# Nmap Changelog ($Id: CHANGELOG 36342 2016-09-29 15:23:29Z dmiller $); -*-text-*-

Nmap 7.30 [2016-09-29]

o Integrated all 12 of your IPv6 OS fingerprint submissions from June to
  September. No new groups, but several classifications were strengthened,
  especially Windows localhost and OS X. [Daniel Miller]

o [NSE] Added 7 NSE scripts, from 3 authors, bringing the total up to 541!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are below
  (authors are listed in brackets):

  + [GH#369] coap-resources grabs the list of available resources from CoAP
    endpoints. [Mak Kolybabi]

  + fox-info retrieves detailed version and configuration info from Tridium
    Niagara Fox services. [Stephen Hilt]

  + ipmi-brute performs authentication brute-forcing on IPMI services.
    [Claudiu Perta]

  + ipmi-cipher-zero checks IPMI services for Cipher Zero support, which allows
    connection without a password. [Claudiu Perta]

  + ipmi-version retrieves protocol version and authentication options from
    ASF-RMCP (IPMI) services. [Claudiu Perta]

  + [GH#352] mqtt-subscribe connects to a MQTT broker, subscribes to topics,
    and lists the messages received. [Mak Kolybabi]

  + pcworx-info retrieves PLC model, firmware version, and date from Phoenix
    Contact PLCs. [Stephen Hilt]

o Upgraded Npcap, our new Windows packet capturing driver/library,
  from version 0.09 to 0.10r2. This includes many bug fixes, with a
  particular emphasis on concurrency issues discovered by running
  hundreds of Nmap instances at a time. More details are available
  from https://github.com/nmap/npcap/releases. [Yang Luo, Daniel
  Miller, Fyodor]

o New service probes and match lines for DTLS, IPMI-RMCP, MQTT, PCWorx,
  ProConOS, and Tridium Fox. [Stephen Hilt, Mak Kolybabi, Daniel Miller]

o Improved some output filtering to remove or escape carriage returns ('\r')
  that could allow output spoofing by overwriting portions of the screen. Issue
  reported by Adam Rutherford. [Daniel Miller]

o [NSE] Fixed a few bad Lua patterns that could result in denial of service due
  to excessive backtracking. [Adam Rutherford, Daniel Miller]

o Fixed a discrepancy between the number of targets selected with -iR and the
  number of hosts scanned, resulting in output like "Nmap done: 1033 IP
  addresses" when the user specified -iR 1000. [Daniel Miller]

o Fixed a bug in port specification parsing that could cause extraneous
  'T', 'U', 'S', and 'P' characters to be ignored when they should have
  caused an error. [David Fifield]

o [GH#543] Restored compatibility with LibreSSL, which was lost in adding
  library version checks for OpenSSL 1.1. [Wonko7]

o [Zenmap] Fixed a bug in the Compare Scans window of Zenmap on OS X resulting
  in this message instead of Ndiff output:
    ImportError: dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so, 2): no suitable image found.  Did find:
    /Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so: mach-o, but wrong architecture
  Reported by Kyle Gustafson. [Daniel Miller]

o [NSE] Fixed a bug in ssl-enum-ciphers and ssl-dh-params which caused them to
  not output TLSv1.2 info with DHE ciphersuites or others involving
  ServerKeyExchange messages. [Daniel Miller]

o [NSE] Added X509v3 extension parsing to NSE's sslcert code. ssl-cert now
  shows the Subject Alternative Name extension; all extensions are shown in the
  XML output. [Daniel Miller]
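The output filtering change in this release (escaping carriage returns that could let a remote service overwrite earlier screen output) is easier to see with a worked example. The following C++ is added here for illustration and is not Nmap's own code: it escapes '\r', '\n', ESC and other non-printable bytes before an untrusted banner is printed, and provides a check that flags any banner carrying such bytes. The sample banner is constructed.

```cpp
#include <cstdio>
#include <string>

// Escape bytes a terminal would act on so untrusted data (a service banner,
// a hostname) cannot move the cursor or erase earlier output. '\r' alone is
// enough to overwrite the current line; ESC ('\x1b') starts control sequences.
// Printable ASCII and bytes >= 0x80 (UTF-8) pass through unchanged.
std::string escape_for_terminal(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (unsigned char c : in) {
        switch (c) {
        case '\r': out += "\\r"; break;
        case '\n': out += "\\n"; break;
        case '\t': out += "\\t"; break;
        case '\\': out += "\\\\"; break;   // keep the escaping unambiguous
        default:
            if (c < 0x20 || c == 0x7f) {
                char buf[5];
                std::snprintf(buf, sizeof buf, "\\x%02x", c);
                out += buf;
            } else {
                out += static_cast<char>(c);
            }
        }
    }
    return out;
}

// Detection side: true if the data contains any byte that could spoof or
// rewrite terminal output (tab is tolerated as ordinary whitespace).
bool has_terminal_control(const std::string &in) {
    for (unsigned char c : in)
        if ((c < 0x20 && c != '\t') || c == 0x7f)
            return true;
    return false;
}

int main() {
    // Constructed banner: a plausible first line, then '\r' and an escape
    // sequence that would overwrite it with a false "closed" result.
    const std::string banner = "220 ftpd ready\r22/tcp closed  (spoofed)\x1b[K";
    std::printf("control bytes present: %s\n",
                has_terminal_control(banner) ? "yes" : "no");
    std::printf("safe to print: %s\n", escape_for_terminal(banner).c_str());
    return 0;
}
```

Escaping at the output boundary, rather than stripping bytes at capture time, keeps the raw banner available for fingerprint matching while making the spoofing attempt visible in the report.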

Nmap 7.25BETA2 [2016-09-01]

o [GH#376] Windows binaries are now code-signed with our "Insecure.Com LLC"
  SHA256 certificate. This should give our users extra peace-of-mind and avoid
  triggering Microsoft's ever-increasing security warnings.

o [NSE] Upgraded NSE to Lua 5.3, adding bitwise operators, integer data type, a
  utf8 library, and native binary packing and unpacking functions. Removed bit
  library, added bits.lua, replaced base32, base64, and bin libraries. [Patrick
  Donnelly]

o [NSE] Added 2 NSE scripts, bringing the total up to 534!  They are both listed
  at https://nmap.org/nsedoc/, and the summaries are below:

  + oracle-tns-version decodes the version number from Oracle Database Server's
    TNS listener. [Daniel Miller]

  + clock-skew analyzes and reports clock skew between Nmap and services that
    report timestamps, grouping hosts with similar skews. [Daniel Miller]

o Integrated all of your service/version detection fingerprints submitted from
  January to April (578 of them). The signature count went up 2.2% to 10760.
  We now detect 1122 protocols, from elasticsearch, fhem, and goldengate to
  ptcp, resin-watchdog, and siemens-logo. [Daniel Miller]

o Upgraded Npcap, our new Windows packet capturing driver/library,
  from version 0.07-r17 to 0.09. This includes many improvements you can
  read about at https://github.com/nmap/npcap/releases.

o [Nsock][GH#148] Added the new IOCP Nsock engine which uses the Windows
  Overlapped I/O API to improve performance of version scan and NSE against
  many targets on Windows. [Tudor Emil Coman]

o Various performance improvements for large-scale high-rate scanning,
  including increased ping host groups, faster probe matching, and ensuring
  data types can handle an Internet's-worth of targets. [Tudor Emil Coman]

o [NSE] Added the oracle-tns-version NSE script which decodes the version
  number from Oracle Database Server's TNS
  listener. https://nmap.org/nsedoc/scripts/oracle-tns-version.html [Daniel
  Miller]

o [NSE] Added the clock-skew NSE script which analyzes and reports clock skew
  between Nmap and services that report timestamps, grouping hosts with
  similar skews. https://nmap.org/nsedoc/scripts/clock-skew.html [Daniel
  Miller]

o [Zenmap] Long-overdue Spanish language translation has been added! Muy bien!
  [Vincent Dumont, Marta Garcia De La Paz, Paulino Calderon, Patricio Castagnaro]

o [Zenmap][GH#449] Fix a crash when closing Zenmap due to a read-only
  zenmap.conf. User will be warned that config cannot be saved and that they
  should fix the file permissions. [Daniel Miller]

o [NSE] Fix a crash when parsing TLS certificates that OpenSSL doesn't support,
  like DH certificates or corrupted certs. When this happens, ssl-enum-ciphers
  will label the ciphersuite strength as "unknown." Reported by Bertrand
  Bonnefoy-Claudet. [Daniel Miller]

o [NSE][GH#531] Fix two issues in sslcert.lua that prevented correct operations
  against LDAP services when version detection or STARTTLS were used.
  [Tom Sellers]

o [GH#426] Remove a workaround for lack of selectable pcap file descriptors on
  Windows, which required including pcap-int.h and locking us to a single
  version of libpcap. The new method, using WaitForSingleObject should work
  with all versions of both WinPcap and Npcap. [Daniel Miller]

o [NSE][GH#234] Added a --script-timeout option for limiting run time for
  every individual NSE script. [Abhishek Singh]

o [Ncat][GH#444] Added a -z option to Ncat. Just like the -z option in
  traditional netcat, it can be used to quickly check the status of a
  port. Port ranges are not supported since we recommend a certain other tool
  for port scanning. [Abhishek Singh]

o Fix checking of Npcap/WinPcap presence on Windows so that "nmap -A" and
  "nmap" with no options result in the same behaviors as on Linux (and no
  crashes) [Daniel Miller]

o [NSE] ssl-enum-ciphers will now warn about 64-bit block ciphers in CBC mode,
  which are vulnerable to the SWEET32 attack.

o [NSE][GH#117] tftp-enum now only brute-forces IP-address-based Cisco filenames when
  the wordlist contains "{cisco}". Previously, custom wordlists would still end
  up sending these extra 256 requests. [Sriram Raghunathan]

o [GH#472] Avoid an unnecessary assert failure in timing.cc when printing estimated
  completion time. Instead, we'll output a diagnostic error message:
    Timing error: localtime(n) is NULL
  where "n" is some number that is causing problems. [Jean-Guilhem Nousse]

o [NSE][GH#519] Removed the obsolete script ip-geolocation-geobytes. [Paulino Calderon]

o [NSE] Added 9 new fingerprints for script http-default-accounts.
  (Motorola AP, Lantronix print server, Dell iDRAC6, HP StorageWorks, Zabbix,
  Schneider controller, Xerox printer, Citrix NetScaler, ESXi hypervisor)
  [nnposter]

o [NSE] Completed a refresh and validation of almost all fingerprints for
  script http-default-accounts. Also improved the script speed. [nnposter]

o [GH#98] Added support for decoys in IPv6. Earlier we supported decoys only in
  IPv4. [Abhishek Singh]

o [GH#484] Allow Nmap to compile on some older Red Hat distros that disable EC
  crypto support in OpenSSL. [Jeroen Roovers, Vincent Dumont]

o [GH#439] Nmap now supports OpenSSL 1.1.0-pre5 and previous versions. [Vincent Dumont]

o [Ncat] Fix a crash ("add_fdinfo() failed.") when --exec was used with --ssl
  and --max-conns, due to improper accounting of file descriptors. [Daniel
  Miller]

o FTP Bounce scan: improved some edge cases like anonymous login without
  password, 500 errors used to indicate port closed, and timeouts for LIST
  command. Also fixed a 1-byte array overrun (read) when checking for
  privileged ports. [Daniel Miller]

o [GH#140] Allow target DNS names up to 254 bytes. We previously imposed an
  incorrect limit of 64 bytes in several parts of Nmap. [Vincent Dumont]

o [NSE] The hard limit on number of concurrently running scripts can now
  increase above 1000 to match a high user-set --min-parallelism value. [Tudor
  Emil Coman]

o [NSE] Solved a memory corruption issue that would happen if a socket connect
  operation produced an error immediately, such as Network Unreachable. The
  event handler was throwing a Lua error, preventing Nsock from cleaning up
  properly, leaking events. [Abhishek Singh, Daniel Miller]

o [NSE] Added the datetime library for performing date and time calculations,
  and as a helper to the clock-skew script.

o [GH#103][GH#364] Made Nmap's parallel reverse DNS resolver more robust, fully
  handling truncated replies. If a response is too long, we now fall back to
  using the system resolver to answer it. [Abhishek Singh]

o [Zenmap][GH#279] Added a legend for the Topography window. [Suraj Hande]
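An added example, not code from the clock-skew script or from Nmap, of the skew calculation and grouping described for clock-skew in this release: each observation pairs a host's reported timestamp with the local time at which the reply arrived, the difference is the skew, and hosts are grouped when their skews fall within a tolerance of one another. The observations and the 1-second tolerance are assumptions made for the illustration.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// One observation: the host, the timestamp it reported (for instance from an
// HTTP Date header or an SMB/NTP reply) and our local clock when the reply
// arrived. Both values are Unix seconds.
struct Observation {
    std::string host;
    int64_t reported;
    int64_t received;
};

// Skew in seconds; positive means the remote clock runs ahead of ours.
int64_t clock_skew(const Observation &o) { return o.reported - o.received; }

// Group hosts whose skews lie within `tolerance` seconds of their neighbours.
// Sort by skew, then start a new group wherever the gap to the previous host
// exceeds the tolerance (single-linkage clustering in one dimension).
// The default tolerance is an assumed value for this example.
std::vector<std::vector<std::string>> group_by_skew(std::vector<Observation> obs,
                                                    int64_t tolerance = 1) {
    std::sort(obs.begin(), obs.end(), [](const Observation &a, const Observation &b) {
        return clock_skew(a) < clock_skew(b);
    });
    std::vector<std::vector<std::string>> groups;
    for (size_t i = 0; i < obs.size(); ++i) {
        if (i == 0 || clock_skew(obs[i]) - clock_skew(obs[i - 1]) > tolerance)
            groups.push_back({});
        groups.back().push_back(obs[i].host);
    }
    return groups;
}

// Constructed sample: two hosts on a well-synced clock, two that share the
// same one-hour offset (often a hint that they are the same machine or use
// the same misconfigured time source), and one far behind.
std::vector<Observation> sample_observations() {
    return {
        {"10.0.0.1", 1700000000, 1700000000},   // skew 0
        {"10.0.0.2", 1700000101, 1700000100},   // skew +1
        {"10.0.0.3", 1700003600, 1700000000},   // skew +3600
        {"10.0.0.4", 1700003601, 1700000000},   // skew +3601
        {"10.0.0.5", 1699992800, 1700000000},   // skew -7200
    };
}

int main() {
    for (const auto &group : group_by_skew(sample_observations())) {
        std::printf("group:");
        for (const auto &h : group) std::printf(" %s", h.c_str());
        std::printf("\n");
    }
    return 0;
}
```

Grouping is the useful part for an assessor: a cluster of addresses with an identical, non-zero skew usually points at one physical host behind several addresses or at a shared, drifting time source, which is worth noting alongside the version-detection results.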

Nmap 7.25BETA1 [2016-07-15]

o Nmap now ships with and uses Npcap, our new packet sniffing library
  for Windows. It's based on WinPcap (unmaintained for years), but
  uses modern Windows APIs for better performance. It also includes
  security improvements and many bug fixes. See http://npcap.org. And
  it enables Nmap to perform SYN scans and OS detection against
  localhost, which we haven't been able to do on Windows since
  Microsoft removed the raw sockets API in 2003. [Yang Luo, Daniel
  Miller, Fyodor]

o [NSE] Added 6 NSE scripts, from 5 authors, bringing the total up to 533!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are below
  (authors are listed in brackets):

  + clamav-exec detects ClamAV servers vulnerable to unauthorized clamav
    command execution. [Paulino Calderon]

  + http-aspnet-debug detects ASP.NET applications with debugging enabled.
    [Josh Amishav-Zlatin]

  + http-internal-ip-disclosure determines if the web server leaks its internal
    IP address when sending an HTTP/1.0 request without a Host header. [Josh
    Amishav-Zlatin]

  + [GH#304] http-mcmp detects mod_cluster Management Protocol (MCMP) and dumps
    its configuration. [Frank Spierings]

  + [GH#365] sslv2-drown detects vulnerability to the DROWN attack, including
    CVE-2016-0703 and CVE-2016-0704 that enable fast attacks on OpenSSL.
    [Bertrand Bonnefoy-Claudet]

  + vnc-title logs in to VNC servers and grabs the desktop title, geometry, and
    color depth. [Daniel Miller]

o Integrated all of your IPv4 OS fingerprint submissions from January
  to April (539 of them). Added 98 fingerprints, bringing the new total
  to 5187. Additions include Linux 4.4, Android 6.0, Windows Server
  2016, and more. [Daniel Miller]

o Integrated all 31 of your IPv6 OS fingerprint submissions from January to
  June. The classifier added 2 groups and expanded several others. Several
  Apple OS X groups were consolidated, reducing the total number of groups to
  93. [Daniel Miller]

o Update oldest supported Windows version to Vista (Windows 6.0). This enables
  the use of the poll Nsock engine, which has significant performance and
  accuracy advantages. Windows XP users can still use Nmap 7.12, available from
  https://nmap.org/dist/?C=M&O=D [Daniel Miller]

o [NSE] Fix a crash that happened when trying to print the percent done of 0
  NSE script threads:
    timing.cc:710 bool ScanProgressMeter::printStats(double, const timeval*): Assertion 'ltime' failed.
  This would happen if no scripts were scheduled in a scan phase and the user
  pressed a key or specified a short --stats-every interval. Reported by
  Richard Petrie. [Daniel Miller]

o [GH#283][Nsock] Avoid "unknown protocol:0" debug messages and an "Unknown
  address family 0" crash on Windows and other platforms that do not set the
  src_addr argument to recvfrom for TCP sockets. [Daniel Miller]

o Retrieve the correct network prefix length for an adapter on Windows. If more
  than one address was configured on an adapter, the same prefix length would
  be used for both. This incorrect behavior is still used on Windows XP and
  earlier. Reported by Niels Bohr. [Daniel Miller]

o Changed libdnet-stripped to avoid bailing completely when an interface is
  encountered with an unsupported hardware address type. Caused "INTERFACES:
  NONE FOUND!" bugs in Nmap whenever Linux kernel added new hardware address
  types. [Daniel Miller]

o Improved service detection of Docker and fixed a bug in the output of
  docker-version script. [Tom Sellers]

o Fix detection of Microsoft Terminal Services (RDP). Our improved TLS service
  probes were matching on port 3389 before our specific Terminal Services
  probe, causing the port to be labeled as "ssl/unknown". Reported by Josh
  Amishav-Zlatin.

o [NSE] Update to enable smb-os-discovery to augment version detection
  for certain SMB related services using data that the script discovers.
  [Tom Sellers]

o Improved version detection and descriptions for Microsoft and Samba
  SMB services. Also addresses certain issues with OS identification.
  [Tom Sellers]

o [NSE] ssl-enum-ciphers will give a failing score to any server with an RSA
  certificate whose public key uses an exponent of 1. It will also cap the
  score of an RC4-ciphersuite handshake at C and output a warning referencing
  RFC 7465. [Daniel Miller]

o [NSE] Refactored some SSLv2 functionality into a new library, sslv2.lua .
  [Daniel Miller]

o [GH#399] Zenmap's authorization wrapper now uses an AppleScript method for
  privilege escalation on OS X, avoiding the deprecated
  AuthorizationExecuteWithPrivileges method previously used. [Vincent Dumont]

o [GH#454] The OS X binary package is distributed in a .dmg disk image that now
  features an instructive background image. [Vincent Dumont]

o [GH#420] Our OS X build system now uses gtk-mac-bundler and jhbuild to
  provide all dependencies. We no longer use Macports for this purpose.
  [Vincent Dumont]

o [GH#345][Zenmap] On Windows, save Zenmap's stderr output to a writeable
  location (%LOCALAPPDATA%\zenmap.exe.log or %TEMP%\zenmap.exe.log) instead of
  next to the zenmap.exe executable. This avoids a warning message when closing
  Zenmap if it produced any stderr output. [Daniel Miller]

o [GH#379][NSE] Fix http-iis-short-name-brute to report non-vulnerable hosts.
  Reported by alias1. [Paulino Calderon]

o [NSE][GH#371] Fix mysql-audit by adding needed library requires to the
  mysql-cis.audit file. The script would fail with "Failed to load rulebase"
  message. [Paolo Perego]

o [NSE][GH#362] Added support for LDAP over UDP to ldap-rootdse.nse.
  Also added version detection and information extraction to match the
  new LDAP LDAPSearchReq and LDAPSearchReqUDP probes. [Tom Sellers]

o [GH#354] Added new version detection Probes for LDAP services, LDAPSearchReq
  and LDAPSearchReqUDP. The second is Microsoft Active Directory specific. The
  Probes will elicit responses from target services that allow better
  fingerprinting and information extraction. Also added nmap-payload entry for
  detecting LDAP on UDP. [Tom Sellers]

o [NSE] More VNC updates: Support for VeNCrypt and Tight auth types, output of
  authentication sub-types in vnc-info, and all zero-authentication types are
  recognized and reported. [Daniel Miller]

Nmap 7.12 [2016-03-29]

o [Zenmap] Avoid file corruption in zenmap.conf, reported as files containing
  many null ("\x00") characters. Example exceptions:
    TypeError: int() argument must be a string or a number, not 'list'
    ValueError: unable to parse colour specification

o [NSE] VNC updates including vnc-brute support for TLS security type and
  negotiating a lower RFB version if the server sends an unknown higher
  version.  [Daniel Miller]

o [NSE] Added STARTTLS support for VNC, NNTP, and LMTP [Daniel Miller]

o Added new service probes and match lines for OpenVPN on UDP and TCP.

Nmap 7.11 [2016-03-22]

o [NSE][GH#341] Added support for diffie-hellman-group-exchange-* SSH key
  exchange methods to ssh2.lua, allowing ssh-hostkey to run on servers that
  only support custom Diffie-Hellman groups. [Sergey Khegay]

o [NSE] Added support in sslcert.lua for Microsoft SQL Server's TDS protocol,
  so you can now grab certs with ssl-cert or check ciphers with
  ssl-enum-ciphers.  [Daniel Miller]

o [Zenmap] Fix a crash when setting default window geometry:
    TypeError: argument of type 'int' is not iterable

o [Zenmap] Fix a crash when displaying the date from an Nmap XML file due to an
  empty or unknown locale:
    File "zenmapCore/NmapParser.py", line 627, in get_formatted_date
      locale.getpreferredencoding())
    LookupError: unknown encoding:

o [Zenmap] Fix a crash due to incorrect file paths when installing to
  /usr/local prefix. Example:
    Exception: File '/home/blah/.zenmap/scan_profile.usp' does not exist or could not be found!

Nmap 7.10 [2016-03-17]

o [NSE] Added 12 NSE scripts from 7 authors, bringing the total up to 527!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are below
  (authors are listed in brackets):

  + [GH#322] http-apache-server-status parses the server status page of
    Apache's mod_status. [Eric Gershman]

  + http-vuln-cve2013-6786 detects a XSS and URL redirection vulnerability in
    Allegro RomPager web server. Also added a fingerprint for detecting
    CVE-2014-4019 to http-fingerprints.lua. [Vlatko Kosturjak]

  + [GH#226] http-vuln-cve2014-3704 detects and exploits the "Drupalgeddon"
    pre-auth SQL Injection vulnerability in Drupal. [Mariusz Ziulek]

  + imap-ntlm-info extracts hostname and sometimes OS version from
    NTLM-auth-enabled IMAP services. [Justin Cacak]

  + ipv6-multicast-mld-list discovers IPv6 multicast listeners with MLD probes.
    The discovery is the same as targets-ipv6-multicast-mld, but the subscribed
    addresses are decoded and listed.  [Alexandru Geana, Daniel Miller]

  + ms-sql-ntlm-info extracts OS version and sometimes hostname from MS SQL
    Server instances via the NTLM challenge message. [Justin Cacak]

  + nntp-ntlm-info extracts hostname and sometimes OS version from
    NTLM-auth-enabled NNTP services. [Justin Cacak]

  + pop3-ntlm-info extracts hostname and sometimes OS version from
    NTLM-auth-enabled POP3 services. [Justin Cacak]

  + rusers retrieves information about logged-on users from the rusersd RPC
    service. [Daniel Miller]

  + [GH#333] shodan-api queries the Shodan API (https://www.shodan.io) and
    retrieves open port and service info from their Internet-wide scan data.
    [Glenn Wilkinson]

  + smtp-ntlm-info extracts hostname and sometimes OS version from
    NTLM-auth-enabled SMTP and submission services. [Justin Cacak]

  + telnet-ntlm-info extracts hostname and sometimes OS version from
    NTLM-auth-enabled Telnet services. [Justin Cacak]

o Updated the OpenSSL shipped with our binary builds (Windows, OS X, and Linux
  RPM) to 1.0.2g with SSLv2 enabled.

o Integrated all of your IPv4 OS fingerprint submissions from October to
  January (536 of them). Added 104 fingerprints, bringing the new total to
  5089. Additions include Linux 4.2, more Windows 10, IBM i 7, and more.
  Highlights: http://seclists.org/nmap-dev/2016/q1/270 [Daniel Miller]

o Integrated all of your service/version detection fingerprints submitted from
  October to January (508 of them). The signature count went up 2.2% to 10532.
  We now detect 1108 protocols, from icy, finger, and rtsp to ipfs,
  basestation, and minecraft-pe. Highlights:
  http://seclists.org/nmap-dev/2016/q1/271 [Daniel Miller]

o Integrated all 12 of your IPv6 OS fingerprint submissions from October to
  January. The classifier added 3 new groups, including new and expanded groups
  for OS X, bringing the new total to 96. Highlights:
  http://seclists.org/nmap-dev/2016/q1/273 [Daniel Miller]

o [NSE] Upgrade to http-form-brute allowing correct handling of token-based
  CSRF protections and cookies. Also, a simple database of common login forms
  supports Django, Wordpress, MediaWiki, Joomla, and others. [Daniel Miller]

o [Zenmap] [GH#247] Remember window geometry (position and size) from the
  previous time Zenmap was run. [isjing]

o New service probe for CORBA GIOP (General Inter-ORB Protocol) detection
  should elicit a not-found exception from GIOP services that do not respond to
  non-GIOP probes. [Quentin Hardy]

o [GH#284] Fix retrieval of route netmasks on FreeBSD. IPv6 routes were given
  /32 netmasks regardless of actual netmask configured, resulting in failed
  routing. Reported by Martin Gysi. [Daniel Miller]

o [GH#272][GH#269] Give option parsing errors after the usage statement, or
  avoid printing the usage statement in some cases. The options summary has
  grown quite large, requiring users to scroll to the top to see the error
  message. [Abhishek Singh]

o [GH#249][Nsock] Avoid a crash on Windows reported by users using Zenmap's
  Slow Comprehensive Scan profile.  In the case of unknown OpenSSL errors,
  ERR_reason_error_string would return NULL, which could not be printed with
  the "%s" format string. Reported by Dan Baxter. [Gisle Vanem, Daniel Miller]

o [GH#293][Zenmap] Fix a regression in our build that caused copy-and-paste to
  not work in Zenmap on Windows.

o Changed Nmap's idea of reserved and private IP addresses to include
  169.254/16 (RFC3927) and remove 6/8, 7/8, and 55/8 networks. This list, in
  libnetutil's isipprivate function, is used to filter -iR randomly generated
  targets. The newly-valid address ranges belong to the U.S. Department of
  Defense, so users wanting to avoid those ranges should use their own
  exclusion lists with --exclude or --exclude-file.  [Bill Parker, Daniel
  Miller]

o Allow the -4 option for Nmap to indicate IPv4 address family. This is the
  default, and using the option doesn't change anything, but does make it more
  explicit which address family you want to scan. Using -4 with -6 is an error.
  [Daniel Miller]

o [GH#265] When provided a verbosity of 0 (-v0), Nmap will not output any text to the
  screen. This happens at the time of argument parsing, so the usual meaning of
  "verbosity 0" is preserved. [isjing]

o [NSE][GH#314] Fix naming of SSL2_RC2_128_CBC_WITH_MD5 and
  SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 ciphers in sslv2 in order to match the
  draft specification from Mozilla. [Bertrand Bonnefoy-Claudet]

o [NSE][GH#320] Add STARTTLS support to sslv2 to enable SSLv2 detection
  against services that are not TLS encrypted by default but that support
  post connection upgrade. This will enable more comprehensive detection
  of SSLv2 and DROWN (CVE-2016-0800) attack oracles. [Tom Sellers]

o [NSE][GH#301] Added default credential checks for RICOH Web Image Monitor and
  BeEF to http-default-accounts. [nnposter]

o Properly display Next-hop MTU value from ICMP Type 3 Code 4 Fragmentation
  Required messages when tracing packets or in Nping output. Improper offset
  meant we were printing the total IP length. [Sławomir Demeszko]

o [NSE] Added support for DHCP options "TFTP server name" and "Bootfile name"
  to dhcp.lua and enabled checking for options with a code above 61 by default.
  [Mike Rykowski]

o [NSE] whois-ip: Don't request a remote IANA assignments data file when the
  local filesystem will not permit the file to be cached locally. [jah]

o [NSE] Updated http-php-version hash database to cover all versions from PHP
  4.1.0 to PHP 5.4.45. Based on scans of a few thousand PHP web servers pulled
  from Shodan API (https://www.shodan.io/) [Daniel Miller]

o Use the same ScanProgressMeter for FTP bounce scan (-b) as for the other scan
  types, allowing periodic status updates with --stats-every or keypress
  events.  [Daniel Miller]

o [GH#274] Use a shorter pcap_select timeout on OpenBSD, just as we do for OS
  X, old FreeBSD, and Solaris, which use BPF for packet capture and do not have
  properly select-able fds. Fix by OpenBSD port maintainer [David Carlier]

o Print service info in grepable output for ports which are not listed in
  nmap-services when a service tunnel (SSL) is detected. Previously, the
  service info ("ssl|unknown") was not printed unless the service inside the
  tunnel was positively identified. http://seclists.org/nmap-dev/2015/q4/260
  [Daniel Miller]

o [NSE] [GH#242] Fix multiple false-positive sources in http-backup-agent.
  [Tom Sellers]
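The entry in this release on reserved and private addresses describes a filter applied to -iR targets and advises users to carry their own exclusions with --exclude or --exclude-file. The following C++ is an added illustration, not Nmap's isipprivate function or its table: it parses dotted-quad addresses, tests CIDR membership, and skips an address when it falls in a built-in reserved list or in a caller-supplied exclusion list. The reserved list here is a constructed, partial one that includes 169.254/16 and omits 6/8, 7/8 and 55/8, as the entry describes; it is not a copy of Nmap's list.

```cpp
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <string>
#include <vector>

struct Net {
    uint32_t addr;   // network address, host byte order
    int prefix;      // CIDR prefix length, 0..32
};

// Parse "a.b.c.d" into a host-order 32-bit value. Rejects empty octets,
// values above 255, non-digits and anything other than exactly four octets.
bool parse_ipv4(const std::string &s, uint32_t &out) {
    uint32_t value = 0;
    int octets = 0;
    size_t i = 0;
    while (i <= s.size()) {
        size_t j = s.find('.', i);
        if (j == std::string::npos) j = s.size();
        if (j == i || j - i > 3) return false;
        unsigned octet = 0;
        for (size_t k = i; k < j; ++k) {
            if (s[k] < '0' || s[k] > '9') return false;
            octet = octet * 10 + static_cast<unsigned>(s[k] - '0');
        }
        if (octet > 255 || ++octets > 4) return false;
        value = (value << 8) | octet;
        i = j + 1;
    }
    if (octets != 4) return false;
    out = value;
    return true;
}

// Parse "a.b.c.d/n"; a bare address is treated as /32.
bool parse_net(const std::string &s, Net &out) {
    size_t slash = s.find('/');
    std::string ip = s.substr(0, slash);
    int prefix = 32;
    if (slash != std::string::npos) {
        std::string p = s.substr(slash + 1);
        if (p.empty() || p.size() > 2) return false;
        prefix = 0;
        for (char c : p) {
            if (c < '0' || c > '9') return false;
            prefix = prefix * 10 + (c - '0');
        }
        if (prefix > 32) return false;
    }
    if (!parse_ipv4(ip, out.addr)) return false;
    out.prefix = prefix;
    return true;
}

bool in_net(uint32_t addr, const Net &n) {
    uint32_t mask = n.prefix == 0 ? 0u : 0xffffffffu << (32 - n.prefix);
    return (addr & mask) == (n.addr & mask);
}

// Constructed, partial reserved list for this example (not Nmap's table).
// 169.254/16 is present; 6/8, 7/8 and 55/8 are deliberately absent.
const std::vector<Net> &reserved_nets() {
    static const std::vector<Net> nets = [] {
        std::vector<Net> v;
        for (const char *cidr : {"0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                                 "169.254.0.0/16", "172.16.0.0/12",
                                 "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4"}) {
            Net n;
            if (parse_net(cidr, n)) v.push_back(n);
        }
        return v;
    }();
    return nets;
}

// Decide whether a candidate target should be skipped: unparsable input and
// anything in the reserved list or in the user's own exclusions is skipped.
bool should_skip(const std::string &ip, const std::vector<std::string> &excludes = {}) {
    uint32_t addr;
    if (!parse_ipv4(ip, addr)) return true;
    for (const Net &n : reserved_nets())
        if (in_net(addr, n)) return true;
    for (const std::string &e : excludes) {
        Net n;
        if (parse_net(e, n) && in_net(addr, n)) return true;
    }
    return false;
}

int main() {
    // The three ranges the entry removed from the built-in list, supplied
    // the way a user would via --exclude.
    const std::vector<std::string> excludes = {"6.0.0.0/8", "7.0.0.0/8", "55.0.0.0/8"};
    for (const char *ip : {"169.254.1.1", "6.1.2.3", "8.8.8.8", "300.1.1.1"})
        std::printf("%-12s skip=%d  skip-with-excludes=%d\n", ip,
                    should_skip(ip), should_skip(ip, excludes));
    return 0;
}
```

Failing closed on unparsable input (treating it as excluded) is the conservative choice for a target filter: a malformed entry in an exclusion file should never widen the scan.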

Nmap 7.01 [2015-12-09]

o Switch to using gtk-mac-bundler and jhbuild for building the OS X installer.
  This promises to reduce a lot of the problems we've had with local paths and
  dependencies using the py2app and macports build system. [Daniel Miller]

o The Windows installer is now built with NSIS 2.47 which features LoadLibrary
  security hardening to prevent DLL hijacking and other unsafe use of temporary
  directories. Thanks to Stefan Kanthak for reporting the issue to NSIS and to
  us and the many other projects that use it.

o Updated the OpenSSL shipped with our binary builds (Windows, OS X, and RPM)
  to 1.0.2e.

o [Zenmap] [GH#235] Fix several failures to launch Zenmap on OS X. The new
  build process eliminates these errors:
    IOError: [Errno 2] No such file or directory: '/Applications/Zenmap.app/Contents/Resources/etc/pango/pangorc.in'
    LSOpenURLsWithRole() failed for the application /Applications/Zenmap.app with error -10810.

o [NSE] [GH#254] Update the TLSSessionRequest probe in ssl-enum-ciphers to
  match the one in nmap-service-probes, which was fixed previously to correct a
  length calculation error. [Daniel Miller]

o [NSE] [GH#251] Correct false positives and unexpected behavior in http-*
  scripts which used http.identify_404 to determine when a file was not found
  on the target. The function was following redirects, which could be an
  indication of a soft-404 response. [Tom Sellers]

o [NSE] [GH#241] Fix a false-positive in hnap-info when the target responds
  with 200 OK to any request. [Tom Sellers]

o [NSE] [GH#244] Fix an error response in xmlrpc-methods when run against a
  non-HTTP service. The expected behavior is no output. [Niklaus Schiess]

o [NSE] Fix SSN validation function in http-grep, reported by Bruce Barnett.

Nmap 7.00 [2015-11-19]

o This is the most important release since Nmap 6.00 back in May 2012!
  For a list of the most significant improvements and new features,
  see the announcement at: https://nmap.org/7

o [NSE] Added 6 NSE scripts from 6 authors, bringing the total up to 515!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are below
  (authors are listed in brackets):

  + targets-xml extracts target addresses from previous Nmap XML results files.
    [Daniel Miller]

  + [GH#232] ssl-dh-params checks for problems with weak, non-safe, and
    export-grade Diffie-Hellman parameters in TLS handshakes. This includes the
    LOGJAM vulnerability (CVE-2015-4000). [Jacob Gajek]

  + nje-node-brute does brute-forcing of z/OS JES Network Job Entry node names.
    [Soldier of Fortran]

  + ip-https-discover detects support for Microsoft's IP over HTTPS
    tunneling protocol. [Niklaus Schiess]

  + [GH#165] broadcast-sonicwall-discover detects and extracts information from
    SonicWall firewalls. [Raphael Hoegger]

  + [GH#38] http-vuln-cve2014-8877 checks for and optionally exploits a
    vulnerability in CM Download Manager plugin for Wordpress. [Mariusz Ziulek]

o [Ncat] [GH#151] [GH#142] New option --no-shutdown prevents Ncat from shutting
  down when it reads EOF on stdin. This is the same as traditional netcat's
  "-d" option. [Adam Saponara]

o [NSE] [GH#229] Improve parsing in http.lua for multiple Set-Cookie headers in
  a single response.  [nnposter]

Nmap 6.49BETA6 [2015-11-03]

o Integrated all of your IPv6 OS fingerprint submissions from April to October
  (only 9 of them!). We are steadily improving the IPv6 database, but we need
  your submissions. The classifier added 3 new groups, bringing the new total
  to 93. Highlights: http://seclists.org/nmap-dev/2015/q4/61 [Daniel Miller]

o Integrated all of your IPv4 OS fingerprint submissions from February to
  October (1065 of them). Added 219 fingerprints, bringing the new total to
  4985. Additions include Linux 4.1, Windows 10, OS X 10.11, iOS 9, FreeBSD
  11.0, Android 5.1, and more. Highlights:
  http://seclists.org/nmap-dev/2015/q4/60 [Daniel Miller]

o Integrated all of your service/version detection fingerprints submitted from
  February to October (800+ of them). The signature count went up 2.5% to
  10293. We now detect 1089 protocols, from afp, bitcoin, and caldav to
  xml-rpc, yiff, and zebra. Highlights: http://seclists.org/nmap-dev/2015/q4/62
  [Daniel Miller]

o [NSE] Added 10 NSE scripts from 5 authors, bringing the total up to 509!
  They are all listed at http://nmap.org/nsedoc/, and the summaries are below
  (authors are listed in brackets):

  + knx-gateway-discover and knx-gateway-info scripts gather information from
    multicast and unicast KNX gateways, which connect home automation systems
    to IP networks. [Niklaus Schiess, Dominik Schneider]

  + http-ls parses web server directory index pages with optional recursion.
    [Pierre Lalet]

  + xmlrpc-methods performs introspection of xmlrpc services and lists methods
    and their descriptions. [Gyanendra Mishra]

  + http-fetch can be used like wget or curl to fetch all files, specific
    filenames, or files that match a given pattern. [Gyanendra Mishra]

  + http-svn-enum enumerates users of a Subversion repository by examining
    commit logs. [Gyanendra Mishra]

  + http-svn-info requests information from a Subversion repository, similar to
    the "svn info" command. [Gyanendra Mishra]

  + hnap-info detects and outputs info for Home Network Administration Protocol
    devices. [Gyanendra Mishra]

  + http-webdav-scan detects WebDAV servers and reports allowed methods and
    directory listing. [Gyanendra Mishra]

  + tor-consensus-checker checks the target's address with the Tor directory
    authorities to determine if a target is a known Tor node. [Jiayi Ye]

o [NSE] Several scripts have been split, combined, or renamed:

  + [GH#171] smb-check-vulns has been split into:
    * smb-vuln-conficker
    * smb-vuln-cve2009-3103
    * smb-vuln-ms06-025
    * smb-vuln-ms07-029
    * smb-vuln-regsvc-dos
    * smb-vuln-ms08-067
    The scripts now use the vulns library, and the "unsafe" script-arg has been
    replaced by putting the scripts into the "dos" category. [Paulino Calderon]

  + http-email-harvest was removed, as the new http-grep does email address
    scraping by default. [Gyanendra Mishra]

  + http-drupal-modules was renamed to http-drupal-enum. Extended to enumerate
    both themes and modules of Drupal installations. [Gyanendra Mishra]

o [Ncat] [GH#193] Fix Ncat listen mode over Unix sockets (named pipes) on OS X.
  This was crashing with the error:
    Ncat: getnameinfo failed: Undefined error: 0 QUITTING.
  Fixed by forcing the name to "localhost". [Michael Wallner]

o [Zenmap] Fix a crash in Zenmap when using Compare Results:
    AttributeError: 'NoneType' object has no attribute 'get_nmap_output'
  [Daniel Miller]

o [NSE] [GH#194] Add support for reading fragmented TLS messages to
  ssl-enum-ciphers. [Jacob Gajek]

o [GH#51] Added IPv6 support to nmap_mass_rdns, improved reverse DNS cache,
  and refactored DNS code to improve readability and
  extensibility. All in all, this makes the rDNS portion of IPv6 scans
  much faster. [Gioacchino Mazzurco]

o [NSE] Added NTLM brute support to http-brute. [Gyanendra Mishra]

o [NSE] Added NTLM authentication support to http.lua and a related function
  to create an NTLM v2 session response in smbauth.lua. [Gyanendra Mishra]

o [NSE] [GH#106] Added a new NSE module, ls.lua, for accumulating and
  outputting file and directory listings. The afp-ls, nfs-ls, and smb-ls
  scripts have been converted to use this module. [Pierre Lalet]

o [NSE] bacnet-info.nse and s7-info.nse were added to the version category.
  [Paulino Calderon]

o [NSE] Added 124 new identifiers to bacnet-info.nse vendor database.
  [Paulino Calderon]

o [NSE] Fixed bacnet-info.nse to bind to the service port detected
  during scan instead of fixed port. [Paulino Calderon]

o [NSE] Enhanced reporting of elliptic curve names and strengths in
  ssl-enum-ciphers. The name of the curve is now reported instead of just "ec".
  [Brandon Paulsen]

o [GH#75] Normalize Makefile targets to use the same verb-project format, e.g.
  build-ncat, check-zenmap, install-nping, clean-nsock. [Gioacchino Mazzurco]

o [NSE] Added builtin pattern and multiple pattern search to http-grep.
  [Gyanendra Mishra]

o [NSE] http-crossdomainxml is now http-cross-domain-policy and supports client
  access policies and uses the new SLAXML parser. [Gyanendra Mishra]

o [NSE] Added a patch for vulns lib that allows list of tables to be submitted
  to fields in the vulns report. [Jacob Gajek]

o [NSE] Added additional checks for successful PUT request in http-put.
  [Oleg Mitrofanov]

o [NSE] Added an update for http-methods that checks all possible methods not in
  Allow or Public header of OPTIONS response. [Gyanendra Mishra]

o [NSE] Added SLAXML, an XML parser in Lua originally written by Gavin Kistner
  (a.k.a. Phrogz). [Gyanendra Mishra]

o [NSE] [GH#122] Update the snmp-brute and other snmp-* scripts to use the
  creds library to store brute-forced snmp community strings. This allows Nmap
  to use the correct brute-forced string for each host. [Gioacchino Mazzurco]

o Several improvements to TLS/SSL detection in nmap-service-probes. A new
  probe, TLSSessionReq, and improvements to default SSL ports should help speed
  up -sV scans. http://seclists.org/nmap-dev/2015/q2/17 [Daniel Miller]

o [Nsock] Clean up the API so that nsp_* calls are now nsock_pool_* and nsi_*
  are nsock_iod_*. Simplify Nsock SSL init API, and make logging global to the
  library instead of associated with a nspool. [Henri Doreau]

o [GH#181] The configure script now prints a summary of configured options.
  Most importantly, it warns if OpenSSL was not found, since most users will
  want this library compiled in. [Gioacchino Mazzurco]

o Define TCP Options for SYN scan in nmap.h instead of as string literals
  scattered throughout the code. This string is used by p0f and other IDS to
  detect Nmap scans, so having it as a compile-time option is a step towards
  better evasion. [Daniel Miller]

o [GH#51] Nmap's parallel reverse-DNS resolver now handles IPv6 addresses. This
  should result in faster -6 scans. The old behavior is available with
  --system-dns. [Gioacchino Mazzurco]

o [NSE] Fix a couple odd bugs in NSE command-line parsing. Most notably,
  --script broadcast-* will now work (generally, wildcards with scripts whose
  name begins with a category name were not working properly). [Daniel Miller]

o [NSE] [GH#113] http-form-fuzzer will now stop increasing the size of a
  request when an HTTP 413 or 414 error indicates the web server will not
  accept a larger request. [Gioacchino Mazzurco]

o [NSE] [GH#159] Add the ability to tag credentials in the creds library with
  freeform text for easy retrieval. This gives necessary granularity to track
  credentials to multiple web apps on a single host+port. [Gioacchino Mazzurco]

Nmap 6.49BETA5 [2015-09-25]

o Work around a bug which could cause Nmap to hang when running
  multiple instances at once on Windows. The actual bug appears to be
  in the WinPcap driver in that it hangs when accessed via
  OpenServiceA by multiple processes at once. So for now we have added
  a mutex to prevent even multiple Nmap processes from making
  concurrent calls to this part of WinPcap. We've received the reports
  from multiple users on Windows 8.1 and Windows Server 2012 R2 and
  this fix seems to resolve the hang for them. [Daniel Miller]

o [GH#212][NSE] Fix http.get_url function which was wrongly attempting
  non-SSL HTTP requests first when passed https URLs. [jah]

o [GH#201] Fix Ndiff interpreter path problems in the OS X .dmg
  installer which could prevent Ndiff (and the related Zenmap "compare
  results" window) from working on OS X in some cases. [Daniel Miller]

o Fix Nmap's DTD, which did not recognize that the script element
  could contain character data when a script returns a number or a
  boolean.  [Jonathan Daugherty]

o [GH#172][NSE] Fix reporting of DH parameter sizes by
  ssl-enum-ciphers. The number shown was the length in bytes, not bits
  as it should have been.  Reported by Michael Staruch. [Brandon
  Paulsen]

o Our Windows Nmap packages are now compiled with the older platform
  toolset (v120_xp rather than v120) and so they may work with Windows
  XP again for the dwindling number of users still on that operating
  system.

o [GH#34] Disable TPACKET_V3 in our included libpcap. This version of
  the Linux kernel packet ring API has problems that result in lots of
  lost packets. This patch falls back to TPACKET_V2 or earlier
  versions if available. [nnposter]

o [NSE] Check for socket errors in iscsi.lua. This was causing the
  iscsi-info script to crash against some services. [Daniel Miller]

o [NSE] Fix http-useragent-tester, which was using cached HTTP
  responses instead of testing new User-Agent strings. [Daniel Miller]

o Output a warning when deprecated options are used, and suggest the
  preferred option. Currently deprecated: -i -o -m -sP -P0 -PN -oM
  -sR. The warning is only visible with -v. [Daniel Miller]

o Add a fatal error for options like -oG- which is interpreted as the
  deprecated -o option, outputting to a file named "G-", instead of
  the expected behavior of -oG - (Grepable output to stdout). [Daniel
  Miller]

o [GH#196] Fix raw packet sending on FreeBSD 10.0 and later. FreeBSD
  changed byte order of the IPv4 stack, so SYN scan and other raw
  packet functions were broken. [Edward Napierała] Also reported in
  [GH#50] by Olli Hauer.

o [GH#183] Fix compilation on Visual Studio 2010, which failed with
  error: "service_scan.cc(2559): error C2065: 'EOPNOTSUPP' :
  undeclared identifier" [Daniel Miller]

o [GH#115][NSE] ssl-enum-ciphers will still produce output if OpenSSL
  (required for certificate parsing) is not available. In cases where
  handshake strength depends on the certificate, it will be reported
  as "unknown". [jrchamp]

Nmap 6.49BETA4 [2015-07-06]

o Fix a hang on OS X in Zenmap's Topology page with error
  "zenmap_wrapper.py[857]: GError: Couldn't recognize the image file format for
  file '/Applications/Zenmap.app/Contents/MacOS/../Resources/share/zenmap/pixmaps/radialnet/padlock.png'
  http://seclists.org/nmap-dev/2015/q3/8 [Daniel Miller]

o Fix a small memory leak for each target specified as a hostname which fails
  to resolve. [Daniel Miller]

o Allow 'make check' to succeed when Nmap is configured without OpenSSL
  support. This was broken due to our NSE unittest library expecting to be able
  to load every library without error. [Daniel Miller]

o [NSE] Enable ssl-enum-ciphers to safely scan servers with a long handshake
  intolerance issue which resulted in incomplete results when the handshake was
  greater than 255 bytes. [Jacob Gajek, Daniel Miller]

o [Ncat] Fix a write overrun in Ncat that could cause a segfault if the -g
  (source route) option was given too many times. [Daniel Miller]

o [NSE] [GH#168] Allow ssl-enum-ciphers to run on non-typical ports when it is
  selected by name. It will now send a service detection probe if the port is
  not a typical SSL port and version scan (-sV) was not used. [Daniel Miller]

Nmap 6.49BETA3 [2015-06-25]

o [GH#166] Fix Ncat listen mode on Solaris and other platforms where struct sockaddr
  does not have a sa_len member. This also affected use of the -p and -s
  options. Brandon Haberfeld reported the crash. [Daniel Miller]

o [GH#164] Fix a Zenmap failure to open on OS X with the error:
  "dyld: Symbol not found: _iconv Referenced from: /usr/lib/libcups.2.dylib"
  We had to remove the DYLD_LIBRARY_PATH environment variable from
  zenmap_wrapper.py. Reported by Robert Strom. [Daniel Miller]

o Report our https URL (https://nmap.org) in more places rather than
  our non-SSL one. [David Fifield]

o [NSE] Fix Diffie-Hellman parameter extraction in tls.lua. [Jacob Gajek]

Nmap 6.49BETA2 [2015-06-16]

o [GH#154] Fix a crash (assertion error) when Nmap receives an ICMP Host
  Unreachable message.

o [GH#158] Fix a configure failure when Python is not present, but no Python
  projects were requested. [Gioacchino Mazzurco]

o [GH#161] [Zenmap] Fix Zenmap on OS X which was failing with
  zipimport.ZipImportError due to architecture mismatch.

o [NSE] Remove ahbl.org checks from dnsbl.lua, since the service was shut down.
  [Forrest B.]

Nmap 6.49BETA1 [2015-06-03]

o Integrated all of your IPv4 OS fingerprint submissions from May 2014 to
  February 2015 (1900+ of them). Added 281 fingerprints, bringing the new total
  to 4766. Additions include Linux 3.18, Windows 8.1, OS X 10.10, Android 5.0,
  FreeBSD 10.1, OpenBSD 5.6, and more. Highlights:
  http://seclists.org/nmap-dev/2015/q2/169 [Daniel Miller]

o Integrated all of your service/version detection fingerprints submitted from
  June 2013 to February 2015 (2500+ of them). The signature count soared over
  the 10000 mark, a 12% increase. We now detect 1062 protocols, from http,
  telnet, and ftp to jute, bgp, and slurm. Highlights:
  http://seclists.org/nmap-dev/2015/q2/171 [Daniel Miller]

o Integrated all of your IPv6 OS fingerprint submissions from June 2013 to
  April 2015 (only 97 of them!). We are steadily improving the IPv6 database,
  but we need your submissions. The classifier added 9 new groups, bringing the
  new total to 90. Highlights: http://seclists.org/nmap-dev/2015/q2/170 [Daniel
  Miller]

o Nmap now has an official bug tracker! We are using Github Issues, which you
  can reach from http://issues.nmap.org/. We welcome your bug reports,
  enhancement requests, and code submissions via the Issues and Pull Request
  features of Github (https://github.com/nmap/nmap), though the repository
  itself is just a mirror of our authoritative Subversion repository.

o [Zenmap] New Chinese-language (zh) translation from Jie Jiang, new Hindi (hi)
  translation by Gyanendra Mishra, and updated translations for German (de,
  Chris Leick), Italian (it, Jan Reister), Polish (pl, Jacek Wielemborek), and
  French (fr, MaZ).

o Added options --data <hex string> and --data-string <string> to send custom
  payloads in scan packet data. [Jay Bosamiya]

o --reason is enabled for verbosity > 2, and now includes the TTL of received
  packets in Normal output (this was already present in XML). [Jay Bosamiya]

o Fix ICMP Echo (-PE) host discovery for IPv6, broken since 6.45, caused by
  failing to set the ICMP ID for outgoing packets which is used to match
  incoming responses. [Andrew Waters]

o Solve a crash on Windows (reported on Windows 8.1 on Surface Pro 3) caused by
  passing a NULL pointer to a WinPcap function that then tries to write an
  error message to it. [Peter Malecka]

o Enhance Nmap's tcpwrapped service detection by using a shorter timeout for
  the tcpwrapped designation. This prevents falsely labeling services as
  tcpwrapped which merely have a read timeout shorter than 6 seconds. Full
  discussion: http://issues.nmap.org/39 [nnposter, Daniel Miller]

o All nmap.org pages are now available SSL-secured to improve privacy
  and ensure your binaries can't be tampered with in transit. So be
  sure to download from https://nmap.org/download.html . We will soon
  remove the non-SSL version of the site. We still offer GPG-signed
  binaries as well: https://nmap.org/book/install.html#inst-integrity

o [NSE] Added 25 NSE scripts from 17 authors, bringing the total up to 494!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are below
  (authors are listed in brackets):

  + bacnet-info gets device information from SCADA/ICS devices via BACnet
    (Building Automation and Control Networks) [Stephen Hilt, Michael Toecker]

  + docker-version detects and fingerprints Docker [Claudio Criscione]

  + enip-info gets device information from SCADA/ICS devices via EtherNet/IP
    [Stephen Hilt]

  + fcrdns performs a Forward-confirmed Reverse DNS lookup and reports
    anomalous results. [Daniel Miller]

  + http-avaya-ipoffice-users enumerates users in Avaya IP Office 7.x systems.
    [Paulino Calderon]

  + http-cisco-anyconnect gets version and tunnel information from Cisco SSL
    VPNs. [Patrik Karlsson]

  + http-crossdomainxml detects overly permissive crossdomain policies and
    finds trusted domain names available for purchase. [Paulino Calderon]

  + http-shellshock detects web applications vulnerable to Shellshock
    (CVE-2014-6271). [Paulino Calderon]

  + http-vuln-cve2006-3392 exploits a file disclosure vulnerability in Webmin.
    [Paul AMAR]

  + http-vuln-cve2014-2126, http-vuln-cve2014-2127, http-vuln-cve2014-2128 and
    http-vuln-cve2014-2129 detect specific vulnerabilities in Cisco AnyConnect
    SSL VPNs. [Patrik Karlsson]

  + http-vuln-cve2015-1427 detects Elasticsearch servers vulnerable to remote
    code execution. [Gyanendra Mishra]

  + http-vuln-cve2015-1635 detects Microsoft Windows systems vulnerable to
