nmap 5 released

So here’s the news everyone, nmap v5 has been released, and it’s well worth upgrading.

Thanks to this one goes to Fyodor, HDM, and everyone else involved in getting to this point.

Here’s the release notes from insecure.org
The Nmap Changelog describes nearly 600 significant improvements since our last major release (4.50). Here are the highlights:

Nmap Scripting Engine (NSE)

The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. It existed in Nmap 4.50, but has been dramatically improved:

  • Every script has been improved, and the number of scripts has grown nearly 50% to 59.
  • Ron Bowes embarked on a massive MSRPC/NETBIOS project to allow Nmap to interrogate Windows machines much more completely. He added six NSE libraries (msrpc, msrpcperformance, msrpctypes, netbios, smb, and smbauth) and 14 scripts (p2p-conficker, smb-brute, smb-check-vulns, smb-enum-domains, smb-enum-processes, smb-enum-sessions, smb-enum-shares, smb-enum-users, smb-os-discovery, smb-pwdump, smb-security-mode, smb-server-stats, and smb-system-info). He also wrote a detailed paper on the new scripts.
  • Nmap was one of the first scanners to remotely detect the Conficker worm thanks to smb-check-vulns, and p2p-conficker.
  • Other new scripts include:
    asn-query—Maps IP addresses to autonomous system (AS) numbers.
    auth-spoof—Checks for an identd (auth) server which is spoofing its replies.
    banner—A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.
    dns-random-srcport—Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
    dns-random-txid—Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
    ftp-bounce—Checks to see if an FTP server allows port scanning using the FTP bounce method.
    http-iis-webdav-vuln—Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020.
    http-passwd—Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd using various traversal methods such as requesting ../../../../etc/passwd.
    imap-capabilities—Retrieves IMAP email server capabilities.
    mysql-info—Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.
    pop3-brute—Tries to log into a POP3 account by guessing usernames and passwords.
    pop3-capabilities—Retrieves POP3 email server capabilities.
    rpcinfo—Connects to portmapper and fetches a list of all registered programs.
    snmp-brute—Attempts to find an SNMP community string by brute force guessing.
    socks-open-proxy—Checks if an open socks proxy is running on the target.
    upnp-info—Attempts to extract system information from the UPnP service.
    whois—Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address Assignment which contains the Target IP Address.
  • The set of new libraries is equally impressive. Modules are all listed here (scroll down to “Modules”).
  • Introduced the NSE Documentation Portal which documents every NSE script and library included with Nmap. It is generated from NSEDoc comments embedded in scripts. Scripts are available for download on this site as well. We also dramatically improved the NSE Guide.
  • NSE now supports run-time interaction so you know when it will complete, and the –host-timeout option so you can define when it completes. Support for -S (source IP address) and –ip-options has been added to the NSE and version detection subsystems.
  • Added Boolean Operators for –script. You may now use (“and”, “or”, or “not”) combined with categories, filenames, and wildcarded filenames to match a set of files. A new default category includes the scripts which run by default when NSE is requested.
  • NSE can now be used in combination with ping scan (e.g. “-sP –script”) so that you can execute host scripts without needing to perform a port scan.

Zenmap graphical front-end and results viewer

Zenmap is a cross-platform (Linux, Windows, Mac OS X, etc.) Nmap GUI and results viewer which supports all Nmap options. It aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database. While Zenmap already existed in Nmap 4.50, it has improved dramatically since then:

  • While Nmap stands for “Network Mapper”, it hasn’t been able to actually draw you a map of the network—until now! The new Zenmap Network Topology feature provides an interactive, animated visualization of the hosts on a network and connections between them. The scan source is (initially) in the center, with other hosts on a series of concentric circles which represent the number of hops away they are from the source. Nodes are connected by lines representing discovered paths between them. Read the full details (and oogle the pretty pictures) in our article on Surfing the Network Topology. Topology views can be saved as a PNG, postscript, PDF, or SVG image.
  • The scan aggregation feature allows you to combine the results of many Nmap scans into one view. When one scan is finished, you may start another in the same window. Results of the new scan are seamlessly merged into one view.
  • Zenmap has been internationalized and translated by volunteers into four languages (French, German, Brazilian Portuguese, and Croatian). We have instructions on using an existing translation and we’re always looking for volunteers to translate Zenmap into your native language.
  • Overhauled the default list of scan profiles to provide a much more diverse and useful set of default profile options. If users don’t like any of these canned scan commands, they can easily create their own in the Profile Editor.
  • Added a context-sensitive help system to the Profile Editor. Mouse-over options to learn more about what they do and their argument syntax.
  • Added advanced search functionality to Zenmap so that you can locate previous scans using criteria such as which ports were open, keywords in the target names, OS detection results, etc. Try it out with Ctrl-F or “Tools->Search Scan Results”.
  • The “Compare Results” feature now uses our new Ndiff scan comparison tool.
  • And more: An animated throbber has been added to indicate that a scan is running, and a new cancel button lets you stop a scan in its track. The Nmap output window now scrolls automatically, and ports are colored based on open/closed state.
  • David wrote an exceptional users’ guide, which also became a chapter of Nmap Network Scanning.

Ncat data transfer, redirection, and debugging tool

.       .
} 6 6 {
==. Y ,==
/^^^  .
/       )
(  )-(  )/     _
-""---""---   /
/   Ncat    _/
(     ____

Nmap 5 introduces Ncat, a general-purpose command-line tool for reading, writing, redirecting, and encrypting data across a network. It aims to be your network Swiss Army knife, handling a wide variety of security testing and administration tasks. Ncat is suitable for interactive use or as a network-connected back end for other tools. Ncat can:

  • Act as a simple TCP/UDP/SSL client for interacting with web servers, telnet servers, mail servers, and other TCP/IP network services. Often the best way to understand a service (for fixing problems, finding security flaws, or testing custom commands) is to interact with it using Ncat. This lets you you control every character sent and view the raw, unfiltered responses.
  • Act as a simple TCP/UDP/SSL server for offering services to clients, or simply to understand what existing clients are up to by capturing every byte they send.
  • Redirect or proxy TCP/UDP traffic to other ports or hosts. This can be done using simple redirection (everything sent to a port is automatically relayed somewhere else you specify in advance) or by acting as a SOCKS or HTTP proxy so clients specify their own destinations. In client mode, Ncat can connect to destinations through a chain of anonymous or authenticated proxies.
  • Run on all major operating systems. We distribute Linux, Windows, and Mac OS X binaries, and Ncat compiles on most other systems. A trusted tool must be available whenever you need it, no matter what computer you’re using.
  • Encrypt communication with SSL, and transport it over IPv4 or IPv6.
  • Act as a network gateway for execution of system commands, with I/O redirected to the network. It was designed to work like the Unix utility cat, but for the network.
  • Act as a connection broker, allowing two (or far more) clients to connect to each other through a third (brokering) server. This enables multiple machines hidden behind NAT gateways to communicate with each other, and also enables the simple Ncat chat mode.

These capabilities become even more powerful and versatile when combined.

Ncat is our modern reinvention of the venerable Netcat (nc) tool released by Hobbit in 1996. While Ncat is similar to Netcat in spirit, they don’t share any source code. Instead, Ncat makes use of Nmap’s well optimized and tested networking libraries. Compatibility with the original Netcat and some well known variants is maintained where it doesn’t conflict with Ncat’s enhancements or cause usability problems. Ncat adds many capabilities not found in Hobbit’s original nc, including SSL support, proxy connections, IPv6, and connection brokering. The original nc contained a simple port scanner, but we omitted that from Ncat because we have a preferred tool for that function.

Ncat is extensively documented in its Users’ Guide, man page, and home page.

Host discovery and port scanning performance and features

Nmap has been doing host discovery and port scanning since its release in ’97, but we continue to improve this core functionality. We’ve added many new features and dramatically improved performance! Here are the biggest enhancements since 4.50:

  • Nmap now scans the most common 1,000 ports by default in either protocol (UDP scan is still optional). These were determined by spending months scanning tens of millions of IPs on the Internet. This makes Nmap faster (used to scan 1,715 TCP ports by default) and yet more comprehensive since the smaller number of ports are better chosen.
  • Nmap fast scan (-F) now scans the top 100 ports by default in either protocol. This is a decrease from 1,276 (TCP) and 1,017 (UDP) in Nmap 4.68. Port scanning time with -F is generally an order of magnitude faster than before, making -F worthy of its “fast scan” moniker.
  • The –top-ports option lets you specify the number of ports you wish to scan in each protocol, and will pick the most popular ports for you based on the new frequency data. For both TCP and UDP, the top 10 ports gets you roughly half of the open ports. The top 1,000 (out of 65,536 possible) finds roughly 93% of the open TCP ports and more than 95% of the open UDP ports.
  • Added a new –min-rate option that allows specifying a minimum rate at which to send packets. This allows you to override Nmap’s congestion control algorithms and request that Nmap try to keep at least the rate you specify. A complementary –max-rate option was added as well. They are documented here.
  • Added SCTP port scanning support to Nmap. Stream control transmission protocol is a layer 4 protocol used mostly for telephony related applications. This brings the following new features:
    • SCTP INIT chunk port scan (-sY): open ports return an INIT-ACK chunk, closed ones an ABORT chunk. This is the SCTP equivalent of a TCP SYN stealth scan.
    • SCTP COOKIE-ECHO chunk port scan (-sZ): open ports are silent, closed ports return an ABORT chunk.
    • SCTP-specific IP protocol scan (-sO -p sctp).
    • SCTP-specific traceroute support (–traceroute).
    • The server scanme.csnc.ch has been set up for your SCTP scan testing pleasure. But note that SCTP doesn’t pass through most NAT devices.
  • David spent more than a month on algorithms to improve port scan performance while retaining or improving accuracy. The changes, described here, reduce our “benchmark scan time” (which involves many different scan types from many source networks to many targets) from 1879 seconds to 1321 without harming accuracy. That is a 30% time reduction! Fyodor made a number of performance improvements as well.
  • The host discovery (ping probe) defaults have been enhanced to include twice as many probes. The default is now “-PE -PS443 -PA80 -PP”. In exhaustive testing of 90 different probes, this emerged as the best four-probe combination, finding 14% more Internet hosts than the previous default, “-PE -PA80″. The default for non-root users is -PS80,443, replacing the previous default of -PS80. In addition, ping probes are now sent in order of effectiveness (-PE first) so that less effective probes may not have to be sent. ARP ping is still the default on local ethernet networks.
  • Fixed an integer overflow which prevented a target specification of “*.*.*.*” from working. Support for the CIDR /0 is now also available for those times you wish to scan the entire Internet.
  • When Nmap finds a probe during ping scan which elicits a response, it now saves that information for the port scan and later phases. It can then “ping” the host with that probe as necessary to collect timing information even if the host is not responding to the normal port scan packets. Previously, Nmap’s port scan timing pings could only use information gathered during that port scan itself. A number of other “port scan ping” system improvements were made at the same time to improve performance against firewalled hosts (full details).

Fyodor’s Nmap book

Fyodor released Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book suits all levels of security and networking professionals. A 42-page reference guide documents every Nmap feature and option, while the rest of the book demonstrates how to apply those features to quickly solve real-world tasks. It was briefly the #1 selling computer book on Amazon. More than half of the book is already free online.

A German translation is available from Open Source Press; Korean and Brazilian Portuguese translations are forthcoming.

Operating system detection

Thanks to fingerprint submissions from thousands of Nmap users around the world, the 2nd generation OS detection database has nearly doubled in size since 4.50 to 2,003 entries. These include the latest versions of Windows, Linux, and Mac OS X as well as more specialized entries such as oscilloscopes, ATM machines, employee timeclocks, DVRs, game consoles, and much more. Keep those submissions coming!

In addition to doubling the database size, we enhanced the OS detection engine and its tests to improve accuracy. For example, we added a new SEQ.CI test (IP ID sequence generation from closed TCP port) and removed the U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI tests.

Version detection

Nmap’s version detection system interrogates open ports to determine what service (e.g. http, smtp) is running and often the exact application name and version number. The version detection database grew by nearly a thousand signatures. It grew from 4,558 signatures representing 449 protocols in Nmap 4.50 to 5,512 signatures for 511 protocols in 5.00. You can read about Doug’s signature creation adventures here, here, and here. The service protocols with the most signatures are http (1,868), telnet (584), ftp (506), smtp (363), pop3 (209), http-proxy (136), ssh (123), imap (122), and irc (48). Among the protocols with just one signature are netrek, gopher-proxy, ncat-chat, and metasploit.

Ndiff scan comparison tool

The new Ndiff utility compares the results of two Nmap scans and describes the new/removed hosts, newly open/closed ports, changed operating systems, or application versions, etc. This makes it trivial to scan your networks on a regular basis and create a report (XML or text format) on all the changes. See the Ndiff man page and home page for more information. Ndiff is included in our binary packages and built by default, though you can prevent it from being built by specifying the –without-ndiff configure flag.

Here are excerpts from an Ndiff comparison between two scans for the Facebook network:

> ndiff -v facebook-vscan-1237136401.xml facebook-vscan-1237395601.xml
-Nmap 4.85BETA3 at 2009-03-15 10:00
+Nmap 4.85BETA4 at 2009-03-18 10:00

+arborvip.tfbnw.net (
+Host is up.
+Not shown: 100 filtered ports

www2.02.07.facebook.com (
Host is up.
Not shown: 98 filtered ports
-80/tcp  open  http     Apache httpd 1.3.41.fb2
+80/tcp  open  http     Apache httpd 1.3.41.fb1
443/tcp open  ssl/http Apache httpd 1.3.41.fb2

And here is a trivial cron script demonstrating how easy it is to scan a network daily and mail yourself the changes (and full results in this case):

date=`date "+%s"`
cd /hack/facebook/scripts/
nmap -T4 -F -sV -O --osscan-limit --osscanguess -oA facebook-${date} [netblocks] > /dev/null
ndiff facebook-old.xml facebook-${date}.xml > facebook-diff-${date}
cp facebook-${date}.xml facebook-old.xml
echo "n********** NDIFF RESULTS **********n"
cat facebook-vscan-diff-${date}
echo "n********** SCAN RESULTS **********n"
cat facebook-vscan-${date}.nmap

You could do a similar thing using Windows’ scheduled tasks.

IronGeek has created an Ndiff 5 introductory video demonstrating command-line Ndiff plus its use within Zenmap.

Documentation and web site improvements

While Nmap Network Scanning may be the most exciting documentation news for this release, we did make many other important web site and documentation changes:

  • Added German and Russian translations of the Nmap Reference Guide (Man Page). You can choose from all 16 available languages from the Nmap docs page.
  • Nmap has moved. Everything at http://insecure.org/nmap/ can now be found at http://nmap.org . That should save your fingers from a little bit of typing.
  • A copy of the Nmap public svn repository (/nmap, plus its zenmap, nsock, nbase, and ncat externals) is now available at http://nmap.org/svn/. We update this regularly, but it may be slightly behind the SVN version. It is particularly useful when you need to link to files in the tree, since browsers generally don’t handle svn:// repository links.

Portability enhancements

Nmap’s dramatic improvements are of little value if it doesn’t run on your system. Fortunately, portability has always been a high priority. Nmap 5.00 runs on all major operating systems, plus the Amiga. Portability improvements in this release include:

  • A Mac OS X Nmap/Zenmap installer is now available from the Nmap download page. It is rather straightforward, but detailed instructions are available anyway. As a universal installer, it works on both Intel and PPC Macs. It is distributed as a disk image file (.dmg) containing an mpkg package. The installed Nmap include OpenSSL support and also supports Authorization Services so that Zenmap can run as root when necessary.
  • Nmap’s special WinPcap installer now handles 64-bit Windows machines by installing the proper 64-bit npf.sys.
  • The Nmap installer was updated to handle the Windows 7 release candidate.
  • The Windows version of Nmap (both .zip and executable installer) now supports OpenSSL, as do the Linux RPM binaries we distribute. The UNIX source tarball has supported OpenSSL for years.
  • We now compile in IPv6 support on Windows. In order to use this, you need to have IPv6 set up. It is installed by default on Vista, but must be manually installed for XP.

Even more improvements

  • The compile-time Nmap ASCII dragon is now more ferocious thanks to better teeth alignment:
    (  )   /   _                 (
    |  (   ( .(               )                      _____
    `  `   )              (  ___                 / _
    (_`    +   . x  ( .            /   ____-----------/ (o)   _
    - .-               +  ;          (  O                           ____
    )        _____________  `                /
    (__                +- .( -'.-
  • The new –stats-every option takes a time interval that controls how often timing status updates are printed. It is useful when Nmap is run by another program as a subprocess, or if you just like frequent timing updates.
  • Completion time estimates provided in verbose mode or when you hit a key during scanning are now more accurate.
  • The nmap-dev and nmap-hackers mailing list RSS feeds at SecLists.Org now include message excerpts to make it easier to identify interesting messages and speed the process of reading through the list. Feeds for all other mailing lists archived at SecLists.Org have been similarly augmented (details).
  • Fixed an integer overflow in the scan progress meter. As an Nmap user, few things are more discouraging than seeing your estimated completion time rise so high that it goes negative.
  • Nmap’s output options (-oA, -oX, etc.) now support strftime()-like conversions in the filename. %H, %M, %S, %m, %d, %y, and %Y are all the same as in strftime(). %T is the same as %H%M%S, %R is the same as %H%M, and %D is the same as %m%d%y. So means that “-oX ‘scan-%T-%D.xml’” uses an XML file in the form of “scan-144840-121307.xml”.
  • Removed Brazilian poetry/lyrics from Zenmap source code (NmapOutputViewer.py). We’ve seen enough of it in the debug logs. “E nao se entrega, nao”. We also removed a code comment which declared /*WANKER ALERT!*/ for no good reason.
  • Nmap and Nmap-WinPcap silent installation now works on Windows. Nmap can be silently installed with the /S option to the installer. If you install Nmap from the zip file, you can install just WinPcap silently with the /S option to that installer.
  • –traceroute is now faster and more effective because it uses the timing ping probe saved from host discovery and port scanning. The timing ping probe is always the best probe Nmap knows about for eliciting a response from a target.
  • We now have a public TODO list describing our future plans and tasks which need work.
  • Google sponsored 6 college/grad students for Summer of Code 2009. They and their ongoing projects are introduced here.
  • Nmap now builds with the _FORTIFY_SOURCE=2 define. With modern versions of GCC, this adds extra buffer overflow protection and other security checks.
  • Nmap was discovered in its eighth movie. In the Russian film Khottabych, teenage hacker Gena uses Nmap (and telnet) to hack Microsoft. In response, MS sends a pretty female hacker to flush him out (more details and screen shots).
  • To better support users with attention deficit disorder, we created an Nmap Twitter feed. We still recommend that all users subscribe to the low-traffic nmap-hackers announcement mailing list.
  • Nmap won LinuxQuestions.Org Network Security Application of the Year for the sixth year in a row.
  • These release notes mostly discuss new features, but we also made many performance enhancements and fixed a large number of bugs which could lead to crashes, compilation failures, or other misbehavior.

These are just highlights from the full list of changes you can find in our CHANGELOG.

  • Pingback: Wampiryczny blog

  • http://hacking-websites.blogspot.com Vinoth

    Hey thank you I never knew there is a new version released from Insecure