Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos network security services platform







Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
Nmap Changelog
# Nmap Changelog ($Id: CHANGELOG 14005 2009-07-02 03:36:43Z josh $); -*-text-*-

o Fixed two memory leaks in ncat_posix.c and a bug where an open file was not
  being closed in libdnet-stripped/src/intf.c [Josh Marlow]

o Added a convenience top-level BSD makefile redirecting BSD make
  to GNU make on BSD systems.  This should help prevent bogus
  error reports when users run "make" instead of "gmake" on BSD
  systems. [Daniel Roethlisberger]

o [Zenmap] Added support to zenmap for the SCTP options: -PY, -sY and -sZ, as
  well as making a comment in zenmapCore/NmapOptions.py on how to add new
  options. [Josh Marlow]

o The configure script now allows cross-compiling by assuming that
  libpcap is recent enough. Previously it would quit because a test
  program could not be run. libpcap will always be recent enough when
  the included copy is used. The patch was contributed by Mike
  Frysinger.

Nmap 4.90RC1 [2009-06-25]

o [Zenmap] Fixed a display hanging problem on Mac OS X reported by
  Christopher Caldwell at
  http://seclists.org/nmap-dev/2009/q2/0721.html.  This was done by
  adding gtk2 back to macports-1.8.0-universal.diff and removing the
  dependency on shared-mime-info so it doesn't expect /usr/share/mime
  files at runtime. Also included GDK pixbuf loaders statically rather
  than as external loadable modules.  [David]

o Fixed a memory bug (access of freed memory) when loading exclude
  targets with --exclude. This was reported to occasionally cause a
  crash. Will Cladek reported the bug and contributed an initial
  patch. [David]

o Zenmap application icons were regenerated using the newer SVG
  representation of the Nmap eye. [David]

Nmap 4.85BETA10 [2009-06-12]

o The host discovery (ping probe) defaults have been enhanced to
  include twice as many probes.  The default is now "-PE -PS443 -PA80
  -PP". In exhaustive testing of 90 different probes, this emerged as
  the best four-probe combination, finding 14% more Internet hosts
  than the previous default, "-PE -PA80". The default for non-root
  users is -PS80,443, replacing the previous default of -PS80. In
  addition, ping probes are now sent in order of effectiveness (-PE
  first) so that less effective probes may not have to be sent. ARP
  ping is still the default on local ethernet networks. [David,
  Fyodor]

o Added SCTP port scanning support to Nmap. SCTP is a layer 4 protocol
  used mostly for telephony related applications.  This brings the
  following new features:
  o SCTP INIT chunk port scan (-sY): open ports return an INIT-ACK
    chunk, closed ones an ABORT chunk.  This is the SCTP equivalent
    of a TCP SYN stealth scan.
  o SCTP COOKIE-ECHO chunk port scan (-sZ): open ports are silent,
    closed ports return an ABORT chunk.
  o SCTP INIT chunk ping probes (-PY): host discovery using SCTP
    INIT chunk packets.
  o SCTP-specific IP protocol scan (-sO -p sctp).
  o SCTP-specific traceroute support (--traceroute).
  o The ability to use the deprecated Adler32 algorithm as specified
    in RFC 2960 instead of CRC32C from RFC 4960 (--adler32).
  o 42 well-known SCTP ports were added to the nmap-services file.
  o The server scanme.csnc.ch has been set up for your SCTP scan
    testing pleasure. But note that SCTP doesn't pass through most
    NAT devices. See http://seclists.org/nmap-dev/2009/q2/0669.html.
  Part of the work on SCTP support was kindly sponsored by
  Compass Security AG, Switzerland. [Daniel Roethlisberger]

o [NSE] Added http-iis-webdav-vuln.nse, which detects the recently
  discovered WebDAV unicode bug in MS IIS 5.1/6.0 web server which can
  allow arbitrary users to access password protected folders without
  authentication. See
  http://nmap.org/svn/scripts/http-iis-webdav-vuln.nse. [Ron]

o The Nmap Reference Guide has been translated to German by Open
  Source Press and Indonesian by Tedi Heriyanto. You can now read it
  in 16 languages at http://nmap.org/docs.html. We're always looking
  for more translations of Nmap and it's documentation--if you'd like
  to help, see http://seclists.org/nmap-dev/2009/q2/0667.html.

o Open Source Press completed and released the German translation of
  the official Nmap book (Nmap Network Scanning). Learn more at
  http://nmap.org/book/#translations.

o [NSE] Added socks-open-proxy.nse for scanning networks for open
  SOCKS proxy servers. See
  http://nmap.org/nsedoc/scripts/socks-open-proxy.html. [Joao Correa]

o [NSE] http-open-proxy.nse has been updated to attempt HEAD and
  CONNECT methods as well as previously supported GET method.  It
  still tries to reach http://www.google.com through the proxy by
  default, but now also offers an argument for specifying a different
  URL. [Joao Correa]

o [Ncat] There is a backwards-incompatible change in the way that
  listen mode works. The new default behavior is to accept only one
  connection, and quit when the connection ends. This was necessary to
  prevent data loss in some situations; some programs require Ncat to
  send an EOF before they flush their internal buffers and finish
  processing the last bit of data. See
  http://seclists.org/nmap-dev/2009/q2/0528.html for more information.
  Use the new -k or --keep-open option to get the old behavior, in
  which Ncat will accept multiple simultaneous connection, combine all
  their input, and accept more connections after a disconnection.
  [Daniel Roethlisberger, David]

o Ncat handling of newlines on Windows has been improved. CRLF is
  automatically converted to a bare LF when input is from the console,
  but left untouched when it is from a pipe or a file. No newline
  translation is done on output (where it was being done before). This
  makes it possible to transfer binary files with Ncat on Windows
  without any corruption, while still being able to interactively ncat
  into UNIX shells and other processes which require bare
  newlines. Ncat clients now work the same way on UNIX and Windows in
  that respect.  For cases where you do want \r\n line endings (such
  as connections to web and email servers or Windows cmd.exe shells),
  specify -C whether your client is running on UNIX or
  Windows. [David]

o Nmap RPM packages (x86 and x86-64) are now built with OpenSSL
  support (statically linked in to avoid dependencies).  They are also
  now built on CentOS 5.3 for compatibility with RHEL, Fedora, and
  other distributions. Please let us know if you discover any
  compatibility problems (or other issues) with the new RPMs. [Fyodor]

o [Zenmap] The Topology tab now has a "Save Graphic" button that
  allows saving the current topology display as a PNG, postscript,
  PDF, and SVG image.  [Joao Medeiros, David]

o Changed the default UDP ping (-PU) port from 31338 to 40125.  This
  appears to be a better port based on David's empirical testing.

o [NSE] Added the imap-capabilities script, which uses the CAPABILITY
  command to determine the capabilities of a target IMAP mail server.
  A simple supporting IMAP library was added as well. See
  http://nmap.org/nsedoc/scripts/imap-capabilities.html. [Brandon]

o [NSE] Brandon Enright from UCSD reports that, thanks to all the NSE
  fixes in this release, he no longer sees any Nmap crashes in his
  large scale scans. See
  http://seclists.org/nmap-dev/2009/q2/0639.html.

o Zenmap now works on RHEL/CentOS since it no longer requires the
  hashlib library (which was introduced in Python 2.5, but RHEL 5
  still uses 2.4) and removing the pysqlite2 requirement (RHEL does
  not offer that module).  It is still desirable to have pysqlite2
  when available, since it enables Zenmap searching and database
  saving features. [David]

o Ncat can now send SSL certificates in connect mode for client
  authentication by using the --ssl-cert and --ssl-key options.  The
  specified certificates are only sent when requested by the
  server. [Venkat]

o Nmap can now handle -PS and -PA at the same time when running nmap
  as non-root or using IPv6.  It now combines the two port lists [Josh
  Marlow]

o [Ncat] SSL in listen mode now works on systems like BSD in which a
  socket inherits its blocking or non-blocking status from the
  listening socket. [David, Daniel Roethlisberger]

o The --packet-trace/--version-trace options now shows the names of
  version detection probes as they are sent, making the version
  detection process easier to understand and debug. [Tom Sellers]

o The GPG detached signatures for Nmap releases now use the more
  standard .asc extension rather than .gpg.txt.  They can still be
  found at http://nmap.org/dist/sigs/ and the .gpg.txt versions for
  previous releases are still available for compatibility reasons. For
  instructions on verifying Nmap package integrity, see
  http://nmap.org/book/install.html#inst-integrity. [Fyodor]

o [Zenmap] Fixed two bugs: 1) When two scans are performed in Zenmap
  and aggregated, the first one was being modified in the process,
  preventing you from doing diffs in the "compare scans" dialogue or
  properly saving the first scan individually. 2) If you start two
  scans, then the faster one finishes and you cancel and remove the
  slower one while still in progress, much of the results from both
  scans are lost. [Josh Marlow]

o [Ncat] When connecting to an SSL service in verbose mode, Ncat now
   prints confirmation of the SSL connection, some certificate
   information, and a cert fingerprint. For example:
   SSL connection to 64.147.188.3:443. Electronic Frontier Foundation
   SHA-1 fingerprint: 28BE B476 2E49 7ED5 3A9B 4D79 AD1E 69A9 82DB C75A

o [NSE] Clean up output (generally reducing default verbosity) for the
  p2p-conficker, smb-check-vulns, and http-iis-webdav-vuln scripts. In
  general, we don't ask scripts to report that a host is clean unless
  Nmap's verbosity level (-v) is at least one or two. [Ron, Fyodor]

o [Zenmap] Added the -PS22,25,80 option found in the Quick Traceroute
  profile to some of the Intense scan profiles for improved host
  discovery. [Josh Marlow]

o Fixed a bug with the --defeat-rst-ratelimit option which prevented
  it from working properly.  See this thread:
  http://seclists.org/nmap-dev/2009/q2/0476.html. [Josh]

o [Ndiff] Avoid printing a "Not shown:" line if there weren't any
  ports in the non-shown (extraports) list. [David]

o [Ncat] Fixed Ncat compilation with versions of OpenSSL before 0.9.7.
  Previously it would fail in ncat_openssl.c with the message
  "structure has no member named `it'". The problem was reported by
  Jaroslav Fojtik. [David]

o [NSE] Removed the packet.hextobin(str) and packet.bintohex(str)
  functions. They are redundant since you get the same functionality
  by calling bin.pack("H", str) and bin.unpack("H", str),
  respectively. [Patrick]

o [NSE] Fixed the parsing of --script-args, which was only accepting
  alphanumeric characters and underscores in values. Now a key, value,
  or array value may be a sequence of any characters except '{', '}',
  ',', '=', and all space characters. You may overcome this
  restriction by using quotes (single or double) to allow all
  characters within the quotation marks. You may also use the quote
  delimiter inside the sequence so long as it is escaped by a
  backslash. See
  http://seclists.org/nmap-dev/2009/q2/0211.html. [Patrick]

o [NSE] When a script ends for any reason, all of its mutexes are now
  unlocked.  This prevents a permanent (and painful to debug) deadlock
  when a script crashes without unlocking a mutex. See
  http://seclists.org/nmap-dev/2009/q2/0533.html. [Patrick]

o Fixed a bug wherein nmap would not display the post-scan count of
  raw packets sent during a SYN ping scan (-sP -PS). [Josh Marlow]

o Changed the ICMP ping probes to use a random non-zero ICMP id.
  David's empirical testing found that some hosts drop probes when the
  ICMP id is 0 [Josh Marlow]

o [NSE] Fixed a --script argument processing bug in which Nmap would
  abort when an expression matches a set of scripts which were loaded
  by other expressions first (a simple example is "--script
  default,DEFAULT". [Patrick]

o [Zenmap] Operating system icons are now always loaded as PNGs, even on
  platforms which support SVG images. That is much faster, and Zenmap
  currently never scales the images anyway. [Josh]

o [Ncat] The Nmap Windows uninstaller now removes the Ncat CA list
  (ca-bundle.crt) which has been installed since 4.85BETA9. [Jah]

o Optimized some Nmap version detection match lines for slightly
  better performance. See
  http://seclists.org/nmap-dev/2009/q2/0328.html. [Brandon]

o [NSE] Upon connection failure, a socket now immediately unlocks its
  "socket lock" to allow other pending socket connections to succeed
  sooner. This slightly improves scan speeds by eliminating the wait
  for garbage collection to free the resource. [Patrick]

o [NSE] Corrected a bug in nse_nsock.cc that could result in a crash
  from the use of an invalid Lua state if a thread is collected due to
  timeout or other rare reasons. Essentially, the callbacks from the
  nsock library were returning to an already-collected Lua state. We
  now maintain a reference to the Lua State Thread in the nsock
  userdata environment table to prevent early collection.  This is a
  temporary patch for the stable release pending a more detailed
  review of the NSE nsock library binding. [Patrick]

o [NSE] When an NSE script in the database (script.db) is requested
  but not found on the filesystem, Nmap now prints a warning rather
  than aborting. We accidentally shipped with such a phantom script
  (smb-check-vulns-2.nse) in 4.85BETA8. [Patrick]

o Fixed a bug where an ICMP echo, timestamp, or address mask reply
  could be matched up with the wrong ICMP probe if more than one ICMP
  probe type was being sent (as with the new default ping). This lead
  to timing calculation problems. [David]

o Improved the host expression parser to better handle a few cases
  where invalid target specifiers would case Nmap to scan unintended
  hosts. See http://seclists.org/nmap-dev/2009/q2/0319.html. [Jah]

o [Zenmap] Fixed a crash, introduced in 4.85BETA4, that happened when
  searching scan results by date. [David]
  The error message was: File "zenmapGUI\SearchGUI.pyo", line 816, in
  set_date TypeError: argument must be sequence of length 9, not 3

o Patched configure.ac to detect Lua include and library files in
  "lua5.1" subdirectories of /usr/include and the like. Debian
  apparently puts them there. We still check the likes of
  /usr/include/lua.h and /usr/include/lua/lua.h as well. [Jan
  Christoph Nordholz]

o Improved nsock's fselect() to be a more complete replacement for
  select() on the Windows platform. In particularly, any or all of the
  FD sets can be null or empty descriptor sets. This fixes an error
  ("nsock_loop error 10022") which would occur when you ran ncat
  --send-only on Windows. [David]

o The --with-openssl= directive now works for specifying the SSL
  location to the nsock library.  It was previously not passing the
  proper include file path to the compiler. [Fyodor]

o The --traceroute feature is now properly disabled for IPv6 ping
  scans (-6 -sP) since IPv6 traceroute is not currently
  supported. [Jah]

o Fixed an assertion failure which could occur on at least SPARC Linux
  The error looked like "nsock_core.c:294: handle_connect_result:
  Assertion `0' failed. Aborted". [David Fifield, Fabio Pedretti]

o Nmap's make install target now uses $(INSTALL) rather than cp to
  copy NSE scripts and libraries to ensure that file permissions are
  set properly. [Fyodor]

o Improved the Oracle DB version detection signatures. [Tom Sellers]

o [NSE] Remove the old nse_macros.h header file. This involved
  removing the SCRIPT_ENGINE_* status defines, moving the likes of
  SCRIPT_ENGINE_LUA_DIR to nse_main.h, removing the last remaining use
  of SCRIPT_ENGINE_TRY, and moving the FILES and DIRS defines to
  nse_fs.h. [Patrick]

o Cleaned up the libpcre build system a bit by removing Makefile.am
  and modifying configure.ac to prevent unnecessary removal of
  pcre_chartables.cc in some instances. [Fyodor]

o Fixed a bug which would cause Nmap to sometimes miscount the number
  of hosts scanned and produce warnings such as "WARNING: No targets
  were specified, so 0 hosts scanned" when --traceroute and -sP were
  combined. [Jah]

o Changed Nmap and Ncat's configure.ac files to check in more
  situations whether -ldl is required for compilation and add it where
  necessary. [Fyodor]

o When building Nmap RPMs using the spec file, you can now pass in an
  openssl argument, the contents of which are passed to ./configure's
  --with-openssl option. So you can pass rpmbuild an option such as
  --define "openssl /usr/local/ssl". [Fyodor]

o Fixed the make distclean target to avoid a failure which could occur
  when you ran it right after a make clean (it might have failed in
  other situations as well). [David]

o Updated nmap-mac-prefixes with the latest MAC address prefix data
  from http://standards.ieee.org/regauth/oui/oui.txt as of
  5/20/09. [Fyodor]

o Ncat now makes sockets blocking before handing them off to another
  program with --exec or --sh-exec. This is to resolve a failure where
  the command "ncat --exec /usr/bin/yes localhost" would stop sending
  because yes would send data so quickly that kernel send buffers
  could not keep up and socket writes would start generating EAGAIN
  errors. [Venkat]

o Ncat now ignores SIGPIPE in listen mode.  This fixes the command
  "yes | ncat -l --keep-open --send-only", which was failing after the
  first client disconnected due to a broken pipe signal when Ncat
  would try to write more date before realizing that the client had
  closed the connection.

o Version detection can now detect Ncat's --chat mode. [David]

Nmap 4.85BETA9 [2009-05-12]

o Integrated all of your 1,156 of your OS detection submissions and
  your 50 corrections since January 8.  Please keep them coming!  The
  second generation OS detection DB has grown 14% to more than 2,000
  fingerprints!  That is more than we ever had with the first system.
  The 243 new fingerprints include Microsoft Windows 7 beta, Linux
  2.6.28, and much more.  See
  http://seclists.org/nmap-dev/2009/q2/0335.html. [David]

o [Ncat] A whole lot of work was done by David to improve SSL
  security and functionality:
  o Ncat now does certificate domain and trust validation against
    trusted certificate lists if you specify --ssl-verify.
  o [Ncat] To enable SSL certificate verification on systems whose
    default trusted certificate stores aren't easily usable by
    OpenSSL, we install a set of certificates extracted from Windows
    in the file ca-bundle.crt. The trusted contents of this file are
    added to whatever default trusted certificates the operating
    system may provide. [David]
  o Ncat now automatically generates a temporary keypair and
    certificate in memory when you request it to act as an SSL server
    but you don't specify your own key using --ssl-key and --ssl-cert
    options. [David]
  o [Ncat] In SSL mode, Ncat now always uses secure connections,
    meaning that it uses only good ciphers and doesn't use
    SSLv2. Certificates can optionally be verified with the
    --ssl-verify and --ssl-trustfile options. Nsock provides the
    option of making SSL connections that prioritize either speed or
    security; Ncat uses security while version detection and NSE
    continue to use speed. [David]

o [NSE] Added Boolean Operators for --script. You may now use ("and",
  "or", or "not") combined with categories, filenames, and wildcarded filenames
  to match a set files.  Parenthetical subexpressions are allowed for
  precedence too.  For example, you can now run:

  nmap --script "(default or safe or intrusive) and not http-*" scanme.nmap.org

  For more details, see
  http://nmap.org/book/nse-usage.html#nse-args. [Patrick]

o [Ncat] The HTTP proxy server now works on Windows too. [David]

o [Zenmap] The command wizard has been removed. The profile editor has
  the same capabilities with a better interface that doesn't require
  clicking through many screens. The profile editor now has its own
  "Scan" button that lets you run an edited command line immediately
  without saving a new profile. The profile editor now comes up
  showing the current command rather than being blank. [David]

o [Zenmap] Added an small animated throbber which indicates that a
  scan is still running (similar in concept to the one on the
  upper-right Firefox corner which animates while a page is
  loading). [David]

o Regenerate script.db to remove references to non-existent
  smb-check-vulns-2.nse. This caused the following error messages when
  people used the --script=all option: "nse_main.lua:319:
  smb-check-vulns-2.nse is not a file!"  The script.db entries are now
  sorted again to make diffs easier to read. [David,Patrick]

o Fixed --script-updatedb on Windows--it was adding bogus backslashes
  preceding file names in the generated script.db. Reported by
  Michael Patrick at http://seclists.org/nmap-dev/2009/q2/0192.html,
  and fixed by Jah.  The error message was also improved.

o The official Windows binaries are now compiled with MS Visual C++
  2008 Express Edition SP1 rather than the RTM version. We also now
  distribute the matching SP1 version of the MS runtime components
  (vcredist_x86.exe). A number of compiler warnings were fixed
  too. [Fyodor,David]

o Fixed a bug in the new NSE Lua core which caused it to round
  fractional runlevel values to the next integer. This could cause
  dependency problems for the smb-* scripts and others which rely on
  floating point runlevel values (e.g. that smb-brute at runlevel 0.5
  will run before smb-system-info at the default runlevel of 1).

o The SEQ.CI OS detection test introduced in 4.85BETA4 now has some
  examples in nmap-os-db and has been assigned a MatchPoints value of
  50. [David]

o [Ncat] When using --send-only, Ncat will now close the network
  connection and terminate after receiving EOF on standard input.
  This is useful for, say, piping a file to a remote ncat where you
  don't care to wait for any response.  [Daniel Roethlisberger]

o [Ncat] Fix hostname resolution on BSD systems where a recently
  fixed libc bug caused getaddrinfo(3) to fail unless a socket type
  hint is provided. Patch originally provided by Hajimu Umemoto of
  FreeBSD. [Daniel Roethlisberger]

o [NSE] Fixed bug in the DNS library which caused the error message
  "nselib/dns.lua:54: 'for' limit must be a number". [Jah]

o Fixed Solaris 10 compilation by renaming a yield structure which
  conflicted with a yield function declared in unistd.h on that
  platform. [Pieter Bowman, Patrick]

o [Ncat] Minor code cleanup of Ncat memory allocation and string
  duplication calls. [Ithilgore]

o Fixed a bug which could cause -iR to only scan the first host group
  and then terminate prematurely.  The problem related to the way
  hosts are counted by o.numhosts_scanned. [David]

o Fixed a bug in the su-to-zenmap.sh script so that, in the cases
  where it calls su, it uses the proper -c option rather than
  -C. [Michal Januszewski, Henry Gebhardt]

o Overhaul the NSE documentation "Usage and Examples" section and add
  many more examples: http://nmap.org/book/nse-usage.html [David]

o [NSE] Made hexify in nse_nsock.cc take an unsigned char * to work
  around an assertion in Visual C++ in Debug mode. The isprint,
  isalpha, etc. functions from ctype.h have an assertion that the
  value of the character passed in is <= 255. If you pass a character
  whose value is >= 128, it is cast to an unsigned int, making it a
  large positive number and failing the assertion. This is the same
  thing that was reported in
  http://seclists.org/nmap-dev/2007/q2/0257.html, in regard to
  non-ASCII characters in nmap-mac-prefixes. [David]

o [NSE] Fixed a segmentation fault which could occur in scripts which
  use the NSE pcap library. The problem was reported by Lionel Cons
  and fixed by Patrick.

o [NSE] Port script start/finish debug messages now show the target
  port number as well as the host/IP. [Jah]

o Updated IANA assignment IP list for random IP (-iR)
  generation. [Kris]

o [NSE] Fixed http.table_argument so that user-supplied HTTP headers
  are now properly sent in HTTP requests. [Jah]

Nmap 4.85BETA8 [2009-04-21]

o Ncat's HTTP proxy now supports the GET, HEAD, and POST methods in
  addition to the CONNECT tunneling method, so it can be used as a
  proxy with an ordinary web browser.[David]

o Ncat can now run as an authenticated proxy in HTTP proxy mode. Use
  --proxy-auth to provide a username and password that will be required
  of proxy users. Only the insecure (not encrypted) Basic authentication
  method is supported. [David]

o Ndiff's text output has been redone to look more like Nmap output
  and be easier to read. See the Ndiff README file for an example. The
  XML output is now based on Nmap's XML output as well. Zenmap's diff
  viewer now shows the new output with syntax highlighting. [David]

o The new versions of the Conficker Internet worm ban infected systems
  from visiting Insecure.Org and Nmap.Org.  We take that as a
  compliment to the effectiveness of our remote Conficker scanner.
  They also ban DNS substrings "honey" (for the Honeynet Project),
  "doxpara" (for Dan Kaminsky's site), "tenablese" for Tenable
  Security, "coresecur" for Core Security Technologies, and
  "iv.cs.uni" for those meddlesome (to the Conficker authors)
  researchers at the University of Bonn.  For people who can't reach
  nmap.org due to infection, I've mirrored this release at
  http://sectools.org/nmap/. [Fyodor]

o New Conficker versions eliminate the loophole we were using to
  detect them with smb-check-vulns,nse, so we've added new methods
  which work with the newest variants. Here are the Conficker-related
  improvements since BETA7:
  o Added new p2p-conficker script which detects Conficker using its
    P2P update ports rather than MSRPC.  This is based on some new
    research by Symantec. See
    http://nmap.org/nsedoc/scripts/p2p-conficker.html [Ron]
  o Since new Conficker variants prevent detection by our previous
    MSRPC check in smb-check-vulns, we've added a new check which still
    works. It involves calling netpathcanonicalize on "\" rather than
    "\..\" and checking for a different return value.  It was discovered
    by Felix Leder and Tillmann Werner. [Ron]
  o Improved smb-check-vulns Conficker error message text to be more
    useful. [David]
  o smb-check-vulns now defaults to using basic login rather than
    extended logins as this seems to work better on some
    machines. [Ron]
  o Recommended command for a fast Conficker scan (combine into 1 line):
    nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns
    --script-args checkconficker=1,safe=1 -T4 [target networks]
  o Recommended command for a more comprehensive (but slower) scan:
    nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p-
    --script-args checkall=1,safe=1 -T4 [target networks]

o [NSE] The Nmap Script Engine core (C++) was rewritten in Lua for
  code simplicity and extensibility. See
  http://seclists.org/nmap-dev/2009/q2/0090.html and
  http://seclists.org/nmap-dev/2009/q1/0047.html. [Patrick]

o [Zenmap] The "Cancel" button has been restored to the main screen.
  It will cancel the scan that is currently being displayed. [David]

o Fixed an SMB library bug which could case a nil-pointer exception
  when scanning broken SMB implementations. Reported by Steve
  Horejsi. [Ron]

o [Ndiff] The setup.py installation script now suggests installing the
  python-dev package in a certain error situation. Previously the
  error message it printed was misleading:
    error: invalid Python installation: unable to open
    /usr/lib/python2.6/config/Makefile (No such file or directory)
  The change was suggested by Aaron Leininger. [David]

o [Nbase] The checksum functions now have an nbase_ prefix.  This
  should prevent name collisions with internal but exported functions
  in shared libraries Nmap links against (e.g. adler32() in zlib).
  Such collisions seem to confuse the runtime linker on some platforms.
  [Daniel Roethlisberger]

o Fixed banner.nse to remove surrounding whitespace from banners. For
  example, this avoids a superfluous carriage return and newline at the
  end of SSH greetings. [Patrick]

o Expanded and tweaked the product/version/info of service scans in an
  attempt to reduce the number of warnings like "Warning: Servicescan
  failed to fill info_template...".  Parts of this change include:
  o Improved the text of the warning to be less confusing
  o Increased the internal version info buffer to 256 chars from 128
  o Increased the final version string length to 160 from 128 chars
  o Changed the behavior when constructing the final version string so
    that if it runs out of space, rather than dropping the output of that
    template it truncates the template with ...
  o Fixed the printing of unneeded spaces between templates when one of the
    templates isn't going to be printed at all.
  [Brandon]

o Improved the service scan DB to remove certain problematic regex
  patterns which could lead to PCRE_MATCHLIMIT errors. For example,
  instances of ".*\r\n.*" and ".*\n.*\n" were generally collapsed to
  ".*" as long as the DOTALL (/s) modifier was set. [Brandon]

o Changed some error() calls (which were more informational than error
  messages) to use log_write() instead, and changed a few f?printf()
  calls into error() or log_write(). [Brandon]

o [Ncat] Fixed a bug in the resolve() function which could cause Ncat
  to resolve names using the wrong address family (such as AF_INET
  rather than AF_INET6) in some rare cases. [Daniel Roethlisberger]

o [Zenmap] Worked around a GTK+ bug on Windows reported by Henry Nymann.
  It caused a crash when opening the Hosts Viewer on a host that had OS
  information. A window appeared saying simply "Runtime Error!". [David]

o [Zenmap] Gracefully handle unrecognized port states in the hosts
  viewer. Apparently old versions of Nmap can return a state of
  "unknown". This prevents this crash:
      File "radialnet\gui\NodeNotebook.pyo", line 107, in __init__
      File "radialnet\gui\NodeNotebook.pyo", line 257, in __create_widgets
    KeyError: u'unknown'
  [David]

o Rewrote the debugging error message "Found whacked packet protocol
  17 in get_ping_pcap_result" because we decided that receiving a UDP
  packet during TCP ping scan is not egregious enough to qualify as
  "whacked". [David]

Nmap 4.85BETA7 [2009-04-1]

o Improvements to the Conficker detection script (smb-check-vulns):
  o Reduce false negative rate.  We (and all the other scanners) used
    to require the 0x57 return code as well as a canonicalized path
    string including 0x5c450000.  Tenable confirmed an infected system
    which returned a 0x00000000 path, so we now treat any hosting
    returning code 0x57 as likely infected. [Ron]
  o Add workaround for crash in older versions of OpenSSL which would
    occur when we received a blank authentication challenge string
    from the server.  The error looked like: evp_enc.c(282): OpenSSL
    internal error, assertion failed: inl > 0". [Ron]
  o Add helpful text for the two most common errors seen in the
    Conficker check in smb-check-vulns.nse.  So instead of saying
    things like "Error: NT_STATUS_ACCESS_DENIED", output is like:
    |  Conficker: Likely CLEAN; access was denied.
    |  |  If you have a login, try using --script-args=smbuser=xxx,smbpass=yyy
    |  |  (replace xxx and yyy with your username and password). Also try
    |  |_ smbdomain=zzz if you know the domain. (Error NT_STATUS_ACCESS_DENIED)
    The other improved message is for
    NT_STATUS_OBJECT_NAME_NOT_FOUND. [David]

o The NSEDoc portal at http://nmap.org/nsedoc/ now provides download
  links from the script and module pages to browse or download recent versions
  of the code.  It isn't quite as up-to-date as obtaining them from
  svn directly, but may be more convenient. For an example, see
  http://nmap.org/nsedoc/scripts/smb-check-vulns.html. [David, Fyodor]

o A copy of the Nmap public svn repository (/nmap, plus its zenmap,
  nsock, nbase, and ncat externals) is now available at
  http://nmap.org/svn/.  We'll be updating this regularly, but it may
  be slightly behind the SVN version.  This is particularly useful
  when you need to link to files in the tree, since browsers generally
  don't handle svn:// repository links. [Fyodor]

o Declare a couple msrpc.lua variables as local to avoid a potential
  deadlock between smb-server-stats.nse instances. [Ron]

Nmap 4.85BETA6 [2009-03-31]

o Fixed some bugs with the Conficker detection script
 (smb-check-vulns) [Ron]:
 o SMB response timeout raised to 20s from 5s to compensate for
   slow/overloaded systems and networks.
 o MSRPC now only signs messages if OpenSSL is available (avoids an
   error).
 o Better error checking for MS08-067 patch
 o Fixed forgotten endian-modifier (caused problems on big-endian
   systems such as Solaris on SPARC).

o Host status messages (up/down) are now uniform between ping scanning
  and port scanning and include more information. They used to vary
  slightly, but now all look like
    Host  is up (Xs latency).
    Host  is down.
  The new latency information is Nmap's estimate of the round trip
  time. In addition, the reason for a host being up is now printed for
  port scans just as for ping scans, with the --reason option. [David]

o Version detection now has a generic match line for SSLv3 servers,
  which matches more servers than the already-existing set of specific
  match lines. The match line found 13% more SSL servers in a test.
  Note that Nmap will not be able to do SSL scan-through against a
  small fraction of these servers, those that are SSLv3-only or
  TLSv1-only, because that ability is not yet built into Nsock. There
  is also a new version detection probe that works against SSLv2-only
  servers. These have shown themselves to be very rare, so that probe
  is not sent by default. Kristof Boeynaems provided the patch and did
  the testing.

o [Zenmap] A typo that led to a crash if the ndiff subprocess
  terminated with an error was fixed. [David] The message was
    File "zenmapGUI\DiffCompare.pyo", line 331, in check_ndiff_process
  UnboundLocalError: local variable 'error_test' referenced before assignment

o [Zenmap] A crash was fixed:
      File "zenmapGUI\SearchGUI.pyo", line 582, in operator_changed
    KeyError: "Syst\xc3\xa8me d'Exploitation"
  The text could be different, because the error was caused by
  translating a string that was also being used as an index into an
  internal data structure. The string will be untranslated until that
  part of the code can be rewritten. [David]

o [Zenmap] A bug was fixed that caused a crash when doing a keyword:
  or target: search over hosts that had a MAC address. [David] 
  The crash output was
      File "zenmapCore\SearchResult.pyo", line 86, in match_keyword
      File "zenmapCore\SearchResult.pyo", line 183, in match_target
    TypeError: argument of type 'NoneType' is not iterable

o Fixed a bug which prevented all comma-separated --script arguments
  from being shown in Nmap normal and XML output files where they show
  the original Nmap command. [David]

o Fixed ping scanner's runtime statistics system so that instead of
  saying "0 undergoing Ping Scan" it gives the actual number of hosts in
  the group (e.g. 4096). [David]

o [Zenmap] A crash was fixed in displaying the "Error creating the
  per-user configuration directory" dialog:
      File "zenmap", line 104, in 
      File "zenmapGUI\App.pyo", line 129, in run
    UnicodeDecodeError: 'utf8' codec can't decode bytes in position 43-45:
                        invalid data
  The crash would only happen to users with paths containing
  multibyte characters in a non-UTF-8 locale, who also had some error
  preventing the creation of the directory. [David]

Nmap 4.85BETA5 [2009-03-30]

o Ron (in just a few hours of furious coding) added remote detection
  of the Conficker worm to smb-check-vulns. It is based on new
  research by Tillmann Werner and Felix Leder.  You can scan your
  network for Conficker with a command like: nmap -PN -T4 -p139,445 -n
  -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

o Ndiff now includes service (version detection) and OS detection
  differences. [David]

o [Ncat] The --exec and --sh-exec options now work in UDP mode like
  they do in TCP mode: the server handles multiple concurrent clients
  and doesn't have to be restarted after each one. Marius Sturm
  provided the patch.

o [Ncat] The -v option (used alone) no longer floods the screen with
  debugging messages. With just -v, we now only print the most
  important status messages such as "Connected to ...", a startup
  banner, and error messages.  At -vv, minor debugging messages are
  enabled, such as what command is being executed by --sh-exec.  With
  -vvv you get detailed debugging messages. [David]

o [Ncat] Chat mode now lets other participants know when someone
  connects or disconnects, and it also broadcasts a current list of
  participants at such times. [David]

o [Ncat] Fixed a socket handling bug which could occur when you
  redirect Ncat stdin, such as "ncat -l --chat < /dev/null".  The next
  user to connect would end up with file descriptor 0 (which is
  normally stdin) and thus confuse Ncat. [David]

o [Zenmap] The "Scan Output" expanders in the diff window now behave
  more naturally. Some strange behavior on Windows was noted by Jah.
  [David]

o The following OS detection tests are no longer included in OS
  fingerprints: U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI. URL, DLI,
  and SI were found not be helpful in distinguishing operating systems
  because they didn't vary. TOS and TOSI were disabled in 4.85BETA1
  but now they are not included in prints at all. [David]

o The compile-time Nmap ASCII dragon is now more ferocious thanks to
  better teeth alignment. [David]

o Version 4.85BETA4 had a bug in the implementation of the new SEQ.CI
  test that could cause a closed-port IP ID to be written into the
  array for the SEQ.TI test and cause erroneous results. The bug was
  found and fixed by Guillaume Prigent.

o Nbase has grown routines for calculating Adler32 and CRC32C
  checksums. This is needed for future SCTP support. [Daniel
  Roethlisberger]

o [Zenmap] Zenmap no longer shows an error message when running Nmap
  with options that cause a zero-length XML file to be produced (like
  --iflist). [David]

o Fixed an off-by-one error in printableSize() which could cause Nmap
  to crash while reporting NSE results. Also, NmapOutputTable's memory
  allocation strategy was improved to conserve memory. [Brandon,
  Patrick]

o [Zenmap] We now give the --force option to setup.py for installation
  to ensure that it replaces all files. [David]

o Nmap's --packet-trace, --version-trace, and --script-trace now use
  an Nsock trace level of 2 rather than 5.  This removes some
  superfluous lines which can flood the screen. [David]

o [Zenmap] Fixed a crash which could occur when loading the help URL
   if the path contains multibyte characters. [David]

o [Ncat] The version number is now matched to the Nmap release it came
  with rather than always being 0.2. [David]

o Fixed a strtok issue between load_exclude and
  TargetGroup::parse_expr that caused only the first exclude on
  a line to be loaded as well as an invalid read into free()'d
  memory in load_exclude(). [Brandon, David]

o NSE's garbage collection system (for cleaning up sockets from
  completed threads, etc.) has been improved. [Patrick]

Nmap 4.85BETA4 [2009-3-15]

o Added two new SMB/MSRPC NSE scripts by Ron Bowes:
  smb-brute.nse: Bruteforce to discover SMB accounts. Has advanced
    features, such as lockout detection, username validation, username
    enumeration, and optimized case detection.
  smb-pwdump.nse: Uses executables from the Pwdump6 project to dump
    password hashes from a remote machine (and optionally crack them
    with Rainbow Crack). Pwdump6 files have to be downloaded
    separately

o [Ncat] The --exec and --sh-exec options now work on Windows. This
  was a big job, considering that Windows doesn't even have a fork()
  call and has all sorts of socket idiosyncrasies. [David]

o Doug performed one of the largest version detection integration runs
  ever, processing 1,746 submissions and 18 corrections.  We are now
  current with all submissions up to February 3.  Keep them coming.
  The version detection database has grown to 5,476 signatures for 510
  application protocols. Doug posted his notes on the integration at
  http://hcsw.org/blog.pl/37.  We now have 1,868 http server
  signatures, and the number of gopher signatures has bumped up from 5
  to 6.

o Released the new Ncat guide which contains practical real-life Ncat
  usage examples for Ncat's major features.  It complements the more
  option-centric man page.  Read it here: http://nmap.org/ncat/guide/
  [David, Fyodor]

o Ndiff is now included in the Windows zip distribution. For space
  reasons, it is not an executable compiled with py2exe as in the
  executable installer, rather it is the Ndiff source code (ndiff.py)
  and a batch file wrapper (ndiff.bat). Because it's not precompiled,
  it's necessary to have a Python interpreter installed. [David]

o The new --stats-every option takes a time interval that controls how
  often timing status updates are printed. It's intended to be used
  when Nmap is run by another program as a subprocess. Thanks to
  Aleksandar Petrinic for the initial implementation. [David]

o [NSE] A new function stdnse.sleep allows a script to sleep for a
  given time (and yield control to other scripts). [David]

o [Ncat] In --chat mode (formerly --talk), the server now announces to
  everyone when someone connects or disconnects. Besides letting you
  know who's connected, this also informs you of your "user name" as
  soon as you connect. [David]

o [Ncat] Ncat now works interactively on Windows. Before,
  peculiarities in the way Windows handles reading from the keyboard
  meant that typing interactively into Ncat would cause it to quit
  with a write timeout. [David]

o Refactored SMB and MSRPC NSE scripts significantly, moving much of
  the code into the smb.lua and msrpc.lua modules where it can be
  leveraged by other scripts. For example, the user enumeration
  functions are used by smb-brute.nse. [Ron Bowes]

o [Ncat] The syntax accepted by the --allow, --deny, --allowfile, and
  --denyfile options is now the same as Nmap's target specifications.
  Additionally any errors in the allow or deny specifications are
  reported when the program starts, not deferred until a connection is
  received. [David]

o You can now use '-' by itself in a target IP specification to mean
  0-255, so you could scan 192.168.-.-.  An asterisk can also still be
  used as an octet wildcard, but then you have to deal with shell
  escaping on many platforms. [David]

o Nmap was discovered in another movie!  In the Russian film
  Khottabych, teenage hacker Gena uses Nmap (and telnet) to hack
  Microsoft.  In response, MS sends a pretty female hacker to flush
  him out.  More details and screenshots: http://nmap.org/movies.html.

o Improved operating system support for the smb-enum-sessions NSE
  script; previous revisions worked on Windows 2003 or Windows 2000,
  but never both.  Currently, it is tested and working on both
  versions.  [Ron Bowes]

o Implemented file-management functions in SMB, including file upload, 
  file download, and file delete. Only leverages by smb-pwdump.nse at
  the moment, these functions give scripts the ability to perform 
  checks against the filesystem of a server. [Ron Bowes]

o [Zenmap] A crash was fixed that occurred when you ran a scan
  that didn't produce any host output (like "nmap --iflist") and then
  tried to remove it from the inventory. [David]
  The crash looked like
    ValueError: list.remove(x): x not in list

o [Ncat] In --chat mode, the server escapes potentially dangerous
  control characters (in octal) before sending them to
  clients. [David]

o [Ndiff] Added a workaround for a bug in PyXML. The bug would cause a
  crash that looked like "KeyError: 0". [David]

o [Zenmap] Fixed a crash when something that looked like a format
  specifier (like %y) appeared in a profile. The error message was
    ValueError: unsupported format character 'y' (0x79)
  [David]

o A bug was fixed in route finding on BSD Unix. The libdnet function
  addr_stob didn't handle the special case of the sa_len member of
  struct sockaddr being equal to 0 and accessed unrelated memory past
  the end of the sockaddr. A symptom of this was the fatal error
    nexthost: failed to determine route to ...
  which was caused by the default route being assigned a netmask other
  than 0.0.0.0. [David]

o Added bindings for the service control (SVCCTL) and at service (ATSVC)
  services. These are both related to running processes on the remote 
  system (identical to how PsExec-style scripts work). These bindings
  are used by smb-pwdump.nse. [Ron Bowes]

o Refactored SMB authentication code into its own module, smbauth.lua. 
  Improved scripts' ability to store and retrieve login information 
  discovered by modules such as smb-brute.nse. [Ron Bowes]

o Added message signing to SMB. Connections will no longer fail if the
  server requires message signatures. This is a rare case, but comes up
  on occasion. If a server allows but doesn't require message signing, 
  smb.lua will negotiate signing. This improves security by preventing
  man in the middle attacks. [Ron Bowes]

o Fixed the daytime.nse script to work for UDP again (it was checking
  a "proto" field when the field name is actually "protocol"). [Jah]

o Implemented extended security negotiations in the NSE SMB
  module. Creates no noticeable change from the user's perspective,
  but it's a more modern protocol. [Ron Bowes]

o Nmap wins LinuxQuestions.Org Network Security Application of the
  Year for the sixth year in a row! See
  http://seclists.org/nmap-dev/2009/q1/0395.html.

o [Zenmap] Removed some unnecessary (mostly GTK+-related) files from
  the Windows installer--nmap-4.85BETA4-setup.exe is now smaller than
  it has ever been since Nmap 4.22SOC6, which was released in August
  2007! [David]

o Fixed the install-zenmap make target for Solaris portability.
  Solaris /bin/sh does not have test(1) -e. [Daniel Roethlisberger]

o Version detection used to omit the "ssl/" service name prefix if an
  SSL-tunneled port didn't respond to any version probes. Now it keeps
  "ssl/" as an indication that SSL was discovered, even if the service
  behind it wasn't identified. Kristof Boeynaems reported the problem
  and contributed a patch. [David]

o [Ncat] The --talk option has been renamed --chat. --talk remains as an
  undocumented alias.

o There is a new OS detection test named SEQ.CI. Like TI and II, CI
  classifies the target's IP ID sequence generation algorithm. CI is
  based on the responses received to the probes sent to a closed port.
  The algorithm for closed ports has been observed to differ from that
  for open ports on some operating systems (though we don't yet know
  which ones).  The new test won't have an effect until new
  fingerprints containing it are added to nmap-os-db. We got the idea
  from some notes sent in by Dario Ciccarone. [David,Fyodor]

o OS fingerprints now include the SEQ.II test (ICMP IP ID sequence
  generation) even if there are no other SEQ test results. The
  previous omission of SEQ.II in that case was a bug. [David]

o [Ncat] The --send-only and --recv-only options now work in listen
  mode as well as connect mode. [David]

o [Ncat] An error in formatting bytes with the high bit set in hex
  dump output was fixed. [David]

o [Zenmap] New translation: Croatian (contributed by Vlatko Kosturjak).

o Fixed a DNS decoding bug in dns-zone-transfer.nse that created
  garbage output and could crash Zenmap by including 0x0C bytes in XML
  files. The Zenmap crash looked like
    SAXParseException: .../zenmap-XXXXXX.xml:39:290: not well-formed
    (invalid token)
  Thanks to Anino Belan and Eric Nickel for sending in affected log
  files. [David]

o [NSEDoc] Scripts that use modules automatically have the script
  arguments defined by those modules included in their documentation.
  It's no longer necessary to manually supply @args for the arguments
  in the modules you use. For those who haven't seen the NSEDoc portal
  yet, check out http://nmap.org/nsedoc/. [David]

o An integer overflow in the scan progress meter was fixed. It caused
  nonsense output like
    UDP Scan Timing: About 11.34% done; ETC: 03:21 (-688:-41:-48 remaining)
  during very long scans. [Henri Doreau]

o [Zenmap] A better method of detecting the system locale is used, so
  it should not be necessary to set the LANG environment variable on
  Windows to get internationalized text. Thanks to Dirk Loss for the
  suggestion. [David]

o [Ncat] Added a number of automated tests for ensuring that Ncat is
  working correctly.  They are in /ncat/test in SVN. [David]

o [Ncat] Now builds again when using the --without-openssl
  option. [David]

o [Zenmap] Fix auto-scroll behavior while Nmap is producing output, as
  that previously failed in some cases involving wide lines in
  output. [David]

o [Zenmap] The network topology feature (Radialnet) has been
  internationalized so its strings will be localized as well (as soon
  as the relevant language's translation files are updated.  To help
  out, see http://nmap.org/book/zenmap-lang.html. Some remaining search
  interface elements were internationalized as well. [David]

o Improved the efficiency of the xml_convert() routine which handles
  XML escaping.  It was so inefficient that this stupid little routine
  was noticeably slowing Nmap down in some cases. [David]

o Removed 9 OS detection device types which only had one or two
  instances in our whole database (ATM, TV, oscilloscope, etc.) and
  made some other cleanups as well. We plan to enhance this even
  further for the next release. [Fyodor,David,Doug]

o [Zenmap] Removed some unnecessary GTK+ files from the files
  installed by the Windows executable installer. [David]

o [Zenmap] Tweaked the file format of the topology icons
  (firewall.png, padlock.png, etc.) in an attempt to improve
  compatibility with some versions of GTK+. This may fix a crash like
    File "radialnet/gui/Image.py", line 53, in get_pixbuf
      self.__cache[icon + image_type] = gtk.gdk.pixbuf_new_from_file(file)
    GError: Couldn't recognize the image file format for file 'radialnet/padlock.png'
  Thanks to Trevor Bain for a report and help debugging. [David]

o Removed a bunch of unnecessary files (mostly GTK related) from the
  Win32 exe installer to reduce its size. [David]

o Fixed an NSE crash (assertion error) which looked like
  "nsock_core.c:293: handle_connect_result: Assertion `0'
  failed". Brandon reported the bug, which was fixed by Doug and
  David.  See http://seclists.org/nmap-dev/2009/q1/0546.html.

Nmap 4.85BETA3 [2009-2-2]

o Revert the temporary GTK DLL workaround (r11899) which added
  duplicate DLL files to the distribution.  David found that using a
  different GTK download fixed the problem (see
  docs/win32-installer-zenmap-buildguide.txt) and Fyodor was able to
  reproduce and implement.

o The conditions for printing OS fingerprints to XML output are now
  the same as are used to decide whether to print them in the other
  formats. So they will be printed if submission is desirable,
  otherwise they are only printed if debugging is enabled or verbosity
  is 2 or higher. [Tom Sellers]

o Removed some Brazilian poetry/lyrics from Zenmap source code
  (NmapOutputViewer.py). We've seen enough of it in the debug logs. "E
  nao se entrega, nao".

o Fix Ncat compilation with the MingW windows compiler. [Gisle Vanem]

o Corrected some NSE libraries (datafiles, tab) which were using the
  old arg table interface. [Patrick]

o [Zenmap] Fixed a crash that happened when running a scan directly
  from the command wizard without saving a profile [David]:
    NmapParser.py", line 417, in set_target
      self.ops.target_specs = target.split()
    AttributeError: 'NoneType' object has no attribute 'split'

o Fixed an NSE pop3 library error which gave a message such as:
  SCRIPT ENGINE (506.424s): ./scripts/pop3-capabilities.nse against
  a.b.1.47:995 ended with error: ./scripts/pop3-capabilities.nse:32:
  bad argument #1 to 'pairs' (table expected, got string) [Jah]

o Upgraded the OpenSSL binaries shipped in our Windows installer to
  version 0.9.8j. [Kris]

o Updated IANA assignment IP list for random IP (-iR)
  generation. [Kris]

Nmap 4.85BETA2 [2009-1-29]

o Added some duplicate GTK DLLs to Windows installer, as a temporary
  fix for this issue: http://seclists.org/nmap-dev/2009/q1/0207.html.
  The problem caused a warning message complaining of problems finding
  librsvg-2-2.dll to pop up 32 times before Zenmap would start.  We're
  still looking for a better fix. [Fyodor, Rob, Jah]

o Made a few improvements to nmap.xsl (details:
  http://seclists.org/nmap-dev/2009/q1/0210.html) [Tom Sellers]

o [Zenmap] New translation: French (contributed by Gutek)

o Updated the mswin32 installer build guide and posted it to
  http://nmap.org/data/win32-installer-zenmap-buildguide.txt [Fyodor]

o The xampp-default-auth.nse script was renamed to ftp-brute.nse since
  it has become more general.

Nmap 4.85BETA1 [2009-1-23]

o Added Ncat, a much-improved reimplementation of the venerable Netcat
  tool which adds modern features and makes use of Nmap's efficient
  networking libraries.  Features include SSL support, proxy
  connections (client or server, socks4 or connect-based, with or
  without authentication, optionally chained), TCP and UDP connection
  redirection, connection brokering (facilitating connections between
  machines which are behind NAT gateways), and much more.  It is
  cross-platform (Linux, Windows, Mac, etc.) and supports IPv6 as well
  as standard IPv4.  See http://nmap.org/ncat/ for details.  It is now
  included in our binary packages (Windows, Linux, and Mac OS X), and
  built by default.  You can skip it with the --without-ncat configure
  option.  Thanks to Kris and David for their great work on this!

o Added the Ndiff utility, which compares the results of two Nmap
  scans and describes the new/removed hosts, newly open/cosed ports,
  changed operating systems, etc.  This makes it trivial to scan your
  networks on a regular basis and create a report (XML or text format)
  on all the changes.  See http://nmap.org/ndiff/ and ndiff/README for
  more information. Ndiff is included in our binary packages and built
  by default, though you can prevent it from being built by specifying
  the --without-ndiff configure flag.  Thanks to David and Michael
  Pattrick for their great work on this.

o Released Nmap Network Scanning: The Official Nmap Project Guide to
  Network Discovery and Security Scanning.  From explaining port
  scanning basics for novices to detailing low-level packet crafting
  methods used by advanced hackers, this book suits all levels of
  security and networking professionals. A 42-page reference guide
  documents every Nmap feature and option, while the rest of the book
  demonstrates how to apply those features to quickly solve real-world
  tasks.  It was briefly the #1 selling computer book on Amazon.
  Translations to the German, Korean, and Brazilian Portuguese
  languages are forthcoming.  More than half of the book is already
  free online.  For more, see http://nmap.org/book/.

o David spent more than a month working on algorithms to improve port
  scan performance while retaining or improving accuracy.  The changes
  are described at http://seclists.org/nmap-dev/2009/q1/0054.html. He
  was able to reduce our "benchmark scan time" (which involves many
  different scan types from many source networks to many targets) from
  1879 seconds to 1321 without harming accuracy.  That is a 30% time
  reduction!

o Introduced the NSE documentation portal, which documents every NSE
  script and library included with Nmap. See http://nmap.org/nsedoc/.
  Script documentation was improved substantially in the process.
  Scripts and libraries must use the new NSEDoc format, which is
  described at http://nmap.org/book/nsedoc.html.  Thanks to Patrick
  and David for their great work on this.

o The 2nd Generation OS Detection System was dramatically improved for
  improved accuracy.  After substantial testing, David and Fyodor made
  the following changes:
  o The "T" (TTL test) result ranges were widened to prevent minor
    routing (and device hardware inconsistency) variations from causing
    so many matches to fail.
  o The TG (TTL guess) results were canonicalized. Nmap is only
    capable of assigning the values 0x20, 0x40, 0x80, and 0xFF for
    these tests, yet many fingerprints had different values.  This was
    due to bugs in our fingerprint integration tools.
  o The U1.TOS and IE.TOSI tests (both having to do with the IP Type
    of Service field) have been effectively eliminated (MatchPoints
    set to 0).  These proved particularly susceptible to false results
    due to networking hardware along the packet route manipulating the
    TOS header field.
  o An important bug in OS detection's congestion control algorithms
    was fixed.  It could lead to Nmap sending packets much too quickly
    in some cases, which hurt accuracy.

o Integrated all of your OS detection fingerprint submissions and
  corrections up to January 8.  The DB has grown more than 17% to
  1,761 fingerprints.  Newly detected services include Mac OS X
  10.5.6, Linux 2.6.28, iPhone 2.1, and all manner of WAPs, VoIP
  phones, routers, oscilloscopes, employee timeclocks, etc. Keep those
  submissions coming!

o Ron Bowes embarked on a massive MSRPC/NETBIOS project to allow Nmap
  to interrogate Windows machines much more completely.  He added
  three new nselib modules: msrpc, netbios, and smb. As the names
  suggest, they contain common code for scripts using MSRPC, NetBIOS,
  and SMB. These modules allow scripts to extract a great deal of
  information from hosts running Windows, particularly Windows
  2000. New or updated scripts using the modules are:
    nbstat.nse: get NetBIOS names and MAC address.
    smb-enum-domains.nse: enumerate domains and policies.
    smb-enum-processes.nse: allows a user with administrator
       credentials to view a tree of the processes running on the
       remote system (uses HKEY_PERFORMANCE_DATA hive).
    smb-enum-sessions.nse: enumerate logins and SMB sessions.
    smb-enum-shares.nse: enumerate network shares.
    smb-enum-users.nse: enumerate users and information about them.
    smb-os-discovery.nse: get operating system over SMB (replaces
      netbios-smb-os-discovery.nse).
    smb-security-mode.nse: determine if a host uses user-level or
      share-level security, and what other security features it
      supports.
    smb-server-stats.nse: grab statistics such as network traffic
      counts.
    smb-system-info.nse: get lots of information from the registry.

o A problem that caused OS detection to fail for most hosts in a
  certain case was fixed. It happened when sending raw Ethernet frames
  (by default on Windows or on other platforms with --send-eth) to
  hosts on a switched LAN. The destination MAC address was wrong for
  most targets. The symptom was that only one out of each scan group
  of 20 or 30 hosts would have a meaningful OS fingerprint. Thanks go
  to Michael Head for running tests and especially Trent Snyder for
  testing and finding the cause of the problem. [David]

o Zenmap now runs ndiff to for its "Compare Results" function. This
  completely replaces the old diff view. The diff window size is now
  more flexible for user resizing as well. [David]

o Added a Russian translation of the Nmap Reference Guide by Guz
  Alexander. We now have translations in 15 languages available from
  http://nmap.org/docs.html. More volunteer translators are welcome,
  as we are still missing some important languages. Translation
  instructions are available from that docs.html page.

o Update Windows installer to handle Windows 7 (tested with the Beta
  build 7000) [Rob Nicholls]

o Improved port scan performance by changing the list of high priority
  ports which Nmap shifts closer to the beginning of scans because
  they are more likely to be responsive.  We based the change on
  empirical data from large-scale scanning.  The new port list is:
    21, 22, 23, 25, 53, 80, 110, 111, 113, 135, 139, 143, 199, 256,
    443, 445, 554, 587, 993, 995, 1025, 1720, 1723, 3306, 3389, 5900, 
    8080, 8888 [Fyodor, David]

o [NSE] Almost all scripts were renamed to be more consistent.  They
  are now all lowercase and most of them start with the name of the
  service name they query.  Words are separated by hyphens. [David,
  Fyodor]

o [NSE] Now that scripts are better named, the "Id" field has been
  removed and the script name (sans the .nse or directory path
  information) is used in script output instead. [David]

o [NSE] Added banner.nse, a simple script which connects to open TCP
  ports and prints out anything sent in the first five seconds by the
  listening service. [Jah]

o [NSE] Added a new OpenSSL library with functions for multiprecision
  integer arithmetic, hashing, HMAC, symmetric encryption and
  symmetric decryption. [Sven]

o [Zenmap] Internationalization has been fixed [David]. Currently
  Zenmap has two translations:
    o German by Chris Leick
    o Brazilian Portuguese by Adriano Monteiro Marques (partial)
  For details on using an existing translation or localizing Zenmap
  into your own native language, see
  http://nmap.org/book/zenmap-lang.html. [David]

o Zenmap no longer outputs XML elements and attributes that are not in
  the Nmap XML DTD. This was done mostly by removing things from
  Zenmap's output, and adding a few new optional things to the Nmap
  DTD. A scan's profile name, host comments, and interactive text
  output are what were added to nmap.dtd. The .usr filename extension
  for saved Zenmap files is deprecated in favor of the .xml extension
  commonly used with Nmap. Because of these changes the
  xmloutputversion has been increased to 1.03. [David]

o The NSE registry now persists across host groups so that values
  stored in it will remain until they are explicitly removed or Nmap
  execution ends. [David]

o Enhanced the AS Numbers script (ASN.nse) to better consolidate
  results and bail out if the DNS server doesn't support the ASN
  queries. [Jah]

o Complete re-write of the marshaling logic for Microsoft RPC calls. 
  [Ron Bowes]

o Added a script that checks for ms08-067-vulnerable hosts
  (smb-check-vulns.nse) using the smb nselib. It also checks for an
  unfixed denial of service vulnerability Ron discovered in the
  Windows 2000 registry service. [Ron Bowes]

o [Zenmap] Text size is larger on Mac OS X thanks to a new included
  gtkrc file. [David]

o Reduced memory consumption for some longer-running scans by removing
  completed hosts from the lists after two minutes.  These hosts are
  kept around in case there is a late response, but this draws the
  line on how long we wait and hence keep this information in memory.
  See http://seclists.org/nmap-dev/2008/q3/0902.html for more. [Kris]

o The Windows installer now uses Zenmap binaries built using Python
  2.6.1 rather than 2.5.1 [Fyodor]

o When a system route can't be matched up directly with an interface
  by comparing addresses, Nmap now tries to match the route through
  another route. This helps for instance with a PPP connection where
  the default route's gateway address is routed through a different
  route, the one associated with the address of the PPP device. The
  problem would show itself as an inability to scan through the
  default route and the error message
    WARNING: Unable to find appropriate interface for system route to ...
  [David]

o Removed a code comment which simply declared /* WANKER ALERT! */ for
  no good reason. [Fyodor]

o NSE prints messages in debugging mode whenever a script starts or
  finishes. [Patrick, David]

o [Ncat] The -l option can now be specified w/o a port number to
  listen on Ncat's default port number (31337).

o [Zenmap] The Nmap output window now scrolls automatically as a scan
  progresses. [David]

o [NSE] We now have a canonical way for scripts to check for
  dependency libraries such as OpenSSL.  This allows them to handle
  the issue gracefully (by exiting or doing some of their work if
  possible) rather than flooding the console with error messages as
  before. See http://nmap.org/nsedoc/modules/openssl.html. [Pattrick,
  David, Fyodor]

o Nmap now reports a proper error message when you combine an IPv6
  scan (-6) with random IPv4 address selection (-iR). [Henri Doreau]

o Nmap now builds with the _FORTIFY_SOURCE=2 define.  With modern
  versions of GCC, this adds extra buffer overflow protection and
  other security checks.  It is described at
  http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html. [David,
  Doug]

o The --excludefile option correctly handles files with no terminating
  newline instead of claiming "Exclude file line 0 was too long to
  read." [Henri Doreau]

o [NSE] Changed the datafiles library to remove constraining input
  checks, move nmap.fetch_file() to read_from_file(), and make
  get_array() and get_assoc_array() into normal functions. [Sven]

o [NSE] Fixed some bugs and typos in the datafiles library. [Jah]

o Nsock handles a certain Windows connect error, WSAEADDRNOTAVAIL
  (errno 10049), preventing an assertion failure that looked like
    Strange connect error from 203.65.42.255 (10049): No such file or directory
    Assertion failed: 0, file .\src\nsock_core.c, line 290
  The error could be seen by running a version scan against a
  broadcast address. Thanks to Tilo Köppe and James Liu for reporting
  the problem. [David]

o An "elapsed" attribute has been added to the XML output (in the
  "finished" tag), representing the total Nmap scanning time in
  seconds (floating point). [Kris]

o Fixed a division by zero error in the packet rate measuring code
  that could cause a display of infinity packets per seconds near the
  start of a scan. [Jah]

o Substantially updated the Nmap Scripting Engine guide/chapter
  (http://nmap.org/book/nse.html) so that it is up-to-date with all
  the latest NSE improvements.

o Fixed a bug in the IP validation code which would have let a specially
  crafted reply sent from a host on the same LAN slip through and cause
  Nmap to segfault.  Thanks to ithilgore of sock-raw.homeunix.org for
  the very detailed bug report. [Kris]

o [Zenmap] The crash reporter further enhances user privacy by showing
  all the information that will be submitted so you can edit it to
  remove identifying information such as the name of your home
  directory. If you provide an email address the report will be marked
  private so it will not appear on the public bug tracker. [David]

o [Zenmap] Zenmap now parses and records XSL stylesheet information
  from Nmap XML files, so files saved by Zenmap will be viewable in a
  web browser just like those produced by Nmap. [David]

o A possible Lua stack overflow in the DNS module was fixed. Lua detects
  these sorts of overflows and quits. [David]

o [NSE] Improved html-title script to support http-alt and https-alt
  (with SSL) and to handle a wider variety of redirects. [Jah]

o NSE scripts that require a list of DNS servers (currently only
  ASN.nse) now work when IPv6 scanning. Previously it gave an error
  message: "Failed to send dns query.  Response from dns.query(): 9".
  [Jah, David]

o [Zenmap] Added a workaround for a crash
    GtkWarning: could not open display
  on Mac OS X 10.5. The problem is caused by setting the DISPLAY
  environment variable in one of your shell startup files; that
  shouldn't be done under 10.5 and removing it will make other
  X11-using applications work better. Zenmap will now handle the
  situation automatically. [David]

o http-auth.nse now properly checks for default authentication
  credentials. A bug prevented it from working before. [Vlatko
  Kosturjak]

o Renamed irc-zombie.nse to auth-spoof and improved its description
  and output a bit. [Fyodor]

o Removed some unnecessary "demo" category NSE scripts: echoTest,
  chargenTest, showHTTPVersion, and showSMTPVersion.nse.  Moved
  daytimeTest from the "demo" category to "discovery".  Removed
  showHTMLTitle from the "demo" category, but it remains in the
  "default" and "safe" categories. This leaves just smtp-open-relay in
  the undocumented "demo" category. [Fyodor]

o [NSE] Removed ripeQuery.nse because we now have the much more robust
  whois.nse which handles all the major registries. [Fyodor]

o [NSE] Removed showSSHVersion.nse. Its only real claim to fame was
  the ability to trick some SSH servers (including at least OpenSSH
  4.3p2-9etch3) into not logging the connection.  This trick doesn't
  seem to work with newer versions of OpenSSH, as my
  openssh-server-4.7p1-4.fc8 does log the connection. Without the
  stealth advantage, the script has no real benefit over version
  detection or the upcoming banner grabbing script. [Fyodor]

o [Zenmap] Profile updates: The -sS option was added to the "Intense
  scan plus UDP" and "Slow comprehensive scan" profiles.  The -PN (ping
  only) option was added to "Quick traceroute". [David]

o [NSE] The smtp-commands script output is now more compact. [Jason
  DePriest, David]

o [Zenmap] Added a simple workaround for a bug in PyXML (an add-on
  Python XML library) that caused a crash. The crash would happen when
  loading an XML file and looked like "KeyError: 0". [David]

o A crash caused by an incorrect test condition was fixed. It would
  happen when running a ping scan other than a protocol ping, without
  debugging enabled, if an ICMP packet was received referring to a
  packet that was not TCP, UDP, or ICMP. Thanks to Brandon Enright and
  Matt Castelein for reporting the problem. [David]

o [Zenmap] The keyboard shortcut for "Save to Directory" has been
  changed from Ctrl+v to Ctrl+Alt+s so as not to conflict with the
  usual paste shortcut. [Jah, Michael]

o Nmap now quits if you give a "backwards" port or protocol range like
  -p 20-10. The issue was noted by Arturo "Buanzo" Busleiman. [David]

o Fixed a bug which caused Nmap to infer an improper distance against
  some hosts when performing OS detection against a group whose
  distance varies between members. [David, Fyodor]

o [Zenmap] Host information windows are now like any other windows,
  and will not become unclosable by having their controls offscreen.
  Thanks to Robert Mead for the bug report.

o [NSE] showHTMLTitle can now follow (non-standard) relative
  redirects, and may do a DNS lookup to find if the redirected-to host
  has the same IP address as the scanned host. [Jah]

o [NSE] Enhanced the tohex() function in the stdnse library to support
  strings and added options to control the formatting. [Sven]

o [NSE] The http module tries to deal with non-standards-compliant
  HTTP traffic, particularly responses in which the header fields are
  separated by plain LF rather than CRLF. [Jah, Sven]

o [Zenmap] The help function now properly converts the pathname of the
  local help file to a URL, for better compatibility with different
  web browsers. [David]
  This should fix the crash
  WindowsError: [Error 2] The system cannot find the file specified:
  'file://C:\\Program Files\\Nmap\\zenmap\\share\\zenmap\\docs\\help.html'

o [NSE] Fixed a number of small bugs in the Nmap library
  (nse_nmaplib.cc), as described at
  http://seclists.org/nmap-dev/2008/q4/0663.html [Patrick]

o The HTTP_open_proxy.nse script was updated to match Google Web
  Server's changed header field: "Server: gws" instead of
  "Server: GWS/".  [Vlatko Kosturjak]

o Enhanced the ssh service detection signatures to properly
  detect protocol version 2 services. [Matt Selsky]

o Nsock now uses fselect() to work around problems with select() not
  working properly on non-socket descriptors on Windows.  This was
  needed for Ncat to work properly on that platform. See
  http://seclists.org/nmap-dev/2008/q3/0766.html. [Kris]

o Removed trailing null bytes from Ncat's responses in HTTP proxy
  mode. [David]

o [NSE] daytime.nse now runs against TCP ports in addition to the UDP
  ports it already handled. The output format was also
  improved. [David]

o XML output now contains the full path to nmap.xml on Windows. The
  path is converted to a file:// URL to provide better compatibility
  across browsers. [Jah]

o Made DNS timeouts in NSE a bit more aggressive at higher timing
  levels such as -T4 and -T5. [Jah]

o A script could be executed twice if it was given with the --script
  option, also in the "version" category, and version detection (-sV)
  was requested. This has been fixed. [David]

o Fixed port number representation in some Nmap and Nsock message
  output.  Incorrect conversion modifiers caused high ports to wrap
  around and be shown as negative values. [Kris]

o Upgraded the shipped libdnet library to version 1.12 (with our
  modifications). [Kris]

o Upgraded the OpenSSL binaries shipped in our Windows installer to
  version 0.9.8i. [Kris]

o [NSE] The SSLv2-support script no longer prints duplicate cyphers if
  they exist in the server's supported cypher list. [Kris]

o Fix compilation w/IPv6 support on Solaris by checking for inet_addr
  in -lnsr before using APR_CHECK_WORKING_GETNAMEINFO in
  configure. [David]

o Removed the nbase_md5.* and nbase_sha1.* files because our
  new nse_openssl library includes that functionality. [David]

o The robots.txt NSE script is now silent when there are no
  interesting results, rather than printing that robots.txt "is empty
  or has no disallowed entries". [Kris]

o Fixed a file (socket) descriptor leak which could occur when connect
  scan probes receive certain unusual error messages (including
  EHOSTUNREACH, and EHOSTDOWN). This led to error messages such as
  "Socket creation in sendConnectScanProbe: Too many open files (24)"
  [David]

o [Zenmap] Made floating host details windows into normal top-level
  windows. This avoids a problem where the edge of a window could be
  off the edge of a screen and it would not be closable. The bug was
  reported by Robert Mead. [David]

o Use TIMEVAL_AFTER(...) instead of TIMEVAL_SUBTRACT(...) > 0 when
  deciding whether a probe response counts as a drop for scan delay
  purposes.  This prevents an integer overflow which could
  substantially degrade scan performance. [David]

o Reorganized macosx/Makefile to make it easier to add in new packages
  such as Ncat and Ndiff. Also removed the bogus clean-nmap and
  clean-zenmap targets. [David]

o [Zenmap] Fixed a crash related to the use of NmapOptions in
  ScanNotebook.py using the old interface (ops.num_random_targes,
  ops.input_filename) rather than the newer dict-style
  interface. [Jah]

o Split parallel DNS resolution and system DNS resolution into
  separate functions. Previously system DNS resolution was encapsulated
  inside the parallel DNS function, inside a big if block. Now the if
  is on the outside and decides which of the two functions to
  call. [David]

o [NSE] Remove "\r\r" in script output. If you print "\r\n", the
  Windows C library will transform it to "\r\r\n". So we just print
  "\n" with no special case for Windows.  Also fixed
  showSMTPversion.nse so that it doesn't print "\r\r" in the first
  place. [David]

o Updated IANA assignment IP list for random IP (-iR)
  generation. [Kris]

o OS scan point matching code can now handle tests worth zero
  points. We now assign zero points to ignore a couple tests which
  proved ineffective. [David]

o [Zenmap] Catch the exceptions that are caused when there's no XML
  output file, an empty one, or one that's half-complete. You can
  cause these three situations, respectively, with: "nmap -V", "nmap
  --iflist", or "nmap 0".  Also remove the target requirement for scans
  because you should be able to run commands such as "nmap --iflist"
  from Zenmap. [David]

o [Zenmap] Guard against the topology graph becoming empty in the
  middle of an animation.  This could happen if you removed a scan
  from the list of scans during an animation. The error looked like:
    File "usr/lib/python2.5/site-packages/radialnet/gui/RadialNet.py",
    line 1533, in __livens_up AttributeError: 'NoneType' object has no
    attribute 'get_nodes' [David]

o [Zenmap] Fixed a crash which could occur when you entered a command
  containing only whitespace.  David fixed various other possible
  crashes found in the crash report tracker too.  Zenmap users really
  are capable of finding every possible edge case which could cause a
  crash :).

Nmap 4.76 [2008-9-12]

o There is a new "external" script category, for NSE scripts which
  rely on a third-party network resource. Scripts that send data to
  anywhere other than the target are placed in this category. Initial
  members are ASN.nse, dns-safe-recursion-port.nse,
  dns-safe-recursion-txid.nse, ripeQuery.nse, HTTP_open_proxy.nse, and
  whois.nse [David]

o [Zenmap] A crash was fixed that affected Windows users with
  non-ASCII characters in their user names. [David]
  The error looked like this (with many variations):
    UnicodeDecodeError: 'utf8' codec can't decode byte 0x9c in position 28:
    unexpected code byte

o [Zenmap] Several corner-case crashes were fixed: [David]
    File "radialnet\gui\NodeNotebook.pyo", line 429, in __create_widgets
    KeyError: 'tcp'
    File "radialnet\gui\RadialNet.pyo", line 1531, in __livens_up
    AttributeError: 'NoneType' object has no attribute 'get_nodes'
    File "zenmapGUI\MainWindow.pyo", line 308, in _create_ui_manager
    GError: Odd character '\'
    File "radialnet/gui/ControlWidget.py", line 104, in __create_widgets
    AttributeError: 'module' object has no attribute 'STOCK_INFO'
    File "radialnet\util\integration.pyo", line 385, in make_graph_from_hosts
    KeyError: 'hops'

o [Zenmap] A crash was fixed that happened when opening the Hosts
  Viewer with an empty list of hosts. [David]
  The error message was
    File "radialnet\gui\HostsViewer.pyo", line 167, in __cursor_callback
    TypeError: GtkTreeModel.get_iter requires a tree path as its argument

o Improved rpcinfo.nse to correctly parse a wider variety of server
  responses. [Sven Klemm]

o [Zenmap] Fixed a data encoding bug which could cause the crash
  reporter itself to crash! [David]

o Nmap's Windows self-installer now correctly registers/deletes the
  npf (WinPcap) service during install/uninstall. Also the silent
  install mode was improved to avoid a case where the WinPcap
  uninstaller was (non-silently) shown. [Rob Nicholls]

o Nmap's Windows self-installer now checks whether the MS Visual C++
  runtime components have already been installed to avoid running it
  again (which doesn't hurt anything, but slows down
  installation). [Rob Nicholls]

o Fixed an assertion failure where raw TCP timing ping probes were
  wrongly used during a TCP connect scan:
  nmap: scan_engine.cc:2843: UltraProbe* sendIPScanProbe(UltraScanInfo*,
    HostScanStats*, const probespec*, u8, u8):
    Assertion `USI->scantype != CONNECT_SCAN' failed.
  Thanks to LevelZero for the report. [David]

o Update the NSE bit library to replace deprecated use of
  luaL_openlib() with luaL_register(). This fixes a build error which
  occurred on systems which have Lua libraries installed but
  LUA_COMPAT_OPENLIB not defined [Sven]

o [Zenmap] The automatic crash reporter no longer requires an email
  address. [David]

o [Zenmap] Highlighting of hostnames was improved to avoid wrongful
  highlighting of certain elapsed times, byte counts, and other
  non-hostname data. The blue highlight effects are now more subtle
  (no longer bold, underlined, or italic) [David]

o [Zenmap] A warning that would occur when a host had the same service
  running on more than one port was removed. Thanks to Toralf Förster
  for the bug report. [David]
    GtkWarning: gtk_box_pack_start: assertion `child->parent == NULL' failed
      self.pack_start(widget, expand=False, fill=False)

Nmap 4.75 [2008-9-7]

o [Zenmap] Added a new Scan Topology system. The idea is that if we
  are going to call Nmap the "Network Mapper", it should at least be
  able to draw you a map of the network!  And that is what this new
  system does. It was achieved by integrating the RadialNet Nmap
  visualization tool (http://www.dca.ufrn.br/~joaomedeiros/radialnet),
  into Zenmap. Joao Medeiros has been developing RadialNet for more
  than a year. For details, complete with some of the most beautiful
  Zenmap screen shots ever, visit
  http://nmap.org/book/zenmap-topology.html. The integration work was
  done by SoC student Vladimir Mitrovic and his mentor David Fifield.

o [Zenmap] Another exciting new Zenmap feature is Scan Aggregation.
  This allows you to visualize and analyze the results of multiple
  scans at once, as if they were from one Nmap execution. So you might
  scan one network, analyze the results a bit, then scan some of the
  machines more intensely or add a completely new subnet to the
  scan. The new results are seamlessly added to the old, as described
  at http://nmap.org/book/zenmap-scanning.html#aggregation. [David,
  Vladimir]

o Expanded nmap-services to include information on how frequently each
  port number is found open.  The results were generated by scanning
  tens of millions of IPs on the Internet this summer, and augmented
  with internal network data contributed by some large
  organizations. [Fyodor]

o Nmap now scans the most common 1,000 ports by default in either
  protocol (UDP scan is still optional).  This is a decrease from
  1,715 TCP ports and 1,488 UDP ports in Nmap 4.68.  So Nmap is faster
  by default and, since the port selection is better thanks to the
  port frequency data, it often finds more open ports as
  well. [Fyodor]

o Nmap fast scan (-F) now scans the top 100 ports by default in either
  protocol.  This is a decrease from 1,276 (TCP) and 1,017 (UDP) in
  Nmap 4.68. Port scanning time with -F is generally an order of
  magnitude faster than before, making -F worthy of its "fast scan"
  moniker. [Fyodor]

o The --top-ports option lets you specify the number of ports you wish
  to scan in each protocol, and will pick the most popular ports for
  you based on the new frequency data.  For both TCP and UDP, the top
  10 ports gets you roughly half of the open ports.  The top 1,000
  (out of 65,536 possible) finds roughly 93% of the open TCP ports and
  more than 95% of the open UDP ports. [Fyodor, Doug Hoyte]

o David integrated all of your OS detection fingerprint and correction
  submissions from March 11 until mid-July.  In the process, we
  reached the 1500-signature milestone for the 2nd generation OS
  detection system. We can now detect the newest iPhones, Linux
  2.6.25, OS X Darwin 9.2.2, Windows Vista SP1, and even the Nintendo
  Wii. Nmap now has 1,503 signatures, vs. 1,320 in 4.68. Integration
  is now faster and more pleasant thanks to the new OSassist
  application developed by Nmap SoC student Michael Pattrick. See
  http://seclists.org/nmap-dev/2008/q3/0089.html and
  http://seclists.org/nmap-dev/2008/q3/0139.html for more details.

o Nmap now works with Windows 2000 again, after being broken by our
  IPv6 support improvements in version 4.65. A couple new dependencies
  are required to run on Win2K, as described at
  http://nmap.org/book/inst-windows.html#inst-win2k .

o [Zenmap] Added a context-sensitive help system to the Profile
  Editor.  You can now mouse-over options to learn more about what
  they are used for and their proper argument syntax. [Jurand Nogiec]

o When Nmap finds a probe during ping scan which elicits a response,
  it now saves that information for the port scan and later phases.
  It can then "ping" the host with that probe as necessary to collect
  timing information even if the host is not responding to the normal
  port scan packets. Previously, Nmap's port scan timing pings could
  only use information gathered during that port scan itself.  A
  number of other "port scan ping" system improvements were made at
  the same time to improve performance against firewalled hosts. For
  full details, see http://seclists.org/nmap-dev/2008/q3/0647.html
  [David, Michael, Fyodor]

o --traceroute now uses the timing ping probe saved from host
  discovery and port scanning instead of finding its own probe. The
  timing ping probe is always the best probe Nmap knows about for
  eliciting a response from a target. This will have the most effect
  on traceroute after a ping scan, where traceroute would sometimes
  pick an ineffective probe and traceroute would fail even though the
  target was up. [David]

o Added dns-safe-recursion-port and dns-safe-recursion-txid
  (non-default NSE scripts) which use the 3rd party dns-oarc.net
  lookup to test the source port and transaction ID randomness of
  discovered DNS servers (assuming they allow recursion at all).
  These scripts, which test for the "Kaminsky" DNS bugs, were
  contributed by Brandon Enright.

o Added whois.nse, which queries the Regional Internet Registries
  (RIRs) to determine who the target IP addresses are assigned
  to. [Jah]

o [Zenmap] Overhauled the default list of scan profiles based on
  nmap-dev discussion.  Users now have a much more diverse and useful
  set of default profile options. And if they don't like any of those
  canned scan commands, they can easily create their own in the
  Profile Editor! [David]

o Fyodor made a number of performance tweaks, such as:
  o increase host group sizes in many cases, so Nmap will now commonly
    scan 64 hosts at a time rather than 30
  o align host groups with common network boundaries, such as /24 or
   /25
  o Increase maximum per-target port-scan ping frequency to one every
    1.25 seconds rather than every five. Port scan pings happen
    against heavily firewalled hosts and the like when Nmap is not
    receiving enough responses to normal scan to properly calculate
    timing variables and detect packet drops.

o Added a new NSE binlib library, which offers bin.pack() and
  bin.unpack() functions for dealing with storing values in and
  extracting them from binary strings.  For details, see
  http://nmap.org/book/nse-library.html#nse-binlib . [Philip
  Pickering]

o Added a new NSE DNS library. See this thread:
  http://seclists.org/nmap-dev/2008/q3/0310.html [Philip Pickering]

o Added new NSE libraries for base64 encoding, SNMP, and POP3 mail
  operations.  They are described at
  http://seclists.org/nmap-dev/2008/q3/0233.html . [Philip Pickering]

o Added NSE scripts popcapa (retrieves POP3 server capabilities) and
  brutePOP3 (brute force POP3 authentication cracker) which make use
  of the new POP3 library. [Philip Pickering]

o Added the SNMPcommunitybrute NSE script, which is a brute force
  community string cracker. Also modified SNMPsysdescr to use the new
  SNMP library. [Philip Pickering]

o Fixed the SMTPcommands script so that it can't return multiple
  values (which was causing problems). Thanks to Jah for tracking down
  the problem and sending a fix for SMTPcommands. Then Patrick fixed
  NSE so it can handle misbehaving scripts like this without causing
  mysterious side effects.

o Added a new NSE Unpwdb (username/password database) library for
  easily obtaining usernames or passwords from a list.  The functions
  usernames() and passwords() return a closure which returns a new
  list entry with every call, or nil when the list is exhausted.  You
  can specify your own username and/or password lists via the script
  arguments userdb and passdb, respectively. [Kris]

o Nmap's Nsock-utilizing subsystems (DNS, NSE, version detection) have
  been updated to support the -S and --ip-options flags. [Kris]

o A new --max-rate option was added, which complements --min-rate. It
  allows you to specify the maximum byte rate that Nmap is allowed to
  send packets. [David]

o Added --ip-options support for the connect() scan (-sT). [Kris]

o Nsock now supports binding to a local address and setting IPv4
  options with nsi_set_localaddr() and nsi_set_ipoptions(),
  respectively. [Kris]

o Added IPProto Ping (-PO) support to Traceroute, and fixed support for
  IPProto Scan (-sO) and the ICMP Pings (-PE, -PP, -PM) in Traceroute
  as well.  These could cause Nmap to hang during Traceroute. [Kris]

o [Zenmap] Added a "Cancel" button for cancelling a scan in progress
  without losing any Nmap output obtained so far. [Jurand Nogiec]

o Improve the netbios-smb-os-discovery NSE script to improve target
  port selection and to also decode the system's timestamp from an SMB
  response. [Ron at SkullSecurity]

o Nmap now avoids collapsing large numbers of ports in open|filtered
  state (e.g. just printing that 500 ports are in that state rather
  than listing them individually) if verbosity or debugging levels are
  greater than two.  See this thread:
  http://seclists.org/nmap-dev/2008/q3/0312.html . [Fyodor]

o The NSE http library now supports chunked encoding. [Sven Klemm]

o The NSE datafiles library now has generic file parsing routines, and
  the parsing of the standard nmap data files (e.g. nmap-services,
  nmap-protocols, etc.) now uses those generic routines.  NSE scripts
  and libraries may find them useful for dealing with their own data
  files, such as password lists. [Jah]

o Passed the big revision 10,000 milestone in the Nmap project SVN
  server: http://seclists.org/nmap-dev/2008/q3/0682.html

o Added some Windows and MinGW compatibility patches submitted by
  Gisle Vanem.

o Improved nse_init so that compilation/runtime errors in NSE scripts
  no longer cause the script engine to abort. [Patrick]

o Fix a cosmetic bug in --script-trace hex dump output which resulting
  in bytes with the highest bit set being prefixed with ffffff. [Sven
  Klemm]

o Removed the nselib-bin directory. The last remaining shared NSE
  module, bit, has been made static by Patrick. Shared modules were
  broken for static builds of Nmap, such as those in the RPMS. We also
  had the compilation problems (particularly on OpenBSD) with shared
  modules which lead us to make PCRE static a while back. [David]

o Updated rpcinfo NSE script to use the new pack/unpack (binlib)
  functions, use the new tab library, include better documentation, and
  fix some bugs. [Sven Klemm]

o Add useful details to the error message printed when an NSE script
  fails to load (due to syntax error, etc.) [Patrick]

o Fix a bug in the NSE http library which would cause some scripts to
  give the error: SCRIPT ENGINE: C:\Program
  Files\Nmap\nselib/http.lua:77: attempt to call field 'parse' (a nil
  value) [Jah]

o Fixed a couple of Makefile problems (race condition) which could
  lead to build failures when launching make in parallel mode (e.g.
  -j4). [Michal Januszewski, Chris Clements]

o Added new addrow() function to NSE tab library.  It allows
  developers to add a whole row at once rather than doing a separate
  add() call for each column in a row. [Sven Klemm]

o Completion time estimates provided in verbose mode or when you hit a
  key during scanning are now more accurate thanks to algorithm
  improvements by David.

o Fixed a number of NSE scripts which used print_debug()
  incorrectly. See
  http://seclists.org/nmap-dev/2008/q3/0470.html. [Sven Klemm]

o [Zenmap] The Ports/Hosts view now provides full version detection
  values rather than just a simple summary. [Jurand Nogiec]
  
o [Zenmap] When you edit the command-entry field, then change the
  target selection, Nmap no longer blows away your edits in favor of
  using your current profile. [Jurand Nogiec]

o Nsock now returns data from UDP packets individually, preserving the
  packet boundary, rather than concatenating the data from multiple
  packets into a single buffer.  This fixes a problem related to our
  reverse-DNS system, which can only handle one DNS packet at a time.
  Thanks to Tim Adam of ManageSoft for debugging the problem and
  sending the patch.  Doug Hoyte helped with testing, and it was
  applied by Fyodor.

o [Zenmap] Fixed a crash which would occur when you try to compare two
  files, either of which has more than one extraports element. [David]

o Added the undocumented (except here) --nogcc option which disables
  global/group congestion control algorithms and so each member of a
  scan group of machines is treated separately.  This is just an
  experimental option for now. [Fyodor]

o [Zenmap] The Ports/Hosts display now has different colors for open
  and closed ports. [Vladimir]

o Fixed Zenmap so that it displays all Nmap errors.  Previously, only
  stdout was redirected into the window, and not stderr.  Now they are
  both redirected. [Vladimir]

o NSE can now be used in combination with ping scan (e.g. "-sP
  --script") so that you can execute host scripts without needing to
  perform a port scan. [Kris]

o [NSE] Category names are now case insensitive. [Patrick]

o [NSE] Each thread for a script now gets its own action closure (and
   upvalues). See: http://seclists.org/nmap-dev/2008/q2/0549.html
  [Patrick]

o [NSE] The script_scan_result structure has been changed to a class,
  ScriptResult, which now holds a Script's output in an std::string.
  This removes the need to use malloc and free to manage this memory.
  A similar change was made to the run_record structure. [Patrick]

o [NSE] Fixed a socket exhaustion deadlock which could prevent a
  script scan from ever finishing. Now, rather than limit the total
  number of sockets which can be open, we limit the number of scripts
  which can have sockets open at once.  And once a script has one
  socket opened, it is permitted to open as many more as it
  needs. [Patrick]

o A hashing library (code from OpenSSL) was added to NSE.  hashlib
  contains md5 and sha1 routines. [Philip Pickering]

o Fixed host discovery probe matching when looking at the returned TCP
  data in an ICMP error message.  This could formerly lead to
  incorrectly discarded responses and the debugging error message:
  "Bogus trynum or sequence number in ICMP error message" [Kris]

o Fixed a segmentation fault in Nsock which occurred when calling
  nsock_write() with a data length of -1 (which means the data is a
  NUL-terminated string and Nsock should take the length itself) and
  the Nsock trace level was at least 2. [Kris]

o The NSE Comm library now defaults to trying to read as many bytes as
  are available rather than lines if neither the "bytes" nor "lines"
  options are given.  Thanks to Brandon for reporting a problem which
  he noticed in the dns-test-open-recursion script. [Kris]

o Updated zoneTrans.nse to replace length bytes in returned domain
  names to periods itself rather than relying on NSE's old behavior of
  replacing non-printable characters with periods.  Thanks to Rob
  Nicholls for reporting the problem. [Kris]

o Some Zenmap crashes have been fixed: trying to "refresh" the output
  of a scan loaded from a file, and trying to re-save a file loaded
  from the command line in some circumstances. [David]

o [Zenmap] The file selector now remembers what directory it was last
  looking at. [David]

o Added an extra layer of validity checking to received packets
  (readip_pcap), just to be extra safe. See
  http://seclists.org/nmap-dev/2008/q3/0644.html . [Kris]

o Zenmap defaults to showing files matching both *.xml and *.usr in
  the file selector. Previously it only showed those matching *.usr.
  The new combined format will be XML and .usr will be deprecated.
  See http://seclists.org/nmap-dev/2008/q3/0093.html .

o Nmap avoids printing the sending rate in bytes per second during a
  TCP connect scan. Because the number of bytes per probe is not
  known, it used to print current sending rates: 11248.85 packets / s,
  0.00 bytes / s.  Now it will print simply print rates like "11248.85
  packets / s". [David]

o [Zenmap] Nmap's installation process now include .desktop files
  which install menu items for launching Zenmap as a privileged or
  non-privileged process on Linux. This will mainly affect people who
  install nmap and Zenmap directly from the source code. [Michael]

o Improved performance of IP protocol scan by fixing a bug related to
  timing calculations on ICMP probe responses.  See r8754 svn log for
  full details. [David]

o Nmap --reason output no longer falsely reports a localhost-response
  during -PN scans. See
  http://seclists.org/nmap-dev/2008/q3/0188.html. [Michael]

o [Zenmap] The higwidgets Python package has moved so it is now a
  subpackage of zenmapGUI. This avoids naming conflicts with Umit,
  which uses a slightly different version of higwidgets. [David]

o A bug that could cause some host discovery probes to be incorrectly
  interpreted as drops was fixed. This occurred only when the IP
  protocol ping (-PO) option was combined with other ping
  types. [David]

o A new scanflags attribute has been added to XML output, which lists
  all user specified --scanflags for the scan. nmap.dtd has been
  modified to account for this. [Michael]

o The loading of the nmap-services file has been made much
  faster--roughly 9 times faster in common cases.  This is important
  for the new (much larger) frequency augmented nmap-services
  file. [David]

o Added a script (ASN.nse) which uses Team Cymru's DNS interface to
  determine the routing AS numbers of scanned IP addresses.  They even
  set up a special domain just for Nmap queries.  The script is still
  experimental and non-default. [Jah, Michael]

o [Zenmap] Clicking "Cancel" in a file chooser in the diff interface
  no longer causes a crash. [David]

o The shtool build helper script has been updated to version 2.0.8. An
  older version of shutil caused installation to fail when the locale
  was set to et_EE. Thanks to Michal Januszewski for the bug
  report. [David]

o [Zenmap] Removed services.dmp and os_dmp.dmp and all the files that
  referred to them. They are not needed with the new search
  interface. Also removed an unused search progress bar.  And some
  broken fingerprint submission code.  Yay for de-bloating! [David]

o [Zenmap] Added "%F" to the Exec link in the new Zenmap desktop
  file. We expect (hope) that this will allow dragging and dropping
  XML files onto the icon. [David]

o [Zenmap] The -o[XGASN] options can now be specified, just as you can
  at the console. [Vladimir]

o [Zenmap] You can now shrink the scan window below its default
  size thanks to NmapOutputViewer code enhancements. [David]

o [Zenmap] Removed optional use of the Psyco Python optimizer since
  Zenmap is not the kind of CPU-bound application which benefits from
  Psyco.

o [Zenmap] You can now select more than one host in the "Ports /
  Hosts" view by control-clicking them in the column at left.

o [Zenmap] The profile editor now offers the --traceroute option.

o Zenmap now uses Unicode objects pervasively when dealing with Nmap
  text output, though the only internationalized text Nmap currently
  outputs is the user's time zone. [David]

o Unprintable characters in NSE script output (which really shouldn't
  happen anyway) are now printed like \xHH, where HH is the
  hexadecimal representation of the character. See
  http://seclists.org/nmap-dev/2008/q3/0180.html . [Patrick]

o Nmap sometimes sent packets with incorrect IP checksums,
  particularly when sending the UDP probes in OS detection. This has
  been fixed. Thanks to Gisle Vanem for reporting and investigating the
  bug. [David]

o Fixed the --without-liblua configure option so that it works
  again. [David]

o In the interest of forward compatibility, the xmloutputversion
  attribute in Nmap XML output is no longer constrained to be a
  certain string ("1.02"). The xmloutputversion should be taken as
  merely advisory by authors of parsers.

o Zenmap no longer leaves any temporary files lying around. [David]

o Nmap only prints an uptime guess in verbose mode now, because in
  some situations it can be very inaccurate. See the discussion at
  http://seclists.org/nmap-dev/2008/q3/0392.html. [David]

Nmap 4.68 [2008-6-28]

o Doug integrated all of your version detection submissions and
  corrections for the year up to May 31.  There were more than 1,000
  new submissions and 18 corrections.  Please keep them coming!  And
  don't forget that corrections are very important, so do submit them
  if you ever catch Nmap making a version detection or OS detection
  mistake.  The version detection DB has grown to 5,054 signatures
  representing 486 service protocols.  Protocols span the gamut from
  abc, acap, access-remote-pc, activefax, and activemq, to zebedee,
  zebra, zenimaging, and zenworks.  The most popular protocols are
  http (1,672 signatures), telnet (519), ftp (459), smtp (344), and
  pop3 (201).

o Nmap compilation on Windows is now done with Visual C++ Express 2008
  rather than 2005.  Windows compilation instructions have been
  updated at http://nmap.org/book/inst-windows.html#inst-win-source .
  [Kris]

o The Nmap Windows self-installer now automatically installs the MS
  Visual C++ 2008 runtime components if they aren't already installed
  on a system.  These are some reasonably small DLLs that are
  generally necessary for applications compiled with Visual C++ (with
  dynamic linking).  Many or most systems already have these installed
  from other software packages.  The lack of these components led to
  the error message "The Application failed to initialize properly
  (0xc0150002)." with Nmap 4.65.  A related change is that Nmap on
  Windows is now compiled with /MD rather than /MT so that it
  consistently uses these runtime libraries.  The patch was created by
  Rob Nicholls.

o Added advanced search functionality to Zenmap so that you can locate
  previous scans using criteria such as which ports were open, keywords
  in the target names, OS detection results, etc.  Try it out with
  Ctrl-F or "Tools->Search Scan Results". [Vladimir]

o Nmap's special WinPcap installer now handles 64-bit Windows machines
  by installing the proper 64-bit npf.sys. [Rob Nicholls]

o Added a new NSE Comm (common communication) library for common
  network discovery tasks such as banner-grabbing (get_banner()) and
  making a quick exchange of data (exchange()).  16 scripts were
  updated to use this library. [Kris]

o The Nmap Scripting Engine now supports mutexes for gracefully
  handling concurrency issues.  Mutexes are documented at
  http://nmap.org/book/nse-api.html#nse-mutex . [Patrick]

o Added a UDP SNMPv3 probe to version detection, along with 9 vendor
  match lines. The patch was from Tom Sellers, who contributed other
  probes and match lines to this release as well.

o Added a new timing_level() function to NSE which reports the Nmap
  timing level from 0 to 5, as set by the Nmap -T option.  The default
  is 3. [Thomas Buchanan]

o Update the HTTP library to use the new timing_level functionality to
  set connection and response timeouts. An error preventing the new
  timing_level feature from working was also fixed.  [Jah]

o Optimized the doAnyOutstandingProbes() function to make Nmap a bit
  faster and more efficient.  This makes a particularly big difference
  in cases where --min-rate is being used to specify a very high
  packet sending rate. [David]

o Fixed an integer overflow which prevented a target specification of
  "*.*.*.*" from working.  Support for the CIDR /0 is now also
  available for those times you wish to scan the entire
  Internet. [Kris]

o The robots.nse script has been improved to print output more
  compactly and limit the number of entries of large robots.txt files
  based on Nmap verbosity and debugging levels. [Eddie Bell]

o The Nmap NSE scripts have been re-categorized in a more logical
  fashion.  The new categories are described at
  http://nmap.org/book/nse-usage.html#nse-categories . [Kris]

o Improve AIX support by linking against -lodm and -lcfg on that
  platform. [David]

o Updated showHTMLTitle NSE script to follow one HTTP redirect if
  necessary as long as it is on the same server. [Jah]

o Michael Pattrick and David created a new OSassist application which
  streamlines the OS fingerprint submission integration process and
  prevents certain previously common errors.  OSassist isn't part of
  Nmap, but the system was used to integrate some submissions for this
  release.  13 fingerprints were added during OSassist testing, and
  some existing fingerprints were improved as well.  Expect many more
  fingerprints coming soon.

o Improved the mapping from dnet device names (like eth0) and WinPcap
  names (like \Device\NPF_{28700713...}).  You can see this mapping
  with --iflist, and the change should make Nmap more likely to work
  on Windows machines with unusual networking configurations. [David]

o Service fingerprints in XML output are no longer be truncated to
  2kb.  [Michael]

o Some laptops report the IP Family as NULL for disabled WiFi cards.
  This could lead to a crash with the "sin->sin_family == AF_INET6"
  assertion failure.  Nmap no longer quits when this is
  encountered. [Michael]

o On systems without the GNU getopt_long_only() function, Nmap has its
  own replacement.  That replacement used to call the system's
  getopt() function if it exists.  But the AIX and Solaris getopt()
  functions proved insufficient/buggy, so Nmap now always calls its
  own internal getopt() now from its getopt_long_only()
  replacement. [David]

o Integrated several service match lines from Tom Sellers.

o An error was fixed where Zenmap would crash when trying to load from
  the recent scans database a file containing non-ASCII
  characters. The error looked like
    pysqlite2.dbapi2.OperationalError: Could not decode to UTF-8 column
      'nmap_xml_output' with text
    '
    = 0.0" assertion failed.  I think the problem was
  actually caused by SMP machines which didn't sync the clock time
  perfectly.  This lead to gettimeofday() sometimes reporting that
  time decreased by some microseconds.  Now Nmap is willing to
  tolerate decreases of up to 1 millisecond in this function. [Fyodor]

o Nmap now returns correct values for --iflist in windows even
  if interface aliases have been set. Previously it would misreport
  the windevices and not list all interfaces. [Michael]

o Nmap no longer crashes with an 'assert' error when its told to
  access a disabled WiFi NIC on some laptops. [Michael]

o Upgraded the OpenSSL shipped for Windows to 0.9.8h. [Kris]

o The NSE http library was updated to gracefully handle certain bogus
  (non-)http responses. [Jah]

o The zoneTrans.nse script now takes a "domain" script argument to
  specify the desired domain name to transfer.  You can narrow the
  scope down with the form "zoneTrans={domain=xxx}". [Kris]

o Increase write buffer length for Nmap output on Windows. This should
  prevent error messages like: "log_vwrite: vsnprintf failed.  Even
  after increasing bufferlen to 819200, Vsnprintf returned -1 (logt ==
  1)."  Thanks to prozente0 for the report. [Fyodor]

o Fixed the --script-updatedb command, which was claiming to be
  "Aborting database update" even when the update was performed
  perfectly.  See http://seclists.org/nmap-dev/2008/q2/0623.html .
  Thanks to Jah for the report.

Nmap 4.65 [2008-6-1]

o A Mac OS X Nmap/Zenmap installer is now available from the Nmap
  download page!  It is rather straightforward, but detailed
  instructions are available anyway at
  http://nmap.org/book/inst-macosx.html .  As a universal installer,
  it works on both Intel and PPC Macs. It is distributed as a disk
  image file (.dmg) containing an mpkg package.  The installed Nmap
  does include OpenSSL support.  It also supports Authorization
  Services so that Zenmap can run as root.  David created this
  installer.  He wants to thank Benson Kalahar and Vlad Alexa for
  extensive testing of the nine test releases.

o The Windows version of Nmap now supports OpenSSL just as the UNIX
  versions have for years.  Both the .zip and executable installer
  binary packages we ship from the Nmap download page now include
  OpenSSL. [Kris, Thomas Buchanan]

o We now compile in IPv6 support on Windows.  In order to use this,
  you need to have IPv6 set up.  It is installed by default on Vista,
  but must be downloaded from Microsoft for XP.  See
  http://www.microsoft.com/technet/network/ipv6/ipv6faq.mspx . [Kris]

o Seven Google-sponsored Summer of Code students began working on
  exciting Nmap projects full times.  The winning students and their
  Nmap development projects are described at
  http://seclists.org/nmap-dev/2008/q2/0132.html .

o Our WinPcap installer now starts the NPF driver running as a
  service immediately upon installation and after restarts. You can
  disable this with new check-boxes. This behavior is important for
  Vista and Windows Server 2008 machines when User Account
  Control (UAC) is enabled. [Rob Nicholls]

o Nmap and Nmap-WinPcap silent installation now works.  Nmap can
  be silently installed with the /S option to the installer.
  If you install Nmap from the zip file, you can install just
  WinPcap silently with the /S option to that
  installer. [Rob Nicholls]

o Our WinPcap installer is now included with the Nmap Win32 zip
  file. [Fyodor]

o Numerous miscellaneous improvements were made to our Win32
  installer, such as using the "Modern" NSIS UI for WinPcap,
  improving the option description labels, and showing a finish
  page in all cases. [Rob Nicholls]

o The nmap-dev and nmap-hackers mailing list RSS feeds at seclists.org
  now include message excerpts to make it easier to identify
  interesting messages and speed the process of reading through the
  list.  Feeds for all other mailing lists archived at SecLists.Org
  have been similarly augmented.  For details, see
  http://seclists.org/nmap-dev/2008/q2/0333.html . [David]

o A new "default" Nmap Scripting Engine category was added.  Only
  scripts in this category now run by default (except for "version"
  scripts which run when version detection was requested).
  Previously, any scripts in the "safe" or "intrusive" categories were
  run.  21 scripts are now in this default category. [Kris]

o The NSE HTTP library now uses the host name specified on the command
  line when making requests, which improves script scanning against
  web servers with virtual hosts. Thanks to Sven Klemm for the patch.

o Added some new and improved version detection signatures. [Brandon]

o Fixed an OS detection bug that prevented the R1.UID test result from
  being recorded properly when scanning certain printers from
  little-endian computers. Updated nmap-os-db to compensate for
  signatures that had an incorrect U1.RID value.  [Michael]

o Updated to include the latest MAC Address prefixes from the IEEE in
  nmap-mac-prefixes [Fyodor]

o Updated the SMTPcommands NSE script to work better against Postfix
  and reduce verbosity. [Jason DePriest, Fyodor]

o Reorganized the way ping probes are handled internally.  Rather than
  being stored in the NmapOps structure, they are now stored within
  the individual scan_lists structures.  This is a cleaner
  organization. [Michael]

o Fix grepable output's "Ignored State" reporting.  Only one ignored
  state (the one with the highest numbers of ports) is shown. [David]

o Update to Lua version 5.1.3 [Patrick]

o Add NSE stdnse library to include tobinary, tooctal, and tohex
  functions. [Patrick]

o Fixed a bug which caused the Zenmap crash reporter to, uh,
  crash. [David]

o NSE engine was cleaned up significantly.  nse_auxiliar was removed,
  and file system manipulation functions were moved from nse_init.cc
  into a new nse_fs.cc file.  Numerous interfaces between Nmap and Lua
  were improved.  Most of these functions are now callable directly by
  Lua. [Patrick]

o Fixed a bug in the showOwner NSE script which caused it to try UDP
  ports instead of just TCP ports.  This made it very slow in the
  common case where there are many UDP ports in the open|filtered
  state.  Thanks to Jason DePriest for reporting the problem and Jah
  for tracking it down and fixing it.

o Nbase now generates pseudo-random numbers itself rather than using
  /dev/urandom on Linux and the terrible rand() function on Windows.
  The new system uses ARC4 based on libdnet's
  implementation. [Brandon]

o Made a number of updates and improvements to the Zenmap Users' Guide
  at http://nmap.org/book/zenmap.html . [David]

o Fixed the way Zenmap handles command-line entry to prevent your
  custom command-line to be overwritten with the current profile's
  command just because you edited the target field. [Jurand]

o Nsock was improved to better support reading from non-network
  descriptors such as stdin.  This is important for the upcoming Ncat
  project Mixter is working on. [Mixter]

o A bug was fixed that could cause Zenmap to crash when loading a
  results file that had multibyte characters in it. The error looked
  like:
  Gtk-ERROR **: file gtktextsegment.c: line 196
  (_gtk_char_segment_new): assertion failed:
  (gtk_text_byte_begins_utf8_char (text))
  [David]

o Removed a superfluous test for the existence of the C++ compiler in
  the configure script. The test was not robust when configured with
  CXX="ccache g++". Thanks to Rainer Müller for the report.

o Optimized cached DNS lookups so they are equally efficient when
  running on big-endian or little-endian systems. [Michael]

o Fixed the nmap_command_path Zenmap configuration variable so that it
  is actually used to start the specified Nmap executable
  path. [Jurand Nogiec]

o Nmap now reports scan start and end times for individual hosts
  within a larger scan. The information is added to the XML host
  element like so: [host starttime="1198292349" endtime="1198292370"]
  (but of course with angle brackets rather than square ones).  It is
  also printed in normal output if -d or "-v -v" are
  specified. [Brandon, Kris, Fyodor]

o "make uninstall" now uninstalls Zenmap as well as Nmap. The
  uninstall_zenmap script now deletes directories that were
  installed. [David]

o Fixed a bug which caused Nmap to send bad checksums on Solaris 10
  x86.  This was due to a workaround for an Ancient Solaris 2.1 bug
  which activated when the OS string matched "solaris2.1*".  The
  problem has now been resolved until Solaris 20 comes out and hits
  our "solaris2.2*" bug workarounds. Thanks to Nathan Bills for the
  problem report.  Fixed by Fyodor.

o Fixed a minor memory leak in getpts_simple which occurs when no
  ports are to be added to 'list'. 'porttbl' is now free'd regardless
  of how the function returns. [Michael]

o Nmap now understands the RFC 4007 percent syntax for IPv6 Zone IDs.
  On Windows, this ID has to be a numeric index.  On Linux and some
  other OS's, this ID can instead be an interface name.  Some examples
  of this syntax:
    fe80::20f:b0ff:fec6:15af%2
    fe80::20f:b0ff:fec6:15af%eth0
  [Kris]

o The Zenmap installer and uninstaller are more careful about escaping
  filenames and dea