Nmap 6 Released

May 21, 2012—The Nmap Project is pleased to announce the immediate, free availability of the Nmap Security Scanner version 6.00 from https://nmap.org/. It is the product of almost three years of work, 3,924 code commits, and more than a dozen point releases since the big Nmap 5 release in July 2009. Nmap 6 includes a more powerful Nmap Scripting Engine, 289 new scripts, better web scanning, full IPv6 support, the Nping packet prober, faster scans, and much more! We recommend that all current users upgrade.

Contents:

  1. About Nmap
  2. Top 6 Improvements in Nmap 6
  3. Press
  4. Screen Shots
  5. Detailed Improvements
  6. Moving Forward (Future Plans)
  7. Acknowledgments
  8. Download and updates

About Nmap

Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for network inventory, managing service upgrade schedules, monitoring host or service uptime, and many other tasks. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in a dozen movies, including The Matrix Reloaded, The Bourne Ultimatum. Girl with the Dragon Tattoo, and Die Hard 4. Nmap was released to the public in 1997 and has earned the trust of millions of users.

As free software, we don't have any sort of advertising budget. So please spread the word that Nmap 6 is now available!

Top 6 Improvements in Nmap 6

Before we go into the detailed changes, here are the top 6 improvements in Nmap 6:

1. NSE Enhanced

The Nmap Scripting Engine (NSE) has exploded in popularity and capabilities. This modular system allows users to automate a wide variety of networking tasks, from querying network applications for configuration information to vulnerability detection and advanced host discovery. The script count has grown from 59 in Nmap 5 to 348 in Nmap 6, and all of them are documented and categorized in our NSE Documentation Portal. The underlying NSE infrastructure has improved dramatically as well. [More details]

2. Better Web Scanning

As the Internet has grown more web-centric, Nmap has developed web scanning capabilities to keep pace. When Nmap was first released in 1997, most of the network services offered by a server listened on individual TCP or UDP ports and could be found with a simple port scan. Now, applications are just as commonly accessed via URL path instead, all sharing a web server listening on a single port. Nmap now includes many techniques for enumerating those applications, as well as performing a wide variety of other HTTP tasks, from web site spidering to brute force authentication cracking. Technologies such as SSL encryption, HTTP pipelining, and caching mechanisms are well supported. [More details]

3. Full IPv6 Support

Given the exhaustion of available IPv4 addresses, the Internet community is trying to move to IPv6. Nmap has been a leader in the transition, offering basic IPv6 support since 2002. But basic support isn't enough, so we spent many months ensuring that Nmap version 6 contains full support for IP version 6. And we released it just in time for the World IPv6 Launch.

We've created a new IPv6 OS detection system, advanced host discovery, raw-packet IPv6 port scanning, and many NSE scripts for IPv6-related protocols. It's easy to use too—just specify the -6 argument along with IPv6 target IP addresses or DNS records. In addition, all of our web sites are now accessible via IPv6. For example, Nmap.org can be found at 2600:3c01::f03c:91ff:fe96:967c. [More details]

4. New Nping Tool

The newest member of the Nmap suite of networking and security tools is Nping, an open source tool for network packet generation, response analysis and response time measurement. Nping can generate network packets for a wide range of protocols, allowing full control over protocol headers. While Nping can be used as a simple ping utility to detect active hosts, it can also be used as a raw packet generator for network stack stress testing, ARP poisoning, Denial of Service attacks, route tracing, etc. Nping's novel echo mode lets users see how packets change in transit between the source and destination hosts. That's a great way to understand firewall rules, detect packet corruption, and more. [More details]

5. Better Zenmap GUI & results viewer

While Nmap started out as a command-line tool and many (possibly most) users still use it that way, we've also developed an enhanced GUI and results viewer named Zenmap. One addition since Nmap 5 is a “filter hosts” feature which allows you to see only the hosts which match your criteria (e.g. Linux boxes, hosts running Apache, etc.) We've also localized the GUI to support five languages besides English. A new script selection interface helps you find and execute Nmap NSE scripts. It even tells you what arguments each script supports. [More details]

6. Faster scans

In Nmap's 15-year history, performance has always been a top priority. Whether scanning one target or a million, users want scans to run as fast as possible without sacrificing accuracy. Since Nmap 5 we've rewritten the traceroute system for higher performance and increased the allowed parallelism of the Nmap Scripting Engine and version detection subsystems. We also performed an intense memory audit which reduced peak consumption during our benchmark scan by 90%. We made many improvements to Zenmap data structures and algorithms as well so that it can now handle large enterprise scans with ease. [More details]


Press

Please mail Fyodor if you see (or write) reviews/articles on the Nmap 6 release. Here are the ones seen so far: Reasonably detailed (or with many comments) English articles:

Brief English mentions: SANS Internet Storm Center (ISC), Help Net Security, Linux Weekly News (LWN), Ethical Hacker Network, HD Moore, Darknet

Permission is granted for journalists (or anyone writing about this Nmap release) to use any of the text or screen shots on this page. For quotes, you can email Fyodor at [email protected]. Leave your phone number if you want a callback.

Screen Shots

Nmap 6 provides a wealth of information about remote systems, as shown in this sample scan against a machine we maintain for scan testing purposes (scanme.nmap.org):

Here is an example using Zenmap against a couple of production web servers (Nmap.org and Reddit):

Perhaps the most visually appealing aspect of Zenmap is its network topology mapper. Here it is being used to interactively explore the routes between a source machine and more than a dozen popular web sites:



Detailed Improvements

The Nmap Changelog describes more than 600 significant improvements since our last major release (5.00 in July 2009). Here are the highlights:

Nmap Scripting Engine (NSE)

The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs. NSE was just beginning to take off with Nmap 5, and represents perhaps our proudest accomplishment in Nmap 6:

Web Scanning Improvements

As the Internet has grown more web-centric, Nmap has developed web scanning capabilities to keep pace. When Nmap was first released in 1997, most of the network services offered by a server listened on individual TCP or UDP ports and could be found with a simple port scan. Now, applications are just as commonly accessed via URL path instead, all sharing a web server listening on a single port. Nmap now includes many techniques for enumerating those applications, as well as performing a wide variety of other HTTP tasks, from web site spidering to brute force authentication cracking. Technologies such as SSL encryption, HTTP pipelining, and caching mechanisms are well supported. Nmap 6 offers many major improvements:

IPv6 Support

Given the exhaustion of available IPv4 addresses, the Internet community is trying to move to IPv6. Nmap has been a leader in the transition, offering basic IPv6 support since 2002. That included basic (connect) port scans, basic host discovery, version detection, and the Nmap Scripting Engine. But that's not enough, so we spent many months ensuring that Nmap version 6 contains full support for IP version 6. And we released it just in time for the World IPv6 Launch. It's easy to use too—just specify the -6 argument along with IPv6 target IP addresses or DNS records. Our new IPv6 support includes:

Zenmap graphical front-end and results viewer

Zenmap screenshot thumbnail

Zenmap is our cross-platform (Linux, Windows, Mac OS X, etc.) Nmap GUI and results viewer. It aims to provide advanced features for experienced Nmap users while also making Nmap easier for beginners to use. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later, or even compared with one another to see how they differ. Our network topology viewer allows for interactive exploration of a network scanned with Nmap. While Zenmap already existed in Nmap 5.00, we've made many improvements since then:

Performance Improvements

In Nmap's 15-year history, performance has always been a top priority. Whether scanning one target or a million, users want scans to run as fast as possible without sacrificing accuracy. Improvements since Nmap 5 include:

Nping packet generation and response analysis tool

Nping Logo

Nping is an open source tool for network packet generation, response analysis and response time measurement. Nping can generate network packets for a wide range of protocols, allowing users full control over protocol headers. While Nping can be used as a simple ping utility to detect active hosts, it can also be used as a raw packet generator for network stack stress testing, ARP poisoning, Denial of Service attacks, route tracing, etc. Nping's novel echo mode let's users see how packets change in transit between the source and destination hosts. That's a great way to understand firewall rules, detect packet corruption, and more.

Nping has a very flexible and powerful command-line interface that grants users full control over generated packets. Features include:

For a much more detailed introduction, you can read the Nping documentation (man page).

Infrastructure Improvements

Keeping the Nmap project vibrant and productive (for developers and users) requires constant investment in our development. Our software and hardware from Nmap's early days in 1997 (or even Nmap 5 in 2009) just don't cut it any more. Improvements since Nmap 5 include:

Ncat

Ncat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat. It uses both TCP and UDP for communication and is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users. Ncat will not only work with IPv4 and IPv6 but provides the user with a virtually limitless number of potential uses.

Among Ncat’s vast number of features there is the ability to chain Ncats together, redirect both TCP and UDP ports to other sites, SSL support, and proxy connections via SOCKS4 or HTTP (CONNECT method) proxies (with optional proxy authentication as well). Some general principles apply to most applications and thus give you the capability of instantly adding networking support to software that would normally never support it.

We made a number of great improvements to Ncat in Nmap 6:

Portability Enhancements

We made dozens of portability changes to improve Nmap compilation and execution on Mac OS X 0.7, Solaris 9, 10, and 11; AIX 6.1 & 7.1; OpenSolaris; IBM ZLinux; Arch Linux, and many other platforms. Most of these are not listed here because you can read them by searching for your desired platform in the full CHANGELOG. But here are a few particularly interesting portability improvements:

Operating system detection

Thanks to fingerprint submissions from thousands of Nmap users around the world, our remote operating system detection system grew from 2,003 signatures in Nmap 5 to 3,572 now. These include the latest versions of Windows, Linux, and Mac OS X as well as more specialized entries such as oscilloscopes, ATM machines, employee timeclocks, DVRs, game consoles, and much more. Some of the newest fingerprints are for Apple iOS 5.01, OpenBSD 5.0, FreeBSD 9.0-PRERELEASE, and a ton of new WAPs, routers, and other devices.

In addition to more than 1,500 new fingerprints, we made several important performance improvements and bug fixes to the system.

Version detection

The days when we could assume what was running on an open port based on the port number are long gone. These days, folks commonly run services on the "wrong" port numbers in order to defeat filtering policies, hide traffic, or work around various networking problems. Fortunately, Nmap's version detection system is able to interrogate the service listening on the open port and tell you the service running as well as (in many cases) the application name and version number. Nmap 5 had an impressive 5,512 signatures matching 511 protocols, but Nmap 6 improves that to 8,165 signatures for 862 protocols!

Even more improvements

In addition to the pages of changes listed above, we made many improvements which defy simple categorization:

These are all just highlights from the full list of changes you can find in our CHANGELOG.

Moving Forward (Future Plans)

With this stable version out of the way, we are diving headfirst into the next development cycle. Many exciting features are in the queue, including:

You can read more of our short-term and longer-term plans from our public TODO list.

For the latest Insecure.Org and Nmap announcements, join the 98,875-member Nmap-hackers announcement list. Traffic rarely exceeds one message per month. subscribe here or read the archives at SecLists.Org. To participate in Nmap development, join the (high traffic) nmap-dev list. You can also follow us on Twitter or Facebook.

Acknowledgments

A free open source scanner as powerful as Nmap is only possible thanks to the help of hundreds of developers and other contributors. We would like to acknowledge and thank the many people who contributed ideas and/or code since Nmap 5.00. Special thanks go out to:

Aaron Leininger, Aleksandar Nikolic, Aleksey Tyurin, Alexander Rudakov, Alexandru, Ambarisha B., Andrew Orr, Ange Gutek, Ankur Nandwani, Arturo Busleiman, Bernd Stroessenreuther, Bill Pollock, Brandon Enright, Brendan Coles, Carlos Pantelides, Chad Loder, Chris Woodbury, Cirrus, Colin Rice, Daniel J. Luke, Daniel Miller, Daniel Roethlisberger, David Fifield, Diman Todorov, Djalal Harouni, Dmitry Levin, Doug Hoyte, Dražen Popović, Dr. Jesus, Duarte Silva, Eddie Bell, Eugene V. Alexeev, Felix Groebert, Ferdy Riphagen, Frederik Schwarzer, Fyodor, Gabriel Lawrence, Gisle Vanem, Gorjan Petrovski, Hani Benhabiles, HD Moore, Henri Doreau, Jah, Jason DePriest, Jeff Nathan, Jesse Burns, jlanthea, Joao Correa, John R. Bond, Josh Marlow, Jost Krieger, Kirubakaran, Kris Katterjohn, KX, Lance Spitzner, Lauren Friedman, Lauri Kokkonen, Leslie Hawthorn, Luis MartinGarcia, Mak Kolybabi, Marek Majkowski, Mark Heuse, Martin Holst Swende, Matt Foster, Matthew Boyle, Matthew Flanagan, Matt Selsky, Micah Hoffman, Michael Kohl, Michael Pattrick, Michael Schierl, Mikael Keri, Mike Frysinger, Mudge, Nick Nikolaou, Niteesh Kumar, Olivier M, Olli Hauer, Patrick Donnelly, Patrik Karlsson, Paulino Calderon, Pavel Kankovsky, Philip Pickering, Piotr Olma, Rebellis, Riccardo Cecolin, Richard Sammet, riemann, Rob Nicholls, Ron Bowes, Ron Meldau, Russ Tait Milne, Sebastian Dragomir, Sebastian Prengel, Shinnok, Solar Designer, Sven Klemm, Thomas Buchanan, Tillmann Werner, Tom Sellers, Toni Ruottu, Vasiliy Kulikov, Venkat Sanaka, Vikas Singhal, Vladz, Vlatko Kosturjak, William Pursell, Xu Weilin

We would also like to thank the thousands of people who have submitted OS and service/version fingerprints, as well as everyone who has found and reported bugs or suggested features.

Special thanks go to Google, who has sponsored 59 students (total over the last 8 years) to spend a summer working on Nmap as part of Google's Summer of Code program. This summer, we have an impressive team of five students who have already started work!

Download and Updates

Nmap is available for download from https://nmap.org/download.html in source and binary form. Nmap is free, open source software (license).

To learn about Nmap announcements as they happen, subscribe to nmap-hackers! It is a very low volume (7 messages in 2011), moderated list for announcements about Nmap, Insecure.org, and related projects. You can join the 98,875 current subscribers by submitting your e-mail address below. Maybe you'll be the one to take us to 100,000 members!


(or subscribe with custom options from the Nmap-hackers list info page.

Nmap-hackers is archived at SecLists.org and has an RSS feed. To participate in Nmap development, join the (high traffic) nmap-dev list as well.

You are also encouraged to join our Facebook page and follow our Twitter feed:

Direct questions or comments to Fyodor ([email protected]). Report any bugs as described here.