Skip to content
Branch: master
Find file Copy path
Find file Copy path
6 contributors

Users who have contributed to this file

@bonsaiviking @vinamrabhatia @wongwaituck @rewanth1997 @G10h4ck @tremblerz
16086 lines (12412 sloc) 722 KB
#Nmap Changelog ($Id$); -*-text-*-
o [NSE][GH#1608] Script http-fileupload-exploiter failed to locate its resource
file unless executed from a specific working directory. [nnposter]
o [NSE][GH#1571] The HTTP library now provides transparent support for gzip-
encoded response body. (See for an
overview.) [nnposter]
o [NSE][GH#1571] The HTTP library is now enforcing a size limit on the received
response body. The default limit can be adjusted with a script argument,
which applies to all scripts, and can be overridden case-by-case with an HTTP
request option. (See for details.)
o [Nsock][Ncat][GH#1075] Add AF_VSOCK (Linux VM sockets) functionality to Nsock
and Ncat. VM sockets are used for communication between virtual machines and
the hypervisor. [Stefan Hajnoczi]
o [NSE][GH#1467] Avoid clobbering the "severity" and "ignore_404" values of
fingerprints in http-enum. None of the standard fingerprints uses these
fields. [Kostas Milonas]
o [NSE][GH#1077] Fix a crash caused by a double-free of libssh2 session data
when running SSH NSE scripts against non-SSH services. [Seth Randall]
o [NSE][GH#1565] Updates the execution rule of the mongodb scripts to be able
to run on alternate ports. [Paulino Calderon]
o [Ncat][GH#1560] Allow Ncat to connect to servers on port 0, provided that the
socket implementation allows this. [Daniel Miller]
o Update the included libpcap to 1.9.0. [Daniel Miller]
o [NSE][GH#1544] Fix a logic error that resulted in scripts not honoring the
smbdomain script-arg when the target provided a domain in the NTLM challenge.
[Daniel Miller]
o [Nsock][GH#1543] Avoid a crash (Protocol not supported) caused by trying to
reconnect with SSLv2 when an error occurs during DTLS connect. [Daniel Miller]
o [NSE][GH#1016][GH#1082] New script http-hp-ilo-info to extract information
from HP Integrated Lights-Out (iLO) servers. [rajeevrmenon97]
o [NSE][GH#1534] Removed OSVDB references from scripts and replaced them with
BID references where possible. [nnposter]
o [NSE][GH#1504] New script lu-enum.nse attempts to enumerate Logical Units
(LU) of TN3270E servers. [Soldier of Fortran]
o [NSE][GH#1504] Updates TN3270.lua and adds argument to disable TN3270E
[Soldier of Fortran]
o [GH#1504] RMI parser could crash when encountering invalid input
[Clément Notin]
o [GH#863] Avoid reporting negative latencies due to matching an ARP or ND
response to a probe sent after it was recieved. [Daniel Miller]
o [ncat][GH#1441] To avoid confusion and to support default proxy ports,
option --proxy now requires a literal IPv6 address to be specified using
square-bracket notation, such as --proxy [2001:db8::123]:456. [nnposter]
o [ncat][GH#1214][GH#1230][GH#1439] New ncat option provides control over
whether proxy destinations are resolved by the remote proxy server or
locally, by Ncat itself. See option --proxy-dns. [nnposter]
o [NSE][GH#1478] Updated script ftp-syst to prevent potential endless looping.
o [NSE][GH#1457] New script, ubiquiti-discovery, which extracts information from
the Ubiquiti Discovery service and assists version detection. [Tom Sellers]
o [GH#1454] New service probes and match lines for v1 and v2 of the Ubiquiti
Discovery protocol. Devices often leave the related service open and it
exposes significant amounts of information as well as the risk of being used
as part of a DDoS. New nmap-payload entry for v1 of the protocol. [Tom Sellers]
o [NSE] Removes hostmap-ip2hosts.nse as the API has been broken for a while
and the service will be completely shutdown on Feb 17th. [Paulino Calderon]
o [NSE][GH#1318] Adds TN3270E support and additional improvements to tn3270.lua
and updates tn3270-screen.nse to display the new setting. [mainframed]
o [NSE][GH#1346] Updates product codes and adds a check for response length in
enip-info.nse. The script now uses string.unpack. [NothinRandom]
o [Ncat][GH#1310][GH#1409] Temporary RSA keys are now 2048-bit to resolve
a compatibility issue with OpenSSL library configured with security level 2,
as seen on current Debian or Kali.
[Adrian Vollmer, nnposter]
o [NSE][GH#1227] Fix a crash (double-free) when using SSH scripts against
non-SSH services. [Daniel Miller]
o [Zenmap] Fix a crash when Nmap executable cannot be found and the system PATH
contains non-UTF-8 bytes, such as on Windows. [Daniel Miller]
o [Zenmap] Fix a crash in results search when using the dir: operator:
AttributeError: 'SearchDB' object has no attribute 'match_dir'
[Daniel Miller]
o [Ncat][GH#1372] Fixed an issue with Ncat -e on Windows that caused early
termination of connections. [Alberto Garcia Illera]
o [GH#1361] Deprecate and disable the -PR (ARP ping) host discovery option. ARP
ping is already used whenever possible, and the -PR option would not force it
to be used in any other case. [Daniel Miller]
o [NSE][GH#1243] Added http-sap-netweaver-leak to detect SAP Netweaver Portal
with the Knowledge Management Unit enabled with anonymous access. [ArphanetX]
o [NSE] Collected utility functions for string processing into a new library,
stringaux.lua. [Daniel Miller]
o [NSE][GH#1359] Fix a false-positive in http-phpmyadmin-dir-traversal when the
server responds with 200 status to a POST request to any URI. [Francesco Soncina]
o [NSE] New vulnerability state in vulns.lua, UNKNOWN, is used to indicate that
testing could not rule out vulnerability. [Daniel Miller]
o [NSE] New rand.lua library uses the best sources of random available on the
system to generate random strings. [Daniel Miller]
o [NSE] Collected utility functions for manipulating and searching tables into
a new library, tableaux.lua. [Daniel Miller]
o [GH#1355] When searching for Lua header files, actually use them where they
are found instead of forcing /usr/include. [Fabrice Fontaine, Daniel Miller]
o [NSE][GH#1331] Script traceroute-geolocation no longer crashes when returns null coordinates [Michal Kubenka, nnposter]
o Limit verbose -v and debugging -d levels to a maximum of 10. Nmap does not
use higher levels internally. [Daniel Miller]
o [NSE] bin.lua is officially deprecated. Lua 5.3, added 2 years ago in Nmap
7.25BETA2, has native support for binary data packing via string.pack and
string.unpack. All existing scripts and libraries have been updated.
[Daniel Miller]
o [NSE] tls.lua when creating a client_hello message will now only use a SSLv3
record layer if the protocol version is SSLv3. Some TLS implementations will
not handshake with a client offering less than TLSv1.0. Scripts will have to
manually fall back to SSLv3 to talk to SSLv3-only servers. [Daniel Miller]
o [NSE][GH#1322] Fix a few false-positive conditions in ssl-ccs-injection. TLS
implementations that responded with fatal alerts other than "unexpected
message" had been falsely marked as vulnerable. [Daniel Miller]
o Emergency fix to Nmap's birthday announcement so Nmap wishes itself
a "Happy 21st Birthday" rather than "Happy 21th" in verbose mode
(-v) on September 1, 2018. [Daniel Miller]
o [NSE] New knx.lua library holds common functions and definitions for
communicating with KNX/Konnex devices. [Daniel Miller]
o [NSE] Completely removed the bit.lua NSE library. All of its functions are
replaced by native Lua bitwise operations, except for `arshift` (arithmetic
shift) which has been moved to the bits.lua library. [Daniel Miller]
o [GH#1291][GH#34][GH#1339] Use pcap_create instead of pcap_live_open in Nmap,
and set immediate mode on the pcap descriptor. This solves packet loss
problems on Linux and may improve performance on other platforms.
[Daniel Cater, Mike Pontillo, Daniel Miller]
o [GH#1150] Start host timeout clocks when the first probe is sent to a host,
not when the hostgroup is started. Sometimes a host doesn't get probes until
late in the hostgroup, increasing the chance it will time out. [jsiembida]
o [GH#1147][GH#1108] Reduced LibPCRE resource limits so that version detection
can't use as much of the stack. Previously Nmap could crash when run on
low-memory systems against target services which are intentionally or
accidentally difficult to match. Someone assigned CVE-2018-15173 for this
issue. [Daniel Miller]
o [NSE] Support for edns-client-subnet (ECS) in dns.lua has been improved by:
- [GH#1271] Using ECS code compliant with RFC 7871 [John Bond]
- Properly trimming ECS address, as mandated by RFC 7871 [nnposter]
- Fixing a bug that prevented using the same ECS option table more than
once [nnposter]
o [Ncat][GH#1267] Fixed communication with commands launched with -e or -c on
Windows, especially when --ssl is used. [Daniel Miller]
o Upgraded included libpcap to 1.8.1 [Daniel Miller]
o [NSE] Script http-default-accounts can now select more than one fingerprint
category. It now also possible to select fingerprints by name to support very
specific scanning. [nnposter]
o [NSE] Script http-default-accounts was not able to run against more than one
target host/port. [nnposter]
o [NSE][GH#1251] New script-arg `` allows users to force a particular
value for the Host header in all HTTP requests.
o [NSE][GH#1258] Use smtp.domain script arg or target's domain name instead of
"" in EHLO command used for STARTTLS. [gwire]
o [NSE][GH#1233] Fix brute.lua's BruteSocket wrapper, which was crashing Nmap
with an assertion failure due to socket mixup [Daniel Miller]:
nmap: int receive_buf(lua_State*, int, lua_KContext): Assertion `lua_gettop(L) == 7' failed.
o [NSE][GH#1254] Handle an error condition in smb-vuln-ms17-010 caused by IPS
closing the connection. [Clément Notin]
o [NSE] https-redirect detects HTTP servers that redirect to the same port, but
with HTTPS. Some nginx servers do this, which made ssl-* scripts not run
properly. [Daniel Miller]
o [NSE][GH#1236] Added broadcast-jenkins-discover to discover Jenkins servers
on a LAN by sending a discovery broadcast probe. [Brendan Coles]
o [NSE][GH#1232] Added broadcast-hid-discoveryd to discover HID devices
on a LAN by sending a discoveryd network broadcast probe. [Brendan Coles]
o New service probe and match lines for adb, the Android Debug Bridge, which
allows remote code execution and is left enabled by default on many devices.
[Daniel Miller]
o [Ncat][GH#1237] Fixed literal IPv6 URL format for connecting through
HTTP proxies. [Phil Dibowitz]
o [NSE][GH#1212] Updates vendors from ODVA list for enip-info. [NothinRandom]
o [NSE][GH#1191] Add two common error strings that improve MySQL detection
by the script http-sql-injection. [Robert Taylor, Paulino Calderon]
o [NSE][GH#1220] Fix bug in http-vuln-cve2006-3392 that prevented the script to
generate the vulnerability report correctly. [rewardone]
o [NSE][GH#1218] Fix bug related to screen rendering in NSE library tn3270. This
patch also improves the brute force script tso-brute. [mainframed]
o [NSE][GH#1209] Fix SIP, SASL, and HTTP Digest authentication when
the algorithm contains lowercase characters. [Jeswin Mathai]
o [GH#1204] Nmap could be fooled into ignoring TCP response packets if they
used an unknown TCP Option, which would misalign the validation, causing it
to fail. [Clément Notin, Daniel Miller]
o [NSE]The HTTP response parser now tolerates status lines without a reason
phrase, which improves compatibility with some HTTP servers. [nnposter]
o [NSE][GH#1169][GH#1170][GH#1171]][GH#1198] Parser for HTTP Set-Cookie header
is now more compliant with RFC 6265:
- empty attributes are tolerated
- double quotes in cookie and/or attribute values are treated literally
- attributes with empty values and value-less attributes are parsed equally
- attributes named "name" or "value" are ignored
o [NSE][GH#1158] Fix parsing http-grep.match script-arg. [Hans van den Bogert]
o [Zenmap][GH#1177] Avoid a crash when recent_scans.txt cannot be written to.
[Daniel Miller]
o Fixed --resume when the path to Nmap contains spaces. Reported on Windows by
Adriel Desautels. [Daniel Miller]
Nmap 7.70 [2018-03-20]
o [Windows] We made a ton of improvements to our Npcap Windows packet
capturing library ( for greater performance and
stability, as well as smoother installer and better 802.11 raw frame
capturing support. Nmap 7.70 updates the bundled Npcap from version 0.93 to
0.99-r2, including all these changes from the last seven Npcap releases:
o Integrated all of your service/version detection fingerprints submitted from
March 2017 to August 2017 (728 of them). The signature count went up 1.02%
to 11,672, including 26 new softmatches. We now detect 1224 protocols from
filenet-pch, lscp, and netassistant to sharp-remote, urbackup, and
watchguard. We will try to integrate the remaining submissions in the next
o Integrated all of your IPv4 OS fingerprint submissions from September 2016
to August 2017 (667 of them). Added 298 fingerprints, bringing the new total
to 5,652. Additions include iOS 11, macOS Sierra, Linux 4.14, Android 7, and
o Integrated all 33 of your IPv6 OS fingerprint submissions from September
2016 to August 2017. New groups for OpenBSD 6.0 and FreeBSD 11.0 were added,
as well as strengthened groups for Linux and OS X.
o Added the --resolve-all option to resolve and scan all IP addresses of a
host. This essentially replaces the resolveall NSE script. [Daniel Miller]
o [NSE][SECURITY] Nmap developer nnposter found a security flaw (directory
traversal vulnerability) in the way the non-default http-fetch script
sanitized URLs. If a user manualy ran this NSE script against a malicious
web server, the server could potentially (depending on NSE arguments used)
cause files to be saved outside the intended destination directory. Existing
files couldn't be overwritten. We fixed http-fetch, audited our other
scripts to ensure they didn't make this mistake, and updated the httpspider
library API to protect against this by default. [nnposter, Daniel Miller]
o [NSE] Added 9 NSE scripts, from 8 authors, bringing the total up to 588!
They are all listed at, and the summaries are
+ deluge-rpc-brute performs brute-force credential testing against Deluge
BitTorrent RPC services, using the new zlib library. [Claudiu Perta]
+ hostmap-crtsh lists subdomains by querying Google's Certificate
Transparency logs. [Paulino Calderon]
+ [GH#892] http-bigip-cookie decodes unencrypted F5 BIG-IP cookies and
reports back the IP address and port of the actual server behind the
load-balancer. [Seth Jackson]
+ http-jsonp-detection Attempts to discover JSONP endpoints in web servers.
JSONP endpoints can be used to bypass Same-origin Policy restrictions in
web browsers. [Vinamra Bhatia]
+ http-trane-info obtains information from Trane Tracer SC controllers and
connected HVAC devices. [Pedro Joaquin]
+ [GH#609] nbd-info uses the new nbd.lua library to query Network Block
Devices for protocol and file export information. [Mak Kolybabi]
+ rsa-vuln-roca checks for RSA keys generated by Infineon TPMs
vulnerable to Return Of Coppersmith Attack (ROCA) (CVE-2017-15361). Checks
SSH and TLS services. [Daniel Miller]
+ [GH#987] smb-enum-services retrieves the list of services running on a
remote Windows machine. Modern Windows systems requires a privileged domain
account in order to list the services. [Rewanth Cool]
+ tls-alpn checks TLS servers for Application Layer Protocol Negotiation
(ALPN) support and reports supported protocols. ALPN largely replaces NPN,
which tls-nextprotoneg was written for. [Daniel Miller]
o [GH#978] Fixed Nsock on Windows giving errors when selecting on STDIN. This
was causing Ncat 7.60 in connect mode to quit with error: libnsock
select_loop(): nsock_loop error 10038: An operation was attempted on
something that is not a socket. [nnposter]
o [Ncat][GH#197][GH#1049] Fix --ssl connections from dropping on
renegotiation, the same issue that was partially fixed for server mode in
[GH#773]. Reported on Windows with -e by pkreuzt and vinod272. [Daniel
o [NSE][GH#1062][GH#1149] Some changes to brute.lua to better handle
misbehaving or rate-limiting services. Most significantly,
brute.killstagnated now defaults to true. Thanks to xp3s and Adamtimtim for
reporing infinite loops and proposing changes.
o [NSE] VNC scripts now support Apple Remote Desktop authentication (auth type
30) [Daniel Miller]
o [NSE][GH#1111] Fix a script crash in ftp.lua when PASV connection timed out.
[Aniket Pandey]
o [NSE][GH#1114] Update bitcoin-getaddr to receive more than one response
message, since the first message usually only has one address in it. [h43z]
o [Ncat][GH#1139] Ncat now selects the correct default port for a given proxy
type. [Pavel Zhukov]
o [NSE] memcached-info can now gather information from the UDP memcached
service in addition to the TCP service. The UDP service is frequently used as
a DDoS reflector and amplifier. [Daniel Miller]
o [NSE][GH#1129] Changed url.absolute() behavior with respect to dot and
dot-dot path segments to comply with RFC 3986, section 5.2. [nnposter]
o Removed deprecated and undocumented aliases for several long options that
used underscores instead of hyphens, such as --max_retries. [Daniel Miller]
o Improved service scan's treatment of soft matches in two ways. First of all,
any probes that could result in a full match with the soft matched service
will now be sent, regardless of rarity. This improves the chances of
matching unusual services on non-standard ports. Second, probes are now
skipped if they don't contain any signatures for the soft matched service.
Previously the probes would still be run as long as the target port number
matched the probe's specification. Together, these changes should make
service/version detection faster and more accurate. For more details on how
it works, see [Daniel Miller]
o --version-all now turns off the soft match optimization, ensuring that all
probes really are sent, even if there aren't any existing match lines for
the softmatched service. This is slower, but gives the most comprehensive
results and produces better fingerprints for submission. [Daniel Miller]
o [NSE][GH#1083] New set of Telnet softmatches for version detection based on
Telnet DO/DON'T options offered, covering a wide variety of devices and
operating systems. [D Roberson]
o [GH#1112] Resolved crash opportunities caused by unexpected libpcap version
string format. [Gisle Vanem, nnposter]
o [NSE][GH#1090] Fix false positives in rexec-brute by checking responses for
indications of login failure. [Daniel Miller]
o [NSE][GH#1099] Fix http-fetch to keep downloaded files in separate
destination directories. [Aniket Pandey]
o [NSE] Added new fingerprints to http-default-accounts:
- Hikvision DS-XXX Network Camera and NUOO DVR [Paulino Calderon]
- [GH#1074] ActiveMQ, Purestorage, and Axis Network Cameras [Rob Fitzpatrick, Paulino Calderon]
o Added a new service detection match for WatchGuard Authentication Gateway.
[Paulino Calderon]
o [NSE][GH#1038][GH#1037] Script qscan was not observing interpacket delays
(parameter qscan.delay). [nnposter]
o [NSE][GH#1046] Script http-headers now fails properly if the target does not
return a valid HTTP response. [spacewander]
o [Ncat][Nsock][GH#972] Remove RC4 from the list of TLS ciphers used by
default, in accordance with RFC 7465. [Codarren Velvindron]
o [NSE][GH#1022] Fix a false positive condition in ipmi-cipher-zero caused by
not checking the error code in responses. Implementations which return an
error are not vulnerable. [Juho Jokelainen]
o [NSE][GH#958] Two new libraries for NSE.
- idna - Support for internationalized domain names in applications (IDNA)
- punycode (a transfer encoding syntax used in IDNA)
[Rewanth Cool]
o [NSE] New fingerprints for http-enum:
- [GH#954] Telerik UI CVE-2017-9248 [Harrison Neal]
- [GH#767] Many WordPress version detections [Rewanth Cool]
o [GH#981][GH#984][GH#996][GH#975] Fixed Ncat proxy authentication issues:
- Usernames and/or passwords could not be empty
- Passwords could not contain colons
- SOCKS5 authentication was not properly documented
- SOCKS5 authentication had a memory leak
o [GH#1009][GH#1013] Fixes to autoconf header files to allow autoreconf to be
run. [Lukas Schwaighofer]
o [GH#977] Improved DNS service version detection coverage and consistency
by using data from a Project Sonar Internet wide survey. Numerouse false
positives were removed and reliable softmatches added. Match lines for
version.bind responses were also conslidated using the technique below.
[Tom Sellers]
o [GH#977] Changed version probe fallbacks so as to work cross protocol
(TCP/UDP). This enables consolidating match lines for services where the
responses on TCP and UDP are similar. [Tom Sellers]
o [NSE][GH#532] Added the zlib library for NSE so scripts can easily
handle compression. This work started during GSOC 2014, so we're
particularly pleased to finally integrate it! [Claudiu Perta, Daniel
o [NSE][GH#1004] Fixed handling of brute.retries variable. It was being treated
as the number of tries, not retries, and a value of 0 would result in
infinite retries. Instead, it is now the number of retries, defaulting to 2
(3 total tries), with no option for infinite retries.
o [NSE] http-devframework-fingerprints.lua supports Jenkins server detection
and returns extra information when Jenkins is detected [Vinamra Bhatia]
o [GH#926] The rarity level of MS SQL's service detection probe was decreased.
Now we can find MS SQL in odd ports without increasing version intensity.
[Paulino Calderon]
o [GH#957] Fix reporting of zlib and libssh2 versions in "nmap --version". We
were always reporting the version number of the included source, even when a
different version was actually linked. [Pavel Zhukov]
o Add a new helper function for nmap-service-probes match lines: $I(1,">") will
unpack an unsigned big-endian integer value up to 8 bytes wide from capture
1. The second option can be "<" for little-endian. [Daniel Miller]
Nmap 7.60 [2017-07-31]
o [Windows] Updated the bundled Npcap from 0.91 to 0.93, fixing several issues
with installation and compatibility with the Windows 10 Creators Update.
o [NSE][GH#910] NSE scripts now have complete SSH support via libssh2,
including password brute-forcing and running remote commands, thanks to the
combined efforts of three Summer of Code students: [Devin Bjelland, Sergey
Khegay, Evangelos Deirmentzoglou]
o [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 579!
They are all listed at, and the summaries are below:
+ ftp-syst sends SYST and STAT commands to FTP servers to get system version
and connection information. [Daniel Miller]
+ [GH#916] http-vuln-cve2017-8917 checks for an SQL injection vulnerability affecting
Joomla! 3.7.x before 3.7.1. [Wong Wai Tuck]
+ iec-identify probes for the IEC 60870-5-104 SCADA protocol. [Aleksandr
Timorin, Daniel Miller]
+ [GH#915] openwebnet-discovery retrieves device identifying information and
number of connected devices running on openwebnet protocol. [Rewanth Cool]
+ puppet-naivesigning checks for a misconfiguration in the Puppet CA where
naive signing is enabled, allowing for any CSR to be automatically signed.
[Wong Wai Tuck]
+ [GH#943] smb-protocols discovers if a server supports dialects NT LM 0.12
(SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old
smbv2-enabled script. [Paulino Calderon]
+ [GH#943] smb2-capabilities lists the supported capabilities of SMB2/SMB3
servers. [Paulino Calderon]
+ [GH#943] smb2-time determines the current date and boot date of SMB2
servers. [Paulino Calderon]
+ [GH#943] smb2-security-mode determines the message signing configuration of
SMB2/SMB3 servers. [Paulino Calderon]
+ [GH#943] smb2-vuln-uptime attempts to discover missing critical patches in
Microsoft Windows systems based on the SMB2 server uptime. [Paulino Calderon]
+ ssh-auth-methods lists the authentication methods offered by an SSH server.
[Devin Bjelland]
+ ssh-brute performs brute-forcing of SSH password credentials. [Devin Bjelland]
+ ssh-publickey-acceptance checks public or private keys to see if they could
be used to log in to a target. A list of known-compromised key pairs is
included and checked by default. [Devin Bjelland]
+ ssh-run uses user-provided credentials to run commands on targets via SSH.
[Devin Bjelland]
o [NSE] Removed smbv2-enabled, which was incompatible with the new SMBv2/3
improvements. It was fully replaced by the smb-protocols script.
o [Ncat][GH#446] Added Datagram TLS (DTLS) support to Ncat in connect (client)
mode with --udp --ssl. Also added Application Layer Protocol Negotiation
(ALPN) support with the --ssl-alpn option. [Denis Andzakovic, Daniel Miller]
o Updated the default ciphers list for Ncat and the secure ciphers list for
Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH
ciphersuites, anonymous ECDH suites were being allowed. [Daniel Miller]
o [NSE][GH#930] Fix ndmp-version and ndmp-fs-info when scanning Veritas Backup
Exec Agent 15 or 16. [Andrew Orr]
o [NSE][GH#943] Added new SMB2/3 library and related scripts. [Paulino Calderon]
o [NSE][GH#950] Added wildcard detection to dns-brute. Only hostnames that
resolve to unique addresses will be listed. [Aaron Heesakkers]
o [NSE] FTP scripts like ftp-anon and ftp-brute now correctly handle
TLS-protected FTP services and use STARTTLS when necessary. [Daniel Miller]
o [NSE][GH#936] Function url.escape no longer encodes so-called "unreserved"
characters, including hyphen, period, underscore, and tilde, as per RFC 3986.
o [NSE][GH#935] Function http.pipeline_go no longer assumes that persistent
connections are supported on HTTP 1.0 target (unless the target explicitly
declares otherwise), as per RFC 7230. [nnposter]
o [NSE][GH#934] The HTTP response object has a new member, version, which
contains the HTTP protocol version string returned by the server, e.g. "1.0".
o [NSE][GH#938] Fix handling of the objectSID Active Directory attribute
by ldap.lua. [Tom Sellers]
o [NSE] Fix line endings in the list of Oracle SIDs used by oracle-sid-brute.
Carriage Return characters were being sent in the connection packets, likely
resulting in failure of the script. [Anant Shrivastava]
o [NSE][GH#141] http-useragent-checker now checks for changes in HTTP status
(usually 403 Forbidden) in addition to redirects to indicate forbidden User
Agents. [Gyanendra Mishra]
Nmap 7.50 [2017-06-13]
o [Windows] Updated the bundled Npcap from 0.78 to 0.91, with several bugfixes
for WiFi connectivity problems and stability issues. [Daniel Miller, Yang Luo]
o Integrated all of your service/version detection fingerprints submitted from
September to March (855 of them). The signature count went up 2.9% to 11,418.
We now detect 1193 protocols from apachemq, bro, and clickhouse to jmon,
slmp, and zookeeper. Highlights:
o [NSE] Added 14 NSE scripts from 12 authors, bringing the total up to 566!
They are all listed at, and the summaries are below:
+ [GH#743] broadcast-ospf2-discover discovers OSPF 2 routers and neighbors.
OSPFv2 authentication is supported. [Emiliano Ticci]
+ [GH#671] cics-info checks IBM TN3270 services for CICS transaction services
and extracts useful information. [Soldier of Fortran]
+ [GH#671] cics-user-brute does brute-force enumeration of CICS usernames on
IBM TN3270 services. [Soldier of Fortran]
+ [GH#669] http-cookie-flags checks HTTP session cookies for HTTPOnly and
Secure flags. [Steve Benson]
+ http-security-headers checks for the HTTP response headers related to
security given in OWASP Secure Headers Project, giving a brief description
of the header and its configuration value. [Vinamra Bhatia, Ícaro Torres]
+ [GH#740][GH#759] http-vuln-cve2017-5638 checks for the RCE bug in Apache
Struts2. [Seth Jackson]
+ [GH#876] http-vuln-cve2017-5689 detects a privilege escalation
vulnerability (INTEL-SA-00075) in Intel Active Management Technology (AMT)
capable systems. [Andrew Orr]
+ http-vuln-cve2017-1001000 detects a privilege escalation vulnerability in
Wordpress 4.7.0 and 4.7.1 (CVE-2017-1001000) [Vinamra Bhatia]
+ [GH#713] impress-remote-discover attempts to pair with the LibreOffice
Impress presentation remote service and extract version info. Pairing is
PIN-protected, and the script can optionally brute-force the PIN. New
service probe and match line also added. [Jeremy Hiebert]
+ [GH#854] smb-double-pulsar-backdoor detects the Shadow Brokers-leaked
Double Pulsar backdoor in Windows SMB servers. [Andrew Orr]
+ smb-vuln-cve-2017-7494 detects a remote code execution vulnerability
affecting Samba versions 3.5.0 and greater with writable shares.
[Wong Wai Tuck]
+ smb-vuln-ms17-010 detects a critical remote code execution vulnerability
affecting SMBv1 servers in Microsoft Windows systems (ms17-010). The
script also reports patched systems. [Paulino Calderon]
+ [GH#686] tls-ticketbleed checks for the Ticketbleed vulnerability
(CVE-2016-9244) in F5 BIG-IP appliances. [Mak Kolybabi]
+ vmware-version queries VMWare SOAP API for version and product information.
Submitted in 2011, this was mistakenly turned into a service probe that was
unable to elicit any matches. [Aleksey Tyurin]
o [Ncat] A series of changes and fixes based on feedback from the Red Hat community:
+ [GH#157] Ncat will now continue trying to connect to each resolved address
for a hostname before declaring the connection refused, allowing it to
fallback from IPv6 to IPv4 or to connect to names that use DNS failover.
[Jaromir Koncicky, Michal Hlavinka]
+ The --no-shutdown option now also works in connect mode, not only in listen mode.
+ Made -i/--idle-timeout not cause Ncat in server mode to close while
waiting for an initial connection. This was also causing -i to interfere
with the HTTP proxy server mode. [Carlos Manso, Daniel Miller]
+ [GH#773] Ncat in server mode properly handles TLS renegotiations and other
situations where SSL_read returns a non-fatal error. This was causing
SSL-over-TCP connections to be dropped. [Daniel Miller]
+ Enable --ssl-ciphers to be used with Ncat in client mode, not only in
server (listen) mode. [Daniel Miller]
o [NSE] New fingerprints for http-enum:
- Endpoints for Spring MVC and Boot Actuator [Paulino Calderon]
- [GH#620][GH#715] 8 fingerprints for Hadoop infrastructure components
[Thomas Debize, Varunram Ganesh]
o [NSE][GH#266][GH#704][GH#238][GH#883] NSE libraries smb and msrpc now use
fully qualified paths. SMB scripts now work against all modern versions
of Microsoft Windows. [Paulino Calderon]
o [NSE] smb library's share_get_list now properly uses anonymous connections
first before falling back authenticating as a known user.
o New service probes and matches for Apache HBase and Hadoop MapReduce.
[Paulino Calderon]
o Extended Memcached service probe and added match for Apache ZooKeeper.
[Paulino Calderon]
o [NSE] New script argument "vulns.short" will reduce vulns library script
output to a single line containing the target name or IP, the vulnerability
state, and the CVE ID or title of the vulnerability. [Daniel Miller]
o [NSE][GH#862] SNMP scripts will now take a community string provided like
`--script-args creds.snmp=private`, which previously did not work because it
was interpreted as a username. [Daniel Miller]
o [NSE] Resolved several issues in the default HTTP redirect rules:
- [GH#826] A redirect is now cancelled if the original URL contains
embedded credentials
- [GH#829] A redirect test is now more careful in determining whether
a redirect destination is related to the original host
- [GH#830] A redirect is now more strict in avoiding possible redirect
o [NSE][GH#766] The HTTP Host header will now include the port unless it is
the default one for a given scheme. [nnposter]
o [NSE] The HTTP response object has a new member, fragment, which contains
a partially received body (if any) when the overall request fails to
complete. [nnposter]
o [NSE][GH#866] NSE now allows cookies to have arbitrary attributes, which
are silently ignored (in accordance with RFC 6265). Unrecognized attributes
were previously causing HTTP requests with such cookies to fail. [nnposter]
o [NSE][GH#844] NSE now correctly parses a Set-Cookie header that has unquoted
whitespace in the cookie value (which is allowed per RFC 6265). [nnposter]
o [NSE][GH#731] NSE is now able to process HTTP responses with a Set-Cookie
header that has an extraneous trailing semicolon. [nnposter]
o [NSE][GH#708] TLS SNI now works correctly for NSE HTTP requests initiated
with option any_af. As an added benefit, option any_af is now available for
all connections via comm.lua, not just HTTP requests. [nnposter]
o [NSE][GH#781] There is a new common function, url.get_default_port(),
to obtain the default port number for a given scheme. [nnposter]
o [NSE][GH#833] Function url.parse() now returns the port part as a number,
not a string. [nnposter]
o No longer allow ICMP Time Exceeded messages to mark a host as down during
host discovery. Running traceroute at the same time as Nmap was causing
interference. [David Fifield]
o [NSE][GH#807] Fixed a JSON library issue that was causing long integers
to be expressed in the scientific/exponent notation. [nnposter]
o [NSE] Fixed several potential hangs in NSE scripts that used
receive_buf(pattern), which will not return if the service continues to send
data that does not match pattern. A new function in match.lua, pattern_limit,
is introduced to limit the number of bytes consumed while searching for the
pattern. [Daniel Miller, Jacek Wielemborek]
o [Nsock] Handle any and all socket connect errors the same: raise as an Nsock
error instead of fatal. This prevents Nmap and Ncat from quitting with
"Strange error from connect:" [Daniel Miller]
o [NSE] Added several commands to redis-info to extract listening addresses,
connected clients, active channels, and cluster nodes. [Vasiliy Kulikov]
o [NSE][GH#679][GH#681] Refreshed script http-robtex-reverse-ip, reflecting
changes at the source site ( [aDoN]
o [NSE][GH#629] Added two new fingerprints to http-default-accounts
(APC Management Card, older NetScreen ScreenOS) [Steve Benson, nnposter]
o [NSE][GH#716] Fix for oracle-tns-version which was sending an invalid TNS
probe due to a string escaping mixup. [Alexandr Savca]
o [NSE][GH#694] ike-version now outputs information about supported attributes
and unknown vendor ids. Also, a new fingerprint for FortiGate VPNs was
submitted by Alexis La Goutte. [Daniel Miller]
o [GH#700] Enabled support for TLS SNI on the Windows platform. [nnposter]
o [GH#649] New service probe and match lines for the JMON and RSE services of
IBM Explorer for z/OS. [Soldier of Fortran]
o Removed a duplicate service probe for Memcached added in 2011 (the original
probe was added in 2008) and reported as duplicate in 2013 by Pavel Kankovsky.
o New service probe and match line for NoMachine NX Server remote desktop.
[Justin Cacak]
o [Zenmap] Fixed a recurring installation problem on OS X/macOS where Zenmap
was installed to /Applications/Applications/ instead of
o [Zenmap][GH#639] Zenmap will no longer crash when no suitable temporary
directory is found. Patches contributed by [Varunram Ganesh] and [Sai Sundhar]
o [Zenmap][GH#626] Zenmap now properly handles the -v0 (no output) option,
which was added in Nmap 7.10. Previously, this was treated the same as not
specifying -v at all. [lymanZerga11]
o [GH#630] Updated or removed some OpenSSL library calls that were deprecated
in OpenSSL 1.1. [eroen]
o [NSE] Script ssh-hostkey now recognizes and reports Ed25519 keys [nnposter]
o [NSE][GH#627] Fixed script hang in several brute scripts due to the "threads"
script-arg not being converted to a number. Error message was
"nselib/brute.lua:1188: attempt to compare number with string" [Arne Beer]
Nmap 7.40 [2016-12-20]
o [Windows] Updated the bundled Npcap from 0.10r9 to 0.78r5, with an
improved installer experience, driver signing updates to work with
Windows 10 build 1607, and bugfixes for WiFi connectivity
problems. [Yang Luo, Daniel Miller]
o Integrated all of your IPv4 OS fingerprint submissions from April to
September (568 of them). Added 149 fingerprints, bringing the new total to
5,336. Additions include Linux 4.6, macOS 10.12 Sierra, NetBSD 7.0, and more.
Highlights: [Daniel Miller]
o Integrated all of your service/version detection fingerprints submitted from
April to September (779 of them). The signature count went up 3.1% to 11,095.
We now detect 1161 protocols, from airserv-ng, domaintime, and mep to
nutcracker, rhpp, and usher. Highlights:
[Daniel Miller]
o Fix reverse DNS on Windows which was failing with the message "mass_dns:
warning: Unable to determine any DNS servers." This was because the interface
GUID comparison needed to be case-insensitive. [Robert Croteau]
o [NSE] Added 12 NSE scripts from 4 authors, bringing the total up to 552!
They are all listed at, and the summaries are below:
+ cics-enum enumerates CICS transaction IDs, mapping to screens in TN3270
services. [Soldier of Fortran]
+ cics-user-enum brute-forces usernames for CICS users on TN3270 services.
[Soldier of Fortran]
+ fingerprint-strings will print the ASCII strings it finds in the service
fingerprints that Nmap shows for unidentified services. [Daniel Miller]
+ [GH#606] ip-geolocation-map-bing renders IP geolocation data as an image
via Bing Maps API. [Mak Kolybabi]
+ [GH#606] ip-geolocation-map-google renders IP geolocation data as an image
via Google Maps API. [Mak Kolybabi]
+ [GH#606] ip-geolocation-map-kml records IP geolocation data in a KML file
for import into other mapping software [Mak Kolybabi]
+ nje-pass-brute brute-forces the password to a NJE node, given a valid RHOST
and OHOST. Helpfully, nje-node-brute can now brute force both of those
values. [Soldier of Fortran]
+ [GH#557] ssl-cert-intaddr will search for private IP addresses in TLS
certificate fields and extensions. [Steve Benson]
+ tn3270-screen shows the login screen from mainframe TN3270 Telnet services,
including any hidden fields. The script is accompanied by the new tn3270
library. [Soldier of Fortran]
+ tso-enum enumerates usernames for TN3270 Telnet services. [Soldier of Fortran]
+ tso-brute brute-forces passwords for TN3270 Telnet services. [Soldier of Fortran]
+ vtam-enum brute-forces VTAM application IDs for TN3270 services.
[Soldier of Fortran]
o [NSE][GH#518] Brute scripts are faster and more accurate. New feedback and
adaptivity mechanisms in brute.lua help brute scripts use resources more
efficiently, dynamically changing number of threads based on protocol
messages like FTP 421 errors, network errors like timeouts, etc.
[Sergey Khegay]
o [GH#353] New option --defeat-icmp-ratelimit dramatically reduces UDP scan
times in exchange for labeling unresponsive (and possibly open) ports as
"closed|filtered". Ports which give a UDP protocol response to one of Nmap's
scanning payloads will be marked "open". [Sergey Khegay]
o [NSE][GH#533] Removed ssl-google-cert-catalog, since Google shut off that
service at some point. Reported by Brian Morin.
o [NSE][GH#606] New NSE library, geoip.lua, provides a common framework for
storing and retrieving IP geolocation results. [Mak Kolybabi]
o [Ncat] Restore the connection success message that Ncat prints with -v. This
was accidentally suppressed when not using -z.
o [GH#316] Added scan resume from Nmap's XML output. Now you can --resume a
canceled scan from all 3 major output formats: -oN, -oG, and -oX.
[Tudor Emil Coman]
o [Ndiff][GH#591] Fix a bug where hosts with the same IP but different
hostnames were shown as changing hostnames between scans. Made sort stable
with regard to hostnames. [Daniel Miller]
o [NSE][GH#540] Add tls.servername script-arg for forcing a name to be used for
TLS Server Name Indication extension. The argument overrides the default use
of the host's targetname. [Bertrand Bonnefoy-Claudet]
o [GH#505] Updated Russian translation of Zenmap by Alexander Kozlov.
o [NSE][GH#588] Fix a crash in smb.lua when using smb-ls due to a
floating-point number being passed to os.time ("bad argument").
[Dallas Winger]
o [NSE][GH#596] Fix a bug in mysql.lua that caused authentication failures in
mysql-brute and other scripts due to including a null terminator in the salt
value. This bug affects Nmap 7.25BETA2 and later releases. [Daniel Miller]
o The --open option now implies --defeat-rst-ratelimit. This may result in
inaccuracies in the numbers of "Not shown:" closed and filtered ports, but
only in situations where it also speeds up scan times. [Daniel Miller]
o [NSE] Added known Diffie-Hellman parameters for haproxy, postfix, and
IronPort to ssl-dh-params. [Frank Bergmann]
o Added service probe for ClamAV servers (clam),
an open source antivirus engine used in mail scanning. [Paulino Calderon]
o Added service probe and UDP payload for Quick UDP Internet Connection (QUIC),
a secure transport developed by Google and used with HTTP/2. [Daniel Miller]
o [NSE] Enabled resolveall to run against any target provided as a hostname, so
the resolveall.hosts script-arg is no longer required. [Daniel Miller]
o [NSE] Revised script http-default-accounts in several ways [nnposter]:
- Added 21 new fingerprints, plus broadened 5 to cover more variants.
- [GH#577] It can now can test systems that return status 200 for
non-existent pages.
- [GH#604] Implemented XML output. Layout of the classic text output has also
changed, including reporting blank usernames or passwords as "<blank>",
instead of just empty strings.
- Added CPE entries to individual fingerprints (where known). They are
reported only in the XML output.
o [NSE][GH#573] Updated http.lua to allow processing of HTTP responses with
malformed header names. Such header lines are still captured in the rawheader
list but skipped otherwise. [nnposter]
o [GH#416] New service probe and match line for iperf3. [Eric Gershman]
o [NSE][GH#555] Add Drupal to the set of web apps brute forced by
http-form-brute. [Nima Ghotbi]
Nmap 7.31 [2016-10-20]
o [Windows] Updated the bundled Npcap from 0.10r2 to 0.10r9, bringing
increased stability, bug fixes, and raw 802.11 WiFi capture (unused
by Nmap). Further details on these changes can be found at [Yang Luo]
o Fixed the way Nmap handles scanning names that resolve to the same IP. Due to
changes in 7.30, the IP was only being scanned once, with bogus results
displayed for the other names. The previous behavior is now restored.
[Tudor Emil Coman]
o [Nping][GH#559] Fix Nping's ability to use Npcap on Windows. A privilege
check was performed too late, so the Npcap loading code assumed the user had no
rights. [Yang Luo, Daniel Miller]
o [GH#350] Fix an assertion failure due to floating point error in equality
comparison, which triggered mainly on OpenBSD:
assertion "diff <= interval" failed: file "", line 440
This was reported earlier as [GH#472] but the assertion fixed there was a
different one. [David Carlier]
o [Zenmap] Fix a crash in the About page in the Spanish translation due to a
missing format specifier:
File "zenmapGUI\About.pyo", line 217, in __init__
TypeError: not all arguments converted during string formatting
[Daniel Miller]
o [Zenmap][GH#556] Better visual indication that display of hostname is tied to
address in the Topology page. You can show numeric addresses with hostnames
or without, but you can't show hostnames without numeric addresses when they
are not available. [Daniel Miller]
o To increase the number of IPv6 fingerprint submissions, a prompt for
submission will be shown with some random chance for successful matches of OS
classes that are based on only a few submissions. Previously, only
unsuccessful matches produced such a prompt. [Daniel Miller]
Nmap 7.30 [2016-09-29]
o Integrated all 12 of your IPv6 OS fingerprint submissions from June to
September. No new groups, but several classifications were strengthened,
especially Windows localhost and OS X. [Daniel Miller]
o [NSE] Added 7 NSE scripts, from 3 authors, bringing the total up to 541!
They are all listed at, and the summaries are below
(authors are listed in brackets):
+ [GH#369] coap-resources grabs the list of available resources from CoAP
endpoints. [Mak Kolybabi]
+ fox-info retrieves detailed version and configuration info from Tridium
Niagara Fox services. [Stephen Hilt]
+ ipmi-brute performs authentication brute-forcing on IPMI services.
[Claudiu Perta]
+ ipmi-cipher-zero checks IPMI services for Cipher Zero support, which allows
connection without a password. [Claudiu Perta]
+ ipmi-version retrieves protocol version and authentication options from
ASF-RMCP (IPMI) services. [Claudiu Perta]
+ [GH#352] mqtt-subscribe connects to a MQTT broker, subscribes to topics,
and lists the messages received. [Mak Kolybabi]
+ pcworx-info retrieves PLC model, firmware version, and date from Phoenix
Contact PLCs. [Stephen Hilt]
o Upgraded Npcap, our new Windows packet capturing driver/library,
from version to 0.09 to 0.10r2. This includes many bug fixes, with a
particular on emphasis on concurrency issues discovered by running
hundreds of Nmap instances at a time. More details are available
from [Yang Luo, Daniel
Miller, Fyodor]
o New service probes and match lines for DTLS, IPMI-RMCP, MQTT, PCWorx,
ProConOS, and Tridium Fox, [Stephen Hilt, Mak Kolybabi, Daniel Miller]
o Improved some output filtering to remove or escape carriage returns ('\r')
that could allow output spoofing by overwriting portions of the screen. Issue
reported by Adam Rutherford. [Daniel Miller]
o [NSE] Fixed a few bad Lua patterns that could result in denial of service due
to excessive backtracking. [Adam Rutherford, Daniel Miller]
o Fixed a discrepancy between the number of targets selected with -iR and the
number of hosts scanned, resulting in output like "Nmap done: 1033 IP
addresses" when the user specified -iR 1000. [Daniel Miller]
o Fixed a bug in port specification parsing that could cause extraneous
'T', 'U', 'S', and 'P' characters to be ignored when they should have
caused an error. [David Fifield]
o [GH#543] Restored compatibility with LibreSSL, which was lost in adding
library version checks for OpenSSL 1.1. [Wonko7]
o [Zenmap] Fixed a bug in the Compare Scans window of Zenmap on OS X resulting
in this message instead of Ndiff output:
ImportError: dlopen(/Applications/, 2): no suitable image found. Did find:
/Applications/ mach-o, but wrong architecture
Reported by Kyle Gustafson. [Daniel Miller]
o [NSE] Fixed a bug in ssl-enum-ciphers and ssl-dh-params which caused them to
not output TLSv1.2 info with DHE ciphersuites or others involving
ServerKeyExchange messages. [Daniel Miller]
o [NSE] Added X509v3 extension parsing to NSE's sslcert code. ssl-cert now
shows the Subject Alternative Name extension; all extensions are shown in the
XML output. [Daniel Miller]
Nmap 7.25BETA2 [2016-09-01]
o [GH#376] Windows binaries are now code-signed with our "Insecure.Com LLC"
SHA256 certificate. This should give our users extra peace-of-mind and avoid
triggering Microsoft's ever-increasing security warnings.
o [NSE] Upgraded NSE to Lua 5.3, adding bitwise operators, integer data type, a
utf8 library, and native binary packing and unpacking functions. Removed bit
library, added bits.lua, replaced base32, base64, and bin libraries. [Patrick
o [NSE] Added 2 NSE scripts, bringing the total up to 534! They are both listed
at, and the summaries are below:
+ oracle-tns-version decodes the version number from Oracle Database Server's
TNS listener. [Daniel Miller]
+ clock-skew analyzes and reports clock skew between Nmap and services that
report timestamps, grouping hosts with similar skews. [Daniel Miller]
o Integrated all of your service/version detection fingerprints submitted from
January to April (578 of them). The signature count went up 2.2% to 10760.
We now detect 1122 protocols, from elasticsearch, fhem, and goldengate to
ptcp, resin-watchdog, and siemens-logo. [Daniel Miller]
o Upgraded Npcap, our new Windows packet capturing driver/library,
from version 0.07-r17 to 0.09. This includes many improvements you can
read about at
o [Nsock][GH#148] Added the new IOCP Nsock engine which uses the Windows
Overlapped I/O API to improve performance of version scan and NSE against
many targets on Windows. [Tudor Emil Coman]
o [GH#376] Windows binaries are now code-signed with our "Insecure.Com LLC"
SHA256 certificate. This should give our users extra peace-of-mind and avoid
triggering Microsoft's ever-increasing security warnings.
o Various performance improvements for large-scale high-rate scanning,
including increased ping host groups, faster probe matching, and ensuring
data types can handle an Internet's-worth of targets. [Tudor Emil Coman]
o [NSE] Added the oracle-tns-version NSE script which decodes the version
number from Oracle Database Server's TNS
listener. [Daniel
o [NSE] Added the clock-skew NSE script which analyzes and reports clock skew
between Nmap and services that report timestamps, grouping hosts with
similar skews. [Daniel
o [Zenmap] Long-overdue Spanish language translation has been added! Muy bien!
[Vincent Dumont, Marta Garcia De La Paz, Paulino Calderon, Patricio Castagnaro]
o [Zenmap][GH#449] Fix a crash when closing Zenmap due to a read-only
zenmap.conf. User will be warned that config cannot be saved and that they
should fix the file permissions. [Daniel Miller]
o [NSE] Fix a crash when parsing TLS certificates that OpenSSL doesn't support,
like DH certificates or corrupted certs. When this happens, ssl-enum-ciphers
will label the ciphersuite strength as "unknown." Reported by Bertrand
Bonnefoy-Claudet. [Daniel Miller]
o [NSE][GH#531] Fix two issues in sslcert.lua that prevented correct operations
against LDAP services when version detection or STARTTLS were used.
[Tom Sellers]
o [GH#426] Remove a workaround for lack of selectable pcap file descriptors on
Windows, which required including pcap-int.h and locking us to a single
version of libpcap. The new method, using WaitForSingleObject should work
with all versions of both WinPcap and Npcap. [Daniel Miller]
o [NSE][GH#234] Added a --script-timeout option for limiting run time for
every individual NSE script. [Abhishek Singh]
o [Ncat][GH#444] Added a -z option to Ncat. Just like the -z option in
traditional netcat, it can be used to quickly check the status of a
port. Port ranges are not supported since we recommend a certain other tool
for port scanning. [Abhishek Singh]
o Fix checking of Npcap/WinPcap presence on Windows so that "nmap -A" and
"nmap" with no options result in the same behaviors as on Linux (and no
crashes) [Daniel Miller]
o [NSE] ssl-enum-ciphers will now warn about 64-bit block ciphers in CBC mode,
which are vulnerable to the SWEET32 attack.
o [NSE][GH#117] tftp-enum now only brute-forces IP-address-based Cisco filenames when
the wordlist contains "{cisco}". Previously, custom wordlists would still end
up sending these extra 256 requests. [Sriram Raghunathan]
o [GH#472] Avoid an unnecessary assert failure in when printing estimated
completion time. Instead, we'll output a diagnostic error message:
Timing error: localtime(n) is NULL
where "n" is some number that is causing problems. [Jean-Guilhem Nousse]
o [NSE][GH#519] Removed the obsolete script ip-geolocation-geobytes. [Paulino Calderon]
o [NSE] Added 9 new fingerprints for script http-default-accounts.
(Motorola AP, Lantronix print server, Dell iDRAC6, HP StorageWorks, Zabbix,
Schneider controller, Xerox printer, Citrix NetScaler, ESXi hypervisor)
o [NSE] Completed a refresh and validation of almost all fingerprints for
script http-default-accounts. Also improved the script speed. [nnposter]
o [GH#98] Added support for decoys in IPv6. Earlier we supported decoys only in
IPv4. [Abhishek Singh]
o Various performance improvements for large-scale high-rate scanning,
including increased ping host groups, faster probe matching, and ensuring
data types can handle an Internet's-worth of targets. [Tudor Emil Coman]
o [GH#484] Allow Nmap to compile on some older Red Hat distros that disable EC
crypto support in OpenSSL. [Jeroen Roovers, Vincent Dumont]
o [GH#439] Nmap now supports OpenSSL 1.1.0-pre5 and previous versions. [Vincent Dumont]
o [Ncat] Fix a crash ("add_fdinfo() failed.") when --exec was used with --ssl
and --max-conns, due to improper accounting of file descriptors. [Daniel
o FTP Bounce scan: improved some edge cases like anonymous login without
password, 500 errors used to indicate port closed, and timeouts for LIST
command. Also fixed a 1-byte array overrun (read) when checking for
privileged ports. [Daniel Miller]
o [GH#140] Allow target DNS names up to 254 bytes. We previously imposed an
incorrect limit of 64 bytes in several parts of Nmap. [Vincent Dumont]
o [NSE] The hard limit on number of concurrently running scripts can now
increase above 1000 to match a high user-set --min-parallelism value. [Tudor
Emil Coman]
o [NSE] Solved a memory corruption issue that would happen if a socket connect
operation produced an error immediately, such as Network Unreachable. The
event handler was throwing a Lua error, preventing Nsock from cleaning up
properly, leaking events. [Abhishek Singh, Daniel Miller]
o [NSE] Added the datetime library for performing date and time calculations,
and as a helper to the clock-skew script.
o [GH#103][GH#364] Made Nmap's parallel reverse DNS resolver more robust, fully
handling truncated replies. If a response is too long, we now fall back to
using the system resolver to answer it. [Abhishek Singh]
o [Zenmap][GH#279] Added a legend for the Topography window. [Suraj Hande]
Nmap 7.25BETA1 [2016-07-15]
o Nmap now ships with and uses Npcap, our new packet sniffing library
for Windows. It's based on WinPcap (unmaintained for years), but
uses modern Windows APIs for better performance. It also includes
security improvements and many bug fixes. See And
it enables Nmap to perform SYN scans and OS detection against
localhost, which we haven't been able to do on Windows since
Microsoft removed the raw sockets API in 2003. [Yang Luo, Daniel
Miller, Fyodor]
o [NSE] Added 6 NSE scripts, from 5 authors, bringing the total up to 533!
They are all listed at, and the summaries are below
(authors are listed in brackets):
+ clamav-exec detects ClamAV servers vulnerable to unauthorized clamav
command execution. [Paulino Calderon]
+ http-aspnet-debug detects ASP.NET applications with debugging enabled.
[Josh Amishav-Zlatin]
+ http-internal-ip-disclosure determines if the web server leaks its internal
IP address when sending an HTTP/1.0 request without a Host header. [Josh
+ [GH#304] http-mcmp detects mod_cluster Management Protocol (MCMP) and dumps
its configuration. [Frank Spierings]
+ [GH#365] sslv2-drown detects vulnerability to the DROWN attack, including
CVE-2016-0703 and CVE-2016-0704 that enable fast attacks on OpenSSL.
[Bertrand Bonnefoy-Claudet]
+ vnc-title logs in to VNC servers and grabs the desktop title, geometry, and
color depth. [Daniel Miller]
o Integrated all of your IPv4 OS fingerprint submissions from January
to April (539 of them). Added 98 fingerprints, bringing the new total
to 5187. Additions include Linux 4.4, Android 6.0, Windows Server
2016, and more. [Daniel Miller]
o Integrated all 31 of your IPv6 OS fingerprint submissions from January to
June. The classifier added 2 groups and expanded several others. Several
Apple OS X groups were consolidated, reducing the total number of groups to
93. [Daniel Miller]
o Update oldest supported Windows version to Vista (Windows 6.0). This enables
the use of the poll Nsock engine, which has significant performance and
accuracy advantages. Windows XP users can still use Nmap 7.12, available from [Daniel Miller]
o [NSE] Fix a crash that happened when trying to print the percent done of 0
NSE script threads: bool ScanProgressMeter::printStats(double, const timeval*): Assertion 'ltime' failed.
This would happen if no scripts were scheduled in a scan phase and the user
pressed a key or specified a short --stats-every interval. Reported by
Richard Petrie. [Daniel Miller]
o [GH#283][Nsock] Avoid "unknown protocol:0" debug messages and an "Unknown
address family 0" crash on Windows and other platforms that do not set the
src_addr argument to recvfrom for TCP sockets. [Daniel Miller]
o Retrieve the correct network prefix length for an adapter on Windows. If more
than one address was configured on an adapter, the same prefix length would
be used for both. This incorrect behavior is still used on Windows XP and
earlier. Reported by Niels Bohr. [Daniel Miller]
o Changed libdnet-stripped to avoid bailing completely when an interface is
encountered with an unsupported hardware address type. Caused "INTERFACES:
NONE FOUND!" bugs in Nmap whenever Linux kernel added new hardware address
types. [Daniel Miller]
o Improved service detection of Docker and fixed a bug in the output of
docker-version script. [Tom Sellers]
o Fix detection of Microsoft Terminal Services (RDP). Our improved TLS service
probes were matching on port 3389 before our specific Terminal Services
probe, causing the port to be labeled as "ssl/unknown". Reported by Josh
o [NSE] Update to enable smb-os-discovery to augment version detection
for certain SMB related services using data that the script discovers.
[Tom Sellers]
o Improved version detection and descriptions for Microsoft and Samba
SMB services. Also addresses certain issues with OS identification.
[Tom Sellers]
o [NSE] ssl-enum-ciphers will give a failing score to any server with an RSA
certificate whose public key uses an exponent of 1. It will also cap the
score of an RC4-ciphersuite handshake at C and output a warning referencing
RFC 7465. [Daniel Miller]
o [NSE] Refactored some SSLv2 functionality into a new library, sslv2.lua .
[Daniel Miller]
o [GH#399] Zenmap's authorization wrapper now uses an AppleScript method for
privilege escalation on OS X, avoiding the deprecated
AuthorizationExecuteWithPrivileges method previously used. [Vincent Dumont]
o [GH#454] The OS X binary package is distributed in a .dmg disk image that now
features an instructive background image. [Vincent Dumont]
o [GH#420] Our OS X build system now uses gtk-mac-bundler and jhbuild to
provide all dependencies. We no longer use Macports for this purpose.
[Vincent Dumont]
o [GH#345][Zenmap] On Windows, save Zenmap's stderr output to a writeable
location (%LOCALAPPDATA%\zenmap.exe.log or %TEMP%\zenmap.exe.log) instead of
next to the zenmap.exe executable. This avoids a warning message when closing
Zenmap if it produced any stderr output. [Daniel Miller]
o [GH#379][NSE] Fix http-iis-short-name-brute to report non vulnerable hosts.
Reported by alias1. [Paulino Calderon]
o [NSE][GH#371] Fix mysql-audit by adding needed library requires to the
mysql-cis.audit file. The script would fail with "Failed to load rulebase"
message. [Paolo Perego]
o [NSE][GH#362] Added support for LDAP over udp to ldap-rootdse.nse.
Also added version detection and information extraction to match the
new LDAP LDAPSearchReq and LDAPSearchReqUDP probes. [Tom Sellers]
o [GH#354] Added new version detection Probes for LDAP services, LDAPSearchReq
and LDAPSearchReqUDP. The second is Microsoft Active Directory specific. The
Probes will elicit responses from target services that allow better finger
-printing and information extraction. Also added nmap-payload entry for
detecting LDAP on udp. [Tom Sellers]
o [NSE] More VNC updates: Support for VeNCrypt and Tight auth types, output of
authentication sub-types in vnc-info, and all zero-authentication types are
recognized and reported. [Daniel Miller]
Nmap 7.12 [2016-03-29]
o [Zenmap] Avoid file corruption in zenmap.conf, reported as files containing
many null ("\x00") characters. Example exceptions:
TypeError: int() argument must be a string or a number, not 'list'
ValueError: unable to parse colour specification
o [NSE] VNC updates including vnc-brute support for TLS security type and
negotiating a lower RFB version if the server sends an unknown higher
version. [Daniel Miller]
o [NSE] Added STARTTLS support for VNC, NNTP, and LMTP [Daniel Miller]
o Added new service probes and match lines for OpenVPN on UDP and TCP.
Nmap 7.11 [2016-03-22]
o [NSE][GH#341] Added support for diffie-hellman-group-exchange-* SSH key
exchange methods to ssh2.lua, allowing ssh-hostkey to run on servers that
only support custom Diffie-Hellman groups. [Sergey Khegay]
o [NSE] Added support in sslcert.lua for Microsoft SQL Server's TDS protocol,
so you can now grab certs with ssl-cert or check ciphers with
ssl-enum-ciphers. [Daniel Miller]
o [Zenmap] Fix a crash when setting default window geometry:
TypeError: argument of type 'int' is not iterable
o [Zenmap] Fix a crash when displaying the date from an Nmap XML file due to an
empty or unknown locale:
File "zenmapCore/", line 627, in get_formatted_date
LookupError: unknown encoding:
o [Zenmap] Fix a crash due to incorrect file paths when installing to
/usr/local prefix. Example:
Exception: File '/home/blah/.zenmap/scan_profile.usp' does not exist or could not be found!
Nmap 7.10 [2016-03-17]
o [NSE] Added 12 NSE scripts from 7 authors, bringing the total up to 527!
They are all listed at, and the summaries are below
(authors are listed in brackets):
+ [GH#322] http-apache-server-status parses the server status page of
Apache's mod_status. [Eric Gershman]
+ http-vuln-cve2013-6786 detects a XSS and URL redirection vulnerability in
Allegro RomPager web server. Also added a fingerprint for detecting
CVE-2014-4019 to http-fingerprints.lua. [Vlatko Kosturjak]
+ [GH#226] http-vuln-cve2014-3704 detects and exploits the "Drupalgeddon"
pre-auth SQL Injection vulnerability in Drupal. [Mariusz Ziulek]
+ imap-ntlm-info extracts hostname and sometimes OS version from
NTLM-auth-enabled IMAP services. [Justin Cacak]
+ ipv6-multicast-mld-list discovers IPv6 multicast listeners with MLD probes.
The discovery is the same as targets-ipv6-multicast-mld, but the subscribed
addresses are decoded and listed. [Alexandru Geana, Daniel Miller]
+ ms-sql-ntlm-info extracts OS version and sometimes hostname from MS SQL
Server instances via the NTLM challenge message. [Justin Cacak]
+ nntp-ntlm-info extracts hostname and sometimes OS version from
NTLM-auth-enabled NNTP services. [Justin Cacak]
+ pop3-ntlm-info extracts hostname and sometimes OS version from
NTLM-auth-enabled POP3 services. [Justin Cacak]
+ rusers retrieves information about logged-on users from the rusersd RPC
service. [Daniel Miller]
+ [GH#333] shodan-api queries the Shodan API ( and
retrieves open port and service info from their Internet-wide scan data.
[Glenn Wilkinson]
+ smtp-ntlm-info extracts hostname and sometimes OS version from
NTLM-auth-enabled SMTP and submission services. [Justin Cacak]
+ telnet-ntlm-info extracts hostname and sometimes OS version from
NTLM-auth-enabled Telnet services. [Justin Cacak]
o Updated the OpenSSL shipped with our binary builds (Windows, OS X, and Linux
RPM) to 1.0.2g with SSLv2 enabled.
o Integrated all of your IPv4 OS fingerprint submissions from October to
January (536 of them). Added 104 fingerprints, bringing the new total to
5089. Additions include Linux 4.2, more Windows 10, IBM i 7, and more.
Highlights: [Daniel Miller]
o Integrated all of your service/version detection fingerprints submitted from
October to January (508 of them). The signature count went up 2.2% to 10532.
We now detect 1108 protocols, from icy, finger, and rtsp to ipfs,
basestation, and minecraft-pe. Highlights: [Daniel Miller]
o Integrated all 12 of your IPv6 OS fingerprint submissions from October to
January. The classifier added 3 new groups, including new and expanded groups
for OS X, bringing the new total to 96. Highlights: [Daniel Miller]
o [NSE] Upgrade to http-form-brute allowing correct handling of token-based
CSRF protections and cookies. Also, a simple database of common login forms
supports Django, Wordpress, MediaWiki, Joomla, and others. [Daniel Miller]
o [Zenmap] [GH#247] Remember window geometry (position and size) from the
previous time Zenmap was run. [isjing]
o New service probe for CORBA GIOP (General Inter-ORB Protocol) detection
should elicit a not-found exception from GIOP services that do not respond to
non-GIOP probes. [Quentin Hardy]
o [GH#284] Fix retrieval of route netmasks on FreeBSD. IPv6 routes were given
/32 netmasks regardless of actual netmask configured, resulting in failed
routing. Reported by Martin Gysi. [Daniel Miller]
o [GH#272][GH#269] Give option parsing errors after the usage statement, or
avoid printing the usage statement in some cases. The options summary has
grown quite large, requiring users to scroll to the top to see the error
message. [Abhishek Singh]
o [GH#249][Nsock] Avoid a crash on Windows reported by users using Zenmap's
Slow Comprehensive Scan profile. In the case of unknown OpenSSL errors,
ERR_reason_error_string would return NULL, which could not be printed with
the "%s" format string. Reported by Dan Baxter. [Gisle Vanem, Daniel Miller]
o [GH#293][Zenmap] Fix a regression in our build that caused copy-and-paste to
not work in Zenmap on Windows.
o Changed Nmap's idea of reserved and private IP addresses to include
169.254/16 (RFC3927) and remove 6/8, 7/8, and 55/8 networks. This list, in
libnetutil's isipprivate function, is used to filter -iR randomly generated
targets. The newly-valid address ranges belong to the U.S. Department of
Defense, so users wanting to avoid those ranges should use their own
exclusion lists with --exclude or --exclude-file. [Bill Parker, Daniel
o Allow the -4 option for Nmap to indicate IPv4 address family. This is the
default, and using the option doesn't change anything, but does make it more
explicit which address family you want to scan. Using -4 with -6 is an error.
[Daniel Miller]
o [GH#265] When provided a verbosity of 0 (-v0), Nmap will not output any text to the
screen. This happens at the time of argument parsing, so the usual meaning of
"verbosity 0" is preserved. [isjing]
o [NSE][GH#314] Fix naming of SSL2_RC2_128_CBC_WITH_MD5 and
SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 ciphers in sslv2 in order to match the
draft specification from Mozilla. [Bertrand Bonnefoy-Claudet]
o [NSE][GH#320] Add STARTTLS support to sslv2 to enable SSLv2 detection
against services that are not TLS encrypted by default but that support
post connection upgrade. This will enable more comprehensive detection
of SSLv2 and DROWN (CVE-2016-0800) attack oracles. [Tom Sellers]
o [NSE][GH#301] Added default credential checks for RICOH Web Image Monitor and
BeEF to http-default-accounts. [nnposter]
o Properly display Next-hop MTU value from ICMP Type 3 Code 4 Fragmentation
Required messages when tracing packets or in Nping output. Improper offset
meant we were printing the total IP length. [Sławomir Demeszko]
o [NSE] Added support for DHCP options "TFTP server name" and "Bootfile name"
to dhcp.lua and enabled checking for options with a code above 61 by default.
[Mike Rykowski]
o [NSE] whois-ip: Don't request a remote IANA assignments data file when the
local filesystem will not permit the file to cached in a local file. [jah]
o [NSE] Updated http-php-version hash database to cover all versions from PHP
4.1.0 to PHP 5.4.45. Based on scans of a few thousand PHP web servers pulled
from Shodan API ( [Daniel Miller]
o Use the same ScanProgressMeter for FTP bounce scan (-b) as for the other scan
types, allowing periodic status updates with --stats-every or keypress
events. [Daniel Miller]
o [GH#274] Use a shorter pcap_select timeout on OpenBSD, just as we do for OS
X, old FreeBSD, and Solaris, which use BPF for packet capture and do not have
properly select-able fds. Fix by OpenBSD port maintainer [David Carlier]
o Print service info in grepable output for ports which are not listed in
nmap-services when a service tunnel (SSL) is detected. Previously, the
service info ("ssl|unknown") was not printed unless the service inside the
tunnel was positively identified.
[Daniel Miller]
o [NSE] [GH#242] Fix multiple false-positive sources in http-backup-agent.
[Tom Sellers]
Nmap 7.01 [2015-12-09]
o Switch to using gtk-mac-bundler and jhbuild for building the OS X installer.
This promises to reduce a lot of the problems we've had with local paths and
dependencies using the py2app and macports build system. [Daniel Miller]
o The Windows installer is now built with NSIS 2.47 which features LoadLibrary
security hardening to prevent DLL hijacking and other unsafe use of temporary
directories. Thanks to Stefan Kanthak for reporting the issue to NSIS and to
us and the many other projects that use it.
o Updated the OpenSSL shipped with our binary builds (Windows, OS X, and RPM)
to 1.0.2e.
o [Zenmap] [GH#235] Fix several failures to launch Zenmap on OS X. The new
build process eliminates these errors:
IOError: [Errno 2] No such file or directory: '/Applications/'
LSOpenURLsWithRole() failed for the application /Applications/ with error -10810.
o [NSE] [GH#254] Update the TLSSessionRequest probe in ssl-enum-ciphers to
match the one in nmap-service-probes, which was fixed previously to correct a
length calculation error. [Daniel Miller]
o [NSE] [GH#251] Correct false positives and unexpected behavior in http-*
scripts which used http.identify_404 to determine when a file was not found
on the target. The function was following redirects, which could be an
indication of a soft-404 response. [Tom Sellers]
o [NSE] [GH#241] Fix a false-positive in hnap-info when the target responds
with 200 OK to any request. [Tom Sellers]
o [NSE] [GH#244] Fix an error response in xmlrpc-methods when run against a
non-HTTP service. The expected behavior is no output. [Niklaus Schiess]
o [NSE] Fix SSN validation function in http-grep, reported by Bruce Barnett.
Nmap 7.00 [2015-11-19]
o This is the most important release since Nmap 6.00 back in May 2012!
For a list of the most significant improvements and new features,
see the announcement at:
o [NSE] Added 6 NSE scripts from 6 authors, bringing the total up to 515!
They are all listed at, and the summaries are below
(authors are listed in brackets):
+ targets-xml extracts target addresses from previous Nmap XML results files.
[Daniel Miller]
+ [GH#232] ssl-dh-params checks for problems with weak, non-safe, and
export-grade Diffie-Hellman parameters in TLS handshakes. This includes the
LOGJAM vulnerability (CVE-2015-4000). [Jacob Gajek]
+ nje-node-brute does brute-forcing of z/OS JES Network Job Entry node names.
[Soldier of Fortran]
+ ip-https-discover detectings support for Microsoft's IP over HTTPS
tunneling protocol. [Niklaus Schiess]
+ [GH#165] broadcast-sonicwall-discover detects and extracts information from
SonicWall firewalls. [Raphael Hoegger]
+ [GH#38] http-vuln-cve2014-8877 checks for and optionally exploits a
vulnerability in CM Download Manager plugin for Wordpress. [Mariusz Ziulek]
o [Ncat] [GH#151] [GH#142] New option --no-shutdown prevents Ncat from shutting
down when it reads EOF on stdin. This is the same as traditional netcat's
"-d" option. [Adam Saponara]
o [NSE] [GH#229] Improve parsing in http.lua for multiple Set-Cookie headers in
a single response. [nnposter]
Nmap 6.49BETA6 [2015-11-03]
o Integrated all of your IPv6 OS fingerprint submissions from April to October
(only 9 of them!). We are steadily improving the IPv6 database, but we need
your submissions. The classifier added 3 new groups, bringing the new total
to 93. Highlights: [Daniel Miller]
o Integrated all of your IPv4 OS fingerprint submissions from February to
October (1065 of them). Added 219 fingerprints, bringing the new total to
4985. Additions include Linux 4.1, Windows 10, OS X 10.11, iOS 9, FreeBSD
11.0, Android 5.1, and more. Highlights: [Daniel Miller]
o Integrated all of your service/version detection fingerprints submitted from
February to October (800+ of them). The signature count went up 2.5% to
10293. We now detect 1089 protocols, from afp, bitcoin, and caldav to
xml-rpc, yiff, and zebra. Highlights:
[Daniel Miller]
o [NSE] Added 10 NSE scripts from 5 authors, bringing the total up to 509!
They are all listed at, and the summaries are below
(authors are listed in brackets):
+ knx-gateway-discover and knx-gateway-info scripts gather information from
multicast and unicast KNX gateways, which connect home automation systems
to IP networks. [Niklaus Schiess, Dominik Schneider]
+ http-ls parses web server directory index pages with optional recursion.
[Pierre Lalet]
+ xmlrpc-methods perfoms introspection of xmlrpc services and lists methods
and their descriptions. [Gyanendra Mishra]
+ http-fetch can be used like wget or curl to fetch all files, specific
filenames, or files that match a given pattern. [Gyanendra Mishra]
+ http-svn-enum enumerates users of a Subversion repository by examining
commit logs. [Gyanendra Mishra]
+ http-svn-info requests information from a Subversion repository, similar to
the "svn info" command. [Gyanendra Mishra]
+ hnap-info detects and outputs info for Home Network Administration Protocol
devices. [Gyanendra Mishra]
+ http-webdav-scan detects WebDAV servers and reports allowed methods and
directory listing. [Gyanendra Mishra]
+ tor-consensus-checker checks the target's address with the Tor directory
authorities to determine if a target is a known Tor node. [Jiayi Ye]
o [NSE] Several scripts have been split, combined, or renamed:
+ [GH#171] smb-check-vulns has been split into:
* smb-vuln-conficker
* smb-vuln-cve2009-3103
* smb-vuln-ms06-025
* smb-vuln-ms07-029
* smb-vuln-regsvc-dos
* smb-vuln-ms08-067
The scripts now use the vulns library, and the "unsafe" script-arg has been
replaced by putting the scripts into the "dos" category. [Paulino Calderon]
+ http-email-harvest was removed, as the new http-grep does email address
scraping by default. [Gyanendra Mishra]
+ http-drupal-modules was renamed to http-drupal-enum. Extended to enumerate
both themes and modules of Drupal installaions. [Gyanendra Mishra]
o [Ncat] [GH#193] Fix Ncat listen mode over Unix sockets (named pipes) on OS X.
This was crashing with the error:
Ncat: getnameinfo failed: Undefined error: 0 QUITTING.
Fixed by forcing the name to "localhost" [Michael Wallner]
o [Zenmap] Fix a crash in Zenmap when using Compare Results:
AttributeError: 'NoneType' object has no attribute 'get_nmap_output'
[Daniel Miller]
o [NSE] [GH#194] Add support for reading fragmented TLS messages to
ssl-enum-ciphers. [Jacob Gajek]
o [GH#51] Added IPv6 support to nmap_mass_rdns, improved reverse DNS cache,
and refactored DNS code to improve readability and
extensibility. All in all, this makes the rDNS portion of IPv6 scans
much faster. [Gioacchino Mazzurco]
o [NSE] Added NTLM brute support to http-brute. [Gyanendra Mishra]
o [NSE] Added NTLM authentication support to http.lua and a related function to create
an ntlm v2 session response in smbauth.lua. [Gyanendra Mishra]
o [NSE] [GH#106] Added a new NSE module, ls.lua, for accumulating and
outputting file and directory listings. The afp-ls, nfs-ls, and smb-ls
scripts have been converted to use this module. [Pierre Lalet]
o [NSE] bacnet-info.nse and s7-info.nse were added to the version category.
[Paulino Calderon]
o [NSE] Added 124 new identifiers to bacnet-info.nse vendor database.
[Paulino Calderon]
o [NSE] Fixed bacnet-info.nse to bind to the service port detected
during scan instead of fixed port. [Paulino Calderon]
o [NSE] Enhanced reporting of elliptic curve names and strengths in
ssl-enum-ciphers. The name of the curve is now reported instead of just "ec"
[Brandon Paulsen]
o [GH#75] Normalize Makefile targets to use the same verb-project format, e.g.
build-ncat, check-zenmap, install-nping, clean-nsock [Gioacchino Mazzurco]
o [NSE] Added builtin pattern and multiple pattern search to http-grep. [Gyanendra Mishra]
o [NSE] http-crossdomainxml is now http-cross-domain-policy and supports client
access policies and uses the new SLAXML parser. [Gyanendra Mishra]
o [NSE] Added a patch for vulns lib that allows list of tables to be submitted
to fields in the vulns report. [Jacob Gajek]
o [NSE] Added additional checks for successful PUT request in http-put.
[Oleg Mitrofanov]
o [NSE] Added an update for http-methods that checks all possible methods not in
Allow or Public header of OPTIONS response. [Gyanendra Mishra]
o [NSE] Added SLAXML, an XML parser in Lua originally written by Gavin Kistner
(a.k.a. Phrogz). [Gyanendra Mishra]
o [NSE] [GH#122] Update the snmp-brute and other snmp-* scripts to use the
creds library to store brute-forced snmp community strings. This allows Nmap
to use the correct brute-forced string for each host. [Gioacchino Mazzurco]
o Several improvements to TLS/SSL detection in nmap-service-probes. A new
probe, TLSSessionReq, and improvements to default SSL ports should help speed
up -sV scans. [Daniel Miller]
o [Nsock] Clean up the API so that nsp_* calls are now nsock_pool_* and nsi_*
are nsock_iod_*. Simplify Nsock SSL init API, and make logging global to the
library instead of associated with a nspool. [Henri Doreau]
o [GH#181] The configure script now prints a summary of configured options.
Most importantly, it warns if OpenSSL was not found, since most users will
want this library compiled in. [Gioacchino Mazzurco]
o Define TCP Options for SYN scan in nmap.h instead of literally throughout.
This string is used by p0f and other IDS to detect Nmap scans, so having it a
compile-time option is a step towards better evasion. [Daniel Miller]
o [GH#51] Nmap's parallel reverse-DNS resolver now handles IPv6 addresses. This
should result in faster -6 scans. The old behavior is available with
--system-dns. [Gioacchino Mazzurco]
o [NSE] Fix a couple odd bugs in NSE command-line parsing. Most notably,
--script broadcast-* will now work (generally, wildcards with scripts whose
name begins with a category name were not working properly). [Daniel Miller]
o [NSE] [GH#113] http-form-fuzzer will now stop increasing the size of a
request when an HTTP 413 or 414 error indicates the web server will not
accept a larger request. [Gioacchino Mazzurco]
o [NSE] [GH#159] Add the ability to tag credentials in the creds library with
freeform text for easy retrieval. This gives necessary granularity to track
credentials to multiple web apps on a single host+port. [Gioacchino Mazzurco]
Nmap 6.49BETA5 [2015-09-25]
o Work around a bug which could cause Nmap to hang when running
multiple instances at once on Windows. The actual bug appears to be
in the WinPCAP driver in that it hanges when accessed via
OpenServiceA by multiple processes at once. So for now we have added
a mutex to prevent even multiple Nmap processes from making
concurrent calls to this part of WinPcap. We've received the reports
from multiple users on Windows 8.1 and Windows Server 2012 R2 and
this fix seems to resolve the hang for them. [Daniel Miller]
o [GH#212][NSE] Fix http.get_url function which was wrongly attempting
non-SSL HTTP requests first when passed https URLs. [jah]
o [GH#201] Fix Ndiff interpreter path problems in the OS X .dmg
installer which could prevent Ndiff (and the related Zenmap "compare
results" window) from working on OS X in some cases. [Daniel Miller]
o Fix Nmap's DTD, which did not recognize that the script element
could contain character data when a script returns a number or a
boolean. [Jonathan Daugherty]
o [GH#172][NSE] Fix reporting of DH parameter sizes by
ssl-enum-ciphers. The number shown was the length in bytes, not bits
as it should have been. Reported by Michael Staruch. [Brandon
o Our Windows Nmap packages are now compiled with the older platform
toolset (v120_xp rather than v120) and so they may work with Windows
XP again for the dwindling number of users still on that operating
o [GH#34] Disable TPACKET_V3 in our included libpcap. This version of
the Linux kernel packet ring API has problems that result in lots of
lost packets. This patch falls back to TPACKET_V2 or earlier
versions if available. [nnposter]
o [NSE] Check for socket errors in iscsi.lua. This was causing the
iscsi-info script to crash against some services. [Daniel Miller]
o [NSE] Fix http-useragent-tester, which was using cached HTTP
responses instead of testing new User-Agent strings. [Daniel Miller]
o Output a warning when deprecated options are used, and suggest the
preferred option. Currently deprecated: -i -o -m -sP -P0 -PN -oM
-sR. The warning is only visible with -v. [Daniel Miller]
o Add a fatal error for options like -oG- which is interpreted as the
deprecated -o option, outputting to a file named "G-", instead of
the expected behavior of -oG - (Grepable output to stdout). [Daniel
o [GH#196] Fix raw packet sending on FreeBSD 10.0 and later. FreeBSD
changed byte order of the IPv4 stack, so SYN scan and other raw
packet functions were broken. [Edward Napierała] Also reported in
[GH#50] by Olli Hauer.
o [GH#183] Fix compilation on Visual Studio 2010, which failed with
error: " error C2065: 'EOPNOTSUPP' :
undeclared identifier" [Daniel Miller]
o [GH#115][NSE] ssl-enum-ciphers will still produce output if OpenSSL
(required for certificate parsing) is not available. In cases where
handshake strength depends on the certificate, it will be reported
as "unknown". [jrchamp]
Nmap 6.49BETA4 [2015-07-06]
o Fix a hang on OS X in Zenmap's Topology page with error
"[857]: GError: Couldn't recognize the image file format for
file '/Applications/' [Daniel Miller]
o Fix a small memory leak for each target specified as a hostname which fails
to resolve. [Daniel Miller]
o Allow 'make check' to succeed when Nmap is configured without OpenSSL
support. This was broken due to our NSE unittest library expecting to be able
to load every library without error. [Daniel Miller]
o [NSE] Enable ssl-enum-ciphers to safely scan servers with a long handshake
intolerance issue which resulted in incomplete results when the handshake was
greater than 255 bytes. [Jacob Gajek, Daniel Miller]
o [Ncat] Fix a write overrun in Ncat that could cause a segfault if the -g
(source route) option was given too many times. [Daniel Miller]
o [NSE] [GH#168] Allow ssl-enum-ciphers to run on non-typical ports when it is
selected by name. It will now send a service detection probe if the port is
not a typical SSL port and version scan (-sV) was not used. [Daniel Miller]
Nmap 6.49BETA3 [2015-06-25]
o [GH#166] Fix Ncat listen mode on Solaris and other platforms where struct sockaddr
does not have a sa_len member. This also affected use of the -p and -s
options. Brandon Haberfeld reported the crash. [Daniel Miller]
o [GH#164] Fix a Zenmap failure ot open on OS X with the error:
"dyld: Symbol not found: _iconv Referenced from: /usr/lib/libcups.2.dylib"
We had to remove the DYLD_LIBRARY_PATH environment variable from Reported by Robert Strom. [Daniel Miller]
o Report our https URL ( in more places rather than
our non-SSL one. [David Fifield]
o [NSE] Fix Diffie-Hellman parameter extraction in tls.lua. [Jacob Gajek]
Nmap 6.49BETA2 [2015-06-16]
o [GH#154] Fix a crash (assertion error) when Nmap receives an ICMP Host
Unreachable message.
o [GH#158] Fix a configure failure when Python is not present, but no Python
projects were requested. [Gioacchino Mazzurco]
o [GH#161] [Zenmap] Fix Zenmap on OS X which was failing with
zipimport.ZipImportError due to architecture mismatch.
o [NSE] Remove checks from dnsbl.lua, since the service was shut down.
[Forrest B.]
Nmap 6.49BETA1 [2015-06-03]
o Integrated all of your IPv4 OS fingerprint submissions from May 2014 to
February 2015 (1900+ of them). Added 281 fingerprints, bringing the new total
to 4766. Addtions include Linux 3.18, Windows 8.1, OS X 10.10, Android 5.0,
FreeBSD 10.1, OpenBSD 5.6, and more. Highlights: [Daniel Miller]
o Integrated all of your service/version detection fingerprints submitted from
June 2013 to February 2015 (2500+ of them). The signature count soared over
the 10000 mark, a 12% increase. We now detect 1062 protocols, from http,
telnet, and ftp to jute, bgp, and slurm. Highlights: [Daniel Miller]
o Integrated all of your IPv6 OS fingerprint submissions from June 2013 to
April 2015 (only 97 of them!). We are steadily improving the IPv6 database,
but we need your submissions. The classifier added 9 new groups, bringing the
new total to 90. Highlights: [Daniel
o Nmap now has an official bug tracker! We are using Github Issues, which you
can reach from We welcome your bug reports,
enhancement requests, and code submissions via the Issues and Pull Request
features of Github (, though the repository
itself is just a mirror of our authoritative Subversion repository.
o [Zenmap] New Chinese-language (zh) translation from Jie Jiang, new Hindi (hi)
translation by Gyanendra Mishra, and updated translations for German (de,
Chris Leick), Italian (it, Jan Reister), Polish (pl, Jacek Wielemborek), and
French (fr, MaZ)
o Added options --data <hex string> and --data-string <string> to send custom
payloads in scan packet data. [Jay Bosamiya]
o --reason is enabled for verbosity > 2, and now includes the TTL of received
packets in Normal output (this was already present in XML) [Jay Bosamiya]
o Fix ICMP Echo (-PE) host discovery for IPv6, broken since 6.45, caused by
failing to set the ICMP ID for outgoing packets which is used to match
incoming responses. [Andrew Waters]
o Solve a crash on Windows (reported on Windows 8.1 on Surface Pro 3) caused by
passing a NULL pointer to a WinPcap function that then tries to write an
error message to it. [Peter Malecka]
o Enhance Nmap's tcpwrapped service detection by using a shorter timeout for
the tcpwrapped designation. This prevents falsely labeling services as
tcpwrapped which merely have a read timeout shorter than 6 seconds. Full
discussion: [nnposter, Daniel Miller]
o All pages are now available SSL-secured to improve privacy
and ensure your binaries can't be tampered with in transit. So be
sure to download from . We will soon
remove the non-SSL version of the site. We still offer GPG-signed
binaries as well:
o [NSE] Added 25 NSE scripts from 17 authors, bringing the total up to 494!
They are all listed at, and the summaries are below
(authors are listed in brackets):
+ bacnet-info gets device information from SCADA/ICS devices via BACnet
(Building Automation and Control Networks) [Stephen Hilt, Michael Toecker]
+ docker-version detects and fingerprints Docker [Claudio Criscione]
+ enip-info gets device information from SCADA/ICS devices via EtherNet/IP
[Stephen Hilt]
+ fcrdns performs a Forward-confirmed Reverse DNS lookup and reports
anomalous results. [Daniel Miller]
+ http-avaya-ipoffice-users enumerates users in Avaya IP Office 7.x systems.
[Paulino Calderon]
+ http-cisco-anyconnect gets version and tunnel information from Cisco SSL
VPNs. [Patrik Karlsson]
+ http-crossdomainxml detects overly permissive crossdomain policies and
finds trusted domain names available for purchase. [Paulino Calderon]
+ http-shellshock detects web applications vulnerable to Shellshock
(CVE-2014-6271). [Paulino Calderon]
+ http-vuln-cve2006-3392 exploits a file disclosure vulnerability in Webmin.
[Paul AMAR]
+ http-vuln-cve2014-2126, http-vuln-cve2014-2127, http-vuln-cve2014-2128 and
http-vuln-cve2014-2129 detect specific vulnerabilities in Cisco AnyConnect
SSL VPNs. [Patrik Karlsson]
+ http-vuln-cve2015-1427 detects Elasticsearch servers vulnerable to remote
code execution. [Gyanendra Mishra]
+ http-vuln-cve2015-1635 detects Microsoft Windows systems vulnerable to
MS15-034. [Paulino Calderon]
+ http-vuln-misfortune-cookie detects the "Misfortune Cookie" vulnerability
in Allegro RomPager 4.07, commonly used in SOHO routers for TR-069 access.
[Andrew Orr]
+ http-wordpress-plugins was renamed http-wordpress-enum and extended to
enumerate both plugins and themes of Wordpress installations and their
versions. http-wordpress-enum is now http-wordpress-users. [Paulino Calderon]
+ mikrotik-routeros-brute performs password auditing attacks against
Mikrotik's RouterOS API. [Paulino Calderon]
+ omron-info gets device information from Omron PLCs via the FINS service.
[Stephen Hilt]
+ s7-info gets device information from Siemens PLCs via the S7 service,
tunneled over ISO-TSAP on TCP port 102. [Stephen Hilt]
+ snmp-info gets the enterprise number and other information from the
snmpEngineID in an SNMPv3 response packet. [Daniel Miller]
+ ssl-ccs-injection detects whether a server is vulnerable to the SSL/TLS
CCS Injection vulnerability (CVE-2014-0224) [Claudiu Perta]
+ ssl-poodle detects the POODLE bug in SSLv3 (CVE-2014-3566) [Daniel Miller]
+ supermicro-ipmi-conf exploits Supermicro IPMI/BMC controllers. [Paulino
+ targets-ipv6-map4to6 generates target IPv6 addresses which correspond to
IPv4 addresses mapped within a particular IPv6 subnet. [Raúl Fuentes]
+ targets-ipv6-wordlist generates target IPv6 addresses from a wordlist made
of hexadecimal characters. [Raúl Fuentes]
o Update our Windows build system to VS 2013 on Windows 8.1. Also, we now build
our included OpenSSL with DEP, ASLR, and SafeSEH enabled. [Daniel Miller]
o Our OS X installer is now built for a minimum supported version of 10.8
(Mountain Lion), a much-needed update from 10.5 (Leopard). Additionally,
OpenSSL is now statically linked, allowing us to distribute the latest from
Macports instead of being subjected to the 0.9.8 branch still in use as of
10.9. [Daniel Miller]
o Add 2 more ASCII-art configure splash images to be rotated randomly with the
traditional dragon image. New ideas for other images to use here may be sent
to [Jay Bosamiya, Daniel Miller]
o Solve a crash on Windows (reported on Windows 8.1 on Surface Pro 3) caused by
passing a NULL pointer to a WinPcap function that then tries to write an
error message to it. [Peter Malecka]
o Fix compilation and several bugs on AIX. [Daniel Miller]
o Fix a bug in libdnet-stripped on Solaris that resulted in the wrong MAC
address being detected for all interfaces. [Daniel Miller]
o New features for the IPv6 OS detection engine allow for better classification
of systems: IPv6 guessed initial hop limit (TTL) and ratio of TCP initial
window size to maximum segment size. [Alexandru Geana]
o [NSE] Rework ssl-enum-ciphers to actually score the strength of the SSL/TLS
handshake, including certificate key size and DH parameters if applicable.
This is similar to Qualys's SSL Labs scanner, and means that we no longer
maintain a list of scores per ciphersuite. [Daniel Miller]
o [NSE] Improved http-form-brute autodetection and behavior to handle more
unusual-but-valid HTML syntax, non-POST forms, success/failure testing on
HTTP headers, and more. [nnposter]
o [NSE] Reduce many NSE default timeouts and base them on Nmap's detected
timeouts for those hosts from the port scan phase. Scripts which take timeout
script-args can now handle 's' and 'ms' suffixes, just like Nmap's own
options. [Daniel Miller]
o [NSE] Remove db2-discover, as its functionality was performed by service
version detection since the broadcast portion was separated into
broadcast-db2-discover. [Daniel
o Cache dnet names not found on Windows when enumerating interfaces in the
Windows Registry. Reduces startup times. [Elon Natovich]
o [NSE] Make smb-ls able to leverage results from smb-enum-shares or list of
shares specified on command line. [Pierre Lalet]
o [NSE] Fix X509 cert date parsing for dates after 2049. Reported by Teppo
Turtiainen. [Daniel Miller]
o Handle a bunch of socket errors that can result from odd ICMP Type 3
Destination Unreachable messages received during service scanning. The crash
reported was "Unexpected error in NSE_TYPE_READ callback. Error code: 92
(Protocol not available)" [Daniel Miller]
o Fixed a crash (NULL pointer dereference) in PortList::isTCPwrapped when using
-sV and -O on an unknown service not listed in nmap-services. [Pierre Lalet]
o Fixed a benign TOCTOU race between stat() and open() in mmapfile().
Reported by Camille Mougey. [Henri Doreau]
o Reduce CPU consumption when using nsock poll engine with no registered FD,
by actually calling Poll() for the time until timeout, instead of directly
returning zero and entering the loop again. [Henri Doreau]
o Change the URI for the fingerprint submitter to its new location at
o [NSE] Added a check for Cisco ASA version disclosure, CVE-2014-3398, to
http-enum in the 'security' category [Daniel Miller]
o Fixed a bug that caused Nmap to fail to find any network interface when a
Prism interface is in monitor mode. The fix was to define the
ARP_HRD_IEEE80211_PRISM header identifier in the libdnet-stripped code.
[Brad Johnson]
o Added a version probe for Tor. [David Fifield]
o [NSE] Add support to citrix-enum-apps-xml for reporting if Citrix
published applications in the list are enforcing/requiring the level
of ICA/session data encryption shown in the script result.
[Tom Sellers]
o [NSE] Updated our Wordpress plugin list to improve the
http-wordpress-enum NSE script. We can now detect 34,077 plugins,
up from 18,570. [Danila Poyarkov]
o [NSE] Add the signature algorithm that was used to sign the target port's
x509 certificate to the output of ssl-cert.nse [Tom Sellers]
o [NSE] Fixed a bug in the sslcert.lua library that was triggered against
certain services when version detection was used. [Tom Sellers]
o [NSE] vulns.Report:make_output() now generates XML structured output
reports automatically. [Paulino Calderon]
o [NSE] Add port.reason_ttl, host.reason, host.reason_ttl for use in scripts
[Jay Bosamiya]
o [NSE] If a version script is run by name, nmap.version_intensity() returns
the maximum value (9) for it [Jay Bosamiya]
o [NSE] shortport.version_port_or_service() takes an optional rarity parameter
now to run only when version intensity > rarity [Jay Bosamiya]
o [NSE] Added nmap.version_intensity() function so that NSE version scripts
can use the argument to --version-intensity (which can be overridden by the
script arg 'script-intensity') in order to decide whether to run or not
[Jay Bosamiya]
o Improve OS detection; If a port is detected to be 'tcpwrapped', then it will
not be used for OS detection. This helps in cases where a firewall might be
the port to be 'tcpwrapped' [Jay Bosamiya]
o [Zenmap] Reduce noise generated in Topology View due to anonymous
hops [Jay Bosamiya]
o Added option --exclude-ports to Nmap so that some ports can be excluded from
scanning (for example, due to policy) [Jay Bosamiya]
o [Zenmap] Catch the MemoryError caused in Zenmap due to large Nmap Output,
and display a more helpful error message [Jay Bosamiya]
o Catch badly named output files (such as those unintentionally caused by
"-oX -sV logfile.xml") [Jay Bosamiya]
o [Zenmap] Improved NmapParser to increase speed in opening scans. Large scans
now open in seconds instead of hours. [Jay Bosamiya]
o Modify the included libpcap configure script to disable certain unused
features: bluetooth, usb, usb-can, and dbus sniffing. Dbus support caused a
build problem on CentOS 6.5. [Daniel Miller]
o Updated the bundled libpcap from 1.2.1 to 1.5.3 [Jay Bosamiya]
o Correct the Target MAC Address in Nmap's ARP discovery to conform to what IP
stacks in currently popular operating systems use. [Jay Bosamiya]
o Fixed a bug which caused Nmap to be unable to have any runtime interaction
when called from sudo or from a shell script. [Jay Bosamiya]
o Improvements to whois-ip.nse: fix an unhandled error when a referred-to
response could not be understood; add a new pattern to recognise a
LACNIC "record not found" type of response and update the way ARIN is
queried. [jah]
Nmap 6.47 [2014-08-23]
o Integrated all of your IPv4 OS fingerprint submissions since June 2013
(2700+ of them). Added 366 fingerprints, bringing the new total to 4485.
Additions include Linux 3.10 - 3.14, iOS 7, OpenBSD 5.4 - 5.5, FreeBSD 9.2,
OS X 10.9, Android 4.3, and more. Many existing fingerprints were improved.
Highlights: [Daniel Miller]
o (Windows, RPMs) Upgraded the included OpenSSL to version 1.0.1i. [Daniel Miller]
o (Windows) Upgraded the included Python to version 2.7.8. [Daniel Miller]
o Removed the External Entity Declaration from the DOCTYPE in Nmap's XML. This
was added in 6.45, and resulted in trouble for Nmap XML parsers without
network access, as well as increased traffic to Nmap's servers. The doctype
is now:
<!DOCTYPE nmaprun>
o [Ndiff] Fixed the installation process on Windows, which was missing the
actual Ndiff Python module since we separated it from the driver script.
[Daniel Miller]
o [Ndiff] Fixed the ndiff.bat wrapper in the zipfile Windows distribution,
which was giving the error, "\Microsoft was unexpected at this time." See [Daniel Miller]
o [Zenmap] Fixed the Zenmap .dmg installer for OS X. Zenmap failed to launch,
producing this error:
Could not import the zenmapGUI.App module:
'dlopen(/Applications/, 2):
Library not loaded: /Users/david/macports-10.5/lib/libffi.5.dylib\n
Referenced from:
Reason: image not found'.
o [Ncat] Fixed SOCKS5 username/password authentication. The password length was
being written in the wrong place, so authentication could not succeed.
Reported with patch by Pierluigi Vittori.
o Avoid formatting NULL as "%s" when running nmap --iflist. GNU libc converts
this to the string "(null)", but it caused segfault on Solaris. [Daniel Miller]
o [Zenmap][Ndiff] Avoid crashing when users have the antiquated PyXML package
installed. Python tries to be nice and loads it when we import xml, but it
isn't compatible. Instead, we force Python to use the standard library xml
module. [Daniel Miller]
o Handle ICMP admin-prohibited messages when doing service version detection.
Crash reported by Nathan Stocks was: Unexpected error in NSE_TYPE_READ
callback. Error code: 101 (Network is unreachable) [David Fifield]
o [NSE] Fix a bug causing http.head to not honor redirects. [Patrik Karlsson]
o [Zenmap] Fix a bug in DiffViewer causing this crash:
TypeError: GtkTextBuffer.set_text() argument 1 must be string or read-only
buffer, not NmapParserSAX
Crash happened when trying to compare two scans within Zenmap. [Daniel Miller]
Nmap 6.46 [2014-04-18]
o [NSE] Made numerous improvements to ssl-heartbleed to provide
more reliable detection of the vulnerability.
o [Zenmap] Fixed a bug which caused this crash message:
IOError: [Errno socket error] [Errno 10060] A connection attempt failed
because the connected party did not properly respond after a period of
time, or established connection failed because connected host has
failed to
The bug was caused by us adding a DOCTYPE definition to Nmap's XML
output which caused Python's XML parser to try and fetch the DTD
every time it parses an XML file. We now override that DTD-fetching
behavior. [Daniel Miller]
o [NSE] Fix some bugs which could cause snmp-ios-config and
snmp-sysdescr scripts to crash
( [Patrik Karlsson]
o [NSE] Improved performance of citrix.lua library when handling large XML
responses containing application lists. [Tom Sellers]
Nmap 6.45 [2014-04-11]
o Idle scan now supports IPv6. IPv6 packets don't usually come with
fragments identifiers like IPv4 packets do, so new techniques had to
be developed to make idle scan possible. The implementation is by
Mathias Morbitzer, who made it the subject of his master's thesis.
o When doing a ping scan (-sn), the --open option will prevent down hosts from
being shown when -v is specified. This aligns with similar output for other
scan types. [Daniel Miller]
o Fixed some syntax problems in nmap-os-db that were caused by some automated
merging of fingerprints ( [Daniel
o New service probes and fingerprints for Quake1, TeamSpeak3, xmlsysd,
Freelancer game server, All-Seeing Eye, AndroMouse, and AirHD.
o Update included WinPcap to version 4.1.3 [Rob Nicholls]
o [NSE] Convert many more scripts to emit structured XML output
( [Daniel Miller]
o [NSE] Added 24 NSE scripts from 12 authors, bringing the total up to 470.
They are all listed at, and the summaries are
below (authors are listed in brackets):
+ allseeingeye-info gathers information from games using this query protocol.
A version detection probe was also added. [Marin Maržić]
+ freelancer-info gathers information about the Freelancer game server. Also
added a related version detection probe and UDP protocol payload for
detecting the service. [Marin Maržić]
+ http-csrf detects Cross Site Request Forgeries (CSRF) vulnerabilities by
searching for CSRF tokens in HTML forms. [George Chatzisofroniou]
+ http-devframework finds out the technology behind the target website based
on HTTP headers, static URLs, and other content and resources. [George
+ http-dlink-backdoor detects DLink routers with firmware backdoor allowing
admin access over HTTP interface. [Patrik Karlsson]
+ http-dombased-xss finds potential DOM-based Cross-site Scripting (XSS)
vulnerabilities by searching for specific patterns in JavaScript resources.
[George Chatzisofroniou]
+ http-errors crawls for URIs that return error status codes (HTTP 400 and
above). [George Chatzisofroniou]
+ http-feed crawls a web site for Atom and RSS feeds. [George Chatzisofroniou]
+ http-iis-short-name-brute detects Microsoft IIS servers vulnerable to a
file/folder name disclosure and a denial of service vulnerability. The
script obtains the "shortnames" of the files and folders in the webroot
folder. [Paulino Calderon]
+ http-mobileversion-checker checks for mobile versions of web pages by
setting an Android User-Agent header and checking for HTTP redirects.
[George Chatzisofroniou]
+ http-ntlm-info gets server information from Web servers that require NTLM
authentication. [Justin Cacak]
+ http-referer-checker finds JavaScript resources that are included from other
domains, increasing a website's attack surface. [George Chatzisofroniou]
+ http-server-header grabs the Server header as a last-ditch effort to get a
software version. This can't be done as a softmatch because of the need to
match non-HTTP services that obey some HTTP requests. [Daniel Miller]
+ http-useragent-tester checks for sites that redirect common Web spider
User-Agents to a different page than browsers get. [George Chatzisofroniou]
+ http-vuln-cve2013-7091 (released as http-vuln-zimbra-lfi) looks for
CVE-2013-7091, a LFI vulnerability in Zimbra. [Paul AMAR, Ron Bowes]
+ http-xssed searches the database of Cross-site Scripting
vulnerabilities for previously-reported XSS vulnerabilities in the target.
[George Chatzisofroniou]
+ qconn-exec tests the QNX QCONN service for remote command execution.
[Brendan Coles]
+ quake1-info retrieves server and player information from Quake 1 game
servers. Reports potential DoS amplification factor. [Ulrik Haugen]
+ rfc868-time gets the date and time from an RFC 868 Time server. [Daniel
+ ssl-heartbleed detects the Heartbleed bug in OpenSSL CVE-2014-0160 [Patrik
+ sstp-discover discovers Microsoft's Secure Socket Tunnelling Protocol
( [Niklaus Schiess]
+ unittest runs unit tests found in NSE libraries. The corresponding
unittest.lua library has examples. Run `nmap --script=unittest -d` to run the tests. [Daniel Miller]
+ weblogic-t3-info detects the T3 RMI protocol used by Oracle/BEA Weblogic
and extracts the Weblogic version. [Alessandro Zanni, Daniel Miller]
+ whois-ip and whois-domain replace the whois script, which previously could
only collect whois info for IP addresses. [George Chatzisofroniou]
o [NSE] Fixed an error-handling bug in socks-open-proxy that caused it to fail
when scanning a SOCKS4-only proxy. Reported on IRC by Husky. [Daniel Miller]
o [NSE] Improved ntp-info script to handle underscores in returned
data. [nnposter]
o [NSE] Add unicode library for decoding and encoding UTF-8, UTF-16, CP437 and
other character sets to Unicode code points. Scripts that previously just
added or skipped nulls in UTF-16 data can use this to support non-ASCII
characters. [Daniel Miller]
o Significant code and documentation cleanup effort, fixing file encodings,
trailing whitespace, indentation, spelling mistakes, NSEdoc formatting
issues, PEP 8 compliance for Python, deprecation cleanup under python -3,
cleanup of warnings from LLVM's AddressSanitizer. [Daniel Miller]
o [Ncat] Added support for socks5 and corresponding regression tests.
[Marek Lukaszuk, Petr Stodulka]
o Added TCP support to dns.lua. [John Bond]
o Added safe fd_set operations. This makes nmap fail gracefully instead of
crashing when the number of file descriptors grows over FD_SETSIZE. Jacek
Wielemborek reported the crash. [Henri Doreau]
o [NSE] Added tls library for functions related to SSLv3 and TLS messages.
Existing ssl-enum-ciphers, ssl-date, and tls-nextprotoneg scripts were
updated to use this library. [Daniel Miller]
o Added NSE and Zenmap unit tests to "make check" [Daniel Miller]
o [NSE] Enable http-enum to use the large Nikto fingerprint database at runtime
if provided by the user. For licensing reasons, we do not distribute this
database, but the integration effort has the blessing of the Nikto folks.
[George Chatzisofroniou]
o Updated bundled liblua from 5.2.2 to 5.2.3 (bugfix release) [Daniel Miller]
o Added version detection signatures and probes for a bunch of Android
remote mouse/keyboard servers, including AndroMouse, AirHID,
Wifi-mouse, and RemoteMouse. [Paul Hemberger]
o [Ncat] Fixed compilation when --without-liblua is specified in
configure (an #include needed an ifdef guard). [Quentin Glidic]
o Fixed a bug in libdnet with handling interfaces with AF_LINK addresses on
FreeBSD >9 reported by idwer on IRC. Likely affected other *BSDs. Handled by
skipping these non-network addresses. [Daniel Miller]
o Fixed a bug with UDP checksum calculation. When the UDP checksum is zero
(0x0000), it must be transmitted as 1's-complement -0 (0xffff) to avoid
ambiguity with +0, which indicates no checksum was calculated. This affected
UDP on IPv4 only. Reported by Michael Weber. [Daniel Miller]
o [NSE] Removed a fixed value (28428) which was being set for the Request ID in
the snmpWalk library function; a value based on nmap.clock_ms will now be set
instead. [jah]
o The ICMP ID of ICMP probes is now matched against the sent ICMP ID,
to reduce the chance of false matches. Patch by Chris Johnson.
o [NSE] Made telnet-brute support multiple parallel guessing threads,
reuse connections, and support password-only logins. [nnposter]
o [NSE] Made the table returned by ssh1.fetch_host_key contain a "key"
element, like that of ssh2.fetch_host_key. This fixed a crash in the
ssh-hostkey script reported by Dan Farmer and Florian Pelgrim. The
"key" element of ssh2.fetch_host_key now is base64-encoded, to match
the format used by the known_hosts file. [David Fifield]
o [Nsock] Handle timers and timeouts via a priority queue (using a heap)
for improved performance. Nsock now only iterates over events which are
completed or expired instead of inspecting the entire event set at each
iteration. [Henri Doreau]
o [NSE] Update dns-cache-snoop script to use a new list of top 50
domains rather than a 2010 list. [Nicolle Neulist]
o [Zenmap] Fixed a crash that would happen when you entered a search
term starting with a colon: "AttributeError:
'FilteredNetworkInventory' object has no attribute 'match_'".
Reported by Kris Paernell. [David Fifield]
and NCAT_LOCAL_PORT environment variables being set in all --*-exec child
Nmap 6.40 [2013-07-29]
o [Ncat] Added --lua-exec. This feature is basically the equivalent of 'ncat
--sh-exec "lua <scriptname>"' and allows you to run Lua scripts with Ncat,
redirecting all stdin and stdout operations to the socket connection. See [Jacek Wielemborek]
o Integrated all of your IPv4 OS fingerprint submissions since January
(1,300 of them). Added 91 fingerprints, bringing the new total to 4,118.
Additions include Linux 3.7, iOS 6.1, OpenBSD 5.3, AIX 7.1, and more.
Many existing fingerprints were improved. Highlights: [David Fifield]
o Integrated all of your service/version detection fingerprints submitted
since January (737 of them)! Our signature count jumped by 273 to 8,979.
We still detect 897 protocols, from extremely popular ones like http, ssh,
smtp and imap to the more obscure airdroid, gopher-proxy, and
enemyterritory. Highlights: [David Fifield]
o Integrated your latest IPv6 OS submissions and corrections. We're still
low on IPv6 fingerprints, so please scan any IPv6 systems you own or
administer and submit them to Both new
fingerprints (if Nmap doesn't find a good match) and corrections (if Nmap
guesses wrong) are useful. [David Fifield]
o [Nsock] Added initial proxy support to Nsock. Nmap version detection
and NSE can now establish TCP connections through chains of one or
more CONNECT or SOCKS4 proxies. Use the Nmap --proxies option with a
chain of one or more proxies as the argument (example:
http://localhost:8080,socks4:// Note that
only version detection and NSE are supported so far (no port
scanning or host discovery), and there are other limitations
described in the man page. [Henri Doreau]
o [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 446.
They are all listed at, and the summaries are
below (authors are listed in brackets):
+ hostmap-ip2hosts finds hostnames that resolve to the target's IP address
by querying the online database at (uses Bing
search results) [Paulino Calderon]
+ http-adobe-coldfusion-apsa1301 attempts to exploit an authentication
bypass vulnerability in Adobe Coldfusion servers (APSA13-01: to
retrieve a valid administrator's session cookie. [Paulino Calderon]
+ http-coldfusion-subzero attempts to retrieve version, absolute path of
administration panel and the file '' from vulnerable
installations of ColdFusion 9 and 10. [Paulino Calderon]
+ http-comments-displayer extracts and outputs HTML and JavaScript
comments from HTTP responses. [George Chatzisofroniou]
+ http-fileupload-exploiter exploits insecure file upload forms in web
applications using various techniques like changing the Content-type
header or creating valid image files containing the payload in the
comment. [George Chatzisofroniou]
+ http-phpmyadmin-dir-traversal exploits a directory traversal
vulnerability in phpMyAdmin 2.6.4-pl1 (and possibly other versions) to
retrieve remote files on the web server. [Alexey Meshcheryakov]
+ http-stored-xss posts specially crafted strings to every form it
encounters and then searches through the website for those strings to
determine whether the payloads were successful. [George Chatzisofroniou]
+ http-vuln-cve2013-0156 detects Ruby on Rails servers vulnerable to
object injection, remote command executions and denial of service
attacks. (CVE-2013-0156) [Paulino Calderon]
+ ike-version obtains information (such as vendor and device type where
available) from an IKE service by sending four packets to the host.
This scripts tests with both Main and Aggressive Mode and sends multiple
transforms per request. [Jesper Kueckelhahn]
+ murmur-version detects the Murmur service (server for the Mumble voice
communication client) versions 1.2.X. [Marin Maržić]
+ mysql-enum performs valid-user enumeration against MySQL server using a
bug discovered and published by Kingcope
( [Aleksandar Nikolic]
+ teamspeak2-version detects the TeamSpeak 2 voice communication server
and attempts to determine version and configuration information. [Marin
+ ventrilo-info detects the Ventrilo voice communication server service
versions 2.1.2 and above and tries to determine version and
configuration information. [Marin Maržić]
o Updated the Nmap license agreement to close some loopholes and stop some
abusers. It's particularly targeted at companies which distribute
malware-laden Nmap installers as we caught doing last
year-- . The updated
license is in the all the normal places, including
o [NSE][SECURITY] Oops, there was a vulnerability in one of our 437 NSE scripts. If
you ran the (fortunately non-default) http-domino-enum-passwords script
with the (fortunately also non-default) domino-enum-passwords.idpath
parameter against a malicious server, it could cause an arbitrarily named
file to to be written to the client system. Thanks to Trustwave researcher
Piotr Duszynski for discovering and reporting the problem. We've fixed
that script, and also updated several other scripts to use a new
stdnse.filename_escape function for extra safety. This breaks our record
of never having a vulnerability in the 16 years that Nmap has existed, but
that's still a fairly good run! [David, Fyodor]
o Unicast CIDR-style IPv6 range scanning is now supported, so you can
specify targets such as Obviously it will take ages
if you specify a huge space. For example, a /64 contains
18,446,744,073,709,551,616 addresses. [David Fifield]
o It's now possible to mix IPv4 range notation with CIDR netmasks in target
specifications. For example, 192.168-170.4-100,200.5/16 is effectively the
same as 192.168.168-170.0-255.0-255. [David Fifield]
o Timeout script-args are now standardized to use the timespec that Nmap's
command-line arguments take (5s, 5000ms, 1h, etc.). Some scripts that
previously took an integer number of milliseconds will now treat that as a
number of seconds if not explicitly denoted as ms. [Daniel Miller]
o Nmap may now partially rearrange its target list for more efficient
host groups. Previously, a single target with a different interface,
or with an IP address the same as a that of a target already in the
group, would cause the group to be broken off at whatever size it
was. Now, we buffer a small number of such targets, and keep looking
through the input for more targets to fill out the current group.
[David Fifield]
o [Ncat] The -i option (idle timeout) now works in listen mode as well as
connect mode. [Tomas Hozza]
o [Ncat] Ncat now support chained certificates with the --ssl-cert
option. [Greg Bailey]
o [Nping] Nping now checks for a matching ICMP ID on echo replies, to avoid
receiving crosstalk from other ping programs running at the same
time. [David Fifield]
o [NSE] The ipOps.isPrivate library now considers the deprecated site-local
prefix fec0::/10 to be private. [Marek Majkowski]
o Nmap's routing table is now sorted first by netmask, then by metric.
Previously it was the other way around, which could cause a very general
route with a low metric to be preferred over a specific route with a
higher metric.
o Routes are now sorted to prefer those with a lower metric. Retrieval of
metrics is supported only on Linux and Windows. [David Fifield]
o Fixed a byte-ordering problem on little-endian architectures when doing
idle scan with a zombie that uses broken ID increments. [David Fifield]
o Stop parsing TCP options after reaching EOL in libnetutil. Bug reported by
Gustavo Moreira. [Henri Doreau]
o [NSE] The dns-ip6-arpa-scan script now optionally accepts "/" syntax for a
network mask. Based on a patch by Indula Nayanamith.
o [Ncat] Reduced the default --max-conns limit from 100 to 60 on Windows, to
stay within platform limitations. Suggested by Andrey Olkhin.
o Fixed IPv6 routing table alignment on NetBSD.
o Fixed our NSEDoc system so the author field uses UTF-8 and we can spell
people's name properly, even if they use crazy non-ASCII characters like
Marin Maržić. [David Fifield]
o UDP protocol payloads were added for detecting the Murmer service (a
server for the Mumble voice communication client) and TeamSpeak 2 VoIP
o [NSE] Added http-phpmyadmin-dir-traversal by Alexey Meshcheryakov.
o Updated libdnet to not SIOCIFNETMASK before SIOCIFADDR on OpenBSD. This
was reported to break on -current as of May 2013. [Giovanni Bechis]
o Fixed address matching for SCTP (-PY) ping. [Marin Maržić]
o Removed some non-ANSI-C strftime format strings ("%F") and
locale-dependent formats ("%c") from NSE scripts and libraries.
C99-specified %F was noticed by Alex Weber. [Daniel Miller]
o [Zenmap] Improved internationalization support:
+ Added Polish translation by Jacek Wielemborek.
+ Updated the Italian translation. [Giacomo]
o [Zenmap] Fixed internationalization files. Running in a language other
than the default English would result in the error "ValueError: too many
values to unpack". [David Fifield]
o [NSE] Updated the included Liblua from version 5.2.1 to 5.2.2. [Patrick
o [Nsock] Added a minimal regression test suite for Nsock. [Henri Doreau]
o [NSE] Updated the redis-brute and redis-info scripts to work against the
latest versions of redis server. [Henri Doreau]
o [Ncat] Fixed errors in connecting to IPv6 proxies. [Joachim Henke]
o [NSE] Updated hostmap-bfk to work with the latest version of their website
( [Paulino Calderon]
o [NSE] Added XML structured output support to:
+ xmpp-info, irc-info, sslv2, address-info [Daniel Miller]
+ hostmap-bfk, hostmap-robtex, hostmap-ip2hosts. [Paulino Calderon]
+ http-git.nse. [Alex Weber]
o Added new service probes for:
+ Erlang distribution nodes [Michael Schierl]
+ Minecraft servers. [Eric Davisson]
+ Hazelcast data grid. [Pavel Kankovsky]
o [NSE] Rewrote telnet-brute for better compatibility with a variety of
telnet servers. [nnposter]
o Fixed a regression that changed the number of delimiters in machine
output. [Daniel Miller]
o Fixed a regression in broadcast-dropbox-listener which prevented it from
producing output. [Daniel Miller]
o Handle ICMP type 11 (Time Exceeded) responses to port scan probes. Ports
will be reported as "filtered", to be consistent with existing Connect
scan results, and will have a reason of time-exceeded. DiabloHorn
reported this issue via IRC. [Daniel Miller]
o Add new decoders (BROWSER, DHCP6 and LLMNR) to broadcast-listener and
changed output of some of the decoders slightly. [Patrik Karlsson]
o The list of name servers on Windows now ignores those from inactive
interfaces. [David Fifield]
o Namespace the pipes used to communicate with subprocesses by PID, to avoid
multiple instances of Ncat from interfering with each other. Patch by
Andrey Olkhin.
o [NSE] Changed ip-geolocation-geoplugin to use the web service's new output
format. Reported by Robin Wood.
o Limited the number of open sockets in ultra_scan to FD_SETSIZE. Very fast
connect scans could write past the end of an fd_set and cause a variety of
nmap: bool ConnectScanInfo::clearSD(int): Assertion `numSDs > 0' failed.
select failed in do_one_select_round(): Bad file descriptor (9)
[David Fifield]
o Fixed a bug that prevented Nmap from finding any interfaces when one of
them had the type ARP_HDR_APPLETALK; this was the case for AppleTalk
interfaces. However, This support is not complete since AppleTalk
interfaces use different size hardware addresses than Ethernet. Nmap IP
level scans should work without any problem, please refer to the
'--send-ip' switch and to the following thread: This bug was reported by Steven
Gregory Johnson. [Daniel Miller]
o [Nping] Nping on Windows now skips localhost targets for privileged pings
on (with an error message) because those generally don't work. [David
o [Ncat] Ncat now keeps running in connect mode after receiving EOF from the
remote socket, unless --recv-only is in effect. [Tomas Hozza]
o Packet trace of ICMP packets now include the ICMP ID and sequence number
by default. [David Fifield]
o [NSE] Fixed various NSEDoc bugs found by David Matousek.
o [Zenmap] Zenmap now understands the NMAP_PRIVILEGED and NMAP_UNPRIVILEGED
environment variables. [Tyler Wagner]
o Added an ncat_assert macro. This is similar to assert(), but remains even
if NDEBUG is defined. Replaced all Ncat asserts with this. We also moved
operation with side effects outside of asserts as yet another layer of
bug-prevention [David Fifield].
o Added nmap-fo.xsl, contributed by Tilik Ammon. This converts Nmap XML into
XSL-FO, which can be converted into PDF using tools suck as Apache FOP.
o Increased the number of slack file descriptors not used during connect
scan. Previously, the calculation did not consider the descriptors used by
various open log files. Connect scans using a lot of sockets could fail
with the message "Socket creation in sendConnectScanProbe: Too many open
files". [David Fifield]
o Changed the --webxml XSL stylesheet to point to the new location of
nmap.xsl in the new repository (
It still may not work in web browsers due to same origin policy (see [David Fifield, Simon John]
o [NSE] The vulnerability library can now preserve vulnerability information
across multiple ports of the same host. The bug was reported by
iphelix. [Djalal Harouni]
o Removed the undocumented -q option, which renamed the nmap process to
something like "pine".
o Moved the Japanese man page from man1/jp to man1/ja. JP is a country code
while JA is a language code. Reported by Christian Neukirchen.
o [Nsock] Reworked the logging infrastructure to make it more flexible and
consistent. Updated Nmap, Nping and Ncat accordingly. Nsock log level can
now be adjusted at runtime by pressing d/D in nmap. [Henri Doreau, David
o [NSE] Fixed scripts using unconnected UDP sockets. The bug was reported by
Dhiru Kholia at [David Fifield]
o Made some changes to Ndiff to reduce parsing time when dealing with large
Nmap XML output files. [Henri Doreau]
o Clean up the source code a bit to resolve some false positive issues
identified by the Parfait static code analysis program. Oracle apparently
runs this on programs (including Nmap) that they ship with Solaris. See [David Fifield]
o [Zenmap] Fixed a crash that could be caused by opening the About dialog,
using the window manager to close it, and opening it again. This was
reported by Yashartha Chaturvedi and Jordan Schroeder. [David Fifield]
o [Ncat] Made exit with nonzero status if any tests
fail. This in turn causes "make check" to fail if any tests fail.
[Andreas Stieger]
o Fixed compilation with --without-liblua. The bug was reported by Rick
Farina, Nikos Chantziaras, and Alex Turbov. [David Fifield]
o Fixed CRC32c calculation (as used in SCTP scans) on 64-bit
platforms. [Pontus Andersson]
o [NSE] Added multicast group name output to
broadcast-igmp-discovery.nse. [Vasily Kulikov]
o [NSE] Added new fingerprints for http-enum: Sitecore, Moodle, typo3,
SquirrelMail, RoundCube. [Jesper Kückelhahn]
Nmap 6.25 [2012-11-29]
o [NSE] Added CPE to smb-os-discovery output.
o [Ncat] Fixed the printing of warning messages for large arguments to
the -i and -w options. [Michal Hlavinka]
o [Ncat] Shut down the write part of connected sockets in listen mode
when stdin hits EOF, just as was already done in connect mode.
[Michal Hlavinka]
o [Zenmap] Removed a crashing error that could happen when canceling a
"Print to File" on Windows:
Traceback (most recent call last):
File "zenmapGUI\MainWindow.pyo", line 831, in _print_cb
File "zenmapGUI\Print.pyo", line 156, in run_print_operation
GError: Error from StartDoc
This bug was reported by Imre Adácsi. [David Fifield]
o Added some new checks for failed library calls. [Bill Parker]
Nmap 6.20BETA1 [2012-11-16]
o Integrated all of your IPv4 OS fingerprint submissions since January
(more than 3,000 of them). Added 373 fingerprints, bringing the new
total to 3,946. Additions include Linux 3.6, Windows 8, Windows
Server 2012, Mac OS X 10.8, and a ton of new WAPs, printers,
routers, and other devices--including our first IP-enabled doorbell!
Many existing fingerprints were improved. [David Fifield]
o Integrated all of your service/version detection fingerprints
submitted since January (more than 1,500)! Our signature
count jumped by more than 400 to 8,645. We now detect 897
protocols, from extremely popular ones like http, ssh, smtp and imap
to the more obscure airdroid, gopher-proxy, and
enemyterritory. [David Fifield]
o Integrated your latest IPv6 OS submissions and corrections. We're
still low on IPv6 fingerprints, so please scan any IPv6 systems you
own or administer and submit them to Both
new fingerprints (if Nmap doesn't find a good match) and corrections
(if Nmap guesses wrong) are useful.
o Enabled support for IPv6 traceroute using UDP, SCTP, and IPProto
(Next Header) probes. Previously, only TCP and ICMP were
supported. [David Fifield]
o Scripts can now return a structured name-value table so that results
are query-able from XML output. Scripts can return a string as
before, or a table, or a table and a string. In this last case, the
table will go to XML output and the string will go to screen output.
See [Daniel
Miller, David Fifield, Patrick Donnelly]
o [Nsock] Added new poll and kqueue I/O engines for improved
performance on Windows and BSD-based systems including Mac OS X.
These are in addition to the epoll engine (used on Linux) and the
classic select engine fallback for other system. [Henri Doreau]
o [Ncat] Added support for Unix domain sockets. The new -U and
--unixsock options activate this mode. These provide compatibility
with Hobbit's original Netcat. [Tomas Hozza]
o Moved some Windows dependencies, including OpenSSL, libsvn, and the
vcredist files, into a new public Subversion directory
/nmap-mswin32-aux and moved it out of the source tarball. This
reduces the compressed tarball size from 22 MB to 8 MB and similarly
reduces the bandwidth and storage required for an svn checkout.
Folks who build Nmap on Windows will need to check out
/nmap-mswin32-aux along with /nmap as described at
o Many of the great features in this release were created by college
and grad students generously sponsored by Google's Summer of Code
program. Thanks, Google Open Source Department! This year's team
of five developers is introduced at and their successes
documented at
o [NSE] Replaced old RPC grinder (RPC enumeration, performed as part
of version detection when a port seems to run a SunRPC service) with
a faster and easier to maintain NSE-based implementation. This also
allowed us to remove the crufty old pos_scan scan engine. [Hani
o Updated our Nmap Scripting Engine to use Lua 5.2 (and then 5.2.1)
rather than 5.1. See for
details. [Patrick Donnelly]
o [NSE] Added 85(!) NSE scripts, bringing the total up to 433. They
are all listed at, and the summaries are
below (authors are listed in brackets):
+ ajp-auth retrieves the authentication scheme and realm of an AJP
service (Apache JServ Protocol) that requires authentication. The
Apache JServ Protocol is commonly used by web servers to
communicate with back-end Java application server
containers. [Patrik Karlsson]
+ ajp-brute performs brute force passwords auditing against the
Apache JServ protocol. [Patrik Karlsson]
+ ajp-headers performs a HEAD or GET request against either the root
directory or any optional directory of an Apache JServ Protocol
server and returns the server response headers. [Patrik Karlsson]
+ ajp-methods discovers which options are supported by the AJP
(Apache JServ Protocol) server by sending an OPTIONS request and
lists potentially risky methods. [Patrik Karlsson]
+ ajp-request requests a URI over the Apache JServ Protocol and
displays the result (or stores it in a file). Different AJP
methods such as; GET, HEAD, TRACE, PUT or DELETE may be
used. [Patrik Karlsson]
+ bjnp-discover retrieves printer or scanner information from a
remote device supporting the BJNP protocol. The protocol is known
to be supported by network based Canon devices. [Patrik Karlsson]
+ broadcast-ataoe-discover discovers servers supporting the ATA over
Ethernet protocol. ATA over Ethernet is an ethernet protocol
developed by the Brantley Coile Company and allows for simple,
high-performance access to SATA drives over Ethernet. [Patrik
+ broadcast-bjnp-discover attempts to discover Canon devices
(Printers/Scanners) supporting the BJNP protocol by sending BJNP
Discover requests to the network broadcast address for both ports
associated with the protocol. [Patrik Karlsson]
+ broadcast-eigrp-discovery performs network discovery and routing
information gathering through Cisco's EIGRP protocol. [Hani
+ broadcast-igmp-discovery discovers targets that have IGMP
Multicast memberships and grabs interesting information. [Hani
+ broadcast-pim-discovery discovers routers that are running PIM
(Protocol Independent Multicast). [Hani Benhabiles]
+ broadcast-tellstick-discover discovers Telldus Technologies
TellStickNet devices on the LAN. The Telldus TellStick is used to
wirelessly control electric devices such as lights, dimmers and
electric outlets. [Patrik Karlsson]
+ cassandra-brute performs brute force password auditing against the
Cassandra database. [Vlatko Kosturjak]
+ cassandra-info attempts to get basic info and server status from a
Cassandra database. [Vlatko Kosturjak]
+ cups-info lists printers managed by the CUPS printing
service. [Patrik Karlsson]
+ cups-queue-info Lists currently queued print jobs of the remote
CUPS service grouped by printer. [Patrik Karlsson]
+ dict-info Connects to a dictionary server using the DICT protocol,
runs the SHOW SERVER command, and displays the result. [Patrik
+ distcc-cve2004-2687 detects and exploits a remote code execution
vulnerability in the distributed compiler daemon distcc. [Patrik
+ dns-check-zone checks DNS zone configuration against best
practices, including RFC 1912. The configuration checks are
divided into categories which each have a number of different
tests. [Patrik Karlsson]
+ dns-ip6-arpa-scan performs a quick reverse DNS lookup of an IPv6
network using a technique which analyzes DNS server response codes
to dramatically reduce the number of queries needed to enumerate
large networks. [Patrik Karlsson]
+ dns-nsec3-enum tries to enumerate domain names from the DNS server
that supports DNSSEC NSEC3 records. [Aleksandar Nikolic, John
+ eppc-enum-processes attempts to enumerate process info over the
Apple Remote Event protocol. When accessing an application over
the Apple Remote Event protocol the service responds with the uid
and pid of the application, if it is running, prior to requesting
authentication. [Patrik Karlsson]
+ firewall-bypass detects a vulnerability in Netfilter and other
firewalls that use helpers to dynamically open ports for protocols
such as ftp and sip. [Hani Benhabiles]
+ flume-master-info retrieves information from Flume master HTTP
pages. [John R. Bond]
+ gkrellm-info queries a GKRellM service for monitoring
information. A single round of collection is made, showing a
snapshot of information at the time of the request. [Patrik
+ gpsd-info retrieves GPS time, coordinates and speed from the GPSD
network daemon. [Patrik Karlsson]
+ hostmap-robtex discovers hostnames that resolve to the target's IP
address by querying the Robtex service at [Arturo Busleiman]
+ http-drupal-enum-users enumerates Drupal users by exploiting a an
information disclosure vulnerability in Views, Drupal's most
popular module. [Hani Benhabiles]
+ http-drupal-modules enumerates the installed Drupal modules by
using a list of known modules. [Hani Benhabiles]
+ http-exif-spider spiders a site's images looking for interesting
exif data embedded in .jpg files. Displays the make and model of
the camera, the date the photo was taken, and the embedded geotag
information. [Ron Bowes]
+ http-form-fuzzer performs a simple form fuzzing against forms
found on websites. Tries strings and numbers of increasing length
and attempts to determine if the fuzzing was successful. [Piotr
+ http-frontpage-login checks whether target machines are vulnerable
to anonymous Frontpage login. [Aleksandar Nikolic]
+ http-git checks for a Git repository found in a website's document
root (/.git/<something>) then retrieves as much repo
information as possible, including language/framework, Github
username, last commit message, and repository description. [Alex
+ http-gitweb-projects-enum retrieves a list of Git projects, owners
and descriptions from a gitweb (web interface to the Git revision
control system). [riemann]
+ http-huawei-hg5xx-vuln detects Huawei modems models HG530x,
HG520x, HG510x (and possibly others...) vulnerable to a remote
credential and information disclosure vulnerability. It also
extracts the PPPoE credentials and other interesting configuration
values. [Paulino Calderon]
+ http-icloud-findmyiphone retrieves the locations of all "Find my
iPhone" enabled iOS devices by querying the MobileMe web service
(authentication required). [Patrik Karlsson]
+ http-icloud-sendmsg sends a message to a iOS device through the
Apple MobileMe web service. The device has to be registered with
an Apple ID using the Find My iPhone application. [Patrik
+ http-phpself-xss crawls a web server and attempts to find PHP
files vulnerable to reflected cross site scripting via the
variable $_SERVER["PHP_SELF"]. [Paulino Calderon]
+ http-rfi-spider crawls webservers in search of RFI (remote file
inclusion) vulnerabilities. It tests every form field it finds and
every parameter of a URL containing a query. [Piotr Olma]
+ http-robtex-shared-ns Finds up to 100 domain names which use the
same name server as the target by querying the Robtex service at [Arturo Busleiman]
+ http-sitemap-generator spiders a web server and displays its
directory structure along with number and types of files in each
folder. Note that files listed as having an 'Other' extension are
ones that have no extension or that are a root document. [Piotr
+ http-slowloris-check tests a web server for vulnerability to the
Slowloris DoS attack without actually launching a DoS
attack. [Aleksandar Nikolic]
+ http-slowloris tests a web server for vulnerability to the
Slowloris DoS attack by launching a Slowloris attack. [Aleksandar
Nikolic, Ange Gutek]
+ http-tplink-dir-traversal exploits a directory traversal
vulnerability existing in several TP-Link wireless
routers. Attackers may exploit this vulnerability to read any of
the configuration and password files remotely and without
authentication. [Paulino Calderon]
+ http-traceroute exploits the Max-Forwards HTTP header to detect
the presence of reverse proxies. [Hani Benhabiles]
+ http-virustotal checks whether a file has been determined as
malware by virustotal. Virustotal is a service that provides the
capability to scan a file or check a checksum against a number of
the major antivirus vendors. [Patrik Karlsson]
+ http-vlcstreamer-ls connects to a VLC Streamer helper service and
lists directory contents. The VLC Streamer helper service is used
by the iOS VLC Streamer application to enable streaming of
multimedia content from the remote server to the device. [Patrik
+ http-vuln-cve2010-0738 tests whether a JBoss target is vulnerable
to jmx console authentication bypass (CVE-2010-0738). [Hani
+ http-waf-fingerprint Tries to detect the presence of a web
application firewall and its type and version. [Hani Benhabiles]
+ icap-info tests a list of known ICAP service names and prints
information about any it detects. The Internet Content Adaptation
Protocol (ICAP) is used to extend transparent proxy servers and is
generally used for content filtering and antivirus
scanning. [Patrik Karlsson]
+ ip-forwarding detects whether the remote device has ip forwarding
or "Internet connection sharing" enabled, by sending an ICMP echo
request to a given target using the scanned host as default
gateway. [Patrik Karlsson]
+ ipv6-ra-flood generates a flood of Router Advertisements (RA) with
random source MAC addresses and IPv6 prefixes. Computers, which
have stateless autoconfiguration enabled by default (every major
OS), will start to compute IPv6 suffix and update their routing
table to reflect the accepted announcement. This will cause 100%
CPU usage on Windows and platforms, preventing to process other
application requests. [Adam Stevko]
+ irc-sasl-brute performs brute force password auditing against IRC
(Internet Relay Chat) servers supporting SASL
authentication. [Piotr Olma]
+ isns-info lists portals and iSCSI nodes registered with the
Internet Storage Name Service (iSNS). [Patrik Karlsson]
+ jdwp-exec attempts to exploit java's remote debugging port. When
remote debugging port is left open, it is possible to inject java
bytecode and achieve remote code execution. This script abuses
this to inject and execute a Java class file that executes the
supplied shell command and returns its output. [Aleksandar
+ jdwp-info attempts to exploit java's remote debugging port. When
remote debugging port is left open, it is possible to inject java
bytecode and achieve remote code execution. This script injects
and execute a Java class file that returns remote system
information. [Aleksandar Nikolic]
+ jdwp-inject attempts to exploit java's remote debugging port.
When remote debugging port is left open, it is possible to inject
java bytecode and achieve remote code execution. This script
allows injection of arbitrary class files. [Aleksandar Nikolic]
+ llmnr-resolve resolves a hostname by using the LLMNR (Link-Local
Multicast Name Resolution) protocol. [Hani Benhabiles]
+ mcafee-epo-agent check if ePO agent is running on port 8081 or
port identified as ePO Agent port. [Didier Stevens and Daniel
+ metasploit-info gathers info from the Metasploit RPC service. It
requires a valid login pair. After authentication it tries to
determine Metasploit version and deduce the OS type. Then it
creates a new console and executes few commands to get additional
info. [Aleksandar Nikolic]
+ metasploit-msgrpc-brute performs brute force username and password
auditing against Metasploit msgrpc interface. [Aleksandar Nikolic]
+ mmouse-brute performs brute force password auditing against the
RPA Tech Mobile Mouse servers. [Patrik Karlsson]
+ mmouse-exec connects to an RPA Tech Mobile Mouse server, starts an
application and sends a sequence of keys to it. Any application
that the user has access to can be started and the key sequence is
sent to the application after it has been started. [Patrik
+ mrinfo queries targets for multicast routing information. [Hani
+ msrpc-enum queries an MSRPC endpoint mapper for a list of mapped
services and displays the gathered information. [Aleksandar
+ ms-sql-dac queries the Microsoft SQL Browser service for the DAC
(Dedicated Admin Connection) port of a given (or all) SQL Server
instance. The DAC port is used to connect to the database instance
when normal connection attempts fail, for example, when server is
hanging, out of memory or in other bad states. [Patrik Karlsson]
+ mtrace queries for the multicast path from a source to a
destination host. [Hani Benhabiles]
+ mysql-dump-hashes dumps the password hashes from an MySQL server
in a format suitable for cracking by tools such as John the
Ripper. Appropriate DB privileges (root) are required. [Patrik
+ mysql-query runs a query against a MySQL database and returns the
results as a table. [Patrik Karlsson]
+ mysql-vuln-cve2012-2122 attempts to bypass authentication in MySQL
and MariaDB servers by exploiting CVE2012-2122. If its vulnerable,
it will also attempt to dump the MySQL usernames and password
hashes. [Paulino Calderon]
+ oracle-brute-stealth exploits the CVE-2012-3137 vulnerability, a
weakness in Oracle's O5LOGIN authentication scheme. The
vulnerability exists in Oracle 11g R1/R2 and allows linking the
session key to a password hash. [Dhiru Kholia]
+ pcanywhere-brute performs brute force password auditing against
the pcAnywhere remote access protocol. [Aleksandar Nikolic]
+ rdp-enum-encryption determines which Security layer and Encryption
level is supported by the RDP service. It does so by cycling
through all existing protocols and ciphers. [Patrik Karlsson]
+ rmi-vuln-classloader tests whether Java rmiregistry allows class
loading. The default configuration of rmiregistry allows loading
classes from remote URLs, which can lead to remote code
execution. The vendor (Oracle/Sun) classifies this as a design
feature. [Aleksandar Nikolic]
+ rpc-grind fingerprints the target RPC port to extract the target
service, RPC number and version. [Hani Benhabiles]
+ sip-call-spoof spoofs a call to a SIP phone and detects the action
taken by the target (busy, declined, hung up, etc.) [Hani
+ sip-methods enumerates a SIP Server's allowed methods (INVITE,
OPTIONS, SUBSCRIBE, etc.) [Hani Benhabiles]
+ smb-ls attempts to retrieve useful information about files shared
on SMB volumes. The output is intended to resemble the output of
the UNIX <code>ls</code> command. [Patrik Karlsson]
+ smb-print-text attempts to print text on a shared printer by
calling Print Spooler Service RPC functions. [Aleksandar Nikolic]
+ smb-vuln-ms10-054 tests whether target machines are vulnerable to
the ms10-054 SMB remote memory corruption
vulnerability. [Aleksandar Nikolic]
+ smb-vuln-ms10-061 tests whether target machines are vulnerable to
ms10-061 Printer Spooler impersonation vulnerability. [Aleksandar
+ snmp-hh3c-logins attempts to enumerate Huawei / HP/H3C Locally
Defined Users through the hh3c-user.mib OID [Kurt Grutzmacher]
+ ssl-date retrieves a target host's time and date from its TLS
ServerHello response. [Aleksandar Nikolic]
+ tls-nextprotoneg enumerates a TLS server's supported protocols by
using the next protocol negotiation extension. [Hani Benhabiles]
+ traceroute-geolocation lists the geographic locations of each hop
in a traceroute and optionally saves the results to a KML file,
plottable on Google earth and maps. [Patrik Karlsson]
o [NSE] Added 12 new protocol libraries, bring our total to 105! Here
they are, with authors enclosed in brackets:
+ ajp (Apache JServ Protocol) [Patrik Karlsson]
+ base32 (Base32 encoding/decoding - RFC 4648) [Philip Pickering]
+ bjnp (Canon BJNP printer/scanner discovery protocol) [Patrik Karlsson]
+ cassandra (Cassandra database protocol) [Vlatko Kosturjak]
+ eigrp (Cisco Enhanced Interior Gateway Routing Protocol) [Hani Benhabiles]
+ gps (Global Positioning System - does GPRMC NMEA decoding) [Patrik Karlsson]
+ ipp (CUPS Internet Printing Protocol) [Patrik Karlsson]
+ isns (Internet Storage Name Service) [Patrik Karlsson]
+ jdwp (Java Debug Wire Protocol) [Aleksandar Nikolic]
+ mobileme (a service for managing Apple/Mac devices) [Patrik Karlsson]
+ ospf (Open Shortest Path First routing protocol) [Patrik Karlsson]
+ rdp (Remote Desktop Protocol) [Patrik Karlsson]
o Added Common Platform Enumeration (CPE) identifiers to nearly 1,000
more OS detection signatures. Nmap 6.01 had them for 2,608 of 3,572
fingerprints (73%) and now we have them for 3,558 out of 3,946
(90%). [David Fifield]
o Scans that use OS sockets (including TCP connect scan, version
detection, and script scan) now use the SO_BINDTODEVICE sockopt on
Linux, so that the -e (select network device) option is
honored. [David Fifield]
o [Zenmap] Host filters can now do negative matching, for example you
can use "os:!linux" to match hosts NOT detected as Linux. [Daniel
o Fixed a bug that caused an incorrect source address to be set when
scanning certain addresses (apparently those ending in .0) on
Windows XP. The symptom of this bug was the messages
get_srcaddr: can't connect socket: The requested address is not valid in its context.
Failed to convert source address to presentation format!?! Error: Unknown error
Thanks to Robert Washam and Jorge Hernandez for reports and help
debugging. [David Fifield]
o Upgraded the included OpenSSL to version 1.0.1c. [David Fifield]
o [NSE] Added changes to brute and unpwdb libraries to allow more
flexible iterator specification and control. [Aleksandar Nikolic]
o Tested that our WinPcap installer works on Windows 8 and Windows
Server 2012 build 8400. Updated to installer text to recommend that
users select the option to start 'NPF' at startup. [Rob Nicholls]
o Changed libdnet's routing interface to return an interface name for
each route on the most common operating systems. This is used to
improve the quality of Nmap's matching of routes to interfaces,
which was previously done by matching routes to interface addresses.
[Djalal Harouni, David Fifield]
o Fixed a bug that prevented Nmap from finding any interfaces when one
of them had the type ARPHDR_INFINIBAND; this was the case for
IP-over-InfiniBand interfaces. However, This support is not complete
since IPoIB interfaces use 20 bytes for the hardware address, and
currently we only report and handle 6 bytes.
Nmap IP level scans should work without any problem, please refer to
the '--send-ip' switch and to the following thread:
This bug was reported by starlight.2012q3. [Djalal Harouni]
o Fixed a bug that prevented Nmap from finding any interfaces when one
of them had the type ARPHDR_IEEE80211; this was the case for wireless
interfaces operating in access point mode. This bug was reported by
Sebastiaan Vileijn. [Djalal Harouni]
o Updated the Zenmap desktop icons on Windows, Linux, and Mac with higher
resolution ones. [Sean Rivera, David Fifield]
o [NSE] Script results for a host or service are now sorted
alphabetically by script name. [Sean Rivera]
o Fixed a bug that prevented Nmap from finding any interfaces when any
interface had the type ARPHRD_VOID; this was the case for OpenVZ
venet interfaces. [Djalal Harouni, David Fifield]
o Linux unreachable routes are now properly ignored. [David Fifield]
o Added Dan Miller as an Nmap committer. He has done a ton of great
work on Nmap, as you can see by searching for him in this CHANGELOG
or reading the Nmap committers list at .
o Added a new --disable-arp-ping option. This option prevents Nmap
from implicitly using ARP or ND host discovery for discovering
directly connected Ethernet targets. This is useful in networks
using proxy ARP, which make all addresses appear to be up using ARP
scan. The previously recommended workaround for this situation,
--send-ip, didn't work on Windows because that lame excuse for an
operating system is still missing raw socket support. [David
Fifield (editorializing added by Fyodor)]
o Protocol scan (-sO) probes for TCP, UDP, and SCTP now go to ports
80, 40125, and 80 respectively, instead of being randomly generated
or going to the same port as the source port. [David Fifield]
o The Nmap --log-errors functionality (including errors and warnings
in the normal-format output file) is now always true, whether you
pass that option or not. [Sean Rivera]
o [NSE] Rewrote ftp-brute script to use the brute library for
performing password auditing. [Aleksandar Nikolic]
o Reduced the size of Port structures by about two thirds (from 176 to
64 bytes on x86_64). They had accidentally grown during the IPv6
code merge. [David Fifield]
o Made source port numbers (used to encode probe metadata) increment
so as not to overlap between different scanning phases. Previously
it was possible for an RST response to an ACK probe from host
discovery to be misinterpreted as a reply to a SYN probe from port
scanning. [Sean Rivera, David Fifield]
o [NSE] Added support for ECDSA keys to ssh-hostkey.nse. [Adam Števko]
o Changed the CPE for Linux from cpe:/o:linux:kernel to
cpe:/o:linux:linux_kernel to reflect deprecation in the official CPE
o Added some additional CPE entries to nmap-service-probes.
[Dillon Graham]
o Fixed an assertion failure with IPv6 traceroute trying to use an
unsupported protocol:
nmap: virtual unsigned char*
UDPProbe::build_packet(const sockaddr_storage*, u32*) const: Assertion
`source->ss_family == 2' failed.
This was reported by Pierre Emeriaud. [David Fifield]
o Added version detection signatures for half a dozen new or changed
products. [Tom Sellers]
o Fixed protocol number-to-name mapping. A patch was contributed by
o [NSE] The nmap.ip_send function now takes a second argument, the
destination to send to. Previously the destination address was taken
from the packet buffer, but this failed for IPv6 link-local
addresses, because the scope ID is not part of the packet. Calling
ip_send without a destination address will continue to use the old
behavior, but this practice is deprecated.
o Increased portability of configure scripts on systems using a libc
other than Glibc. Several problems were reported by John Spencer.
o [NSE] Fixed a bug in rpc-grind.nse that would cause unresponsive UDP
ports to be wrongly marked open. This was reported by Christopher
Clements. [David Fifield]
o [Ncat] Close connection endpoint when receiving EOF on
stdin. [Michal Hlavinka].
o Fixed interface listing on NetBSD. The bug was first noticed by
Fredrik Pettai and diagnosed by Jan Schaumann. [David Fifield]
o [Ncat] Applied a blocking-socket workaround for a bug that could
prevent some sends from working in listen mode. The problem was
reported by Jonas Wielicki. [Alex Weber, David Fifield]
o [NSE] Updated mssql.lua library to support additional data types,
enhanced some of the existing data types, added the DoneProc
response token, and reordered code for maintainability. [Tom
o [Nping] Nping now prints out an error and exists when the user tries to use
the -p flag for a scan option where that is meaningless. [Sean Rivera]
o [NSE] Added spoolss functions and constants to msrpc.lua. [Aleksandar Nikolic]
o [NSE] Reduced the number of names tried by http-vhosts by default.
[Vlatko Kosturjak]
o [Zenmap] Fixed a crash when using the en_NG locale: "ValueError:
unknown locale: en_NG" [David Fifield]
o [NSE] Fixed some bugs in snmp-interfaces which prevented the script from
outputting discovered interface info and caused it to abort in the
pre-scanning phase. [jah]
o [NSE] Do a connect on rpc-grind (rpc.lua) UDP sockets so that socket_lock
is invoked. This is necessary to avoid "Too many open files" errors if
RPC grind creates an excessive number of sockets. We should have a
cleaner general solution for this, and not require scripts to "connect"
their unconnected UDP sockets. But there may be a good reason for
enforcing socket locking only on connect, not on creation. [David Fifield]
o [NSE] lltd-discovery scripts now parses for hostnames and outputs network
card manufacturer. [Hani Benhabiles]
o Added protocol specific payloads for IPv6 hop-by-hop (0x00), routing (0x2b),
fragment (0x2c), and destination (0x3c). [Sean Rivera]
o [NSE] Added support for decoding OSPF Hello packets to broadcast-listener.
[Hani Benhabiles]
o [NSE] Fixed a false positive in http-vuln-cve2011-3192.nse, which detected
Apache 2.2.22 as vulnerable. [Michael Meyer]
o [NSE] Modified multiple scripts that operated against HTTP based services
so as to remove false positives that were generated when the target service
answers with a 200 response to all requests. [Tom Sellers]
o [NSOCK] Fixed an epoll-engine-specific bug. The engine didn't recognized FDs
that were internally closed and replaced by other ones. This happened during
reconnect attempts. Also, the IOD flags were not properly cleared.
[Henri Doreau, Daniel Miller]
o Added support for log type bitmasks in log_vwrite(). Also replaced a fatal()
statement by an assert(0) to get rid of a possible infinite call loop when
passed an invalid log type. [Henri Doreau]
o Added handling for the unexpected error WSAENETRESET (10052). This error is
currently wrapped in the ifdef for WIN32 as there error appears to be unique
to windows [Sean Rivera]
o [NSE] Added default values for Expires, Call-ID, Allow and Content-Length
headers in SIP requests and removed redundant code in sip library.
[Hani Benhabiles]
o [NSE] Calling methods of unconnected sockets now causes the usual
error code return value, instead of raising a Lua error. The problem
was noticed by Daniel Miller. [David Fifield]
o [NSE] Added AUTH_UNIX support to the rpc library and NFS scripts.
[Daniel Miller]
o [Zenmap] Fixed a crash in the profile editor that would happen when
the nmap binary couldn't be found. [David Fifield]
o Made the various Makefiles' treatment of makefile.dep uniform:
"make clean" keeps the file and "make distclean" deletes it.
[Michael McTernan]
o [NSE] Fixed dozens of scripts and libraries to work better on
system which don't have OpenSSL available. [Patrik Karlsson]
o [Ncat] --output logging now works in UDP mode. Thanks to Michal
Hlavinka for reporting the bug. [David Fifield]
o [NSE] More Windows 7 and Windows 2008 fixes for the smb library and smb-ls
scripts. [Patrik Karlsson]
o [NSE] Added SPNEGO authentication supporting Windows 7 and Windows 2008 to
the smb library. [Patrik Karlsson]
o [NSE] Changed http-brute so that it works against the root path
("/") by default rather than always requiring the http-brute.path
script argument. [Fyodor]
o [NSE] Applied patch from Daniel Miller that fixes bug in several scripts and
libraries [Daniel Miller]
o [Zenmap] Added Italian translation by Francesco Tombolini and
Japanese translation by Yujiy Tounai. Some typos in the Japanese
translation were corrected by OKANO Takayoshi.
o [NSE] Rewrote mysql-brute to use brute library [Aleksandar Nikolic]
o Improved the mysql library to handle multiple columns with the same name,
added a formatResultset function to format a query response to a table
suitable for script output. [Patrik Karlsson]
o The message "nexthost: failed to determine route to ..." is now a
warning rather than a fatal error. Addresses that are skipped in
this way are recorded in the XML output as "target" elements. [David
o [NSE] targets-sniffer now is capable of sniffing IPv6 addresses.
[Daniel Miller]
o [NSE] Ported the pop3-brute script to use the brute library.
[Piotr Olma]
o [NSE] Added an error message indicating script failure, when Nmap is being
run in non verbose/debug mode. [Patrik Karlsson]
o Service-scan information is now included in XML and grepable output
even if -sV wasn't used. This information can be set by scripts in the
absence of -sV. [Daniel Miller]
Nmap 6.01 [2012-06-16]
o [Zenmap] Fixed a hang that would occur on Mac OS X 10.7. A symptom
of the hang was this message in the system console:
"Couldn't recognize the image file format for file
[David Fifield]
o [Zenmap] Fixed a crash that happened when activating the host filter.
File "zenmapCore\SearchResult.pyo", line 155, in match_os
KeyError: 'osmatches'
o Fixed an error that occurred when scanning certain addresses like on Windows XP:
get_srcaddr: can't connect socket: The requested address is not valid in its context.
nexthost: failed to determine route to
[David Fifield]
o Fixed a bug that caused Nmap to fail to find any network interface when
at least one of them is in the monitor mode. The fix was to define the
ARP_HRD_IEEE80211_RADIOTAP 802.11 radiotap header identifier in the
libdnet-stripped code. Network interfaces that are in this mode are used
by radiotap for 802.11 frame injection and reception. The bug was
reported by Tom Eichstaedt and Henri Doreau.
[Djalal Harouni, Henri Doreau]
o Fixed the greppable output of hosts that time-out (when --host-timeout was
used and the host timed-out after something was received from that host).
This issue was reported by Matthew Morgan. [jah]
o [Zenmap] Updated the version of Python used to build the Windows
release from 2.7.1 to 2.7.3 to remove a false-positive security
alarm flagged by tools such as Secunia PSI. There was a minor
vulnerability in certain Python27.dll web functionality (which Nmap
doesn't use anyway) and Secunia was flagging all software which
includes that version of Python27.dll. This update should prevent
the false alarm.
Nmap 6.00 [2012-05-21]
o Most important release since Nmap 5.00 in July 2009! For a list of
the most significant improvements and new features, see the
announcement at:
o In XML output, "osclass" elements are now child elements of the
"osmatch" they belong to. Old output was thus:
New output is:
The option --deprecated-xml-osclass restores the old output, in case
you use an Nmap XML parser that doesn't understand the new
structure. The xmloutputversion has been increased to 1.04.
o Added a new "target" element to XML output that indicates when a
target specification was ignored, perhaps because of a syntax error
or DNS failure. It looks like this:
<target specification="" status="skipped" reason="invalid"/>
[David Fifield]
o [NSE] Added the script samba-vuln-cve-2012-1182 which detects the
SAMBA pre-auth remote root vulnerability (CVE-2012-1182).
[Aleksandar Nikolic]
o [NSE] Added http-vuln-cve2012-1823.nse, which checks for PHP CGI
installations with a remote code execution vulnerability. [Paulino
o [NSE] Added script targets-ipv6-mld that sends a malformed ICMP6 MLD Query
to discover IPv6 enabled hosts on the LAN. [Niteesh Kumar]
o [NSE] Added rdp-vuln-ms12-020.nse by Aleksandar Nikolic. This tests
for two Remote Desktop vulnerabilities, including one allowing
remote code execution, that were fixed in the MS12-020 advisory.
o [NSE] Added a stun library and the scripts stun-version and stun-info, which
extract version information and the external NAT:ed address.
[Patrik Karlsson]
o [NSE] Added the script duplicates which attempts to determine duplicate
hosts by analyzing information collected by other scripts. [Patrik Karlsson]
o Fixed the routing table loop on OS X so that on-link routes appear.
Previously, they were ignored so that things like ARP scan didn't
work. [Patrik Karlsson, David Fifield]
o Upgraded included libpcap to version 1.2.1.
o [NSE] Added ciphers from RFC 5932 and Fortezza-based ciphers to
ssl-enum-ciphers.nse. The patch was submitted by Darren McDonald.
o [NSE] Renamed hostmap.nse to hostmap-bfk.nse.
o Fixed a compilation problem on Solaris 9 caused by a missing
definition of IPV6_V6ONLY. Reported by Dagobert Michelsen.
o Setting --min-parallelism by itself no longer forces the maximum
parallelism to the same value. [Chris Woodbury, David Fifield]
o Changed XML output to show the "service" element whenever a tunnel
is discovered for a port, even if the service behind it was unknown.
[Matt Foster]
o [Zenmap] Fixed a crash that would happen in the profile editor when
the script.db file doesn't exist. The bug was reported by Daniel
o [Zenmap] It is now possible to compare scans having the same name or
command line parameters. [Jah, David Fifield]
o Fixed an error that could occur with ICMPv6 probes and -d4 debugging:
"Unexpected probespec2ascii type encountered" [David Fifield]
o [NSE] Added new script http-chrono, which measures min, max and average
response times of web servers. [Ange Gutek]
o Applied a workaround to make pcap captures work better on Solaris
10. This involves peeking at the pcap buffer to ensure that captures
are not being lost. A symptom of the previous behavior was that,
when doing ARP host discovery against two targets, only one would be
reported as up. [David Fifield]
o Fixed a bug that could cause Nsock timers to fire too early. This
could happen for the timed probes in IPv6 OS detection, causing an
incorrect measurement of the TCP_ISR feature. [David Fifield]
o [Zenmap] We now build on Windows with a newer version of PyGTK, so
copy and paste should work again.
o Changed the way timeout calculations are made in the IPv6 OS engine.
In rare cases a certain interleaving of probes and responses would
result in an assertion failure.
Nmap 5.61TEST5 [2012-03-09]
o Integrated all of your IPv4 OS fingerprint submissions since June
2011 (about 1,900 of them). Added about 256 new fingerprints (and
deleted some bogus ones), bringing the new total to 3,572.
Additions include Apple iOS 5.01, OpenBSD 4.9 and 5.0, FreeBSD 7.0
through 9.0-PRERELEASE, and a ton of new WAPs, routers, and other
devices. Many existing fingerprints were improved. For more details,
see [David Fifield]
o Integrated all of your service/version detection fingerprints
submitted since November 2010--more than 2,500 of them! Our
signature count increased more than 10% to 7,423 covering 862
protocols. Some amusing and bizarre new services are described at [David Fifield]
o Integrated your latest IPv6 OS submissions and corrections. We're
still low on IPv6 fingerprints, so please scan any IPv6 systems you
own or administer and submit them to Both
new fingerprints (if Nmap doesn't find a good match) and corrections
(if Nmap guesses wrong) are useful.
o [NSE] Added a host-based registry which only persists (for the given
host) until all scripts have finished scanning that host. The normal
registry saves information until it is deleted or the Nmap scan
ends. That is a waste of memory for information which doesn't need
to persist that long. Use the host based registry instead if you
can. See [Patrik
o IPv6 OS detection now includes a novelty detection system which
avoids printing a match when an observed fingerprint is too
different from fingerprints seen before. As the OS database is still
small, this helps to avoid making (essentially) wild guesses when
seeing a new operating system. [David Fifield]
o Refactored the nsock library to add the nsock-engines system. This
allows system-specific scalable IO notification facilities to be
used while maintaining the portable Nsock API. This initial version
comes with an epoll-based engine for Linux and a select-based
fallback engine for all other operating systems. Also added the
--nsock-engine option to Nmap, Nping and Ncat to enforce use of a
specific Nsock IO engine. [Henri Doreau]
o [NSE] Added 43(!) NSE scripts, bringing the total up to 340. They
are all listed at, and the summaries are
below (authors are listed in brackets):
+ acarsd-info retrieves information from a listening acarsd
daemon. Acarsd decodes ACARS (Aircraft Communication Addressing
and Reporting System) data in real time. [Brendan Coles]
+ asn-to-prefix produces a list of IP prefixes for a given AS number
(ASN). It uses the external Shadowserver API (with their
permission). [John Bond]
+ broadcast-dhcp6-discover sends a DHCPv6 request (Solicit) to the
DHCPv6 multicast address, parses the response, then extracts and
prints the address along with any options returned by the
server. [Patrik Karlsson]
+ broadcast-networker-discover discovers the EMC Networker backup
software server on a LAN by using network broadcasts. [Patrik Karlsson]
+ broadcast-pppoe-discover discovers PPPoE servers using the PPPoE
Discovery protocol (PPPoED). [Patrik Karlsson]
+ broadcast-ripng-discover discovers hosts and routing information
from devices running RIPng on the LAN by sending a RIPng Request
command and collecting the responses from all responsive
devices. [Patrik Karlsson]
+ broadcast-versant-locate discovers Versant object databases using
the srvloc protocol. [Patrik Karlsson]
+ broadcast-xdmcp-discover discovers servers running the X Display
Manager Control Protocol (XDMCP) by sending a XDMCP broadcast
request to the LAN. [Patrik Karlsson]
+ cccam-version detects the CCcam service (software for sharing
subscription TV among multiple receivers). [David Fifield]
+ dns-client-subnet-scan performs a domain lookup using the
edns-client-subnet option that adds support for adding subnet
information to the query describing where the query is
originating. The script uses this option to supply a number of
geographically distributed locations in an attempt to enumerate as
many different address records as possible. [John Bond]
+ dns-nsid retrieves information from a DNS nameserver by requesting
its nameserver ID (nsid) and asking for its id.server and
version.bind values. [John Bond]
+ dns-srv-enum enumerates various common service (SRV) records for a
given domain name. The service records contain the hostname, port
and priority of servers for a given service. [Patrik Karlsson]
+ eap-info enumerates the authentication methods offered by an EAP
authenticator for a given identity or for the anonymous identity
if no argument is passed. [Riccardo Cecolin]
+ http-auth-finder spiders a web site to find web pages requiring
form-based or HTTP-based authentication. [Patrik Karlsson]
+ http-config-backup checks for backups and swap files of common
content management system and web server configuration
files. [Riccardo Cecolin]
+ http-generator displays the contents of the "generator" meta tag
of a web page (default: /) if there is one. [Michael Kohl]
+ http-proxy-brute performs brute force password guessing against a
HTTP proxy server. [Patrik Karlsson]
+ http-qnap-nas-info attempts to retrieve the model, firmware
version, and enabled services from a QNAP Network Attached Storage
(NAS) device. [Brendan Coles]
+ http-vuln-cve2009-3960 exploits cve-2009-3960 also known as Adobe
XML External Entity Injection. [Hani Benhabiles]
+ http-vuln-cve2010-2861 executes a directory traversal attack
against a ColdFusion server and tries to grab the password hash
for the administrator user. It then uses the salt value (hidden in
the web page) to create the SHA1 HMAC hash that the web server
needs for authentication as admin. [Micah Hoffman]
+ iax2-brute performs brute force password auditing against the
Asterisk IAX2 protocol. [Patrik Karlsson]
+ membase-brute performs brute force password auditing against
Couchbase Membase servers. [Patrik Karlsson]
+ membase-http-info retrieves information (hostname, OS, uptime,
etc.) from the CouchBase Web Administration port. [Patrik
+ memcached-info retrieves information (including system
architecture, process ID, and server time) from distributed memory
object caching system memcached. [Patrik Karlsson]
+ mongodb-brute performs brute force password auditing against the
MongoDB database. [Patrik Karlsson]
+ nat-pmp-mapport maps a WAN port on the router to a local port on
the client using the NAT Port Mapping Protocol (NAT-PMP). [Patrik
+ ndmp-fs-info lists remote file systems by querying the remote
device using the Network Data Management Protocol (ndmp). [Patrik
+ ndmp-version retrieves version information from the remote Network
Data Management Protocol (NDMP) service. [Patrik Karlsson]
+ nessus-xmlrpc-brute performs brute force password auditing against
a Nessus vulnerability scanning daemon using the XMLRPC
protocol. [Patrik Karlsson]
+ redis-brute performs brute force passwords auditing against a
Redis key-value store. [Patrik Karlsson]
+ redis-info retrieves information (such as version number and
architecture) from a Redis key-value store. [Patrik Karlsson]
+ riak-http-info retrieves information (such as node name and
architecture) from a Basho Riak distributed database using the
HTTP protocol. [Patrik Karlsson]
+ rpcap-brute performs brute force password auditing against the
WinPcap Remote Capture Daemon (rpcap). [Patrik Karlsson]
+ rpcap-info connects to the rpcap service (provides remote sniffing
capabilities through WinPcap) and retrieves interface
information. [Patrik Karlsson]
+ rsync-brute performs brute force password auditing against the
rsync remote file syncing protocol. [Patrik Karlsson]
+ rsync-list-modules lists modules available for rsync (remote file
sync) synchronization. [Patrik Karlsson]
+ socks-auth-info determines the supported authentication mechanisms
of a remote SOCKS 5 proxy server. [Patrik Karlsson]
+ socks-brute performs brute force password auditing against SOCKS 5
proxy servers. [Patrik Karlsson]
+ url-snarf sniffs an interface for HTTP traffic and dumps any URLs, and their
originating IP address. [Patrik Karlsson]
+ versant-info extracts information, including file paths, version
and database names from a Versant object database. [Patrik
+ vmauthd-brute performs brute force password auditing against the
VMWare Authentication Daemon (vmware-authd). [Patrik Karlsson]
+ voldemort-info retrieves cluster and store information from the
Voldemort distributed key-value store using the Voldemort Native
Protocol. [Patrik Karlsson]
+ xdmcp-discover requests an XDMCP (X display manager control
protocol) session and lists supported authentication and
authorization mechanisms. [Patrik Karlsson]
o [NSE] Added 14 new protocol libraries! They were all written by
Patrik Karlsson, except for the EAP library by Riccardo Cecolin:
+ dhcp6 (Dynamic Host Configuration Protocol for IPv6)
+ eap (Extensible Authentication Protocol)
+ iax2 (Inter-Asterisk eXchange v2 VoIP protocol)
+ membase (Couchbase Membase TAP protocol)
+ natpmp (NAT Port Mapping Protocol)
+ ndmp (Network Data Management Protocol)
+ pppoe (Point-to-point protocol over Ethernet)
+ redis (in-memory key-value data store)
+ rpcap (WinPcap Remote Capture Deamon)
+ rsync (remote file sync)
+ socks (SOCKS 5 proxy protocol)
+ sslcert (for collecting SSL certificates and storing them in the
host-based registry)
+ versant (an object database)
+ xdmcp (X Display Manager Control Protocol)
o CPE (Common Platform Enumeration) OS classification is now supported
for IPv6 OS detection. Previously it was only available for
IPv4. [David Fifield]
o [NSE] The host.os table is now a structured array of table that
include OS class information and CPE. See for documentation of the new
structure. [Henri Doreau, David]
o [NSE] Service matches can now access CPE through the
port.version.cpe array. [Henri Doreau]
o Added a new --script-args-file option which allows you to specify
the name of a file containing all of your desired NSE script
arguments. The arguments may be separated with commas or newlines
and may be overridden by arguments specified on the command-line
with --script-args. [Daniel Miller]
o Audited the nmap-service-probes database to remove all unused
captures, fixing dozens of bugs with captures either being ignored
or two fields erroneously using the same capture. [Lauri Kokkonen,
David Fifield, and Rob Nicholls]
o Added new version detection probes and match lines for:
+ Erlang Port Mapper Daemon
+ Couchbase Membase NoSQL database
+ Basho Riak distributed database protocol buffers client (PBC)
+ Tarantool in-memory data store
[Patrik Karlsson]
o Split the nmap-update client into its own binary RPM to avoid the
Nmap RPM having a dependency on the Subversion and APR libraries.
We're not yet distributing this binary nmap-update RPM since the
system isn't complete, but the source code is available in the Nmap
tarball and source RPM. [David]
o [NSE] Added authentication support to the MongoDB library and
modified existing scripts to support it. [Patrik Karlsson]
o [NSE] Added support to broadcast-listener for extracting address, native VLAN
and management IP address from CDP packets. [Tom Sellers]
o [NSE] Added RPC Call CALLIT to the RPC library and modified UDP sockets to be
unconnected in order to support broadcast. [Patrik Karlsson]
o [NSE] Modified the ssl-cert and ssl-google-cert-catalog scripts to
take advantage of the new sslcert library which retrieves and caches
SSL certificates in the registry.
o [NSE] Patch our bitcoin library to support recent changes in the
BitCoin protocol. [Andrew Orr, Patrik Karlsson]
o Fixed an error where very long messages could cause an
assertion failure: "log_vwrite: vsnprintf failed. Even after
increasing bufferlen to ---, Vsnprintf returned -1 (logt == 1)."
This was reported by David Hingos.
o Fixed an assertion failure that was printed when a fatal error
occurred while an XML tag was incomplete: "!xml.tag_open, file
..\, line 401". This was reported by David Hingos. [David
o [NSE] Added support for decoding EIGRP broadcasts from Cisco routers
to broadcast-listener. [Tom Sellers]
o [NSE] Added redirect support to the http library. All calls to
http.get and http.head now transparently handle any HTTP
redirects. The number and destination of redirects are limited by
default to avoid endless loops or unwanted follows of redirects to
different servers, but they can be configured. [Patrik Karlsson]
o [NSE] Modified the sql-injection script to use the httpspider library.
[Lauri Kokkonen]
o Added --with-apr and --with-subversion configuration options to
support systems where those libraries aren't in the usual places.
[David Fifield]
o [NSE] Fixed a bunch of global access errors in various libraries reported by
the nse_check_globals script. [Patrik Karlsson]
o Fixed an assertion failure which could occur when connecting to an
SSL server:
nsock_core.c:186: update_events: Assertion `(ev_inc & ev_dec) == 0' failed.
Thanks to Ron for reporting the bug and testing. [Henri Doreau]
o [NSE] Added support to the DNS library for the CHAOS class and NSID
requests. [John Bond]
o [NSE] Changed the dnsbl library to take a much faster threaded
approach to querying DNS blacklists. [Patrik Karlsson]
o [NSE] Added new services and the ATTACK category to the dnsbl
script. [Duarte Silva]
o [NSE] Fixed a memory leak in PortList::setServiceProbeResults()
which was noticed and reported by David Fifield. The leak was
triggered by set_port_version calls from NSE. [Henri Doreau]
o [NSE] Fixed a race condition in broadcast-dhcp-discover.nse that
could cause responses to be missed on fast networks. It was noticed
by Vasiliy Kulikov. [David Fifield]
o Fixed a bug in reverse name resolution: a name of "." would leave
the hostname unintialized and cause "Illegal character(s) in
hostname" warnings. [Gisle Vanem]
o Allow overriding the AR variable to use a different version of the
ar library creation tool when creating the liblinear library. [Nuno
o Added vcredist2008_x86.exe to the Windows zip file. This installer
from MS must be run on new Windows 2008 systems (those which don't
already have it) before running Nmap. The Nmap Windows installer
already takes care of this. [David Fifield]
o Removed about 5MB of unnecessary DocBook XSL from the Nping docs
directory. [David Fifield]
o The packet library now uses consistent naming of the address fields
for IPv4 and IPv6 packets (ip_bin_src, ip_bin_dst, ip_src, and
ip_dst). [Henri Doreau]
o Update to the latest MAC address prefix assignments from IEEE as of
March 8, 2012. [Fyodor]
o Fixed a problem in the ippackethdrinfo function which was leading to
warning messages like: "BOGUS! Can't parse supposed IP packet" during
certain IPv6 scans. [David Fifield]
o Fixed building on Arch Linux. The PCAP_IS_SUITABLE test had to be
modified to ensure that -lnl was passed on the build line. See the
r28202 svn log for further information. [David Fifield]
o Include net/if.h before net/if_arp.h in and to
hopefully fix some build problems on AIX 5.3.
o [NSE] Added IPv6 support to firewalk.nse. [Henri Doreau]
Nmap 5.61TEST4 [2012-01-02]
o [NSE] Added a new httpspider library which is used for recursively
crawling web sites for information. New scripts using this
functionality include http-backup-finder, http-email-harvest,
http-grep, http-open-redirect, and http-unsafe-output-escaping. See or the list later in this file for details
on these. [Patrik]
o Our Mac OS X packages are now x86-only (rather than universal),
reducing the download size from 30 MB to about 17. If you still
need a PowerPC version (Apple stopped selling those machines in
2006), you can use Nmap 5.51 or 5.61TEST2 from
o We set up a new SVN server for the Nmap codebase. This one uses SSL
for better security, WebDAV rather than svnserve for greater
functionality, is hosted on a faster (virtual) machine, provides
Nmap code history back to 1998 rather than 2005, and removes the
need for the special "guest" username. The new server is at More information:
o [NSE] Added a vulnerability management library (vulns.lua) to store and to
report discovered vulnerabilities. Modified these scripts to use
the new library:
- ftp-libopie.nse
- http-vuln-cve2011-3192.nse
- ftp-vuln-cve2010-4221.nse
- ftp-vsftpd-backdoor.nse
- smtp-vuln-cve2011-1720.nse
- smtp-vuln-cve2011-1764.nse
- afp-path-vuln.nse
[Djalal, Henri]
o [NSE] Added a new script force feature. You can force scripts to
run against target ports (even if the "wrong" service is detected)
by placing a plus in front of the script name passed to --script.
See [Martin
o [NSE] Added 51(!) NSE scripts, bringing the total up to 297. They
are all listed at, and the summaries are
below (authors listed in brackets):
+ amqp-info gathers information (a list of all server properties)
from an AMQP (advanced message queuing protocol)
server. [Sebastian Dragomir]
+ bitcoin-getaddr queries a Bitcoin server for a list of known
Bitcoin nodes. [Patrik Karlsson]
+ bitcoin-info extracts version and node information from a Bitcoin
server [Patrik Karlsson]
+ bitcoinrpc-info obtains information from a Bitcoin server by
calling getinfo on its JSON-RPC interface. [Toni
+ broadcast-pc-anywhere sends a special broadcast probe to discover
PC-Anywhere hosts running on a LAN. [Patrik Karlsson]
+ broadcast-pc-duo discovers PC-DUO remote control hosts and
gateways running on the LAN. [Patrik Karlsson]
+ broadcast-rip-discover discovers hosts and routing information
from devices running RIPv2 on the LAN. It does so by sending a
RIPv2 Request command and collects the responses from all devices
responding to the request. [Patrik Karlsson]
+ broadcast-sybase-asa-discover discovers Sybase Anywhere servers on
the LAN by sending broadcast discovery messages. [Patrik Karlsson]
+ broadcast-wake-on-lan wakes a remote system up from sleep by
sending a Wake-On-Lan packet. [Patrik Karlsson]
+ broadcast-wpad-discover Retrieves a list of proxy servers on the
LAN using the Web Proxy Autodiscovery Protocol (WPAD). [Patrik
+ dns-blacklist checks target IP addresses against multiple DNS
anti-spam and open proxy blacklists and returns a list of services
where the IP has been blacklisted. [Patrik Karlsson]
+ dns-zeustracker checks if the target IP range is part of a Zeus
botnet by querying ZTDNS @ [Mikael Keri]
+ ganglia-info retrieves system information (OS version, available
memory, etc.) from a listening Ganglia Monitoring Daemon or
Ganglia Meta Daemon. [Brendan Coles]
+ hadoop-datanode-info discovers information such as log directories
from an Apache Hadoop DataNode HTTP status page. [John R. Bond]
+ hadoop-jobtracker-info retrieves information from an Apache Hadoop
JobTracker HTTP status page. [John R. Bond]
+ hadoop-namenode-info retrieves information from an Apache Hadoop
NameNode HTTP status page. [John R. Bond]
+ hadoop-secondary-namenode-info retrieves information from an
Apache Hadoop secondary NameNode HTTP status page. [John R. Bond]
+ hadoop-tasktracker-info retrieves information from an Apache
Hadoop TaskTracker HTTP status page. [John R. Bond]
+ hbase-master-info retrieves information from an Apache HBase
(Hadoop database) master HTTP status page. [John R. Bond]
+ hbase-region-info retrieves information from an Apache HBase
(Hadoop database) region server HTTP status page. [John R. Bond]
+ http-apache-negotiation checks if the target http server has
mod_negotiation enabled. This feature can be leveraged to find
hidden resources and spider a web site using fewer requests. [Hani
+ http-backup-finder Spiders a website and attempts to identify
backup copies of discovered files. It does so by requesting a
number of different combinations of the filename (e.g. index.bak,
index.html~, copy of index.html). [Patrik Karlsson]
+ http-cors tests an http server for Cross-Origin Resource Sharing
(CORS), a way for domains to explicitly opt in to having certain
methods invoked by another domain. [Toni Ruottu]
+ http-email-harvest spiders a web site and collects e-mail
addresses. [Patrik Karlsson]
+ http-grep spiders a website and attempts to match all pages and
urls against a given string. Matches are counted and grouped per
url under which they were discovered. [Patrik Karlsson]
+ http-method-tamper tests whether a JBoss target is vulnerable to
jmx console authentication bypass (CVE-2010-0738). [Hani
+ http-open-redirect spiders a website and attempts to identify open
redirects. Open redirects are handlers which commonly take a URL
as a parameter and responds with a http redirect (3XX) to the
target. [Martin Holst Swende]
+ http-put uploads a local file to a remote web server using the
HTTP PUT method. You must specify the filename and URL path with
NSE arguments. [Patrik Karlsson]
+ http-robtex-reverse-ip Obtains up to 100 forward DNS names for a
target IP address by querying the Robtex service
( [riemann]
+ http-unsafe-output-escaping spiders a website and attempts to
identify output escaping problems where content is reflected back
to the user. [Martin Holst Swende]
+ http-vuln-cve2011-3368 tests for the CVE-2011-3368 (Reverse Proxy
Bypass) vulnerability in Apache HTTP server's reverse proxy
mode. [Ange Gutek, Patrik Karlsson]
+ ipv6-node-info obtains hostnames, IPv4 and IPv6 addresses through
IPv6 Node Information Queries. [David Fifield]
+ irc-botnet-channels checks an IRC server for channels that are
commonly used by malicious botnets. [David Fifield, Ange Gutek]
+ irc-brute performs brute force password auditing against IRC
(Internet Relay Chat) servers. [Patrik Karlsson]
+ krb5-enum-users discovers valid usernames by brute force querying
likely usernames against a Kerberos service. [Patrik Karlsson]
+ maxdb-info retrieves version and database information from a SAP
Max DB database. [Patrik Karlsson]
+ metasploit-xmlrpc-brute performs brute force password auditing
against a Metasploit RPC server using the XMLRPC protocol. [Vlatko
+ ms-sql-dump-hashes Dumps the password hashes from an MS-SQL server
in a format suitable for cracking by tools such as
John-the-ripper. In order to do so the user needs to have the
appropriate DB privileges. [Patrik Karlsson]
+ nessus-brute performs brute force password auditing against a
Nessus vulnerability scanning daemon using the NTP 1.2
protocol. [Patrik Karlsson]
+ nexpose-brute performs brute force password auditing against a
Nexpose vulnerability scanner using the API 1.1. [Vlatko
+ openlookup-info parses and displays the banner information of an
OpenLookup (network key-value store) server. [Toni Ruottu]
+ openvas-otp-brute performs brute force password auditing against a
OpenVAS vulnerability scanner daemon using the OTP 1.0
protocol. [Vlatko Kosturjak]
+ reverse-index creates a reverse index at the end of scan output
showing which hosts run a particular service. [Patrik Karlsson]
+ rexec-brute performs brute force password auditing against the
classic UNIX rexec (remote exec) service. [Patrik Karlsson]
+ rlogin-brute performs brute force password auditing against the
classic UNIX rlogin (remote login) service. [Patrik Karlsson]
+ rtsp-methods determines which methods are supported by the RTSP
(real time streaming protocol) server. [Patrik Karlsson]
+ rtsp-url-brute attempts to enumerate RTSP media URLS by testing
for common paths on devices such as surveillance IP
cameras. [Patrik Karlsson]
+ telnet-encryption determines whether the encryption option is
supported on a remote telnet server. Some systems (including
FreeBSD and the krb5 telnetd available in many Linux
distributions) implement this option incorrectly, leading to a
remote root vulnerability. [Patrik Karlsson, David Fifield,
+ tftp-enum enumerates TFTP (trivial file transfer protocol) filenames by testing
for a list of common ones. [Alexander Rudakov]
+ unusual-port compares the detected service on a port against the
expected service for that port number (e.g. ssh on 22, http on 80)
and reports deviations. An early version of this same idea was
written by Daniel Miller. [Patrik Karlsson]
+ vuze-dht-info retrieves some basic information, including protocol
version from a Vuze filesharing node. [Patrik Karlsson]
o [NSE] Added some new protocol libraries
+ amqp (advanced message queuing protocol) [Sebastian Dragomir]
+ bitcoin crypto currency [Patrik Karlsson
+ dnsbl for DNS-based blacklists [Patrik Karlsson
+ rtsp (real time streaming protocol) [Patrik Karlsson]
+ httpspider and vulns have separate entries in this CHANGELOG
o Nmap now includes a nmap-update program for obtaining the latest
updates (new scripts, OS fingerprints, etc.) The system is
currently only available to a few developers for testing, but we
hope to enable a larger set of beta testers soon. [David]
o On Windows, the directory [HOME]\AppData\Roaming\nmap is now
searched for data files. This is the equivalent of $HOME/.nmap on
POSIX. [David]
o Improved OS detection performance by scaling congestion control
increments by the response rate during OS scan, just as was done
for port scan before. [David]
o [NSE] The targets-ipv6-multicast-*.nse scripts now scan all
interfaces by default. They show the MAC address and interface name
now too. [David, Daniel Miller]
o Added some new version detection probes:
+ MongoDB service [Martin Holst Swende]
+ Metasploit XMLRPC service [Vlatko Kosturjak]
+ Vuze filesharing system [Patrik]
+ Redis key-value store [Patrik]
+ memcached [Patrik]
+ Sybase SQL Anywhere [Patrik]
+ VMware ESX Server [Aleksey Tyurin]
+ TCP Kerberos [Patrik]
+ PC-Duo [Patrik]
+ PC Anywhere [Patrik]
o Targets requiring different source addresses now go into different
hostgroups, not only for host discovery but also for port scanning.
Before, only responses to one of the source addresses would be
processed, and the others would be ignored. [David]
o Tidied up the version detection DB (nmap-service-probes) with a new
cleanup/canonicalization program sv-tidy. In particular, this:
- Removes excess whitespace
- Sorts templates in the order m p v i d o h cpe:
- Canonicalizes template delimiters in the order: / | % = @ #.
o The --exclude and --excludefile options for excluding targets can
now be used together. [David]
o [NSE] Added support for detecting whether a http connection was established
using SSL or not to the http.lua library [Patrik]
o [NSE] Added local port to BPF filter in snmp-brute to fix bug that would
prevent multiple scripts from receiving the correct responses. The bug was
discovered by Brendan Bird. [Patrik]
o [NSE] Changed the dhcp-discover script to use the DHCPINFORM request
to query dhcp servers instead of DHCPDISCOVER. Also removed DoS code
from dhcp-discover and placed the script into the discovery and safe
categories. Added support for adding options to DHCP requests and
cleaned up some code in the dhcp library. [Patrik]
o [NSE] Applied patch to snmp-brute that solves problems with handling
errors that occur during community list file parsing. [Duarte
o [NSE] Added new fingerprints to http-enum for:
- Subversion, CVS and Apache Archiva [Duarte Silva]
- DVCS systems Git, Mercurial and Bazaar [Hani Benhabiles].
o [NSE] Applied some code cleanup to the snmp library. [Brendan Byrd]