Nmap Fingerprint Databases: 7 Core Libraries, NSE Extensions & Version Evolution
Nmap (Network Mapper) is the most widely used open-source network scanning and security auditing tool in the world. Its core identification capabilities rely on seven built-in fingerprint databases that cover operating systems, service versions, protocols, ports, MAC vendors, RPC programs, and NSE script extensions. As of the latest release Nmap 7.99 (March 26, 2026), these databases have evolved into one of the most comprehensive and active fingerprint identification ecosystems in the cybersecurity field.
Understanding the structure and working principles of these fingerprint databases will not only help you use Nmap more effectively but also enable you to customize fingerprint rules when needed and even contribute new fingerprint data to the community.
Nmap Fingerprint Identification System Overview
Nmap’s fingerprint identification capabilities are built on seven core data files, all prefixed with nmap-. The table below summarizes the key metrics of these seven databases:
| Database | File Name | Trigger Option | Data Volume |
|---|---|---|---|
| OS Fingerprints | nmap-os-db | -O, -A | 6,036+ fingerprints |
| Service/Version Signatures | nmap-service-probes | -sV, -A | 12,089+ signatures |
| Known Ports List | nmap-services | Default scan | 1,000+ port mappings |
| SunRPC Program Numbers | nmap-rpc | -sV (RPC Grinding) | ~140 program numbers |
| MAC Address Vendors | nmap-mac-prefixes | Local Ethernet detection | 30,000+ OUI records |
| IP Protocol Numbers | nmap-protocols | -sO | ~140 protocols |
| NSE Scripting Engine | scripts/*.nse | -sC, --script | 600+ scripts (14 categories) |
These seven databases work together to form Nmap’s complete fingerprint identification pipeline, from the network layer to the application layer. The following flowchart illustrates the core fingerprint identification process:
flowchart TD
A["Send Probe<br/>Packets"] --> B["Collect<br/>Responses"]
B --> C{"Match Against<br/>Fingerprint DBs"}
C --> D["nmap-os-db<br/>OS Fingerprints"]
C --> E["nmap-service-probes<br/>Service Signatures"]
C --> F["nmap-services<br/>Port Mapping"]
D --> G["Identification<br/>Result"]
E --> G
F --> G
style A fill:#FF9800,color:#000
style B fill:#2196F3,color:#fff
style C fill:#9C27B0,color:#fff
style D fill:#4CAF50,color:#fff
style E fill:#4CAF50,color:#fff
style F fill:#4CAF50,color:#fff
style G fill:#2196F3,color:#fffNmap first sends carefully crafted probe packets to the target, collects response data, then matches against the OS fingerprint database, service signature database, and port mapping table sequentially, ultimately producing a comprehensive identification result. Each database handles a specific identification dimension, complementing one another.
OS Fingerprint Database: nmap-os-db
nmap-os-db is the core database for Nmap’s OS detection feature, used with the -O option for remote operating system identification. It contains thousands of fingerprint blocks, each recording how a different operating system responds to Nmap’s specialized probe packets.
| Attribute | Description |
|---|---|
| File Name | nmap-os-db |
| Trigger Option | -O (OS detection), -A (aggressive mode) |
| Fingerprint Count | 6,036+ (336 new in 7.95, continuously updated in 7.99) |
| Data Format | Each block contains Fingerprint, Class, CPE lines and SEQ/OPS/WIN/ECN/T1-T7/U1/IE response test data |
| Supported Systems | Linux, Windows, macOS, FreeBSD, OpenBSD, iOS, Android, embedded systems, network devices (routers/switches/firewalls/IoT), game consoles, etc. |
| 7.95 Additions | iOS 15 & 16, macOS Ventura & Monterey, Linux 6.1, OpenBSD 7.1, lwIP 2.2, etc. |
| Online Version | https://svn.nmap.org/nmap/nmap-os-db |
How It Works
Nmap sends a series of specially crafted TCP/UDP/ICMP probe packets to the target, then compares the target’s responses against the fingerprints in nmap-os-db. The matching is based on the following key characteristics:
- TCP ISN Sequence (SEQ): Initial sequence number generation pattern (random increment, time-based, etc.)
- TCP Option Support (OPS): Different operating systems support significantly different sets of TCP options
- IP ID Sequence Generation (IPID): Incrementing, random, zero-value, and other patterns
- TCP Timestamp Handling (TS): Whether timestamps are supported and their precision
- Abnormal Flag Combination Response (ECN/T1-T7): Response behavior to abnormal TCP flag combinations
- ICMP Response Characteristics (U1/IE): Response differences to ICMP probes
Fingerprint Format Example
| |
Each fingerprint block begins with a Fingerprint line, followed by a Class line (OS classification) and a CPE line (Common Platform Enumeration identifier). The core test data includes SEQ (sequence analysis), OPS (TCP options), WIN (window size), ECN (Explicit Congestion Notification), T1-T7 (seven TCP probes), U1 (UDP probe), and IE (ICMP probe) test groups.
Service Version Detection Database: nmap-service-probes
nmap-service-probes is the core database for Nmap’s service and version detection, used with the -sV option. It contains a large number of custom probe requests and expected response matching rules that can identify the specific service program and version running on an open port.
| Attribute | Description |
|---|---|
| File Name | nmap-service-probes |
| Trigger Option | -sV (version detection), -A (aggressive mode) |
| Signature Count | 12,089+ (1.4% growth in 7.95, 9 new softmatches) |
| Recognized Protocols | 1,246+ protocols |
| Data Format | Contains Exclude, Probe, match, softmatch directives |
| Probe Types | NULL probe (banner grabbing), TCP probes, UDP probes, SSL probes, generic probes, etc. |
| 7.95 New Protocols | grpc, mysqlx, essnet, remotemouse, tuya, etc. |
| Online Version | https://svn.nmap.org/nmap/nmap-service-probes |
How It Works
Nmap’s service version detection proceeds through multiple stages:
- NULL Probe: First sends an empty probe packet to attempt banner grabbing
- Port-Specific Probe: Sends protocol-specific probe packets based on the port number (e.g., HTTP requests to port 80)
- Regex Matching: Compares returned data against regex matching rules in
nmap-service-probes - Post-Processing: Applies RPC grinding, SSL tunnel detection, and other post-processing techniques
- Output: Finally outputs service name, version number, additional information, and CPE identifier
Supported Protocol Types
nmap-service-probes supports over 1,246 protocols. Here are some representative ones:
afp bitcoin caldav dhcp dns ftp grpc http imap ipp ldap mongodb mqtt mysql mysqlx nfs ntp pop3 postgresql rdp redis remotemouse rpc rsync sip smb smtp snmp ssh ssl telnet tuya vnc xmpp xml-rpc yiff zebra essnet
Probe and Match Format
The nmap-service-probes file structure includes the following key directives:
Exclude: Excludes specific ports to avoid unnecessary probingProbe: Defines probe requests, including protocol type, probe string, and probe namematch: Defines matching rules using regular expressions to extract service name, version, and other information from responsessoftmatch: Soft matching rules that provide partial match information
Known Ports List: nmap-services
nmap-services is a registry of port numbers to service names, with each line containing the service name, port number/protocol, and port frequency value. The file was originally based on the IANA-assigned port list but has been augmented over the years with many additional ports, including those commonly used by trojans, worms, and other malware.
| Attribute | Description |
|---|---|
| File Name | nmap-services |
| Function | Port number ↔ service name mapping with port open frequency |
| Data Format | Three tab-separated columns: service_name port/protocol frequency |
| Data Source | IANA port registry + community contributions |
| Default Scan | Nmap scans the top 1,000 most frequent ports by default |
| Format Compatible | Compatible with /etc/services format |
Example Content
| |
The port frequency value reflects the probability of that port being open on the internet. Nmap scans the top 1,000 most frequent ports by default to balance scan speed and coverage.
Auxiliary Fingerprint Databases
In addition to the three core databases above, Nmap relies on four auxiliary fingerprint databases for specific identification scenarios.
SunRPC Program Number Mapping: nmap-rpc
nmap-rpc maps SunRPC program numbers to their corresponding program names, used exclusively for the RPC Grinding feature in Nmap’s version detection. The format is identical to the Unix system’s /etc/rpc file.
| RPC Program Name | Program Number | Description |
|---|---|---|
rpcbind | 100000 | Portmapper / RPC binding service |
rstatd | 100001 | Remote status monitoring |
rusersd | 100002 | Remote user list |
nfs | 100003 | Network File System |
ypserv | 100004 | NIS (Yellow Pages) service |
mountd | 100005 | NFS mount daemon |
rpc.operd | 100080 | Sun Online-Backup |
MAC Address Vendor Prefixes: nmap-mac-prefixes
nmap-mac-prefixes maps the OUI (first 3 bytes) of a MAC address to the device manufacturer name. When the target host is on a local Ethernet network, Nmap can read the MAC address from the packet header and query this table to roughly identify the device type.
| Attribute | Description |
|---|---|
| File Name | nmap-mac-prefixes |
| Data Format | Two columns: 6-digit hex OUI vendor_name |
| Data Source | IEEE OUI registry |
| Record Count | Over 30,000 OUI records |
| Update Frequency | Updated with Nmap releases, reflecting latest IEEE OUI assignments |
Example content:
| |
IP Protocol Number List: nmap-protocols
nmap-protocols maps the 1-byte protocol number in the IP header to the protocol name, used for IP protocol scanning (-sO). This file defines fewer than 140 protocols, with data sourced from IANA.
| Protocol Number | Protocol Name | Description |
|---|---|---|
| 0 | hopopt | IPv6 Hop-by-Hop Option |
| 1 | icmp | Internet Control Message Protocol |
| 2 | igmp | Internet Group Management |
| 6 | tcp | Transmission Control Protocol |
| 17 | udp | User Datagram Protocol |
| 47 | gre | Generic Routing Encapsulation |
| 50 | esp | Encapsulating Security Payload |
| 89 | ospf | Open Shortest Path First |
| 132 | sctp | Stream Control Transmission Protocol |
NSE Scripting Engine and Script Database
The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful extensibility features, with over 600 Lua scripts organized into 14 functional categories. These scripts effectively form Nmap’s “advanced fingerprinting” capability, covering vulnerability detection, brute-forcing, service enumeration, information gathering, and more.
| File/Directory | Description |
|---|---|
scripts/*.nse | NSE Lua script files, 600+ total |
scripts/script.db | Script category cache file (plain text), generated by --script-updatedb |
nselib/*.lua | NSE extension library modules, e.g., shortport.lua, stdnse.lua, http.lua |
Complete NSE Script Category List
| Category | Name | Description | Risk Level |
|---|---|---|---|
auth | Authentication | Handles authentication credentials, bypass detection | Medium |
broadcast | Broadcast | LAN broadcast discovery for DHCP/DNS/SQLServer services | Low |
brute | Brute Force | Brute-force attacks on HTTP/SNMP/SSH/FTP and other common services | High |
default | Default | Scripts executed by default with -sC or -A | Low |
discovery | Discovery | Network information gathering: SMB enumeration, SNMP queries, directory enumeration | Medium |
dos | Denial of Service | Denial of Service attack testing scripts | Very High |
exploit | Exploit | Active exploitation of known security vulnerabilities | Very High |
external | External Service | Scripts that depend on third-party external services | Medium |
fuzzer | Fuzzing | Sends random/malformed data to discover vulnerabilities | High |
intrusive | Intrusive | High-risk scripts that may crash the target or corrupt data | High |
malware | Malware | Detects if the target is infected with malware or has backdoors | Medium |
safe | Safe | Low-risk scripts that do not affect the target | Low |
version | Version | Enhanced service/version detection (works with -sV) | Low |
vuln | Vulnerability | Detects known vulnerabilities (e.g., CVE-related) | Medium-High |
Representative Fingerprint-Related Scripts
| Script Name | Category | Function |
|---|---|---|
http-enum | discovery, intrusive, vuln | Enumerates web application directories using Nikto-like fingerprint files |
banner | safe, discovery | Grabs service banner information |
smb-os-discovery | default, safe, discovery | Identifies Windows OS version via SMB protocol |
ssh-hostkey | default, safe | Retrieves SSH host key fingerprints |
ssl-cert | default, safe, discovery | Retrieves SSL/TLS certificate information |
http-headers | discovery, safe | Retrieves HTTP response header information |
http-title | default, safe, discovery | Retrieves web page title |
ftp-anon | default, safe, auth | Detects FTP anonymous login |
vulners | vuln, safe, external | Detects known vulnerabilities via vulners.com |
http-waf-detect | discovery, intrusive | Detects Web Application Firewalls (WAF) |
mysql-info | default, safe, discovery | Retrieves MySQL server information |
redis-info | discovery, safe | Retrieves Redis server information |
smtp-commands | discovery, safe | Enumerates SMTP supported commands |
New ICS Scripts in 7.95
Nmap 7.95 introduced 4 new NSE scripts from the DINA community, specifically designed for querying industrial control systems:
| Script Name | Function |
|---|---|
hartip-info | Reads Highway Addressable Remote Transducer device information via HART-IP protocol |
iec61850-mms | Queries IEC 61850 devices using Manufacturing Message Specification requests |
multicast-profinet-discovery | Sends PROFINET DCP Identify All multicast messages and prints responses |
profinet-cm-lookup | Queries DCERPC endpoint mapper exposed via PNIO-CM service |
Fingerprint Database Version Evolution
Nmap’s fingerprint databases evolve continuously, with each major release incorporating substantial amounts of new fingerprint data. The following table summarizes recent major version updates:
| Version | Release Date | Fingerprint-Related Updates |
|---|---|---|
| Nmap 7.99 | 2026-03-26 | Integrated numerous latest IPv4 and IPv6 OS fingerprints and dozens of updated service fingerprints. Upgraded OpenSSL 3.0.19, libpcap 1.10.6, libpcre2 10.47, liblinear 2.50, zlib 1.3.2. Npcap upgraded to 1.87. |
| Nmap 7.98 | 2025-08-21 | Security fix (CVE-2025-43715). Upgraded OpenSSL 3.0.17, Lua 5.4.8. Npcap upgraded to 1.83. |
| Nmap 7.97 | 2025-05-12 | Bug-fix only (Zenmap non-Latin charset crash fix, parallel forward DNS resolver fix, false positive detection fix). No fingerprint integration. |
| Nmap 7.96 | 2025-05-01 | Complete DNS resolver rewrite with parallel forward DNS lookup support. Introduced dark mode. |
| Nmap 7.95 | 2024-04-23 | Major fingerprint update: Processed 6,500+ community-submitted fingerprints. OS fingerprints grew by 336 to 6,036. Service signatures grew 1.4% to 12,089. Recognized protocols increased to 1,246. Added 4 ICS-related NSE scripts. |
| Nmap 7.94 | 2023-05-19 | Continued integration of community-submitted OS and service fingerprints. Upgraded NPSL to v0.95. |
File Paths and Customization
Default Installation Paths
| Installation Method | Data File Path |
|---|---|
| Source compilation | /usr/local/share/nmap/ |
| Linux RPM package | /usr/share/nmap/ |
| Kali Linux | /usr/share/nmap/ |
| Windows | C:\Program Files (x86)\Nmap\ |
| macOS (Homebrew) | /usr/local/share/nmap/ or /opt/homebrew/share/nmap/ |
Custom Data Files
Advanced users can use custom data files with the following options:
--datadir <directory>: Specify a custom data file directory--servicedb <file>: Specify a customnmap-servicesfile--versiondb <file>: Specify a customnmap-service-probesfile
Note: It is strongly recommended to upgrade to the latest Nmap version rather than replacing data files individually. Mixing old and new versions can lead to confusion in the fingerprint submission process and compatibility is not guaranteed.
Submitting Fingerprint Contributions
When Nmap cannot identify an operating system or service, it automatically generates a fingerprint and displays a submission URL. Users can contribute in the following ways:
- OS Fingerprints: Submit following the Nmap official documentation guidelines
- Service Fingerprints: Refer to the service detection community contribution guide
- Submission Email:
[email protected]
The greatest strength of Nmap’s fingerprint databases lies in their active community contribution mechanism — every unrecognized fingerprint can be fed back to the development team through Nmap’s built-in submission functionality, enabling the database to continuously cover the latest operating systems, devices, and services. Nmap 7.95 integrated over 6,500 community-submitted fingerprints in a single release, fully demonstrating the vitality of this ecosystem.
Summary
Nmap’s seven fingerprint databases form a layered, collaborative identification system. From the low-level OS fingerprint database (nmap-os-db) to the application-layer service version detection (nmap-service-probes), from port mapping (nmap-services) to MAC vendor identification (nmap-mac-prefixes), and further to RPC program numbers (nmap-rpc), IP protocol numbers (nmap-protocols), and NSE script extensions — each database plays an irreplaceable role in Nmap’s identification pipeline.
Understanding the structure and working principles of these databases not only helps you use Nmap more effectively for network scanning and security auditing but also enables you to customize fingerprint rules when needed and contribute new fingerprint data to the community. As network technology continues to evolve, Nmap’s fingerprint databases keep pace, making it essential for every cybersecurity professional to stay informed about these databases.