Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in twelve movies, including The Matrix Reloaded, Die Hard 4, Girl With the Dragon Tattoo, and The Bourne Ultimatum.
Features
- Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, version detection, ping sweeps, and more. See the documentation page.
- Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
- Portable: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
- Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as "nmap -v -A targethost". Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.
- Free: The primary goals of the Nmap Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
- Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages here.
- Supported: While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but only after you read the guidelines. We recommend that all users subscribe to the low-traffic nmap-hackers announcement list. You can also find Nmap on Facebook and Twitter. For real-time chat, join the #nmap channel on Freenode or EFNet.
- Acclaimed: Nmap has won numerous awards, including "Information Security Product of the Year" by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the press page for further details.
- Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.
Changelog
• [Windows] Updated the bundled Npcap from 0.91 to 0.93, fixing several
issues with installation and compatibility with the Windows 10 Creators
Update.
• [NSE][GH#910] NSE scripts now have complete SSH support via libssh2,
including password brute-forcing and running remote commands, thanks to the
combined efforts of three Summer of Code students: [Devin Bjelland, Sergey
Khegay, Evangelos Deirmentzoglou]
• [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 579!
They are all listed at https://nmap.org/nsedoc/, and the summaries are
below:
- ftp-syst sends SYST and STAT commands to FTP servers to get system
version and connection information. [Daniel Miller]
- [GH#916] http-vuln-cve2017-8917 checks for an SQL injection
vulnerability affecting Joomla! 3.7.x before 3.7.1. [Wong Wai Tuck]
- iec-identify probes for the IEC 60870-5-104 SCADA protocol. [Aleksandr
Timorin, Daniel Miller]
- [GH#915] openwebnet-discovery retrieves device identifying information
and number of connected devices running on openwebnet protocol. [Rewanth
Cool]
- puppet-naivesigning checks for a misconfiguration in the Puppet CA
where naive signing is enabled, allowing for any CSR to be automatically
signed. [Wong Wai Tuck]
- [GH#943] smb-protocols discovers if a server supports dialects NT LM
0.12 (SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old
smbv2-enabled script. [Paulino Calderon]
- [GH#943] smb2-capabilities lists the supported capabilities of
SMB2/SMB3 servers. [Paulino Calderon]
- [GH#943] smb2-time determines the current date and boot date of SMB2
servers. [Paulino Calderon]
- [GH#943] smb2-security-mode determines the message signing
configuration of SMB2/SMB3 servers. [Paulino Calderon]
- [GH#943] smb2-vuln-uptime attempts to discover missing critical
patches in Microsoft Windows systems based on the SMB2 server uptime.
[Paulino Calderon]
- ssh-auth-methods lists the authentication methods offered by an SSH
server. [Devin Bjelland]
- ssh-brute performs brute-forcing of SSH password credentials. [Devin
Bjelland]
- ssh-publickey-acceptance checks public or private keys to see if they
could be used to log in to a target. A list of known-compromised key pairs
is included and checked by default. [Devin Bjelland]
- ssh-run uses user-provided credentials to run commands on targets via
SSH. [Devin Bjelland]
• [NSE] Removed smbv2-enabled, which was incompatible with the new SMBv2/3
improvements. It was fully replaced by the smb-protocols script.
• [Ncat][GH#446] Added Datagram TLS (DTLS) support to Ncat in connect
(client) mode with --udp --ssl. Also added Application Layer Protocol
Negotiation (ALPN) support with the --ssl-alpn option. [Denis Andzakovic,
Daniel Miller]
• Updated the default ciphers list for Ncat and the secure ciphers list for
Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH
ciphersuites, anonymous ECDH suites were being allowed. [Daniel Miller]
• [NSE][GH#930] Fix ndmp-version and ndmp-fs-info when scanning Veritas
Backup Exec Agent 15 or 16. [Andrew Orr]
• [NSE][GH#943] Added new SMB2/3 library and related scripts. [Paulino
Calderon]
• [NSE][GH#950] Added wildcard detection to dns-brute. Only hostnames that
resolve to unique addresses will be listed. [Aaron Heesakkers]
• [NSE] FTP scripts like ftp-anon and ftp-brute now correctly handle
TLS-protected FTP services and use STARTTLS when necessary. [Daniel Miller]
• [NSE][GH#936] Function url.escape no longer encodes so-called
"unreserved" characters, including hyphen, period, underscore, and tilde,
as per RFC 3986. [nnposter]
• [NSE][GH#935] Function http.pipeline_go no longer assumes that persistent
connections are supported on HTTP 1.0 target (unless the target explicitly
declares otherwise), as per RFC 7230. [nnposter]
• [NSE][GH#934] The HTTP response object has a new member, version, which
contains the HTTP protocol version string returned by the server, e.g.
"1.0". [nnposter]
• [NSE][GH#938] Fix handling of the objectSID Active Directory attribute by
ldap.lua. [Tom Sellers]
• [NSE] Fix line endings in the list of Oracle SIDs used by
oracle-sid-brute. Carriage Return characters were being sent in the
connection packets, likely resulting in failure of the script. [Anant
Shrivastava]
• [NSE][GH#141] http-useragent-checker now checks for changes in HTTP
status (usually 403 Forbidden) in addition to redirects to indicate
forbidden User Agents. [Gyanendra Mishra]