Software update: Nmap 4.85 beta 9

Nmap is a program for exploring and monitoring a network. It is designed to scan a large network without delays, and also runs smoothly on a single host. The program uses so-called ‘raw ip packets’ to retrieve active hosts and information about the available services. More information about the possibilities can be found at this page. The developers have released a new beta version that includes a major update to the OS detection database. The version number is pinned to 4.85 beta 9 and has the following list of changes:

Nmap 4.85BETA9

  • Integrated all of your 1,156 of your OS detection submissions and your 50 corrections since January 8. Please keep them coming! The second generation OS detection DB has grown 14% to more than 2,000 fingerprints! That’s more than we ever had with the first system. The 243 new fingerprints include Microsoft Windows 7 beta, Linux 2.6.28, and much more. See [David]
  • [Ncat] A whole lot of work was done by David to improve SSL security and functionality:
    • Ncat now does certificate domain and trust validation against trusted certificate lists if you specify –ssl-verify.
    • [Ncat] To enable SSL certificate verification on systems whose default trusted certificate stores aren’t easily usable by OpenSSL, we install a set of certificates extracted from Windows in the file ca-bundle.crt. The trusted contents of this file are added to whatever default trusted certificates the operating system may provide. [David]
    • Ncat now automatically generates a temporary keypair and certificate in memory when you request it to act as an SSL server but you don’t specify your own key using –ssl-key and –ssl-cert options. [David]
    • [Ncat] In SSL mode, Ncat now always uses secure connections, meaning that it uses only good ciphers and doesn’t use SSLv2. Certificates can optionally be verified with the –ssl-verify and –ssl-trustfile options. Nsock provides the option of making SSL connections that prioritize either speed or security; Ncat uses security while version detection and NSE continue to use speed. [David]
  • [NSE] Added Boolean Operators for –script. You may now use (“and”, “or”, or “not”) combined with categories, filenames, and wildcarded filenames to match a set files. Parenthetical subexpressions are allowed for precedence too. For example, you can now run:
    nmap –script “(default or safe or intrusive) and not http-*”
    For more details, see [Patrick]
  • [Ncat] The HTTP proxy server now works on Windows too. [David]
  • [Zenmap] The command wizard has been removed. The profile editor has the same capabilities with a better interface that doesn’t require clicking through many screens. The profile editor now has its own “Scan” button that lets you run an edited command line immediately without saving a new profile. The profile editor now comes up showing the current command rather than being blank. [David]
  • [Zenmap] Added an small animated throbber which indicates that a scan is still running (similar in concept to the one on the upper-right Firefox corner which animates while a page is loading). [David]
  • Regenerate script.db to remove references to non-existent smb-check-vulns-2.nse. This caused the following error messages when people used the –script=all option: “nse_main.lua:319: smb-check-vulns-2.nse is not a file!” The script.db entries are now sorted again to make diffs easier to read. [David,Patrick]
  • Fixed –script-updatedb on Windows–it was adding bogus backslashes preceding file names in the generated script.db. Reported by Michael Patrick at, and fixed by Jah. The error message was also improved.
  • The official Windows binaries are now compiled with MS Visual C++ 2008 Express Edition SP1 rather than the RTM version. We also now distribute the matching SP1 version of the MS runtime components (vcredist_x86.exe). A number of compiler warnings were fixed too. [Fyodor,David]
  • Fixed a bug in the new NSE Lua core which caused it to round fractional runlevel values ​​to the next integer. This could cause dependency problems for the smb-* scripts and others which rely on floating point runlevel values ​​(eg that smb-brute at runlevel 0.5 will run before smb-system-info at the default runlevel of 1).
  • The SEQ.CI OS detection test introduced in 4.85BETA4 now has some examples in nmap-os-db and has been assigned a MatchPoints value of 50. [David]
  • [Ncat] When using –send-only, Ncat will now close the network connection and terminate after receiving EOF on standard input. This is useful for, say, piping a file to a remote ncat where you don’t care to wait for any response. [Daniel Roethlisberger]
  • [Ncat] Fix hostname resolution on BSD systems where a recently fixed libc bug caused getaddrinfo(3) to fail unless a socket type hint is provided. Patch originally provided by Hajimu Umemoto of FreeBSD. [Daniel Roethlisberger]
  • [NSE] Fixed bug in the DNS library which caused the error message “nselib/dns.lua:54: ‘for’ limit must be a number”. [Jah]
  • Fixed Solaris 10 compilation by renaming a yield structure which conflicted with a yield function declared in unistd.h on that platform. [Pieter Bowman, Patrick]
  • [Ncat] Minor code cleanup of Ncat memory allocation and string duplication calls. [Ithilgore]
  • Fixed a bug which could cause -iR to only scan the first host group and then terminate prematurely. The problem related to the way hosts are counted by o.numhosts_scanned. [David]
  • Fixed a bug in the script so that, in the cases where it calls su, it uses the proper -c option rather than -C. [Michal Januszewski, Henry Gebhardt]
  • Overhaul the NSE documentation “Usage and Examples” section and add many more examples: [David]
  • [NSE] Made hexify in take an unsigned char * to work around an assertion in Visual C++ in Debug mode. The isprint, isalpha, etc. functions from ctype.h have an assertion that the value of the character passed in is = 128, it is cast to an unsigned int, making it a large positive number and failing the assertion. This is the same thing that was reported in, in regard to non-ASCII characters in nmap-mac-prefixes. [David]
  • [NSE] Fixed a segmentation fault which could occur in scripts which use the NSE pcap library. The problem was reported by Lionel Cons and fixed by Patrick.
  • [NSE] Port script start/finish debug messages now show the target port number as well as the host/IP. [Jah]
  • Updated IANA assignment IP list for random IP (-iR) generation. [Kris]
  • [NSE] Fixed http.table_argument so that user-supplied HTTP headers are now properly sent in HTTP requests. [Jah]

Version number 4.85 beta 9
Release status beta
Operating systems Windows 2000, Linux, BSD, Windows XP, macOS, OS/2, Solaris, UNIX, Windows Server 2003, Windows XP x64, Windows Server 2003 x64, Windows Vista, Windows Vista x64, Windows Server 2008
Website Nmap
License type GPL