Download Nmap 7.40

Nmap is a program for exploring and monitoring a network. It is designed to scan a large network without delays and also runs smoothly on a single host. The program uses raw ip packets to retrieve active hosts and information about available services. It comes bundled with NSE, which lets you scripts can be used to detect vulnerabilities, similar in idea to Nessus or OpenVAS. In addition, it is bundled with Zenmapwhich generates a visual topology of the detected network environment, and with Ncat, which allows you to intercept, analyze, modify, and so on network traffic. More information about the possibilities can be found at this page. The developers have released Nmap 7.40 with the following announcement on the mailing list:

Nmap 7.40 Holiday Release: a dozen new NSE scripts, hundreds of new fingerprints, new Npcap, faster brute forcing, and more…

Happy holidays from the Nmap Project! In case your Christmas break plans involve a lot of port scanning, we’re delighted to announce our holiday Nmap 7.40 release! This version stuffs your stockings with dozens of new features, including:

• 12 new NSE scripts
• Hundreds of updated OS and version detection detection signatures
• Faster brute force authentication cracking and other NSE library improvements
• A much-improved version of our Npcap Windows packet capturing driver/library

There are many more improvements which are all describe below. Nmap 7.40 source code and binary packages for Linux, Windows, and Mac are available for free download from the usual spot.

If you find any bugs in this release, please let us know on the Nmap Dev list or bug tracker as described at https://nmap.org/book/man-bugs.html.

Here are the changes since Nmap 7.31 from October:

• [Windows] Updated the bundled Npcap from 0.10r9 to 0.78r5, with an improved installer experience, driver signing updates to work with Windows 10 build 1607, and bug fixes for WiFi connectivity problems.
• Integrated all of your IPv4 OS fingerprint submissions from April to September (568 of them). Added 149 fingerprints, bringing the new total to 5,336. Additions include Linux 4.6, macOS 10.12 Sierra, NetBSD 7.0, and more. Highlights:
• Integrated all of your service/version detection fingerprints submitted from April to September (779 of them). The signature count went up 3.1% to 11,095. We now detect 1161 protocols, from airserv-ng, domaintime, and mep to nutcracker, rhpp, and usher. Highlights:
• Fix reverse DNS on Windows which was failing with the message “mass_dns: warning: Unable to determine any DNS servers.” This was because the interface GUID comparison needed to be case-insensitive.
• [NSE] Added 12 NSE scripts from 4 authors, bringing the total up to 552! They are all listed at and the summaries are below:
  • cics-enum enumerates CICS transaction IDs, mapping to screens in TN3270 services.
  • cics-user-enum brute-forces usernames for CICS users on TN3270 services.
  • fingerprint-strings will print the ASCII strings it finds in the service fingerprints that Nmap shows for unidentified services.
  • [GH#606] ip-geolocation-map-bing renders IP geolocation data as an image via Bing Maps API.
  • [GH#606] ip-geolocation-map-google renders IP geolocation data as an image via Google Maps API.
  • [GH#606] ip-geolocation-map-kml records IP geolocation data in a KML file for import into other mapping software
  • nje-pass-brute brute-forces the password to a NJE node, given a valid RHOST and OHOST. Helpfully, nje-node-brute can now brute force both of those values.
  • [GH#557] ssl-cert-intaddr will search for private IP addresses in TLS certificate fields and extensions.
  • tn3270-screen shows the login screen from mainframe TN3270 Telnet services, including any hidden fields. The script is accompanied by the new tn3270 library.
  • tso-enum enumerates usernames for TN3270 Telnet services.
  • tso-brute brute-forces passwords for TN3270 Telnet services.
  • vtam-enum brute-forces VTAM application IDs for TN3270 services.
• [NSE][GH#518] Brute scripts are faster and more accurate. New feedback and adaptivity mechanisms in brute.lua help brute scripts use resources more efficiently, dynamically changing number of threads based on protocol messages like FTP 421 errors, network errors like timeouts, etc.
• [GH#353] New option –defeat-icmp-ratelimit dramatically reduces UDP scan times in exchange for labeling unresponsive (and possibly open) ports as “closed|filtered”. Ports which give a UDP protocol response to one of Nmap’s scanning payloads will be marked “open”.
• [NSE][GH#533] Removed ssl-google-cert-catalog, since Google shut off that service at some point.
• [NSE][GH#606] New NSE library, geoip.lua, provides a common framework for storing and retrieving IP geolocation results.
• [Ncat] Restore the connection success message that Ncat prints with -v. This was accidentally suppressed when not using -z.
• [GH#316] Added scan resume from Nmap’s XML output. Now you can –resume a canceled scan from all 3 major output formats: -oN, -oG, and -oX.
• [Ndiff][GH#591] Fix a bug where hosts with the same IP but different hostnames were shown as changing hostnames between scans. Made sort of stable with regard to hostnames.
• [NSE][GH#540] Add tls.servername script-arg for forcing a name to be used for TLS Server Name Indication extension. The argument overrides the default use of the host’s targetname.
• [GH#505] Updated Russian translation of Zenmap by Alexander Kozlov.
• [NSE][GH#588] Fix a crash in smb.lua when using smb-ls due to a floating-point number being passed to os.time (“bad argument”).
• [NSE][GH#596] Fix a bug in mysql.lua that caused authentication failures in mysql-brute and other scripts due to including a null terminator in the salt value. This bug affects Nmap 7.25BETA2 and later releases.
• The –open option now implies –defeat-rst-ratelimit. This may result in inaccuracies in the numbers of “Not shown:” closed and filtered ports, but only in situations where it also speeds up scan times.
• [NSE] Added known Diffie-Hellman parameters for haproxy, postfix, and IronPort to ssl-dh-params.
• Added service probe for ClamAV servers (clam), an open source antivirus engine used in mail scanning.
• Added service probe and UDP payload for Quick UDP Internet Connection (QUIC), a secure transport developed by Google and used with HTTP/2.
• [NSE] Enabled resolveall to run against any target provided as a hostname, so the resolveall.hosts script-arg is no longer required.
• [NSE] Revised script http-default-accounts in several ways [nnposter]:
  • Added 21 new fingerprints, plus broadened 5 to cover more variants.
  • [GH#577] It can now test systems that return status 200 for non-existent pages.
  • [GH#604] Implemented XML output. Layout of the classic text output has also changed, including reporting blank usernames or passwords as “”, instead of just empty strings.
  • Added CPE entries to individual fingerprints (where known). They are reported only in the XML output.
• [NSE][GH#573] Updated http.lua to allow processing of HTTP responses with malformed header names. Such header lines are still captured in the rawheader list but skipped otherwise.
• [GH#416] New service probe and match line for iperf3.
• [NSE][GH#555] Add Drupal to the set of web apps brute forced by http-form-brute.

Enjoy this new release and please do let us know if you find any problems!

cheers,
Fyodor