Changelog
- [NSE] Added 12 NSE scripts from 7 authors, bringing the total up to 527! The summaries are below (authors are listed in brackets):
  * http-apache-server-status parses the server status page of Apache's mod_status.
  * http-vuln-cve2013-6786 detects an XSS and URL redirection vulnerability in the Allegro RomPager web server. Also added a fingerprint for detecting CVE-2014-4019 to http-fingerprints.lua.
  * http-vuln-cve2014-3704 detects and exploits the "Drupalgeddon" pre-auth SQL injection vulnerability in Drupal.
  * imap-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled IMAP services.
  * ipv6-multicast-mld-list discovers IPv6 multicast listeners with MLD probes. The discovery is the same as targets-ipv6-multicast-mld, but the subscribed addresses are decoded and listed.
  * ms-sql-ntlm-info extracts OS version and sometimes hostname from MS SQL Server instances via the NTLM challenge message.
  * nntp-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled NNTP services.
  * pop3-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled POP3 services.
  * rusers retrieves information about logged-on users from the rusersd RPC service.
  * shodan-api queries the Shodan API and retrieves open port and service info from their Internet-wide scan data.
  * smtp-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled SMTP and submission services.
  * telnet-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled Telnet services.
- Updated the OpenSSL shipped with our binary builds (Windows, OS X, and Linux RPM) to 1.0.2g with SSLv2 enabled.
- Integrated all of your IPv4 OS fingerprint submissions from October to January (536 of them). Added 104 fingerprints, bringing the new total to 5089. Additions include Linux 4.2, more Windows 10, IBM i 7, and more.
- Integrated all of your service/version detection fingerprints submitted from October to January (508 of them). The signature count went up 2.2% to 10532. We now detect 1108 protocols, from icy, finger, and rtsp to ipfs, basestation, and minecraft-pe.
- Integrated all 12 of your IPv6 OS fingerprint submissions from October to January. The classifier added 3 new groups, including new and expanded groups for OS X, bringing the new total to 96.

Highlights:

- Upgrade to http-form-brute allowing correct handling of token-based CSRF protections and cookies. Also, a simple database of common login forms supports Django, WordPress, MediaWiki, Joomla, and others.
- Remember window geometry (position and size) from the previous time Zenmap was run.
- New service probe for CORBA GIOP (General Inter-ORB Protocol) detection should elicit a not-found exception from GIOP services that do not respond to non-GIOP probes.
- Fix retrieval of route netmasks on FreeBSD. IPv6 routes were given /32 netmasks regardless of the actual netmask configured, resulting in failed routing. Reported by Martin Gysi.
- Give option parsing errors after the usage statement, or avoid printing the usage statement in some cases. The options summary has grown quite large, requiring users to scroll to the top to see the error message.
- Avoid a crash on Windows reported by users using Zenmap's Slow Comprehensive Scan profile. In the case of unknown OpenSSL errors, ERR_reason_error_string would return NULL, which could not be printed with the "%s" format string. Reported by Dan Baxter.
- Fix a regression in our build that caused copy-and-paste to not work in Zenmap on Windows.
- Changed Nmap's idea of reserved and private IP addresses to include 169.254/16 (RFC 3927 link-local) and to remove the 6/8, 7/8, and 55/8 networks. This list, in libnetutil's isipprivate function, is used to filter -iR randomly generated targets. The newly-valid address ranges belong to the U.S. Department of Defense, so users wanting to avoid those ranges should use their own exclusion lists with --exclude or --exclude-file.
- Allow the -4 option for Nmap to indicate the IPv4 address family. This is the default, and using the option doesn't change anything, but it does make it more explicit which address family you want to scan. Using -4 together with -6 is an error.
- When provided a verbosity of 0 (-v0), Nmap will not output any text to the screen. This happens at the time of argument parsing, so the usual meaning of "verbosity 0" is preserved.
- Fix naming of the SSL2_RC2_128_CBC_WITH_MD5 and SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 ciphers in sslv2 in order to match the draft specification from Mozilla.
- Add STARTTLS support to sslv2 to enable SSLv2 detection against services that are not TLS encrypted by default but support a post-connection upgrade. This will enable more comprehensive detection of SSLv2 and DROWN (CVE-2016-0800) attack oracles.
- Added default credential checks for RICOH Web Image Monitor and BeEF to http-default-accounts.
- Properly display the Next-hop MTU value from ICMP Type 3 Code 4 (Fragmentation Required) messages when tracing packets or in Nping output. An improper offset meant we were printing the total IP length instead.
- Added support for the DHCP options "TFTP server name" and "Bootfile name" to dhcp.lua and enabled checking for options with a code above 61 by default.
- whois-ip: Don't request a remote IANA assignments data file when the local filesystem will not permit the file to be cached locally.
- Updated the http-php-version hash database to cover all versions from PHP 4.1.0 to PHP 5.4.45. Based on scans of a few thousand PHP web servers pulled from the Shodan API.
- Use the same ScanProgressMeter for FTP bounce scan (-b) as for the other scan types, allowing periodic status updates with --stats-every or keypress events.
- Use a shorter pcap_select timeout on OpenBSD, just as we do for OS X, old FreeBSD, and Solaris, which use BPF for packet capture and do not have properly select-able fds. Fix by the OpenBSD port maintainer.
- Print service info in grepable output for ports which are not listed in nmap-services when a service tunnel (SSL) is detected. Previously, the service info ("ssl|unknown") was not printed unless the service inside the tunnel was positively identified.
- Fix multiple false-positive sources in http-backup-finder.
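The *-ntlm-info scripts listed above (imap, ms-sql, nntp, pop3, smtp, telnet) all rely on the same trick: send an NTLM NEGOTIATE_MESSAGE, receive the server's CHALLENGE_MESSAGE, and decode the Version field and the TargetInfo AV_PAIR list, which the server hands out before any credential is presented. The following Python is an added example of that decoding step, not Nmap's NSE code; the constructed sample message, the `build_challenge`/`parse_challenge` names and the major.minor-to-Windows-name table are assumptions made for illustration.

```python
"""Added example (not Nmap's NSE code): decode an NTLM CHALLENGE_MESSAGE
(Type 2) to recover host, domain and OS version, the way the *-ntlm-info
scripts do. Field offsets follow MS-NLMP section 2.2.1.2."""
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
FIXED_HEADER_LEN = 56            # header including the 8-byte Version field

# AvId values (MS-NLMP 2.2.2.1) that carry UTF-16LE strings
AV_NAMES = {1: "netbios_computer", 2: "netbios_domain",
            3: "dns_computer", 4: "dns_domain", 5: "dns_tree"}
# Product major.minor -> marketing name (assumed lookup table for illustration)
WINDOWS_VERSIONS = {(5, 1): "Windows XP", (5, 2): "Windows Server 2003",
                    (6, 0): "Windows Vista / Server 2008",
                    (6, 1): "Windows 7 / Server 2008 R2",
                    (6, 2): "Windows 8 / Server 2012",
                    (6, 3): "Windows 8.1 / Server 2012 R2",
                    (10, 0): "Windows 10 / Server 2016 or later"}


def build_challenge(target, av_pairs, version=(6, 1, 7601), with_version=True):
    """Constructed CHALLENGE_MESSAGE for offline testing; not a real capture."""
    flags = NTLMSSP_NEGOTIATE_UNICODE | (NTLMSSP_NEGOTIATE_VERSION if with_version else 0)
    target_b = target.encode("utf-16-le")
    info = b"".join(struct.pack("<HH", av_id, len(v.encode("utf-16-le"))) + v.encode("utf-16-le")
                    for av_id, v in av_pairs) + struct.pack("<HH", 0, 0)   # MsvAvEOL
    major, minor, build = version
    hdr = b"NTLMSSP\0" + struct.pack("<I", 2)                                # Signature, MessageType
    hdr += struct.pack("<HHI", len(target_b), len(target_b), FIXED_HEADER_LEN)  # TargetNameFields
    hdr += struct.pack("<I", flags) + b"\x11" * 8 + b"\0" * 8                # Flags, ServerChallenge, Reserved
    hdr += struct.pack("<HHI", len(info), len(info), FIXED_HEADER_LEN + len(target_b))  # TargetInfoFields
    hdr += struct.pack("<BBH", major, minor, build) + b"\0\0\0" + b"\x0f"    # Version
    return hdr + target_b + info


def _field(data, off):
    """Read a Len/MaxLen/Offset triple at off and return the bytes it points at."""
    length, _max, start = struct.unpack_from("<HHI", data, off)
    if start + length > len(data):
        raise ValueError("field at offset %d points past end of message" % off)
    return data[start:start + length]


def parse_challenge(data):
    """Return target name, challenge, OS version and every string AV_PAIR."""
    if len(data) < 48 or data[:8] != b"NTLMSSP\0" or struct.unpack_from("<I", data, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    flags = struct.unpack_from("<I", data, 20)[0]
    result = {"target_name": _field(data, 12).decode("utf-16-le", "replace"),
              "server_challenge": data[24:32].hex(),
              "os_version": None, "os_name": None}
    # The Version field is only meaningful when the server negotiated it
    if flags & NTLMSSP_NEGOTIATE_VERSION and len(data) >= FIXED_HEADER_LEN:
        major, minor, build = struct.unpack_from("<BBH", data, 48)
        result["os_version"] = "%d.%d build %d" % (major, minor, build)
        result["os_name"] = WINDOWS_VERSIONS.get((major, minor), "unknown Windows")
    info = _field(data, 40)
    off = 0
    while off + 4 <= len(info):
        av_id, av_len = struct.unpack_from("<HH", info, off)
        off += 4
        if av_id == 0:               # MsvAvEOL terminates the list
            break
        value = info[off:off + av_len]
        if len(value) != av_len:
            raise ValueError("AV_PAIR %d runs past end of TargetInfo" % av_id)
        off += av_len
        if av_id in AV_NAMES:
            result[AV_NAMES[av_id]] = value.decode("utf-16-le", "replace")
    return result


def sample_challenge():
    """Constructed sample: a domain-joined Windows 7 host answering a negotiate."""
    return build_challenge("CORP", [(1, "SRV01"), (2, "CORP"),
                                    (3, "srv01.corp.example"), (4, "corp.example")])


if __name__ == "__main__":
    for key, value in parse_challenge(sample_challenge()).items():
        print("%-18s %s" % (key, value))
```

Every length/offset pair is bounds-checked before use, since the challenge comes from the remote side; a server that omits NTLMSSP_NEGOTIATE_VERSION yields names but no OS version, which is why the scripts say "sometimes OS version".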
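For the ICMP Next-hop MTU item above, here is an added Python example (not Nmap's or Nping's code) that builds a constructed Type 3 Code 4 message, verifies its checksum, reads the Next-hop MTU at bytes 6-7 of the ICMP header, and shows that a read at the wrong offset lands on the quoted IP header's Total Length, the symptom the changelog describes. Function names and sample addresses are assumptions; the wrong-offset helper is a reconstruction of the symptom, not Nmap's former code.

```python
"""Added example (not Nmap's code): parse an ICMP Fragmentation Needed
message (Type 3, Code 4). Layout: 8-byte ICMP header with the Next-Hop MTU
in bytes 6-7, then the IP header of the dropped datagram and its first
8 payload bytes (RFC 1191)."""
import socket
import struct

ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum (pads odd lengths with a zero byte)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu, orig_total_len, src="10.0.0.1", dst="10.0.0.2"):
    """Constructed message (not a capture): quotes a DF-set TCP datagram."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, orig_total_len, 0x1234, 0x4000,
                        64, socket.IPPROTO_TCP, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    inner = inner[:10] + struct.pack("!H", inet_checksum(inner)) + inner[12:]
    quoted_payload = struct.pack("!HHI", 40000, 443, 1)      # TCP sport, dport, seq
    body = struct.pack("!HH", 0, next_hop_mtu) + inner + quoted_payload
    unchecked = struct.pack("!BBH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0) + body
    return struct.pack("!BBH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
                       inet_checksum(unchecked)) + body


def parse_frag_needed(icmp):
    """Return PMTU information from a Fragmentation Needed message."""
    if len(icmp) < 28:
        raise ValueError("too short for ICMP header plus quoted IP header")
    if (icmp[0], icmp[1]) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        raise ValueError("not ICMP Type 3 Code 4")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    next_hop_mtu = struct.unpack_from("!H", icmp, 6)[0]     # bytes 6-7 of ICMP header
    inner = icmp[8:28]                                      # quoted IP header
    total_len = struct.unpack_from("!H", inner, 2)[0]       # bytes 2-3 of IP header
    return {"next_hop_mtu": next_hop_mtu,
            "quoted_total_len": total_len,
            "quoted_proto": inner[9],
            "quoted_src": socket.inet_ntoa(inner[12:16]),
            "quoted_dst": socket.inet_ntoa(inner[16:20])}


def mtu_at_wrong_offset(icmp):
    """Reconstruction of the symptom in the changelog (not Nmap's old code):
    skipping the whole 8-byte ICMP header and then reading at +2 returns the
    quoted IP header's Total Length rather than the Next-Hop MTU."""
    return struct.unpack_from("!H", icmp, 8 + 2)[0]


if __name__ == "__main__":
    msg = build_frag_needed(1400, 1500)
    print("correct offset:", parse_frag_needed(msg)["next_hop_mtu"])
    print("wrong offset:  ", mtu_at_wrong_offset(msg))
```

A practitioner reading a packet trace can apply the same check by hand: the MTU is the second 16-bit word of the ICMP header's last four bytes, and it should be smaller than the Total Length of the quoted header, never equal to it.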
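For the dhcp.lua item above, an added Python example (not the library's own code) parsing the options section of a constructed DHCPOFFER, including option 66 (TFTP server name) and 67 (Bootfile name), with a `max_code` parameter that reproduces the effect of ignoring option codes above 61. The packet contents, the `build_dhcp_offer`/`parse_dhcp_options` names and the option-name table are assumptions. Options 66/67 matter to a scanner because they reveal the TFTP server and boot image of a PXE environment.

```python
"""Added example (not Nmap's dhcp.lua): decode DHCP options (RFC 2132 TLVs
after the magic cookie), including 66 and 67, with bounds checking."""
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
FIXED_HEADER_LEN = 236
OPTION_NAMES = {1: "subnet_mask", 3: "routers", 6: "dns_servers", 51: "lease_time",
                53: "message_type", 54: "server_identifier",
                66: "tftp_server_name", 67: "bootfile_name"}
IP_LIST_OPTIONS = {1, 3, 6, 54}


def _decode(code, value):
    """Decode the options this example knows; everything else is returned as hex."""
    if code in IP_LIST_OPTIONS:
        if len(value) % 4:
            raise ValueError("option %d: address list length not a multiple of 4" % code)
        return [socket.inet_ntoa(value[i:i + 4]) for i in range(0, len(value), 4)]
    if code == 51 and len(value) == 4:
        return struct.unpack("!I", value)[0]
    if code == 53 and len(value) == 1:
        return value[0]
    if code in (66, 67):                 # NUL-padded text per RFC 2132
        return value.rstrip(b"\0").decode("ascii", "replace")
    return value.hex()


def parse_dhcp_options(packet, max_code=255):
    """Return {name: value} for options whose code is <= max_code.
    max_code=61 mimics a parser that stops looking at option 61."""
    cookie = packet[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4]
    if len(packet) < FIXED_HEADER_LEN + 4 or cookie != DHCP_MAGIC:
        raise ValueError("no DHCP magic cookie")
    result, i = {}, FIXED_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == 0:                    # pad: single byte, no length
            i += 1
            continue
        if code == 255:                  # end of options
            break
        if i + 2 > len(packet):
            raise ValueError("truncated option header at offset %d" % i)
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of packet" % code)
        i += 2 + length
        if code <= max_code:
            result[OPTION_NAMES.get(code, "option_%d" % code)] = _decode(code, value)
    return result


def build_dhcp_offer(options, yiaddr="10.0.0.42", siaddr="10.0.0.5"):
    """Constructed DHCPOFFER (not a capture): fixed header, cookie, options, end."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x3903F326, 0, 0,
                        b"\0" * 4, socket.inet_aton(yiaddr), socket.inet_aton(siaddr),
                        b"\0" * 4, bytes.fromhex("001122334455"), b"", b"")
    opts = b"".join(struct.pack("!BB", code, len(value)) + value for code, value in options)
    return fixed + DHCP_MAGIC + opts + b"\xff"


def sample_offer():
    """Constructed PXE-style offer: lease parameters plus TFTP server and boot file."""
    return build_dhcp_offer([
        (53, b"\x02"),                                         # DHCPOFFER
        (54, socket.inet_aton("10.0.0.1")),
        (1, socket.inet_aton("255.255.255.0")),
        (3, socket.inet_aton("10.0.0.1")),
        (6, socket.inet_aton("10.0.0.1") + socket.inet_aton("10.0.0.2")),
        (51, struct.pack("!I", 86400)),
        (66, b"10.0.0.5"),
        (67, b"pxelinux.0"),
    ])


if __name__ == "__main__":
    for name, value in parse_dhcp_options(sample_offer()).items():
        print("%-18s %s" % (name, value))
```

The pad (0) and end (255) codes have no length byte, so they must be handled before the generic TLV read; a parser that forgets this misreads the byte after a pad as a length and walks off the packet.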