Proper implementation of Cisco SNMP fingerprinting and dictionary attacks, SNMPv3 support included.

NTP-based fingerprinting. NTPd spits out quite a lot of information and is often open to the outside 
world on Cisco hosts. There is a Nessus plugin, that does NTP fingerprinting, but more can be done on
this side.

Classless CIDR netmask support in input.

SSL support for HTTPS scanning (find that PIX!)

Check for ECHO port for FX IOSniff attack against IOS 11.x

More Cisco vulnerabilities implemented for automated search.

Using DON'T as well as DO for Telnet fingerprinting. 

More Telnetd fingerprints in fingerprints.db

GUI (not necessary, but nice)
