2025-04-05 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 06/01 Report
This article walks through what is new in Nmap 7.80: the Npcap, NSE, Ncat and Zenmap changes, the core bug and security fixes, and how to download and install the release.
Npcap update
Anyone familiar with Nmap knows that the Nmap suite includes Npcap, the Windows packet capture driver used for sniffing and sending raw packets on Windows. Other tools, including Wireshark, now use Npcap underneath as well.
Npcap started from the WinPcap code base (WinPcap development stopped in 2013) and was rebuilt on Microsoft's NDIS 6 Light-Weight Filter (LWF) technology and the Windows Filtering Platform (WFP).
The Npcap project was started in 2013 by Nmap founder Gordon Lyon and Dr. Yang Luo of Peking University, sponsored by Google Summer of Code and, according to this article, released under the MIT license. Because WinPcap is no longer maintained, Npcap ships its own raw packet capture and injection driver. It stays compatible with the WinPcap API while offering a more modern API, and it improves on WinPcap in functionality, performance and security.
Nmap 7.80 picks up 15 Npcap releases since the previous Nmap version; the Npcap version bundled with it is 0.9982.
NSE improvements
NSE (the Nmap Scripting Engine) is the script execution engine built into Nmap. Scripts are written in Lua, which is simple, fast and efficient, and running them through NSE lets penetration testers automate much of their work. If Nmap is the best port scanner, then Nmap with NSE is a full-featured security platform that combines network discovery, service and version fingerprinting, vulnerability detection and exploitation.
Beyond Npcap, Nmap 7.80 carries more than 80 updates and improvements, including 11 new NSE scripts, several new libraries, bug fixes and performance improvements.
New scripts and libraries
With 11 new NSE scripts added, Nmap now ships a total of 598. The new scripts are:
broadcast-hid-discoveryd: discovers HID devices on the local network by sending discoveryd broadcast probes. [Brendan Coles]
broadcast-jenkins-discover: discovers Jenkins servers on the local network by sending discovery broadcast probes. [Brendan Coles]
http-hp-ilo-info: extracts information from HP Integrated Lights-Out (iLO) servers. [rajeevrmenon97]
http-sap-netweaver-leak: detects SAP NetWeaver Portal instances with the Knowledge Management Unit enabled and checks whether it allows anonymous access. [ArphanetX]
https-redirect: detects HTTPS servers that redirect to the same port over plain HTTP. Some nginx servers do this, which makes the ssl-* scripts fail. [Daniel Miller]
lu-enum: enumerates Logical Units (LUs) of TN3270E servers. [Soldier of Fortran]
rdp-ntlm-info: extracts Windows domain information from RDP services. [Tom Sellers]
smb-vuln-webexec: checks whether WebExService is installed and whether it allows code execution. [Ron Bowes]
smb-webexec-exploit: runs arbitrary commands with SYSTEM privileges through WebExService. [Ron Bowes]
ubiquiti-discovery: extracts information from the Ubiquiti Discovery Service and assists version detection. [Tom Sellers]
vulners: queries the Vulners CVE database API using the CPE information produced by Nmap's service and application version detection. [GMedian, Daniel Miller]
The new libraries are:
stringaux.lua: a string library collecting the string-handling helpers that were previously scattered across scripts.
rand.lua: a random library that uses the best random sources available on the system to generate random strings.
oops.lua: a debugging library that makes error reporting easier, showing debugging details when they are needed and staying out of the way when they are not.
tableaux.lua: a library of utility functions for table manipulation and searching.
knx.lua: a new KNX/Konnex library containing the functions and definitions commonly used to communicate with KNX/Konnex devices.
Other NSE features and improvements
HTTP library: response bodies are now transparently decoded when the server uses gzip encoding. A size limit is enforced on the response body; the default limit can be adjusted with a script argument that applies to all scripts, and an HTTP request option lets individual scripts override it per request. The limit matters because gzip decoding is done on the scanner side: a small compressed body can expand to something far larger than the Content-Length header suggests.
The HTTP response parser now tolerates a missing reason phrase in the status line, improving compatibility with some HTTP servers.
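The following is an added example and not code from Nmap's http.lua: it shows why a gzip-decoding scanner needs a limit on the decoded size, not just on the bytes received. The cap value DEFAULT_MAX_BODY, the header dictionary shape (lowercase keys) and the sample inputs are assumptions made for this example.

```python
import gzip
import zlib

# Added example, not code from Nmap's http.lua: inflate a gzip-encoded HTTP
# body while capping the *decoded* size. A few kilobytes of gzip can expand
# to gigabytes, so a scanner that transparently decodes bodies must stop at a
# limit instead of trusting Content-Length (which describes the encoded size).

DEFAULT_MAX_BODY = 2 * 1024 * 1024  # assumed default limit for this example


class BodyTooLarge(Exception):
    """Raised before the decoded body grows past the configured limit."""


def inflate_gzip_body(raw, max_body=DEFAULT_MAX_BODY):
    """Return the decoded body, or raise BodyTooLarge / ValueError.

    wbits=31 tells zlib to expect the gzip wrapper. Decompressing with a
    max_length keeps at most max_body+1 bytes in memory however much the
    input expands; leftover input comes back in unconsumed_tail.
    """
    d = zlib.decompressobj(wbits=31)
    out = bytearray()
    pending = bytes(raw)
    while not d.eof:
        room = max_body + 1 - len(out)  # never 0: 0 would mean "unlimited"
        chunk = d.decompress(pending, room)
        out += chunk
        if len(out) > max_body:
            raise BodyTooLarge("decoded body exceeds %d bytes" % max_body)
        pending = d.unconsumed_tail
        if not chunk and not pending:
            # input exhausted before the gzip trailer was seen
            raise ValueError("truncated gzip stream")
    return bytes(out)


def decode_body(headers, raw, max_body=DEFAULT_MAX_BODY):
    """Transparent decoding keyed on Content-Encoding (header names lowercased).

    Identity bodies get the same limit, so a script sees one rule regardless
    of how the server encoded the response.
    """
    encoding = headers.get("content-encoding", "").strip().lower()
    if encoding == "gzip":
        return inflate_gzip_body(raw, max_body)
    if len(raw) > max_body:
        raise BodyTooLarge("body exceeds %d bytes" % max_body)
    return bytes(raw)


# Constructed sample inputs: a small page, and a "gzip bomb" of 8 MiB of
# zeros that compresses to a few KiB.
SAMPLE_BODY = b"<html><body>" + b"<p>hello</p>" * 200 + b"</body></html>"
SAMPLE_GZIP = gzip.compress(SAMPLE_BODY)
BOMB_GZIP = gzip.compress(b"\0" * (8 * 1024 * 1024))


if __name__ == "__main__":
    body = decode_body({"content-encoding": "gzip"}, SAMPLE_GZIP)
    print("decoded %d bytes from %d gzip bytes" % (len(body), len(SAMPLE_GZIP)))
    try:
        decode_body({"content-encoding": "gzip"}, BOMB_GZIP, max_body=1024 * 1024)
    except BodyTooLarge as e:
        print("bomb (%d gzip bytes) rejected: %s" % (len(BOMB_GZIP), e))
```

The key detail is that the limit is checked on every decompression step; calling a plain one-shot decompress and measuring the result afterwards would already have allocated the whole expanded body.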
CR characters in script output are now escaped in the XML output instead of being treated as illegal.
rdp-enum-encryption gains TLS support, so the protocol version can be determined for servers that require TLS; this also lays the groundwork for NLA/CredSSP information gathering.
The http-enum library no longer clobbers the "severity" and "ignore_404" values in fingerprints. No standard fingerprint uses these fields. [Kostas Milonas]
The port rules of the mongodb scripts were updated so they also run against instances on non-default ports (not only 27017).
tn3270.lua was updated and gained an argument to disable TN3270E.
ftp-syst was updated to prevent a potential infinite loop.
The parser for HTTP Set-Cookie headers is now more compliant with RFC 6265: empty attribute values are tolerated; double quotes in cookie and/or attribute values are kept as literal characters; an empty attribute and an attribute without a value are treated as equivalent; attributes named "name" or "value" are ignored.
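As an added example (this is not Nmap's http.lua parser), the following implements the four RFC 6265 rules just listed so each one can be checked against a constructed header. Lowercasing attribute names and returning None for a header without "=" are choices made for this example; the real library's output format may differ.

```python
# Added example, not Nmap's http.lua: a Set-Cookie parser implementing the
# four RFC 6265 rules listed above. Attribute names are lowercased because
# RFC 6265 treats them case-insensitively; that is this example's convention.


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into a dict, or return None.

    Rules shown:
      * cookie and attribute values may be empty ("a=; Path=");
      * double quotes inside values are kept as literal characters;
      * an attribute with no "=" and one with "=" but no value both map to "";
      * attributes named "name" or "value" are dropped, since they would
        overwrite the cookie's own name and value fields.
    A first pair without "=" makes RFC 6265 ignore the whole header.
    """
    pair, *attrs = header.split(";")
    name, eq, value = pair.partition("=")
    name = name.strip()
    if eq == "" or name == "":
        return None
    cookie = {"name": name, "value": value.strip()}
    for raw in attrs:
        attr_name, _, attr_value = raw.partition("=")
        key = attr_name.strip().lower()
        if key == "" or key in ("name", "value"):
            continue
        cookie[key] = attr_value.strip()
    return cookie


# Constructed sample headers exercising each rule.
SAMPLES = [
    'sid="abc=123"; Path=/; HttpOnly; Secure=; name=evil; value=evil',
    "session=; Domain=; max-age=3600",
    "missing-equals-sign",
    "=nameless; Path=/",
]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", parse_set_cookie(sample))
```

Note that only the first "=" in the name-value pair is significant, which is why the quoted value '"abc=123"' survives intact, and why a server-controlled attribute called "name" cannot rename the cookie after the fact.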
The enip-info vendor list was updated from the ODVA list.
http-sql-injection now recognizes two more common MySQL error strings, improving detection.
http-default-accounts now supports selecting multiple fingerprint categories. Fingerprints can also be selected by name for very targeted scans, and scanning more than one target host/port in a single run is supported.
The new http.host script argument lets the user force a specific value for the Host header in all HTTP requests.
The smtp.domain script argument, or the target's domain name, is now used instead of "example.com" in the EHLO command sent by the STARTTLS scripts.
Support for EDNS Client Subnet (ECS) in dns.lua was improved:
use the RFC 7871 ECS option code; correctly trim ECS addresses as RFC 7871 requires; fix a bug that prevented reusing the same ECS option table across queries.
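The address trimming mentioned above is easy to get wrong, so here is an added example (not Nmap's dns.lua) that encodes and decodes an ECS option the way RFC 7871 section 6 specifies: the ADDRESS field carries only ceil(SOURCE PREFIX-LENGTH / 8) octets, with any bits past the prefix zeroed. The option code 8 and the field layout are from the RFC; the function names are this example's own.

```python
import ipaddress
import struct

# Added example, not Nmap's dns.lua: build and parse an EDNS Client Subnet
# option. RFC 7871 section 6 lays out FAMILY (1 = IPv4, 2 = IPv6), SOURCE
# PREFIX-LENGTH, SCOPE PREFIX-LENGTH and an ADDRESS truncated to
# ceil(prefix/8) octets with the bits beyond the prefix set to zero. Sending
# the full address is both a FORMERR at strict resolvers and a privacy leak.

ECS_OPTION_CODE = 8  # option code assigned to ECS in RFC 7871


def encode_ecs_option(address, source_prefix_len, scope_prefix_len=0):
    """Return the complete EDNS0 option: code, length, then the ECS data."""
    ip = ipaddress.ip_address(address)
    family = 1 if ip.version == 4 else 2
    max_bits = 32 if ip.version == 4 else 128
    if not 0 <= source_prefix_len <= max_bits:
        raise ValueError("prefix length out of range")
    nbytes = (source_prefix_len + 7) // 8
    # Zero the host bits beyond the prefix, then keep only nbytes octets.
    mask = ((1 << source_prefix_len) - 1) << (max_bits - source_prefix_len)
    trimmed = (int(ip) & mask).to_bytes(max_bits // 8, "big")[:nbytes]
    data = struct.pack("!HBB", family, source_prefix_len, scope_prefix_len) + trimmed
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def decode_ecs_option(option):
    """Parse an ECS option back into (address, source_prefix, scope_prefix).

    Rejects an ADDRESS field whose length does not match the prefix length,
    which is how a strict resolver notices an untrimmed address.
    """
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or len(option) != 4 + length:
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", option[4:8])
    if family not in (1, 2):
        raise ValueError("unknown address family %d" % family)
    addr_bytes = option[8:]
    if len(addr_bytes) != (source + 7) // 8:
        raise ValueError("address field not trimmed to prefix length")
    width = 4 if family == 1 else 16
    ip = ipaddress.ip_address(addr_bytes + b"\0" * (width - len(addr_bytes)))
    return str(ip), source, scope


if __name__ == "__main__":
    # Constructed inputs: a /24 (whole octets) and a /20 (partial octet).
    for addr, plen in (("192.0.2.55", 24), ("192.0.2.55", 20), ("2001:db8::1", 56)):
        opt = encode_ecs_option(addr, plen)
        print(addr, "/%d" % plen, "->", opt.hex(), "->", decode_ecs_option(opt))
```

The /20 case is the one that catches naive implementations: three octets are sent, but the third must be 0x00, not the original 0x02, because only the top four bits of that octet fall inside the prefix.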
tls.lua: when the protocol version is SSLv3, only the SSLv3 record layer is used when building client_hello messages. Some TLS implementations will not handshake with a client offering anything less than TLSv1.0, so scripts must explicitly fall back to SSLv3 to talk to SSLv3-only servers.
A new vulnerability state, UNKNOWN, was added to vulns.lua to indicate that testing could not rule out the vulnerability.
tn3270.lua adds TN3270E support and other improvements, and tn3270-screen.nse was updated to display the new settings.
enip-info.nse: updated product codes and added a response length check. The script now uses string.unpack rather than the deprecated bin library.
Bug fixes
Fixed two protocol parsing problems in rdp-enum-encryption and the rdp NSE library that broke scanning of Windows XP, and clarified the protocol types.
Fixed a bug in http-fileupload-exploiter where the resource file could not be found when the script was run from a particular directory.
Fixed a crash (double free) caused by releasing libssh2 session data twice when the SSH NSE scripts were run against a non-SSH service.
Fixed a logic error in the NTLM test that caused the script to ignore the smbdomain script argument when the target was given as a domain name.
Fixed parsing of the http-grep.match script argument.
Fixed a bug in http-vuln-cve2006-3392 that prevented the script from correctly generating its vulnerability report.
Fixed a screen-rendering bug in the TN3270 NSE library. This patch also improves the tso-brute brute-force script.
Fixed SIP, SASL and HTTP digest authentication when the algorithm name contains lowercase characters.
Fixed the BruteSocket wrapper in brute.lua, which crashed Nmap due to socket confusion: nmap: nse_nsock.cc:672: int receive_buf(lua_State*, int, lua_KContext): assertion `lua_gettop(L) == 7' failed.
Fixed an error in smb-vuln-ms17-010 when an IPS closes the connection.
Fixed some false-positive conditions in ssl-ccs-injection, where servers were wrongly flagged as vulnerable because they answered with a fatal alert other than "unexpected_message".
Fixed a crash in traceroute-geolocation when GeoPlugin returned null coordinates.
Fixed a false positive in http-phpmyadmin-dir-traversal on servers that return status 200 for any POST request URI.
Removed features
OSVDB references were removed from scripts and replaced with BID references wherever possible.
bin.lua is now officially deprecated. Nmap 7.25BETA2 introduced Lua 5.3 two years earlier, which provides native binary packing through string.pack and string.unpack; all existing scripts and libraries have been converted.
bit.lua was removed entirely. All of its functions are replaced by native Lua bitwise operators, and arshift (arithmetic shift) moved to the bits.lua library.
hostmap-ip2hosts.nse was removed. Its API had expired and the service was shut down completely on February 17, 2019.
Ncat update
Ncat is the feature-rich, cross-platform network utility in the Nmap project suite, known as the "network Swiss Army knife": it reads and writes data across the network from the command line. Ncat was originally developed to support Nmap and is a substantial improvement on the old Netcat it reimplements. It communicates over TCP and UDP, supports both IPv4 and IPv6, and is designed as a reliable back-end tool that provides network connectivity to other applications and users, with almost unlimited uses.
The Ncat changes in Nmap 7.80 are:
1. Ncat may connect to port 0 on a server if the socket implementation allows it.
2. To avoid ambiguity and support non-default proxy ports, the --proxy option now requires square brackets around an IPv6 address, for example --proxy [2001:db8::123]:456.
3. The new --proxy-dns option controls whether the proxy target name is resolved by the remote proxy server or locally.
4. The temporary RSA key size was raised to 2048 bits to fix compatibility with OpenSSL builds at security level 2, such as those shipped by Debian and Kali.
5. AF_VSOCK (Linux VM socket) support was added to Nsock and Ncat. Linux VM sockets are used for communication between virtual machines and the hypervisor.
6. Fixed premature connection termination with ncat -e on Windows.
7. Fixed communication with commands started via the -e or -c option on Windows, especially when --ssl is used.
8. Fixed the IPv6 literal URL format used when connecting through an HTTP proxy.
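Item 2 deserves a closer look, because it is a correctness issue and not just a style change: an unbracketed IPv6 literal followed by a port is unparseable, since "2001:db8::123:456" is itself a valid IPv6 address. The following is an added example (not Ncat's own argument parser) of a host:port splitter that applies the bracket rule; the default-port handling and function name are this example's own.

```python
import ipaddress

# Added example, not Ncat's code: parse a --proxy style HOST[:PORT] argument
# using the bracket rule for IPv6 literals. Without brackets there is no way
# to tell whether the last colon-separated group is a port or part of the
# address, so such input is rejected instead of guessed at.


def split_proxy_address(spec, default_port=None):
    """Return (host, port); raise ValueError on ambiguous or malformed input.

    Accepted forms:
      proxy.example.net:8080, 192.0.2.10:8080, [2001:db8::123]:456
      proxy.example.net, 192.0.2.10, [2001:db8::123]   (port = default_port)
    Port 0 is passed through so the caller can decide whether the socket
    layer accepts it, matching the Ncat change above.
    """
    if spec.startswith("["):
        end = spec.find("]")
        if end == -1:
            raise ValueError("unterminated '[' in %r" % spec)
        host, rest = spec[1:end], spec[end + 1:]
        ipaddress.IPv6Address(host)  # brackets are only valid around an IPv6 literal
        if rest == "":
            port = default_port
        elif rest.startswith(":") and rest[1:].isdigit():
            port = int(rest[1:])
        else:
            raise ValueError("bad port suffix in %r" % spec)
    else:
        if spec.count(":") > 1:
            raise ValueError("IPv6 literal must be bracketed: %r" % spec)
        host, sep, port_str = spec.partition(":")
        if host == "":
            raise ValueError("empty host in %r" % spec)
        if sep == "":
            port = default_port
        elif port_str.isdigit():
            port = int(port_str)
        else:
            raise ValueError("bad port in %r" % spec)
    if port is None:
        raise ValueError("no port given and no default for %r" % spec)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range in %r" % spec)
    return host, port


if __name__ == "__main__":
    # Constructed inputs; 3128 is Ncat's documented default HTTP proxy port.
    for spec in ("[2001:db8::123]:456", "proxy.example.net:8080",
                 "proxy.example.net", "[2001:db8::1]", "2001:db8::123:456"):
        try:
            print(spec, "->", split_proxy_address(spec, default_port=3128))
        except ValueError as e:
            print(spec, "-> rejected:", e)
```

The ambiguous form is rejected rather than silently treated as "host 2001:db8::123:456 on the default port", which is the surprising behaviour the Ncat change removes.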
Zenmap update
Zenmap is the cross-platform graphical front end in the Nmap suite. It is free, open source, written in Python, and runs on Windows, Linux, Unix and macOS.
Zenmap is designed to give users an easier way to drive nmap. Frequently used command lines can be saved as profiles and reused for later scans, and the results of different scans can be compared easily.
In Nmap 7.80, Zenmap mainly receives the following bug fixes:
Fixed a crash when the Nmap executable could not be found and the system PATH contained non-UTF-8 bytes, as can happen on Windows.
Fixed a crash when searching results with the dir: operator: AttributeError: 'SearchDB' object has no attribute 'match_dir'
Fixed a crash when recent_scans.txt is not writable.
In our testing on Windows 10 the new Zenmap was noticeably easier to use and faster, and it no longer hung during scans as it used to.
Other features and security updates
Fixed CVE-2019-1552 by setting OpenSSL's configuration directory to "C:\Program Files (x86)\Nmap\OpenSSL". OpenSSL's built-in default pointed at a location that unprivileged users could create, so an attacker could plant an OpenSSL configuration that Nmap would load; the new directory is writable only by administrators.
Fixed CVE-2018-15173 by lowering the libpcre resource limits so that version detection cannot consume excessive stack. Previously Nmap could crash on low-memory systems when a target service was, deliberately or accidentally, very hard to match.
Nmap scans can now be resumed even when the original command line was very long.
Fixed a bug where the RMI parser could crash on invalid input.
Nmap now uses pcap_create instead of pcap_open_live and sets immediate mode on the pcap descriptor. This fixes packet loss on Linux and improves performance on other platforms.
A new service probe and match line were added for the Android Debug Bridge (adb), which allows remote code execution and is enabled by default on many devices.
Fixed a response validation bug: Nmap was using an unknown TCP option, which could cause TCP response packets to be ignored.
Nmap no longer attempts an SSLv2 fallback when an error occurs during a DTLS connection, which fixes the crash that resulted.
Avoided a delay when matching probes after receiving an ARP or ND response.
New service probes and match rules were added for v1 and v2 of the Ubiquiti Discovery protocol. Devices commonly leave this service open; it exposes a great deal of information and can be abused for DDoS amplification. A new nmap-payloads entry for the v1 protocol was also added.
When searching for Lua header files, the build now uses the directory actually configured rather than always searching /usr/include.
The verbosity level (-v) is now capped at 10; higher levels are not used anywhere within Nmap.
The host timeout clock now starts when the first probe is sent to a host, not when its host group starts. Previously a host could receive no probes until near the end of the host group and then time out prematurely.
An urgent fix to Nmap's birthday announcement, so that in verbose mode (-v) on September 1, 2018 Nmap wished itself "Happy 21st Birthday" rather than "Happy 21".
The -PR option is deprecated and disabled. ARP ping is already enabled by default for host discovery wherever it can be used, and where it cannot be used -PR had no effect anyway.
Download and install
Installing Nmap is straightforward. The project provides binary packages for Linux (RPM), macOS and Windows that can be downloaded and installed directly. Download page: https://nmap.org/download.html. Nmap publishes GPG signatures and hashes for every release under https://nmap.org/dist/sigs/; verify the package you downloaded against them before installing.
Windows
Download nmap-7.80-setup.exe directly from the official download page:
https://nmap.org/dist/nmap-7.80-setup.exe
Run the installer after downloading.
During installation you will be prompted to install the new Npcap version in WinPcap API-compatible mode, which uninstalls any existing WinPcap.
macOS
Download nmap-7.80.dmg directly from the official download page:
https://nmap.org/dist/nmap-7.80.dmg
After downloading, open the disk image and run the installer package.
Linux binary installation
Red Hat, Mandrake, SUSE and other distributions that use RPM packages can install the official binary RPMs directly:
rpm -vhU https://nmap.org/dist/nmap-7.80-1.x86_64.rpm
rpm -vhU https://nmap.org/dist/zenmap-7.80-1.noarch.rpm
rpm -vhU https://nmap.org/dist/ncat-7.80-1.x86_64.rpm
rpm -vhU https://nmap.org/dist/nping-0.7.80-1.x86_64.rpm
Source code installation
On platforms without a binary package, Nmap can be built from source.
First download the source tarball from the official download page:
https://nmap.org/dist/nmap-7.80.tar.bz2
Alternatively, clone the source repository from Nmap's official GitHub mirror:
git clone https://github.com/nmap/nmap
Then unpack, configure, build and install:
bzip2 -cd nmap-7.80.tar.bz2 | tar xvf -
cd nmap-7.80
./configure
make
make install
Note that a freshly installed or minimal system may lack the build tools. On Ubuntu, for example, install gcc, make, g++, flex and bison first (add libssl-dev if you want OpenSSL support compiled in):
apt install gcc make g++ flex bison
© 2024 shulou.com SLNews company. All rights reserved.