Nmap 5.10BETA2 released : Citrix scanning & xmas greetings

Updated: 2022-09-17 18:03:44

Nmap ("Network Mapper") is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. Nmap is free and open source (license).

Added 7 new NSE scripts for a grand total of 79! You can learn about them all at http://nmap.org/nsedoc/. Here are the new ones:

  • nfs-showmount displays NFS exports like "showmount -e" does. See http://nmap.org/nsedoc/scripts/nfs-showmount.html. [Patrik Karlsson]
  • ntp-info prints the time and configuration variables provided by an NTP service. It may get such interesting information as the operating system, server build date, and upstream time server IP address. See http://nmap.org/nsedoc/scripts/ntp-info.html. [Richard Sammet]
  • citrix-brute-xml uses the unpwdb library to guess credentials for the Citrix PN Web Agent Service. See http://nmap.org/nsedoc/scripts/citrix-brute-xml.html. [Patrik Karlsson]
  • citrix-enum-apps and citrix-enum-apps-xml print a list of published applications from the Citrix ICA Browser or XML service, respectively. See http://nmap.org/nsedoc/scripts/citrix-enum-apps.html and http://nmap.org/nsedoc/scripts/citrix-enum-apps-xml.html. [Patrik Karlsson]
  • citrix-enum-servers and citrix-enum-servers-xml.nse print a list of Citrix servers from the Citrix ICA Browser or XML service, respectively. See http://nmap.org/nsedoc/scripts/citrix-enum-servers.html and http://nmap.org/nsedoc/scripts/citrix-enum-servers-xml.html. [Patrik Karlsson]

We performed a memory consumption audit and made changes to dramatically reduce Nmap's footprint. This improves performance on all systems, but is particularly important when running Nmap on small embedded devices such as phones. Our intensive UDP scan benchmark saw peak memory usage decrease from 34MB to 6MB, while OS detection consumption was reduced from 67MB to 3MB. Read about the changes at http://seclists.org/nmap-dev/2009/q4/663. Here are the highlights:

The size of the internal representation of nmap-os-db was reduced more than 90%. Peak memory consumption in our OS detection benchmark was reduced from 67MB to 3MB. [David]

The size of individual Port structures without service scan results was reduced about 70%. [Pavel Kankovsky]

When a port receives no response, Nmap now avoids allocating a Port structure at all, so scans against filtered hosts can be light on memory. [David]

David started a major service detection submission integration run. So far he has processed submissions since February for the following services: imap, pop3, afp, sip, printer, transmission, svnserve, vmware, domain, backdoor, finger, freeciv, hp, imaps, irc, landesk, netbios-ssn, netsupport, nntp, oracle, radmin, routersetup, rtorrent, serv-u, shoutcast, ssh, tcpmux, torrent, utorrent, vnc and ipp. The rest will come in the next release, along with full stats on the additions.

Added service detection probes for Kerberos (udp/88) and IBM DB2 DAS (523/UDP). [Patrik Karlsson]

Added a UDP payload and service detection probe for Citrix MetaFrame, which typically runs on 1604/udp. [Thomas Buchanan]

Added a UDP SIPOptions service detection probe corresponding to the TCP one. [Patrik Karlsson, Matt Selsky, David Fifield]

Updated service detection signatures for Microsoft SQL Server 2005 to detect the recent Microsoft security update (MS09-062), and also updated ms-sql-info.nse to support MS SQL Server 2008 detection. [Tom]

Nmap now provides Christmas greetings and a reminder of the Xmas scan (-sX) when run in verbose mode on December 25. [Fyodor]

Removed a limitation of snmp.lua which only allowed it to properly encode OID component values up to 127. The bug was reported by Victor Rudnev. [David]
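Why 127 is the boundary, as an added example that is not taken from snmp.lua or any Nmap code: BER encodes each OID sub-identifier in base 128, seven bits per octet with the high bit marking "more octets follow", so any component above 127 needs more than one octet. The function names below are assumptions made for this sketch.

```python
def encode_subid(value: int) -> bytes:
    """Base-128 encode one OID sub-identifier (ITU-T X.690, section 8.19)."""
    if value < 0:
        raise ValueError("OID components are non-negative")
    octets = [value & 0x7F]                    # final octet: high bit clear
    value >>= 7
    while value:
        octets.append(0x80 | (value & 0x7F))   # earlier octets: high bit set
        value >>= 7
    return bytes(reversed(octets))


def encode_oid(dotted: str) -> bytes:
    """Return the BER TLV (tag 0x06) for a dotted OID, short-form length only."""
    arcs = [int(p) for p in dotted.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid first two OID arcs")
    # The first two arcs share one sub-identifier: 40 * first + second.
    body = encode_subid(40 * arcs[0] + arcs[1])
    for arc in arcs[2:]:
        body += encode_subid(arc)
    if len(body) > 127:
        raise ValueError("long-form length is outside this sketch")
    return bytes([0x06, len(body)]) + body


def decode_oid(tlv: bytes) -> str:
    """Inverse of encode_oid; rejects wrong tag, length, or truncated value."""
    if len(tlv) < 3 or tlv[0] != 0x06 or tlv[1] != len(tlv) - 2:
        raise ValueError("not a short-form OID TLV")
    if tlv[-1] & 0x80:
        raise ValueError("last sub-identifier is truncated")
    subids, acc = [], 0
    for octet in tlv[2:]:
        acc = (acc << 7) | (octet & 0x7F)
        if not octet & 0x80:                   # high bit clear ends the value
            subids.append(acc)
            acc = 0
    first = min(subids[0] // 40, 2)
    arcs = [first, subids[0] - 40 * first] + subids[1:]
    return ".".join(str(a) for a in arcs)


if __name__ == "__main__":
    # Constructed sample: an enterprise OID whose arc 311 exceeds 127.
    print(encode_oid("1.3.6.1.4.1.311.1.1").hex())
```

A component such as 311 comes out as the two octets `82 37`; an encoder that writes one octet per component cannot represent it.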

Nmap script output now uses two spaces of indention rather than three for the first level. This better aligns with the standard set by the stdnse.format_output function added in the last release. Output now looks like:

    8082/tcp open  http    Apache httpd 2.2.13 ((Fedora))
    |_http-favicon: Apache Web Server (seen on SuSE, Linux Tux favicon)
    |_html-title: Nmap - Free Security Scanner For Network Exploration & Securit...
    ...
    Host script results:
    |  smb-os-discovery:
    |    OS: Unix (Samba 3.4.2-0.42.fc11)
    |    Name: Unknown/Unknown
    |_   System time: 2009-11-24 17:19:21 UTC-8
    |_smbv2-enabled: Server doesn't support SMBv2 protocol

[Fyodor]

[NSE] Fixed (we hope) a deadlock we were seeing when doing a favicon.nse survey against millions of hosts. We now restore all threads that are waiting on a socket lock when a thread relinquishes its lock. We expect only one of them to be able to grab the newly freed lock, and the rest to go back to waiting. [David, Patrick]

[Zenmap] Fixed a crash when filtering with inroute: in scans without traceroute data. (KeyError: 'hops') [David]

[NSE] Use a looser match pattern in auth-owners.nse for retrieving the owner out of an identd response. See http://seclists.org/nmap-dev/2009/q4/549. [Richard Sammet]

Improved some Cyrus pop3 and Polycom SoundStation sip match lines. [Matt Selsky]

[Ncat] In the Windows version of netrun, we weren't noticing when a command failed to execute (when CreateProcess fails). We now check the return value and close the socket to disconnect the client. [David]

[NSE] Updated http-iis-webdav-vuln to run against SSL-enabled servers. [Ron]

[NSE] Improved db2-info to set port product and state (rather than just port.version.name and confidence) when a DB2 service is positively identified. Error reporting was improved as well. [Tom]