Nmap 7.60 released: SSH support, SMB2/SMB3 improvements, 14 more scripts

Nmap is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.


What’s important

Nmap scripts can now perform brute-force SSH password cracking, query servers about what auth methods and public keys they accept, and even log in using known or discovered credentials to execute arbitrary commands. Nmap 7.60 includes four scripts to start out with, and it opens the door to many more future capabilities.

The latest version also comes with 14 new NSE scripts, and a bunch of great SMB2/SMB3 improvements. It also includes our new Npcap 0.93 which resolves an issue where the Microsoft Windows 10 Creators Update was breaking Npcap and impairing Nmap functionality.

All changes since Nmap 7.50

Here is the full list of significant changes since Nmap 7.50:

  • Updated the bundled Npcap from 0.91 to 0.93, fixing several issues with installation and compatibility with the Windows 10 Creators Update.
  • NSE scripts now have complete SSH support via libssh2, including password brute-forcing and running remote commands.
  • Added 14 NSE scripts from 6 authors, bringing the total up to 579!
  • Removed smbv2-enabled, which was incompatible with the new SMBv2/3 improvements. It was fully replaced by the smb-protocols script.
  • Added Datagram TLS (DTLS) support to Ncat in connect (client) mode with --udp --ssl. Also added Application Layer Protocol Negotiation (ALPN) support with the --ssl-alpn option.
  • Updated the default ciphers list for Ncat and the secure ciphers list for Nsock to use “!aNULL:!eNULL” instead of “!ADH”. With the addition of ECDH ciphersuites, anonymous ECDH suites were being allowed.
  • Fix ndmp-version and ndmp-fs-info when scanning Veritas Backup Exec Agent 15 or 16.
  • Added new SMB2/3 library and related scripts.
  • Added wildcard detection to dns-brute. Only hostnames that resolve to unique addresses will be listed.
  • FTP scripts like ftp-anon and ftp-brute now correctly handle TLS-protected FTP services and use STARTTLS when necessary.
  • Function url.escape no longer encodes so-called “unreserved” characters, including hyphen, period, underscore, and tilde, as per RFC 3986.
  • Function http.pipeline_go no longer assumes that persistent connections are supported on HTTP/1.0 targets (unless the target explicitly declares otherwise), as per RFC 7230.
  • The HTTP response object has a new member, version, which contains the HTTP protocol version string returned by the server, e.g. “1.0”.
  • Fix handling of the objectSID Active Directory attribute by ldap.lua.
  • Fix line endings in the list of Oracle SIDs used by oracle-sid-brute. Carriage Return characters were being sent in the connection packets, likely resulting in failure of the script.
  • http-useragent-checker now checks for changes in HTTP status (usually 403 Forbidden) in addition to redirects to indicate forbidden User Agents.
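The http.pipeline_go and response-version changes above both come down to one rule from RFC 7230: a connection is persistent by default only for HTTP/1.1 and later, an HTTP/1.0 peer must explicitly send "Connection: keep-alive", and "Connection: close" always wins. The following is an added, stand-alone illustration of that rule (it is not Nmap's http.lua; function names and the sample responses are this example's own), showing why pipelining onto a plain HTTP/1.0 server would silently lose every request after the first.

```python
# Added example (not Nmap's http.lua): decide whether a response's connection
# may be reused for further pipelined requests, following RFC 7230 section 6.3.
import re

STATUS_LINE = re.compile(r"^HTTP/(\d+\.\d+) (\d{3}) ?(.*)$")


def parse_response_head(raw: bytes) -> dict:
    """Parse the status line and headers of a raw HTTP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    m = STATUS_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed status line: %r" % lines[0])
    headers: dict = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"version": m.group(1), "status": int(m.group(2)), "headers": headers}


def connection_is_persistent(resp: dict) -> bool:
    """Persistent by default for 1.1+; a 1.0 peer must say keep-alive;
    an explicit 'close' token always ends reuse."""
    tokens = set()
    for value in resp["headers"].get("connection", []):
        tokens.update(t.strip().lower() for t in value.split(","))
    if "close" in tokens:
        return False
    major, minor = (int(x) for x in resp["version"].split("."))
    if (major, minor) >= (1, 1):
        return True
    return "keep-alive" in tokens


# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "plain_1_0": b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n",
    "keepalive_1_0": b"HTTP/1.0 200 OK\r\nConnection: keep-alive\r\n\r\n",
    "plain_1_1": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
    "close_1_1": b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n",
}


def pipeline_decisions() -> dict:
    """Map each sample name to (version string, may_pipeline)."""
    out = {}
    for name, raw in SAMPLES.items():
        resp = parse_response_head(raw)
        out[name] = (resp["version"], connection_is_persistent(resp))
    return out


if __name__ == "__main__":
    for name, (ver, ok) in pipeline_decisions().items():
        print(f"{name}: HTTP/{ver} -> {'pipeline' if ok else 'one request per connection'}")
```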