Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
- Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, version detection, ping sweeps, and more. See the documentation page.
- Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
- Portable: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
- Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as “nmap -v -A targethost“. Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.
- Free: The primary goals of the Nmap Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
- Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages here.
- Supported: While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but only after you read the guidelines. We recommend that all users subscribe to the low-traffic nmap-hackers announcement list. You can also find Nmap on Facebook and Twitter. For real-time chat, join the #nmap channel on Freenode or EFNet.
- Acclaimed: Nmap has won numerous awards, including “Information Security Product of the Year” by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the press page for further details.
- Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.
Here is the full list of significant changes: • [Windows] We made a ton of improvements to our Npcap Windows packet capturing library (https://nmap.org/npcap/) for greater performance and stability, as well as smoother installer and better 802.11 raw frame capturing support. Nmap 7.70 updates the bundled Npcap from version 0.93 to 0.99-r2, including all these changes from the last seven Npcap releases: https://nmap.org/npcap/changelog • Integrated all of your service/version detection fingerprints submitted from March 2017 to August 2017 (728 of them). The signature count went up 1.02% to 11,672, including 26 new softmatches. We now detect 1224 protocols from filenet-pch, lscp, and netassistant to sharp-remote, urbackup, and watchguard. We will try to integrate the remaining submissions in the next release. • Integrated all of your IPv4 OS fingerprint submissions from September 2016 to August 2017 (667 of them). Added 298 fingerprints, bringing the new total to 5,652. Additions include iOS 11, macOS Sierra, Linux 4.14, Android 7, and more. • Integrated all 33 of your IPv6 OS fingerprint submissions from September 2016 to August 2017. New groups for OpenBSD 6.0 and FreeBSD 11.0 were added, as well as strengthened groups for Linux and OS X. • Added the --resolve-all option to resolve and scan all IP addresses of a host. This essentially replaces the resolveall NSE script. [Daniel Miller] • [NSE][SECURITY] Nmap developer nnposter found a security flaw (directory traversal vulnerability) in the way the non-default http-fetch script sanitized URLs. If a user manualy ran this NSE script against a malicious web server, the server could potentially (depending on NSE arguments used) cause files to be saved outside the intended destination directory. Existing files couldn't be overwritten. We fixed http-fetch, audited our other scripts to ensure they didn't make this mistake, and updated the httpspider library API to protect against this by default. [nnposter, Daniel Miller] • [NSE] Added 9 NSE scripts, from 8 authors, bringing the total up to 588! They are all listed at https://nmap.org/nsedoc/, and the summaries are below: - deluge-rpc-brute performs brute-force credential testing against Deluge BitTorrent RPC services, using the new zlib library. [Claudiu Perta] - hostmap-crtsh lists subdomains by querying Google's Certificate Transparency logs. [Paulino Calderon] - [GH#892] http-bigip-cookie decodes unencrypted F5 BIG-IP cookies and reports back the IP address and port of the actual server behind the load-balancer. [Seth Jackson] - http-jsonp-detection Attempts to discover JSONP endpoints in web servers. JSONP endpoints can be used to bypass Same-origin Policy restrictions in web browsers. [Vinamra Bhatia] - http-trane-info obtains information from Trane Tracer SC controllers and connected HVAC devices. [Pedro Joaquin] - [GH#609] nbd-info uses the new nbd.lua library to query Network Block Devices for protocol and file export information. [Mak Kolybabi] - rsa-vuln-roca checks for RSA keys generated by Infineon TPMs vulnerable to Return Of Coppersmith Attack (ROCA) (CVE-2017-15361). Checks SSH and TLS services. [Daniel Miller] - [GH#987] smb-enum-services retrieves the list of services running on a remote Windows machine. Modern Windows systems requires a privileged domain account in order to list the services. [Rewanth Cool] - tls-alpn checks TLS servers for Application Layer Protocol Negotiation (ALPN) support and reports supported protocols. ALPN largely replaces NPN, which tls-nextprotoneg was written for. [Daniel Miller] • [GH#978] Fixed Nsock on Windows giving errors when selecting on STDIN. This was causing Ncat 7.60 in connect mode to quit with error: libnsock select_loop(): nsock_loop error 10038: An operation was attempted on something that is not a socket. [nnposter] • [Ncat][GH#197][GH#1049] Fix --ssl connections from dropping on renegotiation, the same issue that was partially fixed for server mode in [GH#773]. Reported on Windows with -e by pkreuzt and vinod272. [Daniel Miller] • [NSE][GH#1062][GH#1149] Some changes to brute.lua to better handle misbehaving or rate-limiting services. Most significantly, brute.killstagnated now defaults to true. Thanks to xp3s and Adamtimtim for reporing infinite loops and proposing changes. • [NSE] VNC scripts now support Apple Remote Desktop authentication (auth type 30) [Daniel Miller] • [NSE][GH#1111] Fix a script crash in ftp.lua when PASV connection timed out. [Aniket Pandey] • [NSE][GH#1114] Update bitcoin-getaddr to receive more than one response message, since the first message usually only has one address in it. [h43z] • [Ncat][GH#1139] Ncat now selects the correct default port for a given proxy type. [Pavel Zhukov] • [NSE] memcached-info can now gather information from the UDP memcached service in addition to the TCP service. The UDP service is frequently used as a DDoS reflector and amplifier. [Daniel Miller] • [NSE][GH#1129] Changed url.absolute() behavior with respect to dot and dot-dot path segments to comply with RFC 3986, section 5.2. [nnposter] • Removed deprecated and undocumented aliases for several long options that used underscores instead of hyphens, such as --max_retries. [Daniel Miller] • Improved service scan's treatment of soft matches in two ways. First of all, any probes that could result in a full match with the soft matched service will now be sent, regardless of rarity. This improves the chances of matching unusual services on non-standard ports. Second, probes are now skipped if they don't contain any signatures for the soft matched service. Perviously the probes would still be run as long as the target port number matched the probe's specification. Together, these changes should make service/version detection faster and more accurate. For more details on how it works, see https://nmap.org/book/vscan.html. [Daniel Miller] • --version-all now turns off the soft match optimization, ensuring that all probes really are sent, even if there aren't any existing match lines for the softmatched service. This is slower, but gives the most comprehensive results and produces better fingerprints for submission. [Daniel Miller] • [NSE][GH#1083] New set of Telnet softmatches for version detection based on Telnet DO/DON'T options offered, covering a wide variety of devices and operating systems. [D Roberson] • [GH#1112] Resolved crash opportunities caused by unexpected libpcap version string format. [Gisle Vanem, nnposter] • [NSE][GH#1090] Fix false positives in rexec-brute by checking responses for indications of login failure. [Daniel Miller] • [NSE][GH#1099] Fix http-fetch to keep downloaded files in separate destination directories. [Aniket Pandey] • [NSE] Added new fingerprints to http-default-accounts: + Hikvision DS-XXX Network Camera and NUOO DVR [Paulino Calderon] + [GH#1074] ActiveMQ, Purestorage, and Axis Network Cameras [Rob Fitzpatrick, Paulino Calderon] • Added a new service detection match for WatchGuard Authentication Gateway. [Paulino Calderon] • [NSE][GH#1038][GH#1037] Script qscan was not observing interpacket delays (parameter qscan.delay). [nnposter] • [NSE][GH#1046] Script http-headers now fails properly if the target does not return a valid HTTP response. [spacewander] • [Ncat][Nsock][GH#972] Remove RC4 from the list of TLS ciphers used by default, in accordance with RFC 7465. [Codarren Velvindron] • [NSE][GH#1022] Fix a false positive condition in ipmi-cipher-zero caused by not checking the error code in responses. Implementations which return an error are not vulnerable. [Juho Jokelainen] • [NSE][GH#958] Two new libraries for NSE. - idna - Support for internationalized domain names in applications (IDNA) - punycode (a transfer encoding syntax used in IDNA) [Rewanth Cool] • [NSE] New fingerprints for http-enum: - [GH#954] Telerik UI CVE-2017-9248 [Harrison Neal] - [GH#767] Many WordPress version detections [Rewanth Cool] • [GH#981][GH#984][GH#996][GH#975] Fixed Ncat proxy authentication issues [nnposter]: - Usernames and/or passwords could not be empty - Passwords could not contain colons - SOCKS5 authentication was not properly documented - SOCKS5 authentication had a memory leak • [GH#1009][GH#1013] Fixes to autoconf header files to allow autoreconf to be run. [Lukas Schwaighofer] • [GH#977] Improved DNS service version detection coverage and consistency by using data from a Project Sonar Internet wide survey. Numerouse false positives were removed and reliable softmatches added. Match lines for version.bind responses were also conslidated using the technique below. [Tom Sellers] • [GH#977] Changed version probe fallbacks so as to work cross protocol (TCP/UDP). This enables consolidating match lines for services where the responses on TCP and UDP are similar. [Tom Sellers] • [NSE][GH#532] Added the zlib library for NSE so scripts can easily handle compression. This work started during GSOC 2014, so we're particularly pleased to finally integrate it! [Claudiu Perta, Daniel Miller] • [NSE][GH#1004] Fixed handling of brute.retries variable. It was being treated as the number of tries, not retries, and a value of 0 would result in infinite retries. Instead, it is now the number of retries, defaulting to 2 (3 total tries), with no option for infinite retries. • [NSE] http-devframework-fingerprints.lua supports Jenkins server detection and returns extra information when Jenkins is detected [Vinamra Bhatia] • [GH#926] The rarity level of MS SQL's service detection probe was decreased. Now we can find MS SQL in odd ports without increasing version intensity. [Paulino Calderon] • [GH#957] Fix reporting of zlib and libssh2 versions in "nmap --version". We were always reporting the version number of the included source, even when a different version was actually linked. [Pavel Zhukov] • Add a new helper function for nmap-service-probes match lines: $I(1,">") will unpack an unsigned big-endian integer value up to 8 bytes wide from capture 1. The second option can be "<" for little-endian. [Daniel Miller]