Author Topic: Nmap 7.90 released  (Read 2525 times)

0 Members and 1 Guest are viewing this topic.


  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2654
Nmap 7.90 released
« on: October 06, 2020, 09:55:12 AM »
A new version of Nmap, the popular network scanner, is available:

- Download latest Nmap for Windows @ Geeks3D
- Download Nmap @

Nmap logo

o [Windows] Npcap has acheived the milestone 1.00 release, which makes its
  debut in this release of Nmap. There have been 17 public Npcap releases
  since the Npcap version 0.9982 included with Nmap 7.80. These include
  dozens of performance improvements, bug fixes, and feature enhancements
  described at

o Integrated over 800 service/version detection fingerprints submitted since
  August 2017. The signature count went up 1.8% to 11,878, including 17 new
  softmatches.  We now detect 1237 protocols from airmedia-audio, banner-ivu,
  and control-m to insteon-plm, pi-hole-stats, and ums-webviewer.  A
  significant number of submissions remain to be integrated in the next

o Integrated over 330 of the most-frequently-submitted IPv4 OS fingerprints
  since August 2017. Added 26 fingerprints, bringing the new total to 5,678.
  Additions include iOS 12 & 13, macOS Catalina & Mojave, Linux 5.4, FreeBSD
  13, and more.

o Integrated all 67 of your IPv6 OS fingerprint submissions from August 2017 to
  September 2020. Added new groups for FreeBSD 12, Linux 5.4, and Windows 10,
  and consolidated several weak groups to improve classification accuracy.

o [NSE] Added 3 NSE scripts, from 2 authors, bringing the total up to 601!
  They are all listed at, and the summaries are

  + dicom-brute attempts to brute force the called Application Entity Title
    of DICOM servers. [Paulino Calderon]

  + dicom-ping discovers DICOM servers and determines if any Application
    Entity Title is allowed to connect. [Paulino Calderon]

  + uptime-agent-info collects system information from an Idera Uptime
    Infrastructure Monitor agent. [Daniel Miller]

o [GH#1834] Addressed over 250 code quality issues identified by,
  improving our code quality score from "C" to "A+"

o Released Npcap OEM Edition. For more than 20 years, the Nmap Project has
  been funded by selling licenses for companies to distribute Nmap with their
  products, along with commercial support. Hundreds of commercial products
  now use Nmap for network discovery tasks like port scanning, host
  discovery, OS detection, service/version detection, and of course the Nmap
  Scripting Engine (NSE). Until now, they have just used standard Nmap, but
  we have now released an OEM edition customized for use within other Windows
  software. Nmap OEM contains the OEM version of our Npcap driver, which
  allows for silent installation. It also removes the Zenmap GUI, which
  dramatically decreases the installer size. And it reports itself as Nmap
  OEM so customers know it's a properly licensed Nmap. See for more details. We might create OEM builds for Linux
  and Mac depending on demand, but for now licensees on those platforms
  should continue shipping normal Nmap. We will be reaching out to all
  existing licensees with Nmap OEM access credentials, but any licensees who
  want to start using Nmap OEM immediately can email

o Upgraded the Nmap license form a sort of hacked-up version of GPLv2 to a
  cleaner and better organized version (still based on GPLv2) now called the
  Nmap Public Source License to avoid confusion. See
  for more details and annotated license text. This NPSL project was started
  in 2006 (community discussion here: and then it lost momentum for 7
  years until it was restarted in 2013
  ( and then we got distracted by
  development again. We still have some ideas for improving the NPSL, but
  it's already much better than the current license, so we're applying NPSL
  Version 0.92 to the code now and can make improvements later if
  needed. This does not change the license of previous Nmap releases.

o Removed nmap-update. This program was intended to provide a way to update
  data files and NSE scripts, but the infrastructure was never fielded. It
  depended on Subversion version control and would have required maintaining
  separate versions of NSE scripts for compatibility.

o Removed the silent-install command-line option (/S) from the Windows
  installer. It causes several problems and there were no objections when we
  proposed removing it in 2016 (
  It will remain in Nmap OEM since its main use was for customers who
  redistribute Nmap with other software. If anyone else has a strong need
  for an Nmap silent installer, please contact and we'll see
  what we can do.

o [GH#1860] 23 new UDP payloads and dozens more default ports for existing
  payloads developed for Rapid7's InsightVM scan engine. These speed up and
  ensure detection of open UDP services. [Paul Miseiko, Rapid7]

o Added a UDP payload for STUN (Session Traversal Utilities for NAT).
  [David Fifield]

o [NSE] Fixed an off-by-one bug in the stun.lua library that prevented
  parsing a server response. [David Fifield]

o [GH#2051] Restrict Nmap's search path for scripts and data files.
  NMAPDATADIR, defined on Unix and Linux as ${prefix}/share/nmap, will not be
  searched on Windows, where it was previously defined as C:\Nmap .
  Additionally, the --script option will not interpret names as directory names
  unless they are followed by a '/'. [Daniel Miller]

o [GH#1764] Fix an assertion failure when unsolicited ARP response is received:
    nmap: void Target::stopTimeOutClock(const timeval*): Assertion `htn.toclock_running == true' failed.

o [NSE] New outlib library consolidates functions related to NSE output,
  both string formatting conventions and structured output. [Daniel Miller]

o [NSE] New dicom library implements the DICOM protocol used for
  storing and transfering medical images. [Paulino Calderon]

o [GH#92] Fix a regression in ARP host discovery left over from the move from
  massping to ultra_scan in Nmap 4.22SOC8 (2007) that sometimes resulted in
  missing ARP responses from targets near the end of a scan. Accuracy and speed
  are both improved. [Daniel Miller]

o [GH#2051] Restrict Nmap's search path for scripts and data files.
  NMAPDATADIR, defined on Unix and Linux as ${prefix}/share/nmap, will not be
  searched on Windows, where it was previously defined as C:\Nmap .
  Additionally, the --script option will not interpret names as directory names
  unless they are followed by a '/'. [Daniel Miller]

o [GH#2126] Fix the "iocp" Nsock engine for Windows to be able to correctly
  handle PCAP read events. This engine is now the default for Windows, which
  should greatly improve performance over the previous default, the "poll"
  engine. [Daniel Miller]

o [GH#2050] Reduced CPU usage of OS scan by 50% by avoiding string copy
  operations and removing undocumented fingerprint syntax unused in nmap-os-db
  ('&' and '+' in expressions). [Daniel Miller]

o [GH#1859] Allow multiple UDP payloads to be specified for a port in
  nmap-payloads. If the first payload does not get a response, the remaining
  payloads are tried round-robin. [Paul Miseiko, Rapid7]

o [GH#1616] New option --discovery-ignore-rst tells Nmap to ignore TCP RST
  responses when determining if a target is up. Useful when firewalls are
  spoofing RST packets. [Tom Sellers, Rapid7]

o [Ncat][GH#2087][GH#1927][GH#1928][GH#1974] It is now possible to override
  the value of TLS SNI via --ssl-servername [Hank Leininger, nnposter]

o [GH#2104] Fixed parsing of TCP options which would hang (infinite loop) if an
  option had an explicit length of 0. Affects Nmap 7.80 only.
  [Daniel Miller, Imed Mnif]

o [NSE][GH#1460] Script ssh2-enum-algos would fail if the server initiated
  the key exchange before completing the protocol version exchange
  [Scott Ellis, nnposter]

o [NSE][GH#2105] Fetching of SSH2 keys might fail because of key exchange
  confusion [nnposter]

o [NSE][GH#2098] Performance of script afp-ls has been dramatically improved

o [NSE][GH#2091] Parsing of AFP FPGetFileDirParms and
  FPEnumerateExt2FPEnumerateExt2 responses was not working correctly [nnposter]

o [NSE][GH#2089] Eliminated false positives in script http-shellshock caused by
  simple reflection of HTTP request data [Anders Kaseorg]

o [NSE][GH#1473] SNMP scripts are now enabled on non-standard ports where SNMP
  has been detected [usd-markus, nnposter]

o [NSE][GH#2084] MQTT library was using incorrect position when parsing
  received responses [tatulea]

o [NSE][GH#2086] IPMI library was using incorrect position when parsing
  received responses [Star Salzman]

o [NSE][GH#2086] Scripts ipmi-brute and deluge-rpc-brute were not capturing
  successfully brute-forced credentials [Star Salzman]

o Allow resuming IPv6 scans with --resume. The address parsing was assuming IPv4
  addresses, leading to "Unable to parse ip" error. In a related fix, MAC addresses
  will not be parsed as IP addresses when resuming from XML. [Daniel Miller]

o [GH#1622][GH#2068] Fix reverse-DNS handling of PTR records that are not lowercase.
  Nmap was failing to identify reverse-DNS names when the DNS server delivered
  them like ".IN-ADDR.ARPA". [Lucas Nussbaum, Richard Schütz, Daniel Miller]

o [NSE][GH#1999][GH#2005] IKE library was not properly populating the protocol
  number in aggressive mode requests. [luc-x41]

o [GH#1963] Added service fingerprinting for MySQL 8.x, Microsoft SQL
  Server 2019, MariaDB, and CrateDB. Updated PostreSQL coverage and
  added specific detection of recent versions running in Docker. [Tom Sellers]

o New XML output "hosthint" tag emitted during host discovery when a target is
  found to be up. This gives earlier notification than waiting for the
  hostgroup to finish all scan phases. [Paul Miseiko]

o [GH#917] New UDP payloads for GPRS Tunneling Protocol (GTP) on ports 2123,
  2152, and 3386. [Guillaume Teissier]

o [NSE][GH#1825] SSH scripts now run on several ports likely to be SSH based on
  empirical data from, as well as the netconf-ssh service.
  [Lim Shi Min Jonathan, Daniel Miller]

o [Zenmap][GH#1777] Stop creating a debugging output file 'tmp.txt' on the
  desktop in macOS. [Roland Linder]

o [Nping] Address build failure under libc++ due to "using namespace std;" in
  several headers, resulting in conflicting definitions of bind(). Reported by
  StormBytePP and Rosen Penev. [Daniel Miller]

o [Ncat][GH#1868] Fix a fatal error when connecting to a Linux VM socket with
  verbose output enabled. [Stefano Garzarella]

o [Ncat][GH#2060] Proxy credentials can be alternatively passed onto Ncat by
  setting environment variable NCAT_PROXY_AUTH, which reduces the risk of the
  credentials getting captured in process logs. [nnposter]

o [NSE][GH#1723] Fixed a crash on Windows when processing a GZIP-encoded HTTP
  body. [Daniel Miller]

o Upgrade libpcap to 1.9.1, which addresses several CVE vulnerabilities.

o Upgrade libssh2 to 1.9.0, fixing compilation with OpenSSL 1.1.0 API.

o [GH#1717][GH#1718] Processing of IP address CIDR blocks was not working
  correctly on ppc64, ppc64le, and s390x architectures. [rfrohl, nnposter]

o [Windows] Add support for the new loopback behavior in Npcap 0.9983 and
  later. This enables Nmap to scan localhost on Windows without needing the
  Npcap Loopback Adapter to be installed, which was a source of problems for
  some users.  [Daniel Miller]

o [NSE] MS SQL library has improved version resolution, from service pack level
  to individual cumulative updates [nnposter]

o [NSE][GH#2077] With increased verbosity, script http-default-accounts now
  reports matched target fingerprints even if no default credentials were found

o [NSE][GH#2063] IPP request object conversion to string was not working
  correctly [nnposter]

o [NSE][GH#2063] IPP response parser was not correctly processing
  end-of-attributes-tag [nnposter]

o [NSE] Script cups-info was failing due to erroneous double-decoding
  of the IPP printer status [nnposter]

o [NSE][GH#2010] Oracle TNS parser was incorrectly unmarshalling DALC byte
  arrays [nnposter]

o [NSE] The password hashing function for Oracle 10g was not working correctly
  for non-alphanumeric characters [nnposter]

o [NSE] Virtual host probing list, vhosts-full.lst, was missing numerous
  entries present in vhosts-default.lst [nnposter]

o [NSE][GH#1931][GH#1932] Script http-grep was not correctly calculating Luhn
  checksum [Colleen Li, nnposter]

o [NSE][GH#1838] Scripts dhcp-discover and broadcast-dhcp-discover now support
  new argument "mac" to force a specific client MAC address [nnposter]

o [NSE] Code improvements in RPC Dump, benefitting NFS-related scripts

o [NSE] RPC code was using incorrect port range, which was causing some calls,
  such as NFS mountd, to fail intermittently [nnposter]

o [NSE][GH#1876] XML output from script ssl-cert now includes RSA key modulus
  and exponent [nnposter]

o [NSE][GH#1837] Nmap no longer crashes when SMB scripts, such as smb-ls, call
  smb.find_files [nnposter]

o [NSE][GH#1802] The MongoDB library was causing errors when assembling protocol
  payloads. [nnposter]

o [NSE][GH#1781][GH#1796] The RTSP library was not correctly generating request
  strings. [nnposter]

o [NSE][GH#1706] VNC handshakes were failing with insert position out of bounds
  error. [nnposter]

o [NSE][GH#1720] Function marshall_dom_sid2 in library msrpctypes was not
  correctly populating ID Authority. [nnposter]

o [NSE][GH#1720] Unmarshalling functions in library msrpctypes were attempting
  arithmetic on a nil argument. [Ivan Ivanov, nnposter]

o [NSE][GH#1720] Functions lsa_lookupnames2 and lsa_lookupsids2 in library
  msrpc were incorrectly referencing function strjoin when called with debug
  level 2 or higher. [Ivan Ivanov]

o [NSE][GH#1755][GH#2096] Added HTTP default account fingerprints for Tomcat
  Host Manager and Dell iDRAC9. [Clément Notin]

o [NSE][GH#1476][GH#1707] A MS-SMB spec non-compliance in Samba was causing
  protocol negotiation to fail with data string too short error.
  [Clément Notin, nnposter]

o [NSE][GH#1480][GH#1713][GH#1714] A bug in SMB library was causing scripts to
  fail with bad format argument error. [Ivan Ivanov]

o [NSE][GH#1665] The HTTP library no longer crashes when code requests digest
  authentication but the server does not provide the necessary authentication
  header. [nnposter]

o [NSE] Fixed a bug in http-wordpress-users.nse that could cause
  extraneous output to be captured as part of a username. [Duarte Silva]