Nmap 6 Released
May 21, 2012—The Nmap Project is pleased to announce the immediate, free availability of the Nmap Security Scanner version 6.00 from https://nmap.org/. It is the product of almost three years of work, 3,924 code commits, and more than a dozen point releases since the big Nmap 5 release in July 2009. Nmap 6 includes a more powerful Nmap Scripting Engine, 289 new scripts, better web scanning, full IPv6 support, the Nping packet prober, faster scans, and much more! We recommend that all current users upgrade.
Contents:
- About Nmap
- Top 6 Improvements in Nmap 6
- Press
- Screen Shots
- Detailed Improvements
- Moving Forward (Future Plans)
- Acknowledgments
- Download and updates
About Nmap
Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for network inventory, managing service upgrade schedules, monitoring host or service uptime, and many other tasks. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in a dozen movies, including The Matrix Reloaded, The Bourne Ultimatum, Girl with the Dragon Tattoo, and Die Hard 4. Nmap was released to the public in 1997 and has earned the trust of millions of users.
As free software, we don't have any sort of advertising budget. So please spread the word that Nmap 6 is now available!
Top 6 Improvements in Nmap 6
Before we go into the detailed changes, here are the top 6 improvements in Nmap 6:
- 1. NSE Enhanced
The Nmap Scripting Engine (NSE) has exploded in popularity and capabilities. This modular system allows users to automate a wide variety of networking tasks, from querying network applications for configuration information to vulnerability detection and advanced host discovery. The script count has grown from 59 in Nmap 5 to 348 in Nmap 6, and all of them are documented and categorized in our NSE Documentation Portal. The underlying NSE infrastructure has improved dramatically as well. [More details]
- 2. Better Web Scanning
As the Internet has grown more web-centric, Nmap has developed web scanning capabilities to keep pace. When Nmap was first released in 1997, most of the network services offered by a server listened on individual TCP or UDP ports and could be found with a simple port scan. Now, applications are just as commonly accessed via URL path instead, all sharing a web server listening on a single port. Nmap now includes many techniques for enumerating those applications, as well as performing a wide variety of other HTTP tasks, from web site spidering to brute force authentication cracking. Technologies such as SSL encryption, HTTP pipelining, and caching mechanisms are well supported. [More details]
- 3. Full IPv6 Support
Given the exhaustion of available IPv4 addresses, the Internet community is trying to move to IPv6. Nmap has been a leader in the transition, offering basic IPv6 support since 2002. But basic support isn't enough, so we spent many months ensuring that Nmap version 6 contains full support for IP version 6. And we released it just in time for the World IPv6 Launch.
We've created a new IPv6 OS detection system, advanced host discovery, raw-packet IPv6 port scanning, and many NSE scripts for IPv6-related protocols. It's easy to use too—just specify the -6 argument along with IPv6 target IP addresses or DNS records. In addition, all of our web sites are now accessible via IPv6. For example, Nmap.org can be found at 2600:3c01::f03c:91ff:fe96:967c. [More details]
- 4. New Nping Tool
The newest member of the Nmap suite of networking and security tools is Nping, an open source tool for network packet generation, response analysis and response time measurement. Nping can generate network packets for a wide range of protocols, allowing full control over protocol headers. While Nping can be used as a simple ping utility to detect active hosts, it can also be used as a raw packet generator for network stack stress testing, ARP poisoning, Denial of Service attacks, route tracing, etc. Nping's novel echo mode lets users see how packets change in transit between the source and destination hosts. That's a great way to understand firewall rules, detect packet corruption, and more. [More details]
- 5. Better Zenmap GUI & results viewer
While Nmap started out as a command-line tool and many (possibly most) users still use it that way, we've also developed an enhanced GUI and results viewer named Zenmap. One addition since Nmap 5 is a “filter hosts” feature which allows you to see only the hosts which match your criteria (e.g. Linux boxes, hosts running Apache, etc.) We've also localized the GUI to support five languages besides English. A new script selection interface helps you find and execute Nmap NSE scripts. It even tells you what arguments each script supports. [More details]
- 6. Faster scans
In Nmap's 15-year history, performance has always been a top priority. Whether scanning one target or a million, users want scans to run as fast as possible without sacrificing accuracy. Since Nmap 5 we've rewritten the traceroute system for higher performance and increased the allowed parallelism of the Nmap Scripting Engine and version detection subsystems. We also performed an intense memory audit which reduced peak consumption during our benchmark scan by 90%. We made many improvements to Zenmap data structures and algorithms as well so that it can now handle large enterprise scans with ease. [More details]
Press
Please mail Fyodor if you see (or write) reviews/articles on the Nmap 6 release. Here are the ones seen so far:
Reasonably detailed (or with many comments) English articles:
- Reddit: Nmap 6 released!
- Hacker News: Nmap 6 released after three years of work
- Slashdot: Nmap 6 Released Featuring Improved Scripting, Full IPv6 Support
- Network World: New Nmap Probes IPv6 Networks
- The H Open Source (Heise Online): Nmap now fully ready for IPv6
- The Register: NMap 6.0 arrives: Fyodor’s finest since 2009
- Linux ForYou: What’s New in Nmap 6
- Internet Society: New Nmap Version 6 Provides Full IPv6 Support, Useful IPv6 Tools
- Unixmem: Nmap reaches version 6
- SecurityWeek: Nmap 6 Now Available With Enhancements, New Functions
Brief English mentions: SANS Internet Storm Center (ISC), Help Net Security, Linux Weekly News (LWN), Ethical Hacker Network, HD Moore, Darknet
Permission is granted for journalists (or anyone writing about this Nmap release) to use any of the text or screen shots on this page. For quotes, you can email Fyodor at [email protected]. Leave your phone number if you want a callback.
Screen Shots
Nmap 6 provides a wealth of information about remote systems, as shown in this sample scan against a machine we maintain for scan testing purposes (scanme.nmap.org):
Here is an example using Zenmap against a couple of production web servers (Nmap.org and Reddit):
Perhaps the most visually appealing aspect of Zenmap is its network topology mapper. Here it is being used to interactively explore the routes between a source machine and more than a dozen popular web sites:
Detailed Improvements
The Nmap Changelog describes more than 600 significant improvements since our last major release (5.00 in July 2009). Here are the highlights:
Nmap Scripting Engine (NSE)
The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs. NSE was just beginning to take off with Nmap 5, and represents perhaps our proudest accomplishment in Nmap 6:
Script count has nearly sextupled from 59 to 348 scripts! The full list is too long to include here, but you can find them all at the NSE Documentation Portal.
Information gathering is one of Nmap's prime features, so we added 44 new protocol information query scripts:
acarsd-info, address-info, amqp-info, backorifice-info, bitcoin-info, bitcoinrpc-info, broadcast-upnp-info, db2-das-info, drda-info, eap-info, epmd-info, ganglia-info, giop-info, hadoop-datanode-info, hadoop-jobtracker-info, hadoop-namenode-info, hadoop-secondary-namenode-info, hadoop-tasktracker-info, hbase-master-info, hbase-region-info, hddtemp-info, http-qnap-nas-info, ipv6-node-info, iscsi-info, maxdb-info, membase-http-info, memcached-info, mongodb-info, nat-pmp-info, ndmp-fs-info, netbus-info, ntp-info, openlookup-info, quake3-info, redis-info, riak-http-info, rpcap-info, socks-auth-info, stun-info, versant-info, vnc-info, voldemort-info, vuze-dht-info, xmpp-info
Some of our favorite new scripts don't send any traffic at all—they just interpret and present information discovered by other scripts or Nmap itself. These include:
- address-info shows extra information about IPv6 addresses, such as embedded MAC or IPv4 addresses when available.
- creds-summary lists all discovered credentials (e.g. from brute force and default password checking scripts) at end of scan.
- duplicates attempts to discover multihomed or IP aliased systems by analyzing and comparing information collected by other scripts (SSL certificates, SSH host keys, MAC addresses, and NetBIOS server names).
- reverse-index creates a reverse index at the end of scan output showing which hosts run a particular service.
- unusual-port compares the detected service on a port against the expected service for that port number (e.g. ssh on 22, http on 80) and reports deviations.
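The address-info script above reads information out of an IPv6 address without sending a packet. The following added example (not the NSE script itself, and not Nmap project code) does the same job with Python's standard library: it recovers a MAC address from a modified EUI-64 interface identifier and pulls the embedded IPv4 address out of IPv4-mapped, 6to4, Teredo and ISATAP addresses. The Nmap.org address is the one quoted on this page; the other sample addresses are constructed from documentation ranges.

```python
"""Extract information embedded in IPv6 addresses (added example, not Nmap's
address-info script). Sample addresses other than Nmap.org's are constructed."""
import ipaddress


def mac_from_eui64(addr):
    """Return 'xx:xx:xx:xx:xx:xx' when the interface ID is a modified EUI-64
    (bytes 3-4 of the ID are ff:fe), else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[0:3] + iid[5:8])
    mac[0] ^= 0x02  # undo the universal/local bit flip applied by modified EUI-64
    return ":".join(f"{x:02x}" for x in mac)


def embedded_ipv4(addr):
    """Return (kind, ipv4_string) for addresses that carry an IPv4 address,
    or None when none of the known encodings applies."""
    a = ipaddress.IPv6Address(addr)
    if a.ipv4_mapped:                      # ::ffff:a.b.c.d
        return ("ipv4-mapped", str(a.ipv4_mapped))
    if a.sixtofour:                        # 2002:AABB:CCDD::/48
        return ("6to4", str(a.sixtofour))
    if a.teredo:                           # 2001:0::/32, client address is XORed
        _server, client = a.teredo
        return ("teredo", str(client))
    b = a.packed
    # ISATAP: interface ID 0000:5efe:<ipv4> (or 0200:5efe for globally unique IDs)
    if b[8:10] in (b"\x00\x00", b"\x02\x00") and b[10:12] == b"\x5e\xfe":
        return ("isatap", str(ipaddress.IPv4Address(b[12:16])))
    return None


def address_info(addr):
    """Collect everything the helpers above can recover, keyed by finding type."""
    info = {}
    mac = mac_from_eui64(addr)
    if mac:
        info["mac"] = mac
    v4 = embedded_ipv4(addr)
    if v4:
        info[v4[0]] = v4[1]
    return info


if __name__ == "__main__":
    for sample in ("2600:3c01::f03c:91ff:fe96:967c",   # Nmap.org, from this page
                   "::ffff:192.0.2.1",                  # constructed, IPv4-mapped
                   "2002:c000:204::1",                  # constructed, 6to4
                   "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # constructed, Teredo
                   "fe80::5efe:192.0.2.9"):             # constructed, ISATAP
        print(sample, address_info(sample))
```

The MAC recovered from Nmap.org's address (f2:3c:91:96:96:7c) is what the EUI-64 rule yields; whether an address really came from a hardware MAC or from a privacy/random identifier cannot be told from the address alone, which is why the script reports it only as a hint.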
Nmap has two new NSE script scanning phases. The new pre-scan occurs before Nmap starts scanning. Some of the initial pre-scan scripts use techniques like broadcast DNS service discovery or DNS zone transfers to enumerate hosts which can optionally be treated as targets. The other phase (post scan) runs after all of Nmap's scanning is complete. These can do things like print summaries of all the host-specific results or find correlations. For example, ssh-hostkey can now tell you at the end of the scan which IP addresses have duplicate SSH host keys (and thus may be different interfaces of the same machine) and reverse-index prints an index at the end of a scan showing which hosts have individual services (such as telnet or http) available.
Created a new target library which allows scripts to add newly discovered targets to Nmap's scanning queue. This allows Nmap to support a wide range of target acquisition techniques. 27 scripts can now use this feature:
bitcoin-getaddr, bittorrent-discovery, broadcast-db2-discover, broadcast-dropbox-listener, broadcast-ms-sql-discover, broadcast-ping, dns-brute, dns-srv-enum, dns-zone-transfer, hadoop-jobtracker-info, hadoop-namenode-info, hadoop-secondary-namenode-info, hbase-master-info, hbase-region-info, hostmap-bfk, iscsi-info, lltd-discovery, omp2-enum-targets, resolveall, snmp-interfaces, targets-asn, targets-ipv6-multicast-echo, targets-ipv6-multicast-invalid-dst, targets-ipv6-multicast-mld, targets-ipv6-multicast-slaac, targets-sniffer, targets-traceroute
We created a high speed authentication credential checking library for our protocol brute force password auditing scripts. We then added 48 new “brute” scripts, for a total of 53 (full list). Supported protocols range from extremely popular ones such as HTTP, FTP, MySQL, telnet, socks, and pop3 to more obscure ones such as VMauthd, RPcap, Redis, and iSCSI. We even support brute force cracking of other security scanning and exploitation tools, including Metasploit XML-RPC, Nessus, Nessus XML-RPC, Nexpose, and OpenVAS OTP.
Since brute force scripts are most effective with a quality password list, we created a top 5000 password database by cracking 635,546 passwords from the Gawker compromise and combining those results with many other leaks such as RockYou, PHPBB, MySpace, etc.
We added a credentials storage library. This makes it easy for credentials passed in by the user or discovered by brute force scripts to then be used for deeper interrogation, and also allows for consistent reporting of discovered credentials.
We discovered a major directory traversal vulnerability in Apple AFP protocol and released a script for detecting and exploiting the problem.
Added and then removed a mac-geolocation script which relied on a Google database to determine strikingly accurate GPS coordinates for anyone's wireless access point based on their MAC address. It was very powerful and arguably a little creepy. Google must have decided that the capability was too powerful as they discontinued the service before our script was even two months old.
Added a new script force feature. You can force scripts to run against target ports (even if the “wrong” service is detected) by placing a plus (+) in front of the script name passed to --script.
Added a new --script-args-file option which allows you to specify the name of a file containing all of your desired NSE script arguments. The arguments may be separated with commas or newlines and may be overridden by arguments specified on the command-line with --script-args.
Added a host-based registry which only persists (for the given host) until all scripts have finished scanning that host. The normal registry saves information until it is deleted or the Nmap scan ends. That is a waste of memory for information which doesn't need to persist that long. Use the host based registry instead if you can.
Replaced our runlevel system for managing the order of script execution with a much more powerful dependency system. This allows scripts to specify which other scripts they depend on (e.g. a brute force authentication script might depend on username enumeration scripts) and NSE manages the order. Dependencies only enforce ordering, they cannot pull in scripts which the user didn't specify.
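The ordering rule in the paragraph above has two parts: a script runs after the scripts it depends on, and a dependency never adds a script the user did not select. This added example (not NSE's scheduler, and the dependency table is constructed for illustration rather than copied from any real script) implements exactly that rule with a topological sort and rejects cycles.

```python
"""Order selected NSE scripts by declared dependencies (added example; the
dependency declarations below are constructed, not taken from Nmap's scripts)."""
from collections import deque

# Constructed table: script -> scripts that must finish before it runs.
DEPENDENCIES = {
    "http-userdir-enum": [],
    "http-brute": ["http-userdir-enum"],     # brute after user enumeration
    "ftp-anon": [],
    "ftp-brute": ["ftp-anon"],
    "ssh-brute": [],
    "creds-summary": ["http-brute", "ftp-brute", "ssh-brute"],
    "reverse-index": [],
}


def order_scripts(selected, deps=DEPENDENCIES):
    """Return the selected scripts in an order that satisfies their dependencies.

    Dependencies on scripts outside `selected` are ignored: they constrain
    ordering only and cannot pull an unselected script into the run.
    Raises ValueError if the selected scripts form a dependency cycle.
    """
    chosen = set(selected)
    indegree = {s: 0 for s in chosen}
    dependents = {s: [] for s in chosen}
    for s in chosen:
        for d in deps.get(s, []):
            if d in chosen:               # edges to unselected scripts are dropped
                indegree[s] += 1
                dependents[d].append(s)

    # Kahn's algorithm; sorting keeps the output deterministic for equal ranks.
    ready = deque(sorted(s for s in chosen if indegree[s] == 0))
    order = []
    while ready:
        s = ready.popleft()
        order.append(s)
        for t in sorted(dependents[s]):
            indegree[t] -= 1
            if indegree[t] == 0:
                ready.append(t)

    if len(order) != len(chosen):
        stuck = sorted(s for s in chosen if indegree[s] > 0)
        raise ValueError(f"dependency cycle among {stuck}")
    return order


if __name__ == "__main__":
    print(order_scripts(["creds-summary", "http-brute", "http-userdir-enum"]))
    print(order_scripts(["http-brute"]))   # dependency not selected, so not added
```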
A new --script-help option describes all scripts matching a given specification. It accepts the same specification format as --script does. For example, try ‘nmap --script-help "default or http-*"’.
The script arguments which start with a script name (e.g. http-brute.hostname or afp-ls.maxfiles) can now accept the unqualified arguments as well (hostname, maxfiles). This lets you use the generic version (“hostname”) when you want to affect multiple scripts, while using the qualified version to target individual scripts. If both are specified, the qualified version takes precedence for that particular script. This works for library script arguments too (e.g. you can specify 'timelimit' rather than unpwdb.timelimit).
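The --script-args-file option described earlier and the qualified/unqualified argument rule above combine into a small precedence scheme: the file is read first, command-line --script-args override it key by key, and when a script asks for an argument the qualified form (http-brute.hostname) wins over the bare form (hostname). This added example (not Nmap's parser; it handles only plain key=value pairs, not NSE's table or quoting syntax) shows that resolution on a constructed args file. Argument names are the ones used in the text; the values are made up.

```python
"""Resolve NSE script arguments from an args file plus command-line overrides
(added example, not Nmap's own parser; the file contents below are constructed)."""


def parse_script_args(text):
    """Parse key=value pairs separated by commas or newlines into a dict.
    Simplification: a bare key without '=' is stored as "1" (assumption of
    this parser; NSE's full syntax also supports tables and quoting)."""
    args = {}
    for chunk in text.replace("\n", ",").split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        key, sep, value = chunk.partition("=")
        args[key.strip()] = value.strip() if sep else "1"
    return args


def merge_args(file_text, cmdline_text):
    """--script-args-file first, then --script-args overriding the same keys."""
    merged = parse_script_args(file_text)
    merged.update(parse_script_args(cmdline_text))
    return merged


def resolve_arg(args, script, name):
    """Return the value a script (or library) sees for `name`:
    'script.name' takes precedence over the unqualified 'name'."""
    qualified = f"{script}.{name}"
    if qualified in args:
        return args[qualified]
    return args.get(name)


# Constructed --script-args-file contents: commas and newlines both separate pairs.
ARGS_FILE = """hostname=www.example.com
unpwdb.timelimit=10m, http-brute.hostname=intranet.example.com
"""
CMDLINE = "timelimit=5m"   # constructed --script-args value


if __name__ == "__main__":
    merged = merge_args(ARGS_FILE, CMDLINE)
    for script, name in (("http-brute", "hostname"), ("http-form-brute", "hostname"),
                         ("unpwdb", "timelimit"), ("brute", "timelimit"),
                         ("afp-ls", "maxfiles")):
        print(f"{script}.{name} -> {resolve_arg(merged, script, name)}")
```

Note the two overrides at work: the bare timelimit=5m from the command line replaces nothing in the file (the file only set unpwdb.timelimit), so unpwdb still sees 10m while any other consumer of timelimit sees 5m.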
Created a new broadcast script category for scripts which broadcast on the local network and discover information and/or potential target hosts from the responses. We already have 31 of them:
broadcast-avahi-dos, broadcast-db2-discover, broadcast-dhcp6-discover, broadcast-dhcp-discover, broadcast-dns-service-discovery, broadcast-dropbox-listener, broadcast-listener, broadcast-ms-sql-discover, broadcast-netbios-master-browser, broadcast-networker-discover, broadcast-novell-locate, broadcast-pc-anywhere, broadcast-pc-duo, broadcast-ping, broadcast-pppoe-discover, broadcast-rip-discover, broadcast-ripng-discover, broadcast-sybase-asa-discover, broadcast-upnp-info, broadcast-versant-locate, broadcast-wake-on-lan, broadcast-wpad-discover, broadcast-wsdd-discover, broadcast-xdmcp-discover, eap-info, lltd-discovery, targets-ipv6-multicast-echo, targets-ipv6-multicast-invalid-dst, targets-ipv6-multicast-mld, targets-ipv6-multicast-slaac, targets-sniffer
Added a vulnerability management library for a consistent way of storing and reporting detected vulnerability information. So far we have 13 scripts using the library. Our current vulnerability script focus is on major, remotely exploitable pre-auth vulns. For example, we added scripts for the recent remote root vulnerability in Samba (samba-vuln-cve-2012-1182) and the code execution vulnerability in PHP-CGI (http-vuln-cve2012-1823).
NSE libraries allow scripts to share code, often to interact with a specific networking protocol. Nmap 6 adds 60 libraries, bringing the total up to 87. Here are the new ones:
afp, amqp, asn1, bitcoin, bittorrent, brute, citrixxml, creds, cvs, dhcp, dhcp6, dnsbl, dnssd, drda, eap, ftp, giop, httpspider, iax2, informix, iscsi, json, ldap, membase, mongodb, mssql, mysql, natpmp, ncp, ndmp, nrpc, omp2, pgsql, pppoe, proxy, redis, rmi, rpc, rpcap, rsync, rtsp, sasl, sip, smtp, socks, srvloc, sslcert, strict, stun, target, tftp, tns, upnp, versant, vnc, vulns, vuzedht, wsdd, xdmcp, xmpp
Web Scanning Improvements
As the Internet has grown more web-centric, Nmap has developed web scanning capabilities to keep pace. When Nmap was first released in 1997, most of the network services offered by a server listened on individual TCP or UDP ports and could be found with a simple port scan. Now, applications are just as commonly accessed via URL path instead, all sharing a web server listening on a single port. Nmap now includes many techniques for enumerating those applications, as well as performing a wide variety of other HTTP tasks, from web site spidering to brute force authentication cracking. Technologies such as SSL encryption, HTTP pipelining, and caching mechanisms are well supported. Nmap 6 offers many major improvements:
Increased the number of NSE scripts for scanning web servers from 6 to 54. Some of our favorite new scripts are:
- http-title simply determines the title of the root page of any web servers detected when scanning. It's the sort of trivial script which was easy to write and yet provides valuable insights on target hosts.
- http-backup-finder spiders a website and attempts to identify backup copies of discovered files by requesting a number of different combinations of the filename (e.g. index.bak, index.html~, copy of index.html).
- http-enum enumerates directories used by popular web applications and servers by checking more than 2,000 URI paths. This is perhaps our closest analogue to port scanning the web.
- http-favicon grabs a site's favicon file (the tiny icon which is often shown in the URL bar while browsing) and checks whether it is from a known content management system or other application. We used it to scan hundreds of thousands of popular web servers as part of our Icons of the Web project.
- http-grep spiders a web site attempting to find pages which match a given pattern.
- ssl-cert retrieves and prints a target server's SSL certificate.
Added a new httpspider library which is used for recursively crawling web sites for information. New scripts using this functionality include http-backup-finder, http-email-harvest, http-grep, http-open-redirect, and http-unsafe-output-escaping.
The HTTP library now caches responses from http.get or http.head so that resources aren't requested multiple times during the same Nmap run even if several scripts request them.
Added HTTP pipelining support to the HTTP library and to the http-enum, http-userdir-enum, and sql-injection.nse scripts. Pipelining can increase speed dramatically for scripts which make many requests.
Server Name Indication (SNI) is now supported by Ncat and Nmap NSE, allowing them to connect to servers which run multiple SSL websites on one IP address. To enable this for NSE, the nmap.connect function has been changed to accept host and port tables (like those provided to the action function) in place of a string and a number.
IPv6 Support
Given the exhaustion of available IPv4 addresses, the Internet community is trying to move to IPv6. Nmap has been a leader in the transition, offering basic IPv6 support since 2002. That included basic (connect) port scans, basic host discovery, version detection, and the Nmap Scripting Engine. But that's not enough, so we spent many months ensuring that Nmap version 6 contains full support for IP version 6. And we released it just in time for the World IPv6 Launch. It's easy to use too—just specify the -6 argument along with IPv6 target IP addresses or DNS records. Our new IPv6 support includes:
Raw packet IPv6 port scanning is now supported. This allows for IPv6 raw packet host discovery (IPv6 echo requests, TCP/UDP discovery packets, etc.) and raw packet port scanning (SYN scan, UDP scan, ACK scan, and more). IPv6 protocol scan (-sO) is also supported, and we wrote an IPv6 traceroute implementation (--traceroute) too.
Added an IPv6 OS detection system! The new system utilizes many tests similar to IPv4, and also some IPv6-specific ones that we found to be particularly effective. And it uses a machine learning approach rather than the static classifier we use for IPv4. We hope to move some of the IPv6 innovations back to our IPv4 system if they work out well. The database is still very small, so please submit any fingerprints that Nmap gives you to the specified URL (as long as you are certain that you know what the target system is running). Usage and results output are basically the same as with IPv4, and the implementation is documented here. For an example, try running "nmap -6 -O scanme.nmap.org".
Since the IPv6 address space is too large to brute force scan in general (like we do with IPv4), we researched IPv6 host discovery techniques for finding all the machines on a local network. We ended up implementing the four techniques we found most effective. They are all implemented as NSE scripts which can simply print out discovered addresses or (if requested) add them to Nmap's target queue. Since each technique may discover a different set of hosts, we recommend using multiple techniques or even specifying all four. Here they are:
- targets-ipv6-multicast-echo sends an ICMPv6 echo request packet to the all-nodes link-local multicast address (ff02::1). When ICMP echo response packets are received, it collects the IPv6 addresses that they come from and marks those hosts as potential scan targets. This is a rather straightforward technique which uses the protocols as designed, and (just like using ICMPv4 echo request packets for host discovery) it is quite effective.
- targets-ipv6-multicast-invalid-dst sends an ICMPv6 packet with an invalid extension header to the all-nodes link-local multicast address. Any hosts replying with an ICMPv6 parameter problem packet can be marked as up and available for potential scanning.
- targets-ipv6-multicast-mld attempts to discover available IPv6 hosts on the LAN by sending an MLD (multicast listener discovery) query to the link-local multicast address (ff02::1) and listening for any responses. The query's maximum response delay is set to 0 to provoke hosts to respond immediately rather than waiting for other responses from their multicast group.
- targets-ipv6-multicast-slaac sends an ICMPv6 router acknowledgment packet with a random address prefix, causing hosts to begin stateless address auto-configuration (SLAAC) and send a solicitation for their newly configured address. We can then guess the remote addresses by combining the link-local prefix of the interface with the interface identifier in each of the received solicitations. An ordinary ICMPv6 neighbor discovery probe can then be used to verify that the guessed addresses are correct.
An example command to find all the IPv6 hosts on your local network using all four of these techniques in combination is: nmap -v -n -sn --script targets-ipv6-*
Added IPv6 Neighbor Discovery ping. This is the IPv6 analog to IPv4 ARP scan. It is the default ping type for local IPv6 networks.
Scanme.Nmap.Org (the system anyone is allowed to scan for testing purposes) is now dual-stacked (has an IPv6 address as well as IPv4) so you can scan it during IPv6 testing. We also added a DNS record for scanmeV6.nmap.org which is IPv6-only. So you can check if your current system can already handle IPv6 by trying to visit the ipv6-only scanme site. You might be surprised! We have posted more details here.
The Nmap.org website as well as sister sites Insecure.Org, SecLists.Org, and SecTools.Org all have working IPv6 addresses now (dual stacked). For example, Nmap.org can be found at 2600:3c01::f03c:91ff:fe96:967c.
Ncat now supports IPv6 addresses by default without the -6 flag. Additionally, Ncat listens on both ::1 and localhost when passed -l, or any other listening mode, unless a specific listening address is supplied.
Zenmap graphical front-end and results viewer
Zenmap is our cross-platform (Linux, Windows, Mac OS X, etc.) Nmap GUI and results viewer. It aims to provide advanced features for experienced Nmap users while also making Nmap easier for beginners to use. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later, or even compared with one another to see how they differ. Our network topology viewer allows for interactive exploration of a network scanned with Nmap. While Zenmap already existed in Nmap 5.00, we've made many improvements since then:
Added a new script selection interface, allowing you to choose scripts and arguments from a list which includes descriptions of every available script. Just click the "Scripting" tab in the profile editor.
Localized most of the remaining strings in the GUI interface which were English-only. The actual textual Nmap results are still in English, but the GUI is now almost fully localized. Supported translations (so far) are Brazilian Portuguese, French, German, Hungarian, and Russian. Instructions for switching to a different language or even for writing and contributing your own translation are available here.
After performing or loading a scan, you can now filter results to just the hosts you are interested in by pressing Ctrl+L (or the "Filter Hosts" button) to open the host filtering interface. This makes it easy to select just Linux hosts, or those running a certain version of Apache, or whatever interests you. You can easily modify the filter or remove it to see the whole scan again. This feature is documented here.
We made a ton of performance improvements, as documented in the performance section of these release notes.
Performance Improvements
In Nmap's 15-year history, performance has always been a top priority. Whether scanning one target or a million, users want scans to run as fast as possible without sacrificing accuracy. Improvements since Nmap 5 include:
Nmap's --traceroute has been rewritten for better performance. Probes are sent in parallel to individual hosts, not just across all hosts as before. Trace consolidation is more sophisticated, allowing common traces to be identified sooner and fewer probes to be sent. The older traceroute could be very slow (taking minutes per target) if the target did not respond to the trace probes, and this new traceroute avoids that. In a trace of 110 hosts in a /24 over the Internet, the number of probes sent dropped 50% from 1565 to 743, and the time taken dropped 92% from 95 seconds to 7.6 seconds. Traceroute now uses an ICMP echo request probe if no working probes against the target were discovered during scanning.
Improved the Zenmap output viewer to show new output in constant time. Previously it would get slower and slower as the output grew longer, eventually making Zenmap appear to freeze with 100% CPU.
Greatly improved Zenmap's performance for large scans by benchmarking intensively and then re-coding dozens of slow parts. Time taken to load our benchmark file (a scan of just over a million IPs belonging to Microsoft corporation, with 74,293 hosts up) was reduced from hours to less than two minutes. Memory consumption decreased dramatically as well.
Improved OS detection performance by scaling congestion control increments by the response rate during OS scan, just as was done for port scan before.
Performed a memory consumption audit and made changes to dramatically reduce Nmap's footprint. This improves performance on all systems, but is particularly important when running Nmap on small embedded devices such as phones. Our intensive UDP scan benchmark saw peak memory usage decrease from 34MB to 6MB, while OS detection consumption was reduced from 67MB to 3MB. Full details were posted here, and the highlights are:
- The size of the internal representation of nmap-os-db was reduced more than 90%. Peak memory consumption in our OS detection benchmark was reduced from 67MB to 3MB.
- The size of individual Port structures without service scan results was reduced about 70%.
- When a port receives no response, Nmap now avoids allocating a Port structure at all, so scans against filtered hosts can be light on memory.
Nping packet generation and response analysis tool
Nping is an open source tool for network packet generation, response analysis and response time measurement. Nping can generate network packets for a wide range of protocols, allowing users full control over protocol headers. While Nping can be used as a simple ping utility to detect active hosts, it can also be used as a raw packet generator for network stack stress testing, ARP poisoning, Denial of Service attacks, route tracing, etc. Nping's novel echo mode lets users see how packets change in transit between the source and destination hosts. That's a great way to understand firewall rules, detect packet corruption, and more.
Nping has a very flexible and powerful command-line interface that grants users full control over generated packets. Features include:
- Custom TCP, UDP, ICMP and ARP packet generation.
- Support for multiple target host specification.
- Support for multiple target port specification.
- Unprivileged modes for non-root users.
- Echo mode for advanced troubleshooting and discovery.
- Support for Ethernet frame generation.
- Support for IPv6 (currently experimental).
- Runs on Linux, Mac OS and MS Windows.
- Route tracing capabilities.
- Highly customizable.
- Free and open-source.
For a much more detailed introduction, you can read the Nping documentation (man page).
Infrastructure Improvements
Keeping the Nmap project vibrant and productive (for developers and users) requires constant investment in our development. Our software and hardware from Nmap's early days in 1997 (or even Nmap 5 in 2009) just don't cut it any more. Improvements since Nmap 5 include:
We set up a new Subversion (SVN) source code revision control server for the Nmap codebase. This one uses SSL for better security, WebDAV rather than svnserve for greater functionality, is hosted on a faster (virtual) machine, provides Nmap code history back to 1998 rather than 2005, and removes the need for the special "guest" username. The new server is at https://svn.nmap.org/nmap and instructions on using it are available here.
Created a special wiki for Nmap development and community-generated documentation at SecWiki.Org.
One of the most successful pages on our new SecWiki.Org so far is our NSE script ideas page. If you have a good idea, post it to the incoming section of the page. Or if you're in a script writing mood but don't know what to write, come here for inspiration: https://secwiki.org/w/Nmap_Script_Ideas.
More than 3,000 Nmap users filled out a survey of their favorite (non-Nmap) tools, and we tabulated the results to launch a new version of our top tools site at SecTools.Org. It now includes user ratings and reviews, tracks release dates, offers searching and sorting, and even lets you nominate your own favorite tools. It's like a frickin' Yelp for security tools!
Ncat
Ncat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat. It uses both TCP and UDP for communication and is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users. Ncat will not only work with IPv4 and IPv6 but provides the user with a virtually limitless number of potential uses.
Among Ncat’s vast number of features there is the ability to chain Ncats together, redirect both TCP and UDP ports to other sites, SSL support, and proxy connections via SOCKS4 or HTTP (CONNECT method) proxies (with optional proxy authentication as well). Some general principles apply to most applications and thus give you the capability of instantly adding networking support to software that would normally never support it.
We made a number of great improvements to Ncat in Nmap 6:
Ncat now has configure-time ASCII art just like Nmap does:
                         . .
                       \`-"'"-'/
                        } 6 6 {
                       ==. Y ,==
                         /^^^\  .
                        /     \  )         Ncat: A modern interpretation of classic Netcat
                       (  )-(  )/
                        -""---""---
                        /     /
                       /   Ncat   \_/
                      (  ____      \_.=|____E
Created a portable version of ncat.exe that you can just drop onto Microsoft Windows systems without having to run any installer or copy over extra library files. See the Ncat page for binary downloads and a link to build instructions.
Updated Ncat's SSL certificate store (ca-bundle.crt), primarily to remove the epic fail known as DigiNotar.
Implemented basic SCTP client functionality in client mode (server already exists). Only the default SCTP stream is used. This is also called TCP compatible mode. While it allows Ncat to be used for manually probing open SCTP ports, more complicated services making use of multiple streams or depending on specific message boundaries cannot be talked to successfully.
Implemented SSL over SCTP in both client (connect) and server (listen) modes.
Portability Enhancements
We made dozens of portability changes to improve Nmap compilation and execution on Mac OS X 10.7; Solaris 9, 10, and 11; AIX 6.1 & 7.1; OpenSolaris; IBM ZLinux; Arch Linux; and many other platforms. Most of these are not listed here because you can read them by searching for your desired platform in the full CHANGELOG. But here are a few particularly interesting portability improvements:
Our Mac OS X packages are now x86-only (rather than universal), reducing the download size from 30 MB to about 17 MB. If you still need a PowerPC version (Apple stopped selling those machines in 2006), you can use Nmap 5.51 or 5.61TEST2 (available here).
Refactored the Nsock library to add the nsock-engines system. This allows system-specific scalable IO notification facilities to be used while maintaining the portable Nsock API. This initial version comes with an epoll-based engine for Linux and a select-based fallback engine for all other operating systems. Also added the --nsock-engine option to Nmap, Nping and Ncat to enforce use of a specific Nsock IO engine.
We no longer support Nmap on versions of Windows earlier than XP SP2. Even Microsoft no longer supports Windows versions that old. But if you must use Nmap on such systems anyway, we've provided some tips.
Operating system detection
Thanks to fingerprint submissions from thousands of Nmap users around the world, our remote operating system detection system grew from 2,003 signatures in Nmap 5 to 3,572 now. These include the latest versions of Windows, Linux, and Mac OS X as well as more specialized entries such as oscilloscopes, ATM machines, employee timeclocks, DVRs, game consoles, and much more. Some of the newest fingerprints are for Apple iOS 5.01, OpenBSD 5.0, FreeBSD 9.0-PRERELEASE, and a ton of new WAPs, routers, and other devices.
In addition to more than 1,500 new fingerprints, we made several important performance improvements and bug fixes to the system.
Version detection
The days when we could assume what was running on an open port based on the port number are long gone. These days, folks commonly run services on the "wrong" port numbers in order to defeat filtering policies, hide traffic, or work around various networking problems. Fortunately, Nmap's version detection system is able to interrogate the service listening on the open port and tell you the service running as well as (in many cases) the application name and version number. Nmap 5 had an impressive 5,512 signatures matching 511 protocols, but Nmap 6 improves that to 8,165 signatures for 862 protocols!
Even more improvements
In addition to the pages of changes listed above, we made many improvements which defy simple categorization:
Added Common Platform Enumeration (CPE, http://cpe.mitre.org/) output for OS and service versions. This is a standard way to identify operating systems and applications so that Nmap can better interoperate with other software. Nmap's own (generally more comprehensive) taxonomy/classification system is still supported as well. Some OS and version detection results don't have CPE entries yet. CPE entries show up in normal output with the headings "OS CPE" and "Service Info":
OS CPE: cpe:/o:linux:kernel:2.6.39
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
These also appear in XML output, which additionally has CPE entries for service versions.
Nmap now supports the old-school Gopher protocol thanks to our handy gopher-ls NSE script. We even support Gopher over IPv6!
Enabled the ASLR and DEP security technologies for Nmap.exe, Ncat.exe and Nping.exe on Windows Vista and above. Visual C++ will set the /DYNAMICBASE and /NXCOMPAT flags in the PE header. Executables generated using py2exe or NSIS and third party binaries (OpenSSL, WinPcap) still don't support ASLR or DEP. Support for DEP on XP SP3, using SetProcessDEPPolicy(), could still be implemented. [more details]
Nmap now determines the filesystem location it is being run from and that path is now included early in the search path for data files (such as nmap-services). This reduces the likelihood of needing to specify --datadir or getting data files from a different version of Nmap installed on the system. For full details, see the docs.
Made the final IP address space assignment update as all available IPv4 address blocks have now been allocated to the regional registries. Our random IP generation (-iR) logic now only excludes the various reserved blocks. Thanks to Kris Katterjohn for years of regular updates to this function!
The -V and --version options now show the platform Nmap was compiled on, which features are compiled in, the version numbers of libraries it is linked against, and whether the libraries are the ones that come with Nmap or the operating system.
Dramatically improved nmap.xsl (used for converting Nmap XML output to pretty HTML). You can find the newest copy of the file here and this is an example of rendered output.
Ports are now considered open during a SYN scan if a SYN packet (without the ACK flag) is received in response. This can be due to an extremely rare TCP feature known as a simultaneous open or split handshake connection. The nmap-dev discussion thread starts here.
When Nmap is passed a hostname such as google.com which resolves to several IP addresses, Nmap now prints each IP address. It still only scans the first one in the returned list unless you use the new resolveall NSE script.
Switched to -Pn and -sn as the preferred syntax for skipping ping scan and skipping port scan, respectively. Previously the -PN and -sP options were recommended. This establishes a more regular syntax for options that disable phases of a scan:
- -n disables reverse DNS
- -Pn disables host discovery (assumes all target hosts are up)
- -sn disables port scanning
We also felt that the old -sP ("ping scan") option was a bit misleading because current versions of Nmap can go much further (including -sC and --traceroute) even with port scans disabled. We will retain support for the previous option names for the foreseeable future.
Nmap now provides Christmas greetings and a reminder of Xmas scan (-sX) when run in verbose mode on December 25.
For some UDP ports, Nmap will now send a protocol-specific payload that is more likely to get a response than an empty packet is. This improves the effectiveness of probes to those ports for host discovery, and also makes an open port more likely to be classified open rather than open|filtered. The ports and payloads are defined in a new nmap-payloads data file. We now have payloads for 19 services including DNS (port 53), snmp (161), isakmp (500), NFS (2049), etc.
Nmap now prefers to display the hostname supplied by the user instead of the reverse-DNS name in most places. If a reverse DNS record exists, and it differs from the user-supplied name, it is printed like this:
Nmap scan report for www.google.com (74.125.53.103)
rDNS record for 74.125.53.103: pw-in-f103.1e100.net
And in XML it looks like:
<hostnames>
  <hostname name="openbsd.org" type="user"/>
  <hostname name="cvs.openbsd.org" type="PTR"/>
</hostnames>
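The two XML additions described on this page, user-vs-PTR hostname elements and CPE entries for OS and service matches, are what an inventory script would consume. This added example (not part of Nmap or the Nmap project) parses a constructed XML document shaped like Nmap 6 output, reports when the reverse-DNS name differs from the user-supplied name, and splits each CPE 2.2 URI into its fields; the host, names and CPE values are sample data, not a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Nmap 6 XML output (not a real scan).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="6.00">
 <host>
  <address addr="74.125.53.103" addrtype="ipv4"/>
  <hostnames>
   <hostname name="www.google.com" type="user"/>
   <hostname name="pw-in-f103.1e100.net" type="PTR"/>
  </hostnames>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/>
    <service name="ssh" product="OpenSSH" version="5.9p1">
     <cpe>cpe:/a:openbsd:openssh:5.9p1</cpe>
    </service>
   </port>
  </ports>
  <os><osmatch name="Linux 2.6.39"><osclass type="general purpose" vendor="Linux">
   <cpe>cpe:/o:linux:kernel:2.6.39</cpe>
  </osclass></osmatch></os>
 </host>
</nmaprun>
"""

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

def parse_cpe(uri):
    """Split a CPE 2.2 URI such as cpe:/o:linux:kernel:2.6.39 into named fields."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    return dict(zip(CPE_FIELDS, uri[len("cpe:/"):].split(":")))

def summarize(xml_text):
    """Per host: user-supplied name, rDNS (PTR) name, and OS/service CPEs."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        names = {h.get("type"): h.get("name") for h in host.iter("hostname")}
        user, rdns = names.get("user"), names.get("PTR")
        hosts.append({
            "addr": host.find("address").get("addr"),
            "user_name": user,
            "rdns": rdns,
            # Nmap prints the rDNS record only when it differs from the user's name
            "name_mismatch": user is not None and rdns is not None and user != rdns,
            "os_cpe": [c.text for c in host.findall("os/osmatch/osclass/cpe")],
            "service_cpe": [c.text for c in host.findall("ports/port/service/cpe")],
        })
    return hosts
```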
The Ndiff man page was dramatically improved with examples and sample output. Ndiff is a handy tool for comparing two Nmap scans to find out about newly opened ports, service changes, etc.
Ndiff now shows changes in script (NSE) output for each target host (in both text output format and XML).
Nmap now generates IP addresses without duplicates (until you cycle through all the allowed IPs) in random target mode (-iR) thanks to a new collision-free 32-bit number generator in nbase_rnd.c. Details in their full mathematical glory are available here.
These are all just highlights from the full list of changes you can find in our CHANGELOG.
Moving Forward (Future Plans)
With this stable version out of the way, we are diving headfirst into the next development cycle. Many exciting features are in the queue, including:
An updater system for obtaining the latest NSE scripts, OS fingerprint updates, and other improvements in near real time.
To improve the user experience, we're adding various browser toolbars, search engine redirectors and associated adware to the Windows installer. Not! We'd never pull a sleazy CNET Download.com tactic, but it emphasizes why you should download Nmap from the true source—Nmap.Org.
High speed port scanning through http or socks proxies (or chains of proxies)
Even more NSE scripts to make the lives of network administrators and security practitioners easier. 348 scripts is impressive, but not enough.
You can read more of our short-term and longer-term plans from our public TODO list.
For the latest Insecure.Org and Nmap announcements, join the 98,875-member Nmap-hackers announcement list. Traffic rarely exceeds one message per month. Subscribe here or read the archives at SecLists.Org. To participate in Nmap development, join the (high traffic) nmap-dev list. You can also follow us on Twitter or Facebook.
Acknowledgments
A free open source scanner as powerful as Nmap is only possible thanks to the help of hundreds of developers and other contributors. We would like to acknowledge and thank the many people who contributed ideas and/or code since Nmap 5.00. Special thanks go out to:
Aaron Leininger, Aleksandar Nikolic, Aleksey Tyurin, Alexander Rudakov, Alexandru, Ambarisha B., Andrew Orr, Ange Gutek, Ankur Nandwani, Arturo Busleiman, Bernd Stroessenreuther, Bill Pollock, Brandon Enright, Brendan Coles, Carlos Pantelides, Chad Loder, Chris Woodbury, Cirrus, Colin Rice, Daniel J. Luke, Daniel Miller, Daniel Roethlisberger, David Fifield, Diman Todorov, Djalal Harouni, Dmitry Levin, Doug Hoyte, Dražen Popović, Dr. Jesus, Duarte Silva, Eddie Bell, Eugene V. Alexeev, Felix Groebert, Ferdy Riphagen, Frederik Schwarzer, Fyodor, Gabriel Lawrence, Gisle Vanem, Gorjan Petrovski, Hani Benhabiles, HD Moore, Henri Doreau, Jah, Jason DePriest, Jeff Nathan, Jesse Burns, jlanthea, Joao Correa, John R. Bond, Josh Marlow, Jost Krieger, Kirubakaran, Kris Katterjohn, KX, Lance Spitzner, Lauren Friedman, Lauri Kokkonen, Leslie Hawthorn, Luis MartinGarcia, Mak Kolybabi, Marek Majkowski, Mark Heuse, Martin Holst Swende, Matt Foster, Matthew Boyle, Matthew Flanagan, Matt Selsky, Micah Hoffman, Michael Kohl, Michael Pattrick, Michael Schierl, Mikael Keri, Mike Frysinger, Mudge, Nick Nikolaou, Niteesh Kumar, Olivier M, Olli Hauer, Patrick Donnelly, Patrik Karlsson, Paulino Calderon, Pavel Kankovsky, Philip Pickering, Piotr Olma, Rebellis, Riccardo Cecolin, Richard Sammet, riemann, Rob Nicholls, Ron Bowes, Ron Meldau, Russ Tait Milne, Sebastian Dragomir, Sebastian Prengel, Shinnok, Solar Designer, Sven Klemm, Thomas Buchanan, Tillmann Werner, Tom Sellers, Toni Ruottu, Vasiliy Kulikov, Venkat Sanaka, Vikas Singhal, Vladz, Vlatko Kosturjak, William Pursell, Xu Weilin
We would also like to thank the thousands of people who have submitted OS and service/version fingerprints, as well as everyone who has found and reported bugs or suggested features.
Special thanks go to Google, who has sponsored 59 students (total over the last 8 years) to spend a summer working on Nmap as part of Google's Summer of Code program. This summer, we have an impressive team of five students who have already started work!
Download and Updates
Nmap is available for download from https://nmap.org/download.html in source and binary form. Nmap is free, open source software (license).
To learn about Nmap announcements as they happen, subscribe to nmap-hackers! It is a very low volume (7 messages in 2011), moderated list for announcements about Nmap, Insecure.org, and related projects. You can join the 98,875 current subscribers by submitting your e-mail address below. Maybe you'll be the one to take us to 100,000 members!
Nmap-hackers is archived at SecLists.org and has an RSS feed. To participate in Nmap development, join the (high traffic) nmap-dev list as well.
You are also encouraged to join our Facebook page and follow our Twitter feed:
Direct questions or comments to Fyodor ([email protected]).
Report any bugs as described here.