Nmap is een programma voor het verkennen en controleren van een netwerk. Het is ontworpen om zonder vertragingen een groot netwerk te scannen en werkt ook zonder problemen op een enkele host. Het programma maakt gebruik van 'raw ip packets' om actieve hosts en informatie over de beschikbare services te achterhalen. Het wordt gebundeld met NSE, waarmee je scripts kunt gebruiken voor het detecteren van beveiligingslekken, wat idee betreft vergelijkbaar met Nessus of OpenVAS. Daarnaast wordt het gebundeld met Zenmap, waarmee een visuele topologie van de gedetecteerde netwerkomgeving gegenereerd wordt, en met Ncat, waarmee je netwerkverkeer kunt onderscheppen, analyseren, aanpassen enzovoort. Meer informatie over de mogelijkheden is te vinden op deze pagina. De ontwikkelaars hebben Nmap 7.50 uitgebracht, voorzien van de volgende aankondiging op de mailinglijst:
Nmap 7.50 Released! 14 new NSE scripts, 300+ fingerprints, new Npcap, and more
Dear Nmap Community:
The Nmap project is delighted to announce the release of Nmap 7.50! It is our first big release since last December and has hundreds of improvements that we hope you will enjoy.
One of the things we have been worked the hardest on recently is our Npcap packet capturing driver and library for Windows (https://nmap.org/npcap/). It is a replacement for WinPcap, which served us well for many years, but is no longer maintained. Npcap uses newer APIs for better performance and compatibility, including Windows 10 support. We also added loopback packet capture and injection, raw wireless sniffing for beacon frames and such, and extra security features such as requiring Administrator access. Nmap 7.50 ships with Nmap 0.92 (released yesterday) and you can read about all the improvements since 0.78 (which shipped with Nmap 7.40) at https://github.com/nmap/npcap/blob/master/CHANGELOG.md.
Another priority for Nmap 7.50 was improving our Nmap Scripting Engine. For example, we were one of the first scanners to release a detection script for the MS17-010 vulnerability exploited by the Wannacry ransomeware and we hope it helped many people prevent infection. We also developed scripts for the more recent Sambacry bug (CVE 2017-7494) and other vulns as well as quite a few new information gathering scripts to support Nmap's core network discovery mission.
This release also includes more than 300 new service detection fingerprints, improvements to Nmap's family of related tools such as Ncat, and dozens of other enhancements and bug fixes all listed below. And we plan to keep the good stuff coming this summer, as our team of 4 GSoC students plus their mentors are already hard at work (http://seclists.org/nmap-announce/2017/2).
Nmap 7.50 source code and binary packages for Linux, Windows, and Mac are available for free download from the usual spot: https://nmap.org/download.html
If you find any bugs in this release, please let us know on the Nmap Dev list or bug tracker as described at https://nmap.org/book/man-bugs.html.
Here is the full list of significant changes since Nmap 7.40:
Enjoy this new release and please do let us know if you find any problems!
- [Windows] Updated the bundled Npcap from 0.78 to 0.92, with several bugfixes for WiFi connectivity problems and stability issues.
- Integrated all of your service/version detection fingerprints submitted from September to March (855 of them). The signature count went up 2.9% to 11,418. We now detect 1193 protocols from apachemq, bro, and clickhouse to jmon, slmp, and zookeeper. Highlights: http://seclists.org/nmap-dev/2017/q2/140
- [NSE] Added 14 NSE scripts from 12 authors, bringing the total up to 566! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
- [GH#743] broadcast-ospf2-discover discovers OSPF 2 routers and neighbors. OSPFv2 authentication is supported.
- [GH#671] cics-info checks IBM TN3270 services for CICS transaction services and extracts useful information.
- [GH#671] cics-user-brute does brute-force enumeration of CICS usernames on IBM TN3270 services.
- [GH#669] http-cookie-flags checks HTTP session cookies for HTTPOnly and Secure flags.
- http-security-headers checks for the HTTP response headers related to security given in OWASP Secure Headers Project, giving a brief description of the header and its configuration value.
- [GH#740][GH#759] http-vuln-cve2017-5638 checks for the RCE bug in Apache Struts2.
- [GH#876] http-vuln-cve2017-5689 detects a privilege escalation vulnerability (INTEL-SA-00075) in Intel Active Management Technology (AMT) capable systems.
- http-vuln-cve2017-1001000 detects a privilege escalation vulnerability in Wordpress 4.7.0 and 4.7.1 (CVE-2017-1001000)
- [GH#713] impress-remote-discover attempts to pair with the LibreOffice Impress presentation remote service and extract version info. Pairing is PIN-protected, and the script can optionally brute-force the PIN. New service probe and match line also added.
- [GH#854] smb-double-pulsar-backdoor detects the Shadow Brokers-leaked Double Pulsar backdoor in Windows SMB servers.
- smb-vuln-cve-2017-7494 detects the "SambaCry" remote code execution vulnerability affecting Samba versions 3.5.0 and greater with writable shares.
- smb-vuln-ms17-010 detects a critical remote code execution vulnerability affecting SMBv1 servers in Microsoft Windows systems (ms17-010). The script also reports patched systems.
- [GH#686] tls-ticketbleed checks for the Ticketbleed vulnerability (CVE-2016-9244) in F5 BIG-IP appliances.
- vmware-version queries VMWare SOAP API for version and product information. Submitted in 2011, this was mistakenly turned into a service probe that was unable to elicit any matches.
- [Ncat] A series of changes and fixes based on feedback from the Red Hat community:
- [GH#157] Ncat will now continue trying to connect to each resolved address for a hostname before declaring the connection refused, allowing it to fallback from IPv6 to IPv4 or to connect to names that use DNS failover.
- The --no-shutdown option now also works in connect mode, not only in listen mode.
- Made -i/--idle-timeout not cause Ncat in server mode to close while waiting for an initial connection. This was also causing -i to interfere with the HTTP proxy server mode.
- [GH#773] Ncat in server mode properly handles TLS renegotiations and other situations where SSL_read returns a non-fatal error. This was causing SSL-over-TCP connections to be dropped.
- Enable --ssl-ciphers to be used with Ncat in client mode, not only in server (listen) mode.
- [NSE][GH#266][GH#704][GH#238][GH#883] NSE libraries smb and msrpc now use fully qualified paths. SMB scripts now work against all modern versions of Microsoft Windows.
- [NSE] smb library's share_get_list now properly uses anonymous connections first before falling back authenticating as a known user.
- New service probes and matches for Apache HBase and Hadoop MapReduce.
- Extended Memcached service probe and added match for Apache ZooKeeper.
- [NSE] New script argument "vulns.short" will reduce vulns library script output to a single line containing the target name or IP, the vulnerability state, and the CVE ID or title of the vulnerability.
- [NSE][GH#862] SNMP scripts will now take a community string provided like `--script-args creds.snmp=private`, which previously did not work because it was interpreted as a username.
- [NSE] Resolved several issues in the default HTTP redirect rules:
- [GH#826] A redirect is now cancelled if the original URL contains embedded credentials
- [GH#829] A redirect test is now more careful in determining whether a redirect destination is related to the original host
- [GH#830] A redirect is now more strict in avoiding possible redirect loops
- [NSE][GH#766] The HTTP Host header will now include the port unless it is the default one for a given scheme.
- [NSE] The HTTP response object has a new member, fragment, which contains a partially received body (if any) when the overall request fails to complete.
- [NSE][GH#866] NSE now allows cookies to have arbitrary attributes, which are silently ignored (in accordance with RFC 6265). Unrecognized attributes were previously causing HTTP requests with such cookies to fail.
- [NSE][GH#844] NSE now correctly parses a Set-Cookie header that has unquoted whitespace in the cookie value (which is allowed per RFC 6265).
- [NSE][GH#731] NSE is now able to process HTTP responses with a Set-Cookie header that has an extraneous trailing semicolon.
- [NSE][GH#708] TLS SNI now works correctly for NSE HTTP requests initiated with option any_af. As an added benefit, option any_af is now available for all connections via comm.lua, not just HTTP requests.
- [NSE][GH#781] There is a new common function, url.get_default_port(), to obtain the default port number for a given scheme.
- [NSE][GH#833] Function url.parse() now returns the port part as a number, not a string.
- No longer allow ICMP Time Exceeded messages to mark a host as down during host discovery. Running traceroute at the same time as Nmap was causing interference.
- [NSE][GH#807] Fixed a JSON library issue that was causing long integers to be expressed in the scientific/exponent notation.
- [NSE] Fixed several potential hangs in NSE scripts that used receive_buf(pattern), which will not return if the service continues to send data that does not match pattern. A new function in match.lua, pattern_limit, is introduced to limit the number of bytes consumed while searching for the pattern.
- [Nsock] Handle any and all socket connect errors the same: raise as an Nsock error instead of fatal. This prevents Nmap and Ncat from quitting with "Strange error from connect:"
- [NSE] Added several commands to redis-info to extract listening addresses, connected clients, active channels, and cluster nodes.
- [NSE][GH#679][GH#681] Refreshed script http-robtex-reverse-ip, reflecting changes at the source site (www.robtex.com).
- [NSE][GH#620][GH#715] Added 8 new http-enum fingerprints for Hadoop infrastructure components.
- [NSE][GH#629] Added two new fingerprints to http-default-accounts (APC Management Card, older NetScreen ScreenOS)
- [NSE][GH#716] Fix for oracle-tns-version which was sending an invalid TNS probe due to a string escaping mixup.
- [NSE][GH#694] ike-version now outputs information about supported attributes and unknown vendor ids. Also, a new fingerprint for FortiGate VPNs was submitted by Alexis La Goutte.
- [GH#700] Enabled support for TLS SNI on the Windows platform.
- [GH#649] New service probe and match lines for the JMON and RSE services of IBM Explorer for z/OS.
- Removed a duplicate service probe for Memcached added in 2011 (the original probe was added in 2008) and reported as duplicate in 2013.
- New service probe and match line for NoMachine NX Server remote desktop.
- [Zenmap] Fixed a recurring installation problem on OS X/macOS where Zenmap was installed to /Applications/Applications/Zenmap.app instead of /Applications/Zenmap.app.
- [Zenmap][GH#639] Zenmap will no longer crash when no suitable temporary directory is found.
- [Zenmap][GH#626] Zenmap now properly handles the -v0 (no output) option, which was added in Nmap 7.10. Previously, this was treated the same as not specifying -v at all.
- [GH#630] Updated or removed some OpenSSL library calls that were deprecated in OpenSSL 1.1.
- [NSE] Script ssh-hostkey now recognizes and reports Ed25519 keys
- [NSE][GH#627] Fixed script hang in several brute scripts due to the "threads" script-arg not being converted to a number. Error message was "nselib/brute.lua:1188: attempt to compare number with string"