address. It still only scans the first one in the returned list. [David]
>
> o Nmap now works if you specify several target host names which resolve to the same IP address. This can be useful when you are scanning virtual-hosted web servers and want to see NSE results specific to each site name even though they reside on the same machine. [David]
>
> o Made a list of current Nmap SVN committers: http://nmap.org/svn/docs/committers.txt
>
> o Added a new library, libnetutil, which contains about 2,700 lines of networking related code which is now shared between Nmap and Nping (it was previously duplicated by each tool). [Luis, David]
>
> o [NSE] http-passwd.nse now also checks for boot.ini to support Windows targets. [Gutek]
>
> o Removed --interactive mode, a miniature shell whose primary purpose was to hide command line arguments from the process list. It had been broken (would segfault during the second scan) for at least 9 months and was rarely used. The fact that it was broken was reported by Juan Carlos Castro. [David]
>
> o Added a version probe, match line, and UDP payload for the serialnumberd service of Mac OS X Server. This service overrides firewall settings to make itself visible, so it's useful for host discovery. [Patrik]
>
> o Improved service detection match lines for:
>   o Oracle Enterprise Manager Agent and mupdate by Matt Selsky
>   o Twisted web server, Apple Filing Protocol, Apple Mac OS X Password Server, XAVi XG6546p Wireless Gateway, Sun GlassFish Communications Server, and Comdasys, SIParator and Glassfish SIP by Patrik
>   o PostgreSQL, Cisco Site Selector ftpd, and LanSafe UPS monitoring HTTPd by Tom Sellers
>
> o Improved our brute force password guessing list by mixing in some data sent in by Solar Designer of John the Ripper fame.
>
> o [Zenmap] IP addresses are now sorted by octet rather than their string representation. For example, 10.1.1.2 is now sorted before 10.1.1.10. This problem was reported by Norris Carden. [David]
>
> o [NSE] Added UDP header parsing support to packet.lua. [jah]
>
> o Fixed a bug in Libpcap which led to Nmap hanging forever in some cases on 64-bit Mac OS X 10.6, 10.6.1, and 10.6.3. The fix was actually already available in upstream Libpcap, just not released. We also had to make Nmap build with its own Libpcap on 64-bit OS X if an already-installed system Libpcap has this bug. [David]
>
> o Updated our Winpcap to the new 4.1.2 release [Rob Nicholls]
>
> o [NSE] Fixed a bug in qscan.nse which gave an error if a confidence level of 0.9995 was used. Thanks to Marcin Hoffmann for noticing the problem. [Kris]
>
> o [libpcap] Added a --disable-packet-ring option to force the use of an older, slower packet capture mechanism on Linux. Before Linux 2.6.27, the packet ring mechanism uses different-sized kernel structures on 32- and 64-bit architectures, so a 32-bit program will not run correctly on a 64-bit kernel. The older mechanism does not have this flaw.
>
> o Fixed some errors in nmap-os-db, probably caused by incorrect string replacement during integration. This patch is from James Cook.
>
> o [Nsock, Ncat] Nsock has a new function, nsp_setbroadcast, that allows setting the SO_BROADCAST option on sockets. Ncat now sets this option unconditionally in connect mode to allow connections to broadcast addresses (useful in UDP mode). [Daniel Miller]
>
> o Nmap now works with "teamed" network interfaces on Windows. In order to distinguish the interfaces, their textual descriptions are now compared in addition to their MAC addresses. Without this, Nmap would send on the wrong interface and not receive any replies. A symptom of this problem was all scans failing except when --unprivileged was used. Norris Carden reported this bug. [David]
>
> o [Ncat] When receiving a connection/datagram in listen mode, Ncat now prints the connecting source port along with the IP address (when verbosity is enabled). [Rebellis]
>
> o Fixed a problem where the time variable used in some port scanning algorithms (for probe timeouts, etc) could vary based on the debugging level. [Kris]
>
> o Moved the parse_long function from ncat to nbase for better reuse, and used it to simplify netmask parsing code. [William Pursell]
>
> o Added EPROTO to the list of known error codes in service scan. Daniel Miller reported that an EPROTO was causing Nmap to exit after sending the Sqlping probe during service scan. The error message was "Unexpected error in NSE_TYPE_READ callback. Error code: 71 (Protocol error)". We suspect this was caused by a forged ICMP packet sent by an active firewall. [David]
>
> o [NSE] Improved smtp-commands.nse to work against more mail servers, made it take an smtp-commands.domain script argument, and rewrote it in the style of other smtp scripts. [Jason DePriest]
>
> o [NSE] Made smtp-commands run for the services smtp, smtps, submission rather than just smtp. The other smtp scripts already do this. [David]
>
> o [NSE] The dns-recursion script now marks the port as open when it gets a response. [Olivier M]
>
> o [Nping] A big correctness and code cleanliness audit was performed which resulted in many bugs being fixed and much more code being shared with Nmap rather than duplicated. A structured testing script system was also created. [Luis, David]
>
> o [Nping] Now allows a --count value of zero to run almost indefinitely (2^32 rounds). Suggested by Andreas Hubert. [Luis]
>
> o [Nping] Fixed --data argument parsing. The value passed was not actually making it into outgoing packets. Reported by Tim Poth. [Luis]
>
> o [Nping] When a RST packet is received in response to a connection attempt in TCP-Connect mode, Nping now properly prints "Connection refused" rather than "Operation now in progress". [Luis]
>
> o [Nping] Fixed a bug which caused failure when the first supplied target was not resolvable (e.g.: nping bogushost.fkz scanme.insecure.com tcpdump.com). [Luis]
>
> o [Nping] Fixed some bugs in the BPF filter creation to avoid capture and printing of packets Nping sent or which are destined for another process. [Luis]
>
> o [Nping] Fixed a bug which prevented ARP replies from being displayed properly. [Luis]
>
> o [Nping] Fixed a bug that caused ICMP Router Advertisement entries to be set in host byte order rather than proper network byte order. [Luis]
>
> o [Nping] Fixed a segfault caused by bad --data values. [Greg Skoczek]
>
> o The Mac OS X installer is now built with MacPorts 1.9.1 rather than 1.8.2. Among other changes, this fixes a segmentation fault reported by some OS X 10.6.3 users.
>
> o Nsock now supports an option to remove its Pcap support. This allows the same Nsock to be shared with Nmap (which needs that support) and Ncrack (which doesn't). Pcap support can be disabled by specifying --disable-pcap at configure time on UNIX, or by selecting the DebugNoPcap or ReleaseNoPcap configurations in Visual C++ on Windows.
>
> o Sped up compilation by not building both shared and static libdnet libraries--we only use the static one. [David]
>
> o [NSE] Improved error handling and reporting and re-designed communication class in RPC library with patch from Djalal Harouni. [Patrik]
>
> o Upgraded the included libpcap to version 1.1.1. [David]
>
> o [NSE] Add some special-use IPv4 addresses to isPrivate which are described in RFC 5736 and RFC 5737, published in Jan 2010. Improve performance of isPrivate for IPv4 addresses by using ip_in_range less frequently. Add an extra return value to isPrivate - when the first return value is true, the second return value will now be a string representing the special use assignment in which the supplied address is located. [jah]
>
> o Fix compilation on OpenSolaris. We had to make the libdnet autoconf check for PF_PACKET Linux-specific. Recent versions of OpenSolaris support PF_PACKET, but not in a way which is entirely compatible with the Linux approach. This problem was reported by Darren Reed. A few other minor compatibility changes were made as well. [David]
>
> o [NSE] Added script arguments "username" and "password" to ftp-bounce to override the default anonymous:IEUser@ login combination. [Kris]
>
> o [NSE] Added port number sorting to dns-service-discovery.nse. [Patrik]
>
> o [NSE] Added an snmpWalk() function to the SNMP library and updated scripts to use it. [Patrik]
>
> o [NSE] Fixed this dns.lua error reported by Eugene Alexeev:
>     nselib/dns.lua:110: attempt to get length of field 'dtype' (a number value)
>   [Jah]
>
> o Updated nmap-mac-prefixes to the latest IEEE data as of 2010-07-13.
>
> o Updated IANA IP address space assignment list for random IP (-iR) generation. [Kris]
>
> o Created a new directory for storing todo lists for Nmap and related projects. You can see what we're working on and planning by visiting http://nmap.org/svn/todo/.
>
> o [NSE] Removed explicit time limit checking from ms-sql-brute, pgsql-brute, mysql-brute, ldap-brute, and afp-brute. The unpwdb library does this automatically now. [David]
>
> o [NSE] Correct global access errors in afp.lua reported by Patrick Donnelly [Patrik]
>
> o [NSE] Correct misspelled "Capabilities.IgnoreSpaceBeforeParanthesis" name in the MySQL library. [Kris]
>
> o Cleaned up our Winpcap header file directory, and also updated to the latest files from the official developer pack (WpdPack_4_1_1.zip). [Fyodor]
>
> o [NSE] Fixed a bug which would prevent rpcinfo.nse from returning any results for RPC programs which could not be matched to a name. [Patrik]
>
> o [NSE] The ftp-anon script is now much smarter about parsing server responses and detecting successful (or not) logins. It now knows how to send the ACCT command where appropriate as well. [Rob Nicholls]
>
> o Normalized a bunch of version detection entries with "webserver" in the description. In most cases this was changed to "httpd".
>
> o [Ncat] Fixed the --crlf option not to insert an extra \r byte in the case that one system read ends with \r and the next begins with \n (should be rare). [David]
>
> o [NSE] Fixed bug in rpc.lua library that incorrectly required file handles to be 32 octets when calling the ReadDir function. The bug was reported by Djalal Harouni. [Patrik]
>
> Enjoy the new release, and I hope to see you at Defcon!
> -Fyodor
>
> _______________________________________________
> Sent through the nmap-hackers mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-hackers
> Archived at http://seclists.org/nmap-hackers/
>
> --
> Office: (480)307-8712
> AT&T: (503)754-4452
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
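The time-unit change and the stdnse.parse_timespec behaviour described in the forwarded announcement, as an added example that is not part of this thread or of Nmap's own code: a Python reimplementation of the documented parsing rules (ms/s/m/h suffixes, seconds by default, decimal values allowed) together with a version of the sanity check that rejects a unitless value that looks like an old millisecond default. The function names and the `suspicious_seconds` threshold are assumptions; the announcement only shows that `--host-timeout 10000` triggers the warning and that `10000s` does not.

```python
import re
from typing import Optional

# Multipliers to seconds for the units the announcement lists.  "ms" is
# handled by division below so that a value such as "500ms" is exactly 0.5.
_UNIT_FACTORS = {"s": 1.0, "m": 60.0, "h": 3600.0}

# A number with an optional decimal part, optionally followed by one unit.
_TIMESPEC_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)(ms|s|m|h)?\s*$")


def parse_timespec(spec: str) -> float:
    """Return the duration in seconds for a spec such as "10m", "1.5" or "500ms".

    Reimplementation (not Nmap's code) of the rules the announcement gives
    for stdnse.parse_timespec: seconds are assumed when no unit is present.
    """
    match = _TIMESPEC_RE.match(spec)
    if match is None:
        raise ValueError(f"bad time specification: {spec!r}")
    number, unit = float(match.group(1)), match.group(2) or "s"
    if unit == "ms":
        return number / 1000.0
    return number * _UNIT_FACTORS[unit]


def has_explicit_unit(spec: str) -> bool:
    """True when the spec carries one of the ms/s/m/h suffixes."""
    match = _TIMESPEC_RE.match(spec)
    return match is not None and match.group(2) is not None


def check_host_timeout(spec: str, suspicious_seconds: float = 10000.0) -> Optional[str]:
    """Return the warning text for a unitless value that looks like an old
    millisecond default, or None when the value is accepted.

    The threshold is an assumption: the announcement shows that a bare
    "10000" is rejected but does not say where the check begins.  An
    explicit unit always disables the warning, as the announcement states.
    """
    seconds = parse_timespec(spec)
    if has_explicit_unit(spec) or seconds < suspicious_seconds:
        return None
    return (
        "Since April 2010, the default unit for --host-timeout is seconds, "
        f'so your time of "{spec}" is {seconds / 3600:.1f} hours. '
        f'If this is what you want, use "{spec}s".'
    )


if __name__ == "__main__":
    # Constructed sample inputs covering each unit and the legacy case.
    for spec in ("10m", "1.5", "500ms", "2h", "30"):
        print(f"{spec:>6} -> {parse_timespec(spec)} s")
    for spec in ("30", "10000", "10000s"):
        print(f"--host-timeout {spec}: {check_host_timeout(spec) or 'accepted'}")
```

The same parser covers the qscan.delay migration the announcement mentions: a script argument that used to be given as a bare millisecond count keeps its old meaning once "ms" is appended, and without the suffix it is read as seconds.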