Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.
- [NSE] Added the script http-traceroute, which exploits the Max-Forwards HTTP header to detect reverse proxies.
- Added the script distcc-CVE-2004-2687 that checks and exploits a remote command execution vulnerability in distcc.
- Added two new scripts mysql-query and mysql-dump-hashes, which add support for performing custom MySQL queries and dump MySQL password hashes.
- Improved the mysql library to handle multiple columns with the same name, added a formatResultset function to format a query response to a table suitable for script output.
- The message "nexthost: failed to determine route to ..." is now a warning rather than a fatal error. Addresses that are skipped in this way are recorded in the XML output as elements.
- [NSE] Added the script http-drupal-modules, which enumerates the installed Drupal modules using drupal-modules.lst.
- [NSE] Added http-vuln-cve2012-1823.nse, which checks for PHP CGI installations with a remote code execution vulnerability.
- [NSE] Added the script dict-info, which retrieves information from a DICT server, by issuing the SHOW SERVER command.
- [NSE] Added the script gkrellm-info, which displays information retrieved from the GKRellm monitoring service.
- [NSE] Added the script ajp-request, which adds support for creating custom Apache JServer Protocol requests.
- [NSE] Added the script ajp-brute, which enables password brute force auditing against the Apache JServ Protocol service.
- [NSE] Added the script broadcast-tellstick-discover, which discovers Telldus Technologies TellStickNet devices on the LAN.
- [NSE] Added the Apache JServer Protocol (AJP) library and the scripts ajp-methods, ajp-headers and ajp-auth.
- In XML output, elements are now child elements of the they belong to. Old output was thus:
New output is:
The option --deprecated-xml-osclass restores the old output, in case you use an Nmap XML parser that doesn't understand the new structure. The xmloutputversion has been increased to 1.04.
- Added a new element to XML output that indicates when a target specification was ignored, perhaps because of a syntax error or DNS failure. It looks like this:
- Nmap's development pace has increased because Google (again) sponsored 5 full-time college and graduate student programmer interns this summer as part of their Summer of Code program!
- [NSE] Added the script mmouse-exec that connects to a Mobile Mouse server, starts an application, and sends a sequence of keystrokes to it.
- [NSE] Added the script mmouse-brute that performs brute force password auditing against the Mobile Mouse service.
- [NSE] Added the script cups-queue-info that lists the contents of a remote CUPS printer queue.
- [NSE] Added the script ip-forwarding that detects devices that have IP forwarding enabled (acting as routers).
- [NSE] Added the script samba-vuln-cve-2012-1182 which detects the SAMBA CVE 2012-1182 vulnerability.
- [NSE] Added the script dns-check-zone that checks DNS configuration against best practices including RFC 1912.
- [NSE] Added the http-gitweb-projects-enum that queries a gitweb for a list of Git projects, their authors and descriptions.
- [NSE] targets-sniffer now is capable of sniffing IPv6 addresses.
- [NSE] Added the script traceroute-geolocation that queries geographic locations of each traceroute hop and allows to export the results to KLM, allowing the hops to be plotted on a map.
- [NSE] Added the ipp library and the script cups-info that lists available printers by querying the cups network daemon.
- [NSE] Added the mobilme library and the scripts http-icloud-findmyiphone and http-icloud-sendmsg, that finds the location of iOS devices and provides functionality to send them messages.
- [NSE] Added gps library and the gpsd-info script that collects GPS data from the gpsd daemon.
- [NSE] Ported the pop3-brute script to use the brute library.
- Fixed a compilation problem on Solaris 9 caused by a missing definition of IPV6_V6ONLY.
- Upgraded included libpcap to version 1.2.1.
- [NSE] Added hostmap-robtex.nse by Arturo Busleiman, which finds other domain names sharing the IP address of the target.
- [NSE] Renamed hostmap.nse to hostmap-bfk.nse.
- [NSE] Added http-robtex-shared-ns by Arturo Busleiman, finding domain names that share the same name server as the target.
- [NSE] Added the script http-vlcstreamer-ls which queries the VLC Streamer helper service for a list of files in a given directory.
- [NSE] Added the script targets-ipv6-mld that sends a malformed ICMP6 MLD Query to discover IPv6 enabled hosts on the LAN.
- [NSE] Added script http-virustotal that allows checking files, or hashes of previously scanned files, against the major antivirus engines.
- Setting --min-parallelism by itself no longer forces the maximum parallelism to the same value.
- [NSE] Added an error message indicating script failure, when Nmap is being run in non verbose/debug mode.
- Service-scan information is now included in XML and grepable output even if -sV wasn't used. This information can be set by scripts in the absence of -sV.
- [NSE] Added the script dns-ip6-arpa-scan which uses a very efficient technique to scan the ip6.arpa zone for PTR records.
- Changed XML output to show the "service" element whenever a tunnel is discovered for a port, even if the service behind it was unknown.
- [Zenmap] Fixed a crash that would happen in the profile editor when the script.db file doesn't exist.
- [Zenmap] It is now possible to compare scans having the same name or command line.
- [NSE] Added rdp-vuln-ms12-020.nse by Aleksandar Nikolic. This tests for two Remote Desktop vulnerabilities, including one allowing remote code execution, that were fixed in the MS12-020 advisory.
- Fixed an error that could occur with ICMPv6 probes and -d4 debugging: "Unexpected probespec2ascii type encountered"
- Fixed the routing table loop on OS X so that on-link routes appear. Previously, they were ignored so that things like ARP scan didn't work.
- [NSE] Added new script http-chrono, which measures min, max and average response times of web servers.
- Applied a workaround to make pcap captures work better on Solaris 10. This involves peeking at the pcap buffer to ensure that captures are not being lost. A symptom of behavior before this fix was that, when doing ARP host discovery against two targets, only one would be reported up.
- Added ciphers from RFC 5932 and Fortezza-based ciphers to ssl-enum-ciphers.nse.
- [NSE] Added new script http-drupal-users-enum, which enumerates all available Drupal user accounts by exploiting a vulnerability in the Views module.
- [NSE] Added new script broadcast-ataoe-discover, which discovers ATA over Ethernet capable devices through LAN ethernet broadcasts.
- Fixed a bug that could cause Nsock timers to fire too early. This could happen for the timed probes in IPv6 OS detection, causing an incorrect measurement of the TCP_ISR feature.
- [NSE] Added a stun library and the scripts stun-version and stun-info, which extract version information and the external NAT:ed address.
- [NSE] Added the script duplicates which attempts to determine duplicate hosts by analyzing information collected by other scripts.
- Changed the way timeout calculations are made in the IPv6 OS engine. In rare cases a certain interleaving of probes and responses would result in an assertion failure.