# Nmap Changelog ($Id: CHANGELOG 35745 2016-03-29 15:27:50Z dmiller $); -*-text-*-

Nmap 7.12 [2016-03-29]

o [Zenmap] Avoid file corruption in zenmap.conf, reported as files containing
  many null ("\x00") characters. Example exception:
    ValueError: unable to parse colour specification

o [NSE] VNC updates including vnc-brute support for TLS security type and
  negotiating a lower RFB version if the server sends an unknown higher
  version.  [Daniel Miller]

o [NSE] Added STARTTLS support for VNC, NNTP, and LMTP [Daniel Miller]

o Added new service probes and match lines for OpenVPN on UDP and TCP.

Nmap 7.11 [2016-03-22]

o [NSE][GH#341] Added support for diffie-hellman-group-exchange-* SSH key
  exchange methods to ssh2.lua, allowing ssh-hostkey to run on servers that
  only support custom Diffie-Hellman groups. [Sergey Khegay]

o [NSE] Added support in sslcert.lua for Microsoft SQL Server's TDS protocol,
  so you can now grab certs with ssl-cert or check ciphers with
  ssl-enum-ciphers.  [Daniel Miller]

o [Zenmap] Fix a crash when setting default window geometry:
    TypeError: argument of type 'int' is not iterable

o [Zenmap] Fix a crash when displaying the date from an Nmap XML file due to an
  empty or unknown locale:
    File "zenmapCore/NmapParser.py", line 627, in get_formatted_date
      locale.getpreferredencoding())
    LookupError: unknown encoding:

o [Zenmap] Fix a crash due to incorrect file paths when installing to
  /usr/local prefix. Example:
    Exception: File '/home/blah/.zenmap/scan_profile.usp' does not exist or could not be found!

Nmap 7.10 [2016-03-17]

o [NSE] Added 12 NSE scripts from 7 authors, bringing the total up to 527!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are below
  (authors are listed in brackets):

  + [GH#322] http-apache-server-status parses the server status page of
    Apache's mod_status. [Eric Gershman]

  + http-vuln-cve2013-6786 detects a XSS and URL redirection vulnerability in
    Allegro RomPager web server. Also added a fingerprint for detecting
    CVE-2014-4019 to http-fingerprints.lua. [Vlatko Kosturjak]

  + [GH#226] http-vuln-cve2014-3704 detects and exploits the "Drupalgeddon"
    pre-auth SQL Injection vulnerability in Drupal. [Mariusz Ziulek]

  + imap-ntlm-info extracts hostname and sometimes OS version from
    NTLM-auth-enabled IMAP services. [Justin Cacak]

  + ipv6-multicast-mld-list discovers IPv6 multicast listeners with MLD probes.
    The discovery is the same as targets-ipv6-multicast-mld, but the subscribed
    addresses are decoded and listed.  [Alexandru Geana, Daniel Miller]

  + ms-sql-ntlm-info extracts OS version and sometimes hostname from MS SQL
    Server instances via the NTLM challenge message. [Justin Cacak]

  + nntp-ntlm-info extracts hostname and sometimes OS version from
    NTLM-auth-enabled NNTP services. [Justin Cacak]

  + pop3-ntlm-info extracts hostname and sometimes OS version from
    NTLM-auth-enabled POP3 services. [Justin Cacak]

  + rusers retrieves information about logged-on users from the rusersd RPC
    service. [Daniel Miller]

  + [GH#333] shodan-api queries the Shodan API (https://www.shodan.io) and
    retrieves open port and service info from their Internet-wide scan data.
    [Glenn Wilkinson]

  + smtp-ntlm-info extracts hostname and sometimes OS version from
    NTLM-auth-enabled SMTP and submission services. [Justin Cacak]

  + telnet-ntlm-info extracts hostname and sometimes OS version from
    NTLM-auth-enabled Telnet services. [Justin Cacak]

o Updated the OpenSSL shipped with our binary builds (Windows, OS X, and Linux
  RPM) to 1.0.2g with SSLv2 enabled.

o Integrated all of your IPv4 OS fingerprint submissions from October to
  January (536 of them). Added 104 fingerprints, bringing the new total to
  5089. Additions include Linux 4.2, more Windows 10, IBM i 7, and more.
  Highlights: http://seclists.org/nmap-dev/2016/q1/270 [Daniel Miller]

o Integrated all of your service/version detection fingerprints submitted from
  October to January (508 of them). The signature count went up 2.2% to 10532.
  We now detect 1108 protocols, from icy, finger, and rtsp to ipfs,
  basestation, and minecraft-pe. Highlights:
  http://seclists.org/nmap-dev/2016/q1/271 [Daniel Miller]

o Integrated all 12 of your IPv6 OS fingerprint submissions from October to
  January. The classifier added 3 new groups, including new and expanded groups
  for OS X, bringing the new total to 96. Highlights:
  http://seclists.org/nmap-dev/2016/q1/273 [Daniel Miller]

o [NSE] Upgrade to http-form-brute allowing correct handling of token-based
  CSRF protections and cookies. Also, a simple database of common login forms
  supports Django, Wordpress, MediaWiki, Joomla, and others. [Daniel Miller]

o [Zenmap] [GH#247] Remember window geometry (position and size) from the
  previous time Zenmap was run. [isjing]

o New service probe for CORBA GIOP (General Inter-ORB Protocol) detection
  should elicit a not-found exception from GIOP services that do not respond to
  non-GIOP probes. [Quentin Hardy]

o [GH#284] Fix retrieval of route netmasks on FreeBSD. IPv6 routes were given
  /32 netmasks regardless of actual netmask configured, resulting in failed
  routing. Reported by Martin Gysi. [Daniel Miller]

o [GH#272][GH#269] Give option parsing errors after the usage statement, or
  avoid printing the usage statement in some cases. The options summary has
  grown quite large, requiring users to scroll to the top to see the error
  message. [Abhishek Singh]

o [GH#249][Nsock] Avoid a crash on Windows reported by users using Zenmap's
  Slow Comprehensive Scan profile.  In the case of unknown OpenSSL errors,
  ERR_reason_error_string would return NULL, which could not be printed with
  the "%s" format string. Reported by Dan Baxter. [Gisle Vanem, Daniel Miller]

o [GH#293][Zenmap] Fix a regression in our build that caused copy-and-paste to
  not work in Zenmap on Windows.

o Changed Nmap's idea of reserved and private IP addresses to include
  169.254/16 (RFC3927) and remove 6/8, 7/8, and 55/8 networks. This list, in
  libnetutil's isipprivate function, is used to filter -iR randomly generated
  targets. The newly-valid address ranges belong to the U.S. Department of
  Defense, so users wanting to avoid those ranges should use their own
  exclusion lists with --exclude or --exclude-file.  [Bill Parker, Daniel
  Miller]

o Allow the -4 option for Nmap to indicate IPv4 address family. This is the
  default, and using the option doesn't change anything, but does make it more
  explicit which address family you want to scan. Using -4 with -6 is an error.
  [Daniel Miller]

o [GH#265] When provided a verbosity of 0 (-v0), Nmap will not output any text to the
  screen. This happens at the time of argument parsing, so the usual meaning of
  "verbosity 0" is preserved. [isjing]

o [NSE][GH#314] Fix naming of SSL2_RC2_128_CBC_WITH_MD5 and
  SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 ciphers in sslv2 in order to match the
  draft specification from Mozilla. [Bertrand Bonnefoy-Claudet]

o [NSE][GH#320] Add STARTTLS support to sslv2 to enable SSLv2 detection
  against services that are not TLS encrypted by default but that support
  post connection upgrade. This will enable more comprehensive detection
  of SSLv2 and DROWN (CVE-2016-0800) attack oracles. [Tom Sellers]

o [NSE][GH#301] Added default credential checks for RICOH Web Image Monitor and
  BeEF to http-default-accounts. [nnposter]

o Properly display Next-hop MTU value from ICMP Type 3 Code 4 Fragmentation
  Required messages when tracing packets or in Nping output. Improper offset
  meant we were printing the total IP length. [Sławomir Demeszko]

o [NSE] Added support for DHCP options "TFTP server name" and "Bootfile name"
  to dhcp.lua and enabled checking for options with a code above 61 by default.
  [Mike Rykowski]

o [NSE] whois-ip: Don't request a remote IANA assignments data file when the
  local filesystem will not permit the file to cached in a local file. [jah]

o [NSE] Updated http-php-version hash database to cover all versions from PHP
  4.1.0 to PHP 5.4.45. Based on scans of a few thousand PHP web servers pulled
  from Shodan API (https://www.shodan.io/) [Daniel Miller]

o Use the same ScanProgressMeter for FTP bounce scan (-b) as for the other scan
  types, allowing periodic status updates with --stats-every or keypress
  events.  [Daniel Miller]

o [GH#274] Use a shorter pcap_select timeout on OpenBSD, just as we do for OS
  X, old FreeBSD, and Solaris, which use BPF for packet capture and do not have
  properly select-able fds. Fix by OpenBSD port maintainer [David Carlier]

o Print service info in grepable output for ports which are not listed in
  nmap-services when a service tunnel (SSL) is detected. Previously, the
  service info ("ssl|unknown") was not printed unless the service inside the
  tunnel was positively identified. http://seclists.org/nmap-dev/2015/q4/260
  [Daniel Miller]

o [NSE] [GH#242] Fix multiple false-positive sources in http-backup-agent.
  [Tom Sellers]

Nmap 7.01 [2015-12-09]

o Switch to using gtk-mac-bundler and jhbuild for building the OS X installer.
  This promises to reduce a lot of the problems we've had with local paths and
  dependencies using the py2app and macports build system. [Daniel Miller]

o The Windows installer is now built with NSIS 2.47 which features LoadLibrary
  security hardening to prevent DLL hijacking and other unsafe use of temporary
  directories. Thanks to Stefan Kanthak for reporting the issue to NSIS and to
  us and the many other projects that use it.

o Updated the OpenSSL shipped with our binary builds (Windows, OS X, and RPM)
  to 1.0.2e.

o [Zenmap] [GH#235] Fix several failures to launch Zenmap on OS X. The new
  build process eliminates these errors:
    IOError: [Errno 2] No such file or directory: '/Applications/Zenmap.app/Contents/Resources/etc/pango/pangorc.in'
    LSOpenURLsWithRole() failed for the application /Applications/Zenmap.app with error -10810.

o [NSE] [GH#254] Update the TLSSessionRequest probe in ssl-enum-ciphers to
  match the one in nmap-service-probes, which was fixed previously to correct a
  length calculation error. [Daniel Miller]

o [NSE] [GH#251] Correct false positives and unexpected behavior in http-*
  scripts which used http.identify_404 to determine when a file was not found
  on the target. The function was following redirects, which could be an
  indication of a soft-404 response. [Tom Sellers]

o [NSE] [GH#241] Fix a false-positive in hnap-info when the target responds
  with 200 OK to any request. [Tom Sellers]

o [NSE] [GH#244] Fix an error response in xmlrpc-methods when run against a
  non-HTTP service. The expected behavior is no output. [Niklaus Schiess]

o [NSE] Fix SSN validation function in http-grep, reported by Bruce Barnett.

Nmap 7.00 [2015-11-19]

o This is the most important release since Nmap 6.00 back in May 2012!
  For a list of the most significant improvements and new features,
  see the announcement at: https://nmap.org/7

o [NSE] Added 6 NSE scripts from 6 authors, bringing the total up to 515!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are below
  (authors are listed in brackets):

  + targets-xml extracts target addresses from previous Nmap XML results files.
    [Daniel Miller]

  + [GH#232] ssl-dh-params checks for problems with weak, non-safe, and
    export-grade Diffie-Hellman parameters in TLS handshakes. This includes the
    LOGJAM vulnerability (CVE-2015-4000). [Jacob Gajek]

  + nje-node-brute does brute-forcing of z/OS JES Network Job Entry node names.
    [Soldier of Fortran]

  + ip-https-discover detectings support for Microsoft's IP over HTTPS
    tunneling protocol. [Niklaus Schiess]

  + [GH#165] broadcast-sonicwall-discover detects and extracts information from
    SonicWall firewalls. [Raphael Hoegger]

  + [GH#38] http-vuln-cve2014-8877 checks for and optionally exploits a
    vulnerability in CM Download Manager plugin for Wordpress. [Mariusz Ziulek]

o [Ncat] [GH#151] [GH#142] New option --no-shutdown prevents Ncat from shutting
  down when it reads EOF on stdin. This is the same as traditional netcat's
  "-d" option. [Adam Saponara]

o [NSE] [GH#229] Improve parsing in http.lua for multiple Set-Cookie headers in
  a single response.  [nnposter]

Nmap 6.49BETA6 [2015-11-03]

o Integrated all of your IPv6 OS fingerprint submissions from April to October
  (only 9 of them!). We are steadily improving the IPv6 database, but we need
  your submissions. The classifier added 3 new groups, bringing the new total
  to 93. Highlights: http://seclists.org/nmap-dev/2015/q4/61 [Daniel Miller]

o Integrated all of your IPv4 OS fingerprint submissions from February to
  October (1065 of them). Added 219 fingerprints, bringing the new total to
  4985. Additions include Linux 4.1, Windows 10, OS X 10.11, iOS 9, FreeBSD
  11.0, Android 5.1, and more. Highlights:
  http://seclists.org/nmap-dev/2015/q4/60 [Daniel Miller]

o Integrated all of your service/version detection fingerprints submitted from
  February to October (800+ of them). The signature count went up 2.5% to
  10293. We now detect 1089 protocols, from afp, bitcoin, and caldav to
  xml-rpc, yiff, and zebra. Highlights: http://seclists.org/nmap-dev/2015/q4/62
  [Daniel Miller]

o [NSE] Added 10 NSE scripts from 5 authors, bringing the total up to 509!
  They are all listed at http://nmap.org/nsedoc/, and the summaries are below
  (authors are listed in brackets):

  + knx-gateway-discover and knx-gateway-info scripts gather information from
    multicast and unicast KNX gateways, which connect home automation systems
    to IP networks. [Niklaus Schiess, Dominik Schneider]

  + http-ls parses web server directory index pages with optional recursion.
    [Pierre Lalet]

  + xmlrpc-methods perfoms introspection of xmlrpc services and lists methods
    and their descriptions. [Gyanendra Mishra]

  + http-fetch can be used like wget or curl to fetch all files, specific
    filenames, or files that match a given pattern. [Gyanendra Mishra]

  + http-svn-enum enumerates users of a Subversion repository by examining
    commit logs. [Gyanendra Mishra]

  + http-svn-info requests information from a Subversion repository, similar to
    the "svn info" command. [Gyanendra Mishra]

  + hnap-info detects and outputs info for Home Network Administration Protocol
    devices. [Gyanendra Mishra]

  + http-webdav-scan detects WebDAV servers and reports allowed methods and
    directory listing. [Gyanendra Mishra]

  + tor-consensus-checker checks the target's address with the Tor directory
    authorities to determine if a target is a known Tor node. [Jiayi Ye]

o [NSE] Several scripts have been split, combined, or renamed:

  + [GH#171] smb-check-vulns has been split into:
    * smb-vuln-conficker
    * smb-vuln-cve2009-3103
    * smb-vuln-ms06-025
    * smb-vuln-ms07-029
    * smb-vuln-regsvc-dos
    * smb-vuln-ms08-067
    The scripts now use the vulns library, and the "unsafe" script-arg has been
    replaced by putting the scripts into the "dos" category. [Paulino Calderon]

  + http-email-harvest was removed, as the new http-grep does email address
    scraping by default. [Gyanendra Mishra]

  + http-drupal-modules was renamed to http-drupal-enum. Extended to enumerate
    both themes and modules of Drupal installaions. [Gyanendra Mishra]

o [Ncat] [GH#193] Fix Ncat listen mode over Unix sockets (named pipes) on OS X.
  This was crashing with the error:
    Ncat: getnameinfo failed: Undefined error: 0 QUITTING.
  Fixed by forcing the name to "localhost" [Michael Wallner]

o [Zenmap] Fix a crash in Zenmap when using Compare Results:
    AttributeError: 'NoneType' object has no attribute 'get_nmap_output'
  [Daniel Miller]

o [NSE] [GH#194] Add support for reading fragmented TLS messages to
  ssl-enum-ciphers. [Jacob Gajek]

o [GH#51] Added IPv6 support to nmap_mass_rdns, improved reverse DNS cache,
  and refactored DNS code to improve readability and
  extensibility. All in all, this makes the rDNS portion of IPv6 scans
  much faster. [Gioacchino Mazzurco]

o [NSE] Added NTLM brute support to http-brute. [Gyanendra Mishra]

o [NSE] Added NTLM authentication support to http.lua and a related function to create
  an ntlm v2 session response in smbauth.lua. [Gyanendra Mishra]

o [NSE] [GH#106] Added a new NSE module, ls.lua, for accumulating and
  outputting file and directory listings. The afp-ls, nfs-ls, and smb-ls
  scripts have been converted to use this module. [Pierre Lalet]

o [NSE] bacnet-info.nse and s7-info.nse were added to the version category.
  [Paulino Calderon] 

o [NSE] Added 124 new identifiers to bacnet-info.nse vendor database.
  [Paulino Calderon] 

o [NSE] Fixed bacnet-info.nse to bind to the service port detected 
  during scan instead of fixed port. [Paulino Calderon] 

o [NSE] Enhanced reporting of elliptic curve names and strengths in
  ssl-enum-ciphers. The name of the curve is now reported instead of just "ec"
  [Brandon Paulsen]

o [GH#75] Normalize Makefile targets to use the same verb-project format, e.g.
  build-ncat, check-zenmap, install-nping, clean-nsock [Gioacchino Mazzurco]

o [NSE] Added builtin pattern and multiple pattern search to http-grep. [Gyanendra Mishra]

o [NSE] http-crossdomainxml is now http-cross-domain-policy and supports client
  access policies and uses the new SLAXML parser. [Gyanendra Mishra]

o [NSE] Added a patch for vulns lib that allows list of tables to be submitted
  to fields in the vulns report. [Jacob Gajek]

o [NSE] Added additional checks for successful PUT request in http-put.
  [Oleg Mitrofanov]

o [NSE] Added an update for http-methods that checks all possible methods not in
  Allow or Public header of OPTIONS response. [Gyanendra Mishra]

o [NSE] Added SLAXML, an XML parser in Lua originally written by Gavin Kistner
  (a.k.a. Phrogz). [Gyanendra Mishra]

o [NSE] [GH#122] Update the snmp-brute and other snmp-* scripts to use the
  creds library to store brute-forced snmp community strings. This allows Nmap
  to use the correct brute-forced string for each host. [Gioacchino Mazzurco]

o Several improvements to TLS/SSL detection in nmap-service-probes. A new
  probe, TLSSessionReq, and improvements to default SSL ports should help speed
  up -sV scans. http://seclists.org/nmap-dev/2015/q2/17 [Daniel Miller]

o [Nsock] Clean up the API so that nsp_* calls are now nsock_pool_* and nsi_*
  are nsock_iod_*. Simplify Nsock SSL init API, and make logging global to the
  library instead of associated with a nspool. [Henri Doreau]

o [GH#181] The configure script now prints a summary of configured options.
  Most importantly, it warns if OpenSSL was not found, since most users will
  want this library compiled in. [Gioacchino Mazzurco]

o Define TCP Options for SYN scan in nmap.h instead of literally throughout.
  This string is used by p0f and other IDS to detect Nmap scans, so having it a
  compile-time option is a step towards better evasion. [Daniel Miller]

o [GH#51] Nmap's parallel reverse-DNS resolver now handles IPv6 addresses. This
  should result in faster -6 scans. The old behavior is available with
  --system-dns. [Gioacchino Mazzurco]

o [NSE] Fix a couple odd bugs in NSE command-line parsing. Most notably,
  --script broadcast-* will now work (generally, wildcards with scripts whose
  name begins with a category name were not working properly). [Daniel Miller]

o [NSE] [GH#113] http-form-fuzzer will now stop increasing the size of a
  request when an HTTP 413 or 414 error indicates the web server will not
  accept a larger request. [Gioacchino Mazzurco]

o [NSE] [GH#159] Add the ability to tag credentials in the creds library with
  freeform text for easy retrieval. This gives necessary granularity to track
  credentials to multiple web apps on a single host+port. [Gioacchino Mazzurco]

Nmap 6.49BETA5 [2015-09-25]

o Work around a bug which could cause Nmap to hang when running
  multiple instances at once on Windows. The actual bug appears to be
  in the WinPCAP driver in that it hanges when accessed via
  OpenServiceA by multiple processes at once. So for now we have added
  a mutex to prevent even multiple Nmap processes from making
  concurrent calls to this part of WinPcap. We've received the reports
  from multiple users on Windows 8.1 and Windows Server 2012 R2 and
  this fix seems to resolve the hang for them. [Daniel Miller]

o [GH#212][NSE] Fix http.get_url function which was wrongly attempting
  non-SSL HTTP requests first when passed https URLs. [jah]

o [GH#201] Fix Ndiff interpreter path problems in the OS X .dmg
  installer which could prevent Ndiff (and the related Zenmap "compare
  results" window) from working on OS X in some cases. [Daniel Miller]

o Fix Nmap's DTD, which did not recognize that the script element
  could contain character data when a script returns a number or a
  boolean.  [Jonathan Daugherty]

o [GH#172][NSE] Fix reporting of DH parameter sizes by
  ssl-enum-ciphers. The number shown was the length in bytes, not bits
  as it should have been.  Reported by Michael Staruch. [Brandon
  Paulsen]

o Our Windows Nmap packages are now compiled with the older platform
  toolset (v120_xp rather than v120) and so they may work with Windows
  XP again for the dwindling number of users still on that operating
  system.

o [GH#34] Disable TPACKET_V3 in our included libpcap. This version of
  the Linux kernel packet ring API has problems that result in lots of
  lost packets. This patch falls back to TPACKET_V2 or earlier
  versions if available. [nnposter]

o [NSE] Check for socket errors in iscsi.lua. This was causing the
  iscsi-info script to crash against some services. [Daniel Miller]

o [NSE] Fix http-useragent-tester, which was using cached HTTP
  responses instead of testing new User-Agent strings. [Daniel Miller]

o Output a warning when deprecated options are used, and suggest the
  preferred option. Currently deprecated: -i -o -m -sP -P0 -PN -oM
  -sR. The warning is only visible with -v. [Daniel Miller]

o Add a fatal error for options like -oG- which is interpreted as the
  deprecated -o option, outputting to a file named "G-", instead of
  the expected behavior of -oG - (Grepable output to stdout). [Daniel
  Miller]

o [GH#196] Fix raw packet sending on FreeBSD 10.0 and later. FreeBSD
  changed byte order of the IPv4 stack, so SYN scan and other raw
  packet functions were broken. [Edward Napierała] Also reported in
  [GH#50] by Olli Hauer.

o [GH#183] Fix compilation on Visual Studio 2010, which failed with
  error: "service_scan.cc(2559): error C2065: 'EOPNOTSUPP' :
  undeclared identifier" [Daniel Miller]

o [GH#115][NSE] ssl-enum-ciphers will still produce output if OpenSSL
  (required for certificate parsing) is not available. In cases where
  handshake strength depends on the certificate, it will be reported
  as "unknown". [jrchamp]

Nmap 6.49BETA4 [2015-07-06]

o Fix a hang on OS X in Zenmap's Topology page with error
  "zenmap_wrapper.py[857]: GError: Couldn't recognize the image file format for
  file '/Applications/Zenmap.app/Contents/MacOS/../Resources/share/zenmap/pixmaps/radialnet/padlock.png'
  http://seclists.org/nmap-dev/2015/q3/8 [Daniel Miller]

o Fix a small memory leak for each target specified as a hostname which fails
  to resolve. [Daniel Miller]

o Allow 'make check' to succeed when Nmap is configured without OpenSSL
  support. This was broken due to our NSE unittest library expecting to be able
  to load every library without error. [Daniel Miller]

o [NSE] Enable ssl-enum-ciphers to safely scan servers with a long handshake
  intolerance issue which resulted in incomplete results when the handshake was
  greater than 255 bytes. [Jacob Gajek, Daniel Miller]

o [Ncat] Fix a write overrun in Ncat that could cause a segfault if the -g
  (source route) option was given too many times. [Daniel Miller]

o [NSE] [GH#168] Allow ssl-enum-ciphers to run on non-typical ports when it is
  selected by name. It will now send a service detection probe if the port is
  not a typical SSL port and version scan (-sV) was not used. [Daniel Miller]

Nmap 6.49BETA3 [2015-06-25]

o [GH#166] Fix Ncat listen mode on Solaris and other platforms where struct sockaddr
  does not have a sa_len member. This also affected use of the -p and -s
  options. Brandon Haberfeld reported the crash. [Daniel Miller]

o [GH#164] Fix a Zenmap failure ot open on OS X with the error:
  "dyld: Symbol not found: _iconv Referenced from: /usr/lib/libcups.2.dylib"
  We had to remove the DYLD_LIBRARY_PATH environment variable from
  zenmap_wrapper.py. Reported by Robert Strom. [Daniel Miller]

o Report our https URL (https://nmap.org) in more places rather than
  our non-SSL one. [David Fifield]

o [NSE] Fix Diffie-Hellman parameter extraction in tls.lua. [Jacob Gajek]

Nmap 6.49BETA2 [2015-06-16]

o [GH#154] Fix a crash (assertion error) when Nmap recieves an ICMP Host
  Unreachable message.

o [GH#158] Fix a configure failure when Python is not present, but no Python
  projects were requested. [Gioacchino Mazzurco]

o [GH#161] [Zenmap] Fix Zenmap on OS X which was failing with
  zipimport.ZipImportError due to architecture mismatch.

o [NSE] Remove ahbl.org checks from dnsbl.lua, since the service was shut down.
  [Forrest B.]

Nmap 6.49BETA1 [2015-06-03]

o Integrated all of your IPv4 OS fingerprint submissions from May 2014 to
  February 2015 (1900+ of them). Added 281 fingerprints, bringing the new total
  to 4766. Addtions include Linux 3.18, Windows 8.1, OS X 10.10, Android 5.0,
  FreeBSD 10.1, OpenBSD 5.6, and more. Highlights:
  http://seclists.org/nmap-dev/2015/q2/169 [Daniel Miller]

o Integrated all of your service/version detection fingerprints submitted from
  June 2013 to February 2015 (2500+ of them). The signature count soared over
  the 10000 mark, a 12% increase. We now detect 1062 protocols, from http,
  telnet, and ftp to jute, bgp, and slurm. Highlights:
  http://seclists.org/nmap-dev/2015/q2/171 [Daniel Miller]

o Integrated all of your IPv6 OS fingerprint submissions from June 2013 to
  April 2015 (only 97 of them!). We are steadily improving the IPv6 database,
  but we need your submissions. The classifier added 9 new groups, bringing the
  new total to 90. Highlights: http://seclists.org/nmap-dev/2015/q2/170 [Daniel
  Miller]

o Nmap now has an official bug tracker! We are using Github Issues, which you
  can reach from http://issues.nmap.org/. We welcome your bug reports,
  enhancement requests, and code submissions via the Issues and Pull Request
  features of Github (https://github.com/nmap/nmap), though the repository
  itself is just a mirror of our authoritative Subversion repository.

o [Zenmap] New Chinese-language (zh) translation from Jie Jiang, new Hindi (hi)
  translation by Gyanendra Mishra, and updated translations for German (de,
  Chris Leick), Italian (it, Jan Reister), Polish (pl, Jacek Wielemborek), and
  French (fr, MaZ)

o Added options --data <hex string> and --data-string <string> to send custom
  payloads in scan packet data. [Jay Bosamiya]

o --reason is enabled for verbosity > 2, and now includes the TTL of received
  packets in Normal output (this was already present in XML) [Jay Bosamiya]

o Fix ICMP Echo (-PE) host discovery for IPv6, broken since 6.45, caused by
  failing to set the ICMP ID for outgoing packets which is used to match
  incoming responses. [Andrew Waters]

o Solve a crash on Windows (reported on Windows 8.1 on Surface Pro 3) caused by
  passing a NULL pointer to a WinPcap function that then tries to write an
  error message to it. [Peter Malecka]

o Enhance Nmap's tcpwrapped service detection by using a shorter timeout for
  the tcpwrapped designation. This prevents falsely labeling services as
  tcpwrapped which merely have a read timeout shorter than 6 seconds. Full
  discussion: http://issues.nmap.org/39 [nnposter, Daniel Miller]

o All nmap.org pages are now available SSL-secured to improve privacy
  and ensure your binaries can't be tampered with in transit. So be
  sure to download from https://nmap.org/download.html . We will soon
  remove the non-SSL version of the site. We still offer GPG-signed
  binaries as well: https://nmap.org/book/install.html#inst-integrity

o [NSE] Added 25 NSE scripts from 17 authors, bringing the total up to 494!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are below
  (authors are listed in brackets):

  + bacnet-info gets device information from SCADA/ICS devices via BACnet
    (Building Automation and Control Networks) [Stephen Hilt, Michael Toecker]

  + docker-version detects and fingerprints Docker [Claudio Criscione]

  + enip-info gets device information from SCADA/ICS devices via EtherNet/IP
    [Stephen Hilt]

  + fcrdns performs a Forward-confirmed Reverse DNS lookup and reports
    anomalous results. [Daniel Miller]

  + http-avaya-ipoffice-users enumerates users in Avaya IP Office 7.x systems.
    [Paulino Calderon]

  + http-cisco-anyconnect gets version and tunnel information from Cisco SSL
    VPNs. [Patrik Karlsson]

  + http-crossdomainxml detects overly permissive crossdomain policies and
    finds trusted domain names available for purchase. [Paulino Calderon]

  + http-shellshock detects web applications vulnerable to Shellshock
    (CVE-2014-6271). [Paulino Calderon]

  + http-vuln-cve2006-3392 exploits a file disclosure vulnerability in Webmin.
    [Paul AMAR]

  + http-vuln-cve2014-2126, http-vuln-cve2014-2127, http-vuln-cve2014-2128 and
    http-vuln-cve2014-2129 detect specific vulnerabilities in Cisco AnyConnect
    SSL VPNs. [Patrik Karlsson]

  + http-vuln-cve2015-1427 detects Elasticsearch servers vulnerable to remote
    code execution. [Gyanendra Mishra]

  + http-vuln-cve2015-1635 detects Microsoft Windows systems vulnerable to
    MS15-034. [Paulino Calderon]

  + http-vuln-misfortune-cookie detects the "Misfortune Cookie" vulnerability
    in Allegro RomPager 4.07, commonly used in SOHO routers for TR-069 access.
    [Andrew Orr]

  + http-wordpress-plugins was renamed http-wordpress-enum and extended to
    enumerate both plugins and themes of Wordpress installations and their
    versions. http-wordpress-enum is now http-wordpress-users. [Paulino Calderon]

  + mikrotik-routeros-brute performs password auditing attacks against
    Mikrotik's RouterOS API. [Paulino Calderon]

  + omron-info gets device information from Omron PLCs via the FINS service.
    [Stephen Hilt]

  + s7-info gets device information from Siemens PLCs via the S7 service,
    tunneled over ISO-TSAP on TCP port 102. [Stephen Hilt]

  + snmp-info gets the enterprise number and other information from the
    snmpEngineID in an SNMPv3 response packet. [Daniel Miller]

  + ssl-ccs-injection detects whether a server is vulnerable to the SSL/TLS
    CCS Injection vulnerability (CVE-2014-0224) [Claudiu Perta]

  + ssl-poodle detects the POODLE bug in SSLv3 (CVE-2014-3566) [Daniel Miller]

  + supermicro-ipmi-conf exploits Supermicro IPMI/BMC controllers. [Paulino
    Calderon]

  + targets-ipv6-map4to6 generates target IPv6 addresses which correspond to
    IPv4 addresses mapped within a particular IPv6 subnet. [Raúl Fuentes]

  + targets-ipv6-wordlist generates target IPv6 addresses from a wordlist made
    of hexadecimal characters. [Raúl Fuentes]

o Update our Windows build system to VS 2013 on Windows 8.1. Also, we now build
  our included OpenSSL with DEP, ASLR, and SafeSEH enabled. [Daniel Miller]

o Our OS X installer is now built for a minimum supported version of 10.8
  (Mountain Lion), a much-needed update from 10.5 (Leopard). Additionally,
  OpenSSL is now statically linked, allowing us to distribute the latest from
  Macports instead of being subjected to the 0.9.8 branch still in use as of
  10.9. [Daniel Miller]

o Add 2 more ASCII-art configure splash images to be rotated randomly with the
  traditional dragon image. New ideas for other images to use here may be sent
  to dev@nmap.org. [Jay Bosamiya, Daniel Miller]

o Solve a crash on Windows (reported on Windows 8.1 on Surface Pro 3) caused by
  passing a NULL pointer to a WinPcap function that then tries to write an
  error message to it. [Peter Malecka]

o Fix compilation and several bugs on AIX. [Daniel Miller]

o Fix a bug in libdnet-stripped on Solaris that resulted in the wrong MAC
  address being detected for all interfaces.
  http://seclists.org/nmap-dev/2015/q2/1 [Daniel Miller]

o New features for the IPv6 OS detection engine allow for better classification
  of systems: IPv6 guessed initial hop limit (TTL) and ratio of TCP initial
  window size to maximum segment size. [Alexandru Geana]

o [NSE] Rework ssl-enum-ciphers to actually score the strength of the SSL/TLS
  handshake, including certificate key size and DH parameters if applicable.
  This is similar to Qualys's SSL Labs scanner, and means that we no longer
  maintain a list of scores per ciphersuite. [Daniel Miller]

o [NSE] Improved http-form-brute autodetection and behavior to handle more
  unusual-but-valid HTML syntax, non-POST forms, success/failure testing on
  HTTP headers, and more. [nnposter]

o [NSE] Reduce many NSE default timeouts and base them on Nmap's detected
  timeouts for those hosts from the port scan phase. Scripts which take timeout
  script-args can now handle 's' and 'ms' suffixes, just like Nmap's own
  options. [Daniel Miller]

o [NSE] Remove db2-discover, as its functionality was performed by service
  version detection since the broadcast portion was separated into
  broadcast-db2-discover. http://seclists.org/nmap-dev/2014/q3/415 [Daniel
  Miller]

o Cache dnet names not found on Windows when enumerating interfaces in the
  Windows Registry. Reduces startup times. [Elon Natovich]

o [NSE] Make smb-ls able to leverage results from smb-enum-shares or list of
  shares specified on command line. [Pierre Lalet]

o [NSE] Fix X509 cert date parsing for dates after 2049. Reported by Teppo
  Turtiainen. [Daniel Miller]

o Handle a bunch of socket errors that can result from odd ICMP Type 3
  Destination Unreachable messages received during service scanning. The crash
  reported was "Unexpected error in NSE_TYPE_READ callback.  Error code: 92
  (Protocol not available)" [Daniel Miller]

o Fixed a crash (NULL pointer dereference) in PortList::isTCPwrapped when using
  -sV and -O on an unknown service not listed in nmap-services. [Pierre Lalet]

o Fixed a benign TOCTOU race between stat() and open() in mmapfile().
  Reported by Camille Mougey. [Henri Doreau]

o Reduce CPU consumption when using nsock poll engine with no registered FD,
  by actually calling Poll() for the time until timeout, instead of directly
  returning zero and entering the loop again. [Henri Doreau]

o Change the URI for the fingerprint submitter to its new location at
  https://nmap.org/cgi-bin/submit.cgi

o [NSE] Added a check for Cisco ASA version disclosure, CVE-2014-3398, to
  http-enum in the 'security' category [Daniel Miller]

o Fixed a bug that caused Nmap to fail to find any network interface when a
  Prism interface is in monitor mode. The fix was to define the
  ARP_HRD_IEEE80211_PRISM header identifier in the libdnet-stripped code.
  [Brad Johnson]

o Added a version probe for Tor. [David Fifield]

o [NSE] Add support to citrix-enum-apps-xml for reporting if Citrix
  published applications in the list are enforcing/requiring the level
  of ICA/session data encryption shown in the script result.
  [Tom Sellers]

o [NSE] Updated our Wordpress plugin list to improve the
  http-wordpress-enum NSE script. We can now detect 34,077 plugins,
  up from 18,570. [Danila Poyarkov]

o [NSE] Add the signature algorithm that was used to sign the target port's
  x509 certificate to the output of ssl-cert.nse [Tom Sellers]

o [NSE] Fixed a bug in the sslcert.lua library that was triggered against
  certain services when version detection was used. [Tom Sellers]

o [NSE] vulns.Report:make_output() now generates XML structured output
  reports automatically. [Paulino Calderon]

o [NSE] Add port.reason_ttl, host.reason, host.reason_ttl for use in scripts
  [Jay Bosamiya]

o [NSE] If a version script is run by name, nmap.version_intensity() returns
  the maximum value (9) for it [Jay Bosamiya]

o [NSE] shortport.version_port_or_service() takes an optional rarity parameter
  now to run only when version intensity > rarity [Jay Bosamiya]

o [NSE] Added nmap.version_intensity() function so that NSE version scripts
  can use the argument to --version-intensity (which can be overridden by the
  script arg 'script-intensity') in order to decide whether to run or not
  [Jay Bosamiya]

o Improve OS detection; If a port is detected to be 'tcpwrapped', then it will
  not be used for OS detection. This helps in cases where a firewall might be
  the port to be 'tcpwrapped' [Jay Bosamiya]

o [Zenmap] Reduce noise generated in Topology View due to anonymous
  hops [Jay Bosamiya]

o Added option --exclude-ports to Nmap so that some ports can be excluded from
  scanning (for example, due to policy) [Jay Bosamiya]

o [Zenmap] Catch the MemoryError caused in Zenmap due to large Nmap Output,
  and display a more helpful error message [Jay Bosamiya]

o Catch badly named output files (such as those unintentionally caused by
  "-oX -sV logfile.xml") [Jay Bosamiya]

o [Zenmap] Improved NmapParser to increase speed in opening scans. Large scans
  now open in seconds instead of hours. [Jay Bosamiya]

o Modify the included libpcap configure script to disable certain unused
  features: bluetooth, usb, usb-can, and dbus sniffing. Dbus support caused a
  build problem on CentOS 6.5. [Daniel Miller]

o Updated the bundled libpcap from 1.2.1 to 1.5.3 [Jay Bosamiya]

o Correct the Target MAC Address in Nmap's ARP discovery to conform to what IP
  stacks in currently popular operating systems use. [Jay Bosamiya]

o Fixed a bug which caused Nmap to be unable to have any runtime interaction
  when called from sudo or from a shell script. [Jay Bosamiya]

o Improvements to whois-ip.nse: fix an unhandled error when a referred-to
  response could not be understood; add a new pattern to recognise a
  LACNIC "record not found" type of response and update the way ARIN is
  queried. [jah]

Nmap 6.47 [2014-08-23]

o Integrated all of your IPv4 OS fingerprint submissions since June 2013
  (2700+ of them). Added 366 fingerprints, bringing the new total to 4485.
  Additions include Linux 3.10 - 3.14, iOS 7, OpenBSD 5.4 - 5.5, FreeBSD 9.2,
  OS X 10.9, Android 4.3, and more. Many existing fingerprints were improved.
  Highlights: http://seclists.org/nmap-dev/2014/q3/325 [Daniel Miller]

o (Windows, RPMs) Upgraded the included OpenSSL to version 1.0.1i. [Daniel Miller]

o (Windows) Upgraded the included Python to version 2.7.8. [Daniel Miller]

o Removed the External Entity Declaration from the DOCTYPE in Nmap's XML. This
  was added in 6.45, and resulted in trouble for Nmap XML parsers without
  network access, as well as increased traffic to Nmap's servers. The doctype
  is now:
  <!DOCTYPE nmaprun>

o [Ndiff] Fixed the installation process on Windows, which was missing the
  actual Ndiff Python module since we separated it from the driver script.
  [Daniel Miller]

o [Ndiff] Fixed the ndiff.bat wrapper in the zipfile Windows distribution,
  which was giving the error, "\Microsoft was unexpected at this time." See
  https://support.microsoft.com/kb/2524009 [Daniel Miller]

o [Zenmap] Fixed the Zenmap .dmg installer for OS X. Zenmap failed to launch,
  producing this error:
    Could not import the zenmapGUI.App module:
    'dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.6/lib-dynload/glib/_glib.so, 2):
    Library not loaded: /Users/david/macports-10.5/lib/libffi.5.dylib\n
    Referenced from:
    /Applications/Zenmap.app/Contents/Resources/lib/python2.6/lib-dynload/glib/_glib.so\n
    Reason: image not found'.

o [Ncat] Fixed SOCKS5 username/password authentication. The password length was
  being written in the wrong place, so authentication could not succeed.
  Reported with patch by Pierluigi Vittori.

o Avoid formatting NULL as "%s" when running nmap --iflist. GNU libc converts
  this to the string "(null)", but it caused segfault on Solaris. [Daniel Miller]

o [Zenmap][Ndiff] Avoid crashing when users have the antiquated PyXML package
  installed. Python tries to be nice and loads it when we import xml, but it
  isn't compatible. Instead, we force Python to use the standard library xml
  module. [Daniel Miller]

o Handle ICMP admin-prohibited messages when doing service version detection.
  Crash reported by Nathan Stocks was: Unexpected error in NSE_TYPE_READ
  callback.  Error code: 101 (Network is unreachable) [David Fifield]

o [NSE] Fix a bug causing http.head to not honor redirects. [Patrik Karlsson]

o [Zenmap] Fix a bug in DiffViewer causing this crash:
     TypeError: GtkTextBuffer.set_text() argument 1 must be string or read-only
     buffer, not NmapParserSAX
  Crash happened when trying to compare two scans within Zenmap. [Daniel Miller]

Nmap 6.46 [2014-04-18]

o [NSE] Made numerous improvements to ssl-heartbleed to provide
  more reliable detection of the vulnerability.

o [Zenmap] Fixed a bug which caused this crash message:
     IOError: [Errno socket error] [Errno 10060] A connection attempt failed
     because the connected party did not properly respond after a period of
     time, or established connection failed because connected host has
     failed to
     respond
  The bug was caused by us adding a DOCTYPE definition to Nmap's XML
  output which caused Python's XML parser to try and fetch the DTD
  every time it parses an XML file.  We now override that DTD-fetching
  behavior. [Daniel Miller]

o [NSE] Fix some bugs which could cause snmp-ios-config and
  snmp-sysdescr scripts to crash
  (http://seclists.org/nmap-dev/2014/q2/120) [Patrik Karlsson]

o [NSE] Improved performance of citrix.lua library when handling large XML
  responses containing application lists. [Tom Sellers]

Nmap 6.45 [2014-04-11]

o Idle scan now supports IPv6. IPv6 packets don't usually come with
  fragments identifiers like IPv4 packets do, so new techniques had to
  be developed to make idle scan possible. The implementation is by
  Mathias Morbitzer, who made it the subject of his master's thesis.

o When doing a ping scan (-sn), the --open option will prevent down hosts from
  being shown when -v is specified. This aligns with similar output for other
  scan types. [Daniel Miller]

o Fixed some syntax problems in nmap-os-db that were caused by some automated
  merging of fingerprints (http://seclists.org/nmap-dev/2013/q4/68) [Daniel
  Miller]

o New service probes and fingerprints for Quake1, TeamSpeak3, xmlsysd,
  Freelancer game server, All-Seeing Eye, AndroMouse, and AirHD.

o Update included WinPcap to version 4.1.3 [Rob Nicholls]

o [NSE] Convert many more scripts to emit structured XML output
  (https://nmap.org/book/nse-api.html#nse-structured-output) [Daniel Miller]

o [NSE] Added 24 NSE scripts from 12 authors, bringing the total up to 470.
  They are all listed at https://nmap.org/nsedoc/, and the summaries are
  below (authors are listed in brackets):

  + allseeingeye-info gathers information from games using this query protocol.
    A version detection probe was also added. [Marin Maržić]

  + freelancer-info gathers information about the Freelancer game server. Also
    added a related version detection probe and UDP protocol payload for
    detecting the service. [Marin Maržić]

  + http-csrf detects Cross Site Request Forgeries (CSRF) vulnerabilities by
    searching for CSRF tokens in HTML forms. [George Chatzisofroniou]

  + http-devframework finds out the technology behind the target website based
    on HTTP headers, static URLs, and other content and resources. [George
    Chatzisofroniou]

  + http-dlink-backdoor detects DLink routers with firmware backdoor allowing
    admin access over HTTP interface. [Patrik Karlsson]

  + http-dombased-xss finds potential DOM-based Cross-site Scripting (XSS)
    vulnerabilities by searching for specific patterns in JavaScript resources.
    [George Chatzisofroniou]

  + http-errors crawls for URIs that return error status codes (HTTP 400 and
    above). [George Chatzisofroniou]

  + http-feed crawls a web site for Atom and RSS feeds. [George Chatzisofroniou]

  + http-iis-short-name-brute detects Microsoft IIS servers vulnerable to a
    file/folder name disclosure and a denial of service vulnerability. The
    script obtains the "shortnames" of the files and folders in the webroot
    folder. [Paulino Calderon]

  + http-mobileversion-checker checks for mobile versions of web pages by
    setting an Android User-Agent header and checking for HTTP redirects.
    [George Chatzisofroniou]

  + http-ntlm-info gets server information from Web servers that require NTLM
    authentication. [Justin Cacak]

  + http-referer-checker finds JavaScript resources that are included from other
    domains, increasing a website's attack surface. [George Chatzisofroniou]

  + http-server-header grabs the Server header as a last-ditch effort to get a
    software version. This can't be done as a softmatch because of the need to
    match non-HTTP services that obey some HTTP requests. [Daniel Miller]

  + http-useragent-tester checks for sites that redirect common Web spider
    User-Agents to a different page than browsers get. [George Chatzisofroniou]

  + http-vuln-cve2013-7091 (released as http-vuln-zimbra-lfi) looks for
    CVE-2013-7091, a LFI vulnerability in Zimbra. [Paul AMAR, Ron Bowes]

  + http-xssed searches the xssed.com database of Cross-site Scripting
    vulnerabilities for previously-reported XSS vulnerabilities in the target.
    [George Chatzisofroniou]

  + qconn-exec tests the QNX QCONN service for remote command execution.
    [Brendan Coles]

  + quake1-info retrieves server and player information from Quake 1 game
    servers. Reports potential DoS amplification factor.  [Ulrik Haugen]

  + rfc868-time gets the date and time from an RFC 868 Time server. [Daniel
