Nmap 7 Released

November 19, 2015—The Nmap Project is pleased to announce the immediate, free availability of the Nmap Security Scanner version 7.00 from https://nmap.org/. It is the product of three and a half years of work, nearly 3200 code commits, and more than a dozen point releases since the big Nmap 6 release in May 2012. Nmap turned 18 years old in September this year and celebrates its birthday with 171 new NSE scripts, expanded IPv6 support, world-class SSL/TLS analysis, and more user-requested features than ever. We recommend that all current users upgrade.

Contents:

  1. About Nmap
  2. Top 7 Improvements in Nmap 7
  3. Press
  4. Screen Shots
  5. Detailed Improvements
  6. Moving Forward (Future Plans)
  7. Acknowledgments
  8. Download and Updates

About Nmap

Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for network inventory, managing service upgrade schedules, monitoring host or service uptime, and many other tasks. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in nineteen movies and TV series, including The Matrix Reloaded, The Bourne Ultimatum, Girl with the Dragon Tattoo, Dredd, Elysium, and Die Hard 4. Nmap was released to the public in 1997 and has earned the trust of millions of users.

As free software, we don't have any sort of advertising budget. So please spread the word that Nmap 7 is now available!


Top 7 Improvements in Nmap 7

Before we get into the detailed changes, here are the top 7 improvements in Nmap 7:

1. Major Nmap Scripting Engine (NSE) Expansion

As the Nmap core has matured, more and more new functionality is developed as part of our NSE subsystem instead. In fact, we've added 171 new scripts and 20 libraries since Nmap 6. Examples include firewall-bypass, supermicro-ipmi-conf, oracle-brute-stealth, and ssl-heartbleed. And NSE is now powerful enough that scripts can take on core functions such as host discovery (dns-ip6-arpa-scan), version scanning (ike-version, snmp-info, etc.), and RPC grinding (rpc-grind). There's even a proposal to implement port scanning in NSE. [More Details]

2. Mature IPv6 support

IPv6 scanning improvements were a big item in the Nmap 6 release, but Nmap 7 outdoes them all with full IPv6 support for CIDR-style address ranges, Idle Scan, parallel reverse-DNS, and more NSE script coverage. [More Details]

3. Infrastructure Upgrades

We may be an 18-year-old project, but that doesn't mean we'll stick with old, crumbling infrastructure! The Nmap Project continues to adopt the latest technologies to enhance the development process and serve a growing user base. For example, we converted all of Nmap.Org to SSL to reduce the risk of trojan binaries and reduce snooping in general. We've also been using the Git version control system as a larger part of our workflow and have an official Github mirror of the Nmap Subversion source repository. We encourage code submissions to be made as Github pull requests. We also created an official bug tracker, which is hosted on Github as well. Tracking bugs and enhancement requests this way has already reduced the number which fall through the cracks. [More Details]

4. Faster Scans

Nmap has continually pushed the speed boundaries of synchronous network scanning for 18 years, and this release is no exception. New Nsock engines give a performance boost to Windows and BSD systems, target reordering prevents a nasty edge case on multihomed systems, and NSE tweaks lead to much faster -sV scans. [More Details]

5. SSL/TLS scanning solution of choice

Transport Layer Security (TLS) and its predecessor, SSL, are the security underpinning of the web, so when big vulnerabilities like Heartbleed, POODLE, and FREAK come calling, Nmap answers with vulnerability detection NSE scripts. The ssl-enum-ciphers script has been entirely revamped to perform fast analysis of TLS deployment problems, and version scanning probes have been tweaked to quickly detect the newest TLS handshake versions. [More Details]

6. Ncat Enhanced

We are excited and proud to announce that Ncat has been adopted by the Red Hat/Fedora family of distributions as the default package to provide the "netcat" and "nc" commands! This cooperation has resulted in a lot of squashed bugs and enhanced compatibility with Netcat's options. Also very exciting is the addition of an embedded Lua interpreter for creating simple, cross-platform daemons and traffic filters.

7. Extreme Portability

Nmap is proudly cross-platform and runs on all sorts of esoteric and archaic systems. But our binary distributions have to be kept up-to-date with the latest popular operating systems. Nmap 7 runs cleanly on Windows 10 all the way back to Windows Vista. By popular request, we even built it to run on Windows XP, though we suggest those users upgrade their systems. Mac OS X is supported from 10.8 Mountain Lion through 10.11 El Capitan. Plus, we updated support for Solaris and AIX. And Linux users—you have it easy.


Press

Please mail Fyodor if you see (or write) reviews/articles on the Nmap 7 release. Here are the ones seen so far:

Reasonably detailed (or with many comments) English articles:

Brief English mentions: Linux Weekly News (LWN), SANS Internet Storm Center (ISC).

Permission is granted for journalists (or anyone writing about this Nmap release) to use any of the text or screen shots on this page. For quotes, you can email Fyodor at [email protected]. Leave your phone number if you want a callback.

Screen Shots

Nmap 7 provides a wealth of information about remote systems, as shown in this sample scan against a machine we maintain for scan testing purposes (scanme.nmap.org).

Screenshot of OS X terminal window running 'nmap -6 -A scanme.nmap.org'

Here is an example using Zenmap on Windows 8.1 against a couple of production web servers (Nmap.org and Reddit).

Screenshot of Zenmap 7 on Windows 8.1 showing Nmap text output

Perhaps the most visually appealing aspect of Zenmap is its network topology mapper. Here it is being used to interactively explore the routes between a source machine and a handful of interesting web sites, using the Chinese translation.

Screenshot of Zenmap 7 in XFCE4 showing the Topology tab in the Chinese language

Detailed Improvements

The Nmap Changelog describes more than 330 significant improvements since our last major release (6.00 in May 2012). Here are the highlights:

NSE Improvements

The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple Lua scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. The low learning curve and powerful networking libraries of NSE make it ideal for rapid development of security scanning and service probing scripts.

Mature IPv6 Support

It came as no surprise when ARIN ran out of IPv4 addresses this year, and Nmap was already riding the wave to full IPv6 deployment. Nmap has supported IPv6 in some way since 2002, but improvements keep coming:

SSL/TLS scanning par excellence

SSL 3 deprecation, SHA-1 certificate deprecation, Heartbleed, CCS injection, POODLE, LOGJAM, FREAK, and RC4 deprecation—Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), have received a lot of attention in the past few years for security problems, and Nmap has emerged as the gold standard scanning tool for these issues.

Zenmap graphical front-end and results viewer

Zenmap is our cross-platform (Linux, Windows, Mac OS X, etc.) Nmap GUI and results viewer. It aims to provide advanced features for experienced Nmap users while also making Nmap easier for beginners to use. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later, or even compared with one another to see how they differ. Our network topology viewer allows for interactive exploration of a network scanned with Nmap. Zenmap is now a mature tool, but it has still received several enhancements since 6.00:

Ncat

Ncat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat. It uses both TCP and UDP for communication and is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users. Ncat will not only work with IPv4 and IPv6 but provides the user with a virtually limitless number of potential uses.

We are excited and proud to announce that Ncat has been adopted by the Red Hat/Fedora family of distributions as the default package to provide the "netcat" and "nc" commands! This cooperation has resulted in a lot of squashed bugs and enhanced compatibility with Netcat's options.

Some of the most exciting changes in Ncat 7 are:

Infrastructure Improvements

Keeping the Nmap project vibrant and productive (for developers and users) requires constant investment in our development. Improvements to Nmap's development and support infrastructure since Nmap 6 include:

IPv4 Operating System Detection

Thanks to fingerprint submissions from thousands of Nmap users around the world, our remote operating system detection system grew from 3572 signatures in Nmap 6 to 4985 now. These include the latest versions of Windows, Linux, and Mac OS X as well as more specialized entries such as PLCs, lightbulbs, televisions, mainframes, and much more. Some of the newest fingerprints are for Apple iOS 9, Android 5.1, OpenBSD 5.7, FreeBSD 11.0, and a ton of new WAPs, switches, printers, and other devices.

In addition to more than 1400 new fingerprints, we made several important performance improvements and bug fixes to the system. Most notably, if version detection determines a port to be "tcpwrapped," OS detection will prefer to use a different port for probing, since there's a good chance this is the result of a firewall interfering with TCP connections on that port.

Version Detection

The days when we could assume what was running on an open port based on the port number are long gone. These days, folks commonly run services on the "wrong" port numbers in order to defeat filtering policies, hide traffic, or work around various networking problems. Fortunately, Nmap's version detection system is able to interrogate the service listening on the open port and tell you the service running as well as (in many cases) the application name and version number. Nmap 6 had an impressive 8165 signatures matching 862 protocols, but Nmap 7 improves that to a whopping 10299 signatures for 1091 protocols!

Additionally, Nmap 7 has 23 more service probes to pull information from remote services and more than double the number of softmatch lines (103), which help short-circuit the probing process to send the most-likely probes for the detected service.

Performance Improvements

In Nmap's 18-year history, performance has always been a top priority. Whether scanning one target or 20 million, users want scans to run as fast as possible without sacrificing accuracy. Improvements since Nmap 6 include:

Even More Improvements

In addition to the pages of changes listed above, we made many improvements which defy simple categorization:

These are all just highlights from the full list of changes you can find in our CHANGELOG.

Moving Forward (Future Plans)

With this stable version out of the way, we are diving headfirst into the next development cycle. Many exciting features are in the queue, including:

You can read more of our short-term and longer-term plans from our public TODO list.

For the latest Insecure.Org and Nmap announcements, join the 117,175-member Nmap-announce announcement list. Traffic rarely exceeds one message per month. Subscribe here or read the archives at SecLists.Org. To participate in Nmap development, join the (high traffic) nmap-dev list. You can also follow us on Twitter, Facebook, or Google+.

Acknowledgments

A free open source scanner as powerful as Nmap is only possible thanks to the help of hundreds of developers and other contributors. We would like to acknowledge and thank the many people who contributed ideas and/or code since Nmap 6.00. Special thanks go out to: Adam Saponara, Adam Števko, Aleksandar Nikolic, Alessandro Zanni, Alexandru Geana, Alexey Meshcheryakov, Alex Weber, Andreas Stieger, Andrew Farabee, Andrew Orr, Andrew Waters, Andrey Olkhin, Ange Gutek, Arturo Busleiman, Bill Parker, Brad Johnson, Brandon Paulsen, Brendan Coles, Chris Johnson, Chris Leick, Claudio Criscione, Claudiu Perta, Daniel Miller, Danila Poyarkov, David Fifield, David Matousek, Dhiru Kholia, Didier Stevens, Dillon Graham, Djalal Harouni, Dominik Schneider, Edward Napierała, Elon Natovich, Eric Davisson, Forrest B., Fyodor, George Chatzisofroniou, Gioacchino Mazzurco, Giovanni Bechis, Greg Bailey, Gyanendra Mishra, Hani Benhabiles, hejianet, Henri Doreau, Jacek Wielemborek, Jan Reister, Jacob Gajek, jah, Jay Bosamiya, Jesper Kückelhahn, Jiayi Ye, Joachim Henke, John Bond, John Spencer, Jonathan Daugherty, jrchamp, Justin Cacak, Kurt Grutzmacher, Marek Lukaszuk, Marek Majkowski, Marin Maržić, Mariusz Ziulek, Mathias Morbitzer, Michael McTernan, Michael Meyer, Michael Schierl, Michael Toecker, Michael Wallner, Michal Hlavinka, Nicolle Neulist, Niklaus Schiess, nnposter, Olli Hauer, Patrick Donnelly, Patrik Karlsson, Paul AMAR, Paul Hemberger, Paulino Calderon, Pavel Kankovsky, Peter Malecka, Petr Stodulka, Philip Pickering, Pierluigi Vittori, Pierre Lalet, Piotr Olma, Pontus Andersson, Quentin Glidic, Raphael Hoegger, Raúl Fuentes, riemann, Rob Nicholls, Robin Wood, Ron Bowes, Sean Rivera, Simon John, Soldier of Fortran, Stephen Hilt, Tilik Ammon, Tom Sellers, Tomas Hozza, Tyler Wagner, Ulrik Haugen, Vasily Kulikov, and Vlatko Kosturjak.

We would also like to thank the thousands of people who have submitted OS and service/version fingerprints, as well as everyone who has found and reported bugs or suggested features.

Special thanks go to Google, who has sponsored 73 students (total over the last 11 years) to spend a summer working on Nmap as part of Google's Summer of Code program. This summer, we had a team of five amazing students who contributed mightily to make Nmap even more powerful. We encourage you to read this year's project summary to learn more.

Download and Updates

Nmap is available for download from https://nmap.org/download.html in source and binary form. Nmap is free, open source software (license).

To learn about Nmap announcements as they happen, subscribe to nmap-announce! It is a very low volume (7 messages so far in 2015), moderated list for announcements about Nmap, Insecure.org, and related projects. You can join the 117,175 current subscribers by submitting your e-mail address below.


(or subscribe with custom options from the Nmap-announce list info page)

Nmap-announce is archived at SecLists.org and has an RSS feed. To participate in Nmap development, join the (high traffic) nmap-dev list as well.

You are also encouraged to follow @nmap on Twitter and check out our Facebook page.


Direct questions or comments to Fyodor ([email protected]). Report any bugs as described here.