Nmap 6 Released
May 21, 2012—The Nmap Project is pleased to announce the immediate, free availability of the Nmap Security Scanner version 6.00 from https://nmap.org/. It is the product of almost three years of work, 3,924 code commits, and more than a dozen point releases since the big Nmap 5 release in July 2009. Nmap 6 includes a more powerful Nmap Scripting Engine, 289 new scripts, better web scanning, full IPv6 support, the Nping packet prober, faster scans, and much more! We recommend that all current users upgrade.
Contents:
- About Nmap
- Top 6 Improvements in Nmap 6
- Press
- Screen Shots
- Detailed Improvements
- Moving Forward (Future Plans)
- Acknowledgments
- Download and updates
About Nmap
Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for network inventory, managing service upgrade schedules, monitoring host or service uptime, and many other tasks. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in a dozen movies, including The Matrix Reloaded, The Bourne Ultimatum, Girl with the Dragon Tattoo, and Die Hard 4. Nmap was released to the public in 1997 and has earned the trust of millions of users.
As free software, we don't have any sort of advertising budget. So please spread the word that Nmap 6 is now available!
Top 6 Improvements in Nmap 6
Before we go into the detailed changes, here are the top 6 improvements in Nmap 6:
- 1. NSE Enhanced
The Nmap Scripting Engine (NSE) has exploded in popularity and capabilities. This modular system allows users to automate a wide variety of networking tasks, from querying network applications for configuration information to vulnerability detection and advanced host discovery. The script count has grown from 59 in Nmap 5 to 348 in Nmap 6, and all of them are documented and categorized in our NSE Documentation Portal. The underlying NSE infrastructure has improved dramatically as well. [More details]
- 2. Better Web Scanning
As the Internet has grown more web-centric, Nmap has developed web scanning capabilities to keep pace. When Nmap was first released in 1997, most of the network services offered by a server listened on individual TCP or UDP ports and could be found with a simple port scan. Now, applications are just as commonly accessed via URL path instead, all sharing a web server listening on a single port. Nmap now includes many techniques for enumerating those applications, as well as performing a wide variety of other HTTP tasks, from web site spidering to brute force authentication cracking. Technologies such as SSL encryption, HTTP pipelining, and caching mechanisms are well supported. [More details]
- 3. Full IPv6 Support
Given the exhaustion of available IPv4 addresses, the Internet community is trying to move to IPv6. Nmap has been a leader in the transition, offering basic IPv6 support since 2002. But basic support isn't enough, so we spent many months ensuring that Nmap version 6 contains full support for IP version 6. And we released it just in time for the World IPv6 Launch.
We've created a new IPv6 OS detection system, advanced host discovery, raw-packet IPv6 port scanning, and many NSE scripts for IPv6-related protocols. It's easy to use too—just specify the -6 argument along with IPv6 target IP addresses or DNS records. In addition, all of our web sites are now accessible via IPv6. For example, Nmap.org can be found at 2600:3c01::f03c:91ff:fe96:967c. [More details]
- 4. New Nping Tool
The newest member of the Nmap suite of networking and security tools is Nping, an open source tool for network packet generation, response analysis and response time measurement. Nping can generate network packets for a wide range of protocols, allowing full control over protocol headers. While Nping can be used as a simple ping utility to detect active hosts, it can also be used as a raw packet generator for network stack stress testing, ARP poisoning, Denial of Service attacks, route tracing, etc. Nping's novel echo mode lets users see how packets change in transit between the source and destination hosts. That's a great way to understand firewall rules, detect packet corruption, and more. [More details]
- 5. Better Zenmap GUI & results viewer
While Nmap started out as a command-line tool and many (possibly most) users still use it that way, we've also developed an enhanced GUI and results viewer named Zenmap. One addition since Nmap 5 is a “filter hosts” feature which allows you to see only the hosts which match your criteria (e.g. Linux boxes, hosts running Apache, etc.) We've also localized the GUI to support five languages besides English. A new script selection interface helps you find and execute Nmap NSE scripts. It even tells you what arguments each script supports. [More details]
- 6. Faster scans
In Nmap's 15-year history, performance has always been a top priority. Whether scanning one target or a million, users want scans to run as fast as possible without sacrificing accuracy. Since Nmap 5 we've rewritten the traceroute system for higher performance and increased the allowed parallelism of the Nmap Scripting Engine and version detection subsystems. We also performed an intense memory audit which reduced peak consumption during our benchmark scan by 90%. We made many improvements to Zenmap data structures and algorithms as well so that it can now handle large enterprise scans with ease. [More details]
Press
Please mail Fyodor if you see (or write) reviews/articles on the Nmap 6 release. Here are the ones seen so far:
Reasonably detailed (or with many comments) English articles:
- Reddit: Nmap 6 released!
- Hacker News: Nmap 6 released after three years of work
- Slashdot: Nmap 6 Released Featuring Improved Scripting, Full IPv6 Support
- Network World: New Nmap Probes IPv6 Networks
- The H Open Source (Heise Online): Nmap now fully ready for IPv6
- The Register: NMap 6.0 arrives: Fyodor’s finest since 2009
- Linux For You: What’s New in Nmap 6
- Internet Society: New Nmap Version 6 Provides Full IPv6 Support, Useful IPv6 Tools
- Unixmem: Nmap reaches version 6
- SecurityWeek: Nmap 6 Now Available With Enhancements, New Functions
Brief English mentions: SANS Internet Storm Center (ISC), Help Net Security, Linux Weekly News (LWN), Ethical Hacker Network, HD Moore, Darknet
Permission is granted for journalists (or anyone writing about this Nmap release) to use any of the text or screen shots on this page. For quotes, you can email Fyodor at fyodor@nmap.org. Leave your phone number if you want a callback.
Screen Shots
Nmap 6 provides a wealth of information about remote systems, as shown in this sample scan against a machine we maintain for scan testing purposes (scanme.nmap.org):
Here is an example using Zenmap against a couple of production web servers (Nmap.org and Reddit):
Perhaps the most visually appealing aspect of Zenmap is its network topology mapper. Here it is being used to interactively explore the routes between a source machine and more than a dozen popular web sites:
Detailed Improvements
The Nmap Changelog describes more than 600 significant improvements since our last major release (5.00 in July 2009). Here are the highlights:
The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs. NSE was just beginning to take off with Nmap 5, and represents perhaps our proudest accomplishment in Nmap 6:
Script count has nearly sextupled from 59 to 348 scripts! The full list is too long to include here, but you can find them all at the NSE Documentation Portal.
Information gathering is one of Nmap's prime features, so we added 44 new protocol information query scripts:
acarsd-info, address-info, amqp-info, backorifice-info, bitcoin-info, bitcoinrpc-info, broadcast-upnp-info, db2-das-info, drda-info, eap-info, epmd-info, ganglia-info, giop-info, hadoop-datanode-info, hadoop-jobtracker-info, hadoop-namenode-info, hadoop-secondary-namenode-info, hadoop-tasktracker-info, hbase-master-info, hbase-region-info, hddtemp-info, http-qnap-nas-info, ipv6-node-info, iscsi-info, maxdb-info, membase-http-info, memcached-info, mongodb-info, nat-pmp-info, ndmp-fs-info, netbus-info, ntp-info, openlookup-info, quake3-info, redis-info, riak-http-info, rpcap-info, socks-auth-info, stun-info, versant-info, vnc-info, voldemort-info, vuze-dht-info, xmpp-info
Some of our favorite new scripts don't send any traffic at all—they just interpret and present information discovered by other scripts or Nmap itself. These include:
- address-info shows extra information about IPv6 addresses, such as embedded MAC or IPv4 addresses when available.
- creds-summary lists all discovered credentials (e.g. from brute force and default password checking scripts) at end of scan.
- duplicates attempts to discover multihomed or IP aliased systems by analyzing and comparing information collected by other scripts (SSL certificates, SSH host keys, MAC addresses, and NetBIOS server names).
- reverse-index creates a reverse index at the end of scan output showing which hosts run a particular service.
- unusual-port compares the detected service on a port against the expected service for that port number (e.g. ssh on 22, http on 80) and reports deviations.
Nmap has two new NSE script scanning phases. The new pre-scan occurs before Nmap starts scanning. Some of the initial pre-scan scripts use techniques like broadcast DNS service discovery or DNS zone transfers to enumerate hosts which can optionally be treated as targets. The other phase (post scan) runs after all of Nmap's scanning is complete. These can do things like print summaries of all the host-specific results or find correlations. For example, ssh-hostkey can now tell you at the end of the scan which IP addresses have duplicate SSH host keys (and thus may be different interfaces of the same machine) and reverse-index prints an index at the end of a scan showing which hosts have individual services (such as telnet or http) available.
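The correlation that the duplicates script and the post-scan half of ssh-hostkey perform (linking hosts that reported the same SSH host key, SSL certificate, MAC address or NetBIOS name) is a small graph problem that is worth seeing spelled out. The following Python is an added example written for this page, not code from Nmap or its NSE scripts. The per-host identifiers in SAMPLE_RESULTS are constructed sample data, and the kind labels (ssh-hostkey, ssl-cert, mac, nbname) are this example's own names rather than NSE registry keys.

```python
"""Link hosts that share an identifier, the way the NSE post-scan script
'duplicates' (and ssh-hostkey's duplicate-key report) correlate results.
Added example with constructed data, not code from Nmap."""
import ipaddress
from collections import defaultdict

# Constructed sample: per-host identifiers as earlier scripts might have
# recorded them. The kind labels are this example's own, not NSE registry keys.
SAMPLE_RESULTS = {
    "10.0.0.5":  {"ssh-hostkey": "SHA256:aaaa", "mac": "00:11:22:33:44:55"},
    "10.0.0.6":  {"ssh-hostkey": "SHA256:aaaa"},       # same SSH key as .5
    "10.0.0.7":  {"ssl-cert": "F1:F2", "nbname": "FILESRV"},
    "10.0.0.8":  {"ssl-cert": "F1:F2"},                # same certificate as .7
    "10.0.0.9":  {"nbname": "FILESRV"},                # same NetBIOS name as .7
    "10.0.0.10": {"ssh-hostkey": "SHA256:bbbb"},       # nothing in common
    "10.0.0.11": {"mac": "00:11:22:33:44:55"},         # same MAC as .5
}


class UnionFind:
    """Disjoint sets over host addresses; two hosts are merged when they
    report the same (kind, value) identifier."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def find_duplicates(results):
    """Return [(hosts, evidence), ...] for every group of two or more hosts
    linked by shared identifiers: hosts sorted numerically, evidence as
    sorted 'kind=value' strings. Links are transitive: if A shares a key
    with B and B shares a name with C, all three land in one group."""
    uf = UnionFind()
    first_seen = {}                 # (kind, value) -> first host reporting it
    reporters = defaultdict(set)    # (kind, value) -> every host reporting it
    for host, ids in results.items():
        uf.find(host)               # register even hosts with nothing to share
        for kind, value in ids.items():
            key = (kind, value)
            reporters[key].add(host)
            if key in first_seen:
                uf.union(first_seen[key], host)
            else:
                first_seen[key] = host

    groups = defaultdict(set)
    for host in results:
        groups[uf.find(host)].add(host)

    out = []
    for members in groups.values():
        if len(members) < 2:
            continue
        evidence = sorted(f"{kind}={value}"
                          for (kind, value), hosts in reporters.items()
                          if len(hosts & members) > 1)
        out.append((sorted(members, key=ipaddress.ip_address), evidence))
    out.sort(key=lambda group: ipaddress.ip_address(group[0][0]))
    return out


if __name__ == "__main__":
    for hosts, evidence in find_duplicates(SAMPLE_RESULTS):
        print(", ".join(hosts), "<-", "; ".join(evidence))
```

A shared identifier is evidence, not proof: cloned virtual machines that never regenerated their SSH host key, a wildcard certificate installed on every node of a load-balanced pool, or a virtual MAC on a failover pair all link machines that are genuinely distinct (and the first two are findings in their own right). That is why the function returns the evidence alongside each group, and why the real script's output deserves a look before hosts are collapsed in an inventory.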
Created a new target library which allows scripts to add newly discovered targets to Nmap's scanning queue. This allows Nmap to support a wide range of target acquisition techniques. 27 scripts can now use this feature:
bitcoin-getaddr, bittorrent-discovery, broadcast-db2-discover, broadcast-dropbox-listener, broadcast-ms-sql-discover, broadcast-ping, dns-brute, dns-srv-enum, dns-zone-transfer, hadoop-jobtracker-info, hadoop-namenode-info, hadoop-secondary-namenode-info, hbase-master-info, hbase-region-info, hostmap-bfk, iscsi-info, lltd-discovery, omp2-enum-targets, resolveall, snmp-interfaces, targets-asn, targets-ipv6-multicast-echo, targets-ipv6-multicast-invalid-dst, targets-ipv6-multicast-mld, targets-ipv6-multicast-slaac, targets-sniffer, targets-traceroute
We created a high speed authentication credential checking library for our protocol brute force password auditing scripts. We then added 48 new “brute” scripts, for a total of 53 (full list). Supported protocols range from extremely popular ones such as HTTP, FTP, MySQL, telnet, socks, and pop3 to more obscure ones such as VMauthd, RPcap, Redis, and iSCSI. We even support brute force cracking of other security scanning and exploitation tools, including Metasploit XML-RPC, Nessus, Nessus XML-RPC, Nexpose, and OpenVAS OTP.
Since brute force scripts are most effective with a quality password list, we created a top 5000 password database by cracking 635,546 passwords from the Gawker compromise and combining those results with many other leaks such as RockYou, PHPBB, MySpace, etc.
We added a credentials storage library. This makes it easy for credentials passed in by the user or discovered by brute force scripts to then be used for deeper interrogation, and also allows for consistent reporting of discovered credentials.
We discovered a major directory traversal vulnerability in the Apple AFP protocol and released a script for detecting and exploiting the problem.
Added and then removed a mac-geolocation script which relied on a Google database to determine strikingly accurate GPS coordinates for anyone's wireless access point based on their MAC address. It was very powerful and arguably a little creepy. Google must have decided that the capability was too powerful as they discontinued the service before our script was even two months old.
Added a new script force feature. You can force scripts to run against target ports (even if the “wrong” service is detected) by placing a plus (+) in front of the script name passed to --script.
Added a new --script-args-file option which allows you to specify the name of a file containing all of your desired NSE script arguments. The arguments may be separated with commas or newlines and may be overridden by arguments specified on the command-line with --script-args.
Added a host-based registry which only persists (for the given host) until all scripts have finished scanning that host. The normal registry saves information until it is deleted or the Nmap scan ends. That is a waste of memory for information which doesn't need to persist that long. Use the host based registry instead if you can.
Replaced our runlevel system for managing the order of script execution with a much more powerful dependency system. This allows scripts to specify which other scripts they depend on (e.g. a brute force authentication script might depend on username enumeration scripts) and NSE manages the order. Dependencies only enforce ordering, they cannot pull in scripts which the user didn't specify.
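The ordering rule above (dependencies run first, but an unselected dependency is never pulled in) amounts to a topological sort restricted to the scripts the user chose. Here it is as an added Python example for this page; it is not the Lua scheduler inside NSE, and the script names and dependencies in CATALOG are constructed for illustration rather than copied from the real scripts' dependencies fields.

```python
"""Order selected NSE-style scripts so declared dependencies run first.
Added example in Python, not NSE's Lua scheduler; CATALOG is constructed."""

# Constructed catalogue: script name -> names listed in its 'dependencies' field.
CATALOG = {
    "smb-os-discovery": [],
    "smb-enum-users": ["smb-os-discovery"],
    "smb-brute": ["smb-enum-users"],   # wants the enumerated user list first
    "ssh-hostkey": [],
    "ssh-brute": ["ssh-hostkey"],
    "http-title": [],
}


def order_scripts(selected, catalog=CATALOG):
    """Return the selected scripts in an order that respects dependencies.

    Dependencies only enforce ordering: a dependency the user did not select
    is ignored rather than added. A cycle among selected scripts raises
    ValueError because no valid order exists."""
    selected = list(dict.fromkeys(selected))     # keep user order, drop repeats
    chosen = set(selected)
    # Keep only edges whose both ends were selected; unknown names have no deps.
    deps = {s: [d for d in catalog.get(s, ()) if d in chosen] for s in selected}

    ordered = []
    state = {}                                   # name -> "visiting" | "done"

    def visit(script):
        if state.get(script) == "done":
            return
        if state.get(script) == "visiting":
            raise ValueError(f"dependency cycle through {script}")
        state[script] = "visiting"
        for dep in deps[script]:
            visit(dep)
        state[script] = "done"
        ordered.append(script)

    for script in selected:
        visit(script)
    return ordered


if __name__ == "__main__":
    print(order_scripts(["smb-brute", "smb-os-discovery", "smb-enum-users"]))
    print(order_scripts(["smb-brute", "http-title"]))   # smb-enum-users is not pulled in
```

NSE runs scripts that do not depend on one another concurrently, so the list returned here is one valid sequential order rather than a schedule; the cycle check is there because a cycle among selected scripts has no valid order at all.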
A new --script-help option describes all scripts matching a given specification. It accepts the same specification format as --script does. For example, try ‘nmap --script-help "default or http-*"’.
The script arguments which start with a script name (e.g. http-brute.hostname or afp-ls.maxfiles) can now accept the unqualified arguments as well (hostname, maxfiles). This lets you use the generic version (“hostname”) when you want to affect multiple scripts, while using the qualified version to target individual scripts. If both are specified, the qualified version takes precedence for that particular script. This works for library script arguments too (e.g. you can specify 'timelimit' rather than unpwdb.timelimit).
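The two argument mechanisms above (a --script-args-file merged with --script-args, and qualified script.name arguments taking precedence over bare names) combine as in the following added Python example. It is not Nmap's own parser: it accepts only the plain name=value form separated by commas or newlines, not the nested Lua-table syntax that --script-args also allows. The file contents, script names and values are constructed, and storing a bare flag such as newtargets as the value 1 is this example's assumption about how NSE represents a flag (scripts only test such flags for truth).

```python
"""Resolve NSE-style script arguments: a --script-args-file merged with
--script-args (command line wins), then 'script.name' beating bare 'name'
for a given script. Added example, not Nmap's parser: it handles only the
plain name=value form, not --script-args' nested Lua-table syntax."""


def parse_script_args(text):
    """Parse 'a=1,b=2' or one-argument-per-line text into a dict.

    Commas and newlines both separate arguments, as in a --script-args-file.
    A bare name with no '=' is stored as the value 1; that NSE stores a flag
    such as 'newtargets' as 1 is an assumption of this example (scripts only
    test such flags for truth)."""
    args = {}
    for chunk in text.replace("\n", ",").split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, sep, value = chunk.partition("=")
        args[name.strip()] = value.strip() if sep else 1
    return args


def merge_args(file_text, cmdline_text):
    """Arguments from --script-args-file, overridden by --script-args."""
    merged = parse_script_args(file_text)
    merged.update(parse_script_args(cmdline_text))
    return merged


def get_arg(args, script, name, default=None):
    """What one script (or library) sees for an argument: the qualified
    'script.name' takes precedence, then the bare 'name', then the default."""
    qualified = f"{script}.{name}"
    if qualified in args:
        return args[qualified]
    return args.get(name, default)


# Constructed sample inputs (hostnames use the reserved .test domain).
SAMPLE_FILE = """hostname=www.example.test
timelimit=10m
http-brute.hostname=admin.example.test
"""
SAMPLE_CMDLINE = "timelimit=20m,newtargets"

if __name__ == "__main__":
    args = merge_args(SAMPLE_FILE, SAMPLE_CMDLINE)
    print(get_arg(args, "http-brute", "hostname"))   # qualified value wins
    print(get_arg(args, "http-enum", "hostname"))    # falls back to the bare name
    print(get_arg(args, "unpwdb", "timelimit"))      # command line overrode the file
```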
Created a new broadcast script category for scripts which broadcast on the local network and discover information and/or potential target hosts from the responses. We already have 31 of them:
broadcast-avahi-dos, broadcast-db2-discover, broadcast-dhcp6-discover, broadcast-dhcp-discover, broadcast-dns-service-discovery, broadcast-dropbox-listener, broadcast-listener, broadcast-ms-sql-discover, broadcast-netbios-master-browser, broadcast-networker-discover, broadcast-novell-locate, broadcast-pc-anywhere, broadcast-pc-duo, broadcast-ping, broadcast-pppoe-discover, broadcast-rip-discover, broadcast-ripng-discover, broadcast-sybase-asa-discover, broadcast-upnp-info, broadcast-versant-locate, broadcast-wake-on-lan, broadcast-wpad-discover, broadcast-wsdd-discover, broadcast-xdmcp-discover, eap-info, lltd-discovery, targets-ipv6-multicast-echo, targets-ipv6-multicast-invalid-dst, targets-ipv6-multicast-mld, targets-ipv6-multicast-slaac, targets-sniffer
Added a vulnerability management library for a consistent way of storing and reporting detected vulnerability information. So far we have 13 scripts using the library. Our current vulnerability script focus is on major, remotely exploitable pre-auth vulns. For example, we added scripts for the recent remote root vulnerability in Samba (samba-vuln-cve-2012-1182) and the code execution vulnerability in PHP-CGI (http-vuln-cve2012-1823).
NSE libraries allow scripts to share code, often to interact with a specific networking protocol. Nmap 6 adds 60 libraries, bringing the total up to 87. Here are the new ones:
afp, amqp, asn1, bitcoin, bittorrent, brute, citrixxml, creds, cvs, dhcp, dhcp6, dnsbl, dnssd, drda, eap, ftp, giop, httpspider, iax2, informix, iscsi, json, ldap, membase, mongodb, mssql, mysql, natpmp, ncp, ndmp, nrpc, omp2, pgsql, pppoe, proxy, redis, rmi, rpc, rpcap, rsync, rtsp, sasl, sip, smtp, socks, srvloc, sslcert, strict, stun, target, tftp, tns, upnp, versant, vnc, vulns, vuzedht, wsdd, xdmcp, xmpp
As the Internet has grown more web-centric, Nmap has developed web scanning capabilities to keep pace. When Nmap was first released in 1997, most of the network services offered by a server listened on individual TCP or UDP ports and could be found with a simple port scan. Now, applications are just as commonly accessed via URL path instead, all sharing a web server listening on a single port. Nmap now includes many techniques for enumerating those applications, as well as performing a wide variety of other HTTP tasks, from web site spidering to brute force authentication cracking. Technologies such as SSL encryption, HTTP pipelining, and caching mechanisms are well supported. Nmap 6 offers many major improvements:
Increased the number of NSE scripts for scanning web servers from 6 to 54. Some of our favorite new scripts are:
- http-title simply determines the title of the root page of any web servers detected when scanning. It's the sort of trivial script which was easy to write and yet provides valuable insights on target hosts.
- http-backup-finder spiders a website and attempts to identify backup copies of discovered files by requesting a number of different combinations of the filename (e.g. index.bak, index.html~, copy of index.html).
- http-enum enumerates directories used by popular web applications and servers by checking more than 2,000 URI paths. This is perhaps our closest analogue to port scanning the web.
- http-favicon grabs a site's favicon file (the tiny icon which is often shown in the URL bar while browsing) and checks whether it is from a known content management system or other application. We used it to scan hundreds of thousands of popular web servers as part of ourIcons of the Web project.
- http-grep spiders a web site attempting to find pages which match a given pattern.
- ssl-cert retrieves and prints a target server's SSL certificate.
Added a new httpspider library which is used for recursively crawling web sites for information. New scripts using this functionality include http-backup-finder, http-email-harvest, http-grep, http-open-redirect, and http-unsafe-output-escaping.
The HTTP library now caches responses from http.get or http.head so that resources aren't requested multiple times during the same Nmap run even if several scripts request them.
Added HTTP pipelining support to the HTTP library and to the http-enum, http-userdir-enum, and sql-injection.nse scripts. Pipelining can increase speed dramatically for scripts which make many requests.
Server Name Indication (SNI) is now supported by Ncat and Nmap NSE, allowing them to connect to servers which run multiple SSL websites on one IP address. To enable this for NSE, the nmap.connect function has been changed to accept host and port tables (like those provided to the action function) in place of a string and a number.
Given the exhaustion of available IPv4 addresses, the Internet community is trying to move to IPv6. Nmap has been a leader in the transition, offering basic IPv6 support since 2002. That included basic (connect) port scans, basic host discovery, version detection, and the Nmap Scripting Engine. But that's not enough, so we spent many months ensuring that Nmap version 6 contains full support for IP version 6. And we released it just in time for the World IPv6 Launch. It's easy to use too—just specify the -6 argument along with IPv6 target IP addresses or DNS records. Our new IPv6 support includes:
Raw packet IPv6 port scanning is now supported. This allows for IPv6 raw packet host discovery (IPv6 echo requests, TCP/UDP discovery packets, etc.) and raw packet port scanning (SYN scan, UDP scan, ACK scan, and more). IPv6 protocol scan (-sO) is also supported, and we wrote an IPv6 traceroute implementation (--traceroute) too.
Added an IPv6 OS detection system! The new system utilizes many tests similar to IPv4, and also some IPv6-specific ones that we found to be particularly effective. And it uses a machine learning approach rather than the static classifier we use for IPv4. We hope to move some of the IPv6 innovations back to our IPv4 system if they work out well. The database is still very small, so please submit any fingerprints that Nmap gives you to the specified URL (as long as you are certain that you know what the target system is running). Usage and results output are basically the same as with IPv4, and the implementation is documented here. For an example, try running "nmap -6 -O scanme.nmap.org".
Since the IPv6 address space is too large to brute force scan in general (as we do with IPv4), we researched IPv6 host discovery techniques for finding all the machines on a local network. We ended up implementing the four techniques we found most effective. They are all implemented as NSE scripts which can simply print out discovered addresses or (if requested) add them to Nmap's target queue. Since each technique may discover a different set of hosts (some systems, for instance, never answer echo requests sent to a multicast address), we recommend using multiple techniques or even specifying all four. Here they are:
- targets-ipv6-multicast-echo sends an ICMPv6 echo request packet to the all-nodes link-local multicast address (ff02::1). When ICMPv6 echo reply packets are received, the script collects the IPv6 addresses they come from and marks those hosts as potential scan targets. This is a rather straightforward technique which uses the protocols as designed, and (just like using ICMPv4 echo request packets for host discovery) it is quite effective.
- targets-ipv6-multicast-invalid-dst sends an ICMPv6 packet with an invalid extension header to the all-nodes link-local multicast address. Any hosts replying with an ICMPv6 parameter problem packet can be marked as up and available for potential scanning.
- targets-ipv6-multicast-mld attempts to discover available IPv6 hosts on the LAN by sending an MLD (Multicast Listener Discovery) query to the all-nodes link-local multicast address (ff02::1) and listening for any responses. The query's maximum response delay is set to 0 to provoke hosts to respond immediately rather than waiting for other responses from their multicast group.
- targets-ipv6-multicast-slaac sends an ICMPv6 router advertisement packet with a random address prefix, causing hosts to begin stateless address auto-configuration (SLAAC) and send a neighbor solicitation (duplicate address detection) for their newly configured address. We can then guess the remote addresses by combining the link-local prefix of the interface with the interface identifier in each of the received solicitations. An ordinary ICMPv6 neighbor discovery probe can then be used to verify that the guessed addresses are correct.
An example command to find all the IPv6 hosts on your local network using all four of these techniques in combination is: “nmap -6 -v -n -sn --script targets-ipv6-\*”. The scripts only run when Nmap is in IPv6 mode, so -6 is needed; add --script-args newtargets if the discovered hosts should be added to the scan queue rather than merely listed, and -e <interface> if Nmap cannot work out on its own which interface to send on.
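Both address-info (which reports a MAC or IPv4 address embedded in an IPv6 address) and the last step of targets-ipv6-multicast-slaac (reusing the interface identifier from each solicitation under the link-local prefix) are byte manipulations on the 128-bit address, and they are inverses of each other: one decodes an interface identifier, the other re-attaches one to a prefix. The following Python is an added example for this page, not the NSE scripts' Lua; every address in it is constructed sample data, and it goes a little beyond address-info's description by also decoding 6to4, Teredo and ISATAP forms.

```python
"""Decode what is embedded in an IPv6 address (as the address-info script
reports) and rebuild link-local addresses from SLAAC interface identifiers
(the last step of targets-ipv6-multicast-slaac). Added Python example, not
the NSE scripts' Lua; every address below is constructed sample data."""
import ipaddress


def iid_to_mac(iid):
    """Modified EUI-64 interface identifier (8 bytes) -> MAC string, or None
    when the ff:fe marker that EUI-64 inserts in the middle is absent."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[0:3] + iid[5:8])
    mac[0] ^= 0x02                    # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in mac)


def address_info(text):
    """Return the facts recoverable from one IPv6 address as a dict."""
    addr = ipaddress.IPv6Address(text)
    raw = addr.packed
    info = {}
    if addr.ipv4_mapped is not None:              # ::ffff:a.b.c.d
        info["ipv4_mapped"] = str(addr.ipv4_mapped)
    if addr.sixtofour is not None:                # 2002:AABB:CCDD::/48
        info["6to4_ipv4"] = str(addr.sixtofour)
    if addr.teredo is not None:                   # 2001:0::/32, server + obfuscated client
        server, client = addr.teredo
        info["teredo_server"] = str(server)
        info["teredo_client"] = str(client)
    if raw[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):   # ISATAP ::[2]00:5efe:a.b.c.d
        info["isatap_ipv4"] = str(ipaddress.IPv4Address(raw[12:16]))
    mac = iid_to_mac(raw[8:16])
    if mac:
        info["mac"] = mac
    return info


def guess_slaac_addresses(solicited, link_local_prefix="fe80::"):
    """Given the addresses hosts solicited for after our forged Router
    Advertisement, reuse each interface identifier under the link-local
    prefix. These are candidates to confirm with Neighbor Discovery."""
    prefix = ipaddress.IPv6Address(link_local_prefix).packed[:8]
    guesses = []
    for text in solicited:
        iid = ipaddress.IPv6Address(text).packed[8:]
        guesses.append(str(ipaddress.IPv6Address(prefix + iid)))
    return guesses


if __name__ == "__main__":
    for sample in ("fe80::21c:42ff:fe00:8", "::ffff:192.0.2.1",
                   "2002:c000:204::1", "2001:0:4136:e378:8000:63bf:3fff:fdd2"):
        print(sample, address_info(sample))
    print(guess_slaac_addresses(["2001:db8:c0de:1:21c:42ff:fe00:8"]))
```

The SLAAC guess only works when a host derives its link-local interface identifier the same way it derived the one it used for the advertised prefix (classic EUI-64 from the MAC). Hosts using RFC 4941 temporary addresses or RFC 7217 stable-private identifiers choose a different identifier per prefix, so the guess misses them; that is exactly why the script follows up with a neighbor discovery probe and why this function returns candidates rather than confirmed hosts.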
Added IPv6 Neighbor Discovery ping. This is the IPv6 analog to IPv4 ARP scan. It is the default ping type for local IPv6 networks.
Scanme.Nmap.Org (the system anyone is allowed to scan for testing purposes) is now dual-stacked (has an IPv6 address as well as IPv4) so you can scan it during IPv6 testing. We also added a DNS record for scanmeV6.nmap.org which is IPv6-only. So you can check if your current system can already handle IPv6 by trying to visit the ipv6-only scanme site. You might be surprised! We have posted more details here.
The Nmap.org website as well as sister sites Insecure.Org, SecLists.Org, and SecTools.Org all have working IPv6 addresses now (dual stacked). For example, Nmap.org can be found at 2600:3c01::f03c:91ff:fe96:967c.
Ncat now supports IPv6 addresses by default without the -6 flag. Additionally, Ncat listens on both ::1 and localhost when passed -l, or any other listening mode, unless a specific listening address is supplied.
Zenmap is our cross-platform (Linux, Windows, Mac OS X, etc.) Nmap GUI and results viewer. It aims to provide advanced features for experienced Nmap users while also making Nmap easier for beginners to use. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later, or even compared with one another to see how they differ. Our network topology viewer allows for interactive exploration of a network scanned with Nmap. While Zenmap already existed in Nmap 5.00, we've made many improvements since then:
Added a new script selection interface, allowing you to choose scripts and arguments from a list which includes descriptions of every available script. Just click the "Scripting" tab in the profile editor.
Localized most of the remaining strings in the GUI interface which were English-only. The actual textual Nmap results are still in English since they are produced by Nmap itself, but the GUI is now almost fully localized. Supported translations (so far) are Brazilian Portuguese, French, German, Hungarian, and Russian. Instructions for switching to a different language or even for writing and contributing your own translation are available here.
After performing or loading a scan, you can now filter results to just the hosts you are interested in by pressing Ctrl+L (or the "Filter Hosts" button) to open the host filtering interface. This makes it easy to select just Linux hosts, or those running a certain version of Apache, or whatever interests you. You can easily modify the filter or remove it to see the whole scan again. This feature is documented here.
We made a ton of performance improvements, as documented in the performance section of these release notes.
In Nmap's 15-year history, performance has always been a top priority. Whether scanning one target or a million, users want scans to run as fast as possible without sacrificing accuracy. Improvements since Nmap 5 include:
Nmap's --traceroute has been rewritten for better performance. Probes are sent in parallel to individual hosts, not just across all hosts as before. Trace consolidation is more sophisticated, allowing common traces to be identified sooner and fewer probes to be sent. The older traceroute could be very slow (taking minutes per target) if the target did not respond to the trace probes, and this new traceroute avoids that. In a trace of 110 hosts in a /24 over the Internet, the number of probes sent dropped 50% from 1565 to 743, and the time taken dropped 92% from 95 seconds to 7.6 seconds. Traceroute now uses an ICMP echo request probe if no working probes against the target were discovered during scanning.
Improved the Zenmap output viewer to show new output in constant time. Previously it would get slower and slower as the output grew longer, eventually making Zenmap appear to freeze with 100% CPU.
Greatly improved Zenmap's performance for large scans by benchmarking intensively and then re-coding dozens of slow parts. Time taken to load our benchmark file (a scan of just over a million IPs belonging to Microsoft corporation, with 74,293 hosts up) was reduced from hours to less than two minutes. Memory consumption decreased dramatically as well.
Improved OS detection performance by scaling congestion control increments by the response rate during OS scan, just as was done for port scan before.
Performed a memory consumption audit and made changes to dramatically reduce Nmap's footprint. This improves performance on all systems, but is particularly important when running Nmap on small embedded devices such as phones. Our intensive UDP scan benchmark saw peak memory usage decrease from 34MB to 6MB, while OS detection consumption was reduced from 67MB to 3MB. Full details were posted here, and the highlights are:
- The size of the internal representation of nmap-os-db was reduced more than 90%. Peak memory consumption in our OS detection benchmark was reduced from 67MB to 3MB.
- The size of individual Port structures without service scan results was reduced about 70%.
- When a port receives no response, Nmap now avoids allocating a Port structure at all, so scans against filtered hosts can be light on memory.
Nping is an open source tool for network packet generation, response analysis and response time measurement. Nping can generate network packets for a wide range of protocols, allowing users full control over protocol headers. While Nping can be used as a simple ping utility to detect active hosts, it can also be used as a raw packet generator for network stack stress testing, ARP poisoning, Denial of Service attacks, route tracing, etc. Nping's novel echo mode lets users see how packets change in transit between the source and destination hosts. That's a great way to understand firewall rules, detect packet corruption, and more.
Nping has a very flexible and powerful command-line interface that grants users full control over generated packets. Features include:
- Custom TCP, UDP, ICMP and ARP packet generation.
- Support for multiple target host specification.
- Support for multiple target port specification.
- Unprivileged modes for non-root users.
- Echo mode for advanced troubleshooting and discovery.
- Support for Ethernet frame generation.
- Support for IPv6 (currently experimental).
- Runs on Linux, Mac OS and MS Windows.
- Route tracing capabilities.
- Highly customizable.
- Free and open-source.
For a much more detailed introduction, you can read the Nping documentation (man page).
Keeping the Nmap project vibrant and productive (for developers and users) requires constant investment in our development. Our software and hardware from Nmap's early days in 1997 (or even Nmap 5 in 2009) just don't cut it any more. Improvements since Nmap 5 include:
We set up a new Subversion (SVN) source code revision control server for the Nmap codebase. This one uses SSL for better security, WebDAV rather than svnserve for greater functionality, is hosted on a faster (virtual) machine, provides Nmap code history back to 1998 rather than 2005, and removes the need for the special "guest" username. The new server is at https://svn.nmap.org/nmap and instructions on using it are available here.
Created a special wiki for Nmap development and community-generated documentation at SecWiki.Org.
One of the most successful pages on our new SecWiki.Org so far is our NSE script ideas page. If you have a good idea, post it to the incoming section of the page. Or if you're in a script writing mood but don't know what to write, come here for inspiration: https://secwiki.org/w/Nmap_Script_Ideas.
More than 3,000 Nmap users filled out a survey of their favorite (non-Nmap) tools, and we tabulated the results to launch a new version of our top tools site at SecTools.Org. It now includes user ratings and reviews, tracks release dates, offers searching and sorting, and even lets you nominate your own favorite tools. It's like a frickin' Yelp for security tools!
Ncat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat. It uses both TCP and UDP for communication and is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users. Ncat will not only work with IPv4 and IPv6 but provides the user with a virtually limitless number of potential uses.
Among Ncat’s vast number of features there is the ability to chainNcats together, redirect both TCP and UDP ports to other sites, SSLsupport, and proxy connections via SOCKS4 or HTTP (CONNECT method)proxies (with optional proxy authentication as well). Some generalprinciples apply to most applications and thus give you the capabilityof instantly adding networking support to software that would normallynever support it.
We made a number of great improvements to Ncat in Nmap 6:
Ncat now has configure-time ASCII art just like Nmap does:
             . .
            \`-"'"-'/
             } 6 6 {
            ==. Y ,==
              /^^^\  .
             /     \  )  Ncat: A modern interpretation of classic Netcat
            (  )-(  )/
             -""---""---
            /
           /   Ncat    \_/
          (     ____
           \_.=|____E
Created a portable version of ncat.exe that you can just drop onto Microsoft Windows systems without having to run any installer or copy over extra library files. See the Ncat page for binary downloads and a link to build instructions.
Updated Ncat's SSL certificate store (ca-bundle.crt), primarily to remove the epic fail known as DigiNotar.
Implemented basic SCTP support in client (connect) mode; server (listen) mode already existed. Only the default SCTP stream is used, which is also called TCP-compatible mode. While this allows Ncat to be used for manually probing open SCTP ports, more complicated services that use multiple streams or depend on specific message boundaries cannot be talked to successfully.
Implemented SSL over SCTP in both client (connect) and server (listen) modes.
We made dozens of portability changes to improve Nmap compilation and execution on Mac OS X 10.7; Solaris 9, 10, and 11; AIX 6.1 & 7.1; OpenSolaris; IBM ZLinux; Arch Linux; and many other platforms. Most of these are not listed here because you can read them by searching for your desired platform in the full CHANGELOG. But here are a few particularly interesting portability improvements:
Our Mac OS X packages are now x86-only (rather than universal), reducing the download size from 30 MB to about 17 MB. If you still need a PowerPC version (Apple stopped selling those machines in 2006), you can use Nmap 5.51 or 5.61TEST2 (available here).
Refactored the Nsock library to add the nsock-engines system. This allows system-specific scalable IO notification facilities to be used while maintaining the portable Nsock API. This initial version comes with an epoll-based engine for Linux and a select-based fallback engine for all other operating systems. Also added the --nsock-engine option to Nmap, Nping and Ncat to enforce use of a specific Nsock IO engine.
We no longer support Nmap on versions of Windows earlier than XP SP2. Even Microsoft no longer supports Windows versions that old. But if you must use Nmap on such systems anyway, we've provided some tips.
Thanks to fingerprint submissions from thousands of Nmap users around the world, our remote operating system detection system grew from 2,003 signatures in Nmap 5 to 3,572 now. These include the latest versions of Windows, Linux, and Mac OS X as well as more specialized entries such as oscilloscopes, ATM machines, employee timeclocks, DVRs, game consoles, and much more. Some of the newest fingerprints are for Apple iOS 5.01, OpenBSD 5.0, FreeBSD 9.0-PRERELEASE, and a ton of new WAPs, routers, and other devices.
In addition to more than 1,500 new fingerprints, we made several important performance improvements and bug fixes to the system.
The days when we could assume what was running on an open port based on the port number are long gone. These days, folks commonly run services on the "wrong" port numbers in order to defeat filtering policies, hide traffic, or work around various networking problems. Fortunately, Nmap's version detection system is able to interrogate the service listening on the open port and tell you the service running as well as (in many cases) the application name and version number. Nmap 5 had an impressive 5,512 signatures matching 511 protocols, but Nmap 6 improves that to 8,165 signatures for 862 protocols!
In addition to the pages of changes listed above, we made many improvements which defy simple categorization:
Added Common Platform Enumeration (CPE, http://cpe.mitre.org/) output for OS and service versions. This is a standard way to identify operating systems and applications so that Nmap can better interoperate with other software. Nmap's own (generally more comprehensive) taxonomy/classification system is still supported as well. Some OS and version detection results don't have CPE entries yet. CPE entries show up in normal output with the headings "OS CPE" and "Service Info":
    OS CPE: cpe:/o:linux:kernel:2.6.39
    Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
These also appear in XML output, which additionally has CPE entries for service versions.
Nmap now supports the old-school Gopher protocol thanks to our handy gopher-ls NSE script. We even support Gopher over IPv6!
Enabled the ASLR and DEP security technologies for Nmap.exe, Ncat.exe and Nping.exe on Windows Vista and above. Visual C++ will set the /DYNAMICBASE and /NXCOMPAT flags in the PE header. Executables generated using py2exe or NSIS and third party binaries (OpenSSL, WinPcap) still don't support ASLR or DEP. Support for DEP on XP SP3, using SetProcessDEPPolicy(), could still be implemented. [more details]
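The /DYNAMICBASE and /NXCOMPAT linker flags mentioned above end up as two bits in the DllCharacteristics field of the PE optional header, so whether a shipped nmap.exe, ncat.exe or nping.exe (or any third-party DLL beside them) actually opts into ASLR and DEP can be verified by reading that field. The following Python is an added example, not Nmap project code: pe_mitigations() walks the MZ/PE headers using the standard PE32 and PE32+ layouts, and build_fake_pe() constructs a header-only image purely so the check can run offline.

```python
import struct
import sys

# DllCharacteristics bits written by the linker flags named in the release notes.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # /DYNAMICBASE: image may be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # /NXCOMPAT: image is DEP compatible


def pe_mitigations(data: bytes) -> dict:
    """Report whether a PE image opts into ASLR and DEP.

    Walks MZ header -> e_lfanew -> "PE\\0\\0" -> COFF header -> optional header
    and reads DllCharacteristics, which sits at offset 70 of the optional
    header in both PE32 (magic 0x10b) and PE32+ (magic 0x20b).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (size_of_optional_header,) = struct.unpack_from("<H", data, coff + 16)
    if size_of_optional_header < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)
    if fmt is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_characteristics,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "format": fmt,
        "aslr": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dll_characteristics": dll_characteristics,
    }


def build_fake_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed header-only image for offline testing; not a runnable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # exactly 0x40 bytes
    opt_size = 240 if pe32plus else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # Magic
    struct.pack_into("<H", opt, 70, dll_characteristics)          # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # With file arguments, audit real binaries; without, show the constructed samples.
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, pe_mitigations(f.read()))
    if len(sys.argv) == 1:
        both = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
        print("hardened:", pe_mitigations(build_fake_pe(both)))
        print("legacy:  ", pe_mitigations(build_fake_pe(0, pe32plus=False)))
```

Run it as `python pe_mitigations.py nmap.exe ncat.exe nping.exe` to confirm the flags on an installed copy; a result with `aslr: False` on an executable that should have been built with /DYNAMICBASE is the kind of regression this check is meant to catch, and it applies equally to the bundled OpenSSL and WinPcap binaries the notes say are still unprotected.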
Nmap now determines the filesystem location it is being run from and that path is now included early in the search path for data files (such as nmap-services). This reduces the likelihood of needing to specify --datadir or getting data files from a different version of Nmap installed on the system. For full details, see the docs.
Made the final IP address space assignment update as all available IPv4 address blocks have now been allocated to the regional registries. Our random IP generation (-iR) logic now only excludes the various reserved blocks. Thanks to Kris Katterjohn for years of regular updates to this function!
The -V and --version options now show the platform Nmap was compiled on, which features are compiled in, the version numbers of libraries it is linked against, and whether the libraries are the ones that come with Nmap or the operating system.
Dramatically improved nmap.xsl (used for converting Nmap XML output to pretty HTML). You can find the newest copy of the file here and this is an example of rendered output.
Ports are now considered open during a SYN scan if a SYN packet (without the ACK flag) is received in response. This can be due to an extremely rare TCP feature known as a simultaneous open or split handshake connection. The nmap-dev discussion thread starts here.
When Nmap is passed a hostname such as google.com which resolves to several IP addresses, Nmap now prints each IP address. It still only scans the first one in the returned list unless you use the new resolveall NSE script.
Switched to -Pn and -sn as the preferred syntax for skipping ping scan and skipping port scan, respectively. Previously the -PN and -sP options were recommended. This establishes a more regular syntax for options that disable phases of a scan:
- -n disables reverse DNS
- -Pn disables host discovery (assumes all target hosts are up)
- -sn disables port scanning
We also felt that the old -sP ("ping scan") option was a bit misleading because current versions of Nmap can go much further (including -sC and --traceroute) even with port scans disabled. We will retain support for the previous option names for the foreseeable future.
Nmap now provides Christmas greetings and a reminder of Xmas scan (-sX) when run in verbose mode on December 25.
For some UDP ports, Nmap will now send a protocol-specific payload that is more likely to get a response than an empty packet is. This improves the effectiveness of probes to those ports for host discovery, and also makes an open port more likely to be classified open rather than open|filtered. The ports and payloads are defined in a new nmap-payloads file. We now have payloads for 19 services including DNS (port 53), snmp (161), isakmp (500), NFS (2049), etc.
Nmap now prefers to display the hostname supplied by the user instead of the reverse-DNS name in most places. If a reverse DNS record exists, and it differs from the user-supplied name, it is printed like this:
    Nmap scan report for www.google.com (74.125.53.103)
    rDNS record for 74.125.53.103: pw-in-f103.1e100.net
And in XML it looks like:
    <hostnames>
      <hostname name="openbsd.org" type="user"/>
      <hostname name="cvs.openbsd.org" type="PTR"/>
    </hostnames>
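Both the CPE entries described earlier and the user-supplied versus PTR hostname pair above land in Nmap's XML output, which is where an asset inventory or vulnerability-matching pipeline would consume them rather than scraping the normal output. As an added example (not part of the release notes or of the Nmap code base), here is a Python parser over a constructed document in the Nmap 6 XML layout; the address, ports and versions in the sample are made up, and `rdns_differs` flags the case the notes describe, where the name you asked for and the reverse record disagree.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the Nmap 6 XML layout (not real scan output): one host with a
# user-supplied name, a differing PTR record, two open services, one closed port
# and an OS match carrying a CPE.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="6.00">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames>
      <hostname name="openbsd.org" type="user"/>
      <hostname name="cvs.openbsd.org" type="PTR"/>
    </hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="5.9" method="probed" conf="10">
          <cpe>cpe:/a:openbsd:openssh:5.9</cpe>
        </service>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.22" method="probed" conf="10">
          <cpe>cpe:/a:apache:http_server:2.2.22</cpe>
        </service>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 2.6.39" accuracy="100">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="100">
          <cpe>cpe:/o:linux:kernel:2.6.39</cpe>
        </osclass>
      </osmatch>
    </os>
  </host>
</nmaprun>
"""

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.2 URI (the form Nmap 6 emits) into its named components.
    Only the components present in the string are returned."""
    if not cpe.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % cpe)
    return dict(zip(CPE_FIELDS, cpe[len("cpe:/"):].split(":")))


def inventory(xml_text: str) -> list:
    """One record per host: address, user/PTR names, OS CPEs and open services with CPEs."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address[@addrtype='ipv6']")
        names = {hn.get("type"): hn.get("name") for hn in host.iter("hostname")}
        user_name, ptr_name = names.get("user"), names.get("PTR")
        os_cpes = [c.text for os_el in host.findall("os") for c in os_el.iter("cpe")]
        services = []
        for port in host.findall("./ports/port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or state.get("state") != "open":
                continue  # only inventory what is actually reachable
            services.append({
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "name": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                "cpe": [c.text for c in svc.findall("cpe")] if svc is not None else [],
            })
        hosts.append({
            "address": addr.get("addr") if addr is not None else None,
            "user_name": user_name,
            "ptr_name": ptr_name,
            "rdns_differs": bool(user_name and ptr_name and user_name != ptr_name),
            "os_cpes": os_cpes,
            "services": services,
        })
    return hosts


if __name__ == "__main__":
    for h in inventory(SAMPLE_XML):
        print(h["address"], h["user_name"], "rDNS mismatch" if h["rdns_differs"] else "")
        for cpe in h["os_cpes"] + [c for s in h["services"] for c in s["cpe"]]:
            print("  ", parse_cpe(cpe))
```

Feed real output with `nmap -sV -O -oX scan.xml ...` and `inventory(open("scan.xml").read())`; the CPE dictionaries are what you would join against a vulnerability feed keyed on vendor/product/version, and a host with `rdns_differs` set is worth a second look before you trust either name in a report.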
The Ndiff man page was dramatically improved with examples and sample output. Ndiff is a handy tool for comparing two Nmap scans to find out about newly opened ports, service changes, etc.
Ndiff now shows changes in script (NSE) output for each target host (in both text output format and XML).
Nmap now generates IP addresses without duplicates (until you cycle through all the allowed IPs) in random target mode (-iR) thanks to a new collision-free 32-bit number generator in nbase_rnd.c. Details in their full mathematical glory are available here.
These are all just highlights from the full list of changes you can find in our CHANGELOG.
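The property the generator above delivers is that every 32-bit value comes out exactly once before anything repeats, which is what lets -iR avoid re-probing the same address. The following Python is an added illustration of one standard way to get that property, a linear congruential generator modulo 2^k whose multiplier and increment satisfy the Hull-Dobell conditions (increment odd, multiplier congruent to 1 mod 4); it is not Nmap's nbase_rnd.c, whose actual construction is on the linked page, and the demo runs at 16 bits so that it finishes instantly.

```python
import secrets


def hull_dobell_ok(a: int, c: int) -> bool:
    """For a power-of-two modulus 2^k, x -> (a*x + c) mod 2^k visits every residue
    exactly once per cycle (full period) iff c is odd and a = 1 (mod 4)."""
    return c % 2 == 1 and a % 4 == 1


def distinct_until_repeat(bits: int, a: int, c: int, seed: int = 0) -> int:
    """Count the distinct values the LCG emits from `seed` before one repeats.
    With a odd the map is a permutation, so this is the cycle length."""
    m = 1 << bits
    x, seen = seed % m, set()
    while x not in seen:
        seen.add(x)
        x = (a * x + c) % m
    return len(seen)


def unique_stream(bits: int = 32, seed=None):
    """Yield every integer in [0, 2^bits) exactly once, in a scrambled order.
    The multiplier and increment are drawn at random subject to Hull-Dobell, so each
    run walks the space in a different order. bits=32 yields 4,294,967,296 values."""
    m = 1 << bits
    a = (secrets.randbelow(m >> 2) << 2) | 1  # a = 1 (mod 4)
    c = secrets.randbelow(m) | 1               # odd increment
    assert hull_dobell_ok(a, c)
    x = secrets.randbelow(m) if seed is None else seed % m
    for _ in range(m):
        yield x
        x = (a * x + c) % m


if __name__ == "__main__":
    # Mod 16: a=3 violates Hull-Dobell and cycles after 8 values; a=5 covers all 16.
    print("a=3, c=1 mod 16 repeats after", distinct_until_repeat(4, 3, 1), "values")
    print("a=5, c=1 mod 16 repeats after", distinct_until_repeat(4, 5, 1), "values")
    vals = list(unique_stream(16))
    print("16-bit stream: %d values, %d distinct" % (len(vals), len(set(vals))))
```

The example is about coverage, not secrecy: an LCG's low bits are highly regular, so this construction is suitable for walking an address space without collisions, and would be the wrong tool for anything that needs unpredictable output.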
Moving Forward (Future Plans)
With this stable version out of the way, we are diving headfirst into the next development cycle. Many exciting features are in the queue, including:
An updater system for obtaining the latest NSE scripts, OS fingerprint updates, and other improvements in near real time.
To improve the user experience, we're adding various browser toolbars, search engine redirectors and associated adware to the Windows installer. Not! We'd never pull a sleazy CNET Download.com tactic, but it emphasizes why you should download Nmap from the true source—Nmap.Org.
High speed port scanning through http or socks proxies (or chains of proxies)
Even more NSE scripts to make the lives of network administrators and security practitioners easier. 348 scripts is impressive, but not enough.
You can read more of our short-term and longer-term plans from our public TODO list.
For the latest Insecure.Org and Nmap announcements, join the 98,875-member Nmap-hackers announcement list. Traffic rarely exceeds one message per month. Subscribe here or read the archives at SecLists.Org. To participate in Nmap development, join the (high traffic) nmap-dev list. You can also follow us on Twitter or Facebook.
Acknowledgments
A free open source scanner as powerful as Nmap is only possible thanks to the help of hundreds of developers and other contributors. We would like to acknowledge and thank the many people who contributed ideas and/or code since Nmap 5.00. Special thanks go out to:
Aaron Leininger, Aleksandar Nikolic, Aleksey Tyurin, Alexander Rudakov, Alexandru, Ambarisha B., Andrew Orr, Ange Gutek, Ankur Nandwani, Arturo Busleiman, Bernd Stroessenreuther, Bill Pollock, Brandon Enright, Brendan Coles, Carlos Pantelides, Chad Loder, Chris Woodbury, Cirrus, Colin Rice, Daniel J. Luke, Daniel Miller, Daniel Roethlisberger, David Fifield, Diman Todorov, Djalal Harouni, Dmitry Levin, Doug Hoyte, Dražen Popović, Dr. Jesus, Duarte Silva, Eddie Bell, Eugene V. Alexeev, Felix Groebert, Ferdy Riphagen, Frederik Schwarzer, Fyodor, Gabriel Lawrence, Gisle Vanem, Gorjan Petrovski, Hani Benhabiles, HD Moore, Henri Doreau, Jah, Jason DePriest, Jeff Nathan, Jesse Burns, jlanthea, Joao Correa, John R. Bond, Josh Marlow, Jost Krieger, Kirubakaran, Kris Katterjohn, KX, Lance Spitzner, Lauren Friedman, Lauri Kokkonen, Leslie Hawthorn, Luis MartinGarcia, Mak Kolybabi, Marek Majkowski, Mark Heuse, Martin Holst Swende, Matt Foster, Matthew Boyle, Matthew Flanagan, Matt Selsky, Micah Hoffman, Michael Kohl, Michael Pattrick, Michael Schierl, Mikael Keri, Mike Frysinger, Mudge, Nick Nikolaou, Niteesh Kumar, Olivier M, Olli Hauer, Patrick Donnelly, Patrik Karlsson, Paulino Calderon, Pavel Kankovsky, Philip Pickering, Piotr Olma, Rebellis, Riccardo Cecolin, Richard Sammet, riemann, Rob Nicholls, Ron Bowes, Ron Meldau, Russ Tait Milne, Sebastian Dragomir, Sebastian Prengel, Shinnok, Solar Designer, Sven Klemm, Thomas Buchanan, Tillmann Werner, Tom Sellers, Toni Ruottu, Vasiliy Kulikov, Venkat Sanaka, Vikas Singhal, Vladz, Vlatko Kosturjak, William Pursell, Xu Weilin
We would also like to thank the thousands of people who have submitted OS and service/version fingerprints, as well as everyone who has found and reported bugs or suggested features.
Special thanks go to Google, who has sponsored 59 students (total over the last 8 years) to spend a summer working on Nmap as part of Google's Summer of Code program. This summer, we have an impressive team of five students who have already started work!
Download and Updates
Nmap is available for download from https://nmap.org/download.html in source and binary form. Nmap is free, open source software (license).
To learn about Nmap announcements as they happen, subscribe to nmap-hackers! It is a very low volume (7 messages in 2011), moderated list for announcements about Nmap, Insecure.org, and related projects. You can join the 98,875 current subscribers by submitting your e-mail address below. Maybe you'll be the one to take us to 100,000 members!
Nmap-hackers is archived at SecLists.org and has an RSS feed. To participate in Nmap development, join the (high traffic) nmap-dev list as well.
You are also encouraged to join our Facebook page and follow our Twitter feed.
Direct questions or comments to Fyodor (fyodor@nmap.org). Report any bugs as described here.