December 13, 2007 -- Insecure.Org is pleased to announce the
immediate, free availability of the Nmap Security Scanner version 4.50
from http://nmap.org/. Nmap
was first released in 1997, so this release celebrates our 10th
This is the first stable release since 4.20 (more than a year ago),
and the first major release since 4.00 almost two years ago. Dozens
of development releases led up to this. Major new features since 4.00
include the Zenmap
cross-platform GUI, 2nd Generation OS
Detection, the Nmap
Scripting Engine, a rewritten host discovery system, performance
optimization, advanced traceroute functionality, TCP and IP options
support, and and nearly 1,500 new version detection signatures. More than 300 other
improvements were made as well.
Nmap (“Network Mapper”) is a free and open source (license) utility for
network exploration or security auditing. Many systems and network
administrators also find it useful for tasks such as network
inventory, managing service upgrade schedules, and monitoring host or
service uptime. Nmap uses raw IP packets in novel ways to determine
what hosts are available on the network, what services (application
name and version) those hosts are offering, what operating systems
(and OS versions) they are running, what type of packet
filters/firewalls are in use, and dozens of other characteristics. It
was designed to rapidly scan large networks, but works fine against
single hosts. Nmap runs on all major computer operating systems, and
both console and graphical versions are available. Nmap downloads and documentation are available from Insecure.Org/nmap/.
Nmap has been named “Security Product of the Year” by Linux
Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It
has also been praised in hundreds of magazine and newspaper articles, from Wired, the BBC, and Heise to Securityfocus and Linux Weekly News. At least five movies have featured Nmap, including
The Bourne Ultimatum,
The Matrix Reloaded,
Battle Royale, and, uhh,
HaXXXor: No Longer Floppy (NSFW). Screens shots of Nmap in all of these movies are available on our news page. Nmap has become quite the movie star!
As free software, we don't have any sort of advertising budget. So please spread the word that Nmap 4.50 is now available!
Nmap has undergone hundreds of important changes since our last major
release (4.00 in January
2006) and we recommend that all current users upgrade. The Nmap Changelog describes 320 improvements since 4.00 in more than 1,500 lines. Here are the highlights:
Other changes to enjoy in Nmap 4.50:
Zenmap graphical front-end and results viewer
- Zenmap is a cross-platform (tested on Linux, Windows, Mac OS X)
GUI which supports all Nmap options. It allows easier
browsing, searching, sorting, and saving of Nmap results. Zenmap replaces
the venerable but dated NmapFE, which was the default Nmap GUI for
more than 8 years. View screenshots and (limited) documentation at
the new Zenmap page. Zenmap is included with most of the Nmap 4.50 packages on the Nmap download page.
2nd Generation OS Detection
- Nmap revolutionized OS
detection when the feature was first released in October 1998, and it
served us well for more than 9 years as the database grew to 1,684
fingerprints. The new 2nd
generation system incorporates everything we learned during those
years and has proven itself more effective and accurate. The new
database has 1,085 signatures, ranging from the 2Wire 11701HG wireless ADSL
modem to the ZyXEL ZyWall 2 Plus firewall. In addition to more than
500 general purpose OS fingerprints, it contains 94 switches, 92
printers, 81 WAPs, 63 broadband routers, 31 firewalls, 19 VoIP phones,
16 webcams, 8 cell phones, and more. We currently only have
fingerprints for 1 ATM machine and 2 game consoles. The new system is
Nmap Scripting Engine
- Nmap has been praised for many things, but not extensibility. The
Nmap Scripting Engine
helps change that by allowing users to write (and share) simple
scripts to automate a wide variety of networking tasks. Those scripts
are then executed in parallel with the speed and efficiency you expect
from Nmap. Users can rely on the growing and diverse set of scripts
distributed with Nmap, or write their own to meet custom needs. Nmap
4.50 includes 40 scripts ranging from simple (showHTMLTitle,
ripeQuery) to more complex (netbios-smb-os-discovery, SQLInject,
bruteTelnet). An NSE library system (NSELib) allows common functions and extensions to be written in Lua or C. NSE can efficiently handle normal TCP or UDP sockets, or read and write raw packets using Libpcap. The system and API are extensively documented. You can try NSE (along with other features) out by adding the -A option to your Nmap command-line.
Performance and accuracy improvements
- We have made a number of improvements to enhance Nmap performance
and accuracy. Not only were the host discovery and OS detection
systems completely replaced, but we improved the port scanning
algorithms in the process. We also optimized the configure scripts
and removed a lot of dead code to improve compile times and reduce the
distribution size. Despite all the changes in two years and 42
releases since version 4.00, the bzip2-compressed Nmap source tarball
has only grown from 2 megabytes to 3 megabytes. Even in these days
where gigabytes of ram and a terabyte of hard drive space are common
on personal computers, we keep Nmap lean so it continues to function
well on more limited devices such as One
Laptop Per Child machines (Nmap developers purchased at least 3
already for testing) and PDAs. Another performance boost came from
ignoring certain rate-limited ICMP error messages in cases such as SYN
scan where the ICMP error means the same as the lack of any response does
Version detection enhancements
- The Nmap version
detection system has continued to flourish. It allows Nmap to
determine the service listening on a port using protocol communication
rather than making assumptions based on port number. In
addition to the service name, the system can also often deduce other
information such as application name, version number, device type,
operating system, and more. The DB has grown more than 40% since 4.00
to 4,542 signatures representing 449 services. The service protocols
with the most signatures are http (1,473), telnet (459), ftp (423),
smtp (327), pop3 (188), http-proxy (111), ssh (104), imap (103), irc
(46) and nntp (44). The version detection service is extensively
Host discovery (ping scanning) system rewritten
- The old host discovery system (massping()) was removed and the
primary port scanning engine (ultra_scan()) augmented to support host
discovery. The new system is more accurate, and in some cases faster.
We removed the artificial limits on the number of ports and protocols
(such as -PS arguments) which can be used for discovery. A new IP
protocol ping type (-PO) was added which sends IP headers with your
specified protocol numbers in the hope of eliciting a response.
- There were hundreds of bug and portability fixes to keep Nmap working on all the popular operating systems and prevent crashes or other misbehavior. These are all detailed in the Nmap Changelog.
We have also been proactive about discovering and fixing bugs before users encounter them. Static code analysis company Coverity generously offered to scan the Nmap code base for flaws and it identified about a dozen potential issues which we fixed. We have also been using the open source Valgrind utility to identify bugs.
- To cultivate a professional image, we long ago capitalized all
references to God in error message text and also reworded all
instances of “fucked up” to “borked”. We
have now also changed this warning message: “TCP/IP
fingerprinting (for OS scan) requires root privileges. Sorry,
dude.” A woman reported that it was “highly offensive
and sexist”, that “times have changed and many women now use
your software”, and “a sexist remark like the one above
should have no place in software.”
--reason explains why a port is open/closed/filtered
- The new --reason option adds a column to the Nmap port state table which explains why Nmap assigned a port status. For example, a port could be listed as “filtered” because no response was received, or because an ICMP network unreachable message was received. With --reason, you can find out which was the case without digging through --packet-trace logs.
Advanced traceroute support
- Nmap now offers a --traceroute option which uses Nmap data to determine which sort of packets are most likely to slip through the target network and produce useful results. The system is well optimized for speed and bandwidth efficiency, and the clever output system avoids repeating the same initial hops for each target system. The -A option now includes traceroute.
Public Subversion (SVN) repository
- While some formerly open source programs are becomming more proprietary, Nmap continues to open up with a public Subversion (SVN) source code repository. All users can now check out the latest Nmap in-development code, and several developers now have commit access so sending patches to Fyodor is no longer a bottleneck. We have posted Instructions for using the Nmap SVN repository.
TCP and IP Options
- Nmap now supports IP options with the new --ip-options flag. You
can specify any options in hex, or use “R” (record route), “T”
(record timestamp), “U” (record route & timestamp), “S [route]”
(strict source route), or “L [route]” (loose source route). Specify
--packet-trace to display IP options of responses. For
further information and examples, see this post.
TCP options are now reported by --packet-trace too.
Added the --open option, which causes Nmap to show only open ports.
Ports in the states “open|closed” and “unfiltered” might be open, so
those are shown unless the host has an overwhelming number of them.
The --scanflags option now also accepts “ECE”, “CWR”, “ALL” and “NONE” as arguments.
The new --servicedb and --versiondb options let you
specify a custom Nmap services (port to port number translation and
port frequency) file or version detection database.
In verbose mode, Nmap now reports where it obtains data files (such as
IP Protocol scan (-sO) now sends proper protocol headers for TCP, UDP, ICMP, and IGMP.
Updated Nmap's data files to contain the latest service port numbers, Ethernet mac address prefix (OUI) assignments, IP address allocation data, IP protocol numbers, and more.
Updated to recent releases of Nmap dependency libraries Winpcap, Libpcap, Libdnet, and LibPCRE as well as the latest Autoconf support scripts.
Improved nmap.xsl, which is used to transform Nmap XML output into pretty HTML reports.
Added the --unprivileged option, which is the opposite of --privileged.
It tells Nmap to treat the user as lacking network raw socket and
sniffing privileges. This is useful for testing, debugging, or when
the raw network functionality of your operating system is somehow
The Windows executable installer now gives users the option of applying TCP performance tweaks to the Registry.
Nmap now allows multiple ignored port states. If a 65K-port scan
had, 64K filtered ports, 1K closed ports, and a few dozen open ports,
Nmap used to list the dozen open ones among a thousand lines of closed
ports. Now Nmap will give reports like “Not shown: 64330 filtered
ports, 1000 closed ports” or “All 2051 scanned ports on 192.168.0.69
are closed (1051) or filtered (1000)”, and omit all of those ports
from the table. Open ports are never ignored.
Windows compilation now supports the free Microsoft Visual C++ 2005 Express edition, so you don't have to pay for Visual Studio Pro. We also automated the build system with a Makefile in the mswin32 directory so releases can be built without even having to open Visual C++.
Google sponsored 16 student developers since the Nmap 4.00 release to spend a summer working on Nmap. Those students implemented many of the improvements described in this release. You can read about our Summer of Code successes in our 2006 results and 2007 results pages.
Hundreds of other features, bug fixes, and portability
enhancements described at http://nmap.org/changelog.html. The changelog describes 320 improvements im more than 1,500 lines since version 4.00.
With this stable version out of the way, we plan to dive headfirst
into the next development cycle. Many exciting features are in the
queue, including a fixed-rate packet sending engine (so you can tell
Nmap to ignore its normal timing algorithms and simply specify the
number of probes to send per second) and port frequency statistics (so
you can tell Nmap to scan just the 100 most common TCP or UDP ports).
We also plan to work on infrastructure, potentially adding an Nmap
wiki and bug tracker, while continuing to enhance the mailing list
archives at SecLists.Org. We also plan to stabilize, extend, and improve all of the new features. For example, we could use many more NSE scripts and 2nd generation OS detection fingerprints.
For the latest Insecure.Org and Nmap announcements, join the
51,000-member low-traffic moderated Nmap-hackers list. Traffic rarely
exceeds one message per month. Subscribe at http://cgi.insecure.org/mailman/listinfo/nmap-hackers,
or you can read the archives at SecLists.Org. To participate in Nmap
development, join the (high traffic) nmap-dev list at http://cgi.insecure.org/mailman/listinfo/nmap-dev.
Nmap is available for download from http://nmap.org/
in source and binary form. Nmap is free, open source software (license).
Direct questions or comments to firstname.lastname@example.org . Report any bugs as described at http://nmap.org/man/man-bugs.html
A free open source scanner as powerful as Nmap is only possible thanks to the help of hundreds of developers and other contributors. We would like to acknowledge and
thank the many people who contributed ideas and/or code since Nmap 4.00. Special thanks go out to:
Adam Vartanian, Adriano Monteiro Marques, Alan Jones, Alex
Prinsier, Allison Randal, Andrew Lutomirsky, Arturo Buanzo Busleiman,
Benjamin Erb, Bill Pollock, Brandon Enright, Brian Hatch, Chad Loder,
Chris Gibson, Christophe Thil, Christoph J. Thompson, Craig Humphrey,
Dan Griffin, Daniel Roethlisberger, Dave Marcher, David Fifield, Diman Todorov, Dmitry V. Levin, Doug Hoyte, Eddie Bell, Fyodor, Ganga Bhavani, HD Moore, Hypatia, Jah, Jake Appelbaum, Jake Schneider, James “Professor” Messer, Jason DePriest, Jeff Nathan, Jesse Burns, João Medeiros, Jochen Voss, Joerg Sonnenberger, Jon Passki, Joshua Abraham, Judy Novak, Juergen Schmidt, J.W. Hoogervorst,
Kris Katterjohn, Kurt Grutzmacher, KX, Lamont Jones, Lance Spitzner,
Leigh Honeywell, Lei Zhao, Lionel Cons, Luis A. Bastiao, MadHat Unspecific, Makoto Shiotsuki, Marek Majkowski, Martin Roesch, Matthew Boyle, Matthew Watchinski, Matt Selsky, Michal Luczaj, Noise, Olivier Meyer, Peter O'Gorman, Peter VanEeckhoutte, Raven Alder, Richard van den Berg, Robert E. Lee, Robert Millan, Robyn Wagner, Rohan Sheth,
Scott Worley, Sean Swift, Sebastian Garcia, Seth Miller, Shane & Jenny Walters, Simple Nomad, Sina Bahram, Solar Designer, Stephanie Wen, Stoiko Ivanov, Ted Kremenek, Thomas Buchanan, Tibor Csogor, Tom Sellers, Tony Doan, Tor Houghton, van Hauser, Window Snyder, Zakharov Mikhail, and Zapphire
And of course we would also like to thank the thousands of people
who have submitted OS and service/version fingerprints, as well as
everyone who has found and reported bugs or suggested features.
For further information, see http://insecure.org/.