Zenmap

What's new in this version:

- Fix the "iocp" Nsock engine for Windows to be able to correctly handle PCAP read events. This engine is now the default for Windows, which should greatly improve performance over the previous default, the "poll" engine
- Restrict Nmap's search path for scripts and data files. NMAPDATADIR, defined on Unix and Linux as ${prefix}/share/nmap, will not be searched on Windows, where it was previously defined as C:Nmap . Additionally, the --script option will not interpret names as directory names unless they are followed by a '/'
- Removed nmap-update. This program was intended to provide a way to update data files and NSE scripts, but the infrastructure was never fielded. It depended on Subversion version control and would have required maintaining separate versions of NSE scripts for compatibility.
- Reduced CPU usage of OS scan by 50% by avoiding string copy operations and removing undocumented fingerprint syntax unused in nmap-os-db ('&' and '+' in expressions)
- Fix a regression in ARP host discovery left over from the move from massping to ultra_scan in Nmap 4.22SOC8 (2007) that sometimes resulted in missing ARP responses from targets near the end of a scan. Accuracy and speed are both improved
- Addressed over 250 code quality issues identified by LGTM.com, improving our code quality score from "C" to "A+"

Fix an assertion failure when unsolicited ARP response is received:
nmap:
- Target.cc:503: void Target::stopTimeOutClock(const timeval*): Assertion `htn.toclock_running == true' failed.
- [GH#1859] Allow multiple UDP payloads to be specified for a port in nmap-payloads. If the first payload does not get a response, the remaining payloads are tried round-robin. [Paul Miseiko, Rapid7]
- [GH#1860] 23 new UDP payloads and dozens more default ports for existing payloads developed for Rapid7's InsightVM scan engine. These speed up and ensure detection of open UDP services. [Paul Miseiko, Rapid7]
- [GH#1616] New option --discovery-ignore-rst tells Nmap to ignore TCP RST responses when determining if a target is up. Useful when firewalls are spoofing RST packets.
- [Ncat][GH#2087][GH#1927][GH#1928][GH#1974] It is now possible to override the value of TLS SNI via --ssl-servername
- [GH#2104] Fixed parsing of TCP options which would hang (infinite loop) if an option had an explicit length of 0. Affects Nmap 7.80 only. [Daniel Miller, Imed Mnif]
- Script ssh2-enum-algos would fail if the server initiated the key exchange before completing the protocol version exchange [Scott Ellis, nnposter]
- Fetching of SSH2 keys might fail because of key exchange confusion
- Performance of script afp-ls has been dramatically improved
- Parsing of AFP FPGetFileDirParms and FPEnumerateExt2FPEnumerateExt2 responses was not working correctly
- Eliminated false positives in script http-shellshock caused by simple reflection of HTTP request data
- SNMP scripts are now enabled on non-standard ports where SNMP has been detected
- MQTT library was using incorrect position when parsing received responses
- IPMI library was using incorrect position when parsing received responses
- Scripts ipmi-brute and deluge-rpc-brute were not capturing successfully brute-forced credentials
- Allow resuming IPv6 scans with --resume. The address parsing was assuming IPv4 addresses, leading to "Unable to parse ip" error. In a related fix, MAC addresses will not be parsed as IP addresses when resuming from XML
- [GH#1622][GH#2068] Fix reverse-DNS handling of PTR records that are not lowercase. Nmap was failing to identify reverse-DNS names when the DNS server delivered them like ".IN-ADDR.ARPA".
- [NSE][GH#1999][GH#2005] IKE library was not properly populating the protocol number in aggressive mode requests.
- [GH#1963] Added service fingerprinting for MySQL 8.x, Microsoft SQL Server 2019, MariaDB, and Crate.io CrateDB. Updated PostreSQL coverage and added specific detection of recent versions running in Docker.
- [NSE] New script uptime-agent-info collects system information from an Idera Uptime Infrastructure Monitor agent
- [NSE] New outlib library will consolidate functions related to NSE output, both string formatting conventions and structured output
- New XML output "hosthint" tag emitted during host discovery when a target is found to be up. This gives earlier notification than waiting for the hostgroup to finish all scan phases.
- [GH#917] New UDP payloads for GPRS Tunneling Protocol (GTP) on ports 2123, 2152, and 3386.
- [NSE][GH#1825] SSH scripts now run on several ports likely to be SSH based on empirical data from Shodan.io, as well as the netconf-ssh service.
- [Zenmap][GH#1777] Stop creating a debugging output file 'tmp.txt' on the desktop in macOS.
- [Nping] Address build failure under libc++ due to "using namespace std;" in several headers, resulting in conflicting definitions of bind(). Reported by StormBytePP and Rosen Penev
- [Ncat][GH#1868] Fix a fatal error when connecting to a Linux VM socket with verbose output enabled.
- [Ncat][GH#2060] Proxy credentials can be alternatively passed onto Ncat by setting environment variable NCAT_PROXY_AUTH, which reduces the risk of the credentials getting captured in process logs.
- [NSE][GH#1723] Fixed a crash on Windows when processing a GZIP-encoded HTTP body
- Upgrade libpcap to 1.9.1, which addresses several CVE vulnerabilities.
- Upgrade libssh2 to 1.9.0, fixing compilation with OpenSSL 1.1.0 API.
- [GH#1717][GH#1718] Processing of IP address CIDR blocks was not working correctly on ppc64, ppc64le, and s390x architectures.
- [Windows] Add support for the new loopback behavior in Npcap 0.9983. This enables Nmap to scan localhost on Windows without needing the Npcap Loopback Adapter to be installed, which was a source of problems for some users
- [NSE] MS SQL library has improved version resolution, from service pack level to individual cumulative updates
- [NSE][GH#2077] With increased verbosity, script http-default-accounts now reports matched target fingerprints even if no default credentials were found
- [NSE][GH#2063] IPP request object conversion to string was not working correctly
- [NSE][GH#2063] IPP response parser was not correctly processing end-of-attributes-tag
- [NSE] Script cups-info was failing due to erroneous double-decoding of the IPP printer status
- [NSE][GH#2010] Oracle TNS parser was incorrectly unmarshalling DALC byte arrays
- [NSE] The password hashing function for Oracle 10g was not working correctly for non-alphanumeric characters
- [NSE] Virtual host probing list, vhosts-full.lst, was missing numerous entries present in vhosts-default.lst
- [NSE][GH#1931][GH#1932] Script http-grep was not correctly calculating Luhn checksum
- [NSE][GH#1838] Scripts dhcp-discover and broadcast-dhcp-discover now support new argument "mac" to force a specific client MAC address
- [NSE] Code improvements in RPC Dump, benefitting NFS-related scripts
- [NSE] RPC code was using incorrect port range, which was causing some calls, such as NFS mountd, to fail intermittently
- [NSE][GH#1876] XML output from script ssl-cert now includes RSA key modulus and exponent
- [NSE][GH#1837] Nmap no longer crashes when SMB scripts, such as smb-ls, call smb.find_files
- [NSE][GH#1802] The MongoDB library was causing errors when assembling protocol payloads.
- [NSE][GH#1781][GH#1796] The RTSP library was not correctly generating request strings.
- [NSE][GH#1706] VNC handshakes were failing with insert position out of bounds error.
- [NSE][GH#1720] Function marshall_dom_sid2 in library msrpctypes was not correctly populating ID Authority.
- [NSE][GH#1720] Unmarshalling functions in library msrpctypes were attempting arithmetic on a nil argument. [Ivan Ivanov, nnposter]
- [NSE][GH#1720] Functions lsa_lookupnames2 and lsa_lookupsids2 in library msrpc were incorrectly referencing function strjoin when called with debug level 2 or higher.
- [NSE][GH#1755][GH#2096] Added HTTP default account fingerprints for Tomcat Host Manager and Dell iDRAC9
- [NSE][GH#1476][GH#1707] A MS-SMB spec non-compliance in Samba was causing protocol negotiation to fail with data string too short error
- [NSE][GH#1480][GH#1713][GH#1714] A bug in SMB library was causing scripts to fail with bad format argument error
- [NSE] New script, dicom-brute.nse, attempts to brute force the called Application Entity Title of DICOM servers
- [NSE] New script, dicom-ping.nse, discovers DICOM servers and determines if any Application Entity Title is allowed to connect
- [NSE] New library, dicom.lua, implements the DICOM protocol used for storing and transfering medical images
- [NSE][GH#1665] The HTTP library no longer crashes when code requests digest authentication but the server does not provide the necessary authentication header
- [NSE] Fixed a bug in http-wordpress-users.nse that could cause extraneous output to be captured as part of a username
- Added a UDP payload for STUN (Session Traversal Utilities for NAT)
- [NSE] Fixed an off-by-one bug in the stun.lua library that prevented parsing a server response