Nmap 7 Released
November 19, 2015—The Nmap Project is pleased to announce the immediate, free availability of the Nmap Security Scanner version 7.00 from https://nmap.org/. It is the product of three and a half years of work, nearly 3200 code commits, and more than a dozen point releases since the big Nmap 6 release in May 2012. Nmap turned 18 years old in September this year and celebrates its birthday with 171 new NSE scripts, expanded IPv6 support, world-class SSL/TLS analysis, and more user-requested features than ever. We recommend that all current users upgrade.
Contents:
- About Nmap
- Top 7 Improvements in Nmap 7
- Press
- Screen Shots
- Detailed Improvements
- Moving Forward (Future Plans)
- Acknowledgments
- Download and updates
About Nmap
Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for network inventory, managing service upgrade schedules, monitoring host or service uptime, and many other tasks. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in nineteen movies and TV series, including The Matrix Reloaded, The Bourne Ultimatum, Girl with the Dragon Tattoo, Dredd, Elysium, and Die Hard 4. Nmap was released to the public in 1997 and has earned the trust of millions of users.
As free software, we don't have any sort of advertising budget. So please spread the word that Nmap 7 is now available!
Top 7 Improvements in Nmap 7
Before we get into the detailed changes, here are the top 7 improvements in Nmap 7:
- 1. Major Nmap Scripting Engine (NSE) Expansion
As the Nmap core has matured, more and more new functionality is developed as part of our NSE subsystem instead. In fact, we've added 171 new scripts and 20 libraries since Nmap 6. Examples include firewall-bypass, supermicro-ipmi-conf, oracle-brute-stealth, and ssl-heartbleed. And NSE is now powerful enough that scripts can take on core functions such as host discovery (dns-ip6-arpa-scan), version scanning (ike-version, snmp-info, etc.), and RPC grinding (rpc-grind). There's even a proposal to implement port scanning in NSE. [More Details]
- 2. Mature IPv6 support
IPv6 scanning improvements were a big item in the Nmap 6 release, but Nmap 7 outdoes them all with full IPv6 support for CIDR-style address ranges, Idle Scan, parallel reverse-DNS, and more NSE script coverage. [More Details]
- 3. Infrastructure Upgrades
We may be an 18-year-old project, but that doesn't mean we'll stick with old, crumbling infrastructure! The Nmap Project continues to adopt the latest technologies to enhance the development process and serve a growing user base. For example, we converted all of Nmap.Org to SSL to reduce the risk of trojan binaries and reduce snooping in general. We've also been using the Git version control system as a larger part of our workflow and have an official Github mirror of the Nmap Subversion source repository, and we encourage code submissions to be made as Github pull requests. We also created an official bug tracker, which is also hosted on Github. Tracking bugs and enhancement requests this way has already reduced the number which fall through the cracks. [More Details]
- 4. Faster Scans
Nmap has continually pushed the speed boundaries of synchronous network scanning for 18 years, and this release is no exception. New Nsock engines give a performance boost to Windows and BSD systems, target reordering prevents a nasty edge case on multihomed systems, and NSE tweaks lead to much faster -sV scans. [More Details]
- 5. SSL/TLS scanning solution of choice
Transport Layer Security (TLS) and its predecessor, SSL, are the security underpinning of the web, so when big vulnerabilities like Heartbleed, POODLE, and FREAK come calling, Nmap answers with vulnerability detection NSE scripts. The ssl-enum-ciphers script has been entirely revamped to perform fast analysis of TLS deployment problems, and version scanning probes have been tweaked to quickly detect the newest TLS handshake versions. [More Details]
- 6. Ncat Enhanced
We are excited and proud to announce that Ncat has been adopted by the Red Hat/Fedora family of distributions as the default package to provide the "netcat" and "nc" commands! This cooperation has resulted in a lot of squashed bugs and enhanced compatibility with Netcat's options. Also very exciting is the addition of an embedded Lua interpreter for creating simple, cross-platform daemons and traffic filters.
- 7. Extreme Portability
Nmap is proudly cross-platform and runs on all sorts of esoteric and archaic systems. But our binary distributions have to be kept up-to-date with the latest popular operating systems. Nmap 7 runs cleanly on Windows 10 all the way back to Windows Vista. By popular request, we even built it to run on Windows XP, though we suggest those users upgrade their systems. Mac OS X is supported from 10.8 Mountain Lion through 10.11 El Capitan. Plus, we updated support for Solaris and AIX. And Linux users—you have it easy.
Press
Please mail Fyodor if you see (or write) reviews/articles on the Nmap 7 release. Here are the ones seen so far:
Reasonably detailed (or with many comments) English articles:
- Reddit: Nmap 7 Released!
- Hacker News: Nmap 7 Release Notes
- The Register: New Wireshark, Nmap releases bring pre-Xmas cheer to infosec types
- Softpedia: After Wireshark 2.0, Nmap 7 Free Network Scanner Is Finally Here
- n0where.net: Network Exploration with Nmap: Nmap v7 Released.
- SecurityWeek: Nmap 7 Brings Faster Scans, Other Improvements
- SD Times: Nmap 7 is released
- InfoWorld: Nmap 7 brings faster scanning and improved IPv6 support
- Help Net Security: The top 7 improvements in Nmap 7
- eSecurity Planet: 5 Key New Features in Nmap Network Security Tool
Brief English mentions: Linux Weekly News (LWN), SANS Internet Storm Center (ISC).
Permission is granted for journalists (or anyone writing about this Nmap release) to use any of the text or screen shots on this page. For quotes, you can email Fyodor at fyodor@nmap.org. Leave your phone number if you want a callback.
Screen Shots
Nmap 7 provides a wealth of information about remote systems, as shown in this sample scan against a machine we maintain for scan testing purposes (scanme.nmap.org).

Here is an example using Zenmap on Windows 8.1 against a couple of production web servers (Nmap.org and Reddit).

Perhaps the most visually appealing aspect of Zenmap is its network topology mapper. Here it is being used to interactively explore the routes between a source machine and a handful of interesting web sites, using the Chinese translation.

Detailed Improvements
The Nmap Changelog describes more than 330 significant improvements since our last major release (6.00 in May 2012). Here are the highlights:
NSE Improvements
The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple Lua scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. The low learning curve and powerful networking libraries of NSE make it ideal for rapid development of security scanning and service probing scripts.
Script count has jumped from 348 to 515 scripts! That is 171 new scripts, minus four deletions. Of these, 109 will run by default when you use -sC, and another 35 will run with -sV for version detection. The list of new scripts is so long that we can't even include the summaries here, but each script is linked to its own page on the NSE Documentation Portal for full details:
ajp-auth, ajp-brute, ajp-headers, ajp-methods, ajp-request, allseeingeye-info, bacnet-info, bjnp-discover, broadcast-ataoe-discover, broadcast-bjnp-discover, broadcast-eigrp-discovery, broadcast-igmp-discovery, broadcast-pim-discovery, broadcast-sonicwall-discover, broadcast-tellstick-discover, cassandra-brute, cassandra-info, cups-info, cups-queue-info, dict-info, distcc-cve2004-2687, dns-check-zone, dns-ip6-arpa-scan, dns-nsec3-enum, docker-version, enip-info, eppc-enum-processes, fcrdns, firewall-bypass, flume-master-info, freelancer-info, gkrellm-info, gpsd-info, hnap-info, hostmap-ip2hosts, hostmap-robtex, http-adobe-coldfusion-apsa1301, http-avaya-ipoffice-users, http-cisco-anyconnect, http-coldfusion-subzero, http-comments-displayer, http-cross-domain-policy, http-csrf, http-devframework, http-dlink-backdoor, http-dombased-xss, http-drupal-enum, http-drupal-enum-users, http-errors, http-exif-spider, http-feed, http-fetch, http-fileupload-exploiter, http-form-fuzzer, http-frontpage-login, http-git, http-gitweb-projects-enum, http-huawei-hg5xx-vuln, http-icloud-findmyiphone, http-icloud-sendmsg, http-iis-short-name-brute, http-ls, http-mobileversion-checker, http-ntlm-info, http-phpmyadmin-dir-traversal, http-phpself-xss, http-referer-checker, http-rfi-spider, http-robtex-shared-ns, http-server-header, http-shellshock, http-sitemap-generator, http-slowloris-check, http-slowloris, http-stored-xss, http-svn-enum, http-svn-info, http-tplink-dir-traversal, http-traceroute, http-useragent-tester, http-virustotal, http-vlcstreamer-ls, http-vuln-cve2006-3392, http-vuln-cve2010-0738, http-vuln-cve2013-0156, http-vuln-cve2013-7091, http-vuln-cve2014-2126, http-vuln-cve2014-2127, http-vuln-cve2014-2128, http-vuln-cve2014-2129, http-vuln-cve2014-8877, http-vuln-cve2015-1427, http-vuln-cve2015-1635, http-vuln-misfortune-cookie, http-vuln-wnr1000-creds, http-waf-fingerprint, http-webdav-scan, http-wordpress-users, http-xssed, icap-info, ike-version, ip-forwarding, ip-https-discover, ipv6-ra-flood, irc-sasl-brute, isns-info, jdwp-exec, jdwp-info, jdwp-inject, knx-gateway-discover, knx-gateway-info, llmnr-resolve, mcafee-epo-agent, metasploit-info, metasploit-msgrpc-brute, mikrotik-routeros-brute, mmouse-brute, mmouse-exec, mrinfo, msrpc-enum, ms-sql-dac, mtrace, murmur-version, mysql-dump-hashes, mysql-enum, mysql-query, mysql-vuln-cve2012-2122, nje-node-brute, omron-info, oracle-brute-stealth, pcanywhere-brute, qconn-exec, quake1-info, rdp-enum-encryption, rfc868-time, rmi-vuln-classloader, rpc-grind, s7-info, sip-call-spoof, sip-methods, smb-ls, smb-print-text, smb-vuln-conficker, smb-vuln-cve2009-3103, smb-vuln-ms06-025, smb-vuln-ms07-029, smb-vuln-ms08-067, smb-vuln-ms10-054, smb-vuln-ms10-061, smb-vuln-regsvc-dos, snmp-hh3c-logins, snmp-info, ssl-ccs-injection, ssl-date, ssl-dh-params, ssl-heartbleed, ssl-poodle, sstp-discover, supermicro-ipmi-conf, targets-ipv6-map4to6, targets-ipv6-wordlist, targets-xml, teamspeak2-version, tls-nextprotoneg, tor-consensus-checker, traceroute-geolocation, unittest, ventrilo-info, weblogic-t3-info, whois-domain, xmlrpc-methods
NSE became the tool of choice for rapid vulnerability scanning with the advent of celebrity vulnerabilities in 2014. NSE scripts have you covered for Heartbleed (ssl-heartbleed), Shellshock (http-shellshock), POODLE (ssl-poodle), Misfortune Cookie (http-vuln-misfortune-cookie), LOGJAM (ssl-dh-params), Stuxnet (smb-vuln-ms10-061), and even Slowloris (http-slowloris-check). Of course if you're also worried about less-celebrated vulnerabilities, the other 41 new "vuln"-category scripts should keep you busy.
NSE joins the rest of Nmap in being able to output parseable XML. Instead of just a text blob in Nmap's XML output, scripts can now return structured information that can be quickly extracted with an XML parser. All new scripts produce structured output, most older scripts have been converted, and any script using the vulns library is automatically upgraded.
The venerable RPC grinder which used to run with -sV is now an NSE script: rpc-grind. This allowed us to cull a bunch of old C code in favor of more maintainable Lua, as well as make a noticeable improvement in scanning speed, all while using a fifth of the number of code lines.
HTTP and web scanning continued to dominate our NSE development. Over a third (57) of our new scripts were HTTP-related. Exceptionally exciting is the addition of NTLM authentication to the http library, which means http-brute can bruteforce Windows passwords, too. Script highlights include:
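To show what the structured output looks like from the consumer's side, here is an added example (not Nmap project code) that reads the nested <table>/<elem> elements Nmap 7 writes under each <script> in -oX output and turns them into Python dicts and lists. The XML it parses is a constructed sample, not a real scan; script names and values in it are illustrative only.

```python
"""Added example (not Nmap project code): read NSE structured script output
from Nmap XML (-oX) into plain Python values.

Nmap 7 writes a script's structured result as nested <table> and <elem>
elements under each <script>; the 'output' attribute still carries the text
blob. A keyed container (children with key="...") becomes a dict, an unkeyed
one becomes a list. The XML below is constructed for this example and is not
a real scan.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.00">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <script id="banner" output="SSH-2.0-OpenSSH_6.6"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <script id="ssl-date" output="2015-11-19T10:00:00+00:00; 0s from scanner time.">
          <elem key="date">2015-11-19T10:00:00+00:00</elem>
          <elem key="delta">0</elem>
        </script>
        <script id="tls-nextprotoneg" output="  http/1.1">
          <elem>http/1.1</elem>
        </script>
      </port>
    </ports>
    <hostscript>
      <script id="whois-domain" output="(text omitted)">
        <table key="registrar">
          <elem key="name">Example Registrar</elem>
          <elem key="url">https://registrar.example</elem>
        </table>
        <table key="nameservers">
          <elem>ns1.example.net</elem>
          <elem>ns2.example.net</elem>
        </table>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""


def _child_value(node):
    """Leaf <elem> -> stripped text; nested <table> -> dict or list."""
    if node.tag == "elem":
        return (node.text or "").strip()
    return _container(node)


def _container(node):
    """Convert the <elem>/<table> children of a <script> or <table>."""
    children = [c for c in node if c.tag in ("elem", "table")]
    if any(c.get("key") is not None for c in children):
        # Hash-style table. Giving positional keys to unkeyed stragglers is
        # this example's assumption; Nmap emits one style per table.
        return {c.get("key", str(i)): _child_value(c) for i, c in enumerate(children)}
    return [_child_value(c) for c in children]


def _script_value(script):
    """Structured output when present, otherwise the legacy text blob."""
    if any(c.tag in ("elem", "table") for c in script):
        return _container(script)
    return script.get("output", "")


def parse_script_results(xml_text):
    """Return {(host, portid_or_None, script_id): value} for every <script>
    in port results and in host-level <hostscript> blocks."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            portid = int(port.get("portid"))
            for script in port.findall("script"):
                results[(addr, portid, script.get("id"))] = _script_value(script)
        for hostscript in host.findall("hostscript"):
            for script in hostscript.findall("script"):
                results[(addr, None, script.get("id"))] = _script_value(script)
    return results


if __name__ == "__main__":
    for key, value in sorted(parse_script_results(SAMPLE_XML).items(), key=str):
        print(key, value)
```

Feed it the contents of a real -oX file and the same function works unchanged; scripts that still emit only text come back as the string from the output attribute, so a consumer can tell the two kinds apart by type.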
- http-slowloris exploits a resource exhaustion denial-of-service in Apache and similar webservers, based on the 6-year-old Slowloris attack script from RSnake.
- http-fetch acts a bit like a multi-target curl or wget, fetching the files you specify from every discovered webserver.
- http-server-header grabs the Server header from webservers and uses it to fill in service version information if -sV failed to find a match.
- http-webdav-scan detects WebDAV servers and grabs a directory listing.
- http-cross-domain-policy, http-csrf, http-dombased-xss, http-phpself-xss, and http-stored-xss check for various generic Web vulnerabilities. Similarly, http-errors checks for server-side bugs resulting in HTTP error codes.
Oops, there was a vulnerability in one of our NSE scripts. If you ran the (fortunately non-default) http-domino-enum-passwords script with the (fortunately also non-default) domino-enum-passwords.idpath parameter against a malicious server, it could cause an arbitrarily named file to be written to the client system. Thanks to Trustwave researcher Piotr Duszynski for discovering and reporting the problem. We've fixed that script, and also updated several other scripts to use a new stdnse.filename_escape function for extra safety. This broke our record of never having a vulnerability in the 16 years that Nmap has existed, but that's still a fairly good run!
NSE libraries allow scripts to share code. In addition to the usual set of protocol helpers, some interesting additions include the LPeg parsing expression grammar library, a "ls" library for formatting directory listings, the "slaxml" XML parser, a pure-Lua Unicode library, and a unittest library currently used by 6 other libraries. The new libraries are:
anyconnect, base32, bjnp, cassandra, eigrp, formulas, ike, isns, jdwp, lfs, lpeg, lpeg-utility, ls, ospf, rdp, re, slaxml, tls, unicode, unittest
Mature IPv6 Support
It came as no surprise when ARIN ran out of IPv4 addresses this year, and Nmap was already riding the wave to full IPv6 deployment. Nmap has supported IPv6 in some way since 2002, but improvements keep coming:
Idle scan is now supported with IPv6. IPv6 packets don't usually come with fragment identifiers like IPv4 packets do, so new techniques had to be developed to make idle scan possible. The implementation is by Mathias Morbitzer, who made it the subject of his master's thesis.
Unicast CIDR-style IPv6 range scanning is now supported, so you can specify targets such as "en.wikipedia.org/120". Obviously it will take ages if you specify a huge space. For example, a /64 contains 18,446,744,073,709,551,616 addresses.
In addition to ensuring IPv6 support in the majority of NSE scripts, Nmap 7 adds several IPv6-specific scripts for advanced host discovery and even denial-of-service:
- dns-ip6-arpa-scan performs a quick reverse-DNS lookup of an IPv6 network using a technique which analyzes DNS server response codes to dramatically reduce the number of queries needed to enumerate large networks.
- targets-ipv6-wordlist preys on the tendency of human network operators to use the enormous IPv6 address space and the hexadecimal alphabet to assign addresses that form words like "dead:beef". The wordlist is configurable, and the results are surprising!
- targets-ipv6-map4to6 similarly searches for manually configured addresses that correspond to a smaller range of IPv4 addresses that may be assigned to the same network.
- ipv6-ra-flood generates a flood of Router Advertisements (RA) with random source MAC addresses and IPv6 prefixes. Hosts with stateless address autoconfiguration enabled (the default on every major OS) compute an address for each announced prefix and update their routing tables to accept the announcement, which can drive CPU usage to 100% on Windows and other affected platforms and keep them from serving other requests.
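The response-code trick behind dns-ip6-arpa-scan is worth seeing in code. The following is an added example, not the script's own Lua: it simulates the pruning walk against a constructed reverse zone so it runs offline. A query for a partial ip6.arpa name returns NXDOMAIN when nothing exists beneath it and NOERROR (empty answer) when something does, so a depth-first walk over the remaining nibbles only descends into populated branches. The sample prefix, the three PTR names and the fake_resolver function are all constructed for the example.

```python
"""Added example (not the Lua of Nmap's dns-ip6-arpa-scan): a simulation of
the response-code pruning that script uses to enumerate the ip6.arpa zone of
an IPv6 prefix with far fewer queries than the address count.

A query for a partial reverse name (an "empty non-terminal") gets NOERROR
with an empty answer if any PTR record exists beneath it, and NXDOMAIN if
none does. Walking the remaining nibbles depth-first and dropping NXDOMAIN
branches visits only populated parts of the tree. The resolver here answers
from a constructed set of PTR names so the example runs offline; against a
live server the same names would be sent as real DNS queries.
"""
import ipaddress

PREFIX = "2001:db8::/64"            # constructed sample prefix


def reverse_name(addr):
    """Full 32-nibble ip6.arpa name for one address."""
    return ipaddress.ip_address(addr).reverse_pointer


# Constructed zone: every reverse name that has a PTR record.
ZONE = {
    reverse_name("2001:db8::1"),
    reverse_name("2001:db8::dead:beef"),
    reverse_name("2001:db8::1:0:0:cafe"),
}


def fake_resolver(name):
    """Stand-in for one DNS query. NOERROR if a record exists at or below
    `name`, NXDOMAIN otherwise (the RFC 8020 behaviour the technique relies on)."""
    below = "." + name
    if any(n == name or n.endswith(below) for n in ZONE):
        return "NOERROR"
    return "NXDOMAIN"


def enumerate_reverse(prefix, query=fake_resolver):
    """Return (sorted list of reverse names found, number of queries sent)."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or net.prefixlen % 4:
        raise ValueError("nibble-aligned IPv6 prefix required in this example")
    fixed = net.prefixlen // 4
    labels = net.network_address.reverse_pointer.split(".")   # 32 nibbles + ip6 + arpa
    base = ".".join(labels[32 - fixed:])    # keep only the prefix's own nibbles
    found, sent = [], 0

    def walk(name, depth):
        nonlocal sent
        for nibble in "0123456789abcdef":
            candidate = f"{nibble}.{name}"
            sent += 1
            if query(candidate) == "NXDOMAIN":
                continue                       # empty subtree: prune it
            if depth == 32:
                found.append(candidate)        # complete 32-nibble address
            else:
                walk(candidate, depth + 1)

    walk(base, fixed + 1)
    return sorted(found), sent


if __name__ == "__main__":
    names, sent = enumerate_reverse(PREFIX)
    print(f"{len(names)} names in {sent} queries (brute force would be 2**64)")
    for n in names:
        print(" ", n)
```

Three populated addresses in a /64 cost 560 queries here instead of 2^64, which is the whole point. The caveat a practitioner should keep in mind: the walk assumes the authoritative server answers NXDOMAIN for empty subtrees; a server that synthesizes PTR records for every address, or one that returns NOERROR for names below a non-existent node, makes every branch look populated and the pruning degenerates.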
Nmap's parallel reverse-DNS resolver now handles IPv6 addresses. GSoC 2015 student Gioacchino Mazzurco rewrote the old C-style DNS code in beautiful C++ with a test suite, then fuzzed the living daylights out of it with afl. In addition to being very safe, this should result in faster -6 scans.
IPv6 OS fingerprinting is improved, thanks to the efforts of Mathias Morbitzer and Alexandru Geana. Building on Mathias's research into new IPv6 OS fingerprinting methods, Alexandru spent the spring and summer of 2015 testing and adding features to our machine learning OS classifier. Using the guessed initial IPv6 Hop Limit (analogous to IPv4's TTL) and the ratio of TCP initial window size to Maximum Segment Size (MSS), the classifier now matches with more confidence than ever. He also completed an extension of the classifier's training process to impute missing values from dropped or filtered packets, which lets Nmap make better guesses when network conditions are poor.
Nmap's advanced traceroute is no longer limited to just using ICMP and TCP for tracing IPv6 hosts. The IPv6 --traceroute option is now equivalent to the IPv4 version and capable of using UDP, SCTP, and IPProto (Next Header) probes.
SSL/TLS scanning par excellence
SSL 3 deprecation, SHA-1 certificate deprecation, Heartbleed, CCS injection, POODLE, LOGJAM, FREAK, and RC4 deprecation—Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), have received a lot of attention in the past few years for security problems, and Nmap has emerged as the gold standard scanning tool for these issues.
One of our most popular NSE scripts is ssl-enum-ciphers, which enumerates SSL/TLS protocol versions (SSL 3 deprecation!) and ciphersuites (RC4 deprecation and weak export ciphers!). It has been enhanced beyond the old behavior of simply reporting "weak" or "strong" for each ciphersuite—it now scores each handshake using guidance from Qualys SSL Labs, taking into account server certificate strength, Diffie-Hellman parameter size, and encryption bit strength. It can safely scan the most finicky of SSL servers, working around long-handshake intolerance and fragmented TLS messages. And it can run independently of version scan, since it is now capable of detecting TLS on unusual ports on its own.
Detection of SSL and TLS by -sV has been boosted by including more popular TLS ports in the default lists and adding a new TLS-only service probe. Also, NSE scripts can now do TLS checks against LDAP, IMAP, and POP3 services which support STARTTLS (FTP, SMTP, and XMPP were already supported).
At the core of our TLS NSE scripts is the new tls library, which enables quick development of robust scripts for checking vulnerabilities (ssl-heartbleed, ssl-poodle, ssl-ccs-injection, ssl-dh-params) or reporting configurations (tls-nextprotoneg, ssl-date).
Zenmap graphical front-end and results viewer
Zenmap is our cross-platform (Linux, Windows, Mac OS X, etc.) Nmap GUI and results viewer. It aims to provide advanced features for experienced Nmap users while also making Nmap easier for beginners to use. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later, or even compared with one another to see how they differ. Our network topology viewer allows for interactive exploration of a network scanned with Nmap. Zenmap is now a mature tool, but it still got several enhancements since 6.00:
Zenmap features a full translation capability for all menus, labels, buttons, and messages. Translations are available for 11 languages, including new Italian, Japanese, Polish, Chinese, and Hindi translations. The German and French translations were also updated.
Support for large scans has drastically improved. We solved a CPU usage bug in opening large files and prevented the most common cause of out-of-memory problems by dropping the scrolling output window if it becomes a problem. Don't worry! The output is still saved to disk. Additionally, scans which have a lot of anonymous (unresponsive) traceroute hops will take up less space on the Topology page, since Zenmap will now assume hops at the same distance are the same device.
Zenmap's display can filter hosts based on OS, ports, hostnames, and other criteria. Since 6.00 we also added negative matching, so you can exclude Windows systems for example with "os:!windows".
Another sign of a maturing codebase: we've enabled unittest discovery in Zenmap, so running "make check" will run most of the existing Zenmap tests. Watch for more improvements in this area in upcoming versions!
Ncat
Ncat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat. It uses both TCP and UDP for communication and is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users. Ncat will not only work with IPv4 and IPv6 but provides the user with a virtually limitless number of potential uses.
We are excited and proud to announce that Ncat has been adopted by the Red Hat/Fedora family of distributions as the default package to provide the "netcat" and "nc" commands! This cooperation has resulted in a lot of squashed bugs and enhanced compatibility with Netcat's options.
Some of the most exciting changes in Ncat 7 are:
Ncat now features an embedded Lua interpreter! Similar to the Nmap Scripting Engine, the "--lua-exec" option makes it easy to write simple traffic filters and daemons in easy-to-learn Lua. A collection of example scripts, including a simple HTTP server, is included with the Ncat source.
Ncat now supports Unix domain sockets (named pipes) on systems where those sockets are available. This is another Netcat compatibility enhancement, and it makes testing of Unix local services possible with Ncat.
Ncat's proxy support was extended to support SOCKS5 with authentication.
More compatibility corrections resulted in correct handling of EOF on all sockets, whether running as a client or as a server. The new --no-shutdown option keeps Ncat up and receiving network input after stdin is closed, just like traditional netcat's -d option.
Infrastructure Improvements
Keeping the Nmap project vibrant and productive (for developers and users) requires constant investment in our development. Improvements to Nmap's development and support infrastructure since Nmap 6 include:
The Nmap.org web site is now 100% HTTPS. This gives our users much-needed protection when downloading Nmap source and binary releases or submitting new service and OS fingerprints. Also, the GNU Mailman subscription pages for the Nmap-Announce, Nmap-Dev, and Full Disclosure mailing lists are hosted on Nmap.org and HTTPS-protected, so your subscription settings are safe, too.
The Nmap Project has fully embraced Github Issues as its bug tracking solution. The Nmap-Dev mailing list is still going strong for discussion of Nmap development issues, but for user-submitted bug reports and enhancement requests, Github is the place to be. We also encourage code submissions to be made as Github pull requests. Even though the Github repo is still a read-only mirror of our authoritative Subversion repository, Github offers a great code review and discussion interface, as well as integrated code-quality-checking tools. As a convenience, issues.nmap.org is a redirector for issue numbers: http://issues.nmap.org/229 for example.
On the subject of code quality, Nmap now integrates with Travis CI for continuous integration testing. If the build breaks, Nmap developers are notified immediately. Code contributions made as Github pull requests are automatically checked for build breakage, too. This is made possible by a concerted effort to enable "make check" to actually check and test Nmap code. So far, "make check" runs:
- Ncat test suite
- Nsock test suite
- Zenmap auto-discovered unit tests
- NSE tests through the unittest NSE script
- Ndiff tests
- Nmap's reverse-DNS engine test suite
Nmap's changelog page is now displayed in linked and cross-referenced HTML, instead of as a simple dump of the CHANGELOG text file. URLs, issue numbers, script names, and NSE library names are all linked to the appropriate pages.
SecWiki.org continues to be used by the Nmap development team for documentation and collaboration on long-term projects. Some popular pages are Nmap Code Standards, Nmap on Android, NSE Script Ideas, and the Nmap FAQ pages.
IPv4 Operating System Detection
Thanks to fingerprint submissions from thousands of Nmap users around the world, our remote operating system detection system grew from 3572 signatures in Nmap 6 to 4985 now. These include the latest versions of Windows, Linux, and Mac OS X as well as more specialized entries such as PLCs, lightbulbs, televisions, mainframes, and much more. Some of the newest fingerprints are for Apple iOS 9, Android 5.1, OpenBSD 5.7, FreeBSD 11.0, and a ton of new WAPs, switches, printers, and other devices.
In addition to more than 1400 new fingerprints, we made several important performance improvements and bug fixes to the system. Most notably, if version detection determines a port to be "tcpwrapped," OS detection will prefer to use a different port for probing, since there's a good chance this is the result of a firewall interfering with TCP connections on that port.
Version Detection
The days when we could assume what was running on an open port based on the port number are long gone. These days, folks commonly run services on the "wrong" port numbers in order to defeat filtering policies, hide traffic, or work around various networking problems. Fortunately, Nmap's version detection system is able to interrogate the service listening on the open port and tell you the service running as well as (in many cases) the application name and version number. Nmap 6 had an impressive 8165 signatures matching 862 protocols, but Nmap 7 improves that to a whopping 10299 signatures for 1091 protocols!
Additionally, Nmap 7 has 23 more service probes to pull information from remote services and more than double the number of softmatch lines (103), which help short-circuit the probing process to send the most-likely probes for the detected service.
Performance Improvements
In Nmap's 18-year history, performance has always been a top priority. Whether scanning one target or 20 million, users want scans to run as fast as possible without sacrificing accuracy. Improvements since Nmap 6 include:
For scans of targets that use different routes or interfaces, Nmap may now partially rearrange its target list for more efficient host groups. Previously, a single target with a different interface, or with the same IP address as a target already in the group, would cause the group to be cut off at whatever size it had reached. Now, we buffer a small number of such targets, and keep looking through the input for more targets to fill out the current group.
Timeouts for many NSE scripts were reduced from tens of seconds to use a scaled timeout based on Nmap's portscan-phase timing determinations. A simple library function, stdnse.get_timeout, makes it easy for new script authors to do the same.
Version scan is quicker now because of 56 more softmatch lines that prevent Nmap from sending irrelevant probes to certain services. Also, NSE scripts in the version category now obey the version intensity setting, so using an option like --version-light will prevent nearly all of these heavy-duty version probing scripts from running (unless you choose them by name).
The old RPC Grinder, which used the original pos_scan engine from 1998, has been replaced by a much faster NSE script implementation. Scan times for version scanning (-sV) ought to improve greatly.
New poll and kqueue Nsock engines allow for increased socket performance in Nsock-based scan phases (NSE and version scanning) on Windows, OS X, and BSD-derived systems that previously had to use the old select-based engine. Linux has had an epoll engine since Nmap 6.00.
Even More Improvements
In addition to the pages of changes listed above, we made many improvements which defy simple categorization:
The oft-requested --exclude-ports option has now been implemented! Easily avoid scanning off-limits or troublesome ports, without constructing complicated port ranges to avoid them. It safely integrates with -p, -F, and --top-ports.
Nsock (and by extension Nmap's -sV and NSE) now supports connecting through chained proxies. Nmap adds the --proxies option to specify this proxy chain. While port scanning is not yet included, GSoC student and mentor Jacek Wielemborek has done groundbreaking work towards implementing TCP Connect scan in Nsock, so stay tuned!
Instead of simply appending random data to Nmap scan packets with --data-length, try sending a message with the --data-string or --data options. Safely attribute your research or taunt your foes—it's up to you.
Though in most cases ARP ping is the stealthiest, fastest, and most reliable host discovery method, you can now force the usual layer-3 discovery probes with the --disable-arp-ping option. This is useful in networks using proxy ARP, which make all addresses appear to be up using ARP scan. The previously recommended workaround for this situation, --send-ip, didn't work on Windows, which still lacks raw socket support.
For raw packet scans (i.e. not -sT), Nmap now reports the TTL of received packets in the Normal output if the --reason option is used. This was previously only available in the XML output, but it is useful for detecting interfering firewalls in some cases: a RST or ICMP error forged by an in-path device usually arrives with a different TTL than the target's own replies. Additionally, --reason is enabled at verbosity 2 and higher.
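To make the -p / --exclude-ports interaction concrete, here is an added example (not Nmap's own C code) that expands an Nmap-style port specification and subtracts an exclusion list the way the two options combine. It handles comma lists, ranges, the bare "-" meaning every port, and the T:/U: protocol prefixes; the nmap-services wildcard syntax and -F/--top-ports are left out because they depend on the services file. The specs in the usage call are made up for the example.

```python
"""Added example (not Nmap project code): expand an Nmap-style port
specification and apply an --exclude-ports list, the way the option combines
with -p. Supports comma lists, ranges, the bare '-' (all ports), and the
T:/U: protocol prefixes; the nmap-services wildcard syntax ([...]) and
-F/--top-ports are left out because they need the services file.
"""

MAX_PORT = 65535


def expand_port_spec(spec):
    """Return {'tcp': set, 'udp': set} for a spec such as 'T:22,80-90,U:53'.
    A T:/U: prefix applies until the next prefix; with no prefix the ports
    go to both protocols, matching how nmap -p treats a combined -sS -sU scan."""
    result = {"tcp": set(), "udp": set()}
    protos = ("tcp", "udp")
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item[:2] in ("T:", "U:"):
            protos = ("tcp",) if item[0] == "T" else ("udp",)
            item = item[2:]
        if item == "-":                       # every port
            lo, hi = 1, MAX_PORT
        elif "-" in item:                     # 'a-b', '-b' (from 1) or 'a-' (to 65535)
            a, b = item.split("-", 1)
            lo = int(a) if a else 1
            hi = int(b) if b else MAX_PORT
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"bad port range: {item}")
        for proto in protos:
            result[proto].update(range(lo, hi + 1))
    return result


def ports_to_scan(port_spec, exclude_spec=""):
    """Combine -p and --exclude-ports: an exclusion removes a port only for
    the protocol(s) it names, so 'U:161' leaves TCP 161 alone."""
    wanted = expand_port_spec(port_spec)
    excluded = expand_port_spec(exclude_spec) if exclude_spec else {"tcp": set(), "udp": set()}
    return {proto: wanted[proto] - excluded[proto] for proto in wanted}


if __name__ == "__main__":
    # Constructed specs: scan the low TCP range plus two UDP ports, but keep
    # off SSH, HTTP and SNMP.
    plan = ports_to_scan("T:1-1024,U:53,161", "T:22,80,U:161")
    print(len(plan["tcp"]), "tcp ports,", sorted(plan["udp"]), "udp ports")
```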
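A practical way to act on the reported TTLs is to compare them across a host's ports. The following is an added example, not Nmap project code: it reads the reason_ttl attribute from Nmap XML output, anchors on the TTL of the host's open-port SYN/ACKs (which must come from the real host), and flags closed or filtered answers that arrived with a different TTL as likely middlebox-generated. The XML is a constructed sample; on a real scan you would read the -oX file produced with --reason (which is implied at -vv).

```python
"""Added example (not Nmap project code): flag port states whose response
TTL differs from the host's own TTL, using the reason_ttl attribute Nmap
records in XML output (and now prints in normal output with --reason).

A RST or ICMP error generated by an in-path firewall typically arrives with
a different TTL than the target host's own SYN/ACKs, because it travels
fewer hops or originates on a different OS. The XML below is constructed
for this example; nmap -oX on a real target gives the genuine input.
"""
from collections import Counter
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.00">
  <host>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="52"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="52"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="52"/></port>
      <port protocol="tcp" portid="8080"><state state="closed" reason="reset" reason_ttl="52"/></port>
      <port protocol="tcp" portid="25"><state state="closed" reason="reset" reason_ttl="250"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered" reason="admin-prohibited" reason_ttl="250"/></port>
      <port protocol="tcp" portid="445"><state state="filtered" reason="no-response" reason_ttl="0"/></port>
    </ports>
  </host>
</nmaprun>
"""


def port_ttls(xml_text):
    """Yield (host, portid, state, reason, ttl) for every port that got a
    real packet back; reason_ttl 0 means nothing was received."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            st = port.find("state")
            ttl = int(st.get("reason_ttl", "0"))
            if ttl == 0:
                continue
            yield addr, int(port.get("portid")), st.get("state"), st.get("reason"), ttl


def suspicious_ports(xml_text):
    """Return {host: [(portid, state, reason, ttl), ...]} for ports whose
    response TTL differs from the TTL seen on that host's open ports.
    Open-port SYN/ACKs come from the real host, so they set the baseline;
    closed/filtered answers with another TTL were likely sent by a
    middlebox rather than the target."""
    rows = list(port_ttls(xml_text))
    flagged = {}
    for host in {r[0] for r in rows}:
        host_rows = [r for r in rows if r[0] == host]
        open_ttls = Counter(r[4] for r in host_rows if r[2] == "open")
        if not open_ttls:
            continue                      # no anchor; nothing to compare against
        baseline = open_ttls.most_common(1)[0][0]
        odd = [(p, s, why, ttl) for _, p, s, why, ttl in host_rows if ttl != baseline]
        if odd:
            flagged[host] = sorted(odd)
    return flagged


if __name__ == "__main__":
    for host, ports in suspicious_ports(SAMPLE_XML).items():
        print(host)
        for portid, state, reason, ttl in ports:
            print(f"  {portid}/tcp {state} ({reason}) ttl={ttl}: probably not from the host")
```

Treat the output as a hint rather than proof: a target with several interfaces or asymmetric routing can legitimately answer with more than one TTL, and a firewall that happens to sit the same number of hops away on the same OS family will not stand out this way.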
Fixed a bug which caused Nmap to be unable to have any runtime interaction when called from sudo or from a shell script on Linux. This was especially appreciated on Debian-based systems where Nmap is usually invoked with sudo.
The beloved Nmap ASCII Dragon configure art now shares its spot with two other ASCII art pieces. Which one you get when you run ./configure is randomly chosen. Immediately below the art is a summary of what configure options were chosen, including a warning if OpenSSL could not be found and you didn't explicitly disable it.
Nping now checks for a matching ICMP ID to avoid colliding with other running ping processes.
These are all just highlights from the full list of changes you can find in our CHANGELOG.
Moving Forward (Future Plans)
With this stable version out of the way, we are diving headfirst into the next development cycle. Many exciting features are in the queue, including:
A modern upgrade to the aging WinPcap is coming! We already have a working replacement called Npcap, developed by GSoC student Yang Luo, that is updated to use the NDIS 6 API and LWF. Cooperating with the WinPcap group, we can be sure that these improvements will be available in Nmap very soon.
Nmap on mobile devices is already a reality for Android, but we want to expand support to other mobile platforms and perhaps develop a really useful app interface, since console applications tend to be difficult to use on those tiny screens.
We are always working on improving performance, and you can expect we will deliver. Nmap's --min-rate option has the potential to scale to Internet-wide scans, and we intend to benchmark and demonstrate this ability. More large-scale scanning research should help us improve the port popularity rankings and fine-tune Nmap's internals for optimum performance.
It doesn't take a Nostradamus to predict that NSE will continue to expand at a blinding pace. We have dozens of NSE scripts waiting in the wings, and pages of ideas for new ones. Maybe your name will grace our CHANGELOG as a script author in the next release!
You can read more of our short-term and longer-term plans from our public TODO list.
For the latest Insecure.Org and Nmap announcements, join the 117,175-member Nmap-announce announcement list. Traffic rarely exceeds one message per month. Subscribe here or read the archives at SecLists.Org. To participate in Nmap development, join the (high traffic) nmap-dev list. You can also follow us on Twitter, Facebook, or Google+.
Acknowledgments
A free open source scanner as powerful as Nmap is only possible thanks to the help of hundreds of developers and other contributors. We would like to acknowledge and thank the many people who contributed ideas and/or code since Nmap 6.00. Special thanks go out to: Adam Saponara, Adam Števko, Aleksandar Nikolic, Alessandro Zanni, Alexandru Geana, Alexey Meshcheryakov, Alex Weber, Andreas Stieger, Andrew Farabee, Andrew Orr, Andrew Waters, Andrey Olkhin, Ange Gutek, Arturo Busleiman, Bill Parker, Brad Johnson, Brandon Paulsen, Brendan Coles, Chris Johnson, Chris Leick, Claudio Criscione, Claudiu Perta, Daniel Miller, Danila Poyarkov, David Fifield, David Matousek, Dhiru Kholia, Didier Stevens, Dillon Graham, Djalal Harouni, Dominik Schneider, Edward Napierała, Elon Natovich, Eric Davisson, Forrest B., Fyodor, George Chatzisofroniou, Gioacchino Mazzurco, Giovanni Bechis, Greg Bailey, Gyanendra Mishra, Hani Benhabiles, hejianet, Henri Doreau, Jacek Wielemborek, Jan Reister, Jacob Gajek, jah, Jay Bosamiya, Jesper Kückelhahn, Jiayi Ye, Joachim Henke, John Bond, John Spencer, Jonathan Daugherty, jrchamp, Justin Cacak, Kurt Grutzmacher, Marek Lukaszuk, Marek Majkowski, Marin Maržić, Mariusz Ziulek, Mathias Morbitzer, Michael McTernan, Michael Meyer, Michael Schierl, Michael Toecker, Michael Wallner, Michal Hlavinka, Nicolle Neulist, Niklaus Schiess, nnposter, Olli Hauer, Patrick Donnelly, Patrik Karlsson, Paul AMAR, Paul Hemberger, Paulino Calderon, Pavel Kankovsky, Peter Malecka, Petr Stodulka, Philip Pickering, Pierluigi Vittori, Pierre Lalet, Piotr Olma, Pontus Andersson, Quentin Glidic, Raphael Hoegger, Raúl Fuentes, riemann, Rob Nicholls, Robin Wood, Ron Bowes, Sean Rivera, Simon John, Soldier of Fortran, Stephen Hilt, Tilik Ammon, Tom Sellers, Tomas Hozza, Tyler Wagner, Ulrik Haugen, Vasily Kulikov, and Vlatko Kosturjak.
We would also like to thank the thousands of people who have submitted OS and service/version fingerprints, as well as everyone who has found and reported bugs or suggested features.
Special thanks go to Google, who has sponsored 73 students (total over the last 11 years) to spend a summer working on Nmap as part of Google's Summer of Code program. This summer, we had a team of five amazing students who contributed mightily to make Nmap even more powerful. We encourage you to read this year's project summary to learn more.
Download and Updates
Nmap is available for download from https://nmap.org/download.html in source and binary form. Nmap is free, open source software (license).
To learn about Nmap announcements as they happen, subscribe to nmap-announce! It is a very low volume (7 messages so far in 2015), moderated list for announcements about Nmap, Insecure.org, and related projects. You can join the 117,175 current subscribers by submitting your e-mail address on the list's subscription page.
Nmap-announce is archived at SecLists.org and has an RSS feed. To participate in Nmap development, join the (high traffic) nmap-dev list as well.
You are also encouraged to follow @nmap on Twitter and check out our Facebook page.
Direct questions or comments to Fyodor (fyodor@nmap.org). Report any bugs as described here.