nmap (“Network Mapper“) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine to scan single hosts. nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
The output from nmap is a list of scanned targets, with supplemental information on each depending on the options used. Key among that information is the “interesting ports table”. That table lists the port number and protocol, service name, and state. The state is either open, filtered, closed, or unfiltered.
- Open means that an application on the target machine is listening for connections/packets on that port.
- Filtered means that a firewall, filter, or other network obstacle is blocking the port so that nmap cannot tell whether it is open or closed.
- Closed ports have no application listening on them, though they could open up at any time. Ports are classified as unfiltered. when they are responsive to nmap’s probes, but nmap cannot determine whether they are open or closed. nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describe a port. The port table may also include software version details when version detection has been requested. When an IP protocol scan is requested (-sO), nmap provides information on supported IP protocols rather than listening ports.
In addition to the interesting ports table, nmap can provide further information on targets, including reverse DNS names, operating system guesses, device types, and MAC addresses.
Nmap 7.70 changelog:
- Integrated all 33 of your IPv6 OS fingerprint submissions from September 2016 to August 2017. New groups or OpenBSD 6.0 and FreeBSD 11.0 were added, as well as strengthened groups for Linux and OS X.
- Added the –resolve-all option to resolve and scan all IP addresses of a host. This essentially replaces the resolveall NSE script. [Daniel Miller]
- •[NSE][SECURITY] Nmap developer nnposter found a security flaw (directory traversal vulnerability) in the way the non-default http-fetch script sanitized URLs. If a user manualy ran this NSE script against a malicious
web server, the server could potentially (depending on NSE arguments used) cause files to be saved outside the intended destination directory. Existing files couldn’t be overwritten. We fixed http-fetch, audited our
other scripts to ensure they didn’t make this mistake, and updated the httpspider library API to protect against this by default. [nnposter, Daniel Miller]
- [NSE] Added 9 NSE scripts, from 8 authors, bringing the total up to 588!
They are all listed at https://nmap.org/nsedoc/, and the summaries are
- – deluge-rpc-brute performs brute-force credential testing against Deluge BitTorrent RPC services, using the new zlib library. [Claudiu Perta]
- – hostmap-crtsh lists subdomains by querying Google’s Certificate Transparency logs. [Paulino Calderon]
- – [GH#892] http-bigip-cookie decodes unencrypted F5 BIG-IP cookies and reports back the IP address and port of the actual server behind the load-balancer. [Seth Jackson]
- – http-jsonp-detection Attempts to discover JSONP endpoints in web servers. JSONP endpoints can be used to bypass Same-origin Policy restrictions in web browsers. [Vinamra Bhatia]
- – http-trane-info obtains information from Trane Tracer SC controllers and connected HVAC devices. [Pedro Joaquin]
- – [GH#609] nbd-info uses the new nbd.lua library to query Network Block Devices for protocol and file export information. [Mak Kolybabi]
- – rsa-vuln-roca checks for RSA keys generated by Infineon TPMs vulnerable to Return Of Coppersmith Attack (ROCA) (CVE-2017-15361). Checks SSH and TLS services. [Daniel Miller]
- – [GH#987] smb-enum-services retrieves the list of services running on a remote Windows machine. Modern Windows systems requires a privileged domain account in order to list the services. [Rewanth Cool]
- – tls-alpn checks TLS servers for Application Layer Protocol Negotiation (ALPN) support and reports supported protocols. ALPN largely replaces NPN, which tls-nextprotoneg was written for. [Daniel Miller]
How to update Nmap:
- Download Nmap released tarball here
- Extract this file
- Use command:
ddos@ddos ~/Downloads/nmap-7.70 $ ./configure
ddos@ddos ~/Downloads/nmap-7.70 $ make
ddos@ddos ~/Downloads/nmap-7.70 $ sudo make install