Nmap is a program for exploring and auditing a network. It is designed to scan a large network quickly, and works just as well against a single host. The program uses so-called raw IP packets to discover active hosts and information about the services they offer. More information about its capabilities can be found on this page. The developers have released another new beta version, which adds further capabilities for detecting the Conficker worm. The version number has been set at 4.85 beta 8, and the release comes with the following list of changes since the previous entry in the Meuktracker:
- Ncat's HTTP proxy now supports the GET, HEAD, and POST methods in addition to the CONNECT tunneling method, so it can be used as a proxy with an ordinary web browser.
- Ncat can now run as an authenticated proxy in HTTP proxy mode. Use --proxy-auth to provide a username and password that will be required of proxy users. Only the insecure (not encrypted) Basic authentication method is supported.
- Ndiff's text output has been redone to look more like Nmap output and be easier to read. See the Ndiff README file for an example. The XML output is now based on Nmap's XML output as well. Zenmap's diff viewer now shows the new output with syntax highlighting.
- The new versions of the Conficker Internet worm ban infected systems from visiting Insecure.Org and Nmap.Org. We take that as a compliment to the effectiveness of our remote Conficker scanner. They also ban DNS substrings "honey" (for the Honeynet Project), "doxpara" (for Dan Kaminsky's site), "tenablese" for Tenable Security, "coresecur" for Core Security Technologies, and "iv.cs.uni" for those meddlesome (to the Conficker authors) researchers at the University of Bonn. For people who can't reach nmap.org due to infection, I've mirrored this release at http://sectools.org/nmap/.
- New Conficker versions eliminate the loophole we were using to detect them with smb-check-vulns.nse, so we've added new methods which work with the newest variants. Here are the Conficker-related improvements since BETA7:
- Added new p2p-conficker script which detects Conficker using its P2P update ports rather than MSRPC. This is based on some new research by Symantec. See http://nmap.org/nsedoc/scripts/p2p-conficker.html
- Since new Conficker variants prevent detection by our previous MSRPC check in smb-check-vulns, we've added a new check which still works. It involves calling netpathcanonicalize on "\" rather than "\..\" and checking for a different return value. It was discovered by Felix Leder and Tillmann Werner.
- Improved smb-check-vulns Conficker error message text to be more useful.
- smb-check-vulns now defaults to using basic login rather than extended logins as this seems to work better on some machines.
- Recommended command for a fast Conficker scan (combine into 1 line): nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args checkconficker=1,safe=1 -T4 [target networks]
- Recommended command for a more comprehensive (but slower) scan: nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p- --script-args checkall=1,safe=1 -T4 [target networks]
- [NSE] The Nmap Script Engine core (C++) was rewritten in Lua for code simplicity and extensibility. See http://seclists.org/nmap-dev/2009/q2/0090.html and http://seclists.org/nmap-dev/2009/q1/0047.html.
- [Zenmap] The "Cancel" button has been restored to the main screen. It will cancel the scan that is currently being displayed.
- Fixed an SMB library bug which could cause a nil-pointer exception when scanning broken SMB implementations. Reported by Steve Horejsi.
- [Ndiff] The setup.py installation script now suggests installing the python-dev package in a certain error situation. Previously the error message it printed was misleading:
error: invalid Python installation: unable to open /usr/lib/python2.6/config/Makefile (No such file or directory)
The change was suggested by Aaron Leininger.
- [Nbase] The checksum functions now have an nbase_ prefix. This should prevent name collisions with internal but exported functions in shared libraries Nmap links against (e.g. adler32() in zlib). Such collisions seem to confuse the runtime linker on some platforms.
- Fixed banner.nse to remove surrounding whitespace from banners. For example, this avoids a superfluous carriage return and newline at the end of SSH greetings.
- Expanded and tweaked the product/version/info of service scans in an attempt to reduce the number of warnings like "Warning: Servicescan failed to fill info_template...". Parts of this change include:
- Improved the text of the warning to be less confusing
- Increased the internal version info buffer to 256 chars from 128
- Increased the final version string length to 160 from 128 chars
- Changed the behavior when constructing the final version string so that if it runs out of space, rather than dropping the output of that template it truncates the template with ...
- Fixed the printing of unneeded spaces between templates when one of the templates isn't going to be printed at all.
- Improved the service scan DB to remove certain problematic regex patterns which could lead to PCRE_MATCHLIMIT errors. For example, instances of ".*\r\n.*" and ".*\n.*\n" were generally collapsed to ".*" as long as the DOTALL (/s) modifier was set.
- Changed some error() calls (which were more informational than error messages) to use log_write() instead, and changed a few f?printf() calls into error() or log_write().
- [Ncat] Fixed a bug in the resolve() function which could cause Ncat to resolve names using the wrong address family (such as AF_INET rather than AF_INET6) in some rare cases.
- [Zenmap] Worked around a GTK+ bug on Windows reported by Henry Nymann. It caused a crash when opening the Hosts Viewer on a host that had OS information. A window appeared saying simply "Runtime Error!".
- [Zenmap] Gracefully handle unrecognized port states in the hosts viewer. Apparently old versions of Nmap can return a state of "unknown". This prevents this crash:
File "radialnet\gui\NodeNotebook.pyo", line 107, in __init__
File "radialnet\gui\NodeNotebook.pyo", line 257, in __create_widgets
- Rewrote the debugging error message "Found whacked packet protocol 17 in get_ping_pcap_result" because we decided that receiving a UDP packet during TCP ping scan is not egregious enough to qualify as "whacked".
- Improvements to the Conficker detection script (smb-check-vulns):
- Reduce false negative rate. We (and all the other scanners) used to require the 0x57 return code as well as a canonicalized path string including 0x5c450000. Tenable confirmed an infected system which returned a 0x00000000 path, so we now treat any host returning code 0x57 as likely infected.
- Add workaround for crash in older versions of OpenSSL which would occur when we received a blank authentication challenge string from the server. The error looked like: "evp_enc.c(282): OpenSSL internal error, assertion failed: inl > 0".
- Add helpful text for the two most common errors seen in the Conficker check in smb-check-vulns.nse. So instead of saying things like "Error: NT_STATUS_ACCESS_DENIED", output is like:
Conficker: Likely CLEAN; access was denied.
If you have a login, try using --script-args=smbuser=xxx,smbpass=yyy
(replace xxx and yyy with your username and password). Also try smbdomain=zzz if you know the domain. (Error NT_STATUS_ACCESS_DENIED)
The other improved message is for NT_STATUS_OBJECT_NAME_NOT_FOUND.
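The recommended scan commands earlier in this list and the reworded smb-check-vulns messages above both end in a per-host "Conficker:" line in the scan report. The following is an added example, not part of Nmap or of this changelog: it parses such a report, tallies the verdicts across hosts, and encodes the BETA8 change to the return-code heuristic (0x57 alone, versus 0x57 plus the 0x5c450000 path marker) so the reduced false-negative case can be checked. The sample report, the host addresses, the surrounding layout of Nmap's normal output, and the representation of the canonicalized path as an integer are constructed assumptions; only the "Conficker:" message text follows the changelog.

```python
"""Added example (not Nmap project code): parse the normal output of the
recommended Conficker scan, tally smb-check-vulns verdicts, and encode the
BETA7 -> BETA8 change to the NetPathCanonicalize return-code heuristic."""
import re
from collections import Counter

# Constructed sample of Nmap normal output (-oN) from a scan such as
#   nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns \
#        --script-args checkconficker=1,safe=1 -T4 192.0.2.0/28
# The "Conficker:" lines follow the message format quoted in the changelog;
# the surrounding report layout is an assumption, not captured output.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.0.2.10
Host is up (0.0012s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: NOT RUN
|   Conficker: Likely INFECTED
|_  regsvc DoS: NOT RUN

Nmap scan report for 192.0.2.11
Host is up (0.0020s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: NOT RUN
|   Conficker: Likely CLEAN; access was denied.
|   If you have a login, try using --script-args=smbuser=xxx,smbpass=yyy
|   (replace xxx and yyy with your username and password). Also try smbdomain=zzz if you know the domain. (Error NT_STATUS_ACCESS_DENIED)
|_  regsvc DoS: NOT RUN

Nmap scan report for 192.0.2.12
Host is up (0.0031s latency).
PORT    STATE  SERVICE
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
CONFICKER_RE = re.compile(r"^\|_?\s+Conficker:\s*(.*)$")


def parse_conficker_verdicts(report: str) -> dict:
    """Map each scanned host to its 'Conficker:' line (first line only).
    Hosts whose script block never printed a verdict are marked NO RESULT."""
    verdicts = {}
    host = None
    for line in report.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            verdicts[host] = "NO RESULT"
            continue
        m = CONFICKER_RE.match(line)
        if m and host is not None:
            verdicts[host] = m.group(1).strip()
    return verdicts


def classify(verdict: str) -> str:
    """Bucket a verdict string for tallying; unrecognised text counts as an error."""
    v = verdict.upper()
    if v.startswith("LIKELY INFECTED"):
        return "infected"
    if v.startswith("LIKELY CLEAN"):
        return "clean"
    if v == "NO RESULT":
        return "no-result"
    return "error"


def summarize(verdicts: dict) -> Counter:
    """Count hosts per bucket, e.g. Counter({'clean': 1, 'infected': 1, ...})."""
    return Counter(classify(v) for v in verdicts.values())


# Values the changelog says the check keys on (assumed here as plain integers).
CONFICKER_RETURN_CODE = 0x57
CONFICKER_PATH_MARKER = 0x5C450000


def conficker_verdict_beta7(return_code: int, canon_path: int) -> str:
    """Pre-BETA8 rule: return code AND path marker were both required."""
    if return_code == CONFICKER_RETURN_CODE and canon_path == CONFICKER_PATH_MARKER:
        return "Likely INFECTED"
    return "Likely CLEAN"


def conficker_verdict(return_code: int, canon_path: int) -> str:
    """BETA8 rule: 0x57 alone is enough; the 0x00000000 path Tenable observed
    on an infected host is no longer a false negative."""
    if return_code == CONFICKER_RETURN_CODE:
        return "Likely INFECTED"
    return "Likely CLEAN"


if __name__ == "__main__":
    results = parse_conficker_verdicts(SAMPLE_OUTPUT)
    for host, verdict in results.items():
        print(f"{host:15} {classify(verdict):10} {verdict}")
    print(dict(summarize(results)))
```

Run it against a real report with `nmap ... -oN report.txt` and feed the file contents to parse_conficker_verdicts; a host in the "error" bucket is one whose verdict line is neither of the two improved messages and deserves a manual look rather than being counted as clean.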
- The NSEDoc portal at http://nmap.org/nsedoc/ now provides download links from the script and module pages to browse or download recent versions of the code. It isn't quite as up-to-date as obtaining them from svn directly, but may be more convenient. For an example, see http://nmap.org/nsedoc/scripts/smb-check-vulns.html.
- A copy of the Nmap public svn repository (/nmap, plus its zenmap, nsock, nbase, and ncat externals) is now available at http://nmap.org/svn/. We'll be updating this regularly, but it may be slightly behind the SVN version. This is particularly useful when you need to link to files in the tree, since browsers generally don't handle svn:// repository links.
- Declare a couple msrpc.lua variables as local to avoid a potential deadlock between smb-server-stats.nse instances.