Nmap 7.70
Update details:
[Windows] Updated the bundled Npcap from 0.93 to 0.99-r2, with many stability fixes and installation improvements, as well as fixes to raw 802.11 frame capture.
Integrated all of your service/version detection fingerprints submitted from March 2017 to August 2017 (728 of them). The signature count went up 1.02% to 11,672, including 26 new softmatches. We now detect 1224 protocols from filenet-pch, lscp, and netassistant to sharp-remote, urbackup, and watchguard. We will try to integrate the remaining submissions in the next release.
Integrated all of your IPv4 OS fingerprint submissions from September 2016 to August 2017 (667 of them). Added 298 fingerprints, bringing the new total to 5,652. Additions include iOS 11, macOS Sierra, Linux 4.14, Android 7, and more.
Integrated all 33 of your IPv6 OS fingerprint submissions from September 2016 to August 2017. New groups for OpenBSD 6.0 and FreeBSD 11.0 were added, as well as strengthened groups for Linux and OS X.
Added the --resolve-all option to resolve and scan all IP addresses of a host. This essentially replaces the resolveall NSE script.
[NSE][SECURITY] Nmap developer nnposter found a security flaw (directory traversal vulnerability) in the way the non-default http-fetch script sanitized URLs. If a user manually ran this NSE script against a malicious web server, the server could potentially (depending on NSE arguments used) cause files to be saved outside the intended destination directory. Existing files couldn't be overwritten. We fixed http-fetch, audited our other scripts to ensure they didn't make this mistake, and we updated the httpspider library API to protect against this by default.
[NSE] Added 9 NSE scripts, from 8 authors, bringing the total up to 588! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
deluge-rpc-brute performs brute-force credential testing against Deluge BitTorrent RPC services, using the new zlib library.
hostmap-crtsh lists subdomains by querying Google's Certificate Transparency logs.
http-bigip-cookie decodes unencrypted F5 BIG-IP cookies and reports back the IP address and port of the actual server behind the load-balancer.
http-jsonp-detection attempts to discover JSONP endpoints in web servers. JSONP endpoints can be used to bypass Same-origin Policy restrictions in web browsers.
http-trane-info obtains information from Trane Tracer SC controllers and connected HVAC devices.
nbd-info uses the new nbd.lua library to query Network Block Devices for protocol and file export information.
rsa-vuln-roca checks for RSA keys generated by Infineon TPMs vulnerable to Return Of Coppersmith Attack (ROCA). Checks SSH and TLS services.
smb-enum-services retrieves the list of services running on a remote Windows machine. Modern Windows systems require a privileged domain account in order to list the services.
tls-alpn checks TLS servers for Application Layer Protocol Negotiation (ALPN) support and reports supported protocols. ALPN largely replaces NPN, which tls-nextprotoneg was written for.
Fixed Nsock on Windows giving errors when selecting on STDIN. This was causing Ncat 7.60 in connect mode to quit with error: libnsock select_loop(): nsock_loop error 10038: An operation was attempted on something that is not a socket.
[Ncat] Fix --ssl connections from dropping on renegotiation, the same issue that was partially fixed for server mode in [GH#773].
[NSE] Some changes to brute.lua to better handle misbehaving or rate-limiting services. Most significantly, brute.killstagnated now defaults to true.
[NSE] VNC scripts now support Apple Remote Desktop authentication (auth type 30).
[NSE] Fix a script crash in ftp.lua when PASV connection timed out.
[NSE] Update bitcoin-getaddr to receive more than one response message, since the first message usually only has one address in it.
[Ncat] Ncat now selects the correct default port for a given proxy type.
[NSE] memcached-info can now gather information from the UDP memcached service in addition to the TCP service. The UDP service is frequently used as a DDoS reflector and amplifier.
[NSE] Changed url.absolute() behavior with respect to dot and dot-dot path segments to comply with RFC 3986, section 5.2.
Removed deprecated and undocumented aliases for several long options that used underscores instead of hyphens, such as --max_retries.
Improved service scan's treatment of soft matches in two ways. First of all, any probes that could result in a full match with the soft matched service will now be sent, regardless of rarity. This improves the chances of matching unusual services on non-standard ports. Second, probes are now skipped if they don't contain any signatures for the soft matched service. Previously the probes would still be run as long as the target port number matched the probe's specification. Together, these changes should make service/version detection faster and more accurate.
--version-all now turns off the soft match optimization, ensuring that all probes really are sent, even if there aren't any existing match lines for the softmatched service. This is slower, but gives the most comprehensive results and produces better fingerprints for submission.
[NSE] New set of Telnet softmatches for version detection based on Telnet DO/DON'T options offered, covering a wide variety of devices and operating systems.
Resolved crash opportunities caused by unexpected libpcap version string format.
[NSE] Fix false positives in rexec-brute by checking responses for indications of login failure.
[NSE] Fix http-fetch to keep downloaded files in separate destination directories.
[NSE] Added new fingerprints to http-default-accounts:
Hikvision DS-XXX Network Camera and NUOO DVR.
ActiveMQ, Purestorage, and Axis Network Cameras.
Added a new service detection match for WatchGuard Authentication Gateway.
[NSE] Script qscan was not observing interpacket delays (parameter qscan.delay).
[NSE] Script http-headers now fails properly if the target does not return a valid HTTP response.
[Ncat][Nsock] Remove RC4 from the list of TLS ciphers used by default, in accordance with RFC 7465.
[NSE] Fix a false positive condition in ipmi-cipher-zero caused by not checking the error code in responses. Implementations which return an error are not vulnerable.
[NSE] Two new libraries for NSE:
idna - Support for internationalized domain names in applications (IDNA).
punycode (a transfer encoding syntax used in IDNA).
[NSE] New fingerprints for http-enum:
Telerik UI CVE-2017-9248.
Many WordPress version detections.
Fixed Ncat proxy authentication issues:
Usernames and/or passwords could not be empty.
Passwords could not contain colons.
SOCKS5 authentication was not properly documented.
SOCKS5 authentication had a memory leak.
Fixes to autoconf header files to allow autoreconf to be run.
Improved DNS service version detection coverage and consistency by using data from a Project Sonar Internet-wide survey. Numerous false positives were removed and reliable softmatches added. Match lines for version.bind responses were also consolidated using the technique below.
Changed version probe fallbacks so as to work cross protocol (TCP/UDP). This enables consolidating match lines for services where the responses on TCP and UDP are similar.
[NSE] Added the zlib library for NSE so scripts can easily handle compression. This work started during GSOC 2014, so we're particularly pleased to finally integrate it!
[NSE] Fixed handling of brute.retries variable. It was being treated as the number of tries, not retries, and a value of 0 would result in infinite retries. Instead, it is now the number of retries, defaulting to 2 (3 total tries), with no option for infinite retries.
[NSE] http-devframework-fingerprints.lua supports Jenkins server detection and returns extra information when Jenkins is detected.
The rarity level of MS SQL's service detection probe was decreased. Now we can find MS SQL in odd ports without increasing version intensity.
Fix reporting of zlib and libssh2 versions in "nmap --version". We were always reporting the version number of the included source, even when a different version was actually linked.
Add a new helper function for nmap-service-probes match lines: $I(1,">") will unpack an unsigned big-endian integer value up to 8 bytes wide from capture 1. The second option can be "<" for little-endian.
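The http-fetch directory traversal fix listed in this release comes down to never letting a server-supplied URL choose a save location outside the destination directory. The following is an added example, not Nmap's or http-fetch's own code: the names `safe_destination` and `save_response` and the `<host>/<port>/` layout are assumptions made for illustration.

```python
import os
from urllib.parse import unquote, urlsplit


class UnsafePath(ValueError):
    """The server-supplied URL does not map to a path inside the destination."""


def safe_destination(dest_root, url):
    """Return the local path for url under dest_root/<host>/<port>/.

    The directory layout is an assumption of this example.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    # The host becomes a directory name, so it gets the same scrutiny as the path.
    if not host or host.startswith(".") or any(c in host for c in "/\\\0"):
        raise UnsafePath("bad host: %r" % host)
    port = parts.port or (443 if parts.scheme == "https" else 80)

    # Decode once, then judge the decoded form: %2e%2e is ".." by the time
    # it reaches the filesystem.
    path = unquote(parts.path)
    if "\0" in path or "\\" in path:
        raise UnsafePath("forbidden character in path")
    segments = [s for s in path.split("/") if s not in ("", ".")]
    if ".." in segments:
        raise UnsafePath("dot-dot segment in path")
    if not segments:
        segments = ["index.html"]

    base = os.path.realpath(os.path.join(dest_root, host, str(port)))
    target = os.path.realpath(os.path.join(base, *segments))
    # Containment check on resolved paths; this also catches symlinks that
    # already exist under the destination.
    if os.path.commonpath([base, target]) != base:
        raise UnsafePath("resolves outside destination")
    return target


def save_response(dest_root, url, body):
    """Write body for url below dest_root and never overwrite an existing file."""
    target = safe_destination(dest_root, url)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "xb") as fh:  # "x" fails if the file already exists
        fh.write(body)
    return target
```

A double-encoded segment such as `%252e%252e` decodes once to the literal name `%2e%2e`, which stays inside the destination and is therefore accepted.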
Version download: Nmap 7.70
Nmap 7.60
Update details:
[Windows] Updated the bundled Npcap from 0.91 to 0.93, fixing several issues with installation and compatibility with the Windows 10 Creators Update.
[NSE] NSE scripts now have complete SSH support via libssh2, including password brute-forcing and running remote commands.
[NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 579! The summaries are below:
ftp-syst sends SYST and STAT commands to FTP servers to get system version and connection information.
http-vuln-cve2017-8917 checks for an SQL injection vulnerability affecting Joomla! 3.7.x before 3.7.1.
iec-identify probes for the IEC 60870-5-104 SCADA protocol.
openwebnet-discovery retrieves device identifying information and number of connected devices running on openwebnet protocol.
puppet-naivesigning checks for a misconfiguration in the Puppet CA where naive signing is enabled, allowing for any CSR to be automatically signed.
smb-protocols discovers if a server supports dialects NT LM 0.12 (SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old smbv2-enabled script.
smb2-capabilities lists the supported capabilities of SMB2/SMB3 servers.
smb2-time determines the current date and boot date of SMB2 servers.
smb2-security-mode determines the message signing configuration of SMB2/SMB3 servers.
smb2-vuln-uptime attempts to discover missing critical patches in Microsoft Windows systems based on the SMB2 server uptime.
ssh-auth-methods lists the authentication methods offered by an SSH server.
ssh-brute performs brute-forcing of SSH password credentials.
ssh-publickey-acceptance checks public or private keys to see if they could be used to log in to a target. A list of known-compromised key pairs is included and checked by default.
ssh-run uses user-provided credentials to run commands on targets via SSH.
[NSE] Removed smbv2-enabled, which was incompatible with the new SMBv2/3 improvements. It was fully replaced by the smb-protocols script.
[Ncat] Added Datagram TLS (DTLS) support to Ncat in connect (client) mode with --udp --ssl. Also added Application Layer Protocol Negotiation (ALPN) support with the --ssl-alpn option.
Updated the default ciphers list for Ncat and the secure ciphers list for Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH ciphersuites, anonymous ECDH suites were being allowed.
[NSE] Fix ndmp-version and ndmp-fs-info when scanning Veritas Backup Exec Agent 15 or 16.
[NSE] Added new SMB2/3 library and related scripts.
[NSE] Added wildcard detection to dns-brute. Only hostnames that resolve to unique addresses will be listed.
[NSE] FTP scripts like ftp-anon and ftp-brute now correctly handle TLS-protected FTP services and use STARTTLS when necessary.
[NSE] Function url.escape no longer encodes so-called "unreserved" characters, including hyphen, period, underscore, and tilde, as per RFC 3986.
[NSE] Function http.pipeline_go no longer assumes that persistent connections are supported on HTTP 1.0 target (unless the target explicitly declares otherwise), as per RFC 7230.
[NSE] The HTTP response object has a new member, version, which contains the HTTP protocol version string returned by the server, e.g. "1.0".
[NSE] Fix handling of the objectSID Active Directory attribute by ldap.lua.
[NSE] Fix line endings in the list of Oracle SIDs used by oracle-sid-brute. Carriage Return characters were being sent in the connection packets, likely resulting in failure of the script.
[NSE] http-useragent-checker now checks for changes in HTTP status (usually 403 Forbidden) in addition to redirects to indicate forbidden User Agents.
Version download: Nmap 7.60
Nmap 7.50
Update details:
[Windows] Updated the bundled Npcap from 0.78 to 0.91, with several bugfixes for WiFi connectivity problems and stability issues.
Integrated all of your service/version detection fingerprints submitted from September to March (855 of them). The signature count went up 2.9% to 11,418. We now detect 1193 protocols from apachemq, bro, and clickhouse to jmon, slmp, and zookeeper.
[NSE] Added 14 NSE scripts from 12 authors, bringing the total up to 566! The summaries are below:
broadcast-ospf2-discover discovers OSPF 2 routers and neighbors. OSPFv2 authentication is supported.
cics-info checks IBM TN3270 services for CICS transaction services and extracts useful information.
cics-user-brute does brute-force enumeration of CICS usernames on IBM TN3270 services.
http-cookie-flags checks HTTP session cookies for HTTPOnly and Secure flags.
http-security-headers checks for the HTTP response headers related to security given in OWASP Secure Headers Project, giving a brief description of the header and its configuration value.
http-vuln-cve2017-5638 checks for the RCE bug in Apache Struts2.
http-vuln-cve2017-5689 detects a privilege escalation vulnerability (INTEL-SA-00075) in Intel Active Management Technology (AMT) capable systems.
http-vuln-cve2017-1001000 detects a privilege escalation vulnerability in Wordpress 4.7.0 and 4.7.1.
impress-remote-discover attempts to pair with the LibreOffice Impress presentation remote service and extract version info. Pairing is PIN-protected, and the script can optionally brute-force the PIN. New service probe and match line also added.
smb-double-pulsar-backdoor detects the Shadow Brokers-leaked Double Pulsar backdoor in Windows SMB servers.
smb-vuln-cve-2017-7494 detects a remote code execution vulnerability affecting Samba versions 3.5.0 and greater with writable shares.
smb-vuln-ms17-010 detects a critical remote code execution vulnerability affecting SMBv1 servers in Microsoft Windows systems (ms17-010). The script also reports patched systems.
tls-ticketbleed checks for the Ticketbleed vulnerability (CVE-2016-9244) in F5 BIG-IP appliances.
vmware-version queries VMWare SOAP API for version and product information. Submitted in 2011, this was mistakenly turned into a service probe that was unable to elicit any matches.
[Ncat] A series of changes and fixes based on feedback from the Red Hat community:
Ncat will now continue trying to connect to each resolved address for a hostname before declaring the connection refused, allowing it to fallback from IPv6 to IPv4 or to connect to names that use DNS failover.
The --no-shutdown option now also works in connect mode, not only in listen mode.
Made -i/--idle-timeout not cause Ncat in server mode to close while waiting for an initial connection. This was also causing -i to interfere with the HTTP proxy server mode.
Ncat in server mode properly handles TLS renegotiations and other situations where SSL_read returns a non-fatal error. This was causing SSL-over-TCP connections to be dropped.
Enable --ssl-ciphers to be used with Ncat in client mode, not only in server (listen) mode.
[NSE] NSE libraries smb and msrpc now use fully qualified paths. SMB scripts now work against all modern versions of Microsoft Windows.
[NSE] smb library's share_get_list now properly uses anonymous connections first before falling back authenticating as a known user.
New service probes and matches for Apache HBase and Hadoop MapReduce.
Extended Memcached service probe and added match for Apache ZooKeeper.
[NSE] New script argument "vulns.short" will reduce vulns library script output to a single line containing the target name or IP, the vulnerability state, and the CVE ID or title of the vulnerability.
[NSE] SNMP scripts will now take a community string provided like `--script-args creds.snmp=private`, which previously did not work because it was interpreted as a username.
[NSE] Resolved several issues in the default HTTP redirect rules:
A redirect is now cancelled if the original URL contains embedded credentials.
A redirect test is now more careful in determining whether a redirect destination is related to the original host.
A redirect is now more strict in avoiding possible redirect loops.
[NSE] The HTTP Host header will now include the port unless it is the default one for a given scheme.
[NSE] The HTTP response object has a new member, fragment, which contains a partially received body (if any) when the overall request fails to complete.
[NSE] NSE now allows cookies to have arbitrary attributes, which are silently ignored (in accordance with RFC 6265). Unrecognized attributes were previously causing HTTP requests with such cookies to fail.
[NSE] NSE now correctly parses a Set-Cookie header that has unquoted whitespace in the cookie value (which is allowed per RFC 6265).
[NSE] NSE is now able to process HTTP responses with a Set-Cookie header that has an extraneous trailing semicolon.
[NSE] TLS SNI now works correctly for NSE HTTP requests initiated with option any_af. As an added benefit, option any_af is now available for all connections via comm.lua, not just HTTP requests.
[NSE] There is a new common function, url.get_default_port(), to obtain the default port number for a given scheme.
[NSE] Function url.parse() now returns the port part as a number, not a string.
No longer allow ICMP Time Exceeded messages to mark a host as down during host discovery. Running traceroute at the same time as Nmap was causing interference.
[NSE] Fixed a JSON library issue that was causing long integers to be expressed in the scientific/exponent notation.
[NSE] Fixed several potential hangs in NSE scripts that used receive_buf(pattern), which will not return if the service continues to send data that does not match pattern. A new function in match.lua, pattern_limit, is introduced to limit the number of bytes consumed while searching for the pattern.
[Nsock] Handle any and all socket connect errors the same: raise as an Nsock error instead of fatal. This prevents Nmap and Ncat from quitting with "Strange error from connect:".
[NSE] Added several commands to redis-info to extract listening addresses, connected clients, active channels, and cluster nodes.
[NSE] Refreshed script http-robtex-reverse-ip, reflecting changes at the source site.
[NSE] Added 8 new http-enum fingerprints for Hadoop infrastructure components.
[NSE] Added two new fingerprints to http-default-accounts (APC Management Card, older NetScreen ScreenOS).
[NSE] Fix for oracle-tns-version which was sending an invalid TNS probe due to a string escaping mixup.
[NSE] ike-version now outputs information about supported attributes and unknown vendor ids. Also, a new fingerprint for FortiGate VPNs was submitted by Alexis La Goutte.
Enabled support for TLS SNI on the Windows platform.
New service probe and match lines for the JMON and RSE services of IBM Explorer for z/OS.
Removed a duplicate service probe for Memcached added in 2011 (the original probe was added in 2008) and reported as duplicate in 2013.
New service probe and match line for NoMachine NX Server remote desktop.
[Zenmap] Fixed a recurring installation problem on OS X/macOS where Zenmap was installed to /Applications/Applications/Zenmap.app instead of /Applications/Zenmap.app.
[Zenmap] Zenmap will no longer crash when no suitable temporary directory is found.
[Zenmap] Zenmap now properly handles the -v0 (no output) option, which was added in Nmap 7.10. Previously, this was treated the same as not specifying -v at all.
Updated or removed some OpenSSL library calls that were deprecated in OpenSSL 1.1.
[NSE] Script ssh-hostkey now recognizes and reports Ed25519 keys.
[NSE] Fixed script hang in several brute scripts due to the "threads" script-arg not being converted to a number. Error message was "nselib/brute.lua:1188: attempt to compare number with string".
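The receive_buf(pattern) hang fixed in this release is a read-until-delimiter loop with no upper bound, so a service that keeps sending non-matching data holds the reader forever. The following is an added example that models the bounded variant in Python; it is not Nmap's Lua pattern_limit code, and `receive_until`, `EndlessPeer` and `scripted_peer` are hypothetical names with constructed peers standing in for sockets.

```python
import re


class PatternLimitExceeded(Exception):
    """No match was found within the allowed number of bytes."""


def receive_until(recv, pattern, limit, chunk_size=4096):
    """Read from recv() until pattern matches, consuming at most limit bytes.

    recv(n) returns up to n bytes, or b"" when the peer has closed.
    Returns (data_through_match, leftover_bytes).
    """
    regex = re.compile(pattern)
    buf = bytearray()
    while True:
        # Only the first `limit` bytes are eligible for a match.
        match = regex.search(buf, 0, limit)
        if match:
            return bytes(buf[:match.end()]), bytes(buf[match.end():])
        if len(buf) >= limit:
            raise PatternLimitExceeded(
                "no match for %r in first %d bytes" % (pattern, limit))
        chunk = recv(min(chunk_size, limit - len(buf)))
        if not chunk:
            raise ConnectionError("peer closed before pattern matched")
        buf += chunk


class EndlessPeer:
    """Constructed peer that never sends the delimiter and never closes."""

    def __init__(self):
        self.sent = 0

    def recv(self, n):
        self.sent += n
        return b"A" * n


def scripted_peer(chunks):
    """Constructed peer that returns the given chunks in order, then EOF."""
    remaining = iter(chunks)

    def recv(n):
        return next(remaining, b"")

    return recv


def demo():
    """Return (well-behaved result, bytes read from the endless peer)."""
    ok = receive_until(scripted_peer([b"220 ready", b"\r\nextra"]),
                       rb"\r?\n", limit=8192)
    peer = EndlessPeer()
    try:
        receive_until(peer.recv, rb"\r?\n", limit=8192, chunk_size=1024)
    except PatternLimitExceeded:
        pass
    return ok, peer.sent
```

Without the `limit` check the second call in `demo()` would never return; with it, the reader gives up after exactly the configured number of bytes.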
Version download: Nmap 7.50
Nmap 7.40
Update details:
* [Windows] Updated the bundled Npcap from 0.10r9 to 0.78r5, with an improved installer experience, driver signing updates to work with Windows 10 build 1607, and bugfixes for WiFi connectivity problems. [Yang Luo, Daniel Miller]
* Integrated all of your IPv4 OS fingerprint submissions from April to September (568 of them). Added 149 fingerprints, bringing the new total to 5,336. Additions include Linux 4.6, macOS 10.12 Sierra, NetBSD 7.0, and more. Highlights: http://seclists.org/nmap-dev/2016/q4/110 [Daniel Miller]
* Integrated all of your service/version detection fingerprints submitted from April to September (779 of them). The signature count went up 3.1% to 11,095. We now detect 1161 protocols, from airserv-ng, domaintime, and mep to nutcracker, rhpp, and usher. Highlights: http://seclists.org/nmap-dev/2016/q4/115 [Daniel Miller]
* Fix reverse DNS on Windows which was failing with the message "mass_dns: warning: Unable to determine any DNS servers." This was because the interface GUID comparison needed to be case-insensitive. [Robert Croteau]
* [NSE] Added 12 NSE scripts from 4 authors, bringing the total up to 552! The summaries are below:
- cics-enum enumerates CICS transaction IDs, mapping to screens in TN3270 services.
- cics-user-enum brute-forces usernames for CICS users on TN3270 services.
- fingerprint-strings will print the ASCII strings it finds in the service fingerprints that Nmap shows for unidentified services.
- ip-geolocation-map-bing renders IP geolocation data as an image via Bing Maps API.
- ip-geolocation-map-google renders IP geolocation data as an image via Google Maps API.
- ip-geolocation-map-kml records IP geolocation data in a KML file for import into other mapping software
- nje-pass-brute brute-forces the password to a NJE node, given a valid RHOST and OHOST. Helpfully, nje-node-brute can now brute force both of those values. [Soldier of Fortran]
- ssl-cert-intaddr will search for private IP addresses in TLS certificate fields and extensions.
- tn3270-screen shows the login screen from mainframe TN3270 Telnet services, including any hidden fields. The script is accompanied by the new tn3270 library. [Soldier of Fortran]
- tso-enum enumerates usernames for TN3270 Telnet services.
- tso-brute brute-forces passwords for TN3270 Telnet services.
- vtam-enum brute-forces VTAM application IDs for TN3270 services.
* Brute scripts are faster and more accurate. New feedback and adaptivity mechanisms in brute.lua help brute scripts use resources more efficiently, dynamically changing number of threads based on protocol messages like FTP 421 errors, network errors like timeouts, etc.
* New option --defeat-icmp-ratelimit dramatically reduces UDP scan times in exchange for labeling unresponsive (and possibly open) ports as "closed|filtered". Ports which give a UDP protocol response to one of Nmap's scanning payloads will be marked "open".
* Removed ssl-google-cert-catalog, since Google shut off that service at some point. Reported by Brian Morin.
* New NSE library, geoip.lua, provides a common framework for storing and retrieving IP geolocation results.
* Restore the connection success message that Ncat prints with -v. This was accidentally suppressed when not using -z.
* Added scan resume from Nmap's XML output. Now you can --resume a canceled scan from all 3 major output formats: -oN, -oG, and -oX.
* Fix a bug where hosts with the same IP but different hostnames were shown as changing hostnames between scans. Made sort stable with regard to hostnames.
* Add tls.servername script-arg for forcing a name to be used for TLS Server Name Indication extension. The argument overrides the default use of the host's targetname.
* Updated Russian translation of Zenmap
* Fix a crash in smb.lua when using smb-ls due to a floating-point number being passed to os.time ("bad argument")
* Fix a bug in mysql.lua that caused authentication failures in mysql-brute and other scripts due to including a null terminator in the salt value. This bug affects Nmap 7.25BETA2 and later releases.
* The --open option now implies --defeat-rst-ratelimit. This may result in inaccuracies in the numbers of "Not shown:" closed and filtered ports, but only in situations where it also speeds up scan times.
* Added known Diffie-Hellman parameters for haproxy, postfix, and IronPort to ssl-dh-params.
* Added service probe for ClamAV servers (clam), an open source antivirus engine used in mail scanning.
* Added service probe and UDP payload for Quick UDP Internet Connection (QUIC), a secure transport developed by Google and used with HTTP/2.
* Enabled resolveall to run against any target provided as a hostname, so the resolveall.hosts script-arg is no longer required.
* Revised script http-default-accounts in several ways:
- Added 21 new fingerprints, plus broadened 5 to cover more variants.
- It can now test systems that return status 200 for non-existent pages.
- Implemented XML output. Layout of the classic text output has also changed, including reporting blank usernames or passwords as "<blank>", instead of just empty strings.
- Added CPE entries to individual fingerprints (where known). They are reported only in the XML output.
* Updated http.lua to allow processing of HTTP responses with malformed header names. Such header lines are still captured in the rawheader list but skipped otherwise.
* New service probe and match line for iperf3.
* Add Drupal to the set of web apps brute forced by http-form-brute.
Version download: Nmap 7.40
Nmap 7.31
Update details:
- [Windows] Updated the bundled Npcap from 0.10r2 to 0.10r9, bringing increased stability, bug fixes, and raw 802.11 WiFi capture (unused by Nmap).
- Fixed the way Nmap handles scanning names that resolve to the same IP. Due to changes in 7.30, the IP was only being scanned once, with bogus results displayed for the other names. The previous behavior is now restored.
- Fix Nping's ability to use Npcap on Windows. A privilege check was performed too late, so the Npcap loading code assumed the user had no rights.
- Fix an assertion failure due to floating point error in equality comparison, which triggered mainly on OpenBSD: assertion "diff <= interval" failed: file "timing.cc", line 44. This was reported earlier as [GH#472] but the assertion fixed there was a different one.
- [Zenmap] Fix a crash in the About page in the Spanish translation due to a missing format specifier: File "zenmapGUIAbout.pyo", line 217, in __init__ TypeError: not all arguments converted during string formatting
- [Zenmap] Better visual indication that display of hostname is tied to address in the Topology page. You can show numeric addresses with hostnames or without, but you can't show hostnames without numeric addresses when they are not available.
- To increase the number of IPv6 fingerprint submissions, a prompt for submission will be shown with some random chance for successful matches of OS classes that are based on only a few submissions. Previously, only unsuccessful matches produced such a prompt.
Version download: Nmap 7.31
Nmap 7.30
Update details:
* Integrated all 12 of your IPv6 OS fingerprint submissions from June to September. No new groups, but several classifications were strengthened, especially Windows localhost and OS X.
* [NSE] Added 7 NSE scripts, from 3 authors, bringing the total up to 541!
- coap-resources grabs the list of available resources from CoAP endpoints.
- fox-info retrieves detailed version and configuration info from Tridium Niagara Fox services.
- ipmi-brute performs authentication brute-forcing on IPMI services.
- ipmi-cipher-zero checks IPMI services for Cipher Zero support, which allows connection without a password.
- ipmi-version retrieves protocol version and authentication options from ASF-RMCP (IPMI) services.
- mqtt-subscribe connects to a MQTT broker, subscribes to topics, and lists the messages received.
- pcworx-info retrieves PLC model, firmware version, and date from Phoenix Contact PLCs.
* Upgraded Npcap, our new Windows packet capturing driver/library, from version 0.09 to 0.10r2. This includes many bug fixes, with a particular emphasis on concurrency issues discovered by running hundreds of Nmap instances at a time.
* New service probes and match lines for DTLS, IPMI-RMCP, MQTT, PCWorx, ProConOS, and Tridium Fox.
* Improved some output filtering to remove or escape carriage returns ('\r') that could allow output spoofing by overwriting portions of the screen. Issue reported by Adam Rutherford.
* [NSE] Fixed a few bad Lua patterns that could result in denial of service due to excessive backtracking.
* Fixed a discrepancy between the number of targets selected with -iR and the number of hosts scanned, resulting in output like "Nmap done: 1033 IP addresses" when the user specified -iR 1000.
* Fixed a bug in port specification parsing that could cause extraneous 'T', 'U', 'S', and 'P' characters to be ignored when they should have caused an error.
* Restored compatibility with LibreSSL, which was lost in adding library version checks for OpenSSL 1.1. [Wonko7]
* Fixed a bug in the Compare Scans window of Zenmap on OS X resulting in this message instead of Ndiff output: ImportError: dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so, 2): no suitable image found. Did find: /Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so: mach-o, but wrong architecture. Reported by Kyle Gustafson.
* [NSE] Fixed a bug in ssl-enum-ciphers and ssl-dh-params which caused them to not output TLSv1.2 info with DHE ciphersuites or others involving ServerKeyExchange messages.
* [NSE] Added X509v3 extension parsing to NSE's sslcert code. ssl-cert now shows the Subject Alternative Name extension; all extensions are shown in the XML output.
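The carriage-return output filtering change in this release matters because a terminal treats CR as "return to column 0", so text received from a scanned service can overwrite what was already printed on the line. The following is an added example, not Nmap's code: `escape_untrusted` and `render_line` are hypothetical names, the terminal model is deliberately minimal, and the banner is constructed sample data.

```python
import re

# C0 control characters except tab, plus DEL and the C1 range.
_CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")


def escape_untrusted(text):
    """Make control characters in remote-supplied text visible as \\xNN."""
    # Double existing backslashes first so the escaped form stays unambiguous.
    text = text.replace("\\", "\\\\")
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


def render_line(raw):
    """Minimal model of what a terminal displays for one output line.

    CR moves the cursor to column 0 and backspace moves it left by one;
    every other character overwrites the cell under the cursor.
    """
    cells = []
    col = 0
    for ch in raw:
        if ch == "\r":
            col = 0
        elif ch == "\b":
            col = max(0, col - 1)
        else:
            if col < len(cells):
                cells[col] = ch
            else:
                cells.append(ch)
            col += 1
    return "".join(cells)


# Constructed banner as a remote service might return it.
SAMPLE_BANNER = "ExampleFTPd 1.0\r21/tcp closed ftp"


def report_line(banner, escape=True):
    """Build one report line the way a scanner front end might print it."""
    value = escape_untrusted(banner) if escape else banner
    return "21/tcp open ftp " + value


if __name__ == "__main__":
    print("raw bytes shown as:", render_line(report_line(SAMPLE_BANNER, escape=False)))
    print("escaped shown as:  ", render_line(report_line(SAMPLE_BANNER)))
```

Escaping also covers ESC (`\x1b`), so ANSI cursor-movement sequences in a banner are neutralized by the same filter.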
Version download: Nmap 7.30
Nmap 7.12
Update details:
- Avoid file corruption in zenmap.conf, reported as files containing many null ("\x00") characters. Example exceptions: TypeError: int() argument must be a string or a number, not 'list'. ValueError: unable to parse colour specification
- [NSE] VNC updates including vnc-brute support for TLS security type and negotiating a lower RFB version if the server sends an unknown higher version. [Daniel Miller]
- [NSE] Added STARTTLS support for VNC, NNTP, and LMTP [Daniel Miller]
- Added new service probes and match lines for OpenVPN on UDP and TCP.
Version download: Nmap 7.12
Nmap 7.10
Update details:
# [NSE] Added 12 NSE scripts from 7 authors, bringing the total up to 527! The summaries are below (authors are listed in brackets):
* http-apache-server-status parses the server status page of Apache's mod_status.
* http-vuln-cve2013-6786 detects a XSS and URL redirection vulnerability in Allegro RomPager web server. Also added a fingerprint for detecting CVE-2014-4019 to http-fingerprints.lua.
* http-vuln-cve2014-3704 detects and exploits the "Drupalgeddon" pre-auth SQL Injection vulnerability in Drupal.
* imap-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled IMAP services.
* ipv6-multicast-mld-list discovers IPv6 multicast listeners with MLD probes. The discovery is the same as targets-ipv6-multicast-mld, but the subscribed addresses are decoded and listed.
* ms-sql-ntlm-info extracts OS version and sometimes hostname from MS SQL Server instances via the NTLM challenge message.
* nntp-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled NNTP services.
* pop3-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled POP3 services.
* rusers retrieves information about logged-on users from the rusersd RPC service.
* shodan-api queries the Shodan API and retrieves open port and service info from their Internet-wide scan data.
* smtp-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled SMTP and submission services.
* telnet-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled Telnet services.
- Updated the OpenSSL shipped with our binary builds (Windows, OS X, and Linux RPM) to 1.0.2g with SSLv2 enabled.
- Integrated all of your IPv4 OS fingerprint submissions from October to January (536 of them). Added 104 fingerprints, bringing the new total to 5089. Additions include Linux 4.2, more Windows 10, IBM i 7, and more.
- Integrated all of your service/version detection fingerprints submitted from October to January (508 of them). The signature count went up 2.2% to 10532. We now detect 1108 protocols, from icy, finger, and rtsp to ipfs, basestation, and minecraft-pe.
- Integrated all 12 of your IPv6 OS fingerprint submissions from October to January. The classifier added 3 new groups, including new and expanded groups for OS X, bringing the new total to 96. Highlights:
- Upgrade to http-form-brute allowing correct handling of token-based CSRF protections and cookies. Also, a simple database of common login forms supports Django, Wordpress, MediaWiki, Joomla, and others.
- Remember window geometry (position and size) from the previous time Zenmap was run.
- New service probe for CORBA GIOP (General Inter-ORB Protocol) detection should elicit a not-found exception from GIOP services that do not respond to non-GIOP probes.
- Fix retrieval of route netmasks on FreeBSD. IPv6 routes were given /32 netmasks regardless of actual netmask configured, resulting in failed routing. Reported by Martin Gysi.
- Give option parsing errors after the usage statement, or avoid printing the usage statement in some cases. The options summary has grown quite large, requiring users to scroll to the top to see the error message.
- Avoid a crash on Windows reported by users using Zenmap's Slow Comprehensive Scan profile. In the case of unknown OpenSSL errors, ERR_reason_error_string would return NULL, which could not be printed with the "%s" format string. Reported by Dan Baxter.
- Fix a regression in our build that caused copy-and-paste to not work in Zenmap on Windows.
- Changed Nmap's idea of reserved and private IP addresses to include 169.254/16 (RFC3927) and remove 6/8, 7/8, and 55/8 networks. This list, in libnetutil's isipprivate function, is used to filter -iR randomly generated targets. The newly-valid address ranges belong to the U.S. Department of Defense, so users wanting to avoid those ranges should use their own exclusion lists with --exclude or --exclude-file.
- Allow the -4 option for Nmap to indicate IPv4 address family. This is the default, and using the option doesn't change anything, but does make it more explicit which address family you want to scan. Using -4 with -6 is an error.
- When provided a verbosity of 0 (-v0), Nmap will not output any text to the screen. This happens at the time of argument parsing, so the usual meaning of "verbosity 0" is preserved.
- Fix naming of SSL2_RC2_128_CBC_WITH_MD5 and SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 ciphers in sslv2 in order to match the draft specification from Mozilla.
- Add STARTTLS support to sslv2 to enable SSLv2 detection against services that are not TLS encrypted by default but that support post connection upgrade. This will enable more comprehensive detection of SSLv2 and DROWN (CVE-2016-0800) attack oracles.
- Added default credential checks for RICOH Web Image Monitor and BeEF to http-default-accounts.
- Properly display Next-hop MTU value from ICMP Type 3 Code 4 Fragmentation Required messages when tracing packets or in Nping output. Improper offset meant we were printing the total IP length.
- Added support for DHCP options "TFTP server name" and "Bootfile name" to dhcp.lua and enabled checking for options with a code above 61 by default.
- whois-ip: Don't request a remote IANA assignments data file when the local filesystem will not permit the file to be cached in a local file.
- Updated http-php-version hash database to cover all versions from PHP 4.1.0 to PHP 5.4.45. Based on scans of a few thousand PHP web servers pulled from Shodan API.
- Use the same ScanProgressMeter for FTP bounce scan (-b) as for the other scan types, allowing periodic status updates with --stats-every or keypress events.
- Use a shorter pcap_select timeout on OpenBSD, just as we do for OS X, old FreeBSD, and Solaris, which use BPF for packet capture and do not have properly select-able fds. Fix by OpenBSD port maintainer
- Print service info in grepable output for ports which are not listed in nmap-services when a service tunnel (SSL) is detected. Previously, the service info ("ssl|unknown") was not printed unless the service inside the tunnel was positively identified.
- Fix multiple false-positive sources in http-backup-agent.
Version download: Nmap 7.10
Nmap 7.01
Nmap 7.00
Update details:
- This is the most important release since Nmap 6.00 back in May 2012! For a list of the most significant improvements and new features,
- [NSE] Added 6 NSE scripts from 6 authors, bringing the total up to 515! The summaries are below (authors are listed in brackets):
* targets-xml extracts target addresses from previous Nmap XML results files.
* ssl-dh-params checks for problems with weak, non-safe, and export-grade Diffie-Hellman parameters in TLS handshakes. This includes the LOGJAM vulnerability (CVE-2015-4000).
* nje-node-brute does brute-forcing of z/OS JES Network Job Entry node names.
* ip-https-discover detects support for Microsoft's IP over HTTPS tunneling protocol.
* broadcast-sonicwall-discover detects and extracts information from SonicWall firewalls.
* http-vuln-cve2014-8877 checks for and optionally exploits a vulnerability in CM Download Manager plugin for Wordpress.
- New option --no-shutdown prevents Ncat from shutting down when it reads EOF on stdin. This is the same as traditional netcat's "-d" option.
- Improve parsing in http.lua for multiple Set-Cookie headers in a single response.
Version download: Nmap 7.00
Nmap 6.47
Update details:
- Integrated all of your IPv4 OS fingerprint submissions since June 2013. Added 366 fingerprints, bringing the new total to 4485. Additions include Linux 3.10 - 3.14, iOS 7, OpenBSD 5.4 - 5.5, FreeBSD 9.2, OS X 10.9, Android 4.3, and more. Many existing fingerprints were improved.
- (Windows, RPMs) Upgraded the included OpenSSL to version 1.0.1i.
- (Windows) Upgraded the included Python to version 2.7.8.
- Removed the External Entity Declaration from the DOCTYPE in Nmap's XML. This was added in 6.45, and resulted in trouble for Nmap XML parsers without network access, as well as increased traffic to Nmap's servers.
- [Ndiff] Fixed the installation process on Windows, which was missing the actual Ndiff Python module since we separated it from the driver script.
- [Ndiff] Fixed the ndiff.bat wrapper in the zipfile Windows distribution, which was giving the error, "Microsoft was unexpected at this time."
- [Zenmap] Fixed the Zenmap .dmg installer for OS X.
- [Ncat] Fixed SOCKS5 username/password authentication. The password length was being written in the wrong place, so authentication could not succeed.
- Avoid formatting NULL as "%s" when running nmap --iflist. GNU libc converts this to the string "(null)", but it caused a segfault on Solaris.
- [Zenmap][Ndiff] Avoid crashing when users have the antiquated PyXML package installed. Python tries to be nice and loads it when we import xml, but it isn't compatible. Instead, we force Python to use the standard library xml module.
- Handle ICMP admin-prohibited messages when doing service version detection.
- [NSE] Fix a bug causing http.head to not honor redirects.
- [Zenmap] Fix a bug in DiffViewer causing this crash: TypeError: GtkTextBuffer.set_text() argument 1 must be string or read-only buffer, not NmapParserSAX. The crash happened when trying to compare two scans within Zenmap.
Version download: Nmap 6.47
Nmap 6.46
Update details:
- [NSE] Made numerous improvements to ssl-heartbleed to provide more reliable detection of the vulnerability.
- [Zenmap] Fixed a bug which caused this crash message: IOError: [Errno socket error] [Errno 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
- [NSE] Fix some bugs which could cause snmp-ios-config and snmp-sysdescr scripts to crash.
- [NSE] Improved performance of citrixlua library when handling large XML responses containing application lists.
Version download: Nmap 6.46
Nmap 6.45
Update details:
- [NSE] Add ssl-heartbleed script to detect the Heartbleed bug in OpenSSL
- [NSE] Fixed an error-handling bug in socks-open-proxy that caused it to fail when scanning a SOCKS4-only proxy.
- [NSE] Improved ntp-info script to handle underscores in returned data.
- [NSE] Add quake1-info script for retrieving server and player information from Quake 1 game servers. Reports potential DoS amplification factor.
- [NSE] Add unicode library for decoding and encoding UTF-8, UTF-16, CP437 and other character sets to Unicode code points. Scripts that previously just added or skipped nulls in UTF-16 data can use this to support non-ASCII characters.
- When doing a ping scan (-sn), the --open option will prevent down hosts from being shown when -v is specified. This aligns with similar output for other scan types.
- [Ncat] Added support for socks5 and corresponding regression tests.
- [NSE] Add http-ntlm-info script for getting server information from Web servers that require NTLM authentication.
- Added TCP support to dns.lua.
- Added safe fd_set operations. This makes nmap fail gracefully instead of crashing when the number of file descriptors grows over FD_SETSIZE.
- [NSE] Added tls library for functions related to SSLv3 and TLS messages. Existing ssl-enum-ciphers, ssl-date, and tls-nextprotoneg scripts were updated to use this library.
- [NSE] Add sstp-discover script to discover Microsoft's Secure Socket Tunnelling Protocol
- [NSE] Added unittest library and NSE script for adding unit tests to NSE libraries. See unittest.lua for examples, and run `nmap --script=unittest --script-args=unittest.run -d` to run the tests.
- Updated bundled liblua from 5.2.2 to 5.2.3 (bugfix release)
- Added version detection signatures and probes for a bunch of Android remote mouse/keyboard servers, including AndroMouse, AirHID, Wifi-mouse, and RemoteMouse.
- [NSE] Added allseeingeye-info for gathering information from games using this query protocol. A version detection probe was also added.
- [NSE] Add freelancer-info to gather information about the Freelancer game server. Also added a related version detection probe and UDP protocol payload for detecting the service.
- [Ncat] Fixed compilation when --without-liblua is specified in configure (an #include needed an ifdef guard).
- [NSE] Add http-server-header script to grab the Server header as a last-ditch effort to get a software version. This can't be done as a softmatch because of the need to match non-HTTP services that obey some HTTP requests.
- [NSE] Add rfc868-time script to get the date and time from an RFC 868 Time server.
- [NSE] Add weblogic-t3-info script that detects the T3 RMI protocol used by Oracle/BEA Weblogic. Extracts the Weblogic version, as well
- Fixed a bug in libdnet with handling interfaces with AF_LINK addresses on FreeBSD >9. Likely affected other *BSDs. Handled by skipping these non-network addresses.
- Fixed a bug with UDP checksum calculation. When the UDP checksum is zero (0x0000), it must be transmitted as 1's-complement -0 (0xffff) to avoid ambiguity with +0, which indicates no checksum was calculated. This affected UDP on IPv4 only.
- [NSE] Removed a fixed value (28428) which was being set for the Request ID in the snmpWalk library function; a value based on nmap.clock_ms will now be set instead.
- [NSE] Add http-iis-short-name-brute script that detects Microsoft IIS servers vulnerable to a file/folder name disclosure and a denial of service vulnerability. The script obtains the "shortnames" of the files and folders in the webroot folder.
- Idle scan now supports IPv6. IPv6 packets don't usually come with fragment identifiers like IPv4 packets do, so new techniques had to be developed to make idle scan possible.
- [NSE] Add http-dlink-backdoor script that detects DLink routers with firmware backdoor allowing admin access over HTTP interface.
- The ICMP ID of ICMP probes is now matched against the sent ICMP ID, to reduce the chance of false matches.
- [NSE] Made telnet-brute support multiple parallel guessing threads, reuse connections, and support password-only logins.
- [NSE] Made the table returned by ssh1.fetch_host_key contain a "key" element, like that of ssh2.fetch_host_key. This fixed a crash in the ssh-hostkey script. The "key" element of ssh2.fetch_host_key now is base64-encoded, to match the format used by the known_hosts file.
- [Nsock] Handle timers and timeouts via a priority queue (using a heap) for improved performance. Nsock now only iterates over events which are completed or expired instead of inspecting the entire event set at each iteration.
- [NSE] Update dns-cache-snoop script to use a new list of top 50 domains rather than a 2010 list.
- [NSE] Added the qconn-exec script, which tests the QNX QCONN service for remote command execution.
- [Zenmap] Fixed a crash that would happen when you entered a search term starting with a colon: "AttributeError: 'FilteredNetworkInventory' object has no attribute 'match_'".
- [Ncat] Added NCAT_PROTO, NCAT_REMOTE_ADDR, NCAT_REMOTE_PORT, NCAT_LOCAL_ADDR and NCAT_LOCAL_PORT environment variables being set in all --*-exec child processes.
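The UDP checksum entry in the list above (a computed 0x0000 is transmitted as 0xffff so that it is not read as "no checksum"), shown as an added example that is not Nmap's code. The function names and the sample datagram are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Add n bytes, read as big-endian 16-bit words, to a one's-complement sum. */
static uint32_t oc_add(const uint8_t *p, size_t n, uint32_t acc)
{
    for (; n > 1; p += 2, n -= 2)
        acc += ((uint32_t)p[0] << 8) | p[1];
    if (n) acc += (uint32_t)p[0] << 8;   /* odd trailing byte, zero padded */
    return acc;
}

/* IPv4 pseudo-header plus UDP segment, carries folded back into 16 bits.
 * The checksum field (bytes 6-7) is summed only when with_field is set. */
static uint16_t udp4_sum(const uint8_t src[4], const uint8_t dst[4],
                         const uint8_t *udp, size_t len, int with_field)
{
    uint8_t ph[12] = {0};
    memcpy(ph, src, 4);
    memcpy(ph + 4, dst, 4);
    ph[9] = 17;                          /* protocol number for UDP */
    ph[10] = (uint8_t)(len >> 8);        /* UDP length, big-endian */
    ph[11] = (uint8_t)len;
    uint32_t acc = oc_add(ph, sizeof ph, 0);
    acc = oc_add(udp, with_field ? 8 : 6, acc);
    acc = oc_add(udp + 8, len - 8, acc);
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}

/* Checksum as computed, before any substitution; -1 for an invalid length. */
int udp4_checksum_raw(const uint8_t src[4], const uint8_t dst[4],
                      const uint8_t *udp, size_t len)
{
    if (len < 8 || len > 0xffff) return -1;
    return (uint16_t)~udp4_sum(src, dst, udp, len, 0);
}

/* Value to transmit: a computed 0x0000 goes out as 0xffff. */
int udp4_checksum_wire(const uint8_t src[4], const uint8_t dst[4],
                       const uint8_t *udp, size_t len)
{
    int c = udp4_checksum_raw(src, dst, udp, len);
    return c == 0 ? 0xffff : c;
}

/* Receiver: 2 = no checksum was computed, 1 = verified, 0 = bad. */
int udp4_checksum_check(const uint8_t src[4], const uint8_t dst[4],
                        const uint8_t *udp, size_t len)
{
    if (len < 8 || len > 0xffff) return 0;
    if (udp[6] == 0 && udp[7] == 0) return 2;
    return udp4_sum(src, dst, udp, len, 1) == 0xffff;
}

/* Constructed sample: 192.0.2.1:40000 -> 192.0.2.2:53; the last two payload
 * bytes are chosen so that the computed checksum comes out as zero. */
int main(void)
{
    const uint8_t src[4] = {192, 0, 2, 1}, dst[4] = {192, 0, 2, 2};
    const uint8_t d[12] = {0x9c, 0x40, 0, 0x35, 0, 12, 0, 0, 'a', 'b', 0x7d, 0xfa};
    printf("computed 0x%04x, sent 0x%04x\n",
           (unsigned)udp4_checksum_raw(src, dst, d, sizeof d),
           (unsigned)udp4_checksum_wire(src, dst, d, sizeof d));
    return 0;
}
```

Both 0x0000 and 0xffff in the field satisfy the receiver's arithmetic for this datagram; only 0xffff tells the receiver that a checksum was actually computed.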
Version download: Nmap 6.45
Nmap 6.40
Update details:
- [Nping] Nping now checks for a matching ICMP ID on echo replies, to avoid receiving crosstalk from other ping programs running at the same time.
- [NSE] Added http-adobe-coldfusion-apsa1301.nse. It exploits an authentication bypass vulnerability in Adobe Coldfusion servers.
- [NSE] The ipOps.isPrivate library now considers the deprecated site-local prefix fec0::/10 to be private.
- [Ncat] Added --lua-exec. This feature is basically an equivalent of ncat --sh-exec "lua " and allows you to run Lua scripts with Ncat, redirecting all stdin and stdout operations to the socket connection.
- [NSE] Oops, there was a vulnerability in one of our 437 NSE scripts. If you ran the (fortunately non-default) http-domino-enum-passwords script with the (fortunately also non-default) domino-enum-passwords.idpath parameter against a malicious server, it could cause an arbitrarily named file to be written to the client system. stdnse.filename_escape function for extra safety.
- [NSE] Added teamspeak2-version.nse
- Nmap's routing table is now sorted first by netmask, then by metric. Previously it was the other way around, which could cause a very general route with a low metric to be preferred over a specific route with a higher metric.
- [Ncat] The -i option (idle timeout) now works in listen mode as well as connect mode.
- Fixed a byte-ordering problem on little-endian architectures when doing idle scan with a zombie that uses broken ID increments.
- [Ncat] Ncat now supports chained certificates with the --ssl-cert option.
- Stop parsing TCP options after reaching EOL in libnetutil.
- [NSE] The dns-ip6-arpa-scan script now optionally accepts "/" syntax for a network mask.
- [Ncat] Reduced the default --max-conns limit from 100 to 60 on Windows, to stay within platform limitations.
- Fixed IPv6 routing table alignment on NetBSD.
- [NSE] Added http-phpmyadmin-dir-traversal
- Added a service probe for Erlang distribution nodes.
- Updated libdnet to not SIOCIFNETMASK before SIOCIFADDR on OpenBSD. This was reported to break on -current as of May 2013.
- Fixed address matching for SCTP (-PY) ping.
- Removed some non-ANSI-C strftime format strings ("%F") and locale-dependent formats ("%c") from NSE scripts and libraries. C99-specified %F
- [Zenmap] Added Polish translation
- [NSE] Added http-coldfusion-subzero. It detects Coldfusion 9 and 10 vulnerable to a local file inclusion vulnerability and grabs the version, install path and the administrator credentials.
- [Nsock] Added a minimal regression test suite for nsock.
- [NSE] Updated redis-brute.nse and redis-info.nse to work against the latest versions of redis server.
- [Ncat] Fixed errors in connecting to IPv6 proxies.
- Added a service probe for Minecraft servers.
- [NSE] Updated hostmap-bfk to work with the latest version of their website.
- [NSE] Added XML structured output support to hostmap-bfk, hostmap-robtex, and hostmap-ip2hosts.
- [NSE] Added hostmap-ip2hosts. It uses the service provider ip2hosts.com to list domain names pointing to the same IP address.
- [NSE] Added http-vuln-cve2013-0156. It detects Ruby on Rails servers vulnerable to remote command execution.
- Added a service probe for the Hazelcast data grid.
- [NSE] Rewrote telnet-brute for better compatibility with a variety of telnet servers.
- [Nsock] Added initial proxy support to nsock. Nsock based modules (version scan, nse) of nmap can now establish TCP connections through chains of proxies. HTTP CONNECT and SOCKS4 protocols are supported, with some limitations.
- Fixed a regression that changed the number of delimiters in machine output.
- [Zenmap] Updated the Italian translation.
- Handle ICMP type 11 (Time Exceeded) responses to port scan probes. Ports will be reported as "filtered", to be consistent with existing Connect scan results, and will have a reason of time-exceeded.
- Add new decoders (BROWSER, DHCP6 and LLMNR) to broadcast-listener and changed output of some of the decoders slightly.
- Timeout script-args are now standardized to use the timespec that Nmap's command-line arguments take (5s, 5000ms, 1h, etc.). Some scripts that previously took an integer number of milliseconds will now treat that as a number of seconds if not explicitly denoted as ms.
- The list of nameservers on Windows now ignores nameservers from inactive interfaces.
- Namespace the pipes used to communicate with subprocesses by PID, to avoid multiple instances of Ncat from interfering with each other.
- Nmap may now partially rearrange its target list for more efficient host groups. Previously, a single target with a different interface, or with an IP address the same as that of a target already in the group, would cause the group to be broken off at whatever size it was. Now, we buffer a small number of such targets, and keep looking through the input for more targets to fill out the current group.
- [NSE] Changed ip-geolocation-geoplugin to use the web service's new output format.
- Limited the number of open sockets in ultra_scan to FD_SETSIZE. Very fast connect scans could write past the end of an fd_set and cause a variety of crashes: nmap: scan_engine.cc:978: bool ConnectScanInfo::clearSD(int): Assertion `numSDs > 0' failed. select failed in do_one_select_round(): Bad file descriptor (9)
- Fixed a bug that prevented Nmap from finding any interfaces when one of them had the type ARP_HDR_APPLETALK; this was the case for AppleTalk interfaces. However, this support is not complete since AppleTalk interfaces use different size hardware addresses than Ethernet. Nmap IP level scans should work without any problem
- [Nping] Nping now skips localhost targets for privileged pings (with an error message) because those generally don't work.
- [Ncat] Ncat now keeps running in connect mode after receiving EOF from the remote socket, unless --recv-only is in effect.
- Routes are now sorted to prefer those with a lower metric. Retrieval of metrics is supported only on Linux and Windows. [David Fifield]
- Packet trace of ICMP packets now includes the ICMP ID and sequence number by default.
- [NSE] Added ike-version and a new ike library
- [NSE] Fixed various NSEDoc bugs
- [Zenmap] Zenmap now understands the NMAP_PRIVILEGED and NMAP_UNPRIVILEGED environment variables.
- It's now possible to mix IPv4 range notation with CIDR netmasks in target specifications. For example, 192.168-170.4-100,200.5/16 is effectively the same as 192.168.168-170.0-255.0-255.
- Added nmap-fo.xsl. This converts Nmap XML into XSL-FO, which can be converted into PDF using Apache FOP.
- Increased the number of slack file descriptors not used during connect scan. Previously, the calculation did not consider the descriptors used by various open log files. Connect scans using a lot of sockets could fail with the message "Socket creation in sendConnectScanProbe: Too many open files".
- [Zenmap] Fixed internationalization files. Running in a language other than the default English would result in the error "ValueError: too many values to unpack".
- Changed the --webxml XSL stylesheet to point to the new location of nmap.xsl in the new repository,
- [NSE] Made the vulnerability library able to preserve vulnerability information across multiple ports of the same host.
- [NSE] Added ventrilo-info. This gets information from a Ventrilo VoIP server.
- Removed the undocumented -q option, which renamed the nmap process to something like "pine".
- Moved the Japanese man page from man1/jp to man1/ja. jp is a country code while ja is a language code.
- [NSE] Added mysql-enum script which enumerates valid mysql server usernames
- [Nsock] Reworked the logging infrastructure to make it more flexible and consistent. Updated nmap, nping and ncat accordingly. Nsock log level can now be adjusted at runtime by pressing d/D in nmap.
- [NSE] Fixed scripts using unconnected UDP sockets.
- [NSE] Added structured output to http-git.nse.
- [NSE] Added murmur-version. This gets the server version and other information for Murmur, the server for the Mumble VoIP system.
- Added a corresponding UDP payload for Murmur.
- [Zenmap] Fixed a crash that could be caused by opening the About dialog, using the window manager to close it, and opening it again.
- [Ncat] Made test-addrset.sh exit with nonzero status if any tests fail. This in turn causes "make check" to fail if any tests fail.
- Fixed compilation with --without-liblua.
- Fixed CRC32c calculation (as used in SCTP scans) on 64-bit platforms.
- [NSE] Added multicast group name output to broadcast-igmp-discovery.nse.
- [NSE] Added new fingerprints for http-enum: Sitecore, Moodle, typo3, SquirrelMail, RoundCube.
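The FD_SETSIZE entries in the 6.45 and 6.40 lists above (safe fd_set operations, connect scans writing past the end of an fd_set, and slack descriptors for open log files) come down to the two checks below. This is an added example, not Nmap's code; the function names and the descriptor list are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/select.h>

/* Build *set from fds[0..n-1] and return the nfds argument for select()
 * (highest accepted descriptor + 1, or 0 if none was accepted).
 * FD_SET(fd, set) writes bit number fd of a fixed array of FD_SETSIZE bits,
 * so a descriptor outside 0..FD_SETSIZE-1 is never passed to it; such
 * descriptors are counted in *rejected for the caller to close or defer. */
int fdset_fill_checked(fd_set *set, const int *fds, size_t n, size_t *rejected)
{
    int maxfd = -1;

    FD_ZERO(set);
    *rejected = 0;
    for (size_t i = 0; i < n; i++) {
        if (fds[i] < 0 || fds[i] >= FD_SETSIZE) {
            (*rejected)++;
            continue;
        }
        FD_SET(fds[i], set);
        if (fds[i] > maxfd)
            maxfd = fds[i];
    }
    return maxfd + 1;
}

/* How many new sockets may be opened at once. POSIX hands out the lowest
 * unused descriptor number, so with already_open descriptors in use (stdio,
 * log files, ...) every new one stays below FD_SETSIZE only while
 * already_open + new <= FD_SETSIZE. */
size_t socket_budget(size_t wanted, size_t already_open)
{
    size_t limit = (size_t)FD_SETSIZE;
    size_t room = already_open >= limit ? 0 : limit - already_open;
    return wanted < room ? wanted : room;
}

int main(void)
{
    /* Constructed descriptor list: two usable values, three out of range. */
    const int fds[] = {3, FD_SETSIZE, -1, 10, FD_SETSIZE + 5};
    fd_set set;
    size_t rejected;
    int nfds = fdset_fill_checked(&set, fds, sizeof fds / sizeof fds[0], &rejected);

    printf("nfds=%d rejected=%zu budget=%zu\n", nfds, rejected,
           socket_budget(5000, 8));
    return 0;
}
```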
Version download: Nmap 6.40