nmap 7.94

Nmap ("Network Mapper") is a network utility for service discovery, monitoring and security auditing. Nmap utilizes raw IP packets for host discovery, port scanning, OS fingerprinting, firewall probing, and generating various statistics. It permits inspecting large network ranges but also works for single server checks. It's cross-platform compatible and also provides a X11 reporting GUI with Zenmap, and Ncat for data transfer and debugging, Ndiff for result comparison, and Nping for response analysis.

Tags c network-scanner nmap monitoring networking
License GNU GPL
State alpha

Recent Releases

7.9421 May 2023 13:05 minor bugfix: o Zenmap and Ndiff now use Python 3! Thanks to the many contributors who made This effort possible: Zenmap Updated Zenmap to Python 3 and PyGObject. Jakub Kulík . + Ndiff Updated Ndiff to Python 3. Brian Quigley . + Additional Python 3 update by Sam James, Daniel Miller. Special thanks to those who opened Python 3-related and pull requests: Eli Schwartz, Romain Leonard, Varunram Ganesh, Pavel Zhukov, Carey Balboa, Hasan Aliyev, and others. o Windows Upgraded Npcap (our Windows raw packet capturing and. Transmission driver) from version 1.71 to the latest version 1.75. It Includes dozens of performance improvements, and feature Enhancements described at https://npcap.com/changelog. o Nmap now prints vendor names based on MAC address for MA-S (24-bit), MA-M. (28-bit), and MA-L (36-bit) registrations instead of the byte MAC. Preused previously for lookups. o Added partial silent-install support to the Nmap Windows. Installer. It previously didn't offer silent mode (/S) because the Free/demo version of Npcap Windoes packet capturing driver that it Needs and ships with doesn't include a silent installer. Now with The /S option, Nmap checks whether Npcap is already installed (either the free version or OEM) and will silently install itself if so. This is similar to how the Wireshark installer works and is. Particularly helpful for organizations that want to fully automate Their Nmap (and Npcap) deployments. See Https://nmap.org/nmap-silent-install for more details. o Lots of profile-guided memory and processing improvements for Nmap, including OS fingerprint matching, probe matching and retransmission lookups for large. Hostgroups, and service name lookups. Overhauled Nmap's string interning and Several other startup-related procedures to speed up start times, especially For scans using OS detection. Daniel Miller o Integrated many of the most-submitted IPv4 OS fingerprints for recent. Versions of Windows, iOS, macOS, Linux, and BSD. Added 22 fing
7.9302 Sep 2022 07:25 minor bugfix: o This release commemorates Nmap's 25th anniversary! It all started with this September 1, 1997 Phrack article by Fyodor: https://nmap.org/p51-11.html. o Windows Upgraded Npcap (our Windows raw packet capturing and. Transmission driver) from version 1.50 to the latest version 1.71. It Includes dozens of performance improvements, and feature Enhancements described at https://npcap.com/changelog. o Ensure Nmap builds with OpenSSL 3.0 using no deprecated API functions. Binaries for this release include OpenSSL 3.0.5. o Upgrade included libraries: libssh2 1.10.0, zlib 1.2.12, Lua 5.3.6, libpcap 1.10.1. o a that prevented Nmap from discovering interfaces on Linux. When no IPv4 addresses were configured. Daniel Miller, nnposter o NSE NSE "exception handling" with nmap.new_try() will no longer. Result in a stack traceback in deoutput nor a "ERROR: script execution Failed" message in script output, since the intended behavior has always been to end the script immediately without output. Daniel Miller . o Update the Nmap output DTD to match actual output since the. `` element was added in Nmap 7.90. o NSE newtargets support: since Nmap 7.92, scripts could not add. Targets in script pre-scanning phase. Daniel Miller o Scripts dhcp-discover and broadcast-dhcp-discover now support. Setting a client identifier. nnposter o Script oracle-tns-version was not reporting the version. Correctly for Oracle 19c or newer linholmes o Script redis-info was crashing or producing inaccurate. Information about client connections and/or cluster nodes. nnposter o Nmap and Nping were unable to obtain system routes on FreeBSD. benpratt, nnposter . o Script ipidseq was broken due to calling an unreachable library. Function. nnposter o Support for EC crypto was not properly enabled if Nmap. Was compiled with OpenSSL in a custom location. nnposter o NSE Improvements to event handling and pcap socket garbage collection. Ing potential hangs
7.9208 Aug 2021 11:45 minor feature: o Windows Upgraded Npcap (our Windows raw packet capturing and Transmission driver) from version 1.00 to the latest version 1.50. You can Read about the dozens of performance improvements, and feature Enhancements at https://npcap.org/changelog. o Windows Thanks to the Npcap 1.50 upgrade, Nmap now works on the Windows ARM architecture so you can run it on lightweight and power-efficient. Tablets like the Microsoft Surface Pro X and Samsung Galaxy Book Go. More ARM devices are on the way along with the upcoming Windows 11 release. See. The Npcap on ARM announcement at Https://seclists.org/nmap-announce/2021/2. o Windows Updated our Windows builds to Visual Studio 2019, Windows 10 SDK, and the UCRT. This prevents Nmap from working on Windows Vista and. Earlier, but they can still use older versions of Nmap on their ancient Operating system. o New Nmap option --unique will prevent Nmap from scanning the same IP. Address twice, which can happen when different names resolve to the same Address. Daniel Miller o NSE TLS 1.3 now supported by most scripts for which it is. Relevant, such as ssl-enum-ciphers. Some functions like ssl tunnel Connections and certificate parsing will require OpenSSL 1.1.1 or later to Fully support TLS 1.3. Daniel Miller o NSE Added 3 NSE scripts, from 4 authors, bringing the total up to 604! They are all listed at https://nmap.org/nsedoc/, and the summaries are. Below: Nbns-interfaces queries NetBIOS name service (NBNS) to gather IP addresses of the target's network interfaces Andrey Zhukov . + GH#711 openflow-info gathers preferred and supported protocol versions. From OpenFlow devices Jay Smith, Mak Kolybabi Port-states prints a list of ports that were found in each state. Including states that were summarized as "Not shown: X ports" Daniel Miller . o Several changes to UDP payloads to improve accuracy: + an with -sU where payload data went out-of-scope. Before it was used, causing corrupted payloads to be
7.9121 Oct 2020 01:45 minor bugfix: o NSE several places where Lua's os.time was being used to represent dates prior to January 1, 1970, which fails on Windows. Notably, NSE refused to run in UTC+X timezones with the error "time result cannot be. Represented in this installation" Clément Notin, nnposter, Daniel Miller o Zenmap a crash in the profile editor due to a missing import. o Nsock Windows Demote the IOCP Nsock engine because of some known. That will take longer to resolve. The previous default "poll" engine Will be used instead. o Nsock Windows a crash in service scan due to a previously-unknown. Error being returned from the IOCP Nsock engine. Daniel Miller o NSE MySQL library was not properly parsing server responses. Resulting in script crashes. nnposter o Silence the irrelevant warning, "Your ports include 'T:' but you. Haven't specified any TCP scan type" when running nmap -sUV
7.9005 Oct 2020 06:48 minor feature: o the "iocp" Nsock engine for Windows to be able to correctly Handle PCAP read events. This engine is now the default for Windows, which Should greatly improve performance over the previous default, the "poll" Engine. Daniel Miller o Restrict Nmap's search path for scripts and data files. NMAPDATADIR, defined on Unix and Linux as pre /share/nmap, will not be. Searched on Windows, where it was previously defined as C: Nmap. Additionally, the --script option will not interpret names as directory names. Unless they are followed by a '/'. Daniel Miller o Removed nmap-update. This program was intended to provide a way to update. Data files and NSE scripts, but the infrastructure was never fielded. It Depended on Subversion version control and would have required maintaining Separate versions of NSE scripts for compatibility. o Reduced CPU usage of OS scan by 50 by avoiding string copy. Operations and removing undocumented fingerprint syntax unused in nmap-os-db (' ' and '+' in expressions). Daniel Miller . o GH#92 a regression in ARP host discovery left over from the move from. Massping to ultra_scan in Nmap 4.22SOC8 (2007) that sometimes resulted in Missing ARP responses from targets near the end of a scan. Accuracy and speed Are both improved. Daniel Miller o Addressed over 250 code quality identified by LGTM.com. Improving our code quality score from "C" to "A+" o an assertion failure when unsolicited ARP response is received: Nmap: Target.cc:503: void Target::stopTimeOutClock(const timeval*): Assertion `htn.toclock_running == true' failed. o Allow multiple UDP payloads to be specified for a port in. Nmap-payloads. If the first payload does not get a response, the remaining Payloads are tried round-robin. Paul Miseiko, Rapid7 o 23 new UDP payloads and dozens more default ports for existing. Payloads developed for Rapid7's InsightVM scan engine. These speed up and Ensure detection of open UDP services. Paul Miseiko, Rapid7 o Ne
7.8012 Aug 2019 11:25 minor feature: o Windows The Npcap Windows packet capturing library (https://npcap.org/) is faster and more stable than ever. Nmap 7.80 updates the bundled Npcap. From version 0.99-r2 to 0.9982, including all of these changes from the Last 15 Npcap releases: https://nmap.org/npcap/changelog o NSE Added 11 NSE scripts, from 8 authors, bringing the total up to 598! They are all listed at https://nmap.org/nsedoc/, and the summaries are. Below: Broadcast-hid-discoveryd discovers HID devices on a LAN by. Sending a discoveryd network broadcast probe. Brendan Coles Broadcast-jenkins-discover discovers Jenkins servers on a LAN by sending a discovery broadcast probe. Brendan Coles . Http-hp-ilo-info extracts information from HP Integrated Lights-Out (iLO) servers. rajeevrmenon97 . Http-sap-netweaver-leak detects SAP Netweaver Portal with the Knowledge Management Unit enabled with anonymous access. ArphanetX . Https-redirect detects HTTP servers that redirect to the same port, but. With HTTPS. Some nginx servers do this, which made ssl- scripts not run Properly. Daniel Miller + lu-enum enumerates Logical Units (LU) of TN3270E servers. Soldier of Fortran . Rdp-ntlm-info extracts Windows domain information from RDP. Services. Tom Sellers Smb-vuln-webexec checks whether the WebExService is installed and allows. Code execution. Ron Bowes Smb-webexec-exploit exploits the WebExService to run arbitrary commands. With SYSTEM privileges. Ron Bowes Ubiquiti-discovery extracts information from the Ubiquiti Discovery service and assists version detection. Tom Sellers . Vulners queries the Vulners CVE database API using CPE. Information from Nmap's service and application version detection. GMedian, Daniel Miller . o GH#34 Use pcap_create instead of pcap_live_open in Nmap, and set immediate mode on the pcap descriptor. This solves packet. Loss problems on Linux and may improve performance on other platforms. Daniel Cater, Mike Pontillo, Daniel Miller .
7.7021 Mar 2018 20:45 minor feature: o Windows Updated the bundled Npcap from 0.93 to 0.99-r2, with many Stability and installation improvements, as well as to Raw 802.11 frame capture. See https://nmap.org/npcap/changelog o Integrated all of your service/version detection fingerprints submitted from March 2017 to August 2017 (728 of them). The signature count went up 1.02 to 11,672, including 26 new softmatches. We now detect 1224 protocols from. Filenet-pch, lscp, and netassistant to sharp-remote, urbackup, and Watchguard. We will try to integrate the remaining submissions in the next Release. o Integrated all of your IPv4 OS fingerprint submissions from September 2016 to August 2017 (667 of them). Added 298 fingerprints, bringing the new total to 5,652. Additions include iOS 11, macOS Sierra, Linux 4.14, Android 7, and. More. o Integrated all 33 of your IPv6 OS fingerprint submissions from September 2016 to August 2017. New groups for OpenBSD 6.0 and FreeBSD 11.0 were added, as well as strengthened groups for Linux and OS X. o Added the --resolve-all option to resolve and scan all IP addresses of a. Host. This essentially replaces the resolveall NSE script. Daniel Miller o NSE SECURITY Nmap developer nnposter found a security flaw (directory. Traversal vulnerability) in the way the non-default http-fetch script Sanitized URLs. If a user manualy ran this NSE script with against a Malicious web server, the server could potentially (depending on NSE Arguments used) cause files to be saved outside the intended destination Directory. Existing files couldn't be overwritten. We http-fetch, Audited our other scripts to ensure they didn't make this mistake, and we Updated the httpspider library API to protect against this by Default. nnposter, Daniel Miller o NSE Added 9 NSE scripts, from 8 authors, bringing the total up to 588! They are all listed at https://nmap.org/nsedoc/, and the summaries are. Below: Deluge-rpc-brute performs brute-force credential testing against Deluge Bit
7.6002 Aug 2017 16:05 minor feature: o Windows Updated the bundled Npcap from 0.91 to 0.93, ing several with installation and compatibility with the Windows 10 Creators Update. o NSE GH#910 NSE scripts now have complete SSH support via libssh2. Including password brute-forcing and running remote commands, thanks to the Combined efforts of three Summer of Code students: Devin Bjelland, Sergey Khegay, Evangelos Deirmentzoglou . o NSE Added 14 NSE scripts from 6 authors, bringing the total up to 579! They are all listed at https://nmap.org/nsedoc/, and the summaries are below: Ftp-syst sends SYST and STAT commands to FTP servers to get system version. And connection information. Daniel Miller + GH#916 http-vuln-cve2017-8917 checks for an SQL injection vulnerability affecting Joomla! 3.7.x before 3.7.1. Wong Wai Tuck . Iec-identify probes for the IEC 60870-5-104 SCADA protocol. Aleksandr Timorin, Daniel Miller . + GH#915 openwebnet-discovery retrieves device identifying information and. Number of connected devices running on openwebnet protocol. Rewanth Cool Puppet-naivesigning checks for a misconfiguration in the Puppet CA where. Naive signing is enabled, allowing for any CSR to be automatically signed. Wong Wai Tuck . + GH#943 smb-protocols discovers if a server supports dialects NT LM 0.12. (SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old. Smbv2-enabled script. Paulino Calderon + GH#943 smb2-capabilities lists the supported capabilities of SMB2/SMB3. Servers. Paulino Calderon + GH#943 smb2-time determines the current date and boot date of SMB2. Servers. Paulino Calderon + GH#943 smb2-security-mode determines the message signing configuration of SMB2/SMB3 servers. Paulino Calderon . + GH#943 smb2-vuln-uptime attempts to discover missing critical patches in Microsoft Windows systems based on the SMB2 server uptime. Paulino Calderon . Ssh-auth-methods lists the authentication methods offered by an SSH server. Devin Bjelland . Ssh-b
7.5015 Jun 2017 13:25 minor feature: o Windows Updated the bundled Npcap from 0.78 to 0.91, with several for WiFi connectivity problems and stability. Daniel Miller, Yang Luo o Integrated all of your service/version detection fingerprints submitted from September to March (855 of them). The signature count went up 2.9 to 11,418. We now detect 1193 protocols from apachemq, bro, and clickhouse to jmon. Slmp, and zookeeper. Highlights: http://seclists.org/nmap-dev/2017/q2/140 o NSE Added 14 NSE scripts from 12 authors, bringing the total up to 566! They are all listed at https://nmap.org/nsedoc/, and the summaries are below: + GH#743 broadcast-ospf2-discover discovers OSPF 2 routers and neighbors. OSPFv2 authentication is supported. Emiliano Ticci . + GH#671 cics-info checks IBM TN3270 services for CICS transaction services. And extracts useful information. Soldier of Fortran + GH#671 cics-user-brute does brute-force enumeration of CICS usernames on IBM TN3270 services. Soldier of Fortran . + GH#669 http-cookie-flags checks HTTP session cookies for HTTPOnly and Secure flags. Steve Benson . Http-security-headers checks for the HTTP response headers related to. Security given in OWASP Secure Headers Project, giving a brief description of the header and its configuration value. Vinamra Bhatia, Ícaro Torres . + GH#740 GH#759 http-vuln-cve2017-5638 checks for the RCE in Apache Struts2. Seth Jackson . + GH#876 http-vuln-cve2017-5689 detects a privilege escalation. Vulnerability (INTEL-SA-00075) in Intel Active Management Technology (AMT) Capable systems. Andrew Orr Http-vuln-cve2017-1001000 detects a privilege escalation vulnerability in Wordpress 4.7.0 and 4.7.1 (CVE-2017-1001000) Vinamra Bhatia . + GH#713 impress-remote-discover attempts to pair with the LibreOffice Impress presentation remote service and extract version info. Pairing is PIN-protected, and the script can optionally brute-force the PIN. New. Service probe and match line also added. Jeremy Hi
7.4021 Dec 2016 11:45 major feature: o Windows Updated the bundled Npcap from 0.10r9 to 0.78r5, with an Improved installer experience, driver signing updates to work with Windows 10 build 1607, and for WiFi connectivity. Problems. Yang Luo, Daniel Miller o Integrated all of your IPv4 OS fingerprint submissions from April to September (568 of them). Added 149 fingerprints, bringing the new total to 5,336. Additions include Linux 4.6, macOS 10.12 Sierra, NetBSD 7.0, and more. Highlights: http://seclists.org/nmap-dev/2016/q4/110 Daniel Miller . o Integrated all of your service/version detection fingerprints submitted from April to September (779 of them). The signature count went up 3.1 to 11,095. We now detect 1161 protocols, from airserv-ng, domaintime, and mep to. Nutcracker, rhpp, and usher. Highlights: http://seclists.org/nmap-dev/2016/q4/115 Daniel Miller . o reverse DNS on Windows which was failing with the message "mass_dns: Warning: Unable to determine any DNS servers." This was because the interface GUID comparison needed to be case-insensitive. Robert Croteau . o NSE Added 12 NSE scripts from 4 authors, bringing the total up to 552! They are all listed at https://nmap.org/nsedoc/, and the summaries are below: Cics-enum enumerates CICS transaction IDs, mapping to screens in TN3270. Services. Soldier of Fortran Cics-user-enum brute-forces usernames for CICS users on TN3270 services. Soldier of Fortran . Fingerprint-strings will print the ASCII strings it finds in the service. Fingerprints that Nmap shows for unidentified services. Daniel Miller + GH#606 ip-geolocation-map-bing renders IP geolocation data as an image. Via Bing Maps API. Mak Kolybabi + GH#606 ip-geolocation-map-google renders IP geolocation data as an image. Via Google Maps API. Mak Kolybabi + GH#606 ip-geolocation-map-kml records IP geolocation data in a KML file. For import into other mapping software Mak Kolybabi Nje-pass-brute brute-forces the password to a NJE node, given a valid
7.3122 Oct 2016 21:45 minor bugfix: o Windows Updated the bundled Npcap from 0.10r2 to 0.10r9, bringing Increased stability,, and raw 802.11 WiFi capture. Further details on these changes can be found at Https://github.com/nmap/npcap/releases. Yang Luo o the way Nmap handles scanning names that resolve to the same IP. Due to. Changes in 7.30, the IP was only being scanned once, with bogus results Displayed for the other names. The previous behavior is now restored. Tudor Emil Coman . o Nping GH#559 Nping's ability to use Npcap on Windows. A privilege. Check was performed too late, so the Npcap loading code assumed the user had no Rights. Yang Luo, Daniel Miller o GH#350 an assertion failure due to floating point error in equality. Comparison, which triggered mainly on OpenBSD: Assertion "diff
7.3001 Oct 2016 06:25 minor feature: o Integrated all 12 of your IPv6 OS fingerprint submissions from June to September. No new groups, but several classifications were strengthened. Especially Windows localhost and OS X. Daniel Miller o NSE Added 7 NSE scripts, from 3 authors, bringing the total up to 541! They are all listed at https://nmap.org/nsedoc/, and the summaries are below. (authors are listed in brackets): + GH#369 coap-resources grabs the list of available resources from CoAP. Endpoints. Mak Kolybabi Fox-info retrieves detailed version and configuration info from Tridium Niagara Fox services. Stephen Hilt . Ipmi-brute performs authentication brute-forcing on IPMI services. Claudiu Perta . Ipmi-cipher-zero checks IPMI services for Cipher Zero support, which allows. Connection without a password. Claudiu Perta Ipmi-version retrieves protocol version and authentication options from ASF-RMCP (IPMI) services. Claudiu Perta . + GH#352 mqtt-subscribe connects to a MQTT broker, subscribes to topics. And lists the messages received. Mak Kolybabi Pcworx-info retrieves PLC model, firmware version, and date from Phoenix Contact PLCs. Stephen Hilt . o Upgraded Npcap, our new Windows packet capturing driver/library. From version to 0.09 to 0.10r2. This includes many, with a Particular on emphasis on concurrency discovered by running Hundreds of Nmap instances at a time. More details are available From https://github.com/nmap/npcap/releases. Yang Luo, Daniel Miller, Fyodor . o New service probes and match lines for DTLS, IPMI-RMCP, MQTT, PCWorx, ProConOS, and Tridium Fox, Stephen Hilt, Mak Kolybabi, Daniel Miller . o Improved some output filtering to remove or escape carriage returns (' r'). That could allow output spoofing by overwriting portions of the screen. reported by Adam Rutherford. Daniel Miller o NSE a few bad Lua patterns that could result in denial of service due to excessive backtracking. Adam Rutherford, Daniel Miller . o a discrepancy betw
7.1204 Apr 2016 03:15 minor feature: o Zenmap Avoid file corruption in zenmap.conf, reported as files containing Many null (" x00") characters. Example exceptions: TypeError: int() argument must be a string or a number, not 'list' ValueError: unable to parse colour specification. o NSE VNC updates including vnc-brute support for TLS security type and. Negotiating a lower RFB version if the server sends an unknown higher Version. Daniel Miller o NSE Added STARTTLS support for VNC, NNTP, and LMTP Daniel Miller . o Added new service probes and match lines for OpenVPN on UDP and TCP.
7.1019 Mar 2016 03:15 minor feature: o NSE Added 12 NSE scripts from 7 authors, bringing the total up to 527! They are all listed at https://nmap.org/nsedoc/, and the summaries are below. (authors are listed in brackets): + GH#322 http-apache-server-status parses the server status page of Apache's mod_status. Eric Gershman . Http-vuln-cve2013-6786 detects a XSS and URL redirection vulnerability in Allegro RomPager web server. Also added a fingerprint for detecting CVE-2014-4019 to http-fingerprints.lua. Vlatko Kosturjak . + GH#226 http-vuln-cve2014-3704 detects and exploits the "Drupalgeddon". Pre-auth SQL Injection vulnerability in Drupal. Mariusz Ziulek Imap-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled IMAP services. Justin Cacak . Ipv6-multicast-mld-list discovers IPv6 multicast listeners with MLD probes. The discovery is the same as targets-ipv6-multicast-mld, but the subscribed. Addresses are decoded and listed. Alexandru Geana, Daniel Miller + ms-sql-ntlm-info extracts OS version and sometimes hostname from MS SQL Server instances via the NTLM challenge message. Justin Cacak . Nntp-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled NNTP services. Justin Cacak . Pop3-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled POP3 services. Justin Cacak . Rusers retrieves information about logged-on users from the rusersd RPC. Service. Daniel Miller + GH#333 shodan-api queries the Shodan API (https://www.shodan.io) and. Retrieves open port and service info from their Internet-wide scan data. Glenn Wilkinson . Smtp-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled SMTP and submission services. Justin Cacak . Telnet-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled Telnet services. Justin Cacak . o Updated the OpenSSL shipped with our binary builds (Windows, OS X, and Linux RPM) to 1.0.2g with SSLv2 enabled. o Integrated all
6.4724 Aug 2014 21:22 major bugfix: More IPv4 OS fingerprints incorporated, upgraded OpenSSL to version 1.0.1i, Python to 2.7.8, removed external XML entities. Nmap fixes for installation on Windows, ndiff.bat wrapper fixed. Zenmap .dmg installed fixed. Ncat SOCKS5 auth adapted. Avoid formatting NULL as " s" when running nmap --iflist. Avoid crashes with old PyXML packages. Fix for handling of ICMP admin-prohibited messages Bugfix for HTTP HEAD requests with redirects. Gtk crash in Zenmaps DiffViewer fixed.