December 13, 2007 -- Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 4.50 from http://nmap.org/. Nmap was first released in 1997, so this release celebrates our 10th anniversary.

This is the first stable release since 4.20 (more than a year ago), and the first major release since 4.00 almost two years ago. Dozens of development releases led up to this. Major new features since 4.00 include the Zenmap cross-platform GUI, 2nd Generation OS Detection, the Nmap Scripting Engine, a rewritten host discovery system, performance optimization, advanced traceroute functionality, TCP and IP options support, and and nearly 1,500 new version detection signatures. More than 300 other improvements were made as well.

ABOUT NMAP:

Nmap (“Network Mapper”) is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and both console and graphical versions are available. Nmap downloads and documentation are available from Insecure.Org/nmap/.

Nmap has been named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It has also been praised in hundreds of magazine and newspaper articles, from Wired, the BBC, and Heise to Securityfocus and Linux Weekly News. At least five movies have featured Nmap, including The Bourne Ultimatum, The Matrix Reloaded, The Listening, Battle Royale, and, uhh, HaXXXor: No Longer Floppy (NSFW). Screens shots of Nmap in all of these movies are available on our news page. Nmap has become quite the movie star!

As free software, we don't have any sort of advertising budget. So please spread the word that Nmap 4.50 is now available!

CHANGES:

Nmap has undergone hundreds of important changes since our last major release (4.00 in January 2006) and we recommend that all current users upgrade. The Nmap Changelog describes 320 improvements since 4.00 in more than 1,500 lines. Here are the highlights:

Zenmap graphical front-end and results viewer

Zenmap is a cross-platform (tested on Linux, Windows, Mac OS X) GUI which supports all Nmap options. It allows easier browsing, searching, sorting, and saving of Nmap results. Zenmap replaces the venerable but dated NmapFE, which was the default Nmap GUI for more than 8 years. View screenshots and (limited) documentation at the new Zenmap page. Zenmap is included with most of the Nmap 4.50 packages on the Nmap download page.

2nd Generation OS Detection

Nmap revolutionized OS detection when the feature was first released in October 1998, and it served us well for more than 9 years as the database grew to 1,684 fingerprints. The new 2nd generation system incorporates everything we learned during those years and has proven itself more effective and accurate. The new database has 1,085 signatures, ranging from the 2Wire 11701HG wireless ADSL modem to the ZyXEL ZyWall 2 Plus firewall. In addition to more than 500 general purpose OS fingerprints, it contains 94 switches, 92 printers, 81 WAPs, 63 broadband routers, 31 firewalls, 19 VoIP phones, 16 webcams, 8 cell phones, and more. We currently only have fingerprints for 1 ATM machine and 2 game consoles. The new system is extensively documented.

Nmap Scripting Engine

Nmap has been praised for many things, but not extensibility. The Nmap Scripting Engine helps change that by allowing users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs. Nmap 4.50 includes 40 scripts ranging from simple (showHTMLTitle, ripeQuery) to more complex (netbios-smb-os-discovery, SQLInject, bruteTelnet). An NSE library system (NSELib) allows common functions and extensions to be written in Lua or C. NSE can efficiently handle normal TCP or UDP sockets, or read and write raw packets using Libpcap. The system and API are extensively documented. You can try NSE (along with other features) out by adding the -A option to your Nmap command-line.

Performance and accuracy improvements

We have made a number of improvements to enhance Nmap performance and accuracy. Not only were the host discovery and OS detection systems completely replaced, but we improved the port scanning algorithms in the process. We also optimized the configure scripts and removed a lot of dead code to improve compile times and reduce the distribution size. Despite all the changes in two years and 42 releases since version 4.00, the bzip2-compressed Nmap source tarball has only grown from 2 megabytes to 3 megabytes. Even in these days where gigabytes of ram and a terabyte of hard drive space are common on personal computers, we keep Nmap lean so it continues to function well on more limited devices such as One Laptop Per Child machines (Nmap developers purchased at least 3 already for testing) and PDAs. Another performance boost came from ignoring certain rate-limited ICMP error messages in cases such as SYN scan where the ICMP error means the same as the lack of any response does anyway.

Version detection enhancements

The Nmap version detection system has continued to flourish. It allows Nmap to determine the service listening on a port using protocol communication rather than making assumptions based on port number. In addition to the service name, the system can also often deduce other information such as application name, version number, device type, operating system, and more. The DB has grown more than 40% since 4.00 to 4,542 signatures representing 449 services. The service protocols with the most signatures are http (1,473), telnet (459), ftp (423), smtp (327), pop3 (188), http-proxy (111), ssh (104), imap (103), irc (46) and nntp (44). The version detection service is extensively documented.

Host discovery (ping scanning) system rewritten

The old host discovery system (massping()) was removed and the primary port scanning engine (ultra_scan()) augmented to support host discovery. The new system is more accurate, and in some cases faster. We removed the artificial limits on the number of ports and protocols (such as -PS arguments) which can be used for discovery. A new IP protocol ping type (-PO) was added which sends IP headers with your specified protocol numbers in the hope of eliciting a response.

Bug fixes

There were hundreds of bug and portability fixes to keep Nmap working on all the popular operating systems and prevent crashes or other misbehavior. These are all detailed in the Nmap Changelog.

We have also been proactive about discovering and fixing bugs before users encounter them. Static code analysis company Coverity generously offered to scan the Nmap code base for flaws and it identified about a dozen potential issues which we fixed. We have also been using the open source Valgrind utility to identify bugs.

Political correctness

To cultivate a professional image, we long ago capitalized all references to God in error message text and also reworded all instances of “fucked up” to “borked”. We have now also changed this warning message: “TCP/IP fingerprinting (for OS scan) requires root privileges. Sorry, dude.” A woman reported that it was “highly offensive and sexist”, that “times have changed and many women now use your software”, and “a sexist remark like the one above should have no place in software.”

--reason explains why a port is open/closed/filtered

The new --reason option adds a column to the Nmap port state table which explains why Nmap assigned a port status. For example, a port could be listed as “filtered” because no response was received, or because an ICMP network unreachable message was received. With --reason, you can find out which was the case without digging through --packet-trace logs.

Advanced traceroute support

Nmap now offers a --traceroute option which uses Nmap data to determine which sort of packets are most likely to slip through the target network and produce useful results. The system is well optimized for speed and bandwidth efficiency, and the clever output system avoids repeating the same initial hops for each target system. The -A option now includes traceroute.

Public Subversion (SVN) repository

While some formerly open source programs are becomming more proprietary, Nmap continues to open up with a public Subversion (SVN) source code repository. All users can now check out the latest Nmap in-development code, and several developers now have commit access so sending patches to Fyodor is no longer a bottleneck. We have posted Instructions for using the Nmap SVN repository.

TCP and IP Options

Nmap now supports IP options with the new --ip-options flag. You can specify any options in hex, or use “R” (record route), “T” (record timestamp), “U” (record route & timestamp), “S [route]” (strict source route), or “L [route]” (loose source route). Specify --packet-trace to display IP options of responses. For further information and examples, see this post. TCP options are now reported by --packet-trace too.
Other changes to enjoy in Nmap 4.50:

MOVING FORWARD:

With this stable version out of the way, we plan to dive headfirst into the next development cycle. Many exciting features are in the queue, including a fixed-rate packet sending engine (so you can tell Nmap to ignore its normal timing algorithms and simply specify the number of probes to send per second) and port frequency statistics (so you can tell Nmap to scan just the 100 most common TCP or UDP ports). We also plan to work on infrastructure, potentially adding an Nmap wiki and bug tracker, while continuing to enhance the mailing list archives at SecLists.Org. We also plan to stabilize, extend, and improve all of the new features. For example, we could use many more NSE scripts and 2nd generation OS detection fingerprints.

For the latest Insecure.Org and Nmap announcements, join the 51,000-member low-traffic moderated Nmap-hackers list. Traffic rarely exceeds one message per month. Subscribe at http://cgi.insecure.org/mailman/listinfo/nmap-hackers, or you can read the archives at SecLists.Org. To participate in Nmap development, join the (high traffic) nmap-dev list at http://cgi.insecure.org/mailman/listinfo/nmap-dev.

DOWNLOAD:

Nmap is available for download from http://nmap.org/ in source and binary form. Nmap is free, open source software (license).

Direct questions or comments to fyodor@insecure.org . Report any bugs as described at http://nmap.org/man/man-bugs.html

ACKNOWLEDGMENTS:

A free open source scanner as powerful as Nmap is only possible thanks to the help of hundreds of developers and other contributors. We would like to acknowledge and thank the many people who contributed ideas and/or code since Nmap 4.00. Special thanks go out to:

Adam Vartanian, Adriano Monteiro Marques, Alan Jones, Alex Prinsier, Allison Randal, Andrew Lutomirsky, Arturo Buanzo Busleiman, Benjamin Erb, Bill Pollock, Brandon Enright, Brian Hatch, Chad Loder, Chris Gibson, Christophe Thil, Christoph J. Thompson, Craig Humphrey, Dan Griffin, Daniel Roethlisberger, Dave Marcher, David Fifield, Diman Todorov, Dmitry V. Levin, Doug Hoyte, Eddie Bell, Fyodor, Ganga Bhavani, HD Moore, Hypatia, Jah, Jake Appelbaum, Jake Schneider, James “Professor” Messer, Jason DePriest, Jeff Nathan, Jesse Burns, João Medeiros, Jochen Voss, Joerg Sonnenberger, Jon Passki, Joshua Abraham, Judy Novak, Juergen Schmidt, J.W. Hoogervorst, Kris Katterjohn, Kurt Grutzmacher, KX, Lamont Jones, Lance Spitzner, Leigh Honeywell, Lei Zhao, Lionel Cons, Luis A. Bastiao, MadHat Unspecific, Makoto Shiotsuki, Marek Majkowski, Martin Roesch, Matthew Boyle, Matthew Watchinski, Matt Selsky, Michal Luczaj, Noise, Olivier Meyer, Peter O'Gorman, Peter VanEeckhoutte, Raven Alder, Richard van den Berg, Robert E. Lee, Robert Millan, Robyn Wagner, Rohan Sheth, Scott Worley, Sean Swift, Sebastian Garcia, Seth Miller, Shane & Jenny Walters, Simple Nomad, Sina Bahram, Solar Designer, Stephanie Wen, Stoiko Ivanov, Ted Kremenek, Thomas Buchanan, Tibor Csogor, Tom Sellers, Tony Doan, Tor Houghton, van Hauser, Window Snyder, Zakharov Mikhail, and Zapphire

And of course we would also like to thank the thousands of people who have submitted OS and service/version fingerprints, as well as everyone who has found and reported bugs or suggested features.

For further information, see http://insecure.org/.