This is the first stable release since 4.20 (more than a year ago),
and the first major release since 4.00 almost two years ago. Dozens
of development releases led up to this. Major new features since 4.00
include the Zenmap
cross-platform GUI, 2nd Generation OS
Detection, the Nmap
Scripting Engine, a rewritten host discovery system, performance
optimization, advanced traceroute functionality, TCP and IP options
support, and and nearly 1,500 new version detection signatures. More than 300 other
improvements were made as well.
Nmap (“Network Mapper”) is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and both console and graphical versions are available. Nmap downloads and documentation are available from Insecure.Org/nmap/.
Nmap has been named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It has also been praised in hundreds of magazine and newspaper articles, from Wired, the BBC, and Heise to Securityfocus and Linux Weekly News. At least five movies have featured Nmap, including The Bourne Ultimatum, The Matrix Reloaded, The Listening, Battle Royale, and, uhh, HaXXXor: No Longer Floppy (NSFW). Screens shots of Nmap in all of these movies are available on our news page. Nmap has become quite the movie star!
As free software, we don't have any sort of advertising budget. So please spread the word that Nmap 4.50 is now available!
Nmap has undergone hundreds of important changes since our last major release (4.00 in January 2006) and we recommend that all current users upgrade. The Nmap Changelog describes 320 improvements since 4.00 in more than 1,500 lines. Here are the highlights:
Zenmap graphical front-end and results viewer
- Zenmap is a cross-platform (tested on Linux, Windows, Mac OS X) GUI which supports all Nmap options. It allows easier browsing, searching, sorting, and saving of Nmap results. Zenmap replaces the venerable but dated NmapFE, which was the default Nmap GUI for more than 8 years. View screenshots and (limited) documentation at the new Zenmap page. Zenmap is included with most of the Nmap 4.50 packages on the Nmap download page.
2nd Generation OS Detection
- Nmap revolutionized OS detection when the feature was first released in October 1998, and it served us well for more than 9 years as the database grew to 1,684 fingerprints. The new 2nd generation system incorporates everything we learned during those years and has proven itself more effective and accurate. The new database has 1,085 signatures, ranging from the 2Wire 11701HG wireless ADSL modem to the ZyXEL ZyWall 2 Plus firewall. In addition to more than 500 general purpose OS fingerprints, it contains 94 switches, 92 printers, 81 WAPs, 63 broadband routers, 31 firewalls, 19 VoIP phones, 16 webcams, 8 cell phones, and more. We currently only have fingerprints for 1 ATM machine and 2 game consoles. The new system is extensively documented.
Nmap Scripting Engine
- Nmap has been praised for many things, but not extensibility. The Nmap Scripting Engine helps change that by allowing users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs. Nmap 4.50 includes 40 scripts ranging from simple (showHTMLTitle, ripeQuery) to more complex (netbios-smb-os-discovery, SQLInject, bruteTelnet). An NSE library system (NSELib) allows common functions and extensions to be written in Lua or C. NSE can efficiently handle normal TCP or UDP sockets, or read and write raw packets using Libpcap. The system and API are extensively documented. You can try NSE (along with other features) out by adding the -A option to your Nmap command-line.
Performance and accuracy improvements
- We have made a number of improvements to enhance Nmap performance and accuracy. Not only were the host discovery and OS detection systems completely replaced, but we improved the port scanning algorithms in the process. We also optimized the configure scripts and removed a lot of dead code to improve compile times and reduce the distribution size. Despite all the changes in two years and 42 releases since version 4.00, the bzip2-compressed Nmap source tarball has only grown from 2 megabytes to 3 megabytes. Even in these days where gigabytes of ram and a terabyte of hard drive space are common on personal computers, we keep Nmap lean so it continues to function well on more limited devices such as One Laptop Per Child machines (Nmap developers purchased at least 3 already for testing) and PDAs. Another performance boost came from ignoring certain rate-limited ICMP error messages in cases such as SYN scan where the ICMP error means the same as the lack of any response does anyway.
Version detection enhancements
- The Nmap version detection system has continued to flourish. It allows Nmap to determine the service listening on a port using protocol communication rather than making assumptions based on port number. In addition to the service name, the system can also often deduce other information such as application name, version number, device type, operating system, and more. The DB has grown more than 40% since 4.00 to 4,542 signatures representing 449 services. The service protocols with the most signatures are http (1,473), telnet (459), ftp (423), smtp (327), pop3 (188), http-proxy (111), ssh (104), imap (103), irc (46) and nntp (44). The version detection service is extensively documented.
Host discovery (ping scanning) system rewritten
- The old host discovery system (massping()) was removed and the primary port scanning engine (ultra_scan()) augmented to support host discovery. The new system is more accurate, and in some cases faster. We removed the artificial limits on the number of ports and protocols (such as -PS arguments) which can be used for discovery. A new IP protocol ping type (-PO) was added which sends IP headers with your specified protocol numbers in the hope of eliciting a response.
- There were hundreds of bug and portability fixes to keep Nmap working on all the popular operating systems and prevent crashes or other misbehavior. These are all detailed in the Nmap Changelog.
We have also been proactive about discovering and fixing bugs before users encounter them. Static code analysis company Coverity generously offered to scan the Nmap code base for flaws and it identified about a dozen potential issues which we fixed. We have also been using the open source Valgrind utility to identify bugs.
- To cultivate a professional image, we long ago capitalized all references to God in error message text and also reworded all instances of “fucked up” to “borked”. We have now also changed this warning message: “TCP/IP fingerprinting (for OS scan) requires root privileges. Sorry, dude.” A woman reported that it was “highly offensive and sexist”, that “times have changed and many women now use your software”, and “a sexist remark like the one above should have no place in software.”
--reason explains why a port is open/closed/filtered
- The new --reason option adds a column to the Nmap port state table which explains why Nmap assigned a port status. For example, a port could be listed as “filtered” because no response was received, or because an ICMP network unreachable message was received. With --reason, you can find out which was the case without digging through --packet-trace logs.
Advanced traceroute support
- Nmap now offers a --traceroute option which uses Nmap data to determine which sort of packets are most likely to slip through the target network and produce useful results. The system is well optimized for speed and bandwidth efficiency, and the clever output system avoids repeating the same initial hops for each target system. The -A option now includes traceroute.
Public Subversion (SVN) repository
- While some formerly open source programs are becomming more proprietary, Nmap continues to open up with a public Subversion (SVN) source code repository. All users can now check out the latest Nmap in-development code, and several developers now have commit access so sending patches to Fyodor is no longer a bottleneck. We have posted Instructions for using the Nmap SVN repository.
TCP and IP Options
- Nmap now supports IP options with the new --ip-options flag. You can specify any options in hex, or use “R” (record route), “T” (record timestamp), “U” (record route & timestamp), “S [route]” (strict source route), or “L [route]” (loose source route). Specify --packet-trace to display IP options of responses. For further information and examples, see this post. TCP options are now reported by --packet-trace too.
Added the --open option, which causes Nmap to show only open ports. Ports in the states “open|closed” and “unfiltered” might be open, so those are shown unless the host has an overwhelming number of them.
The --scanflags option now also accepts “ECE”, “CWR”, “ALL” and “NONE” as arguments.
The new --servicedb and --versiondb options let you specify a custom Nmap services (port to port number translation and port frequency) file or version detection database.
In verbose mode, Nmap now reports where it obtains data files (such as nmap-services) from.
IP Protocol scan (-sO) now sends proper protocol headers for TCP, UDP, ICMP, and IGMP.
Updated Nmap's data files to contain the latest service port numbers, Ethernet mac address prefix (OUI) assignments, IP address allocation data, IP protocol numbers, and more.
Updated to recent releases of Nmap dependency libraries Winpcap, Libpcap, Libdnet, and LibPCRE as well as the latest Autoconf support scripts.
Improved nmap.xsl, which is used to transform Nmap XML output into pretty HTML reports.
Added the --unprivileged option, which is the opposite of --privileged. It tells Nmap to treat the user as lacking network raw socket and sniffing privileges. This is useful for testing, debugging, or when the raw network functionality of your operating system is somehow broken.
The Windows executable installer now gives users the option of applying TCP performance tweaks to the Registry.
Nmap now allows multiple ignored port states. If a 65K-port scan had, 64K filtered ports, 1K closed ports, and a few dozen open ports, Nmap used to list the dozen open ones among a thousand lines of closed ports. Now Nmap will give reports like “Not shown: 64330 filtered ports, 1000 closed ports” or “All 2051 scanned ports on 192.168.0.69 are closed (1051) or filtered (1000)”, and omit all of those ports from the table. Open ports are never ignored.
Windows compilation now supports the free Microsoft Visual C++ 2005 Express edition, so you don't have to pay for Visual Studio Pro. We also automated the build system with a Makefile in the mswin32 directory so releases can be built without even having to open Visual C++.
Google sponsored 16 student developers since the Nmap 4.00 release to spend a summer working on Nmap. Those students implemented many of the improvements described in this release. You can read about our Summer of Code successes in our 2006 results and 2007 results pages.
Hundreds of other features, bug fixes, and portability enhancements described at http://nmap.org/changelog.html. The changelog describes 320 improvements im more than 1,500 lines since version 4.00.
With this stable version out of the way, we plan to dive headfirst into the next development cycle. Many exciting features are in the queue, including a fixed-rate packet sending engine (so you can tell Nmap to ignore its normal timing algorithms and simply specify the number of probes to send per second) and port frequency statistics (so you can tell Nmap to scan just the 100 most common TCP or UDP ports). We also plan to work on infrastructure, potentially adding an Nmap wiki and bug tracker, while continuing to enhance the mailing list archives at SecLists.Org. We also plan to stabilize, extend, and improve all of the new features. For example, we could use many more NSE scripts and 2nd generation OS detection fingerprints.
For the latest Insecure.Org and Nmap announcements, join the 51,000-member low-traffic moderated Nmap-hackers list. Traffic rarely exceeds one message per month. Subscribe at http://cgi.insecure.org/mailman/listinfo/nmap-hackers, or you can read the archives at SecLists.Org. To participate in Nmap development, join the (high traffic) nmap-dev list at http://cgi.insecure.org/mailman/listinfo/nmap-dev.
A free open source scanner as powerful as Nmap is only possible thanks to the help of hundreds of developers and other contributors. We would like to acknowledge and thank the many people who contributed ideas and/or code since Nmap 4.00. Special thanks go out to:
Adam Vartanian, Adriano Monteiro Marques, Alan Jones, Alex Prinsier, Allison Randal, Andrew Lutomirsky, Arturo Buanzo Busleiman, Benjamin Erb, Bill Pollock, Brandon Enright, Brian Hatch, Chad Loder, Chris Gibson, Christophe Thil, Christoph J. Thompson, Craig Humphrey, Dan Griffin, Daniel Roethlisberger, Dave Marcher, David Fifield, Diman Todorov, Dmitry V. Levin, Doug Hoyte, Eddie Bell, Fyodor, Ganga Bhavani, HD Moore, Hypatia, Jah, Jake Appelbaum, Jake Schneider, James “Professor” Messer, Jason DePriest, Jeff Nathan, Jesse Burns, João Medeiros, Jochen Voss, Joerg Sonnenberger, Jon Passki, Joshua Abraham, Judy Novak, Juergen Schmidt, J.W. Hoogervorst, Kris Katterjohn, Kurt Grutzmacher, KX, Lamont Jones, Lance Spitzner, Leigh Honeywell, Lei Zhao, Lionel Cons, Luis A. Bastiao, MadHat Unspecific, Makoto Shiotsuki, Marek Majkowski, Martin Roesch, Matthew Boyle, Matthew Watchinski, Matt Selsky, Michal Luczaj, Noise, Olivier Meyer, Peter O'Gorman, Peter VanEeckhoutte, Raven Alder, Richard van den Berg, Robert E. Lee, Robert Millan, Robyn Wagner, Rohan Sheth, Scott Worley, Sean Swift, Sebastian Garcia, Seth Miller, Shane & Jenny Walters, Simple Nomad, Sina Bahram, Solar Designer, Stephanie Wen, Stoiko Ivanov, Ted Kremenek, Thomas Buchanan, Tibor Csogor, Tom Sellers, Tony Doan, Tor Houghton, van Hauser, Window Snyder, Zakharov Mikhail, and Zapphire
And of course we would also like to thank the thousands of people who have submitted OS and service/version fingerprints, as well as everyone who has found and reported bugs or suggested features.
For further information, see http://insecure.org/.