Nmap is now the default tool to discover services running on a remotely connected system. None of us really need any introduction to this very popular “network mapper”. The Linux man page describes it as:
Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
Nmap is included in multiple security toolkits nowadays. A list of some of the toolkits embedding this tool can be found here. The reason behind this post was the release of Nmap version 7.50!
Most notably, this version includes Npcap 0.92, which uses newer APIs for better performance and compatibility, including Windows 10 support. Loopback packet capture and injection, raw wireless sniffing for beacon frames, and extra security features such as requiring Administrator access were also added with this release. This release also includes more than 300 new service detection fingerprints and improvements to Nmap’s family of related tools such as Ncat. In all, this network mapper detects 1193 protocols from ApacheMQ, bro, and clickhouse to jmon, SLMP, and zookeeper! The Nmap Scripting Engine was improved as well.
New Nmap Scripting Engine scripts:
This release has the following new NSE scripts:
- broadcast-ospf2-discover: Discovers OSPF 2 routers and neighbors. OSPFv2 authentication is supported by Emiliano Ticci.
- cics-info: Checks IBM TN3270 services for CICS transaction services and extracts useful information by Soldier of Fortran.
- cics-user-brute: Does brute-force enumeration of CICS usernames on IBM TN3270 services by Soldier of Fortran.
- http-cookie-flags: Checks HTTP session cookies for HTTPOnly and Secure flags by Steve Benson.
- http-security-headers: Checks for the HTTP response headers related to security given in OWASP Secure Headers Project, giving a brief description of the header and its configuration value by Vinamra Bhatia, Ícaro Torres.
- http-vuln-cve2017-5638: Checks for the RCE bug in Apache Struts2 by Seth Jackson.
- http-vuln-cve2017-5689: Detects a privilege escalation vulnerability (INTEL-SA-00075) in Intel Active Management Technology (AMT) capable systems by Andrew Orr.
- http-vuln-cve2017-1001000: Detects a privilege escalation vulnerability in WordPress 4.7.0 and 4.7.1 (CVE-2017-1001000) by Vinamra Bhatia.
- impress-remote-discover: Attempts to pair with the LibreOffice Impress presentation remote service and extract version info. Pairing is PIN-protected, and the script can optionally brute-force the PIN. New service probe and match line also added by Jeremy Hiebert.
- smb-double-pulsar-backdoor: Detects the Shadow Brokers-leaked Double Pulsar backdoor in Windows SMB servers by Andrew Orr.
- smb-vuln-cve-2017-7494: Detects the “SambaCry” remote code execution vulnerability affecting Samba versions 3.5.0 and greater with writable shares, by Wong Wai Tuck.
- smb-vuln-ms17-010: Detects a critical remote code execution vulnerability affecting SMBv1 servers in Microsoft Windows systems (MS17-010). The script also reports patched systems by Paulino Calderon.
- tls-ticketbleed: Checks for the Ticketbleed vulnerability (CVE-2016-9244) in F5 BIG-IP appliances by Mak Kolybabi.
- vmware-version: Queries the VMware SOAP API for version and product information. Submitted in 2011 by Aleksey Tyurin, this was mistakenly turned into a service probe that was unable to elicit any matches.
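To make concrete what the http-cookie-flags and http-security-headers scripts check for, here is an added Python re-creation of those two checks run over a constructed HTTP response. It is not Nmap's own (Lua) script code; the header list is a subset of the OWASP Secure Headers Project list and the sample response is made up for the example.

```python
# Added example: re-creates the checks of the http-cookie-flags and
# http-security-headers NSE scripts in Python. Not Nmap's own code.

SECURITY_HEADERS = (  # subset of the OWASP Secure Headers Project list
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
)

def parse_response(raw: bytes):
    """Split a raw HTTP response into its status line and a list of
    (lower-cased name, value) header pairs; the body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed header lines without a colon
            headers.append((name.strip().lower(), value.strip()))
    return status, headers

def cookie_flags(set_cookie: str):
    """Return (cookie name, list of missing flags) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.lower() for p in parts[1:]}  # attribute names are case-insensitive
    missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]
    return name, missing

def audit(raw: bytes):
    """Report cookies lacking Secure/HttpOnly and security headers that are absent."""
    _, headers = parse_response(raw)
    present = {name for name, _ in headers}
    cookies = dict(cookie_flags(v) for n, v in headers if n == "set-cookie")
    missing = [h for h in SECURITY_HEADERS if h not in present]
    return {"cookies": cookies, "missing_headers": missing}

# Constructed sample response (not captured from any real host).
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly\r\n"
    b"Set-Cookie: pref=dark; Path=/; Secure; HttpOnly\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"\r\n"
    b"<html></html>"
)

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```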
New service probes and matches for Apache HBase and Hadoop MapReduce were also added. A complete change log can be found here.
Latest stable sources and Windows installers: nmap-7.50.tar.bz2/nmap-7.50-setup.exe can be downloaded here.