Nmap 7 Released

November 19, 2015—The Nmap Project is pleased to announce the immediate, free availability of the Nmap Security Scanner version 7.00 from https://nmap.org/. It is the product of three and a half years of work, nearly 3200 code commits, and more than a dozen point releases since the big Nmap 6 release in May 2012. Nmap turned 18 years old in September this year and celebrates its birthday with 171 new NSE scripts, expanded IPv6 support, world-class SSL/TLS analysis, and more user-requested features than ever. We recommend that all current users upgrade.

Contents:

About Nmap

Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for network inventory, managing service upgrade schedules, monitoring host or service uptime, and many other tasks. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in nineteen movies and TV series, including The Matrix Reloaded, The Bourne Ultimatum. Girl with the Dragon Tattoo, Dredd, Elysium, and Die Hard 4. Nmap was released to the public in 1997 and has earned the trust of millions of users.

As free software, we don't have any sort of advertising budget. So please spread the word that Nmap 7 is now available!

Top 7 Improvements in Nmap 7

Before we get into the detailed changes, here are the top 7 improvements in Nmap 7:

1. Major Nmap Scripting Engine (NSE) Expansion As the Nmap core has matured, more and more new functionality is developed as part of our NSE subsystem instead. In fact, we've added 171 new scripts and 20 libraries since Nmap 6. Examples include firewall-bypass, supermicro-ipmi-conf, oracle-brute-stealth, and ssl-heartbleed. And NSE is now powerful enough that scripts can take on core functions such as host discovery (dns-ip6-arpa-scan), version scanning (ike-version, snmp-info, etc.), and RPC grinding (rpc-grind). There's even a proposal to implement port scanning in NSE. [More Details] 2. Mature IPv6 support IPv6 scanning improvements were a big item in the Nmap 6 release, but Nmap 7 outdoes them all with full IPv6 support for CIDR-style address ranges, Idle Scan, parallel reverse-DNS, and more NSE script coverage. [More Details] 3. Infrastructure Upgrades We may be an 18-year-old project, but that doesn't mean we'll stick with old, crumbling infrastructure! The Nmap Project continues to adopt the latest technologies to enhance the development process and serve a growing user base. For example, we converted all of Nmap.Org to SSL to reduce the risk of trojan binaries and reduce snooping in general. We've also been using the Git version control system as a larger part of our workflow and have an official Github mirror of the Nmap Subversion source repository and we encourage code submissions to be made as Github pull requests. We also created an official bug tracker which is also hosted on Github. Tracking bugs and enhancement requests this way has already reduced the number which fall through the cracks. [More Details] 4. Faster Scans Nmap has continually pushed the speed boundaries of synchronous network scanning for 18 years, and this release is no exception. New Nsock engines give a performance boost to Windows and BSD systems, target reordering prevents a nasty edge case on multihomed systems, and NSE tweaks lead to much faster -sV scans. [More Details] 5. SSL/TLS scanning solution of choice Transport Layer Security (TLS) and its predecessor, SSL, are the security underpinning of the web, so when big vulnerabilities like Heartbleed, POODLE, and FREAK come calling, Nmap answers with vulnerability detection NSE scripts. The ssl-enum-ciphers script has been entirely revamped to perform fast analysis of TLS deployment problems, and version scanning probes have been tweaked to quickly detect the newest TLS handshake versions. [More Details] 6. Ncat Enhanced We are excited and proud to announce that Ncat has been adopted by the Red Hat/Fedora family of distributions as the default package to provide the "netcat" and "nc" commands! This cooperation has resulted in a lot of squashed bugs and enhanced compatibility with Netcat's options. Also very exciting is the addition of an embedded Lua interpreter for creating simple, cross-platform daemons and traffic filters. 7. Extreme Portability Nmap is proudly cross-platform and runs on all sorts of esoteric and archaic systems. But our binary distributions have to be kept up-to-date with the latest popular operating systems. Nmap 7 runs cleanly on Windows 10 all the way back to Windows Vista. By popular request, we even built it to run on Windows XP, though we suggest those users upgrade their systems. Mac OS X is supported from 10.8 Mountain Lion through 10.11 El Capitan. Plus, we updated support for Solaris and AIX. And Linux users—you have it easy.

Press

Please mail Fyodor if you see (or write) reviews/articles on the Nmap 7 release. Here are the ones seen so far:

Reasonably detailed (or with many comments) English articles:

Brief English mentions: Linux Weekly News (LWN), SANS Internet Storm Center (ISC).

Permission is granted for journalists (or anyone writing about this Nmap release) to use any of the text or screen shots on this page. For quotes, you can email Fyodor at fyodor@nmap.org. Leave your phone number if you want a callback.



Screen Shots

Detailed Improvements

The Nmap Changelog describes more than 330 significant improvements since our last major release (6.00 in May 2012). Here are the highlights:

NSE Improvements

The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple Lua scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. The low learning curve and powerful networking libraries of NSE make it ideal for rapid development of security scanning and service probing scripts.

Mature IPv6 Support

It came as no surprise when ARIN ran out of IPv4 addresses this year, and Nmap was already riding the wave to full IPv6 deployment. Nmap has supported IPv6 in some way since 2002, but improvements keep coming:

Idle scan is now supported with IPv6. IPv6 packets don't usually come with fragment identifiers like IPv4 packets do, so new techniques had to be developed to make idle scan possible. The implementation is by Mathias Morbitzer, who made it the subject of his master's thesis.

Unicast CIDR-style IPv6 range scanning is now supported, so you can specify targets such as "en.wikipedia.org/120". Obviously it will take ages if you specify a huge space. For example, a /64 contains 18,446,744,073,709,551,616 addresses.

In addition to ensuring IPv6 support in the majority of NSE scripts , Nmap 7 adds several IPv6-specific scripts for advanced host discovery and even denial-of-service: dns-ip6-arpa-scan performs a quick reverse-DNS lookup of an IPv6 network using a technique which analyzes DNS server response codes to dramatically reduce the number of queries needed to enumerate large networks. targets-ipv6-wordlist preys on the tendency of human network operators to use the enormous IPv6 address space and the hexadecimal alphabet to assign addresses that form words like "dead:beef". The wordlist is configurable, and the results are surprising! targets-ipv6-map4to6 similarly searches for manually configured addresses that correspond to a smaller range of IPv4 addresses that may be assigned to the same network. ipv6-ra-flood generates a flood of Router Advertisements (RA) with random source MAC addresses and IPv6 prefixes. Computers, which have stateless autoconfiguration enabled by default (every major OS), will start to compute IPv6 suffix and update their routing table to reflect the accepted announcement. This will cause 100% CPU usage on Windows and platforms, preventing to process other application requests.

Nmap's parallel reverse-DNS resolver now handles IPv6 addresses. GSoC 2015 student Gioacchino Mazzurco rewrote the old C-style DNS code in beautiful C++ and a test suite, then fuzzed the living daylights out of it with afl. In addition to being very safe, this should result in faster -6 scans.

IPv6 OS fingerprinting is improved, thanks to the efforts of Mathias Morbitzer and Alexandru Geana. Building on Mathias's research into new IPv6 OS fingerprinting methods, Alexandru spent the spring and summer of 2015 testing and adding features to our machine learning OS classifier. Using IPv6 guessed initial Hop Limit (analogous to IPv4's TTL) and the ratio of TCP initial window size to Maximum Segment Size (MSS), the classifier now matches with more confidence than ever. He also completed an extension of the classifier's training process to impute missing values from dropped or filtered packets, which lets Nmap make better guesses when network conditions are poor.

Nmap's advanced traceroute is no longer limited to just using ICMP and TCP for tracing IPv6 hosts. The IPv6 --traceroute option is now equivalent to the IPv4 version and capable of using UDP, SCTP, and IPProto (Next Header) probes.

SSL/TLS scanning par excellence

SSL 3 deprecation, SHA-1 certificate deprecation, Heartbleed, CCS injection, POODLE, LOGJAM, FREAK, and RC4 deprecation—Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), have received a lot of attention in the past few years for security problems, and Nmap has emerged as the gold standard scanning tool for these issues.

One of our most popular NSE scripts is ssl-enum-ciphers, which enumerates SSL/TLS protocol versions (SSL 3 deprecation!) and ciphersuites (RC4 deprecation and weak export ciphers!). It has been enhanced beyond the old behavior of simply reporting "weak" or "strong" for each ciphersuite—it now scores each handshake using guidance from Qualys SSL Labs and taking into account server certificate strength, Diffie-Hellman parameter size, and encryption bit strength. It can safely scan the most finicky of SSL servers, safely negotiating long handshake intolerance issues and fragmented TLS messages. And it can run independently of version scan, since it is now capable of detecting TLS on unusual ports on its own.

Detection of SSL and TLS by -sV has been boosted by including more popular TLS ports in the default lists and adding a new TLS-only service probe. Also, NSE scripts can now do TLS checks against LDAP, IMAP, and POP3 services which support STARTTLS (FTP, SMTP, and XMPP were already supported).

At the core of our TLS NSE scripts is the new tls library, which enables quick development of robust scripts for checking vulnerabilities (ssl-heartbleed, ssl-poodle, ssl-ccs-injection, ssl-dh-params) or reporting configurations (tls-nextprotoneg, ssl-date).

Zenmap graphical front-end and results viewer

Zenmap is our cross-platform (Linux, Windows, Mac OS X, etc.) Nmap GUI and results viewer. It aims to provide advanced features for experienced Nmap users while also making Nmap easier for beginners to use. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later, or even compared with one another to see how they differ. Our network topology viewer allows for interactive exploration of a network scanned with Nmap. Zenmap is now a mature tool, but it still got several enhancements since 6.00:

Zenmap features a full translation capability for all menus, labels, buttons, and messages. Translations are available for 11 languages, including new Italian, Japanese, Polish, Chinese, and Hindi translations. The German and French translations were also updated.

Support for large scans has drastically improved. We solved a CPU usage bug in opening large files and prevented the most common cause of out-of-memory problems by dropping the scrolling output window if it becomes a problem. Don't worry! The output is still saved to disk. Additionally, scans which have a lot of anonymous (unresponsive) traceroute hops will take up less space on the Topology page, since Zenmap will now assume hops at the same distance are the same device.

Zenmap's display can filter hosts based on OS, ports, hostnames, and other criteria. Since 6.00 we also added negative matching, so you can exclude Windows systems for example with "os:!windows".

Another sign of a maturing codebase, we've enabled unittest discovery in Zenmap, so running "make check" will run most of the existing Zenmap tests. Watch for more improvements in this area in upcoming versions!

Ncat

Ncat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat. It uses both TCP and UDP for communication and is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users. Ncat will not only work with IPv4 and IPv6 but provides the user with a virtually limitless number of potential uses.

We are excited and proud to announce that Ncat has been adopted by the Red Hat/Fedora family of distributions as the default package to provide the "netcat" and "nc" commands! This cooperation has resulted in a lot of squashed bugs and enhanced compatibility with Netcat's options.

Some of the most exciting changes in Ncat 7 are:

Ncat now features an embedded Lua interpreter! Similar to the Nmap Scripting Engine, the "--lua-exec" option makes it easy to write simple traffic filters and daemons in easy-to-learn Lua. A collection of example scripts, including a simple HTTP server, is included with the Ncat source.

Ncat now supports Unix domain sockets (named pipes) on systems where those sockets are available. This is another Netcat compatibility enhancement, and it makes testing of Unix local services possible with Ncat.

Ncat's proxy support was extended to support SOCKS5 with authentication.

More compatibility corrections resulted in correct handling of EOF on all sockets, whether running as a client or as a server. The new --no-shutdown option keeps Ncat up and receiving network input after stdin is closed, just like traditional netcat's -d option.

Infrastructure Improvements

Keeping the Nmap project vibrant and productive (for developers and users) requires constant investment in our development. Improvements to Nmap's development and support infrastructure since Nmap 6 include:

The Nmap.org web site is now 100% HTTPS. This gives our users much-needed protection when downloading Nmap source and binary releases or submitting new service and OS fingerprints. Also, the GNU Mailman subscription pages for the Nmap-Announce, Nmap-Dev, and Full Disclosure mailing lists are hosted on Nmap.org and HTTPS-protected, so your subscription settings are safe, too.

The Nmap Project has fully embraced Github Issues as its bug tracking solution. The Nmap-Dev mailing list is still going strong for discussion of Nmap development issues, but for user-submitted bug reports and enhancement requests, Github is the place to be. We also encourage code submissions to be made as Github pull requests. Even though the Github repo is still a read-only mirror of our authoritative Subversion repository, Github offers a great code review and discussion interface, as well as integrated code-quality-checking tools. As a convenience, issues.nmap.org is a redirector for issue numbers: http://issues.nmap.org/229 for example.

On the subject of code quality, Nmap now integrates with Travis CI for continuous integration testing. If the build breaks, Nmap developers are notified immediately. Code contributions made as Github pull requests are automatically checked for build breakage, too. This is made possible by a concerted effort to enable "make check" to actually check and test Nmap code. So far, "make check" enables: Ncat test suite Nsock test suite Zenmap auto-discovered unit tests NSE tests through the unittest NSE script Ndiff tests Nmap's reverse-DNS engine test suite

Nmap's changelog page is now displayed in linked and cross-referenced HTML, instead of as a simple dump of the CHANGELOG text file. URLs, issue numbers, script names, and NSE library names are all linked to the appropriate pages.

SecWiki.org continues to be used by the Nmap development team for documentation and collaboration on long-term projects. Some popular pages are Nmap Code Standards, Nmap on Android, NSE Script Ideas, and the Nmap FAQ pages.

IPv4 Operating System Detection

Thanks to fingerprint submissions from thousands of Nmap users around the world, our remote operating system detection system grew from 3572 signatures in Nmap 6 to 4985 now. These include the latest versions of Windows, Linux, and Mac OS X as well as more specialized entries such as PLCs, lightbulbs, televisions, mainframes, and much more. Some of the newest fingerprints are for Apple iOS 9, Android 5.1, OpenBSD 5.7, FreeBSD 11.0, and a ton of new WAPs, switches, printers, and other devices.

In addition to more than 1400 new fingerprints, we made several important performance improvements and bug fixes to the system. Most notably, if version detection determines a port to be "tcpwrapped," OS detection will prefer to use a different port for probing, since there's a good chance this is the result of a firewall interfering with TCP connections on that port.

Version Detection

The days when we could assume what was running on an open port based on the port number are long gone. These days, folks commonly run services on the "wrong" port numbers in order to defeat filtering policies, hide traffic, or work around various networking problems. Fortunately, Nmap's version detection system is able to interrogate the service listening on the open port and tell you the service running as well as (in many cases) the application name and version number. Nmap 6 had an impressive 8165 signatures matching 862 protocols, but Nmap 7 improves that to a whopping 10299 signatures for 1091 protocols!

Additionally, Nmap 7 has 23 more service probes to pull information from remote services and more than double the number of softmatch lines (103), which help short-circuit the probing process to send the most-likely probes for the detected service.

Performance Improvements

In Nmap's 18-year history, performance has always been a top priority. Whether scanning one target or 20 million, users want scans to run as fast as possible without sacrificing accuracy. Improvements since Nmap 6 include:

For scans of targets that use different routes or interfaces, Nmap may now partially rearrange its target list for more efficient host groups. Previously, a single target with a different interface, or with an IP address the same as a that of a target already in the group, would cause the group to be broken off at whatever size it was. Now, we buffer a small number of such targets, and keep looking through the input for more targets to fill out the current group.

Timeouts for many NSE scripts were reduced from tens of seconds to use a scaled timeout based on Nmap's portscan-phase timing determinations. A simple library function, stdnse.get_timeout, makes it easy for new script authors to do the same.

Version scan is quicker now because of 56 more softmatch lines that prevent Nmap from sending irrelevant probes to certain services. Also, NSE scripts in the version category now obey the version intensity setting, so using an option like --version-light will prevent nearly all of these heavy-duty version probing scripts from running (unless you choose them by name).

The old RPC Grinder, which used the original pos_scan engine from 1998, has been replaced by a much faster NSE script implementation. Scan times for version scanning (-sV) ought to improve greatly.

New poll and kqueue Nsock engines allow for increased socket performance in Nsock-based scan phases (NSE and version scanning) on Windows, OS X, and BSD-derived systems that previously had to use the old select-based engine. Linux has had an epoll engine since Nmap 6.00.

Even More Improvements

In addition to the pages of changes listed above, we made many improvements which defy simple categorization:

The oft-requested --exclude-ports option has now been implemented! Easily avoid scanning off-limits or troublesome ports, without constructing complicated port ranges to avoid them. Safely integrates with -p, -F, and --top-ports.

Nsock (and by extension Nmap's -sV and NSE) now supports connecting through chained proxies. Nmap adds the --proxies option to specify this proxy chain. While port scanning is not yet included, GSoC student and mentor Jacek Wielemborek has done groundbreaking work towards implementing TCP Connect scan in Nsock, so stay tuned!

Instead of simply appending random data to Nmap scan packets with --data-length, try sending a message with the --data-string or --data options. Safely attribute your research or taunt your foes—it's up to you.

Though in most cases ARP ping is the stealthiest, fastest, and most reliable host discovery method, you can now force the usual layer-3 discovery probes with the --disable-arp-ping option. This is useful in networks using proxy ARP, which make all addresses appear to be up using ARP scan. The previously recommended workaround for this situation, --send-ip, didn't work on Windows it is still missing raw socket support.

For raw packet scans (i.e. not -sT), Nmap now reports the TTL of recieved packets in the Normal output if the --reason option is used. This was previously only available in the XML output, but is useful for detecting interfering firewalls in some cases. Additionally, --reason is enabled at verbosity 2 and higher.

Fixed a bug which caused Nmap to be unable to have any runtime interaction when called from sudo or from a shell script on Linux. This was especially appreciated on Debian-based systems where Nmap is usually invoked with sudo.

The beloved Nmap ASCII Dragon configure art now shares its spot with two other ASCII art pieces. Which one you get when you run ./configure is randomly chosen. Immediately below the art is a summary of what configure options were chosen, including a warning if OpenSSL could not be found and you didn't explicitly disable it.

Nping now checks for a matching ICMP ID to avoid colliding with other running ping processes.

These are all just highlights from the full list of changes you can find in our CHANGELOG.

Moving Forward (Future Plans)

With this stable version out of the way, we are diving headfirst into the next development cycle. Many exciting features are in the queue, including:

A modern upgrade to the aging WinPcap is coming! We already have a working replacement called Npcap developed by GSoC student Yang Luo that is updated to use the NDIS 6 API and LWF. Cooperating with the WinPcap group, we can be sure that these improvements will be available in Nmap very soon.

Nmap on mobile devices is already a reality for Android, but we want to expand support to other mobile platforms and perhaps develop a really useful app interface, since console applications tend to be difficult to use on those tiny screens.

We are always working on improving performance, and you can expect we will deliver. Nmap's --min-rate option has the potential to scale to Internet-wide scans, and we intend to benchmark and demonstrate this ability. More large-scale scanning research should help us improve the port popularity rankings and fine-tune Nmap's internals for optimum performance.

It doesn't take a Nostrodamus to predict that NSE will continue to expand at a blinding pace. We have dozens of NSE scripts waiting in the wings, and pages of ideas for new ones. Maybe your name will grace our CHANGELOG as a script author in the next release!

You can read more of our short-term and longer-term plans from our public TODO list.

For the latest Insecure.Org and Nmap announcements, join the 117,175-member Nmap-announce announcement list. Traffic rarely exceeds one message per month. Subscribe here or read the archives at SecLists.Org. To participate in Nmap development, join the (high traffic) nmap-dev list. You can also follow us on Twitter, Facebook, or Google+.

Acknowledgments

A free open source scanner as powerful as Nmap is only possible thanks to the help of hundreds of developers and other contributors. We would like to acknowledge and thank the many people who contributed ideas and/or code since Nmap 6.00. Special thanks go out to: Adam Saponara, Adam Števko, Aleksandar Nikolic, Alessandro Zanni, Alexandru Geana, Alexey Meshcheryakov, Alex Weber, Andreas Stieger, Andrew Farabee, Andrew Orr, Andrew Waters, Andrey Olkhin, Ange Gutek, Arturo Busleiman, Bill Parker, Brad Johnson, Brandon Paulsen, Brendan Coles, Chris Johnson, Chris Leick, Claudio Criscione, Claudiu Perta, Daniel Miller, Danila Poyarkov, David Fifield, David Matousek, Dhiru Kholia, Didier Stevens, Dillon Graham, Djalal Harouni, Dominik Schneider, Edward Napierała, Elon Natovich, Eric Davisson, Forrest B., Fyodor, George Chatzisofroniou, Gioacchino Mazzurco Giovanni Bechis, Greg Bailey, Gyanendra Mishra, Hani Benhabiles, hejianet, Henri Doreau, Jacek Wielemborek, Jan Reister, Jacob Gajek, jah, Jay Bosamiya, Jesper Kückelhahn, Jiayi Ye, Joachim Henke, John Bond, John Spencer, Jonathan Daugherty, jrchamp, Justin Cacak, Kurt Grutzmacher, Marek Lukaszuk, Marek Majkowski, Marin Maržić, Mariusz Ziulek, Mathias Morbitzer, Michael McTernan, Michael Meyer, Michael Schierl, Michael Toecker, Michael Wallner, Michal Hlavinka, Nicolle Neulist, Niklaus Schiess, nnposter, Olli Hauer, Patrick Donnelly, Patrik Karlsson, Paul AMAR, Paul Hemberger, Paulino Calderon, Pavel Kankovsky, Peter Malecka, Petr Stodulka, Philip Pickering, Pierluigi Vittori, Pierre Lalet, Piotr Olma, Pontus Andersson, Quentin Glidic, Raphael Hoegger, Raúl Fuentes, riemann, Rob Nicholls, Robin Wood, Ron Bowes, Sean Rivera, Simon John, Soldier of Fortran, Stephen Hilt, Tilik Ammon, Tom Sellers, Tomas Hozza, Tyler Wagner, Ulrik Haugen, Vasily Kulikov, and Vlatko Kosturjak.

We would also like to thank the thousands of people who have submitted OS and service/version fingerprints, as well as everyone who has found and reported bugs or suggested features.

Special thanks go to Google, who has sponsored 73 students (total over the last 11 years) to spend a summer working on Nmap as part of Google's Summer of Code program. This summer, we had a team of five amazing students who contributed mightily to make Nmap even more powerful. We encourage you to read this year's project summary to learn more.

Download and Updates

Nmap is available for download from https://nmap.org/download.html in source and binary form. Nmap is free, open source software (license).

To learn about Nmap announcements as they happen, subscribe to nmap-announce! It is a very low volume (7 messages so far in 2015), moderated list for announcements about Nmap, Insecure.org, and related projects. You can join the 117,175 current subscribers by submitting your e-mail address below.



(or subscribe with custom options from the Nmap-announce list info page)

Nmap-announce is archived at SecLists.org and has an RSS feed. To participate in Nmap development, join the (high traffic) nmap-dev list as well.

You are also encouraged to follow @nmap on Twitter and check out our Facebook page:

Direct questions or comments to Fyodor (fyodor@nmap.org). Report any bugs as described here.