NmapNmap，全名為 Network Mapper，是一個廣泛使用的開源工具，專為網路發現和安全審計而設計。由 Gordon Lyon 開發，Nmap 被網路管理員、安全專家和駭客用來掃描網路、識別主機和服務。它在網路資產盤點、管理服務升級時間表及監控主機或服務的運行時間方面非常有效。

Nmap 通過向目標主機發送特製的數據包並分析其響應來運行。這個過程使其能夠確定網絡上各種設備的狀態，包括哪些端口是開放的、哪些服務在運行，以及正在使用哪些作業系統。Nmap 支持各種掃描技術，包括 TCP 連接、SYN 掃描、UDP 掃描和作業系統檢測，允許進行全面的網絡分析。

Nmap 的一個關鍵特性是其腳本引擎 (NSE)，可以讓用戶自動執行檢測漏洞、發現惡意軟體以及進行高級網路偵查等任務。NSE 腳本是用 Lua 編寫的，一種輕量級的程式語言，使用戶能夠擴展 Nmap 的功能並根據其具體需求自訂掃描。

Nmap 支援多個平台，包括 Windows、macOS 和 Linux，讓不同操作系統的使用者都能夠使用。其強大的功能和易用性使 Nmap 成為網路安全評估的重要工具，以及許多網路安全工具包的基本組件。

主要功能：

• 主機發現：在網路上尋找在線的主機。
• 端口掃描：掃描開放的端口以查看正在運行的服務。
• 服務版本檢測：識別開放端口上的軟體版本。
• 操作系統檢測：檢測主機的操作系統和設備類型。
• Nmap Scripting Engine (NSE)：使用腳本進行漏洞檢測和自動化等任務。
• 防火牆規避：在掃描過程中繞過防火牆和安全系統。
• 靈活輸出：支持多種結果格式，如文字、XML和HTML。
• 隱形掃描：安靜地掃描以避免被安全系統偵測。
• IPv6 支援：可同時使用 IPv4 和 IPv6 網絡。
• GUI (Zenmap)：提供圖形介面以便更容易使用。

• [NSE] Add ssl-heartbleed script to detect the Heartbleed bug in OpenSSL
• [NSE] Fixed an error-handling bug in socks-open-proxy that caused it to fail when scanning a SOCKS4-only proxy.
• [NSE] Improved ntp-info script to handle underscores in returned data.
• [NSE] Add quake1-info script for retrieving server and player information from Quake 1 game servers. Reports potential DoS amplification factor.
• [NSE] Add unicode library for decoding and encoding UTF-8, UTF-16, CP437 and other character sets to Unicode code points. Scripts that previously just added or skipped nulls in UTF-16 data can use this to support non-ASCII characters.
• When doing a ping scan (-sn), the --open option will prevent down hosts from being shown when -v is specified. This aligns with similar output for other scan types.
• [Ncat] Added support for socks5 and corresponding regression tests.
• [NSE] Add http-ntlm-info script for getting server information from Web servers that require NTLM authentication.
• Added TCP support to dns.lua.
• Added safe fd_set operations. This makes nmap fail gracefully instead of crashing when the number of file descriptors grows over FD_SETSIZE.
• [NSE] Added tls library for functions related to SSLv3 and TLS messages. Existing ssl-enum-ciphers, ssl-date, and tls-nextprotoneg scripts were updated to use this library.
• [NSE] Add sstp-discover script to discover Microsoft's Secure Socket Tunnelling Protocol
• [NSE] Added unittest library and NSE script for adding unit tests to NSE libraries. See unittest.lua for examples, and run `nmap --script=unittest --script-args=unittest.run -d` to run the tests.
• Updated bundled liblua from 5.2.2 to 5.2.3 (bugfix release)
• Added version detection signatures and probes for a bunch of Android remote mouse/keyboard servers, including AndroMouse, AirHID, Wifi-mouse, and RemoteMouse.
• [NSE] Added allseeingeye-info for gathering information from games using this query protocol. A version detection probe was also added.
• [NSE] Add freelancer-info to gather information about the Freelancer game server. Also added a related version detection probe and UDP protocol payload for detecting the service.
• [Ncat] Fixed compilation when --without-liblua is specified in configure (an #include needed an ifdef guard).
• [NSE] Add http-server-header script to grab the Server header as a last-ditch effort to get a software version. This can't be done as a softmatch because of the need to match non-HTTP services that obey some HTTP requests.
• [NSE] Add rfc868-time script to get the date and time from an RFC 868 Time server.
• [NSE] Add weblogic-t3-info script that detects the T3 RMI protocol used by Oracle/BEA Weblogic. Extracts the Weblogic version, as well
• Fixed a bug in libdnet with handling interfaces with AF_LINK addresses on FreeBSD >9 .Likely affected other *BSDs. Handled by skipping these non-network addresses.
• Fixed a bug with UDP checksum calculation. When the UDP checksum is zero (0x0000), it must be transmitted as 1's-complement -0 (0xffff) to avoid ambiguity with +0, which indicates no checksum was calculated. This affected UDP on IPv4 only.
• [NSE] Removed a fixed value (28428) which was being set for the Request ID in the snmpWalk library function; a value based on nmap.clock_ms will now be set instead.
• [NSE] Add http-iis-short-name-brute script that detects Microsoft IIS servers vulnerable to a file/folder name disclosure and a denial of service vulnerability. The script obtains the "shortnames" of the files and folders in the webroot folder.
• Idle scan now supports IPv6. IPv6 packets don't usually come with fragments identifiers like IPv4 packets do, so new techniques had to be developed to make idle scan possible.
• [NSE] Add http-dlink-backdoor script that detects DLink routers with firmware backdoor allowing admin access over HTTP interface.
• The ICMP ID of ICMP probes is now matched against the sent ICMP ID, to reduce the chance of false matches.
• [NSE] Made telnet-brute support multiple parallel guessing threads, reuse connections, and support password-only logins.
• [NSE] Made the table returned by ssh1.fetch_host_key contain a "key" element, like that of ssh2.fetch_host_key. This fixed a crash in the ssh-hostkey script. The "key" element of ssh2.fetch_host_key now is base64-encoded, to match the format used by the known_hosts file.
• [Nsock] Handle timers and timeouts via a priority queue (using a heap) for improved performance. Nsock now only iterates over events which are completed or expired instead of inspecting the entire event set at each iteration.
• [NSE] Update dns-cache-snoop script to use a new list of top 50 domains rather than a 2010 list.
• [NSE] Added the qconn-exec script , which tests the QNX QCONN service for remote command execution.
• [Zenmap] Fixed a crash that would happen when you entered a search term starting with a colon: "AttributeError: 'FilteredNetworkInventory' object has no attribute 'match_'".
• [Ncat] Added NCAT_PROTO, NCAT_REMOTE_ADDR, NCAT_REMOTE_PORT, NCAT_LOCAL_ADDR and NCAT_LOCAL_PORT environment variables being set in all --*-exec child processes.