# Nmap Changelog ($Id: CHANGELOG 36907 2017-07-31 22:31:50Z dmiller $); -*-text-*-

Nmap 7.60 [2017-07-31]

o [Windows] Updated the bundled Npcap from 0.91 to 0.93, fixing several issues
  with installation and compatibility with the Windows 10 Creators Update.

o [NSE][GH#910] NSE scripts now have complete SSH support via libssh2,
  including password brute-forcing and running remote commands, thanks to the
  combined efforts of three Summer of Code students: [Devin Bjelland, Sergey
  Khegay, Evangelos Deirmentzoglou]

o [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 579!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are below:

  + ftp-syst sends SYST and STAT commands to FTP servers to get system version
    and connection information. [Daniel Miller]

  + [GH#916] http-vuln-cve2017-8917 checks for an SQL injection vulnerability affecting
    Joomla! 3.7.x before 3.7.1. [Wong Wai Tuck]

  + iec-identify probes for the IEC 60870-5-104 SCADA protocol. [Aleksandr
    Timorin, Daniel Miller]

  + [GH#915] openwebnet-discovery retrieves device identifying information and
    number of connected devices running on openwebnet protocol. [Rewanth Cool]

  + puppet-naivesigning checks for a misconfiguration in the Puppet CA where
    naive signing is enabled, allowing for any CSR to be automatically signed.
    [Wong Wai Tuck]

  + [GH#943] smb-protocols discovers if a server supports dialects NT LM 0.12
    (SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old
    smbv2-enabled script. [Paulino Calderon]

  + [GH#943] smb2-capabilities lists the supported capabilities of SMB2/SMB3
    servers. [Paulino Calderon]

  + [GH#943] smb2-time determines the current date and boot date of SMB2
    servers. [Paulino Calderon]

  + [GH#943] smb2-security-mode determines the message signing configuration of
    SMB2/SMB3 servers. [Paulino Calderon]

  + [GH#943] smb2-vuln-uptime attempts to discover missing critical patches in
    Microsoft Windows systems based on the SMB2 server uptime. [Paulino Calderon]

  + ssh-auth-methods lists the authentication methods offered by an SSH server.
    [Devin Bjelland]

  + ssh-brute performs brute-forcing of SSH password credentials. [Devin Bjelland]

  + ssh-publickey-acceptance checks public or private keys to see if they could
    be used to log in to a target. A list of known-compromised key pairs is
    included and checked by default. [Devin Bjelland]

  + ssh-run uses user-provided credentials to run commands on targets via SSH.
    [Devin Bjelland]

o [NSE] Removed smbv2-enabled, which was incompatible with the new SMBv2/3
  improvements. It was fully replaced by the smb-protocols script.

o [Ncat][GH#446] Added Datagram TLS (DTLS) support to Ncat in connect (client)
  mode with --udp --ssl. Also added Application Layer Protocol Negotiation
  (ALPN) support with the --ssl-alpn option. [Denis Andzakovic, Daniel Miller]

o Updated the default ciphers list for Ncat and the secure ciphers list for
  Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH
  ciphersuites, anonymous ECDH suites were being allowed. [Daniel Miller]

o [NSE][GH#930] Fix ndmp-version and ndmp-fs-info when scanning Veritas Backup
  Exec Agent 15 or 16. [Andrew Orr]

o [NSE][GH#943] Added new SMB2/3 library and related scripts. [Paulino Calderon]

o [NSE][GH#950] Added wildcard detection to dns-brute. Only hostnames that
  resolve to unique addresses will be listed. [Aaron Heesakkers]

o [NSE] FTP scripts like ftp-anon and ftp-brute now correctly handle
  TLS-protected FTP services and use STARTTLS when necessary. [Daniel Miller]

o [NSE][GH#936] Function url.escape no longer encodes so-called "unreserved"
  characters, including hyphen, period, underscore, and tilde, as per RFC 3986.
  [nnposter]

o [NSE][GH#935] Function http.pipeline_go no longer assumes that persistent
  connections are supported on HTTP 1.0 target (unless the target explicitly
  declares otherwise), as per RFC 7230. [nnposter]

o [NSE][GH#934] The HTTP response object has a new member, version, which
  contains the HTTP protocol version string returned by the server, e.g. "1.0".
  [nnposter]

o [NSE][GH#938] Fix handling of the objectSID Active Directory attribute
  by ldap.lua. [Tom Sellers]

o [NSE] Fix line endings in the list of Oracle SIDs used by oracle-sid-brute.
  Carriage Return characters were being sent in the connection packets, likely
  resulting in failure of the script. [Anant Shrivastava]

o [NSE][GH#141] http-useragent-checker now checks for changes in HTTP status
  (usually 403 Forbidden) in addition to redirects to indicate forbidden User
  Agents. [Gyanendra Mishra]

Nmap 7.50 [2017-06-13]

o [Windows] Updated the bundled Npcap from 0.78 to 0.91, with several bugfixes
  for WiFi connectivity problems and stability issues. [Daniel Miller, Yang Luo]

o Integrated all of your service/version detection fingerprints submitted from
  September to March (855 of them). The signature count went up 2.9% to 11,418.
  We now detect 1193 protocols from apachemq, bro, and clickhouse to jmon,
  slmp, and zookeeper. Highlights: http://seclists.org/nmap-dev/2017/q2/140

o [NSE] Added 14 NSE scripts from 12 authors, bringing the total up to 566!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are below:

  + [GH#743] broadcast-ospf2-discover discovers OSPF 2 routers and neighbors.
    OSPFv2 authentication is supported. [Emiliano Ticci]

  + [GH#671] cics-info checks IBM TN3270 services for CICS transaction services
    and extracts useful information. [Soldier of Fortran]

  + [GH#671] cics-user-brute does brute-force enumeration of CICS usernames on
    IBM TN3270 services. [Soldier of Fortran]

  + [GH#669] http-cookie-flags checks HTTP session cookies for HTTPOnly and
    Secure flags. [Steve Benson]

  + http-security-headers checks for the HTTP response headers related to
    security given in OWASP Secure Headers Project, giving a brief description
    of the header and its configuration value. [Vinamra Bhatia, Ícaro Torres]

  + [GH#740][GH#759] http-vuln-cve2017-5638 checks for the RCE bug in Apache
    Struts2. [Seth Jackson]

  + [GH#876] http-vuln-cve2017-5689 detects a privilege escalation
    vulnerability (INTEL-SA-00075) in Intel Active Management Technology (AMT)
    capable systems. [Andrew Orr]

  + http-vuln-cve2017-1001000 detects a privilege escalation vulnerability in
    Wordpress 4.7.0 and 4.7.1 (CVE-2017-1001000) [Vinamra Bhatia]

  + [GH#713] impress-remote-discover attempts to pair with the LibreOffice
    Impress presentation remote service and extract version info.  Pairing is
    PIN-protected, and the script can optionally brute-force the PIN.  New
    service probe and match line also added. [Jeremy Hiebert]

  + [GH#854] smb-double-pulsar-backdoor detects the Shadow Brokers-leaked
    Double Pulsar backdoor in Windows SMB servers. [Andrew Orr]

  + smb-vuln-cve-2017-7494 detects a remote code execution vulnerability
    affecting Samba versions 3.5.0 and greater with writable shares.
    [Wong Wai Tuck]

  + smb-vuln-ms17-010 detects a critical remote code execution vulnerability
    affecting SMBv1 servers in Microsoft Windows systems (ms17-010).  The
    script also reports patched systems. [Paulino Calderon]

  + [GH#686] tls-ticketbleed checks for the Ticketbleed vulnerability
    (CVE-2016-9244) in F5 BIG-IP appliances. [Mak Kolybabi]

  + vmware-version queries VMWare SOAP API for version and product information.
    Submitted in 2011, this was mistakenly turned into a service probe that was
    unable to elicit any matches. [Aleksey Tyurin]

o [Ncat] A series of changes and fixes based on feedback from the Red Hat community:

  + [GH#157] Ncat will now continue trying to connect to each resolved address
    for a hostname before declaring the connection refused, allowing it to
    fallback from IPv6 to IPv4 or to connect to names that use DNS failover.
    [Jaromir Koncicky, Michal Hlavinka]

  + The --no-shutdown option now also works in connect mode, not only in listen mode.

  + Made -i/--idle-timeout not cause Ncat in server mode to close while
    waiting for an initial connection. This was also causing -i to interfere
    with the HTTP proxy server mode. [Carlos Manso, Daniel Miller]

  + [GH#773] Ncat in server mode properly handles TLS renegotiations and other
    situations where SSL_read returns a non-fatal error. This was causing
    SSL-over-TCP connections to be dropped. [Daniel Miller]

  + Enable --ssl-ciphers to be used with Ncat in client mode, not only in
    server (listen) mode. [Daniel Miller]

o [NSE][GH#266][GH#704][GH#238][GH#883] NSE libraries smb and msrpc now use
  fully qualified paths. SMB scripts now work against all modern versions
  of Microsoft Windows. [Paulino Calderon]

o [NSE] smb library's share_get_list now properly uses anonymous connections
  first before falling back authenticating as a known user.

o New service probes and matches for Apache HBase and Hadoop MapReduce.
  [Paulino Calderon]

o Extended Memcached service probe and added match for Apache ZooKeeper.
  [Paulino Calderon]

o [NSE] New script argument "vulns.short" will reduce vulns library script
  output to a single line containing the target name or IP, the vulnerability
  state, and the CVE ID or title of the vulnerability. [Daniel Miller]

o [NSE][GH#862] SNMP scripts will now take a community string provided like
  `--script-args creds.snmp=private`, which previously did not work because it
  was interpreted as a username. [Daniel Miller]

o [NSE] Resolved several issues in the default HTTP redirect rules:
    - [GH#826] A redirect is now cancelled if the original URL contains
      embedded credentials
    - [GH#829] A redirect test is now more careful in determining whether
      a redirect destination is related to the original host
    - [GH#830] A redirect is now more strict in avoiding possible redirect
      loops
  [nnposter]

o [NSE][GH#766] The HTTP Host header will now include the port unless it is
  the default one for a given scheme. [nnposter]

o [NSE] The HTTP response object has a new member, fragment, which contains
  a partially received body (if any) when the overall request fails to
  complete. [nnposter]

o [NSE][GH#866] NSE now allows cookies to have arbitrary attributes, which
  are silently ignored (in accordance with RFC 6265). Unrecognized attributes
  were previously causing HTTP requests with such cookies to fail. [nnposter]

o [NSE][GH#844] NSE now correctly parses a Set-Cookie header that has unquoted
  whitespace in the cookie value (which is allowed per RFC 6265). [nnposter]

o [NSE][GH#731] NSE is now able to process HTTP responses with a Set-Cookie
  header that has an extraneous trailing semicolon. [nnposter]

o [NSE][GH#708] TLS SNI now works correctly for NSE HTTP requests initiated
  with option any_af. As an added benefit, option any_af is now available for
  all connections via comm.lua, not just HTTP requests. [nnposter]

o [NSE][GH#781] There is a new common function, url.get_default_port(),
  to obtain the default port number for a given scheme. [nnposter]

o [NSE][GH#833] Function url.parse() now returns the port part as a number,
  not a string. [nnposter]

o No longer allow ICMP Time Exceeded messages to mark a host as down during
  host discovery. Running traceroute at the same time as Nmap was causing
  interference. [David Fifield]

o [NSE][GH#807] Fixed a JSON library issue that was causing long integers
  to be expressed in the scientific/exponent notation. [nnposter]

o [NSE] Fixed several potential hangs in NSE scripts that used
  receive_buf(pattern), which will not return if the service continues to send
  data that does not match pattern. A new function in match.lua, pattern_limit,
  is introduced to limit the number of bytes consumed while searching for the
  pattern. [Daniel Miller, Jacek Wielemborek]

o [Nsock] Handle any and all socket connect errors the same: raise as an Nsock
  error instead of fatal. This prevents Nmap and Ncat from quitting with
  "Strange error from connect:" [Daniel Miller]

o [NSE] Added several commands to redis-info to extract listening addresses,
  connected clients, active channels, and cluster nodes. [Vasiliy Kulikov]

o [NSE][GH#679][GH#681] Refreshed script http-robtex-reverse-ip, reflecting
  changes at the source site (www.robtex.com). [aDoN]

o [NSE][GH#620][GH#715] Added 8 new http-enum fingerprints for Hadoop
  infrastructure components. [Thomas Debize, Varunram Ganesh]

o [NSE][GH#629] Added two new fingerprints to http-default-accounts
  (APC Management Card, older NetScreen ScreenOS) [Steve Benson, nnposter]

o [NSE][GH#716] Fix for oracle-tns-version which was sending an invalid TNS
  probe due to a string escaping mixup. [Alexandr Savca]

o [NSE][GH#694] ike-version now outputs information about supported attributes
  and unknown vendor ids. Also, a new fingerprint for FortiGate VPNs was
  submitted by Alexis La Goutte. [Daniel Miller]

o [GH#700] Enabled support for TLS SNI on the Windows platform. [nnposter]

o [GH#649] New service probe and match lines for the JMON and RSE services of
  IBM Explorer for z/OS. [Soldier of Fortran]

o Removed a duplicate service probe for Memcached added in 2011 (the original
  probe was added in 2008) and reported as duplicate in 2013 by Pavel Kankovsky.

o New service probe and match line for NoMachine NX Server remote desktop.
  [Justin Cacak]

o [Zenmap] Fixed a recurring installation problem on OS X/macOS where Zenmap
  was installed to /Applications/Applications/Zenmap.app instead of
  /Applications/Zenmap.app.

o [Zenmap][GH#639] Zenmap will no longer crash when no suitable temporary
  directory is found. Patches contributed by [Varunram Ganesh] and [Sai Sundhar]

o [Zenmap][GH#626] Zenmap now properly handles the -v0 (no output) option,
  which was added in Nmap 7.10. Previously, this was treated the same as not
  specifying -v at all. [lymanZerga11]

o [GH#630] Updated or removed some OpenSSL library calls that were deprecated
  in OpenSSL 1.1. [eroen]

o [NSE] Script ssh-hostkey now recognizes and reports Ed25519 keys [nnposter]

o [NSE][GH#627] Fixed script hang in several brute scripts due to the "threads"
  script-arg not being converted to a number. Error message was
  "nselib/brute.lua:1188: attempt to compare number with string" [Arne Beer]

Nmap 7.40 [2016-12-20]

o [Windows] Updated the bundled Npcap from 0.10r9 to 0.78r5, with an
  improved installer experience, driver signing updates to work with
  Windows 10 build 1607, and bugfixes for WiFi connectivity
  problems. [Yang Luo, Daniel Miller]

o Integrated all of your IPv4 OS fingerprint submissions from April to
  September (568 of them). Added 149 fingerprints, bringing the new total to
  5,336. Additions include Linux 4.6, macOS 10.12 Sierra, NetBSD 7.0, and more.
  Highlights: http://seclists.org/nmap-dev/2016/q4/110 [Daniel Miller]

o Integrated all of your service/version detection fingerprints submitted from
  April to September (779 of them). The signature count went up 3.1% to 11,095.
  We now detect 1161 protocols, from airserv-ng, domaintime, and mep to
  nutcracker, rhpp, and usher. Highlights: http://seclists.org/nmap-dev/2016/q4/115
  [Daniel Miller]

o Fix reverse DNS on Windows which was failing with the message "mass_dns:
  warning: Unable to determine any DNS servers." This was because the interface
  GUID comparison needed to be case-insensitive. [Robert Croteau]

o [NSE] Added 12 NSE scripts from 4 authors, bringing the total up to 552!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are below:

  + cics-enum enumerates CICS transaction IDs, mapping to screens in TN3270
    services. [Soldier of Fortran]

  + cics-user-enum brute-forces usernames for CICS users on TN3270 services.
    [Soldier of Fortran]

  + fingerprint-strings will print the ASCII strings it finds in the service
    fingerprints that Nmap shows for unidentified services. [Daniel Miller]

  + [GH#606] ip-geolocation-map-bing renders IP geolocation data as an image
    via Bing Maps API. [Mak Kolybabi]

  + [GH#606] ip-geolocation-map-google renders IP geolocation data as an image
    via Google Maps API. [Mak Kolybabi]

  + [GH#606] ip-geolocation-map-kml records IP geolocation data in a KML file
    for import into other mapping software [Mak Kolybabi]

  + nje-pass-brute brute-forces the password to a NJE node, given a valid RHOST
    and OHOST. Helpfully, nje-node-brute can now brute force both of those
    values. [Soldier of Fortran]

  + [GH#557] ssl-cert-intaddr will search for private IP addresses in TLS
    certificate fields and extensions. [Steve Benson]

  + tn3270-screen shows the login screen from mainframe TN3270 Telnet services,
    including any hidden fields. The script is accompanied by the new tn3270
    library. [Soldier of Fortran]

  + tso-enum enumerates usernames for TN3270 Telnet services. [Soldier of Fortran]

  + tso-brute brute-forces passwords for TN3270 Telnet services. [Soldier of Fortran]

  + vtam-enum brute-forces VTAM application IDs for TN3270 services.
    [Soldier of Fortran]

o [NSE][GH#518] Brute scripts are faster and more accurate. New feedback and
  adaptivity mechanisms in brute.lua help brute scripts use resources more
  efficiently, dynamically changing number of threads based on protocol
  messages like FTP 421 errors, network errors like timeouts, etc.
  [Sergey Khegay]

o [GH#353] New option --defeat-icmp-ratelimit dramatically reduces UDP scan
  times in exchange for labeling unresponsive (and possibly open) ports as
  "closed|filtered". Ports which give a UDP protocol response to one of Nmap's
  scanning payloads will be marked "open". [Sergey Khegay]

o [NSE][GH#533] Removed ssl-google-cert-catalog, since Google shut off that
  service at some point. Reported by Brian Morin.

o [NSE][GH#606] New NSE library, geoip.lua, provides a common framework for
  storing and retrieving IP geolocation results. [Mak Kolybabi]

o [Ncat] Restore the connection success message that Ncat prints with -v. This
  was accidentally suppressed when not using -z.

o [GH#316] Added scan resume from Nmap's XML output. Now you can --resume a
  canceled scan from all 3 major output formats: -oN, -oG, and -oX.
  [Tudor Emil Coman]

o [Ndiff][GH#591] Fix a bug where hosts with the same IP but different
  hostnames were shown as changing hostnames between scans. Made sort stable
  with regard to hostnames. [Daniel Miller]

o [NSE][GH#540] Add tls.servername script-arg for forcing a name to be used for
  TLS Server Name Indication extension. The argument overrides the default use
  of the host's targetname. [Bertrand Bonnefoy-Claudet]

o [GH#505] Updated Russian translation of Zenmap by Alexander Kozlov.

o [NSE][GH#588] Fix a crash in smb.lua when using smb-ls due to a
  floating-point number being passed to os.time ("bad argument").
  [Dallas Winger]

o [NSE][GH#596] Fix a bug in mysql.lua that caused authentication failures in
  mysql-brute and other scripts due to including a null terminator in the salt
  value. This bug affects Nmap 7.25BETA2 and later releases.  [Daniel Miller]

o The --open option now implies --defeat-rst-ratelimit. This may result in
  inaccuracies in the numbers of "Not shown:" closed and filtered ports, but
  only in situations where it also speeds up scan times. [Daniel Miller]

o [NSE] Added known Diffie-Hellman parameters for haproxy, postfix, and
  IronPort to ssl-dh-params. [Frank Bergmann]

o Added service probe for ClamAV servers (clam),
  an open source antivirus engine used in mail scanning. [Paulino Calderon]

o Added service probe and UDP payload for Quick UDP Internet Connection (QUIC),
  a secure transport developed by Google and used with HTTP/2. [Daniel Miller]

o [NSE] Enabled resolveall to run against any target provided as a hostname, so
  the resolveall.hosts script-arg is no longer required. [Daniel Miller]

o [NSE] Revised script http-default-accounts in several ways [nnposter]:
  - Added 21 new fingerprints, plus broadened 5 to cover more variants.
  - [GH#577] It can now can test systems that return status 200 for
    non-existent pages.
  - [GH#604] Implemented XML output. Layout of the classic text output has also
    changed, including reporting blank usernames or passwords as "<blank>",
    instead of just empty strings.
  - Added CPE entries to individual fingerprints (where known). They are
    reported only in the XML output.

o [NSE][GH#573] Updated http.lua to allow processing of HTTP responses with
  malformed header names. Such header lines are still captured in the rawheader
  list but skipped otherwise. [nnposter]

o [GH#416] New service probe and match line for iperf3. [Eric Gershman]

o [NSE][GH#555] Add Drupal to the set of web apps brute forced by
  http-form-brute. [Nima Ghotbi]

Nmap 7.31 [2016-10-20]

o [Windows] Updated the bundled Npcap from 0.10r2 to 0.10r9, bringing
  increased stability, bug fixes, and raw 802.11 WiFi capture (unused
  by Nmap). Further details on these changes can be found at
  https://github.com/nmap/npcap/releases. [Yang Luo]

o Fixed the way Nmap handles scanning names that resolve to the same IP. Due to
  changes in 7.30, the IP was only being scanned once, with bogus results
  displayed for the other names. The previous behavior is now restored.
  [Tudor Emil Coman]

o [Nping][GH#559] Fix Nping's ability to use Npcap on Windows. A privilege
  check was performed too late, so the Npcap loading code assumed the user had no
  rights. [Yang Luo, Daniel Miller]

o [GH#350] Fix an assertion failure due to floating point error in equality
  comparison, which triggered mainly on OpenBSD:
    assertion "diff <= interval" failed: file "timing.cc", line 440
  This was reported earlier as [GH#472] but the assertion fixed there was a
  different one. [David Carlier]

o [Zenmap] Fix a crash in the About page in the Spanish translation due to a
  missing format specifier:
    File "zenmapGUI\About.pyo", line 217, in __init__
    TypeError: not all arguments converted during string formatting
  [Daniel Miller]

o [Zenmap][GH#556] Better visual indication that display of hostname is tied to
  address in the Topology page. You can show numeric addresses with hostnames
  or without, but you can't show hostnames without numeric addresses when they
  are not available. [Daniel Miller]

o To increase the number of IPv6 fingerprint submissions, a prompt for
  submission will be shown with some random chance for successful matches of OS
  classes that are based on only a few submissions. Previously, only
  unsuccessful matches produced such a prompt. [Daniel Miller]

Nmap 7.30 [2016-09-29]

o Integrated all 12 of your IPv6 OS fingerprint submissions from June to
  September. No new groups, but several classifications were strengthened,
  especially Windows localhost and OS X. [Daniel Miller]

o [NSE] Added 7 NSE scripts, from 3 authors, bringing the total up to 541!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are below
  (authors are listed in brackets):

  + [GH#369] coap-resources grabs the list of available resources from CoAP
    endpoints. [Mak Kolybabi]

  + fox-info retrieves detailed version and configuration info from Tridium
    Niagara Fox services. [Stephen Hilt]

  + ipmi-brute performs authentication brute-forcing on IPMI services.
    [Claudiu Perta]

  + ipmi-cipher-zero checks IPMI services for Cipher Zero support, which allows
    connection without a password. [Claudiu Perta]

  + ipmi-version retrieves protocol version and authentication options from
    ASF-RMCP (IPMI) services. [Claudiu Perta]

  + [GH#352] mqtt-subscribe connects to a MQTT broker, subscribes to topics,
    and lists the messages received. [Mak Kolybabi]

  + pcworx-info retrieves PLC model, firmware version, and date from Phoenix
    Contact PLCs. [Stephen Hilt]

o Upgraded Npcap, our new Windows packet capturing driver/library,
  from version to 0.09 to 0.10r2. This includes many bug fixes, with a
  particular on emphasis on concurrency issues discovered by running
  hundreds of Nmap instances at a time. More details are available
  from https://github.com/nmap/npcap/releases. [Yang Luo, Daniel
  Miller, Fyodor]

o New service probes and match lines for DTLS, IPMI-RMCP, MQTT, PCWorx,
  ProConOS, and Tridium Fox, [Stephen Hilt, Mak Kolybabi, Daniel Miller]

o Improved some output filtering to remove or escape carriage returns ('\r')
  that could allow output spoofing by overwriting portions of the screen. Issue
  reported by Adam Rutherford. [Daniel Miller]

o [NSE] Fixed a few bad Lua patterns that could result in denial of service due
  to excessive backtracking. [Adam Rutherford, Daniel Miller]

o Fixed a discrepancy between the number of targets selected with -iR and the
  number of hosts scanned, resulting in output like "Nmap done: 1033 IP
  addresses" when the user specified -iR 1000. [Daniel Miller]

o Fixed a bug in port specification parsing that could cause extraneous
  'T', 'U', 'S', and 'P' characters to be ignored when they should have
  caused an error. [David Fifield]

o [GH#543] Restored compatibility with LibreSSL, which was lost in adding
  library version checks for OpenSSL 1.1. [Wonko7]

o [Zenmap] Fixed a bug in the Compare Scans window of Zenmap on OS X resulting
  in this message instead of Ndiff output:
    ImportError: dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so, 2): no suitable image found.  Did find:
    /Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so: mach-o, but wrong architecture
  Reported by Kyle Gustafson. [Daniel Miller]

o [NSE] Fixed a bug in ssl-enum-ciphers and ssl-dh-params which caused them to
  not output TLSv1.2 info with DHE ciphersuites or others involving
  ServerKeyExchange messages. [Daniel Miller]

o [NSE] Added X509v3 extension parsing to NSE's sslcert code. ssl-cert now
  shows the Subject Alternative Name extension; all extensions are shown in the
  XML output. [Daniel Miller]

Nmap 7.25BETA2 [2016-09-01]

o [GH#376] Windows binaries are now code-signed with our "Insecure.Com LLC"
  SHA256 certificate. This should give our users extra peace-of-mind and avoid
  triggering Microsoft's ever-increasing security warnings.

o [NSE] Upgraded NSE to Lua 5.3, adding bitwise operators, integer data type, a
  utf8 library, and native binary packing and unpacking functions. Removed bit
  library, added bits.lua, replaced base32, base64, and bin libraries. [Patrick
  Donnelly]

o [NSE] Added 2 NSE scripts, bringing the total up to 534!  They are both listed
  at https://nmap.org/nsedoc/, and the summaries are below:

  + oracle-tns-version decodes the version number from Oracle Database Server's
    TNS listener. [Daniel Miller]

  + clock-skew analyzes and reports clock skew between Nmap and services that
    report timestamps, grouping hosts with similar skews. [Daniel Miller]

o Integrated all of your service/version detection fingerprints submitted from
  January to April (578 of them). The signature count went up 2.2% to 10760.
  We now detect 1122 protocols, from elasticsearch, fhem, and goldengate to
  ptcp, resin-watchdog, and siemens-logo. [Daniel Miller]

o Upgraded Npcap, our new Windows packet capturing driver/library,
  from version 0.07-r17 to 0.09. This includes many improvements you can
  read about at https://github.com/nmap/npcap/releases.

o [Nsock][GH#148] Added the new IOCP Nsock engine which uses the Windows
  Overlapped I/O API to improve performance of version scan and NSE against
  many targets on Windows. [Tudor Emil Coman]

o [GH#376] Windows binaries are now code-signed with our "Insecure.Com LLC"
  SHA256 certificate. This should give our users extra peace-of-mind and avoid
  triggering Microsoft's ever-increasing security warnings.

o Various performance improvements for large-scale high-rate scanning,
  including increased ping host groups, faster probe matching, and ensuring
  data types can handle an Internet's-worth of targets. [Tudor Emil Coman]

o [NSE] Added the oracle-tns-version NSE script which decodes the version
  number from Oracle Database Server's TNS
  listener. https://nmap.org/nsedoc/scripts/oracle-tns-version.html [Daniel
  Miller]

o [NSE] Added the clock-skew NSE script which analyzes and reports clock skew
  between Nmap and services that report timestamps, grouping hosts with
  similar skews. https://nmap.org/nsedoc/scripts/clock-skew.html [Daniel
  Miller]

o [Zenmap] Long-overdue Spanish language translation has been added! Muy bien!
  [Vincent Dumont, Marta Garcia De La Paz, Paulino Calderon, Patricio Castagnaro]

o [Zenmap][GH#449] Fix a crash when closing Zenmap due to a read-only
  zenmap.conf. User will be warned that config cannot be saved and that they
  should fix the file permissions. [Daniel Miller]

o [NSE] Fix a crash when parsing TLS certificates that OpenSSL doesn't support,
  like DH certificates or corrupted certs. When this happens, ssl-enum-ciphers
  will label the ciphersuite strength as "unknown." Reported by Bertrand
  Bonnefoy-Claudet. [Daniel Miller]

o [NSE][GH#531] Fix two issues in sslcert.lua that prevented correct operations
  against LDAP services when version detection or STARTTLS were used.
  [Tom Sellers]

o [GH#426] Remove a workaround for lack of selectable pcap file descriptors on
  Windows, which required including pcap-int.h and locking us to a single
  version of libpcap. The new method, using WaitForSingleObject should work
  with all versions of both WinPcap and Npcap. [Daniel Miller]

o [NSE][GH#234] Added a --script-timeout option for limiting run time for
  every individual NSE script. [Abhishek Singh]

o [Ncat][GH#444] Added a -z option to Ncat. Just like the -z option in
  traditional netcat, it can be used to quickly check the status of a
  port. Port ranges are not supported since we recommend a certain other tool
  for port scanning. [Abhishek Singh]

o Fix checking of Npcap/WinPcap presence on Windows so that "nmap -A" and
  "nmap" with no options result in the same behaviors as on Linux (and no
  crashes) [Daniel Miller]

o [NSE] ssl-enum-ciphers will now warn about 64-bit block ciphers in CBC mode,
  which are vulnerable to the SWEET32 attack.

o [NSE][GH#117] tftp-enum now only brute-forces IP-address-based Cisco filenames when
  the wordlist contains "{cisco}". Previously, custom wordlists would still end
  up sending these extra 256 requests. [Sriram Raghunathan]

o [GH#472] Avoid an unnecessary assert failure in timing.cc when printing estimated
  completion time. Instead, we'll output a diagnostic error message:
    Timing error: localtime(n) is NULL
  where "n" is some number that is causing problems. [Jean-Guilhem Nousse]

o [NSE][GH#519] Removed the obsolete script ip-geolocation-geobytes. [Paulino Calderon]

o [NSE] Added 9 new fingerprints for script http-default-accounts.
  (Motorola AP, Lantronix print server, Dell iDRAC6, HP StorageWorks, Zabbix,
  Schneider controller, Xerox printer, Citrix NetScaler, ESXi hypervisor)
  [nnposter]

o [NSE] Completed a refresh and validation of almost all fingerprints for
  script http-default-accounts. Also improved the script speed. [nnposter]

o [GH#98] Added support for decoys in IPv6. Earlier we supported decoys only in
  IPv4. [Abhishek Singh]

o Various performance improvements for large-scale high-rate scanning,
  including increased ping host groups, faster probe matching, and ensuring
  data types can handle an Internet's-worth of targets. [Tudor Emil Coman]

o [GH#484] Allow Nmap to compile on some older Red Hat distros that disable EC
  crypto support in OpenSSL. [Jeroen Roovers, Vincent Dumont]

o [GH#439] Nmap now supports OpenSSL 1.1.0-pre5 and previous versions. [Vincent Dumont]

o [Ncat] Fix a crash ("add_fdinfo() failed.") when --exec was used with --ssl
  and --max-conns, due to improper accounting of file descriptors. [Daniel
  Miller]

o FTP Bounce scan: improved some edge cases like anonymous login without
  password, 500 errors used to indicate port closed, and timeouts for LIST
  command. Also fixed a 1-byte array overrun (read) when checking for
  privileged ports. [Daniel Miller]

o [GH#140] Allow target DNS names up to 254 bytes. We previously imposed an
  incorrect limit of 64 bytes in several parts of Nmap. [Vincent Dumont]

o [NSE] The hard limit on number of concurrently running scripts can now
  increase above 1000 to match a high user-set --min-parallelism value. [Tudor
  Emil Coman]

o [NSE] Solved a memory corruption issue that would happen if a socket connect
  operation produced an error immediately, such as Network Unreachable. The
  event handler was throwing a Lua error, preventing Nsock from cleaning up
  properly, leaking events. [Abhishek Singh, Daniel Miller]

o [NSE] Added the datetime library for performing date and time calculations,
  and as a helper to the clock-skew script.

o [GH#103][GH#364] Made Nmap's parallel reverse DNS resolver more robust, fully
  handling truncated replies. If a response is too long, we now fall back to
  using the system resolver to answer it. [Abhishek Singh]

o [Zenmap][GH#279] Added a legend for the Topography window. [Suraj Hande]

Nmap 7.25BETA1 [2016-07-15]

o Nmap now ships with and uses Npcap, our new packet sniffing library
  for Windows. It's based on WinPcap (unmaintained for years), but
  uses modern Windows APIs for better performance. It also includes
  security improvements and many bug fixes. See http://npcap.org. And
  it enables Nmap to perform SYN scans and OS detection against
  localhost, which we haven't been able to do on Windows since
  Microsoft removed the raw sockets API in 2003. [Yang Luo, Daniel
  Miller, Fyodor]

o [NSE] Added 6 NSE scripts, from 5 authors, bringing the total up to 533!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are below
  (authors are listed in brackets):

  + clamav-exec detects ClamAV servers vulnerable to unauthorized clamav
    command execution. [Paulino Calderon]

  + http-aspnet-debug detects ASP.NET applications with debugging enabled.
    [Josh Amishav-Zlatin]

  + http-internal-ip-disclosure determines if the web server leaks its internal
    IP address when sending an HTTP/1.0 request without a Host header. [Josh
    Amishav-Zlatin]

  + [GH#304] http-mcmp detects mod_cluster Management Protocol (MCMP) and dumps
    its configuration. [Frank Spierings]

  + [GH#365] sslv2-drown detects vulnerability to the DROWN attack, including
    CVE-2016-0703 and CVE-2016-0704 that enable fast attacks on OpenSSL.
    [Bertrand Bonnefoy-Claudet]

  + vnc-title logs in to VNC servers and grabs the desktop title, geometry, and
    color depth. [Daniel Miller]

o Integrated all of your IPv4 OS fingerprint submissions from January
  to April (539 of them). Added 98 fingerprints, bringing the new total
  to 5187. Additions include Linux 4.4, Android 6.0, Windows Server
  2016, and more. [Daniel Miller]

o Integrated all 31 of your IPv6 OS fingerprint submissions from January to
  June. The classifier added 2 groups and expanded several others. Several
  Apple OS X groups were consolidated, reducing the total number of groups to
  93. [Daniel Miller]

o Update oldest supported Windows version to Vista (Windows 6.0). This enables
  the use of the poll Nsock engine, which has significant performance and
  accuracy advantages. Windows XP users can still use Nmap 7.12, available from
  https://nmap.org/dist/?C=M&O=D [Daniel Miller]

o [NSE] Fix a crash that happened when trying to print the percent done of 0
  NSE script threads:
    timing.cc:710 bool ScanProgressMeter::printStats(double, const timeval*): Assertion 'ltime' failed.
  This would happen if no scripts were scheduled in a scan phase and the user
  pressed a key or specified a short --stats-every interval. Reported by
  Richard Petrie. [Daniel Miller]

o [GH#283][Nsock] Avoid "unknown protocol:0" debug messages and an "Unknown
  address family 0" crash on Windows and other platforms that do not set the
  src_addr argument to recvfrom for TCP sockets. [Daniel Miller]

o Retrieve the correct network prefix length for an adapter on Windows. If more
  than one address was configured on an adapter, the same prefix length would
  be used for both. This incorrect behavior is still used on Windows XP and
  earlier. Reported by Niels Bohr. [Daniel Miller]

o Changed libdnet-stripped to avoid bailing completely when an interface is
  encountered with an unsupported hardware address type. Caused "INTERFACES:
  NONE FOUND!" bugs in Nmap whenever Linux kernel added new hardware address
  types. [Daniel Miller]

o Improved service detection of Docker and fixed a bug in the output of
  docker-version script. [Tom Sellers]

o Fix detection of Microsoft Terminal Services (RDP). Our improved TLS service
  probes were matching on port 3389 before our specific Terminal Services
  probe, causing the port to be labeled as "ssl/unknown". Reported by Josh
  Amishav-Zlatin.

o [NSE] Update to enable smb-os-discovery to augment version detection
  for certain SMB related services using data that the script discovers.
  [Tom Sellers]

o Improved version detection and descriptions for Microsoft and Samba
  SMB services. Also addresses certain issues with OS identification.
  [Tom Sellers]

o [NSE] ssl-enum-ciphers will give a failing score to any server with an RSA
  certificate whose public key uses an exponent of 1. It will also cap the
  score of an RC4-ciphersuite handshake at C and output a warning referencing
  RFC 7465. [Daniel Miller]

o [NSE] Refactored some SSLv2 functionality into a new library, sslv2.lua .
  [Daniel Miller]

o [GH#399] Zenmap's authorization wrapper now uses an AppleScript method for
  privilege escalation on OS X, avoiding the deprecated
  AuthorizationExecuteWithPrivileges method previously used. [Vincent Dumont]

o [GH#454] The OS X binary package is distributed in a .dmg disk image that now
  features an instructive background image. [Vincent Dumont]

o [GH#420] Our OS X build system now uses gtk-mac-bundler and jhbuild to
  provide all dependencies. We no longer use Macports for this purpose.
  [Vincent Dumont]

o [GH#345][Zenmap] On Windows, save Zenmap's stderr output to a writeable
  location (%LOCALAPPDATA%\zenmap.exe.log or %TEMP%\zenmap.exe.log) instead of
  next to the zenmap.exe executable. This avoids a warning message when closing
  Zenmap if it produced any stderr output. [Daniel Miller]

o [GH#379][NSE] Fix http-iis-short-name-brute to report non vulnerable hosts.
  Reported by alias1. [Paulino Calderon]

o [NSE][GH#371] Fix mysql-audit by adding needed library requires to the
  mysql-cis.audit file. The script would fail with "Failed to load rulebase"
  message. [Paolo Perego]

o [NSE][GH#362] Added support for LDAP over udp to ldap-rootdse.nse.
  Also added version detection and information extraction to match the
  new LDAP LDAPSearchReq and LDAPSearchReqUDP probes. [Tom Sellers]

o [GH#354] Added new version detection Probes for LDAP services, LDAPSearchReq
  and LDAPSearchReqUDP. The second is Microsoft Active Directory specific. The
  Probes will elicit responses from target services that allow better finger
  -printing and information extraction. Also added nmap-payload entry for
  detecting LDAP on udp. [Tom Sellers]

o [NSE] More VNC updates: Support for VeNCrypt and Tight auth types, output of
  authentication sub-types in vnc-info, and all zero-authentication types are
  recognized and reported. [Daniel Miller]

Nmap 7.12 [2016-03-29]

o [Zenmap] Avoid file corruption in zenmap.conf, reported as files containing
  many null ("\x00") characters. Example exceptions:
    TypeError: int() argument must be a string or a number, not 'list'
    ValueError: unable to parse colour specification

o [NSE] VNC updates including vnc-brute support for TLS security type and
  negotiating a lower RFB version if the server sends an unknown higher
  version.  [Daniel Miller]

o [NSE] Added STARTTLS support for VNC, NNTP, and LMTP [Daniel Miller]

o Added new service probes and match lines for OpenVPN on UDP and TCP.

Nmap 7.11 [2016-03-22]

o [NSE][GH#341] Added support for diffie-hellman-group-exchange-* SSH key
  exchange methods to ssh2.lua, allowing ssh-hostkey to run on servers that
  only support custom Diffie-Hellman groups. [Sergey Khegay]

o [NSE] Added support in sslcert.lua for Microsoft SQL Server's TDS protocol,
  so you can now grab certs with ssl-cert or check ciphers with
  ssl-enum-ciphers.  [Daniel Miller]

o [Zenmap] Fix a crash when setting default window geometry:
    TypeError: argument of type 'int' is not iterable

o [Zenmap] Fix a crash when displaying the date from an Nmap XML file due to an
  empty or unknown locale:
    File "zenmapCore/NmapParser.py", line 627, in get_formatted_date
      locale.getpreferredencoding())
    LookupError: unknown encoding:

o [Zenmap] Fix a crash due to incorrect file paths when installing to
  /usr/local prefix. Example:
    Exception: File '/home/blah/.zenmap/scan_profile.usp' does not exist or could not be found!

Nmap 7.10 [2016-03-17]

o [NSE] Added 12 NSE scripts from 7 authors, bringing the total up to 527!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are below
  (authors are listed in brackets):

  + [GH#322] http-apache-server-status parses the server status page of
    Apache's mod_status. [Eric Gershman]

  + http-vuln-cve2013-6786 detects a XSS and URL redirection vulnerability in
    Allegro RomPager web server. Also added a fingerprint for detecting
    CVE-2014-4019 to http-fingerprints.lua. [Vlatko Kosturjak]

  + [GH#226] http-vuln-cve2014-3704 detects and exploits the "Drupalgeddon"
    pre-auth SQL Injection vulnerability in Drupal. [Mariusz Ziulek]

  + imap-ntlm-info extracts hostname and sometimes OS version from
    NTLM-auth-enabled IMAP services. [Justin Cacak]

  + ipv6-multicast-mld-list discovers IPv6 multicast listeners with MLD probes.
    The discovery is the same as targets-ipv6-multicast-mld, but the subscribed
    addresses are decoded and listed.  [Alexandru Geana, Daniel Miller]

  + ms-sql-ntlm-info extracts OS version and sometimes hostname from MS SQL
    Server instances via the NTLM challenge message. [Justin Cacak]

  + nntp-ntlm-info extracts hostname and sometimes OS version from
    NTLM-auth-enabled NNTP services. [Justin Cacak]

  + pop3-ntlm-info extracts hostname and sometimes OS version from
    NTLM-auth-enabled POP3 services. [Justin Cacak]

  + rusers retrieves information about logged-on users from the rusersd RPC
    service. [Daniel Miller]

  + [GH#333] shodan-api queries the Shodan API (https://www.shodan.io) and
    retrieves open port and service info from their Internet-wide scan data.
    [Glenn Wilkinson]

  + smtp-ntlm-info extracts hostname and sometimes OS version from
    NTLM-auth-enabled SMTP and submission services. [Justin Cacak]

  + telnet-ntlm-info extracts hostname and sometimes OS version from
    NTLM-auth-enabled Telnet services. [Justin Cacak]

o Updated the OpenSSL shipped with our binary builds (Windows, OS X, and Linux
  RPM) to 1.0.2g with SSLv2 enabled.

o Integrated all of your IPv4 OS fingerprint submissions from October to
  January (536 of them). Added 104 fingerprints, bringing the new total to
  5089. Additions include Linux 4.2, more Windows 10, IBM i 7, and more.
  Highlights: http://seclists.org/nmap-dev/2016/q1/270 [Daniel Miller]

o Integrated all of your service/version detection fingerprints submitted from
  October to January (508 of them). The signature count went up 2.2% to 10532.
  We now detect 1108 protocols, from icy, finger, and rtsp to ipfs,
  basestation, and minecraft-pe. Highlights:
  http://seclists.org/nmap-dev/2016/q1/271 [Daniel Miller]

o Integrated all 12 of your IPv6 OS fingerprint submissions from October to
  January. The classifier added 3 new groups, including new and expanded groups
  for OS X, bringing the new total to 96. Highlights:
  http://seclists.org/nmap-dev/2016/q1/273 [Daniel Miller]

o [NSE] Upgrade to http-form-brute allowing correct handling of token-based
  CSRF protections and cookies. Also, a simple database of common login forms
  supports Django, Wordpress, MediaWiki, Joomla, and others. [Daniel Miller]

o [Zenmap] [GH#247] Remember window geometry (position and size) from the
  previous time Zenmap was run. [isjing]

o New service probe for CORBA GIOP (General Inter-ORB Protocol) detection
  should elicit a not-found exception from GIOP services that do not respond to
  non-GIOP probes. [Quentin Hardy]

o [GH#284] Fix retrieval of route netmasks on FreeBSD. IPv6 routes were given
  /32 netmasks regardless of actual netmask configured, resulting in failed
  routing. Reported by Martin Gysi. [Daniel Miller]

o [GH#272][GH#269] Give option parsing errors after the usage statement, or
  avoid printing the usage statement in some cases. The options summary has
  grown quite large, requiring users to scroll to the top to see the error
  message. [Abhishek Singh]

o [GH#249][Nsock] Avoid a crash on Windows reported by users using Zenmap's
  Slow Comprehensive Scan profile.  In the case of unknown OpenSSL errors,
  ERR_reason_error_string would return NULL, which could not be printed with
  the "%s" format string. Reported by Dan Baxter. [Gisle Vanem, Daniel Miller]

o [GH#293][Zenmap] Fix a regression in our build that caused copy-and-paste to
  not work in Zenmap on Windows.

o Changed Nmap's idea of reserved and private IP addresses to include
  169.254/16 (RFC3927) and remove 6/8, 7/8, and 55/8 networks. This list, in
  libnetutil's isipprivate function, is used to filter -iR randomly generated
  targets. The newly-valid address ranges belong to the U.S. Department of
  Defense, so users wanting to avoid those ranges should use their own
  exclusion lists with --exclude or --exclude-file.  [Bill Parker, Daniel
  Miller]

o Allow the -4 option for Nmap to indicate IPv4 address family. This is the
  default, and using the option doesn't change anything, but does make it more
  explicit which address family you want to scan. Using -4 with -6 is an error.
  [Daniel Miller]

o [GH#265] When provided a verbosity of 0 (-v0), Nmap will not output any text to the
  screen. This happens at the time of argument parsing, so the usual meaning of
  "verbosity 0" is preserved. [isjing]

o [NSE][GH#314] Fix naming of SSL2_RC2_128_CBC_WITH_MD5 and
  SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 ciphers in sslv2 in order to match the
  draft specification from Mozilla. [Bertrand Bonnefoy-Claudet]

o [NSE][GH#320] Add STARTTLS support to sslv2 to enable SSLv2 detection
  against services that are not TLS encrypted by default but that support
  post connection upgrade. This will enable more comprehensive detection
  of SSLv2 and DROWN (CVE-2016-0800) attack oracles. [Tom Sellers]

o [NSE][GH#301] Added default credential checks for RICOH Web Image Monitor and
  BeEF to http-default-accounts. [nnposter]

o Properly display Next-hop MTU value from ICMP Type 3 Code 4 Fragmentation
  Required messages when tracing packets or in Nping output. Improper offset
