Nmap Fingerprint Databases: 7 Core Libraries, NSE Extensions & Version Evolution

Nmap (Network Mapper) is the most widely used open-source network scanning and security auditing tool in the world. Its core identification capabilities rely on seven built-in fingerprint databases that cover operating systems, service versions, protocols, ports, MAC vendors, RPC programs, and NSE script extensions. As of the latest release Nmap 7.99 (March 26, 2026), these databases have evolved into one of the most comprehensive and active fingerprint identification ecosystems in the cybersecurity field.

Understanding the structure and working principles of these fingerprint databases will not only help you use Nmap more effectively but also enable you to customize fingerprint rules when needed and even contribute new fingerprint data to the community.

Nmap Fingerprint Identification System Overview

Nmap’s fingerprint identification capabilities are built on seven core data files, all prefixed with nmap-. The table below summarizes the key metrics of these seven databases:

DatabaseFile NameTrigger OptionData Volume
OS Fingerprintsnmap-os-db-O, -A6,036+ fingerprints
Service/Version Signaturesnmap-service-probes-sV, -A12,089+ signatures
Known Ports Listnmap-servicesDefault scan1,000+ port mappings
SunRPC Program Numbersnmap-rpc-sV (RPC Grinding)~140 program numbers
MAC Address Vendorsnmap-mac-prefixesLocal Ethernet detection30,000+ OUI records
IP Protocol Numbersnmap-protocols-sO~140 protocols
NSE Scripting Enginescripts/*.nse-sC, --script600+ scripts (14 categories)

These seven databases work together to form Nmap’s complete fingerprint identification pipeline, from the network layer to the application layer. The following flowchart illustrates the core fingerprint identification process:

mermaid
flowchart TD
    A["Send Probe<br/>Packets"] --> B["Collect<br/>Responses"]
    B --> C{"Match Against<br/>Fingerprint DBs"}
    C --> D["nmap-os-db<br/>OS Fingerprints"]
    C --> E["nmap-service-probes<br/>Service Signatures"]
    C --> F["nmap-services<br/>Port Mapping"]
    D --> G["Identification<br/>Result"]
    E --> G
    F --> G

    style A fill:#FF9800,color:#000
    style B fill:#2196F3,color:#fff
    style C fill:#9C27B0,color:#fff
    style D fill:#4CAF50,color:#fff
    style E fill:#4CAF50,color:#fff
    style F fill:#4CAF50,color:#fff
    style G fill:#2196F3,color:#fff

Nmap first sends carefully crafted probe packets to the target, collects response data, then matches against the OS fingerprint database, service signature database, and port mapping table sequentially, ultimately producing a comprehensive identification result. Each database handles a specific identification dimension, complementing one another.

OS Fingerprint Database: nmap-os-db

nmap-os-db is the core database for Nmap’s OS detection feature, used with the -O option for remote operating system identification. It contains thousands of fingerprint blocks, each recording how a different operating system responds to Nmap’s specialized probe packets.

AttributeDescription
File Namenmap-os-db
Trigger Option-O (OS detection), -A (aggressive mode)
Fingerprint Count6,036+ (336 new in 7.95, continuously updated in 7.99)
Data FormatEach block contains Fingerprint, Class, CPE lines and SEQ/OPS/WIN/ECN/T1-T7/U1/IE response test data
Supported SystemsLinux, Windows, macOS, FreeBSD, OpenBSD, iOS, Android, embedded systems, network devices (routers/switches/firewalls/IoT), game consoles, etc.
7.95 AdditionsiOS 15 & 16, macOS Ventura & Monterey, Linux 6.1, OpenBSD 7.1, lwIP 2.2, etc.
Online Versionhttps://svn.nmap.org/nmap/nmap-os-db

How It Works

Nmap sends a series of specially crafted TCP/UDP/ICMP probe packets to the target, then compares the target’s responses against the fingerprints in nmap-os-db. The matching is based on the following key characteristics:

  • TCP ISN Sequence (SEQ): Initial sequence number generation pattern (random increment, time-based, etc.)
  • TCP Option Support (OPS): Different operating systems support significantly different sets of TCP options
  • IP ID Sequence Generation (IPID): Incrementing, random, zero-value, and other patterns
  • TCP Timestamp Handling (TS): Whether timestamps are supported and their precision
  • Abnormal Flag Combination Response (ECN/T1-T7): Response behavior to abnormal TCP flag combinations
  • ICMP Response Characteristics (U1/IE): Response differences to ICMP probes

Fingerprint Format Example

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
Fingerprint Linux 2.6.17 - 2.6.24
Class Linux | Linux | 2.6.X | general purpose
SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)
OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)
WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)
ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)
T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=)
T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(DFI=N%T=3B-45%TG=40%CD=S)

Each fingerprint block begins with a Fingerprint line, followed by a Class line (OS classification) and a CPE line (Common Platform Enumeration identifier). The core test data includes SEQ (sequence analysis), OPS (TCP options), WIN (window size), ECN (Explicit Congestion Notification), T1-T7 (seven TCP probes), U1 (UDP probe), and IE (ICMP probe) test groups.

Service Version Detection Database: nmap-service-probes

nmap-service-probes is the core database for Nmap’s service and version detection, used with the -sV option. It contains a large number of custom probe requests and expected response matching rules that can identify the specific service program and version running on an open port.

AttributeDescription
File Namenmap-service-probes
Trigger Option-sV (version detection), -A (aggressive mode)
Signature Count12,089+ (1.4% growth in 7.95, 9 new softmatches)
Recognized Protocols1,246+ protocols
Data FormatContains Exclude, Probe, match, softmatch directives
Probe TypesNULL probe (banner grabbing), TCP probes, UDP probes, SSL probes, generic probes, etc.
7.95 New Protocolsgrpc, mysqlx, essnet, remotemouse, tuya, etc.
Online Versionhttps://svn.nmap.org/nmap/nmap-service-probes

How It Works

Nmap’s service version detection proceeds through multiple stages:

  1. NULL Probe: First sends an empty probe packet to attempt banner grabbing
  2. Port-Specific Probe: Sends protocol-specific probe packets based on the port number (e.g., HTTP requests to port 80)
  3. Regex Matching: Compares returned data against regex matching rules in nmap-service-probes
  4. Post-Processing: Applies RPC grinding, SSL tunnel detection, and other post-processing techniques
  5. Output: Finally outputs service name, version number, additional information, and CPE identifier

Supported Protocol Types

nmap-service-probes supports over 1,246 protocols. Here are some representative ones:

afp bitcoin caldav dhcp dns ftp grpc http imap ipp ldap mongodb mqtt mysql mysqlx nfs ntp pop3 postgresql rdp redis remotemouse rpc rsync sip smb smtp snmp ssh ssl telnet tuya vnc xmpp xml-rpc yiff zebra essnet

Probe and Match Format

The nmap-service-probes file structure includes the following key directives:

  • Exclude: Excludes specific ports to avoid unnecessary probing
  • Probe: Defines probe requests, including protocol type, probe string, and probe name
  • match: Defines matching rules using regular expressions to extract service name, version, and other information from responses
  • softmatch: Soft matching rules that provide partial match information

Known Ports List: nmap-services

nmap-services is a registry of port numbers to service names, with each line containing the service name, port number/protocol, and port frequency value. The file was originally based on the IANA-assigned port list but has been augmented over the years with many additional ports, including those commonly used by trojans, worms, and other malware.

AttributeDescription
File Namenmap-services
FunctionPort number ↔ service name mapping with port open frequency
Data FormatThree tab-separated columns: service_name port/protocol frequency
Data SourceIANA port registry + community contributions
Default ScanNmap scans the top 1,000 most frequent ports by default
Format CompatibleCompatible with /etc/services format

Example Content

1
2
3
4
5
ssh     22/tcp    0.182286    # Secure Shell Login
telnet  23/tcp    0.221265
smtp    25/tcp    0.131314    # Simple Mail Transfer
http    80/tcp    0.484143    # World Wide Web HTTP
https   443/tcp   0.323559    # Secure HTTP

The port frequency value reflects the probability of that port being open on the internet. Nmap scans the top 1,000 most frequent ports by default to balance scan speed and coverage.

Auxiliary Fingerprint Databases

In addition to the three core databases above, Nmap relies on four auxiliary fingerprint databases for specific identification scenarios.

SunRPC Program Number Mapping: nmap-rpc

nmap-rpc maps SunRPC program numbers to their corresponding program names, used exclusively for the RPC Grinding feature in Nmap’s version detection. The format is identical to the Unix system’s /etc/rpc file.

RPC Program NameProgram NumberDescription
rpcbind100000Portmapper / RPC binding service
rstatd100001Remote status monitoring
rusersd100002Remote user list
nfs100003Network File System
ypserv100004NIS (Yellow Pages) service
mountd100005NFS mount daemon
rpc.operd100080Sun Online-Backup

MAC Address Vendor Prefixes: nmap-mac-prefixes

nmap-mac-prefixes maps the OUI (first 3 bytes) of a MAC address to the device manufacturer name. When the target host is on a local Ethernet network, Nmap can read the MAC address from the packet header and query this table to roughly identify the device type.

AttributeDescription
File Namenmap-mac-prefixes
Data FormatTwo columns: 6-digit hex OUI vendor_name
Data SourceIEEE OUI registry
Record CountOver 30,000 OUI records
Update FrequencyUpdated with Nmap releases, reflecting latest IEEE OUI assignments

Example content:

1
2
3
4
006017 Tokimec
006018 Stellar ONE
00601D Lucent Technologies
00601E Softlab

IP Protocol Number List: nmap-protocols

nmap-protocols maps the 1-byte protocol number in the IP header to the protocol name, used for IP protocol scanning (-sO). This file defines fewer than 140 protocols, with data sourced from IANA.

Protocol NumberProtocol NameDescription
0hopoptIPv6 Hop-by-Hop Option
1icmpInternet Control Message Protocol
2igmpInternet Group Management
6tcpTransmission Control Protocol
17udpUser Datagram Protocol
47greGeneric Routing Encapsulation
50espEncapsulating Security Payload
89ospfOpen Shortest Path First
132sctpStream Control Transmission Protocol

NSE Scripting Engine and Script Database

The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful extensibility features, with over 600 Lua scripts organized into 14 functional categories. These scripts effectively form Nmap’s “advanced fingerprinting” capability, covering vulnerability detection, brute-forcing, service enumeration, information gathering, and more.

File/DirectoryDescription
scripts/*.nseNSE Lua script files, 600+ total
scripts/script.dbScript category cache file (plain text), generated by --script-updatedb
nselib/*.luaNSE extension library modules, e.g., shortport.lua, stdnse.lua, http.lua

Complete NSE Script Category List

CategoryNameDescriptionRisk Level
authAuthenticationHandles authentication credentials, bypass detectionMedium
broadcastBroadcastLAN broadcast discovery for DHCP/DNS/SQLServer servicesLow
bruteBrute ForceBrute-force attacks on HTTP/SNMP/SSH/FTP and other common servicesHigh
defaultDefaultScripts executed by default with -sC or -ALow
discoveryDiscoveryNetwork information gathering: SMB enumeration, SNMP queries, directory enumerationMedium
dosDenial of ServiceDenial of Service attack testing scriptsVery High
exploitExploitActive exploitation of known security vulnerabilitiesVery High
externalExternal ServiceScripts that depend on third-party external servicesMedium
fuzzerFuzzingSends random/malformed data to discover vulnerabilitiesHigh
intrusiveIntrusiveHigh-risk scripts that may crash the target or corrupt dataHigh
malwareMalwareDetects if the target is infected with malware or has backdoorsMedium
safeSafeLow-risk scripts that do not affect the targetLow
versionVersionEnhanced service/version detection (works with -sV)Low
vulnVulnerabilityDetects known vulnerabilities (e.g., CVE-related)Medium-High
Script NameCategoryFunction
http-enumdiscovery, intrusive, vulnEnumerates web application directories using Nikto-like fingerprint files
bannersafe, discoveryGrabs service banner information
smb-os-discoverydefault, safe, discoveryIdentifies Windows OS version via SMB protocol
ssh-hostkeydefault, safeRetrieves SSH host key fingerprints
ssl-certdefault, safe, discoveryRetrieves SSL/TLS certificate information
http-headersdiscovery, safeRetrieves HTTP response header information
http-titledefault, safe, discoveryRetrieves web page title
ftp-anondefault, safe, authDetects FTP anonymous login
vulnersvuln, safe, externalDetects known vulnerabilities via vulners.com
http-waf-detectdiscovery, intrusiveDetects Web Application Firewalls (WAF)
mysql-infodefault, safe, discoveryRetrieves MySQL server information
redis-infodiscovery, safeRetrieves Redis server information
smtp-commandsdiscovery, safeEnumerates SMTP supported commands

New ICS Scripts in 7.95

Nmap 7.95 introduced 4 new NSE scripts from the DINA community, specifically designed for querying industrial control systems:

Script NameFunction
hartip-infoReads Highway Addressable Remote Transducer device information via HART-IP protocol
iec61850-mmsQueries IEC 61850 devices using Manufacturing Message Specification requests
multicast-profinet-discoverySends PROFINET DCP Identify All multicast messages and prints responses
profinet-cm-lookupQueries DCERPC endpoint mapper exposed via PNIO-CM service

Fingerprint Database Version Evolution

Nmap’s fingerprint databases evolve continuously, with each major release incorporating substantial amounts of new fingerprint data. The following table summarizes recent major version updates:

VersionRelease DateFingerprint-Related Updates
Nmap 7.992026-03-26Integrated numerous latest IPv4 and IPv6 OS fingerprints and dozens of updated service fingerprints. Upgraded OpenSSL 3.0.19, libpcap 1.10.6, libpcre2 10.47, liblinear 2.50, zlib 1.3.2. Npcap upgraded to 1.87.
Nmap 7.982025-08-21Security fix (CVE-2025-43715). Upgraded OpenSSL 3.0.17, Lua 5.4.8. Npcap upgraded to 1.83.
Nmap 7.972025-05-12Bug-fix only (Zenmap non-Latin charset crash fix, parallel forward DNS resolver fix, false positive detection fix). No fingerprint integration.
Nmap 7.962025-05-01Complete DNS resolver rewrite with parallel forward DNS lookup support. Introduced dark mode.
Nmap 7.952024-04-23Major fingerprint update: Processed 6,500+ community-submitted fingerprints. OS fingerprints grew by 336 to 6,036. Service signatures grew 1.4% to 12,089. Recognized protocols increased to 1,246. Added 4 ICS-related NSE scripts.
Nmap 7.942023-05-19Continued integration of community-submitted OS and service fingerprints. Upgraded NPSL to v0.95.

File Paths and Customization

Default Installation Paths

Installation MethodData File Path
Source compilation/usr/local/share/nmap/
Linux RPM package/usr/share/nmap/
Kali Linux/usr/share/nmap/
WindowsC:\Program Files (x86)\Nmap\
macOS (Homebrew)/usr/local/share/nmap/ or /opt/homebrew/share/nmap/

Custom Data Files

Advanced users can use custom data files with the following options:

  • --datadir <directory>: Specify a custom data file directory
  • --servicedb <file>: Specify a custom nmap-services file
  • --versiondb <file>: Specify a custom nmap-service-probes file

Note: It is strongly recommended to upgrade to the latest Nmap version rather than replacing data files individually. Mixing old and new versions can lead to confusion in the fingerprint submission process and compatibility is not guaranteed.

Submitting Fingerprint Contributions

When Nmap cannot identify an operating system or service, it automatically generates a fingerprint and displays a submission URL. Users can contribute in the following ways:

  • OS Fingerprints: Submit following the Nmap official documentation guidelines
  • Service Fingerprints: Refer to the service detection community contribution guide
  • Submission Email: [email protected]

The greatest strength of Nmap’s fingerprint databases lies in their active community contribution mechanism — every unrecognized fingerprint can be fed back to the development team through Nmap’s built-in submission functionality, enabling the database to continuously cover the latest operating systems, devices, and services. Nmap 7.95 integrated over 6,500 community-submitted fingerprints in a single release, fully demonstrating the vitality of this ecosystem.

Summary

Nmap’s seven fingerprint databases form a layered, collaborative identification system. From the low-level OS fingerprint database (nmap-os-db) to the application-layer service version detection (nmap-service-probes), from port mapping (nmap-services) to MAC vendor identification (nmap-mac-prefixes), and further to RPC program numbers (nmap-rpc), IP protocol numbers (nmap-protocols), and NSE script extensions — each database plays an irreplaceable role in Nmap’s identification pipeline.

Understanding the structure and working principles of these databases not only helps you use Nmap more effectively for network scanning and security auditing but also enables you to customize fingerprint rules when needed and contribute new fingerprint data to the community. As network technology continues to evolve, Nmap’s fingerprint databases keep pace, making it essential for every cybersecurity professional to stay informed about these databases.