# Nmap Changelog ($Id: CHANGELOG 31564 2013-07-28 22:16:38Z fyodor $); -*-text-*-

Nmap 6.40 [2013-07-28]

o For logistical reasons, we had to do the 6.40 builds before we
  finished writing the change log.  Rather than include something
  incomplete here, we have removed it.  Please view it instead at
  http://nmap.org/changelog.html.  For just the changes in this
  release, search for the "Nmap 6.40" line and read down from there
  to the "Nmap 6.25" line.

Nmap 6.25 [2012-11-29]

o [NSE] Added CPE to smb-os-discovery output.

o [Ncat] Fixed the printing of warning messages for large arguments to
  the -i and -w options. [Michal Hlavinka]

o [Ncat] Shut down the write part of connected sockets in listen mode
  when stdin hits EOF, just as was already done in connect mode.
  [Michal Hlavinka]

o [Zenmap] Removed a crashing error that could happen when canceling a
  "Print to File" on Windows:
  Traceback (most recent call last):
    File "zenmapGUI\MainWindow.pyo", line 831, in _print_cb
    File "zenmapGUI\Print.pyo", line 156, in run_print_operation
  GError: Error from StartDoc
  This bug was reported by Imre Adácsi. [David Fifield]

o Added some new checks for failed library calls. [Bill Parker]

Nmap 6.20BETA1 [2012-11-16]

o Integrated all of your IPv4 OS fingerprint submissions since January
  (more than 3,000 of them).  Added 373 fingerprints, bringing the new
  total to 3,946.  Additions include Linux 3.6, Windows 8, Windows
  Server 2012, Mac OS X 10.8, and a ton of new WAPs, printers,
  routers, and other devices--including our first IP-enabled doorbell!
  Many existing fingerprints were improved. [David Fifield]

o Integrated all of your service/version detection fingerprints
  submitted since January (more than 1,500)!  Our signature
  count jumped by more than 400 to 8,645.  We now detect 897
  protocols, from extremely popular ones like http, ssh, smtp and imap
  to the more obscure airdroid, gopher-proxy, and
  enemyterritory. [David Fifield]

o Integrated your latest IPv6 OS submissions and corrections. We're
  still low on IPv6 fingerprints, so please scan any IPv6 systems you
  own or administer and submit them to http://nmap.org/submit/.  Both
  new fingerprints (if Nmap doesn't find a good match) and corrections
  (if Nmap guesses wrong) are useful.

o Enabled support for IPv6 traceroute using UDP, SCTP, and IPProto
  (Next Header) probes.  Previously, only TCP and ICMP were
  supported.  [David Fifield]

o Scripts can now return a structured name-value table so that results
  are query-able from XML output. Scripts can return a string as
  before, or a table, or a table and a string. In this last case, the
  table will go to XML output and the string will go to screen output.
  See http://nmap.org/book/nse-api.html#nse-structured-output [Daniel
  Miller, David Fifield, Patrick Donnelly]

o [Nsock] Added new poll and kqueue I/O engines for improved
  performance on Windows and BSD-based systems including Mac OS X.
  These are in addition to the epoll engine (used on Linux) and the
  classic select engine fallback for other systems.  [Henri Doreau]

o [Ncat] Added support for Unix domain sockets. The new -U and
  --unixsock options activate this mode.  These provide compatibility
  with Hobbit's original Netcat. [Tomas Hozza]

o Moved some Windows dependencies, including OpenSSL, libsvn, and the
  vcredist files, into a new public Subversion directory
  /nmap-mswin32-aux and moved it out of the source tarball. This
  reduces the compressed tarball size from 22 MB to 8 MB and similarly
  reduces the bandwidth and storage required for an svn checkout.
  Folks who build Nmap on Windows will need to check out
  /nmap-mswin32-aux along with /nmap as described at
  http://nmap.org/book/inst-windows.html#inst-win-source.

o Many of the great features in this release were created by college
  and grad students generously sponsored by Google's Summer of Code
  program.  Thanks, Google Open Source Department!  This year's team
  of five developers is introduced at
  http://seclists.org/nmap-dev/2012/q2/204 and their successes
  documented at http://seclists.org/nmap-dev/2012/q4/138

o [NSE] Replaced old RPC grinder (RPC enumeration, performed as part
  of version detection when a port seems to run a SunRPC service) with
  a faster and easier to maintain NSE-based implementation.  This also
  allowed us to remove the crufty old pos_scan scan engine. [Hani
  Benhabiles]

o Updated our Nmap Scripting Engine to use Lua 5.2 (and then 5.2.1)
  rather than 5.1. See http://seclists.org/nmap-dev/2012/q2/34 for
  details. [Patrick Donnelly]

o [NSE] Added 85(!) NSE scripts, bringing the total up to 433.  They
  are all listed at http://nmap.org/nsedoc/, and the summaries are
  below (authors are listed in brackets):

  + ajp-auth retrieves the authentication scheme and realm of an AJP
    service (Apache JServ Protocol) that requires authentication. The
    Apache JServ Protocol is commonly used by web servers to
    communicate with back-end Java application server
    containers. [Patrik Karlsson]

  + ajp-brute performs brute force password auditing against the
    Apache JServ protocol. [Patrik Karlsson]

  + ajp-headers performs a HEAD or GET request against either the root
    directory or any optional directory of an Apache JServ Protocol
    server and returns the server response headers. [Patrik Karlsson]

  + ajp-methods discovers which options are supported by the AJP
    (Apache JServ Protocol) server by sending an OPTIONS request and
    lists potentially risky methods. [Patrik Karlsson]

  + ajp-request requests a URI over the Apache JServ Protocol and
    displays the result (or stores it in a file). Different AJP
    methods such as GET, HEAD, TRACE, PUT, or DELETE may be
    used. [Patrik Karlsson]

  + bjnp-discover retrieves printer or scanner information from a
    remote device supporting the BJNP protocol. The protocol is known
    to be supported by network-based Canon devices. [Patrik Karlsson]

  + broadcast-ataoe-discover discovers servers supporting the ATA over
    Ethernet protocol. ATA over Ethernet is an Ethernet protocol
    developed by the Brantley Coile Company and allows for simple,
    high-performance access to SATA drives over Ethernet. [Patrik
    Karlsson]

  + broadcast-bjnp-discover attempts to discover Canon devices
    (Printers/Scanners) supporting the BJNP protocol by sending BJNP
    Discover requests to the network broadcast address for both ports
    associated with the protocol. [Patrik Karlsson]

  + broadcast-eigrp-discovery performs network discovery and routing
    information gathering through Cisco's EIGRP protocol. [Hani
    Benhabiles]

  + broadcast-igmp-discovery discovers targets that have IGMP
    Multicast memberships and grabs interesting information. [Hani
    Benhabiles]

  + broadcast-pim-discovery discovers routers that are running PIM
    (Protocol Independent Multicast). [Hani Benhabiles]

  + broadcast-tellstick-discover discovers Telldus Technologies
    TellStickNet devices on the LAN. The Telldus TellStick is used to
    wirelessly control electric devices such as lights, dimmers and
    electric outlets. [Patrik Karlsson]

  + cassandra-brute performs brute force password auditing against the
    Cassandra database. [Vlatko Kosturjak]

  + cassandra-info attempts to get basic info and server status from a
    Cassandra database. [Vlatko Kosturjak]

  + cups-info lists printers managed by the CUPS printing
    service. [Patrik Karlsson]

  + cups-queue-info lists currently queued print jobs of the remote
    CUPS service grouped by printer. [Patrik Karlsson]

  + dict-info connects to a dictionary server using the DICT protocol,
    runs the SHOW SERVER command, and displays the result. [Patrik
    Karlsson]

  + distcc-cve2004-2687 detects and exploits a remote code execution
    vulnerability in the distributed compiler daemon distcc. [Patrik
    Karlsson]

  + dns-check-zone checks DNS zone configuration against best
    practices, including RFC 1912.  The configuration checks are
    divided into categories which each have a number of different
    tests. [Patrik Karlsson]

  + dns-ip6-arpa-scan performs a quick reverse DNS lookup of an IPv6
    network using a technique which analyzes DNS server response codes
    to dramatically reduce the number of queries needed to enumerate
    large networks. [Patrik Karlsson]

  + dns-nsec3-enum tries to enumerate domain names from the DNS server
    that supports DNSSEC NSEC3 records. [Aleksandar Nikolic, John
    Bond]

  + eppc-enum-processes attempts to enumerate process info over the
    Apple Remote Event protocol.  When accessing an application over
    the Apple Remote Event protocol the service responds with the uid
    and pid of the application, if it is running, prior to requesting
    authentication. [Patrik Karlsson]

  + firewall-bypass detects a vulnerability in Netfilter and other
    firewalls that use helpers to dynamically open ports for protocols
    such as ftp and sip. [Hani Benhabiles]

  + flume-master-info retrieves information from Flume master HTTP
    pages. [John R. Bond]

  + gkrellm-info queries a GKRellM service for monitoring
    information. A single round of collection is made, showing a
    snapshot of information at the time of the request. [Patrik
    Karlsson]

  + gpsd-info retrieves GPS time, coordinates and speed from the GPSD
    network daemon. [Patrik Karlsson]

  + hostmap-robtex discovers hostnames that resolve to the target's IP
    address by querying the Robtex service at
    http://www.robtex.com/dns/. [Arturo Busleiman]

  + http-drupal-enum-users enumerates Drupal users by exploiting an
    information disclosure vulnerability in Views, Drupal's most
    popular module. [Hani Benhabiles]

  + http-drupal-modules enumerates the installed Drupal modules by
    using a list of known modules. [Hani Benhabiles]

  + http-exif-spider spiders a site's images looking for interesting
    exif data embedded in .jpg files. Displays the make and model of
    the camera, the date the photo was taken, and the embedded geotag
    information. [Ron Bowes]

  + http-form-fuzzer performs a simple form fuzzing against forms
    found on websites.  Tries strings and numbers of increasing length
    and attempts to determine if the fuzzing was successful. [Piotr
    Olma]

  + http-frontpage-login checks whether target machines are vulnerable
    to anonymous Frontpage login. [Aleksandar Nikolic]

  + http-git checks for a Git repository found in a website's document
    root (/.git/<something>) then retrieves as much repo
    information as possible, including language/framework, Github
    username, last commit message, and repository description. [Alex
    Weber]

  + http-gitweb-projects-enum retrieves a list of Git projects, owners
    and descriptions from a gitweb (web interface to the Git revision
    control system). [riemann]

  + http-huawei-hg5xx-vuln detects Huawei modems models HG530x,
    HG520x, HG510x (and possibly others...) vulnerable to a remote
    credential and information disclosure vulnerability. It also
    extracts the PPPoE credentials and other interesting configuration
    values. [Paulino Calderon]

  + http-icloud-findmyiphone retrieves the locations of all "Find my
    iPhone" enabled iOS devices by querying the MobileMe web service
    (authentication required). [Patrik Karlsson]

  + http-icloud-sendmsg sends a message to an iOS device through the
    Apple MobileMe web service. The device has to be registered with
    an Apple ID using the Find My iPhone application. [Patrik
    Karlsson]

  + http-phpself-xss crawls a web server and attempts to find PHP
    files vulnerable to reflected cross site scripting via the
    variable $_SERVER["PHP_SELF"].  [Paulino Calderon]

  + http-rfi-spider crawls webservers in search of RFI (remote file
    inclusion) vulnerabilities. It tests every form field it finds and
    every parameter of a URL containing a query. [Piotr Olma]

  + http-robtex-shared-ns finds up to 100 domain names which use the
    same name server as the target by querying the Robtex service at
    http://www.robtex.com/dns/. [Arturo Busleiman]

  + http-sitemap-generator spiders a web server and displays its
    directory structure along with number and types of files in each
    folder. Note that files listed as having an 'Other' extension are
    ones that have no extension or that are a root document. [Piotr
    Olma]

  + http-slowloris-check tests a web server for vulnerability to the
    Slowloris DoS attack without actually launching a DoS
    attack. [Aleksandar Nikolic]

  + http-slowloris tests a web server for vulnerability to the
    Slowloris DoS attack by launching a Slowloris attack. [Aleksandar
    Nikolic, Ange Gutek]

  + http-tplink-dir-traversal exploits a directory traversal
    vulnerability existing in several TP-Link wireless
    routers. Attackers may exploit this vulnerability to read any of
    the configuration and password files remotely and without
    authentication. [Paulino Calderon]

  + http-traceroute exploits the Max-Forwards HTTP header to detect
    the presence of reverse proxies. [Hani Benhabiles]

  + http-virustotal checks whether a file has been determined as
    malware by virustotal. Virustotal is a service that provides the
    capability to scan a file or check a checksum against a number of
    the major antivirus vendors. [Patrik Karlsson]

  + http-vlcstreamer-ls connects to a VLC Streamer helper service and
    lists directory contents. The VLC Streamer helper service is used
    by the iOS VLC Streamer application to enable streaming of
    multimedia content from the remote server to the device. [Patrik
    Karlsson]

  + http-vuln-cve2010-0738 tests whether a JBoss target is vulnerable
    to jmx console authentication bypass (CVE-2010-0738). [Hani
    Benhabiles]

  + http-waf-fingerprint tries to detect the presence of a web
    application firewall and its type and version. [Hani Benhabiles]

  + icap-info tests a list of known ICAP service names and prints
    information about any it detects. The Internet Content Adaptation
    Protocol (ICAP) is used to extend transparent proxy servers and is
    generally used for content filtering and antivirus
    scanning. [Patrik Karlsson]

  + ip-forwarding detects whether the remote device has ip forwarding
    or "Internet connection sharing" enabled, by sending an ICMP echo
    request to a given target using the scanned host as default
    gateway. [Patrik Karlsson]

  + ipv6-ra-flood generates a flood of Router Advertisements (RA) with
    random source MAC addresses and IPv6 prefixes. Computers that have
    stateless autoconfiguration enabled by default (every major OS)
    will compute an IPv6 suffix for each announced prefix and update
    their routing table to reflect the accepted announcement. This can
    drive CPU usage to 100% on Windows and other platforms, preventing
    them from processing other application requests. [Adam Stevko]

  + irc-sasl-brute performs brute force password auditing against IRC
    (Internet Relay Chat) servers supporting SASL
    authentication. [Piotr Olma]

  + isns-info lists portals and iSCSI nodes registered with the
    Internet Storage Name Service (iSNS). [Patrik Karlsson]

  + jdwp-exec attempts to exploit Java's remote debugging port. When
    the remote debugging port is left open, it is possible to inject
    Java bytecode and achieve remote code execution.  This script
    abuses this to inject and execute a Java class file that executes
    the supplied shell command and returns its output. [Aleksandar
    Nikolic]

  + jdwp-info attempts to exploit Java's remote debugging port.  When
    the remote debugging port is left open, it is possible to inject
    Java bytecode and achieve remote code execution.  This script
    injects and executes a Java class file that returns remote system
    information. [Aleksandar Nikolic]

  + jdwp-inject attempts to exploit Java's remote debugging port.
    When the remote debugging port is left open, it is possible to
    inject Java bytecode and achieve remote code execution.  This
    script allows injection of arbitrary class files. [Aleksandar
    Nikolic]

  + llmnr-resolve resolves a hostname by using the LLMNR (Link-Local
    Multicast Name Resolution) protocol. [Hani Benhabiles]

  + mcafee-epo-agent checks whether an ePO agent is running on port
    8081 or on the port identified as the ePO Agent port. [Didier
    Stevens and Daniel Miller]

  + metasploit-info gathers info from the Metasploit RPC service.  It
    requires a valid login pair. After authentication it tries to
    determine the Metasploit version and deduce the OS type.  Then it
    creates a new console and executes a few commands to get
    additional info. [Aleksandar Nikolic]

  + metasploit-msgrpc-brute performs brute force username and password
    auditing against Metasploit msgrpc interface. [Aleksandar Nikolic]

  + mmouse-brute performs brute force password auditing against the
    RPA Tech Mobile Mouse servers. [Patrik Karlsson]

  + mmouse-exec connects to an RPA Tech Mobile Mouse server, starts an
    application and sends a sequence of keys to it. Any application
    that the user has access to can be started and the key sequence is
    sent to the application after it has been started. [Patrik
    Karlsson]

  + mrinfo queries targets for multicast routing information. [Hani
    Benhabiles]

  + msrpc-enum queries an MSRPC endpoint mapper for a list of mapped
    services and displays the gathered information. [Aleksandar
    Nikolic]

  + ms-sql-dac queries the Microsoft SQL Browser service for the DAC
    (Dedicated Admin Connection) port of a given (or all) SQL Server
    instance. The DAC port is used to connect to the database instance
    when normal connection attempts fail, for example, when the server
    is hanging, out of memory or in other bad states. [Patrik Karlsson]

  + mtrace queries for the multicast path from a source to a
    destination host. [Hani Benhabiles]

  + mysql-dump-hashes dumps the password hashes from a MySQL server
    in a format suitable for cracking by tools such as John the
    Ripper.  Appropriate DB privileges (root) are required. [Patrik
    Karlsson]

  + mysql-query runs a query against a MySQL database and returns the
    results as a table. [Patrik Karlsson]

  + mysql-vuln-cve2012-2122 attempts to bypass authentication in MySQL
    and MariaDB servers by exploiting CVE-2012-2122. If the server is
    vulnerable, it will also attempt to dump the MySQL usernames and
    password hashes. [Paulino Calderon]

  + oracle-brute-stealth exploits the CVE-2012-3137 vulnerability, a
    weakness in Oracle's O5LOGIN authentication scheme.  The
    vulnerability exists in Oracle 11g R1/R2 and allows linking the
    session key to a password hash. [Dhiru Kholia]

  + pcanywhere-brute performs brute force password auditing against
    the pcAnywhere remote access protocol. [Aleksandar Nikolic]

  + rdp-enum-encryption determines which security layers and
    encryption levels are supported by the RDP service. It does so by
    cycling through all existing protocols and ciphers. [Patrik
    Karlsson]

  + rmi-vuln-classloader tests whether Java rmiregistry allows class
    loading.  The default configuration of rmiregistry allows loading
    classes from remote URLs, which can lead to remote code
    execution. The vendor (Oracle/Sun) classifies this as a design
    feature. [Aleksandar Nikolic]

  + rpc-grind fingerprints the target RPC port to extract the target
    service, RPC number and version. [Hani Benhabiles]

  + sip-call-spoof spoofs a call to a SIP phone and detects the action
    taken by the target (busy, declined, hung up, etc.) [Hani
    Benhabiles]

  + sip-methods enumerates a SIP Server's allowed methods (INVITE,
    OPTIONS, SUBSCRIBE, etc.) [Hani Benhabiles]

  + smb-ls attempts to retrieve useful information about files shared
    on SMB volumes.  The output is intended to resemble the output of
    the UNIX ls command. [Patrik Karlsson]

  + smb-print-text attempts to print text on a shared printer by
    calling Print Spooler Service RPC functions. [Aleksandar Nikolic]

  + smb-vuln-ms10-054 tests whether target machines are vulnerable to
    the ms10-054 SMB remote memory corruption
    vulnerability. [Aleksandar Nikolic]

  + smb-vuln-ms10-061 tests whether target machines are vulnerable to
    ms10-061 Printer Spooler impersonation vulnerability. [Aleksandar
    Nikolic]

  + snmp-hh3c-logins attempts to enumerate Huawei / HP/H3C Locally
    Defined Users through the hh3c-user.mib OID [Kurt Grutzmacher]

  + ssl-date retrieves a target host's time and date from its TLS
    ServerHello response. [Aleksandar Nikolic]

  + tls-nextprotoneg enumerates a TLS server's supported protocols by
    using the next protocol negotiation extension. [Hani Benhabiles]

  + traceroute-geolocation lists the geographic locations of each hop
    in a traceroute and optionally saves the results to a KML file,
    plottable on Google earth and maps. [Patrik Karlsson]

o [NSE] Added 12 new protocol libraries, bringing our total to 105!  Here
  they are, with authors enclosed in brackets:
  + ajp (Apache JServ Protocol) [Patrik Karlsson]
  + base32 (Base32 encoding/decoding - RFC 4648) [Philip Pickering]
  + bjnp (Canon BJNP printer/scanner discovery protocol) [Patrik Karlsson]
  + cassandra (Cassandra database protocol) [Vlatko Kosturjak]
  + eigrp (Cisco Enhanced Interior Gateway Routing Protocol) [Hani Benhabiles]
  + gps (Global Positioning System - does GPRMC NMEA decoding) [Patrik Karlsson]
  + ipp (CUPS Internet Printing Protocol) [Patrik Karlsson]
  + isns (Internet Storage Name Service) [Patrik Karlsson]
  + jdwp (Java Debug Wire Protocol) [Aleksandar Nikolic]
  + mobileme (a service for managing Apple/Mac devices) [Patrik Karlsson]
  + ospf (Open Shortest Path First routing protocol) [Patrik Karlsson]
  + rdp (Remote Desktop Protocol) [Patrik Karlsson]

o Added Common Platform Enumeration (CPE) identifiers to nearly 1,000
  more OS detection signatures.  Nmap 6.01 had them for 2,608 of 3,572
  fingerprints (73%) and now we have them for 3,558 out of 3,946
  (90%). [David Fifield]

o Scans that use OS sockets (including TCP connect scan, version
  detection, and script scan) now use the SO_BINDTODEVICE sockopt on
  Linux, so that the -e (select network device) option is
  honored. [David Fifield]

o [Zenmap] Host filters can now do negative matching, for example you
  can use "os:!linux" to match hosts NOT detected as Linux. [Daniel
  Miller]

o Fixed a bug that caused an incorrect source address to be set when
  scanning certain addresses (apparently those ending in .0) on
  Windows XP. The symptom of this bug was the messages
    get_srcaddr: can't connect socket: The requested address is not valid in its context.
    Failed to convert source address to presentation format!?!  Error: Unknown error
  Thanks to Robert Washam and Jorge Hernandez for reports and help
  debugging. [David Fifield]

o Upgraded the included OpenSSL to version 1.0.1c. [David Fifield]

o [NSE] Added changes to brute and unpwdb libraries to allow more
  flexible iterator specification and control. [Aleksandar Nikolic]

o Tested that our WinPcap installer works on Windows 8 and Windows
  Server 2012 build 8400.  Updated the installer text to recommend that
  users select the option to start 'NPF' at startup. [Rob Nicholls]

o Changed libdnet's routing interface to return an interface name for
  each route on the most common operating systems. This is used to
  improve the quality of Nmap's matching of routes to interfaces,
  which was previously done by matching routes to interface addresses.
  [Djalal Harouni, David Fifield]

o Fixed a bug that prevented Nmap from finding any interfaces when one
  of them had the type ARPHRD_INFINIBAND; this was the case for
  IP-over-InfiniBand interfaces. However, this support is not complete
  since IPoIB interfaces use 20 bytes for the hardware address, and
  currently we only report and handle 6 bytes.
  Nmap IP-level scans should work without any problem; see the
  --send-ip switch and the following thread:
  http://seclists.org/nmap-dev/2012/q3/642
  This bug was reported by starlight.2012q3. [Djalal Harouni]

o Fixed a bug that prevented Nmap from finding any interfaces when one
  of them had the type ARPHRD_IEEE80211; this was the case for wireless
  interfaces operating in access point mode. This bug was reported by
  Sebastiaan Vileijn. [Djalal Harouni]

o Updated the Zenmap desktop icons on Windows, Linux, and Mac with higher
  resolution ones. [Sean Rivera, David Fifield]

o [NSE] Script results for a host or service are now sorted
  alphabetically by script name. [Sean Rivera]

o Fixed a bug that prevented Nmap from finding any interfaces when any
  interface had the type ARPHRD_VOID; this was the case for OpenVZ
  venet interfaces. [Djalal Harouni, David Fifield]

o Linux unreachable routes are now properly ignored. [David Fifield]

o Added Dan Miller as an Nmap committer.  He has done a ton of great
  work on Nmap, as you can see by searching for him in this CHANGELOG
  or reading the Nmap committers list at
  https://svn.nmap.org/nmap/docs/committers.txt.

o Added a new --disable-arp-ping option. This option prevents Nmap
  from implicitly using ARP or ND host discovery for discovering
  directly connected Ethernet targets. This is useful in networks
  using proxy ARP, which make all addresses appear to be up using ARP
  scan. The previously recommended workaround for this situation,
  --send-ip, didn't work on Windows because that lame excuse for an
  operating system is still missing raw socket support.  [David
  Fifield (editorializing added by Fyodor)]

o Protocol scan (-sO) probes for TCP, UDP, and SCTP now go to ports
  80, 40125, and 80 respectively, instead of being randomly generated
  or going to the same port as the source port. [David Fifield]

o The Nmap --log-errors functionality (including errors and warnings
  in the normal-format output file) is now always true, whether you
  pass that option or not. [Sean Rivera]

o [NSE] Rewrote ftp-brute script to use the brute library for
  performing password auditing. [Aleksandar Nikolic]

o Reduced the size of Port structures by about two thirds (from 176 to
  64 bytes on x86_64). They had accidentally grown during the IPv6
  code merge. [David Fifield]

o Made source port numbers (used to encode probe metadata) increment
  so as not to overlap between different scanning phases. Previously
  it was possible for an RST response to an ACK probe from host
  discovery to be misinterpreted as a reply to a SYN probe from port
  scanning. [Sean Rivera, David Fifield]

o [NSE] Added support for ECDSA keys to ssh-hostkey.nse. [Adam Števko]

o Changed the CPE for Linux from cpe:/o:linux:kernel to
  cpe:/o:linux:linux_kernel to reflect deprecation in the official CPE
  dictionary.

o Added some additional CPE entries to nmap-service-probes.
  [Dillon Graham]

o Fixed an assertion failure with IPv6 traceroute trying to use an
  unsupported protocol:
    nmap: traceroute.cc:749: virtual unsigned char*
    UDPProbe::build_packet(const sockaddr_storage*, u32*) const: Assertion
    `source->ss_family == 2' failed.
  This was reported by Pierre Emeriaud. [David Fifield]

o Added version detection signatures for half a dozen new or changed
  products. [Tom Sellers]

o Fixed protocol number-to-name mapping. A patch was contributed by
  hejianet.

o [NSE] The nmap.ip_send function now takes a second argument, the
  destination to send to. Previously the destination address was taken
  from the packet buffer, but this failed for IPv6 link-local
  addresses, because the scope ID is not part of the packet. Calling
  ip_send without a destination address will continue to use the old
  behavior, but this practice is deprecated.

o Increased portability of configure scripts on systems using a libc
  other than Glibc. Several problems were reported by John Spencer.

o [NSE] Fixed a bug in rpc-grind.nse that would cause unresponsive UDP
  ports to be wrongly marked open. This was reported by Christopher
  Clements. [David Fifield]

o [Ncat] Close connection endpoint when receiving EOF on
  stdin. [Michal Hlavinka]

o Fixed interface listing on NetBSD. The bug was first noticed by
  Fredrik Pettai and diagnosed by Jan Schaumann. [David Fifield]

o [Ncat] Applied a blocking-socket workaround for a bug that could
  prevent some sends from working in listen mode. The problem was
  reported by Jonas Wielicki. [Alex Weber, David Fifield]

o [NSE] Updated mssql.lua library to support additional data types,
  enhanced some of the existing data types, added the DoneProc
  response token, and reordered code for maintainability. [Tom
  Sellers]

o [Nping] Nping now prints out an error and exits when the user tries to use
  the -p flag for a scan option where that is meaningless. [Sean Rivera]

o [NSE] Added spoolss functions and constants to msrpc.lua. [Aleksandar Nikolic]

o [NSE] Reduced the number of names tried by http-vhosts by default.
  [Vlatko Kosturjak]

o [Zenmap] Fixed a crash when using the en_NG locale: "ValueError:
  unknown locale: en_NG" [David Fifield]

o [NSE] Fixed some bugs in snmp-interfaces which prevented the script from
  outputting discovered interface info and caused it to abort in the
  pre-scanning phase. [jah]

o [NSE] The lltd-discovery script now parses for hostnames and outputs the
  network card manufacturer. [Hani Benhabiles]

o Added protocol specific payloads for IPv6 hop-by-hop (0x00), routing (0x2b),
  fragment (0x2c), and destination (0x3c). [Sean Rivera] 

o [NSE] Added support for decoding OSPF Hello packets to broadcast-listener.
  [Hani Benhabiles]

o [NSE] Fixed a false positive in http-vuln-cve2011-3192.nse, which detected
  Apache 2.2.22 as vulnerable. [Michael Meyer]

o [NSE] Modified multiple scripts that operated against HTTP based services
  so as to remove false positives that were generated when the target service 
  answers with a 200 response to all requests. [Tom Sellers]

o [NSOCK] Fixed an epoll-engine-specific bug. The engine didn't recognize FDs
  that were internally closed and replaced by other ones. This happened during
  reconnect attempts. Also, the IOD flags were not properly cleared.
  [Henri Doreau, Daniel Miller]

o Added support for log type bitmasks in log_vwrite(). Also replaced a fatal()
  statement by an assert(0) to get rid of a possible infinite call loop when
  passed an invalid log type. [Henri Doreau]

o Added handling for the unexpected error WSAENETRESET (10052). This handling
  is currently wrapped in the ifdef for WIN32, as the error appears to be
  unique to Windows. [Sean Rivera]

o [NSE] Added default values for Expires, Call-ID, Allow and Content-Length
  headers in SIP requests and removed redundant code in sip library.
  [Hani Benhabiles]

o [NSE] Calling methods of unconnected sockets now causes the usual
  error code return value, instead of raising a Lua error. The problem
  was noticed by Daniel Miller. [David Fifield]

o [NSE] Added AUTH_UNIX support to the rpc library and NFS scripts.
  [Daniel Miller]

o [Zenmap] Fixed a crash in the profile editor that would happen when
  the nmap binary couldn't be found. [David Fifield]

o Made the various Makefiles' treatment of makefile.dep uniform:
  "make clean" keeps the file and "make distclean" deletes it.
  [Michael McTernan]

o [NSE] Fixed dozens of scripts and libraries to work better on
  systems that don't have OpenSSL available. [Patrik Karlsson]

o [Ncat] --output logging now works in UDP mode. Thanks to Michal
  Hlavinka for reporting the bug. [David Fifield]

o [NSE] More Windows 7 and Windows 2008 fixes for the smb library and smb-ls
  scripts. [Patrik Karlsson]

o [NSE] Added SPNEGO authentication supporting Windows 7 and Windows 2008 to
  the smb library. [Patrik Karlsson]

o [NSE] Changed http-brute so that it works against the root path
  ("/") by default rather than always requiring the http-brute.path
  script argument. [Fyodor]

o [NSE] Applied patch from Daniel Miller that fixes bugs in several scripts and
  libraries: http://seclists.org/nmap-dev/2012/q2/593 [Daniel Miller]

o [Zenmap] Added Italian translation by Francesco Tombolini and
  Japanese translation by Yujiy Tounai.  Some typos in the Japanese
  translation were corrected by OKANO Takayoshi.

o [NSE] Rewrote mysql-brute to use brute library [Aleksandar Nikolic]

o Improved the mysql library to handle multiple columns with the same name,
  added a formatResultset function to format a query response to a table
  suitable for script output. [Patrik Karlsson]

o The message "nexthost: failed to determine route to ..." is now a
  warning rather than a fatal error. Addresses that are skipped in
  this way are recorded in the XML output as "target" elements. [David
  Fifield]

o [NSE] targets-sniffer is now capable of sniffing IPv6 addresses.
  [Daniel Miller]

o [NSE] Ported the pop3-brute script to use the brute library.
  [Piotr Olma]

o [NSE] Added an error message indicating script failure when Nmap is being
  run in non-verbose/debug mode. [Patrik Karlsson]

o Service-scan information is now included in XML and grepable output
  even if -sV wasn't used. This information can be set by scripts in the
  absence of -sV. [Daniel Miller]

Nmap 6.01 [2012-06-16]

o [Zenmap] Fixed a hang that would occur on Mac OS X 10.7. A symptom
  of the hang was this message in the system console:
  "Couldn't recognize the image file format for file
  '/Applications/Zenmap.app/Contents/MacOS/../Resources/share/zenmap/pixmaps/radialnet/padlock.png'".
  [David Fifield]

o [Zenmap] Fixed a crash that happened when activating the host filter.
      File "zenmapCore\SearchResult.pyo", line 155, in match_os
    KeyError: 'osmatches'
  [jah]

o Fixed an error that occurred when scanning certain addresses like
  192.168.0.0 on Windows XP:
    get_srcaddr: can't connect socket: The requested address is not valid in its context.
    nexthost: failed to determine route to 10.80.0.0
  [David Fifield]

o Fixed a bug that caused Nmap to fail to find any network interface when
  at least one of them is in monitor mode. The fix was to define the
  ARP_HRD_IEEE80211_RADIOTAP 802.11 radiotap header identifier in the
  libdnet-stripped code. Network interfaces that are in this mode are used
  by radiotap for 802.11 frame injection and reception. The bug was
  reported by Tom Eichstaedt and Henri Doreau.
  http://seclists.org/nmap-dev/2012/q2/449
  http://seclists.org/nmap-dev/2012/q2/478
  [Djalal Harouni, Henri Doreau]

o Fixed the greppable output of hosts that time out (when --host-timeout was
  used and the host timed out after something was received from that host).
  This issue was reported by Matthew Morgan. [jah]

o [Zenmap] Updated the version of Python used to build the Windows
  release from 2.7.1 to 2.7.3 to remove a false-positive security
  alarm flagged by tools such as Secunia PSI. There was a minor
  vulnerability in certain Python27.dll web functionality (which Nmap
  doesn't use anyway) and Secunia was flagging all software which
  includes that version of Python27.dll. This update should prevent
  the false alarm.

Nmap 6.00 [2012-05-21]

o Most important release since Nmap 5.00 in July 2009! For a list of
  the most significant improvements and new features, see the
  announcement at: http://nmap.org/6

o In XML output, "osclass" elements are now child elements of the
  "osmatch" they belong to. Old output was thus (we're using square
  brackets instead of angle brackets in this CHANGELOG entry to avoid
  html escaping problems):
    [os][osclass/][osclass/]...[osmatch/][osmatch/]...[/os]
  New output is:
    [os][osmatch][osclass/][osclass/]...[/osmatch]...[/os]
  The option --deprecated-xml-osclass restores the old output, in case
  you use an Nmap XML parser that doesn't understand the new
  structure. The xmloutputversion has been increased to 1.04.

o Added a new "target" element to XML output that indicates when a
  target specification was ignored, perhaps because of a syntax error
  or DNS failure. It looks like this (except with angle brackets
  rather than square):
    [target specification="1.2.3.4.5" status="skipped" reason="invalid"/]
  [David Fifield]
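  An added example (not part of the Nmap project or this changelog) of a
  parser that copes with both the old and the 1.04 osclass nesting described
  above, and that also collects the new skipped "target" elements. The sample
  XML is constructed; the osclass attributes (type, vendor, osfamily, osgen)
  and the placement of "target" directly under nmaprun are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of pre-1.04 output (what --deprecated-xml-osclass still
# emits): osclass elements sit beside osmatch directly under <os>.
OLD_XML = """<nmaprun xmloutputversion="1.03">
<target specification="1.2.3.4.5" status="skipped" reason="invalid"/>
<host><os>
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="98"/>
<osmatch name="Linux 3.2" accuracy="98"/>
</os></host>
</nmaprun>"""

# Constructed sample of 1.04 output: each osclass is nested in its osmatch.
NEW_XML = """<nmaprun xmloutputversion="1.04">
<host><os>
<osmatch name="Linux 3.2" accuracy="98">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="98"/>
</osmatch>
<osmatch name="Linux 2.6.32" accuracy="95">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="95"/>
</osmatch>
</os></host>
</nmaprun>"""


def parse_os_matches(xml_text):
    """Return {"matches": [...], "unattributed": [...]} for every <os> block.

    With xmloutputversion >= 1.04 each osclass is a child of its osmatch, so
    the association is exact. In older output the osclass elements are
    siblings under <os> and cannot be tied to one osmatch; they are returned
    under "unattributed" instead of being silently dropped.
    """
    root = ET.fromstring(xml_text)
    version = tuple(int(x) for x in root.get("xmloutputversion", "0.0").split("."))
    result = {"matches": [], "unattributed": []}
    for os_el in root.iter("os"):
        for m in os_el.findall("osmatch"):
            result["matches"].append({
                "name": m.get("name"),
                "accuracy": int(m.get("accuracy", 0)),
                "osclasses": [c.attrib.copy() for c in m.findall("osclass")],
            })
        if version < (1, 4):  # old layout: osclass siblings under <os>
            result["unattributed"].extend(c.attrib.copy() for c in os_el.findall("osclass"))
    return result


def skipped_targets(xml_text):
    """Return (specification, reason) for each target Nmap reported as skipped."""
    root = ET.fromstring(xml_text)
    return [(t.get("specification"), t.get("reason"))
            for t in root.iter("target") if t.get("status") == "skipped"]
```

  Checking "unattributed" is the cheap way to notice that a scan was run
  with --deprecated-xml-osclass (or an old Nmap) before trusting per-match
  class data.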

o [NSE] Added the script samba-vuln-cve-2012-1182 which detects the
  SAMBA pre-auth remote root vulnerability (CVE-2012-1182).
  [Aleksandar Nikolic]

o [NSE] Added http-vuln-cve2012-1823.nse, which checks for PHP CGI
  installations with a remote code execution vulnerability. [Paulino
  Calderon]

o [NSE] Added script targets-ipv6-mld that sends a malformed ICMP6 MLD Query
  to discover IPv6 enabled hosts on the LAN. [Niteesh Kumar]

o [NSE] Added rdp-vuln-ms12-020.nse by Aleksandar Nikolic. This tests
  for two Remote Desktop vulnerabilities, including one allowing
  remote code execution, that were fixed in the MS12-020 advisory.

o [NSE] Added a stun library and the scripts stun-version and stun-info, which
  extract version information and the external NATed address.
  [Patrik Karlsson]

o [NSE] Added the script duplicates which attempts to determine duplicate
  hosts by analyzing information collected by other scripts. [Patrik Karlsson]

o Fixed the routing table loop on OS X so that on-link routes appear.
  Previously, they were ignored so that things like ARP scan didn't
  work. [Patrik Karlsson, David Fifield]

o Upgraded included libpcap to version 1.2.1.

o [NSE] Added ciphers from RFC 5932 and Fortezza-based ciphers to
  ssl-enum-ciphers.nse. The patch was submitted by Darren McDonald.

o [NSE] Renamed hostmap.nse to hostmap-bfk.nse.

o Fixed a compilation problem on Solaris 9 caused by a missing
  definition of IPV6_V6ONLY. Reported by Dagobert Michelsen.

o Setting --min-parallelism by itself no longer forces the maximum
  parallelism to the same value. [Chris Woodbury, David Fifield]

o Changed XML output to show the "service" element whenever a tunnel
  is discovered for a port, even if the service behind it was unknown.
  [Matt Foster]

o [Zenmap] Fixed a crash that would happen in the profile editor when
  the script.db file doesn't exist. The bug was reported by Daniel
  Miller.

o [Zenmap] It is now possible to compare scans having the same name or
  command line parameters. [Jah, David Fifield]

o Fixed an error that could occur with ICMPv6 probes and -d4 debugging:
  "Unexpected probespec2ascii type encountered" [David Fifield]

o [NSE] Added new script http-chrono, which measures min, max and average
  response times of web servers. [Ange Gutek]

o Applied a workaround to make pcap captures work better on Solaris
  10. This involves peeking at the pcap buffer to ensure that captures
  are not being lost. A symptom of the previous behavior was that,
  when doing ARP host discovery against two targets, only one would be
  reported as up. [David Fifield]

o Fixed a bug that could cause Nsock timers to fire too early. This
  could happen for the timed probes in IPv6 OS detection, causing an
  incorrect measurement of the TCP_ISR feature. [David Fifield]

o [Zenmap] We now build on Windows with a newer version of PyGTK, so
  copy and paste should work again.

o Changed the way timeout calculations are made in the IPv6 OS engine.
  In rare cases a certain interleaving of probes and responses would
  result in an assertion failure.

Nmap 5.61TEST5 [2012-03-09]

o Integrated all of your IPv4 OS fingerprint submissions since June
  2011 (about 1,900 of them).  Added about 256 new fingerprints (and
  deleted some bogus ones), bringing the new total to 3,572.
  Additions include Apple iOS 5.01, OpenBSD 4.9 and 5.0, FreeBSD 7.0
  through 9.0-PRERELEASE, and a ton of new WAPs, routers, and other
  devices. Many existing fingerprints were improved. For more details,
  see http://seclists.org/nmap-dev/2012/q1/431 [David Fifield]

o Integrated all of your service/version detection fingerprints
  submitted since November 2010--more than 2,500 of them!  Our
  signature count increased more than 10% to 7,423 covering 862
  protocols. Some amusing and bizarre new services are described at
  http://seclists.org/nmap-dev/2012/q1/359 [David Fifield]

o Integrated your latest IPv6 OS submissions and corrections. We're
  still low on IPv6 fingerprints, so please scan any IPv6 systems you
  own or administer and submit them to http://nmap.org/submit/.  Both
  new fingerprints (if Nmap doesn't find a good match) and corrections
  (if Nmap guesses wrong) are useful.

o [NSE] Added a host-based registry which only persists (for the given
  host) until all scripts have finished scanning that host. The normal
  registry saves information until it is deleted or the Nmap scan
  ends. That is a waste of memory for information which doesn't need
  to persist that long. Use the host based registry instead if you
  can. See http://nmap.org/book/nse-api.html#nse-api-registry. [Patrik
  Karlsson]

o IPv6 OS detection now includes a novelty detection system which
  avoids printing a match when an observed fingerprint is too
  different from fingerprints seen before. As the OS database is still
  small, this helps to avoid making (essentially) wild guesses when
  seeing a new operating system. [David Fifield]

o Refactored the nsock library to add the nsock-engines system. This
  allows system-specific scalable IO notification facilities to be
  used while maintaining the portable Nsock API. This initial version
  comes with an epoll-based engine for Linux and a select-based
  fallback engine for all other operating systems. Also added the
  --nsock-engine option to Nmap, Nping and Ncat to enforce use of a
  specific Nsock IO engine. [Henri Doreau]

o [NSE] Added 43(!) NSE scripts, bringing the total up to 340.  They
  are all listed at http://nmap.org/nsedoc/, and the summaries are
  below (authors are listed in brackets):

  + acarsd-info retrieves information from a listening acarsd
    daemon. Acarsd decodes ACARS (Aircraft Communication Addressing
    and Reporting System) data in real time. [Brendan Coles]

  + asn-to-prefix produces a list of IP prefixes for a given AS number
    (ASN). It uses the external Shadowserver API (with their
    permission). [John Bond]

  + broadcast-dhcp6-discover sends a DHCPv6 request (Solicit) to the
    DHCPv6 multicast address, parses the response, then extracts and
    prints the address along with any options returned by the
    server. [Patrik Karlsson]

  + broadcast-networker-discover discovers the EMC Networker backup
    software server on a LAN by using network broadcasts. [Patrik Karlsson]

  + broadcast-pppoe-discover discovers PPPoE servers using the PPPoE
    Discovery protocol (PPPoED). [Patrik Karlsson]

  + broadcast-ripng-discover discovers hosts and routing information
    from devices running RIPng on the LAN by sending a RIPng Request
    command and collecting the responses from all responsive
    devices. [Patrik Karlsson]

  + broadcast-versant-locate discovers Versant object databases using
    the srvloc protocol. [Patrik Karlsson]

  + broadcast-xdmcp-discover discovers servers running the X Display
    Manager Control Protocol (XDMCP) by sending a XDMCP broadcast
    request to the LAN. [Patrik Karlsson]

  + cccam-version detects the CCcam service (software for sharing
    subscription TV among multiple receivers). [David Fifield]

  + dns-client-subnet-scan performs a domain lookup using the
    edns-client-subnet option that adds support for adding subnet
    information to the query describing where the query is
    originating. The script uses this option to supply a number of
    geographically distributed locations in an attempt to enumerate as
    many different address records as possible. [John Bond]

  + dns-nsid retrieves information from a DNS nameserver by requesting
    its nameserver ID (nsid) and asking for its id.server and
    version.bind values. [John Bond]

  + dns-srv-enum enumerates various common service (SRV) records for a
    given domain name.  The service records contain the hostname, port
    and priority of servers for a given service. [Patrik Karlsson]

  + eap-info enumerates the authentication methods offered by an EAP
    authenticator for a given identity or for the anonymous identity
    if no argument is passed. [Riccardo Cecolin]

  + http-auth-finder spiders a web site to find web pages requiring
    form-based or HTTP-based authentication. [Patrik Karlsson]

  + http-config-backup checks for backups and swap files of common
    content management system and web server configuration
    files. [Riccardo Cecolin]

  + http-generator displays the contents of the "generator" meta tag
    of a web page (default: /) if there is one. [Michael Kohl]

  + http-proxy-brute performs brute force password guessing against a
    HTTP proxy server. [Patrik Karlsson]

  + http-qnap-nas-info attempts to retrieve the model, firmware
    version, and enabled services from a QNAP Network Attached Storage
    (NAS) device. [Brendan Coles]

  + http-vuln-cve2009-3960 exploits cve-2009-3960 also known as Adobe
    XML External Entity Injection. [Hani Benhabiles]
[--snip--]
