Full Report
The Nmap Project has released Nmap 7.96, bringing new features, performance upgrades, and bug fixes to the network scanning tool. As a fundamental utility for network discovery and security auditing, Nmap has long been a go-to tool for security professionals, and version 7.96 makes it more capable still.

The standout change in Nmap 7.96 is the overhaul of its DNS resolution. Forward lookups (hostname to address) are now performed in parallel by Nmap's own resolver instead of one at a time through the system library. In the project's own benchmark, resolving one million website names to both IPv4 and IPv6 addresses took just over an hour, compared with about 49 hours using the previous method. The gain is most noticeable when scanning large lists of hostnames, such as those supplied with -iL, which makes Nmap considerably more efficient for network audits and vulnerability assessments.

Nmap 7.96 also updates the bundled third-party libraries: OpenSSL 3.0.16, Lua 5.4.7, libssh2 1.11.1, libpcap 1.10.5, and libpcre2 10.45. These updates carry upstream bug and security fixes and improve compatibility with current systems, which matters for anyone who relies on Nmap's TLS and SSH probing and on NSE for reconnaissance and vulnerability assessment.

New and Improved Features with Nmap 7.96

Alongside these technical enhancements, Nmap 7.96 includes a number of new features intended to streamline the user experience and extend its capabilities. The Nmap Scripting Engine (NSE) has gained several new scripts. mikrotik-routeros-version queries MikroTik's WinBox administrative service to obtain the RouterOS version. mikrotik-routeros-username-brute brute-forces account names through the same WinBox service by exploiting CVE-2024-54772, a response discrepancy that lets an unauthenticated client tell valid usernames from invalid ones; it is a username-enumeration script, not a password-guessing one. targets-ipv6-eui64 generates IPv6 target addresses from a list of MAC addresses using the modified EUI-64 method, which lets a scan reach hosts on a /64 that autoconfigured their addresses from their hardware address.
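The EUI-64 derivation that targets-ipv6-eui64 performs, written out as an added Python example (this is not the NSE script's own Lua code and not from the original article). The prefix and MAC values are made up; the inverse function shows why EUI-64 addresses leak the hardware address, which is what makes the technique useful to a scanner and why privacy addresses exist.

```python
"""Modified EUI-64 interface identifiers (RFC 4291, Appendix A), as used by SLAAC
hosts and by Nmap's targets-ipv6-eui64 script to derive scan targets.
Added example; the prefix and MAC values below are made up."""
import ipaddress
import re
from typing import Iterable, List, Optional


def mac_to_eui64_iid(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a 48-bit MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)      # accept aa:bb:cc, aa-bb-cc or aabb.ccdd forms
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytearray(bytes.fromhex(digits))
    octets[0] ^= 0x02                               # flip the universal/local bit of octet 0
    # insert 0xFFFE between the OUI half and the NIC half
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier derived from `mac`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError(f"EUI-64 addresses need a /64 prefix, got /{net.prefixlen}")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_eui64_iid(mac))


def eui64_targets(prefix: str, macs: Iterable[str]) -> List[str]:
    """Expand MACs (e.g. from an ARP table or DHCP leases) into IPv6 scan targets."""
    return [str(eui64_address(prefix, mac)) for mac in macs]


def mac_from_eui64(address: str) -> Optional[str]:
    """Inverse operation: recover the MAC if the address looks EUI-64 derived, else None."""
    packed = ipaddress.IPv6Address(address).packed
    iid = bytearray(packed[8:])
    if iid[3:5] != b"\xff\xfe":                     # no FFFE marker: not EUI-64 (privacy/static)
        return None
    iid[0] ^= 0x02                                  # undo the universal/local bit flip
    mac = bytes(iid[:3]) + bytes(iid[5:])
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    # made-up prefix and MACs for demonstration
    for target in eui64_targets("2001:db8:0:1::/64", ["00:11:22:33:44:55", "b8-27-eb-12-34-56"]):
        print(target, "<-", mac_from_eui64(target))
```

Feed the output of eui64_targets to a scan as the target list; hosts using RFC 7217 stable-privacy or RFC 4941 temporary addresses will not be found this way, which mac_from_eui64 returning None makes visible.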
With these additions the NSE script count reaches 612.

The update also introduces a dark mode for Zenmap, Nmap's graphical user interface. It can be toggled from the "Profile->Toggle Dark Mode" menu or by setting the window::dark_mode option in zenmap.conf. The dark theme improves usability in low-light environments and reduces eye strain during long scanning sessions.

Ncat, the suite's networking utility, has also been improved. It has a new default mode for closing connections and a new "-q" option that delays exit after end-of-file (EOF) is received on standard input, giving the remote side time to answer data already sent before the connection is torn down.

Enhanced Scanning Capabilities

The core scanner in Nmap 7.96 has several improvements that make it more efficient for large jobs. Key highlights include:
- Parallel DNS resolution: forward DNS lookups now run in parallel, using the same high-performance engine that earlier versions used only for reverse (PTR) lookups, which drastically reduces the time spent on name resolution.
- Custom stub resolver: Nmap keeps using its own stub resolver, sending queries directly to the configured nameservers and keeping many requests in flight at once instead of calling the slower, serial system resolver library.
- Flexible DNS resolution options: -n disables DNS resolution entirely; -R forces reverse DNS for every target, even hosts that appear to be down; --system-dns falls back to the operating system's resolver; and --dns-servers lists the nameservers Nmap's own resolver should query.
- Improved DNS parsing: domain-name parsing has been hardened, fixing problems with recursive name parsing and enforcing name-length limits so that a malformed response cannot trigger a stack overflow.
These improvements speed up scanning and make Nmap more robust when working across large networks or domains.

Bug Fixes and Compatibility Enhancements

Nmap 7.96 also addresses several long-standing issues.
Notably, it fixes problems with the IOCP Nsock engine on Windows, and a bug in TCP Connect scans (-sT) in which closed ports were reported as "filtered" instead of "closed". Users can now also scan IP protocol 255 with a protocol scan (-sO), and target lists can be given from both the command line and an input file (-iL) in the same run, a combination that was previously not supported.

Conclusion

Nmap 7.96 delivers faster scans and greater flexibility, especially for large-scale host discovery, and extends the Nmap Scripting Engine (NSE) with new scripts that check specific vulnerabilities and automate tasks. The overhauled DNS resolution and parallel query handling further cement Nmap's place as one of the fastest and most reliable tools for network security work. The release continues the Nmap Project's commitment to providing essential tools for network administrators, security auditors, and ethical hackers, and is available for download in various formats from the official website.
Analysis Summary
# Tool/Technique: Nmap 7.96
## Overview
Nmap (Network Mapper) version 7.96 is a significant release focused on enhancing scanning speed, particularly for DNS resolution, and improving the functionality and reliability of its network discovery and security auditing capabilities. It incorporates updates to its core engine, the Nmap Scripting Engine (NSE), and bug fixes for common scanning operations.
## Technical Details
- Type: Tool
- Platform: Cross-platform (Linux, Windows, macOS, etc.)
- Capabilities: Network discovery, port scanning, service version detection, script execution (NSE), and enhanced DNS resolution.
- First Seen: May 8th, 2025 (date of the release report used as context here)
## MITRE ATT&CK Mapping
As Nmap is a legitimate network utility used by both defenders and attackers, its mapping depends on the specific use case. When used for reconnaissance against external targets:
- **TA0043 - Reconnaissance**
- T1595 - Active Scanning
- T1595.001 - Scanning IP Blocks
- T1595.002 - Vulnerability Scanning
When run from inside a network that has already been compromised:
- **TA0007 - Discovery**
- T1046 - Network Service Discovery
## Functionality
### Core Capabilities
- **Faster DNS Resolution:** Forward lookups are now issued in parallel by Nmap's own stub resolver, which greatly shortens host discovery on large hostname lists (the project cites one million names resolved in just over an hour versus 49 hours with the previous method).
- **Enhanced Command-Line Options for DNS:** Users can fine-tune DNS resolution using options like:
- `-n`: Disable DNS resolution entirely.
- `-R`: Always resolve target hostnames.
- `--system-dns`: Utilize the system's configured DNS resolver.
- `--dns-servers`: Specify custom DNS servers for resolution.
- **Improved Domain Name Parsing:** Enhanced handling of domain name recursion and enforcement of name length limits to prevent related stack overflow vulnerabilities.
- **Bug Fixes:** Resolution of issues in the IOCP Nsock engine on Windows and correction of TCP Connect scans (`-sT`) where closed ports were incorrectly labeled as "filtered."
### Advanced Features
- **Scripting Engine (NSE):** The release adds mikrotik-routeros-version (RouterOS version via WinBox), mikrotik-routeros-username-brute (username enumeration via CVE-2024-54772) and targets-ipv6-eui64 (IPv6 targets derived from MAC addresses), bringing the total to 612 scripts.
- **Protocol Scanning:** Ability to scan IP protocol 255.
- **Target Specification Flexibility:** Targets can now be given both as command-line arguments and from an input file (-iL) in the same run.
## Indicators of Compromise
*Note: As Nmap is a legitimate tool, IOCs relate to its specific usage configuration, not the tool itself, unless abused as part of a specific malware chain.*
- File Hashes: [Not provided in the context]
- File Names: nmap, nmap.exe, and the bundled suite binaries zenmap, ncat, nping
- Registry Keys: [Not applicable]
- Network Indicators: Nmap's own stub resolver sends queries directly from the scanning host to the nameservers in resolv.conf or those given with --dns-servers, so resolver query logs show bursts of parallel A/AAAA (and PTR) lookups from that host (defanged example of a queried resolver: internal-dns[.]corp)
- Behavioral Indicators: High volume of connection attempts across a broad range of ports or hosts indicative of active scanning activity.
## Associated Threat Actors
Nmap is a dual-use tool. It is used ubiquitously by:
- Network Administrators
- Security Auditors (Penetration Testers)
- Ethical Hackers
- Malicious actors for network reconnaissance and vulnerability identification (various Ransomware groups, APTs).
## Detection Methods
- **Signature-based detection:** Process-creation telemetry (e.g. Sysmon Event ID 1, auditd execve records) matching the Nmap binaries or their characteristic command lines (scan-type flags such as -sS/-sT/-sO, -iL target files, --script or --dns-servers arguments).
- **Behavioral detection:** Rapid, widespread port sweeps; a dense burst of distinct forward (A/AAAA) lookups from one host, which is exactly what the 7.96 parallel resolver produces when fed a hostname list; or connection patterns characteristic of active scanning (e.g. many TCP SYNs without completed handshakes).
- **YARA rules:** YARA rules targeting known Nmap binaries or specific artifact patterns if the tool is deployed maliciously.
## Mitigation Strategies
- **Network Segmentation:** Limiting the scope of reconnaissance attempts by enforcing strict network segmentation.
- **Use of Firewalls/IDS/IPS:** Configure security devices to detect and alert on aggressive scanning patterns or unusual query volumes characteristic of Nmap usage.
- **Host Hardening:** Implementing application whitelisting to prevent unauthorized execution of tools like Nmap, especially on production or sensitive systems.
- **Monitoring DNS Resolution:** Review internal DNS server query logs for large numbers of distinct lookups from unexpected internal hosts; with 7.96 a hostname-list scan compresses what used to be hours of queries into minutes, which makes the burst easier to spot.
## Related Tools/Techniques
- Masscan (Known for extremely fast port scanning)
- ZMap (Network scanning tool designed for speed)
- Unicornscan