LinuxReviws.org --get your your Linux knowledge
> Linux Reviews > News and headlines > 2012 News archive >

Nmap 5.61TEST5 with scripting fun

Huge amounts of testing scripts are being added to Nmap, many are very useful for checking if you (or your adversary) are using weak passwords.

Full official security-guru Fyodor story, as leaked on the nmap-hax0rs mailing list, is:


Hi folks! We've been working hard for the last 2 months since 5.61TEST4, and I'm pleased to announce the results: Nmap 5.61TEST5. This release has 43 new scripts, including new brute forcers for http proxies, SOCKS proxies, Asterisk IAX2, Membase, MongoDB, Nessus XMLRPC, Redis, the WinPcap remote capture daemon, the VMWare auth daemon, and old-school rsync. Better check that your passwords are strong! Some other fun scripts are nat-pmp-mapport, asn-to-prefix, url-snarf, and http-auth-finder. See the changelog entries below for a full list with descriptions.

For this release, we also incorporated thousands of your OS detection and service detection submissions, dramatically improving the databases. Our IPv6 OS detection system became smarter as well. And we've incorporated a new "nsock engines" system which improves performance by using advanced I/O APIs (such as epoll on Linux) rather than always using select.

You can download 5.61TEST5 source code and binaries for Linux, Windows, and Mac OS X at the normal place:

http://nmap.org/download.html

Please give this some good testing, as we're hoping to use it as the base for a new stable version of Nmap! That will be the first stable version since 5.51 more than a year ago. If you encounter any problems, please report them to nmap-dev as described at:

http://nmap.org/book/man-bugs.html

Here are the most significant changes since 5.61TEST4:

  • Integrated all of your IPv4 OS fingerprint submissions since June 2011 (about 1,900 of them). Added about 256 new fingerprints (and deleted some bogus ones), bringing the new total to 3,572. Additions include Apple iOS 5.01, OpenBSD 4.9 and 5.0, FreeBSD 7.0 through 9.0-PRERELEASE, and a ton of new WAPs, routers, and other devices. Many existing fingerprints were improved. For more details, see http://seclists.org/nmap-dev/2012/q1/431 David
  • Integrated all of your service/version detection fingerprints submitted since November 2010--more than 2,500 of them! Our signature count increased more than 10% to 7,423 covering 862 protocols. Some amusing and bizarre new services are described at http://seclists.org/nmap-dev/2012/q1/359 David
  • Integrated your latest IPv6 OS submissions and corrections. We're still low on IPv6 fingerprints, so please scan any IPv6 systems you own or administer and submit them to http://nmap.org/submit/. Both new fingerprints (if Nmap doesn't find a good match) and corrections (if Nmap guesses wrong) are useful.
  • [NSE] Added a host-based registry which only persists (for the given host) until all scripts have finished scanning that host. The normal registry saves information until it is deleted or the Nmap scan ends. That is a waste of memory for information which doesn't need to persist that long. Use the host based registry instead if you can. See http://nmap.org/book/nse-api.html#nse-api-registry. Patrik
  • IPv6 OS detection now includes a novelty detection system which avoids printing a match when an observed fingerprint is too different from fingerprints seen before. As the OS database is still small, this helps to avoid making (essentially) wild guesses when seeing a new operating system. David
  • Refactored the nsock library to add the nsock-engines system. This allows system-specific scalable IO notification facilities to be used while maintaining the portable Nsock API. This initial version comes with an epoll-based engine for Linux and a select-based fallback engine for all other operating systems. Also added the --nsock-engine option to Nmap, Nping and Ncat to enforce use of a specific Nsock IO engine. Henri - [NSE] Added 43(!) NSE scripts, bringing the total up to 340. They are all listed at http://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
    • acarsd-info retrieves information from a listening acarsd daemon. Acarsd decodes ACARS (Aircraft Communication Addressing and Reporting System) data in real time. Brendan
    • asn-to-prefix produces a list of IP prefixes for a given AS number (ASN). It uses the external Shadowserver API (with their permission). John
    • broadcast-dhcp6-discover sends a DHCPv6 request (Solicit) to the DHCPv6 multicast address, parses the response, then extracts and prints the address along with any options returned by the server. Patrik
    • broadcast-networker-discover discovers the EMC Networker backup software server on a LAN by using network broadcasts. Patrik
    • broadcast-pppoe-discover discovers PPPoE servers using the PPPoE Discovery protocol (PPPoED). Patrik
    • broadcast-ripng-discover discovers hosts and routing information from devices running RIPng on the LAN by sending a RIPng Request command and collecting the responses from all responsive devices. Patrik
    • broadcast-versant-locate discovers Versant object databases using the srvloc protocol. Patrik
    • broadcast-xdmcp-discover discovers servers running the X Display Manager Control Protocol (XDMCP) by sending a XDMCP broadcast request to the LAN. Patrik
    • cccam-version detects the CCcam service (software for sharing subscription TV among multiple receivers). David
    • dns-client-subnet-scan performs a domain lookup using the edns-client-subnet option that adds support for adding subnet information to the query describing where the query is originating. The script uses this option to supply a number of geographically distributed locations in an attempt to enumerate as many different address records as possible. John
    • dns-nsid retrieves information from a DNS nameserver by requesting its nameserver ID (nsid) and asking for its id.server and version.bind values. John
    • dns-srv-enum enumerates various common service (SRV) records for a given domain name. The service records contain the hostname, port and priority of servers for a given service. Patrik
    • eap-info enumerates the authentication methods offered by an EAP authenticator for a given identity or for the anonymous identity if no argument is passed. Riccardo
    • http-auth-finder spiders a web site to find web pages requiring form-based or HTTP-based authentication. Patrik
    • http-config-backup checks for backups and swap files of common content management system and web server configuration files. Riccardo
    • http-generator displays the contents of the "generator" meta tag of a web page (default: /) if there is one. Michael
    • http-proxy-brute performs brute force password guessing against a HTTP proxy server. Patrik
    • http-qnap-nas-info attempts to retrieve the model, firmware version, and enabled services from a QNAP Network Attached Storage (NAS) device. Brendan
    • http-vuln-cve2009-3960 exploits cve-2009-3960 also known as Adobe XML External Entity Injection. Hani
    • http-vuln-cve2010-2861 executes a directory traversal attack against a ColdFusion server and tries to grab the password hash for the administrator user. It then uses the salt value (hidden in the web page) to create the SHA1 HMAC hash that the web server needs for authentication as admin. Micah
    • iax2-brute performs brute force password auditing against the Asterisk IAX2 protocol. Patrik
    • membase-brute performs brute force password auditing against Couchbase Membase servers. Patrik
    • membase-http-info retrieves information (hostname, OS, uptime, etc.) from the CouchBase Web Administration port. Patrik
    • memcached-info retrieves information (including system architecture, process ID, and server time) from distributed memory object caching system memcached. Patrik
    • mongodb-brute performs brute force password auditing against the MongoDB database. Patrik
    • nat-pmp-mapport maps a WAN port on the router to a local port on the client using the NAT Port Mapping Protocol (NAT-PMP). Patrik
    • ndmp-fs-info lists remote file systems by querying the remote device using the Network Data Management Protocol (ndmp). Patrik
    • ndmp-version retrieves version information from the remote Network Data Management Protocol (NDMP) service. Patrik
    • nessus-xmlrpc-brute performs brute force password auditing against a Nessus vulnerability scanning daemon using the XMLRPC protocol. Patrik
    • redis-brute performs brute force passwords auditing against a Redis key-value store. Patrik
    • redis-info retrieves information (such as version number and architecture) from a Redis key-value store. Patrik
    • riak-http-info retrieves information (such as node name and architecture) from a Basho Riak distributed database using the HTTP protocol. Patrik
    • rpcap-brute performs brute force password auditing against the WinPcap Remote Capture Daemon (rpcap). Patrik
    • rpcap-info connects to the rpcap service (provides remote sniffing capabilities through WinPcap) and retrieves interface information. Patrik
    • rsync-brute performs brute force password auditing against the rsync remote file syncing protocol. Patrik
    • rsync-list-modules lists modules available for rsync (remote file sync) synchronization. Patrik
    • socks-auth-info determines the supported authentication mechanisms of a remote SOCKS 5 proxy server. Patrik
    • socks-brute performs brute force password auditing against SOCKS 5 proxy servers. Patrik
    • url-snarf sniffs an interface for HTTP traffic and dumps any URLs, and their originating IP address. Patrik
    • versant-info extracts information, including file paths, version and database names from a Versant object database. Patrik
    • vmauthd-brute performs brute force password auditing against the VMWare Authentication Daemon (vmware-authd). Patrik
    • voldemort-info retrieves cluster and store information from the Voldemort distributed key-value store using the Voldemort Native Protocol. Patrik
    • xdmcp-discover requests an XDMCP (X display manager control protocol) session and lists supported authentication and authorization mechanisms. Patrik
  • [NSE] Added 14 new protocol libraries! They were all written by Patrik Karlsson, except for the EAP library by Riccardo Cecolin:
    • dhcp6 (Dynamic Host Configuration Protocol for IPv6)
    • eap (Extensible Authentication Protocol)
    • iax2 (Inter-Asterisk eXchange v2 VoIP protocol)
    • membase (Couchbase Membase TAP protocol)
    • natpmp (NAT Port Mapping Protocol)
    • ndmp (Network Data Management Protocol)
    • pppoe (Point-to-point protocol over Ethernet)
    • redis (in-memory key-value data store)
    • rpcap (WinPcap Remote Capture Deamon)
    • rsync (remote file sync)
    • socks (SOCKS 5 proxy protocol)
    • sslcert (for collecting SSL certificates and storing them in the host-based registry)
    • versant (an object database)
    • xdmcp (X Display Manager Control Protocol)
  • CPE (Common Platform Enumeration) OS classification is now supported for IPv6 OS detection. Previously it was only available for IPv4. David
  • [NSE] The host.os table is now a structured array of table that include OS class information and CPE. See http://nmap.org/book/nse-api.html for documentation of the new structure. Henri Doreau,
  • [NSE] Service matches can now access CPE through the port.version.cpe array. Henri
  • Added a new --script-args-file option which allows you to specify the name of a file containing all of your desired NSE script arguments. The arguments may be separated with commas or newlines and may be overridden by arguments specified on the command-line with --script-args. Daniel
  • Audited the nmap-service-probes database to remove all unused captures, fixing dozens of bugs with captures either being ignored or two fields erroneously using the same capture. Lauri Kokkonen, David Fifield, and Rob
  • Added new version detection probes and match lines for:
    • Erlang Port Mapper Daemon
    • Couchbase Membase NoSQL database
    • Basho Riak distributed database protocol buffers client (PBC)
    • Tarantool in-memory data store Patrik
  • Split the nmap-update client into its own binary RPM to avoid the Nmap RPM having a dependency on the Subversion and APR libraries. We're not yet distributing this binary nmap-update RPM since the system isn't complete, but the source code is available in the Nmap tarball and source RPM. [David]
  • [NSE] Added authentication support to the MongoDB library and modified existing scripts to support it. Patrik
  • [NSE] Added support to broadcast-listener for extracting address, native VLAN and management IP address from CDP packets. Tom
  • [NSE] Added RPC Call CALLIT to the RPC library and modified UDP sockets to be unconnected in order to support broadcast. Patrik
  • [NSE] Modified the ssl-cert and ssl-google-cert-catalog scripts to take advantage of the new sslcert library which retrieves and caches SSL certificates in the registry.
  • [NSE] Patch our bitcoin library to support recent changes in the BitCoin protocol. Andrew Orr, Patrik
  • Fixed an error where very long messages could cause an assertion failure: "log_vwrite: vsnprintf failed. Even after increasing bufferlen to ---, Vsnprintf returned -1 (logt == 1)." This was reported by David Hingos.
  • Fixed an assertion failure that was printed when a fatal error occurred while an XML tag was incomplete: "!xml.tag_open, file ..\xml.cc, line 401". This was reported by David Hingos. David
  • [NSE] Added support for decoding EIGRP broadcasts from Cisco routers to broadcast-listener. Tom
  • [NSE] Added redirect support to the http library. All calls to http.get and http.head now transparently handle any HTTP redirects. The number and destination of redirects are limited by default to avoid endless loops or unwanted follows of redirects to different servers, but they can be configured. Patrik
  • [NSE] Modified the sql-injection script to use the httpspider library. Lauri
  • Added --with-apr and --with-subversion configuration options to support systems where those libraries aren't in the usual places. David
  • [NSE] Fixed a bunch of global access errors in various libraries reported by the nse_check_globals script. Patrik
  • Fixed an assertion failure which could occur when connecting to an SSL server: nsock_core.c:186: update_events: Assertion `(ev_inc & ev_dec) == 0' failed. Thanks to Ron for reporting the bug and testing. Henri
  • [NSE] Added support to the DNS library for the CHAOS class and NSID requests. John
  • [NSE] Changed the dnsbl library to take a much faster threaded approach to querying DNS blacklists. Patrik
  • [NSE] Added new services and the ATTACK category to the dnsbl script. Duarte
  • [NSE] Fixed a memory leak in PortList::setServiceProbeResults() which was noticed and reported by David Fifield. The leak was triggered by set_port_version calls from NSE. Henri
  • [NSE] Fixed a race condition in broadcast-dhcp-discover.nse that could cause responses to be missed on fast networks. It was noticed by Vasiliy Kulikov. David
  • Fixed a bug in reverse name resolution: a name of "." would leave the hostname unintialized and cause "Illegal character(s) in hostname" warnings. Gisle
  • Allow overriding the AR variable to use a different version of the ar library creation tool when creating the liblinear library. [Nuno Gonçalves]
  • Added vcredist2008_x86.exe to the Windows zip file. This installer from MS must be run on new Windows 2008 systems (those which don't already have it) before running Nmap. The Nmap Windows installer already takes care of this. David
  • Removed about 5MB of unnecessary DocBook XSL from the Nping docs directory. David
  • The packet library now uses consistent naming of the address fields for IPv4 and IPv6 packets (ip_bin_src, ip_bin_dst, ip_src, and ip_dst). Henri
  • Update to the latest MAC address prefix assignments from IEEE as of March 8, 2012. [Fyodor]
  • Fixed a problem in the ippackethdrinfo function which was leading to warning messages like: "BOGUS! Can't parse supposed IP packet" during certain IPv6 scans. David
  • Fixed building on Arch Linux. The PCAP_IS_SUITABLE test had to be modified to ensure that -lnl was passed on the build line. See the r28202 svn log for further information. David
  • Include net/if.h before net/if_arp.h in netutil.cc and tcpip.cc to hopefully fix some build problems on AIX 5.3.
  • [NSE] Added IPv6 support to firewalk.nse. Henri

And here is the download link again:

http://nmap.org/download.html

And the bug reporting link again:

http://nmap.org/book/man-bugs.html

Cheers, Fyodor ----

Meet new people