"If your goal is to understand your network from a 40,000-foot view,
then Windows port scanning tools will suffice. But if you're serious
about your security and looking for the holes that crackers will find,
then take the time to install a Linux box and use nmap." -- Info World
General Information
nmap is a utility for port scanning large networks, although it
works fine for single hosts. The guiding philosophy for the creation
of nmap was TMTOWTDI (There's More Than One Way To Do It). This is
the Perl slogan, but it is equally
applicable to scanners. Sometimes you need speed, other times you may
need stealth. In some cases, bypassing firewalls may be required.
Not to mention the fact that you may want to scan different protocols
(UDP, TCP, ICMP, etc.). You just can't do all this with one scanning
mode. And you don't want to have 10 different scanners around, all
with different interfaces and capabilities. Thus I incorporated
virtually every scanning technique I know into nmap. Specifically,
nmap supports:
Vanilla TCP connect() scanning,
TCP SYN (half open) scanning,
TCP FIN, Xmas, or NULL (stealth) scanning,
TCP ftp proxy (bounce attack) scanning,
SYN/FIN scanning using IP fragments (bypasses some packet filters),
nmap also supports a number of performance and reliability features
such as dynamic delay time calculations, packet timeout and
retransmission, parallel port scanning, and detection of down hosts via
parallel pings. Nmap also offers flexible target and port specification,
decoy scanning, determination of TCP sequence predictability characteristics,
and output to machine-parseable or human-readable log files.
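The machine-parseable log mentioned above lends itself to scripted review. The following is an added example, not code from this page or the Nmap distribution: it parses lines in the grepable layout (assumed here to be the tab-separated Host:/Ports: form with port/state/proto/... entries) and compares the open ports against a per-host baseline so that unexpected exposure stands out. The sample lines and the baseline are constructed.

```python
"""Check Nmap machine-parseable (grepable) output against an expected-port
baseline. Added example, not part of the Nmap page or distribution. Assumes the
grepable layout of Nmap's machine-readable log (tab-separated
"Host: <ip> (<name>)" and "Ports: <port>/<state>/<proto>/..." fields); the
sample lines are constructed, not real scan results."""
from collections import defaultdict

# Constructed sample: two live hosts, one unexpected open port (111/tcp).
SAMPLE_LOG = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 (www.example.test)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (1020)\n"
    "Host: 192.0.2.11 (mail.example.test)\tPorts: 25/open/tcp//smtp///, "
    "111/open/tcp//sunrpc///, 53/open/udp//domain///, 23/closed/tcp//telnet///\n"
    "Host: 192.0.2.12 ()\tStatus: Down\n"
)

# Defender's baseline: the (port, proto) pairs each host is supposed to expose.
EXPECTED = {
    "192.0.2.10": {(22, "tcp"), (80, "tcp"), (443, "tcp")},
    "192.0.2.11": {(25, "tcp"), (53, "udp")},
}

def parse_grepable(text):
    """Return {ip: {(port, proto), ...}} for ports Nmap reported as open."""
    open_ports = defaultdict(set)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment lines and blanks
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]    # "<ip> (<name>)" -> ip
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            port, state, proto = entry.split("/")[:3]
            if state == "open":
                open_ports[ip].add((int(port), proto))
    return dict(open_ports)

def audit(open_ports, expected):
    """Compare scan results with the baseline: unexpected open ports, expected
    ports that were not seen open, and hosts with no baseline entry at all."""
    report = {"unexpected": {}, "missing": {}, "unknown_hosts": set()}
    for ip, ports in open_ports.items():
        if ip not in expected:
            report["unknown_hosts"].add(ip)
            continue
        if ports - expected[ip]:
            report["unexpected"][ip] = ports - expected[ip]
        if expected[ip] - ports:
            report["missing"][ip] = expected[ip] - ports
    return report

if __name__ == "__main__":
    result = audit(parse_grepable(SAMPLE_LOG), EXPECTED)
    for ip, ports in result["unexpected"].items():
        print(f"{ip}: unexpected open ports {sorted(ports)}")
```

Hosts reported as down produce no Ports field and are simply absent from the result, so a host missing from the parsed output is worth a separate check rather than being treated as clean.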
New
Nmap now has a moderated discussion list (nmap-hackers@insecure.org) where people can send patches
and which I plan to use to announce new versions and beta releases. To subscribe, send a blank email to nmap-hackers-subscribe@insecure.org.
The mailing list also has a web archive available for perusal.
Nmap 2.54BETA3 is now available. See the download section to download this DEVELOPMENT
release. Changes can be found in the included CHANGELOG file.
Nmap 2.53 is now
available. There are also Linux/x86 RPMs for core nmap and for nmapfe, the
graphical front end. We also have a press release announcing this
new version.
Here are the most important changes since 2.12 (the previous stable
version).
The NmapFE graphical X-Window (GTK+) front end by Zach Smith (now
maintained by Fyodor) is included. A KDE front end by Ian Zepp is
available at http://www.edotorg.org/kde/kmap/
Nmap now contains almost 500 contributed TCP/IP fingerprints for
remote operating system detection (see
http://www.insecure.org/nmap/nmap-fingerprinting-article.html )
Added direct (bypasses portmapper) SunRPC scanning to determine
what RPC program is listening on a particular TCP or UDP port.
Almost 200 RPC services are supported.
Added sophisticated timing controls to give the user much more
control over Nmap's speed and timeouts. Users can specify canned
modes (like "polite" or "aggressive") or manipulate individual
timing parameters directly.
Added ACK scanning and Window scanning for stealthy scanning of
heavily firewalled hosts.
Portability fixes: V. 2.50 is well supported on Linux (X86, Sparc,
Alpha, PowerPC, and Merced/Itanium), Free/Net/OpenBSD, and Solaris.
It has been reported to work on many other UNIX systems.
New resume option allows scans to be stopped and continued later.
Many speed optimizations, especially with regard to scanning hosts
behind restrictive packet filters and firewalls.
Interactive mode enhances privacy and can add convenience.
Numerous improvements to machine parseable & human readable output.
New options allow host scan order randomization, logfile appending,
random target host selection, script kiddie output, etc.
Dozens of bug fixes and helpful tweaks.
For information on earlier changes, see the CHANGELOG file in the Nmap
source distribution.
Interested in how nmap uses TCP/IP fingerprinting for remote OS
detection? I put my Phrack 54 article on the subject up here.
I will be speaking at the CanSecWest security conference May
10-12 in Vancouver, Canada.
Documentation
The primary documentation is in man page form (HTML translation). I also wrote an article about nmap and port scanning in general which is available here. It is an HTMLized and updated version
of the original Phrack article where
nmap was first introduced. Note that some of the nmap flags
mentioned in the article have been changed (and others added). The
man page should be completely up to date. Users have contributed
translations of the man page to Spanish, French,
Russian,
and Lithuanian.
For those of you who want to get started now and don't have time
to read the whole man page and article, brief
usage information is available. This is the same information as
you get by typing nmap -h on the command line. Also, you
should definitely take two minutes to read the examples section of the
man page.
Lamont Granquist wrote a clear and useful guide to getting started
with nmap.
Antonio Aneiros <aneiros@ctv.es> has created a Spanish
translation of the man page. The actual man page (not an HTML version)
is available here.
Portability
Nmap works well with most common UNIX operating systems. The
primary focus of Nmap development is on free operating systems such as
Linux, FreeBSD, NetBSD, and OpenBSD. Nmap is also reasonably well
supported under Solaris, IRIX, and BSDI. Many people have reported
success with various versions of SunOS, HP-UX, AIX, Digital UNIX, and
Cray UNICOS.
There are currently no plans to port Nmap to Win95/98/NT. I
suggest an upgrade to one of the many supported operating systems.
Note that Linux, FreeBSD, OpenBSD, and NetBSD are all free for
download and run on pretty much any PC (as well as other platforms) so
there are few good reasons not to just install one (or all) of them.
Of course if you really want a Windows version, you are
welcome to port Nmap (please send me diffs). The only reason IRIX and
Solaris are supported is that generous users ported them and sent me
the changes. Nmap comes with source code to give you the ultimate
flexibility in making it suit your needs.
Downloading nmap
Nmap and NmapFE (the graphical X Window front end) are available in several versions and formats:
For greater portability, nmap now utilizes the Lawrence Berkeley
National Laboratory Network Research Group packet capturing libraries
(libpcap 0.4a6). I have modified this slightly to fix minor bugs in the Linux
portion.
Nmap in the news
Nmap has received a lot of press lately. Here are links to relevant
stories (some of which I don't fully agree with). If you see Nmap
featured in other articles, please let
me know.
Journalists: please let me know before you publish
articles about Nmap. I would be happy to review them and point out
any inaccuracies or provide pointers to other resources that might help.
The SANS Intrusion Detection FAQ [local copy] includes a page by John Green (of the
US Naval Surface Warfare Center) describing the capabilities of Nmap.
He concludes that:
The intelligence that can be garnered by using nmap is
extensive. It provides all the information that is needed for a
well-informed, full-fledged, precisely targeted assault on a
network. Such an attack would have a high probability of success, and
would likely go unnoticed by organizations that lack intrusion
detection capabilities.
Perhaps the most versatile and widely-used tool for penetration
testing today. Offering a wide range of port-scanning techniques, this
utility will report which ports are open, who owns each process, which
service is typically assigned to the port, the probability of a TCP
sequence prediction attack, and more. Another useful feature of nmap
is its ability to remotely "fingerprint" a machine's operating
system. This utility has become the penetration tester's Swiss Army
Knife.
"The Art and Detection of Port Scanning" is an
introductory article which focuses on Nmap and appeared in Sys
Admin Magazine in November 1998. I haven't found an online link to
it. My prior Phrack 51 article entitled "The Art of Port Scanning" gives a more
technical overview anyway.
"Diary of a hack attack" -- Network World, January 10, 2000. Discusses the activities of a professional security auditor. "Hacker Bob prefers network mapping (nmap) ... it's a port scanner on steroids." [local copy]
SANS Broadcast: What the Hackers Know About You III - 3/2/99 is an hour-long interview
with H. D. Moore (developer of nlog, the database interface to nmap)
and John Green, member of the Shadow Intrusion Detection Team, about
Nmap & NLog. Sadly, it is not available in any open format (like MP3).
The Spring 1999 issue of 2600 has an article called
"Network Scanning with Nmap". Someone OCR'd it and sent me a copy.
Here is the unformatted text.
Note that the options and flags he mentions are for a very old
version of nmap and aren't very relevant to nmap 2.X.
Nmap related projects
Some people have been working on extensions to nmap which
add new features or otherwise improve it. Here are
the projects I am aware of (mail me if you have others):
Zach Smith <key@aye.net> has created a really cool GTK+ front end
for Nmap called NmapFE. NmapFE is now
included with the latest beta distributions of Nmap, but for the very
latest warez, pick it up from Zach's site. [ screenshot ]
Ian Zepp <icszepp@islc.net> has created another excellent
Nmap front end, this time with Qt along with KDE integration. It is
called kmap [ screenshot ]
Alexandre Sagala has created an alternative Qt/KDE frontend called
KNmap [ screenshot ]
Joshua Grubman <jg@false.net> has created this
extremely cool Network Tool
which is a CGI form allowing you to conduct OS scans, traceroutes, and
other tests on arbitrary machines. This is a great anti-spam
resource!
The Church of the Swimming
Elephant has created an online tool that allows you
to scan yourself with Nmap (among many other things). Just click the
"Scan" button at the very bottom of the page to scan yourself.
Izar Tarandach <izar@netect.com> is
working on a really cool 'visual nmap' which provides a TCL/TK GUI on
top of nmap. His latest version is available here. Remember to configure your nmap location in
the program (if it is not in /usr/local/bin).
Ajax <ajax@mobis.com> has modified a version of Nmap to
allow simple application-level vulnerability checks to be easily added
to nmap (via an exploits.dat file). He calls this modified program
vulnmap and it is available on his projects
page.
Jay Freeman (saurik) (saurik@saurik.com) has created Nmap+V -- a
patch that allows Nmap to capture version numbers for numerous
services.
HD Moore has also created Spidermap, a
coordinated network scanning tool which scans by running many Nmap
processes in parallel.
Alek O. Komarnitsky (alek@komar.org) has created nmap-web, a simple Perl/CGI
script(s) you install on your web server which allows you to submit nmap
commands (and receive the responses) through a web interface. This is
especially oriented toward "white-hat" Sysadmins trying to figure out what
ports are open and what versions of programs are running.
rain.forest.puppy <rfpuppy@iname.com> has written 'nmap stubs' in C and Perl which execute nmap and parse the output (allowing you to invoke nmap functionality from your C programs and perl scripts). The home page for this project is http://www.angio.net/security/rfp.
James W. Abendschan <jwa@jammed.com> has written a very useful CGI for accepting nmap OS fingerprint submissions and sending them to the fingerprint maintainer (me). I have modified this script slightly and added it to the nmap site (here).
Ajax <ajax@mobis.com>
has written some patches to nmap which allow nmap to do some
vulnerability scanning checks using a small sample vulnerability
database he has created. The patches (to nmap 2.01 at the time of
this writing) are available at http://www.mobis.com/ajax/code/nmap.
Vacuum <vacuum@technotronic.com>
has created Winfingerprint, an
application that uses SMB to determine OS, shares, users, and other
information about Windows machines on a network (Note: this
scanner currently only runs on Windows NT).
Yasholomew Yashinski <yashy@euphoria.yashy.com> sent in this
eggdrop bot script which sits on a channel and
port-scans channel users who request it and then msg's them the results.
John Rumpelein <jmr@jmrtech.com> has created a port scan database giving a readout of everyone who scans his machine and demonstrating trends.
Justin Beech <jb@dslreports.com> has created Secure-Me, an
automated security scan using Nmap and a few other tools. You can choose from free or commercial versions of the scanner.
Thomas Reinke <reinke@e-softinc.com> and other folks from
E-softinc.com have created a commercial service called webscan. They will scan you with Nmap
on a regular basis and mail you results. Unfortunately they charge up to $5000 USD/year for this service, so poor hackers should stick with cron.
Another commercial nmap-based web scanning application is Hacker Whacker. They charge
up to $300 per year.
Propaganda
Nmap is free software, meaning we cannot afford advertising campaigns
or a marketing department. Nmap's growth is thus dependent on grassroots
linking and recommendations by users like you. If you find Nmap
useful, we would always appreciate a link on your page. We have also
created some graphics you can use to link to this page. If you are
artistically inclined, we welcome contributions of new banners,
buttons, etc. Please try and use the normal 486x60 size for banners.
This next matching banner/button set is from EuroBoy <euroboy@ourhost.net>
The next two are from Vasi <vasi@i.am> followed by one from Twigman <twigman@ultra.net.au>:
The following banner was created by i_amgod@geocities.com:
And here is one from mouse@pop3.mx3.redestb.es :
I created this when Linux.com generously offered free banner ads
Linux.com ended up using this (Don't ask me where it came from :) ...
Other scanning resources
Prior to writing nmap, I spent a lot of time with other scanners
exploring the Internet and various private networks. I have used many
of the top scanners available today, including strobe by Julian
Assange, netcat by *Hobbit*, stcp by Uriel Maimon, pscan by Pluvius,
ident-scan by Dave Goldsmith, and the SATAN tcp/udp scanners by Wietse
Venema. These are all excellent scanners! In fact, I ended up
hacking most of them to support the best features of the others.
Finally I decided to write a whole new scanner, rather than rely on
hacked versions of a dozen different scanners in my /usr/local/sbin.
But you can still learn a lot from these other scanners, and maybe you
will find them useful:
Strobe -- An excellent TCP
connect() scanner by Julian Assange. It is quite fast and runs
on many different platforms.
ident-scan -- This is mostly a
"proof of concept" scanner to demonstrate reverse ident scanning. It
was written by Dave Goldsmith
and was the inspiration for the -I (ident) mode of
nmap.
FTP bounce attack -- Hobbit's original short paper on the
ftp bounce attack which is used in nmap. Note that this was from July 1995 and this problem is *STILL* prevalent on our networks. Note that the problem was
already pretty well known at the time of this writing.
CERT ftp bounce advisory -- Hey, what
do you know! 2.5 years after Hobbit's paper (and 3 months after nmap was
released), CERT finally discovers the bounce attack and writes an advisory
about it. This is actually pretty quick by CERT standards. On February 25 1985, Robert T. Morris described a TCP sequencing attack. The CERT advisory came
on January 23, 1995, almost 10 years later! I have many other examples of
CERT incompetence, but CERT-bashing is beyond the scope of this page.
Thanks to
The many people who have sent in useful feedback about nmap.
Lamont Granquist <lamontg@u.washington.edu> for
autoconfing nmap and porting it to several systems that I didn't have
access to. Nmap would not be NEARLY as portable without his help. Lamont
also sent in a number of patches to work around various issues with
Solaris, IRIX, and others.
Bdale Garbee <bdale@gag.com> is the maintainer of the nmap
package for Debian GNU/Linux.
David O'Brien <obrien@FreeBSD.org> is the maintainer
of the nmap package for FreeBSD. He has made nmap
available in package format at ftp.freeBSD.org.
I run FreeBSD on one of my machines at work and it is an amazing
operating system.
//Stany <stany@notbsd.org> for providing major
assistance in making nmap run well on Solaris.
Anthony for finding and fixing a number of portability issues in IRIX, Solaris 2.51, BSDI, etc. Damn, this guy has a well-equipped lab :).
Arve Kjoelen <akjoele@siue.edu> for single-handedly writing
the initial FreeBSD port.
Solar Designer <solar@false.com> for testing out some early code and for contributing many great ideas which have been incorporated into nmap. If you wish to DETECT port scans from programs such as nmap I recommend his Scanlogd port scan detector. Be sure to read the article prior to installing it! He also has written many other goodies -- see his security tools site for more info.
van Hauser <vh@reptile.rug.ac.be> for putting nmap through
some grueling tests which fleshed out a few bugs. You might also be
interested in van Hauser's useful system prober which utilizes nmap
and comes as part of his
Unix Hacking tools package.
Matthew Franz <mdfranz@txdirect.net> for creating the excellent Trinux Linux floppy distribution. It contains Nmap along with a bunch of other cool network tools.
Marc <marc@sniff.ct-net.de> for submitting patches to
correct byte order peculiarities in some versions of BSD.
Coder <coder@reptile.rug.ac.be> for helping test nmap since
before it was ever released and providing loads of feedback.
Steve McCanne, Craig Leres, and Van Jacobson of the Lawrence
Berkeley National Laboratory Network Research Group for writing the
packet capturing library nmap uses (libpcap). This allows nmap to
be much more portable than it would be otherwise. Note that the version which comes with nmap is modified slightly (by me).
Klaus Steding-Jessen <jessen@ahand.unicamp.br> for
submitting a patch to version 1.25 to skip the initial ping test.
This has been incorporated into later releases of nmap. I implemented
his patch in my own way, so bugs are still my fault.
Everyone who contributed OS fingerprints -- you can find them in the nmap-os-fingerprints file distributed with nmap.
Miscellaneous
Well, that is about all I have to say about nmap. If you
have questions or comments, I would appreciate email at
fyodor@dhp.com.
In case you feel like surfing a little more, I have several other
pages that might be of interest. For example a compendium of more
than 400 security holes indexed by OS and date. I also have collected
a number of useful papers, articles, and web sites on security. You
can reach everything from my main page.