Nmap 5.00 Released

July 16, 2009 -- Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 5.00 from https://nmap.org/. This is the first stable release since 4.76 (last September), and the first major release since the 4.50 release in 2007. Dozens of development releases led up to this.

Considering all the changes, we consider this the most important Nmap release since 1997, and we recommend that all current users upgrade.

About Nmap

Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), and a utility for comparing scan results (Ndiff).

Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in eight movies, including The Matrix Reloaded, Die Hard 4, and The Bourne Ultimatum.

As free software, we don't have any sort of advertising budget. So please spread the word that Nmap 5.00 is now available!

Top 5 Improvements in Nmap 5

Before we go into the detailed changes, here are the top 5 improvements in Nmap 5:

  1. The new Ncat tool aims to be your Swiss Army Knife for data transfer, redirection, and debugging. We released a whole users' guide detailing security testing and network administration tasks made easy with Ncat.

  2. The addition of the Ndiff scan comparison tool completes Nmap's growth into a whole suite of applications which work together to serve network administrators and security practitioners. Ndiff makes it easy to automatically scan your network daily and report on any changes (systems coming up or going down or changes to the software services they are running). The other two tools now packaged with Nmap itself are Ncat and the much improved Zenmap GUI and results viewer.

  3. Nmap performance has improved dramatically. We spent last summer scanning much of the Internet and merging that data with internal enterprise scan logs to determine the most commonly open ports. This allows Nmap to scan fewer ports by default while finding more open ports. We also added a fixed-rate scan engine so you can bypass Nmap's congestion control algorithms and scan at exactly the rate (packets per second) you specify.

  4. We released Nmap Network Scanning, the official Nmap guide to network discovery and security scanning. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book suits all levels of security and networking professionals. A 42-page reference guide documents every Nmap feature and option, while the rest of the book demonstrates how to apply those features to quickly solve real-world tasks. More than half the book is available in the free online edition.
  5. The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. All existing scripts have been improved, and 32 new ones added. New scripts include a whole bunch of MSRPC/NetBIOS attacks, queries, and vulnerability probes; open proxy detection; whois and AS number lookup queries; brute force attack scripts against the SNMP and POP3 protocols; and many more. All NSE scripts and modules are described in the new NSE documentation portal.

News articles and reviews

Please mail Fyodor if you see (or write) reviews/articles on the Nmap 5.00 release. Here are the ones seen so far: Reasonably detailed (or with many comments) English articles:

Brief mentions: Wireshark.Org, Securiteam, Dark Reading, Linux Today, CGISecurity.Com, Security4All, Help Net Security, Red Gecko, Peter Van Eeckhoutte, Security Database, Owl Linux, Priveon Labs

Non-English articles:
Arabic: Linux AC, iSecur1ty.org
Czech: ABC Linuxu, Root.cz
Chinese: Solidot, Netsecurity.51cto.com
Dutch: Tweakers.net, Security.nl
French: Silicon.fr, LinuxFR.org
German: Golem.de, Heise online, Pro-Linux.de, PC Welt, Menzer.net, Secorvo Security News (PDF)
Russian: OpenNet.ru, Xakep.ru, Linux.org.ru
Spanish: Viva Linux, Barrapunto, menéame, Linux Maya, Iniqua, A por Linux, Portal Chileno de Seguridad Informatica
Others: Version 2 (Danish), hup.hu (Hungarian), BR-Linux.Org (Portuguese), IDG.se (Swedish)

Journalists (anyone writing about the Nmap release) are welcome to use any of the text or screen shots on this page.

Example run and screen shots

Nmap 5.00 provides a wealth of information about remote systems, as shown in this sample scan:

# nmap -A -T4 scanme.nmap.org 207.68.200.30

Starting Nmap 5.00 ( https://nmap.org ) at 2009-07-13 16:22 PDT
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 994 filtered ports
PORT      STATE  SERVICE VERSION
22/tcp    open   ssh     OpenSSH 4.3 (protocol 2.0)
|  ssh-hostkey: 1024 03:5f:d3:9d:95:74:8a:d0:8d:70:17:9a:bf:93:84:13 (DSA)
|_ 2048 fa:af:76:4c:b0:f4:4b:83:a4:6e:70:9f:a1:ec:51:0c (RSA)
53/tcp    open   domain  ISC BIND 9.3.4
70/tcp    closed gopher
80/tcp    open   http    Apache httpd 2.2.2 ((Fedora))
|_ html-title: Go ahead and ScanMe!
113/tcp   closed auth
31337/tcp closed Elite
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.20-1 (Fedora Core 5)

Interesting ports on 207.68.200.30:
Not shown: 991 filtered ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.0.6001
88/tcp    open  kerberos-sec Microsoft Windows kerberos-sec
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds Microsoft Windows 2003 microsoft-ds
464/tcp   open  kpasswd5?
49158/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49175/tcp open  msrpc        Microsoft Windows RPC
Running: Microsoft Windows 2008|Vista

Host script results:
|  smb-os-discovery: Windows Server (R) 2008 Enterprise 6001 Service Pack 1
|  LAN Manager: Windows Server (R) 2008 Enterprise 6.0
|  Name: MSAPPLELAB\APPLELAB2K8
|_ System time: 2009-07-13 16:17:07 UTC-7
|  nbstat: NetBIOS name: APPLELAB2K8, NetBIOS user: , NetBIOS MAC: 00:1a:a0:9a:a3:96
|  Name: APPLELAB2K8<00>      Flags: 
|_ Name: MSAPPLELAB<00>       Flags: 

TRACEROUTE (using port 135/tcp)
HOP RTT    ADDRESS
[Cut first 8 lines for brevity]
9   36.88  ge-10-0.hsa1.Seattle1.Level3.net (4.68.105.6)
10  36.61  unknown.Level3.net (209.245.176.2)
11  41.21  207.68.200.30

Nmap done: 2 IP addresses (2 hosts up) scanned in 120.26 seconds
# (Note: some output was modified to fit results on screen)

Here are some Nmap and Zenmap 5.00 screen shots (click thumbnails for full resolution):


Classic command-line Nmap

Zenmap's new network topology graphing mode

Zenmap showing all discovered HTTP services

Zenmap displaying Nmap output


Change details

The Nmap Changelog describes nearly 600 significant improvements since our last major release (4.50). Here are the highlights:

Nmap Scripting Engine (NSE)

The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. It existed in Nmap 4.50, but has been dramatically improved:

Zenmap graphical front-end and results viewer

Zenmap is a cross-platform (Linux, Windows, Mac OS X, etc.) Nmap GUI and results viewer which supports all Nmap options. It aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database. While Zenmap already existed in Nmap 4.50, it has improved dramatically since then:

Ncat data transfer, redirection, and debugging tool

  .       .       
  \`-"'"-'/       
   } 6 6 {        
  ==. Y ,==       
    /^^^\  .      
   /     \  )     
  (  )-(  )/     _
  -""---""---   / 
 /   Ncat    \_/  
(     ____        
 \_.=|____E       

Nmap 5 introduces Ncat, a general-purpose command-line tool for reading, writing, redirecting, and encrypting data across a network. It aims to be your network Swiss Army knife, handling a wide variety of security testing and administration tasks. Ncat is suitable for interactive use or as a network-connected back end for other tools. Ncat can:

These capabilities become even more powerful and versatile when combined.

Ncat is our modern reinvention of the venerable Netcat (nc) tool released by Hobbit in 1996. While Ncat is similar to Netcat in spirit, they don't share any source code. Instead, Ncat makes use of Nmap's well optimized and tested networking libraries. Compatibility with the original Netcat and some well known variants is maintained where it doesn't conflict with Ncat's enhancements or cause usability problems. Ncat adds many capabilities not found in Hobbit's original nc, including SSL support, proxy connections, IPv6, and connection brokering. The original nc contained a simple port scanner, but we omitted that from Ncat because we have a preferred tool for that function.

Ncat is extensively documented in its Users' Guide, man page, and home page.

Host discovery and port scanning performance and features

Nmap has been doing host discovery and port scanning since its release in '97, but we continue to improve this core functionality. We've added many new features and dramatically improved performance! Here are the biggest enhancements since 4.50:

Fyodor's Nmap book

Fyodor released Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book suits all levels of security and networking professionals. A 42-page reference guide documents every Nmap feature and option, while the rest of the book demonstrates how to apply those features to quickly solve real-world tasks. It was briefly the #1 selling computer book on Amazon. More than half of the book is already free online.

A German translation is available from Open Source Press; Korean and Brazilian Portuguese translations are forthcoming.

Operating system detection

Thanks to fingerprint submissions from thousands of Nmap users around the world, the 2nd generation OS detection database has nearly doubled in size since 4.50 to 2,003 entries. These include the latest versions of Windows, Linux, and Mac OS X as well as more specialized entries such as oscilloscopes, ATM machines, employee timeclocks, DVRs, game consoles, and much more. Keep those submissions coming!

In addition to doubling the database size, we enhanced the OS detection engine and its tests to improve accuracy. For example, we added a new SEQ.CI test (IP ID sequence generation from closed TCP port) and removed the U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI tests.

Version detection

Nmap's version detection system interrogates open ports to determine what service (e.g. http, smtp) is running and often the exact application name and version number. The version detection database grew by nearly a thousand signatures. It grew from 4,558 signatures representing 449 protocols in Nmap 4.50 to 5,512 signatures for 511 protocols in 5.00. You can read about Doug's signature creation adventures here, here, and here. The service protocols with the most signatures are http (1,868), telnet (584), ftp (506), smtp (363), pop3 (209), http-proxy (136), ssh (123), imap (122), and irc (48). Among the protocols with just one signature are netrek, gopher-proxy, ncat-chat, and metasploit.

Ndiff scan comparison tool

The new Ndiff utility compares the results of two Nmap scans and describes the new/removed hosts, newly open/closed ports, changed operating systems, or application versions, etc. This makes it trivial to scan your networks on a regular basis and create a report (XML or text format) on all the changes. See the Ndiff man page and home page for more information. Ndiff is included in our binary packages and built by default, though you can prevent it from being built by specifying the --without-ndiff configure flag.

Here are excerpts from an Ndiff comparison between two scans for the Facebook network:

> ndiff -v facebook-vscan-1237136401.xml facebook-vscan-1237395601.xml
-Nmap 4.85BETA3 at 2009-03-15 10:00
+Nmap 4.85BETA4 at 2009-03-18 10:00

+arborvip.tfbnw.net (69.63.179.23):
+Host is up.
+Not shown: 100 filtered ports

 www2.02.07.facebook.com (69.63.180.12):
 Host is up.
 Not shown: 98 filtered ports
 PORT    STATE SERVICE  VERSION
-80/tcp  open  http     Apache httpd 1.3.41.fb2
+80/tcp  open  http     Apache httpd 1.3.41.fb1
 443/tcp open  ssl/http Apache httpd 1.3.41.fb2

And here is a trivial cron script demonstrating how easy it is to scan a network daily and mail yourself the changes (and full results in this case):

#!/bin/sh
date=`date "+%s"`
cd /hack/facebook/scripts/
nmap -T4 -F -sV -O --osscan-limit --osscanguess -oA facebook-${date} [netblocks] > /dev/null
ndiff facebook-old.xml facebook-${date}.xml > facebook-diff-${date}
cp facebook-${date}.xml facebook-old.xml
echo "\n********** NDIFF RESULTS **********\n"
cat facebook-vscan-diff-${date}
echo "\n********** SCAN RESULTS **********\n"
cat facebook-vscan-${date}.nmap

You could do a similar thing using Windows' scheduled tasks.

IronGeek has created an Ndiff 5 introductory video demonstrating command-line Ndiff plus its use within Zenmap.

Documentation and web site improvements

While Nmap Network Scanning may be the most exciting documentation news for this release, we did make many other important web site and documentation changes:

Portability enhancements

Nmap's dramatic improvements are of little value if it doesn't run on your system. Fortunately, portability has always been a high priority. Nmap 5.00 runs on all major operating systems, plus the Amiga. Portability improvements in this release include:

Even more improvements

These are just highlights from the full list of changes you can find in our CHANGELOG.

Moving Forward

With this stable version out of the way, we are diving headfirst into the next development cycle. Many exciting features are in the queue, including:

You can read more of our short-term and longer-term plans from our public TODO list.

For the latest Insecure.Org and Nmap announcements, join the 68,000-member Nmap-hackers announcement list. Traffic rarely exceeds one message per month. subscribe here or read the archives at SecLists.Org. To participate in Nmap development, join the (high traffic) nmap-dev list. You can also follow us on Twitter.

Acknowledgments

A free open source scanner as powerful as Nmap is only possible thanks to the help of hundreds of developers and other contributors. We would like to acknowledge and thank the many people who contributed ideas and/or code since Nmap 4.50. Special thanks go out to:

4N9e Gutek, Aaron Leininger, Adriano Monteiro Marques, Allison Randal, Andrew J. Bennieston, Andy Lutomirski, Angico, Arturo Buanzo, Arturo Buanzo Busleiman, Benson Kalahar, Bill Pollock, Brandon Enright, Brian Hatch, Busleiman, Chad Loder, Chris Clements, Chris Gibson, Chris Leick,, Daniel Roethlisberger, David Fifield, David Moore, Diman Todorov, Diman Todorov,, Dinu Gherman, Doug Hoyte, Dragos Ruiu, Dudi Itzhakov, Eddie Bell, Emma Jane Hogbin, Fabio Pedretti, Felix Leder, Gisle Vanem, Gisle Vanem,, Guilherme Polo, Guz Alexander, HD Moore, Henri Doreau, Henri Doreau,, Henry Gebhardt, Ithilgore, Jabra, Jah, James Messer, Jason DePriest, Jeff Nathan, Jesse Burns, Joao Correa, Joao Medeiros, Josh Marlow, Jurand Nogiec, Kris Katterjohn, Lamont Jones, Lance Spitzner, Leslie Hawthorn, Lionel Cons, Marius Sturm, Martin Macok, Matt Selsky, Max Schubert, Michael Pattrick, Michal Januszewski, Mike Frysinger, Mixter, Nathan Bills, Patrick Donnelly, Philip Pickering, Pieter Bowman, Rainer Müller, Raven Alder, Robert Mead, Rob Nicholls, Ron Bowes, Sebastián García, Simple Nomad, Solar Designer, Stephan Fijneman, Steve Christensen, Sven Klemm, Tedi Heriyanto, Thomas Buchanan, Thorsten Holz, Tillmann Werner, Tim Adam, Tom Duffy, Tom Sellers, Trevor Bain, Tyler Reguly, Valerie Aurora, van Hauser, Venkat Sanaka, Vlad Alexa, Vladimir Mitrovic, Vlatko Kosturjak, Will Cladek, William McVey, Zhao Lei

We would also like to thank the thousands of people who have submitted OS and service/version fingerprints, as well as everyone who has found and reported bugs or suggested features.

Download and Updates

Nmap is available for download from https://nmap.org/download.html in source and binary form. Nmap is free, open source software (license).

To learn about Nmap announcements as they happen, subscribe to nmap-hackers! It is a very low volume (7 messages in 2008), moderated list for announcements about Nmap, Insecure.org, and related projects. You can join the 65,000 current subscribers by submitting your e-mail address here:


(or subscribe with custom options from the Nmap-hackers list info page.

Nmap-hackers is archived at Seclists.org and has an RSS feed. You can also follow the Nmap Twitter feed.

Brandon Enright and UCSD have generously mirrored the Nmap binaries to handle the deluge of traffic expected as users download this release.

Direct questions or comments to Fyodor ([email protected]) . Report any bugs as described here.