NmapNetwork Mapper的简称，是一种广泛使用的开源工具，旨在进行网络发现和安全审计。由Gordon Lyon开发，Nmap被网络管理员、安全专业人员和黑客广泛用于扫描网络、识别主机和服务。它在网络清单、管理服务升级计划以及监控主机或服务的正常运行时间方面非常有效。

Nmap通过向目标主机发送特制的数据包并分析其响应来操作。此过程使其能够确定网络上各种设备的状态，包括哪些端口是打开的、运行了哪些服务以及使用了哪些操作系统。Nmap支持各种扫描技术，包括TCP连接、SYN扫描、UDP扫描和操作系统检测，从而进行彻底的网络分析。

Nmap 的一个关键特性是其脚本引擎 (NSE)，这使用户能够自动化任务，如检测漏洞、发现恶意软件和执行高级网络侦察。NSE 脚本是用 Lua 编写的，Lua 是一种轻量级编程语言，允许用户扩展 Nmap 的功能，并根据他们的特定需求自定义扫描。

Nmap支持多个平台，包括Windows、macOS和Linux，使其可供不同操作系统的用户使用。其强大的功能和易用性使Nmap成为网络安全评估的重要工具，也是许多网络安全工具包的基本组成部分。

关键功能：

• 主机发现：查找网络上的活动主机。
• 端口扫描：扫描开放端口以查看哪些服务正在运行。
• 服务版本检测：识别开放端口上的软件版本。
• 操作系统检测：检测主机的操作系统和设备类型。
• Nmap Scripting Engine (NSE)：使用脚本执行漏洞检测和自动化等任务。
• 防火墙规避：在扫描过程中绕过防火墙和安全系统。
• 灵活输出：支持多种结果格式，如文本、XML和HTML。
• 隐形扫描：悄无声息地扫描以避免被安全系统检测到。
• IPv6支持：与IPv4和IPv6网络兼容。
• GUI (Zenmap)：提供图形界面以便于使用。

• [NSE] Add ssl-heartbleed script to detect the Heartbleed bug in OpenSSL
• [NSE] Fixed an error-handling bug in socks-open-proxy that caused it to fail when scanning a SOCKS4-only proxy.
• [NSE] Improved ntp-info script to handle underscores in returned data.
• [NSE] Add quake1-info script for retrieving server and player information from Quake 1 game servers. Reports potential DoS amplification factor.
• [NSE] Add unicode library for decoding and encoding UTF-8, UTF-16, CP437 and other character sets to Unicode code points. Scripts that previously just added or skipped nulls in UTF-16 data can use this to support non-ASCII characters.
• When doing a ping scan (-sn), the --open option will prevent down hosts from being shown when -v is specified. This aligns with similar output for other scan types.
• [Ncat] Added support for socks5 and corresponding regression tests.
• [NSE] Add http-ntlm-info script for getting server information from Web servers that require NTLM authentication.
• Added TCP support to dns.lua.
• Added safe fd_set operations. This makes nmap fail gracefully instead of crashing when the number of file descriptors grows over FD_SETSIZE.
• [NSE] Added tls library for functions related to SSLv3 and TLS messages. Existing ssl-enum-ciphers, ssl-date, and tls-nextprotoneg scripts were updated to use this library.
• [NSE] Add sstp-discover script to discover Microsoft's Secure Socket Tunnelling Protocol
• [NSE] Added unittest library and NSE script for adding unit tests to NSE libraries. See unittest.lua for examples, and run `nmap --script=unittest --script-args=unittest.run -d` to run the tests.
• Updated bundled liblua from 5.2.2 to 5.2.3 (bugfix release)
• Added version detection signatures and probes for a bunch of Android remote mouse/keyboard servers, including AndroMouse, AirHID, Wifi-mouse, and RemoteMouse.
• [NSE] Added allseeingeye-info for gathering information from games using this query protocol. A version detection probe was also added.
• [NSE] Add freelancer-info to gather information about the Freelancer game server. Also added a related version detection probe and UDP protocol payload for detecting the service.
• [Ncat] Fixed compilation when --without-liblua is specified in configure (an #include needed an ifdef guard).
• [NSE] Add http-server-header script to grab the Server header as a last-ditch effort to get a software version. This can't be done as a softmatch because of the need to match non-HTTP services that obey some HTTP requests.
• [NSE] Add rfc868-time script to get the date and time from an RFC 868 Time server.
• [NSE] Add weblogic-t3-info script that detects the T3 RMI protocol used by Oracle/BEA Weblogic. Extracts the Weblogic version, as well
• Fixed a bug in libdnet with handling interfaces with AF_LINK addresses on FreeBSD >9 .Likely affected other *BSDs. Handled by skipping these non-network addresses.
• Fixed a bug with UDP checksum calculation. When the UDP checksum is zero (0x0000), it must be transmitted as 1's-complement -0 (0xffff) to avoid ambiguity with +0, which indicates no checksum was calculated. This affected UDP on IPv4 only.
• [NSE] Removed a fixed value (28428) which was being set for the Request ID in the snmpWalk library function; a value based on nmap.clock_ms will now be set instead.
• [NSE] Add http-iis-short-name-brute script that detects Microsoft IIS servers vulnerable to a file/folder name disclosure and a denial of service vulnerability. The script obtains the "shortnames" of the files and folders in the webroot folder.
• Idle scan now supports IPv6. IPv6 packets don't usually come with fragments identifiers like IPv4 packets do, so new techniques had to be developed to make idle scan possible.
• [NSE] Add http-dlink-backdoor script that detects DLink routers with firmware backdoor allowing admin access over HTTP interface.
• The ICMP ID of ICMP probes is now matched against the sent ICMP ID, to reduce the chance of false matches.
• [NSE] Made telnet-brute support multiple parallel guessing threads, reuse connections, and support password-only logins.
• [NSE] Made the table returned by ssh1.fetch_host_key contain a "key" element, like that of ssh2.fetch_host_key. This fixed a crash in the ssh-hostkey script. The "key" element of ssh2.fetch_host_key now is base64-encoded, to match the format used by the known_hosts file.
• [Nsock] Handle timers and timeouts via a priority queue (using a heap) for improved performance. Nsock now only iterates over events which are completed or expired instead of inspecting the entire event set at each iteration.
• [NSE] Update dns-cache-snoop script to use a new list of top 50 domains rather than a 2010 list.
• [NSE] Added the qconn-exec script , which tests the QNX QCONN service for remote command execution.
• [Zenmap] Fixed a crash that would happen when you entered a search term starting with a colon: "AttributeError: 'FilteredNetworkInventory' object has no attribute 'match_'".
• [Ncat] Added NCAT_PROTO, NCAT_REMOTE_ADDR, NCAT_REMOTE_PORT, NCAT_LOCAL_ADDR and NCAT_LOCAL_PORT environment variables being set in all --*-exec child processes.