Nmap Network Scanning

Contents:
- Preface
- Request for Comments
- TCP/IP Reference
- Chapter 1. Getting Started with Nmap
- Chapter 2. Obtaining, Compiling, Installing, and Removing Nmap
- Chapter 3. Host Discovery ("Ping Scanning")
- Chapter 4. Port Scanning Overview
- Chapter 5. Port Scanning Techniques and Algorithms
- Chapter 6. Optimizing Nmap Performance
- Chapter 7. Service and Application Version Detection
- Chapter 8. Remote OS Detection
- Chapter 9. Nmap Scripting Engine
- Chapter 10. Detecting and Subverting Firewalls and Intrusion Detection Systems
- Chapter 11. Defenses Against Nmap
- Chapter 12. Zenmap GUI Users' Guide
- Chapter 13. Nmap Output Formats
- Chapter 14. Understanding and Customizing Nmap Data Files
- Chapter 15. Nmap Reference Guide
- Appendix A. Nmap XML Output DTD
- Index
Preface: Acknowledgements

When I first floated the idea of writing an Nmap book to the nmap-hackers mailing list, I was inundated with suggestions and offers to help. This outpouring of enthusiasm convinced me to proceed. My complete naivety about how much work was involved also contributed to my decision. It has been quite an undertaking, but what kept me going chapter by chapter was a private review group called the nmap-writers. They provided invaluable feedback, advice, and detailed review notes throughout the process. In particular, I would like to thank the following people:

* David Fifield is listed first (everyone else is alphabetical) because he was a tremendous help during the book writing process. He solved a number of technical DocBook problems, created many of the final illustrations from my terrible drafts, dramatically improved the index, helped with proofreading, and even wrote Chapter 12, Zenmap GUI Users' Guide.
* Matt Baxter allowed the use of his beautiful TCP/IP header diagrams (in the section called "TCP/IP Reference"). Several other diagrams in this book were done in that style to match.
* Saurabh Bhasin contributed detailed feedback on a regular basis.
* Mark Brewis could always be counted on for good advice.
* Ellen Colombo was a big help from the beginning.
* Patrick Donnelly helped improve Chapter 9, Nmap Scripting Engine.
* Brandon Enright printed out the whole book and reviewed it chapter by chapter.
* Brian Hatch has always been a big help.
* Loren Heal was a continual source of ideas.
* Lee "MadHat" Heath wrote the section called "MadHat in Wonderland" and also an early version of the section called "Grepable Output (-oG)".
* Dan Henage provided advice and proofread numerous chapters.
* Tor Houghton reviewed every chapter, probably giving me more feedback than anyone else.
* Doug Hoyte documented the many Nmap features he added, and also handled most of the book indexing.
* Marius Huse Jacobsen reviewed many chapters, providing detailed feedback.
* Kris Katterjohn performed thorough reviews of several chapters.
* Eric Krosnes sent useful technical review feedback and also regularly nagged me about book progress. This was helpful since I didn't have a traditional editor to do so.
* Vlad Alexa Mancini created the Nmap eye logo for the cover (and the Nmap web site).
* Michael Naef kindly reviewed many chapters.
* Bill Pollock of No Starch Press was always happy to provide advice and answer book publishing questions based on his decades of experience.
* David Pybus was one of the most frequent contributors of ideas and proofreading.
* Tyler Reguly helped by reviewing multiple chapters just when it was most needed.
* Chuck Sterling provided both high level advice and detailed proofreading of several chapters.
* Anders Thulin provided detailed reviews of many chapters.
* Bennett Todd sent dozens of suggestions.
* Diman Todorov wrote an initial draft of Chapter 9, Nmap Scripting Engine.
* Catherine Tornabene read many chapters and sent extremely detailed feedback.

Technology Used to Create This Book

As an author of open source tools myself, I'm a big believer in their power and capability. So I made an effort to use them wherever possible in creating this book. I wasn't about to write it in Microsoft Word and then handle layout with Adobe FrameMaker!

Nmap Network Scanning was written with the GNU Emacs text editor in the DocBook XML format. The free online chapters are created from the XML using Norman Walsh's XSL Stylesheets and the xsltproc XSL processor. The print version also uses Norman's stylesheets and xsltproc, but the output is to the XSL-FO format. An XSL-FO processor is then used to build a PDF. I would like to use Apache FOP for this, but a footnote-related bug prevents this, so I switched to the RenderX XEP Engine. XEP is proprietary, but at least it runs on Linux. I hope to switch back to FOP after the footnote bug is fixed.

Cover layout was done with Scribus and (due to printing company format requirements) Adobe InDesign. Raster graphics for the cover and internal illustrations were created with The Gimp, while Inkscape was used for vector graphics. Subversion was used for revision control and the free web chapters are served by Apache httpd.
Appendix A. Nmap XML Output DTD

Purpose

This document type definition (DTD) is used by XML parsers to validate Nmap XML output. The latest version is always available at http://nmap.org/data/nmap.dtd. While it is primarily intended for programmatic use, it is included here because of its value in helping humans interpret Nmap XML output. The DTD defines the legal elements of the format, and often enumerates the attributes and values they can take on. Using the DTD is discussed further in the section called "XML Output (-oX)".

Preface: Conventions

Nmap output is used throughout this book to demonstrate principles and features. The output is often edited to cut out lines which are irrelevant to the point being made. The dates/times and version numbers printed by Nmap are generally removed as well, since some readers find them distracting. Sensitive information such as hostnames, IP addresses, and MAC addresses may be changed or removed. Other information may be cut or lines wrapped so that they fit on a printed page. Similar editing is done for the output of other applications. Example 1 gives a glimpse at Nmap's capabilities while also demonstrating output formatting.

Example 1. A typical Nmap scan

    # nmap -A -T4 scanme.nmap.org

    Starting Nmap ( http://nmap.org )
    Interesting ports on scanme.nmap.org (64.13.134.52):
    Not shown: 994 filtered ports
    PORT    STATE  SERVICE VERSION
    22/tcp  open   ssh     OpenSSH 4.3 (protocol 2.0)
    25/tcp  closed smtp
    53/tcp  open   domain  ISC BIND 9.3.4
    70/tcp  closed gopher
    80/tcp  open   http    Apache httpd 2.2.2 ((Fedora))
    |_ HTML title: Go ahead and ScanMe!
    113/tcp closed auth
    Device type: general purpose
    Running: Linux 2.6.X
    OS details: Linux 2.6.20-1 (Fedora Core 5)

    TRACEROUTE (using port 80/tcp)
    HOP RTT   ADDRESS
    [Cut first seven hops for brevity]
    8   10.59 so-4-2-0.mpr3.pao1.us.above.net (64.125.28.142)
    9   11.00 metro0.sv.svcolo.com (208.185.168.173)
    10  9.93  scanme.nmap.org (64.13.134.52)

    Nmap done: 1 IP address (1 host up) scanned in 17.00 seconds

Special formatting is provided for certain tokens, such as filenames and application commands. Table 1 demonstrates the most common formatting conventions.

Table 1. Formatting style conventions

    Token type             Example
    ---------------------  ------------------------------------------------------------------------
    Literal string         I get much more excited by ports in the open state than those reported
                           as closed or filtered.
    Command-line options   One of the coolest, yet least understood Nmap options is --packet-trace.
    Filenames              Follow the -iL option with the input filename such as
                           C:\net\dhcp-leases.txt or /home/h4x/hosts-to-pwn.lst.
    Emphasis               Using Nmap from your work or school computer to attack banks and
                           military targets is a bad idea.
    Application commands   Trinity scanned the Matrix with the command nmap -v -sS -O 10.2.2.2.
    Replaceable variables  Let be the machine running Nmap and be microsoft.com.

Chapter 14. Understanding and Customizing Nmap Data Files: Files Related to Scripting

The scripts used by the Nmap Scripting Engine may be considered another kind of data file. Scripts are stored in a scripts subdirectory of one of the directories listed in the section called "Using Customized Data Files". The name of each script file ends in .nse. For all the details on scripts see Chapter 9, Nmap Scripting Engine.

All of the files in the script directory are executable scripts, except for one: script.db. This file is a plain-text cache of which categories each script belongs to. It should not be edited directly; use the --script-updatedb option instead.

Each of NSE's extension modules (see the section called "NSE Libraries") is stored in one of two places. Pure Lua extensions are kept in the nselib subdirectory of the Nmap data directory, normally the same one scripts is in.
This is where modules like shortport and stdnse are kept, in files whose names end in .lua.

Chapter 14. Understanding and Customizing Nmap Data Files: Using Customized Data Files

Any or all of the Nmap data files may be replaced with versions customized to the user's liking. They can only be replaced in whole; you cannot specify changes that will be merged with the original files at runtime. When Nmap looks for each file, it searches by name in many directories and selects the first one found. This is analogous to the way your Unix shell finds programs you ask to execute by searching through the directories in your PATH one at a time in order. The following list gives the Nmap directory search order. It shows that an nmap-services found in the directory specified by --datadir will be used in preference to one found in ~/.nmap/ because the former is searched first.

Nmap data file directory search order

1. If the --datadir option was specified, check the directory given as its argument.
2. If the NMAPDIR environment variable is set, check that directory.
3. If Nmap is not running on Windows, search in ~/.nmap of the user running Nmap. It tries the real user ID's home directory, and then the effective UID's if they differ.
4. If Nmap is running on Windows, check the directory in which the Nmap binary resides.
5. Check the compiled-in NMAPDATADIR directory. That value is defined as c:\nmap on Windows, and <$prefix>/share/nmap on Unix. <$prefix> is /usr/local for the default source build and /usr for the Linux RPMs. The <$prefix> can be changed by giving ./configure the --prefix option when compiling the source.
6. As a last resort, the current working directory of your shell (.) is tried. This is done last for the same security reasons that . should not appear first on your shell execution PATH. On a shared system, a malicious user could place bogus data files in a shared directory such as /tmp. Those files could be malformed, causing Nmap to complain and exit, or they could cause Nmap to skip important ports. If Nmap tried . first, other users who happened to run Nmap in that shared directory would get the bogus versions. This could also happen by accident if you inadvertently ran Nmap in a directory that happened to have a file named nmap-services (or one of the other ones). Users who really want Nmap to try the current directory early may set the environment variable NMAPDIR to . at their own risk.

This list shows the many choices users have when deciding how to replace a file with their own customized version. The option I usually recommend is to place the customized files in a special directory named appropriately for the change. For example, an nmap-services stripped to contain just the hundred most common ports could be placed in ~/nmap-fewports. Then specify this directory with the --datadir option. This ensures that the customized files are only used intentionally. Since the Nmap output-to-file formats include the Nmap command-line used, you will know which files were used when reviewing the logs later.
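As an added illustration of building the kind of trimmed nmap-services described above (this is example code written for this page, not part of the book or of Nmap), the following Python script parses the nmap-services format, keeps the N ports with the highest open-frequency, and writes the result into a directory intended to be passed with --datadir. It assumes the line layout `<service name> <port>/<protocol> <open-frequency> [# comment]` that nmap-services has used since the port-frequency data was added in Nmap 4.75. The excerpt in SAMPLE_NMAP_SERVICES is constructed for the example and its frequencies are illustrative, not copied from the real file. Malformed lines are rejected rather than skipped, because a silently truncated nmap-services shrinks the default port list with no warning, which is exactly the failure mode the book warns about for bogus data files.

```python
"""Build a trimmed nmap-services holding only the N most common ports.

Added example, not part of Nmap or the book. Assumed line format (Nmap >= 4.75):

    <service name> <port>/<protocol> <open-frequency> [# comment]

Lines starting with '#' are comments.
"""
import re
from pathlib import Path

# Constructed excerpt in nmap-services format; frequencies are illustrative only.
SAMPLE_NMAP_SERVICES = """\
# Fields in this file: <service name> <portnum>/<protocol> <openfrequency> [<comment>]
http\t80/tcp\t0.484143\t# World Wide Web HTTP
telnet\t23/tcp\t0.221265
https\t443/tcp\t0.208669\t# secure http (SSL)
ftp\t21/tcp\t0.197667\t# File Transfer [Control]
ssh\t22/tcp\t0.182286\t# Secure Shell Login
smtp\t25/tcp\t0.131314\t# Simple Mail Transfer
domain\t53/udp\t0.213496\t# Domain Name Server
snmp\t161/udp\t0.433467\t# Simple Net Mgmt Proto
gopher\t70/tcp\t0.002281
finger\t79/tcp\t0.006022
"""

# name, port, protocol, open-frequency, optional trailing comment
LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp|sctp)\s+([0-9.]+)(?:\s+#\s*(.*))?\s*$")


def parse_services(text):
    """Return (name, port, proto, freq, comment) tuples, skipping blank and comment lines.

    A malformed data line raises ValueError so that a broken custom file is noticed
    instead of quietly dropping ports from the scan."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"nmap-services line {lineno} is malformed: {line!r}")
        name, port, proto, freq, comment = m.groups()
        entries.append((name, int(port), proto, float(freq), comment or ""))
    return entries


def top_ports(entries, n, proto=None):
    """The n entries with the highest open-frequency, optionally restricted to one protocol."""
    pool = [e for e in entries if proto is None or e[2] == proto]
    return sorted(pool, key=lambda e: e[3], reverse=True)[:n]


def format_services(entries):
    """Serialize entries back into nmap-services syntax, with a header marking the file as custom."""
    lines = ["# Trimmed nmap-services (custom file; select it with --datadir)"]
    for name, port, proto, freq, comment in entries:
        line = f"{name}\t{port}/{proto}\t{freq:.6f}"
        if comment:
            line += f"\t# {comment}"
        lines.append(line)
    return "\n".join(lines) + "\n"


def write_fewports(src_text, dest_dir, n):
    """Write a trimmed nmap-services into dest_dir (e.g. ~/nmap-fewports); returns its path."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    out = dest / "nmap-services"
    out.write_text(format_services(top_ports(parse_services(src_text), n)))
    return out


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        path = write_fewports(SAMPLE_NMAP_SERVICES, Path(tmp) / "nmap-fewports", 5)
        print(path.read_text())
        # Real use: feed it the installed file, then run
        #   nmap --datadir ~/nmap-fewports -sS target
```

In real use you would pass the installed file's contents (for example from /usr/local/share/nmap/nmap-services) instead of the embedded sample, and because the --datadir argument is recorded in Nmap's output files, a later reader of the logs can tell that the reduced port list was in effect.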
Another option is to simply edit the original in NMAPDATADIR. This is rarely recommended, as the edited file will likely be overwritten the next time Nmap is upgraded. Additionally, this makes it hard to use the original files if you suspect that your replacements are causing a problem. This also makes it difficult to compare your version with the original to recall what you changed.

A third option is to place the customized files in your Unix ~/.nmap directory. Of course you should only insert files that you have changed. The others will still be retrieved from NMAPDATADIR as usual. This is very convenient, as Nmap will use the customized files implicitly whenever you run it. That can be a disadvantage as well. Users sometimes forget the files exist. When they upgrade Nmap to a version with newer data files, the old copies in ~/.nmap will still be used, reducing the quality of results.

Setting the NMAPDIR environment variable to the directory with files is another alternative. This can be useful when testing a new version of Nmap. Suppose you obtain Nmap version 4.68, notice the huge list of changes, and decide to test it out before replacing your current known-working version. You might compile it in ~/src/nmap-4.68, but execute it there and Nmap tries to read the data files from /usr/local/share/nmap. Those are the old versions, since Nmap 4.68 has not yet been installed. Simply set NMAPDIR to ~/src/nmap-4.68, test to your heart's content, and then perform the make install. A disadvantage to using NMAPDIR regularly is that the directory name is not recorded in Nmap output files like it is when --datadir is used instead.
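To make the precedence rules in this section concrete, here is an added Python model of the search order. It is example code written for this page, not Nmap's own lookup code, and it works on a constructed table of which files exist in which directories rather than touching the filesystem. With it you can check, for instance, that a bogus nmap-os-db planted in the working directory loses to the copy under NMAPDATADIR unless NMAPDIR is set to `.`, and that ~/.nmap is consulted for both the real and the effective UID. The Environment fields, the directory names and the SAMPLE_LAYOUT are all assumptions made for the illustration.

```python
"""Model of Nmap's data-file directory search order (added example, not Nmap code).

Reproduces the six steps from the book: --datadir, NMAPDIR, ~/.nmap for the real and
effective UIDs (Unix) or the binary's directory (Windows), the compiled-in NMAPDATADIR,
and finally the shell's current working directory.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Environment:
    """Constructed model of the inputs Nmap consults. `present` maps a directory to the
    data-file names found in it; the other fields stand in for options and environment."""
    present: Dict[str, Set[str]]
    datadir: Optional[str] = None            # --datadir argument
    nmapdir: Optional[str] = None            # NMAPDIR environment variable
    real_home: Optional[str] = None          # home directory of the real UID
    effective_home: Optional[str] = None     # home of the effective UID (differs under setuid/sudo)
    windows: bool = False
    exe_dir: str = "C:\\Program Files\\Nmap"          # directory holding nmap.exe (Windows only)
    compiled_datadir: str = "/usr/local/share/nmap"   # NMAPDATADIR for a default source build
    cwd: str = "/tmp"                                 # the shell's current working directory


def search_order(env: Environment) -> List[str]:
    """Directories in the order Nmap tries them. The working directory is always last;
    an explicit NMAPDIR=. is the only way to move it earlier."""
    dirs: List[str] = []
    if env.datadir:
        dirs.append(env.datadir)
    if env.nmapdir:
        dirs.append(env.cwd if env.nmapdir == "." else env.nmapdir)
    if env.windows:
        dirs.append(env.exe_dir)
    else:
        for home in (env.real_home, env.effective_home):
            if home:
                candidate = f"{home}/.nmap"
                if candidate not in dirs:   # real and effective UID are usually the same user
                    dirs.append(candidate)
    dirs.append(env.compiled_datadir)
    dirs.append(env.cwd)
    return dirs


def find_data_file(env: Environment, name: str) -> Optional[str]:
    """Directory whose copy of `name` Nmap would load, or None if no directory has it."""
    for directory in search_order(env):
        if name in env.present.get(directory, set()):
            return directory
    return None


# Constructed layout: a trimmed nmap-services in a --datadir directory, a custom probe
# file in ~/.nmap, the stock files under NMAPDATADIR, and bogus copies left in /tmp.
SAMPLE_LAYOUT: Dict[str, Set[str]] = {
    "/home/alice/nmap-fewports": {"nmap-services"},
    "/home/alice/.nmap": {"nmap-service-probes"},
    "/usr/local/share/nmap": {"nmap-services", "nmap-service-probes", "nmap-os-db"},
    "/tmp": {"nmap-services", "nmap-os-db"},
}


if __name__ == "__main__":
    env = Environment(SAMPLE_LAYOUT, datadir="/home/alice/nmap-fewports", real_home="/home/alice")
    for name in ("nmap-services", "nmap-service-probes", "nmap-os-db", "nmap-protocols"):
        print(f"{name:20} -> {find_data_file(env, name)}")
    # With NMAPDIR=. the planted /tmp/nmap-os-db wins, which is the risk the book describes.
    risky = Environment(SAMPLE_LAYOUT, nmapdir=".", real_home="/home/alice")
    print("nmap-os-db with NMAPDIR=. ->", find_data_file(risky, "nmap-os-db"))
```

The model also makes the NMAPDIR caveat visible: the directory it names is searched second, ahead of ~/.nmap and NMAPDATADIR, but nothing in the scan output records that it was set, whereas a --datadir choice shows up in the saved command line.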
Chapter 14. Understanding and Customizing Nmap Data Files: Introduction

Nmap relies on seven data files for port scanning and other operations, all of which have names beginning with nmap-. One example is nmap-services, a registry of port names to their corresponding port number and protocol. The others, which this chapter describes one by one, are nmap-service-probes (version detection probe database), nmap-rpc (SunRPC program name to number database for direct RPC scanning), nmap-os-db (OS detection database), nmap-payloads (protocol-specific UDP payloads), nmap-mac-prefixes (Ethernet MAC address prefix (OUI) to vendor lookup table), and nmap-protocols (list of IP protocols for protocol scan). Additionally this chapter covers certain files related to scripting with the Nmap Scripting Engine.

The source distribution installs these files in /usr/local/share/nmap/ and the official Linux RPMs put them in /usr/share/nmap/. Other distributions may install them elsewhere. The latest versions of these files are kept at http://nmap.org/data/, though it is strongly recommended that users upgrade to the most recent Nmap version rather than grabbing newer data files à la carte. There are no guarantees that newer files will work with older versions of Nmap (though they almost always do), and the resulting Frankenstein versions of Nmap can confuse the operating system and service fingerprint submission process.

Most users never change the data files, but it can be handy for advanced users who might want to add a version fingerprint or port assignment for a custom daemon running at their company. This chapter provides a description of each file and how it is commonly changed. The general mechanism for replacing Nmap data files with custom versions is then discussed. A couple of the files don't relate to port scanning directly, but they are all discussed here for convenience.

Chapter 11. Defenses Against Nmap

This chapter is not available in the free online edition of Nmap Network Scanning; it appears only in the printed book.
Port Scanning Techniques and Algorithms Chapter 6. Optimizing Nmap Performance Chapter 7. Service and Application Version Detection Chapter 8. Remote OS Detection Chapter 9. Nmap Scripting Engine Chapter 10. Detecting and Subverting Firewalls and Intrusion Detection Systems Chapter 11. Defenses Against Nmap Chapter 12. Zenmap GUI Users' Guide Chapter 13. Nmap Output Formats Chapter 14. Understanding and Customizing Nmap Data Files Chapter 15. Nmap Reference Guide Appendix A. Nmap XML Output DTD Index The History and Future of Nmap Prev  Chapter 1. Getting Started with Nmap  Next The History and Future of Nmap Many ancient and well loved security tools, such as Netcat, tcpdump, and John the Ripper, haven't changed much over the years. Others, including Nessus, Wireshark, Cain and Abel, and Snort have been under constant development since the day they were released. Nmap is in that second category. It was released as a simple Linux-only port scanner in 1997. Over the next 10+ years it sprouted a myriad of valuable features, including OS detection, version detection, the Nmap Scripting Engine, a Windows port, a graphical user interface, and more. This section provides a timeline of the most important events over a decade of Nmap history, followed by brief predictions on the future of Nmap. For all significant Nmap changes (thousands of them), read the Nmap Changelog. Old releases of Nmap can be found at http://nmap.org/dist/, and ancient versions at http://nmap.org/dist-old/. * September 1, 1997 â Nmap is first released in Phrack Magazine Issue 51, article 11. It doesn't have a version number because new releases aren't planned. Nmap is about 2,000 lines long, and compilation is as simple as gcc -O6 -o nmap nmap.c -lm. * September 5, 1997 â Due to popular demand, a slightly modified version of the Phrack code is released, calling itself version 1.25. The gzipped tarball is 28KB. Version 1.26 (48KB) is released 19 days later. 
* January 11, 1998 â Insecure.Org is registered and Nmap moves there from its previous home at the DataHaven Project ISP. * March 14, 1998 â Renaud Deraison writes to inform me that he is writing a security scanner, and asks if he can use some Nmap source code. Of course I say yes. Nine days later he sends me a pre-release version of Nessus, noting that it âis designed for sysadmins, not 3l33t H4ck3rZâ. * September 1, 1998 â Inspired by Nmap's first anniversary, I begin work on adding remote OS detection for the upcoming Nmap 2.00. On October 7 I release the first private beta version to a handful of top Nmap developers. We quietly work on this for several months. * December 12, 1998 â Nmap version 2.00 is publicly released, introducing Nmap OS detection for the first time. An article describing the techniques was released in Phrack 54, Article 9. By this point Nmap is broken up into many files, consists of about 8,000 lines of code, is kept in a private CVS revision control system, and the tarball size is 275KB. The nmap-hackers mailing list is started, and later grows to more than 55,000 members. * April 11, 1999 â Nmap 2.11BETA1 is released. This is the first version to contain a graphical user interface as an alternative to the traditional command-line usage. The bundled Unix-only GUI named NmapFE was originally written by Zach Smith. Some people like it, but most prefer command-line execution. * April 28, 2000 â Nmap 2.50 is released. By this point the tarball has grown to 461KB. This release includes timing modes such as -T aggressive, direct SunRPC scanning, and Window and ACK scan methods. * May 28, 2000 â Gerhard Rieger sends a message to the nmap-dev list describing a new âprotocol scanâ he has developed for Nmap, and he even includes a patch. This is so cool that I release Nmap 2.54BETA1 with his patch less than 12 hours later. * December 7, 2000 â Nmap 2.54BETA16 is released as the first official version to compile and run on Microsoft Windows. 
The Windows porting work was done by Ryan Permeh and Andy Lutomirski. * July 9, 2001 â The Nmap IP ID idle scan is introduced with Nmap 2.54BETA26. A paper describing the technique is released concurrently. This extremely cool (though not always practical) scan technique is described in the section called âTCP Idle Scan (-sI)â. * July 25, 2002 â I quit my job at Netscape/AOL and start my dream job working on Nmap full time. * July 31, 2002 â Nmap 3.00 is released. The tarball is 922K. This release includes Mac OS X support, XML output, and uptime detection. * August 28, 2002 â Nmap is converted from C to C++ and IPv6 supported is added as part of the Nmap 3.10ALPHA1 release. * May 15, 2003 â Nmap is featured in the movie The Matrix Reloaded, where Trinity uses it (followed by a real SSH exploit) to hack a power station and save the world. This leads to more publicity for Nmap than it had ever seen before or has seen since then. Details and screen shots are available at http://nmap.org/movies.html. * July 21, 2003 â I finish a first implementation of Nmap service/version detection (Chapter 7, Service and Application Version Detection) and release it to a couple dozen top Nmap developers and users as Nmap 3.40PVT1. That is followed up by 16 more private releases over the next couple months as we improve the system and add signatures. * September 16, 2003 â Nmap service detection is finally released publicly as part of Nmap 3.45. A detailed paper is released concurrently. * February 20, 2004 â Nmap 3.50 is released. The tarball is now 1,571KB. SCO Corporation is banned from redistributing Nmap because they refuse to comply with the GPL. They have to rebuild their Caldera release ISOs to remove Nmap. This release includes the packet tracing and UDP ping options. It also includes the OS classification system which classifies each of the hundreds of detected operating systems by vendor name, operating system name, OS generation, and device type. 
* August 31, 2004 â The core Nmap port scanning engine is rewritten for Nmap 3.70. The new engine, named ultra_scan features dramatically improved algorithms and parallelization support to improve both accuracy and speed. The differences are particularly dramatic for hosts behind strict firewalls. * June 25, 2005 â Google sponsors 10 college and graduate students to work on Nmap full time for the summer as part of Google's Summer of Code initiative. Projects include a second generation OS detection system (Zhao Lei), a new cross-platform GUI named Umit (Adriano Monteiro Marques), and many other cool projects described at http://seclists.org/nmap-hackers/2005/8. * September 8, 2005 â Nmap gains raw ethernet frame sending support with the release of version 3.90. This allows for ARP scanning (see the section called âARP Scan (-PR)â) and MAC address spoofing as well as evading the raw IP packet ban introduced by Microsoft in Windows XP SP2. * January 31, 2006 â Nmap 4.00 is released. The tarball is now 2,388KB. This release includes runtime interaction to provide on-demand completion estimates, a Windows executable installer, NmapFE updates to support GTK2, and much more. * May 24, 2006 â Google sponsors 10 more Nmap summer developers as part of their SoC program. Zhao and Adriano return as part of 2006 SoC to further develop their respective projects. Diman Todorov is sponsored to help develop the Nmap Scripting Engines. These and seven other talented students and their projects are described at http://seclists.org/nmap-hackers/2006/9. * June 24, 2006 â After two years of development and testing, the 2nd generation OS detection system is integrated into Nmap 4.20ALPHA1. This new system is based on everything we've learned and the new ideas we've conceived since the 1st generation system debuted 8 years earlier. After a bit of time to grow the DB, the new system proves much more accurate and granular than the old one. It is described in Chapter 8, Remote OS Detection. 
* December 10, 2006: The Nmap Scripting Engine is released as part of Nmap 4.21ALPHA1. NSE allows users to write (and share) simple scripts to automate a wide variety of networking tasks. The system is a huge success, and is described in Chapter 9, Nmap Scripting Engine.
* December 20, 2006: Nmap's Subversion source code repository opens to the public. Until this time, only a handful of developers had access to the private source repository. Everyone else had to wait for releases. Now everyone can follow Nmap development day by day. There is even an nmap-svn mailing list providing real-time change notification by email. Details are provided in the section called "Obtaining Nmap from the Subversion (SVN) Repository".
* May 28, 2007: Google sponsors six summer Nmap developers as part of their SoC program. Meanwhile, Adriano's Umit GUI for Nmap is approved as an independent program for SoC sponsorship. Among the sponsored students was David Fifield, who continued long after the summer ended and became one of Nmap's top developers. The Nmap students and their projects are listed at http://seclists.org/nmap-hackers/2007/3.
* June 27, 2007: Die Hard 4: Live Free or Die Hard is released in theaters. It includes a brief scene of hacker Matthew Farrell (Justin Long) demonstrating his Nmap skills. Then he leaves his computer to join Bruce Willis in fighting a diabolical terrorist mastermind. One week later, The Bourne Ultimatum is released and also contains an Nmap scene! The CIA uses Nmap in this movie to hack a newspaper's mail server and read the email of a reporter they assassinated (nice guys)! Screen shots of Nmap movie cameos are all available on the Nmap movies page.
* July 8, 2007: The Umit graphical front end is improved and integrated into the Nmap 4.22SOC1 release for testing. Umit is later renamed to Zenmap, and the venerable NmapFE GUI is removed. Zenmap is covered in Chapter 12, Zenmap GUI Users' Guide.
* December 13, 2007: Nmap 4.50 is released to celebrate Nmap's 10th anniversary!
* June 1, 2008: Nmap 4.65 is released and includes, for the first time, an executable Mac OS X installer. The Nmap source tarball is now four megabytes. This release includes 41 NSE scripts, 1,307 OS fingerprints, and 4,706 version detection signatures.
* August 18, 2008: The Nmap project completes its fourth Summer of Code, with our highest success percentage ever (six out of seven sponsored students). They greatly improved Zenmap, the Nmap Scripting Engine, OS detection, and Ncat, as described at http://seclists.org/nmap-dev/2008/q4/193.
* September 8, 2008: Nmap 4.75 is released with almost 100 significant improvements over 4.68. These include the Zenmap network topology and scan aggregation features (see Chapter 12, Zenmap GUI Users' Guide). It also includes port-frequency data from my Worldscan project, which I presented at Black Hat and Defcon in August.

While it is easy to catalogue the history of Nmap, the future is uncertain. Nmap didn't start off with any grand development plan, and most of the milestones in the preceding timeline were not planned more than a year in advance. Instead of trying to predict the shape of the Internet and networking way out in the future, I closely study where it is now and decide what will be most useful for Nmap now and in the near future. So I have no idea where Nmap will be 10 years from now, though I expect it to be as popular and vibrant as ever. The Nmap community is large enough that we will be able to guide Nmap wherever it needs to go. Nmap has faced curve balls before, such as the sudden removal of raw packet support in Windows XP SP2, dramatic changes in network filtering practices and technology, and the slow emergence of IPv6. Each of those required significant changes to Nmap, and we'll have to do the same to embrace or at least cope with networking changes in the future.
While the 10-year plan is up in the air, the coming year is easier to predict. As exciting as big new features are, they won't be a focus. None of us want to see Nmap get bloated and disorganized. So this will be a year of consolidation. The Zenmap and NSE systems are not as mature as the rest of Nmap, so improving these is a big priority. New NSE scripts are great because they extend Nmap's functionality without the stability risks of incorporating new source code into Nmap proper. Meanwhile, Zenmap needs usability and stability improvements, as well as better results visualization. Another focus is the Nmap web site, which will become more useful and dynamic. A web discussion system, Nmap demo site, and wiki are planned.

Nmap may also grow in its ability to handle web scanning. When Nmap was first developed, different services were often provided as separate daemons identified by the port number they listen on. Now, many new services simply run over HTTP and are identified by a URL path name rather than port number. Scanning for known URL paths is similar in many ways to port scanning (and to the SunRPC scanning which Nmap has also done for many years). Nmap already does some web scanning using the Nmap Scripting Engine (see Chapter 9, Nmap Scripting Engine), but it would be faster and more efficient if basic support was built into Nmap itself.

Some of the coolest Nmap features in the past, such as OS detection and version scanning, were developed in secret and given a surprise release. You can expect more of these in coming years because they are so much fun!
TCP Idle Scan (-sI)

Note: Volunteers have translated this section into Spanish and Portuguese (Brazil).

In 1998, security researcher Antirez (who also wrote the hping2 tool frequently used in this book) posted to the Bugtraq mailing list an ingenious new port scanning technique. Idle scan, as it has become known, allows for completely blind port scanning. Attackers can actually scan a target without sending a single packet to the target from their own IP address! Instead, a clever side-channel attack allows for the scan to be bounced off a dumb "zombie host". Intrusion detection system (IDS) reports will finger the innocent zombie as the attacker. Besides being extraordinarily stealthy, this scan type permits discovery of IP-based trust relationships between machines.

While idle scanning is more complex than any of the techniques discussed so far, you don't need to be a TCP/IP expert to understand it. It can be put together from these basic facts:

* One way to determine whether a TCP port is open is to send a SYN (session establishment) packet to the port. The target machine will respond with a SYN/ACK (session request acknowledgment) packet if the port is open, and RST (reset) if the port is closed. This is the basis of the previously discussed SYN scan.
* A machine that receives an unsolicited SYN/ACK packet will respond with a RST. An unsolicited RST will be ignored.
* Every IP packet on the Internet has a fragment identification number (IP ID). Since many operating systems simply increment this number for each packet they send, probing for the IP ID can tell an attacker how many packets have been sent since the last probe. (Systems that randomize the IP ID, or keep a separate counter per destination host, do not leak this count and make poor zombies, as discussed later in this section.)

By combining these traits, it is possible to scan a target network while forging your identity so that it looks like an innocent zombie machine did the scanning.

Idle Scan Step by Step

Fundamentally, an idle scan consists of three steps that are repeated for each port:

1. Probe the zombie's IP ID and record it.
2. Forge a SYN packet from the zombie and send it to the desired port on the target. Depending on the port state, the target's reaction may or may not cause the zombie's IP ID to be incremented.
3. Probe the zombie's IP ID again. The target port state is then determined by comparing this new IP ID with the one recorded in step 1.

After this process, the zombie's IP ID should have increased by either one or two. An increase of one indicates that the zombie hasn't sent out any packets, except for its reply to the attacker's probe. This lack of sent packets means that the port is not open (the target must have sent the zombie either a RST packet, which was ignored, or nothing at all). An increase of two indicates that the zombie sent out a packet between the two probes. This extra packet usually means that the port is open (the target presumably sent the zombie a SYN/ACK packet in response to the forged SYN, which induced a RST packet from the zombie). Increases larger than two usually signify a bad zombie host. It might not have predictable IP ID numbers, or might be engaged in communication unrelated to the idle scan.

Even though what happens with a closed port is slightly different from what happens with a filtered port, the attacker measures the same result in both cases, namely, an IP ID increase of 1. Therefore it is not possible for the idle scan to distinguish between closed and filtered ports. When Nmap records an IP ID increase of 1 it marks the port closed|filtered.

For those wanting more detail, the following three diagrams show exactly what happens in the three cases of an open, closed, and filtered port. The actors in each are the attacker, the zombie, and the target.

Figure 5.1. Idle scan of an open port

Step 1: The attacker sends a SYN/ACK to the zombie. The zombie, not expecting the SYN/ACK, sends back a RST, disclosing its IP ID.
Step 2: The target sends a SYN/ACK in response to the SYN that appears to come from the zombie. The zombie, not expecting it, sends back a RST, incrementing its IP ID in the process.
Step 3: The zombie's IP ID has increased by two since step 1, so the port is open!

Figure 5.2. Idle scan of a closed port

Step 1: The attacker sends a SYN/ACK to the zombie. The zombie, not expecting the SYN/ACK, sends back a RST, disclosing its IP ID. This step is always the same.
Step 2: The target sends a RST (the port is closed) in response to the SYN that appears to come from the zombie. The zombie ignores the unsolicited RST, leaving its IP ID unchanged.
Step 3: The zombie's IP ID has increased by only one since step 1, so the port is not open.

Figure 5.3. Idle scan of a filtered port

Step 1: Just as in the other two cases, the attacker sends a SYN/ACK to the zombie. The zombie discloses its IP ID.
Step 2: The target, obstinately filtering its port, ignores the SYN that appears to come from the zombie. The zombie, unaware that anything has happened, does not increment its IP ID.
Step 3: The zombie's IP ID has increased by only 1 since step 1, so the port is not open. From the attacker's point of view this filtered port is indistinguishable from a closed port.

Idle scan is the ultimate stealth scan. Nmap offers decoy scanning (-D) to help users shield their identity, but that (unlike idle scan) still requires an attacker to send some packets to the target from his real IP address in order to get scan results back. One upshot of idle scan is that intrusion detection systems will generally send alerts claiming that the zombie machine has launched a scan against them. So it can be used to frame some other party for a scan. Keep this possibility in mind when reading alerts from your IDS.

A unique advantage of idle scan is that it can be used to defeat certain packet filtering firewalls and routers.
IP source address filtering is a common (though weak) security mechanism for limiting machines that may connect to a sensitive host or network. For example, a company database server might only allow connections from the public web server that accesses it. Or a home user might only allow SSH (interactive login) connections from his work machines. A more disturbing scenario occurs when some company bigwig demands that network administrators open a firewall hole so he can access internal network resources from his home IP address. This can happen when executives are unwilling or unable to use secure VPN alternatives.

Idle scanning can sometimes be used to map out these trust relationships. The key factor is that idle scan results list open ports from the zombie host's perspective. A normal scan against the aforementioned database server might show no ports open, but performing an idle scan while using the web server's IP as the zombie could expose the trust relationship by showing the database-related service ports as open. Mapping out these trust relationships can be very useful to attackers for prioritizing targets. The web server discussed above may seem mundane to an attacker until she notices its special database access.

A disadvantage to idle scanning is that it takes far longer than most other scan types. Despite the optimized algorithms described in the section called "Idle Scan Implementation Algorithms", a 15-second SYN scan could take 15 minutes or more as an idle scan. Another issue is that you must be able to spoof packets as if they are coming from the zombie and have them reach the target machine. Many ISPs (particularly dialup and residential broadband providers) now implement egress filtering to prevent this sort of packet spoofing. Higher end providers (such as colocation and T1 services) are much less likely to do this. If this filtering is in effect, Nmap will print a quick error message for every zombie you try.
If changing ISPs is not an option, you might try using another IP on the same ISP network. Sometimes the filtering only blocks spoofing of IP addresses that are outside the range used by customers. Another challenge with idle scan is that you must find a working zombie host, as described in the next section.

Finding a Working Idle Scan Zombie Host

The first step in executing an IP ID idle scan is to find an appropriate zombie. It needs to assign IP IDs to packets incrementally on a global (rather than per-host it communicates with) basis. It should be idle (hence the scan name), as extraneous traffic will bump up its IP ID sequence, confusing the scan logic. The lower the latency between the attacker and the zombie, and between the zombie and the target, the faster the scan will proceed.

When an idle scan is attempted, Nmap tests the proposed zombie and reports any problems with it. If one doesn't work, try another. Enough Internet hosts are vulnerable that zombie candidates aren't hard to find. Since the hosts need to be idle, choosing a well-known host such as www.yahoo.com or google.com will almost never work. A common approach is to simply execute an Nmap ping scan of some network. You could use Nmap's random IP selection mode (-iR), but that is likely to result in far away zombies with substantial latency. Choosing a network near your source address, or near the target, produces better results. You can try an idle scan using each available host from the ping scan results until you find one that works. As usual, it is best to ask permission before using someone's machines for unexpected purposes such as idle scanning.

We didn't just choose a printer icon to represent a zombie in our illustrations to be funny: simple network devices often make great zombies because they are commonly both underused (idle) and built with simple network stacks which are vulnerable to IP ID traffic detection.
Performing a port scan and OS identification (-O) on the zombie candidate network rather than just a ping scan helps in selecting a good zombie. As long as verbose mode (-v) is enabled, OS detection will usually determine the IP ID sequence generation method and print a line such as "IP ID Sequence Generation: Incremental". If the type is given as Incremental or Broken little-endian incremental, the machine is a good zombie candidate. That is still no guarantee that it will work, as Solaris and some other systems create a new IP ID sequence for each host they communicate with. The host could also be too busy. OS detection and the open port list can also help in identifying systems that are likely to be idle.

Another approach to identifying zombie candidates is to run the ipidseq NSE script against a host. This script probes a host to classify its IP ID generation method, then prints the IP ID classification much like the OS detection does. Like most NSE scripts, ipidseq.nse can be run against many hosts in parallel, making it another good choice when scanning entire networks looking for suitable hosts. While identifying a suitable zombie takes some initial work, you can keep re-using the good ones.

Executing an Idle Scan

Once a suitable zombie has been found, performing a scan is easy. Simply specify the zombie hostname to the -sI option and Nmap does the rest. Example 5.1 shows an example of Ereet scanning the Recording Industry Association of America by bouncing an idle scan off an Adobe machine named Kiosk.

Example 5.1. An idle scan against the RIAA

    # nmap -Pn -p- -sI kiosk.adobe.com www.riaa.com

    Idlescan using zombie kiosk.adobe.com (192.150.13.111:80); Class: Incremental
    Interesting ports on 208.225.90.120:
    (The 65522 ports scanned but not shown below are in state: closed)
    Port       State   Service
    21/tcp     open    ftp
    25/tcp     open    smtp
    80/tcp     open    http
    111/tcp    open    sunrpc
    135/tcp    open    loc-srv
    443/tcp    open    https
    1027/tcp   open    IIS
    1030/tcp   open    iad1
    2306/tcp   open    unknown
    5631/tcp   open    pcanywheredata
    7937/tcp   open    unknown
    7938/tcp   open    unknown
    36890/tcp  open    unknown

    Nmap done: 1 IP address (1 host up) scanned in 2594.47 seconds

From the scan above, we learn that the RIAA is not very security conscious (note the open PC Anywhere, portmapper, and Legato nsrexec ports). Since they apparently have no firewall, it is unlikely that they have an IDS. But if they do, it will show kiosk.adobe.com as the scan culprit.

The -Pn option prevents Nmap from sending an initial ping packet to the RIAA machine. That would have disclosed Ereet's true address. The scan took a long time because -p- was specified to scan all 65K ports. Don't try to use kiosk for your scans, as it has already been removed.

By default, Nmap forges probes to the target from the source port 80 of the zombie. You can choose a different port by appending a colon and port number to the zombie name (e.g. -sI kiosk.adobe.com:113). The chosen port must not be filtered from the attacker or the target. A SYN scan of the zombie should show the port in the open or closed state.

Idle Scan Implementation Algorithms

While the section called "Idle Scan Step by Step" describes idle scan at the fundamental level, the Nmap implementation is far more complex. Key differences are parallelism for quick execution and redundancy to reduce false positives. Parallelizing idle scan is trickier than with other scan techniques due to the indirect method of deducing port states.
If Nmap sends probes to many ports on the target and then checks the new IP ID value of the zombie, the number of IP ID increments will expose how many target ports are open, but not which ones. This isn't actually a major problem, as the vast majority of ports in a large scan will be closed|filtered. Since only open ports cause the IP ID value to increment, Nmap will see no intervening increments and can mark the whole group of ports as closed|filtered.

Nmap can scan groups of up to 100 ports in parallel. If Nmap probes a group and then finds that the zombie's IP ID has increased n times (beyond the single increment caused by the zombie's reply to the probe itself), there must be n open ports among that group. Nmap then finds the open ports with a binary search. It splits the group into two and separately sends probes to each. If a subgroup shows zero open ports, that group's ports are all marked closed|filtered. If a subgroup shows one or more open ports, it is divided again and the process continues until those ports are identified. While this technique adds complexity, it can reduce scan times by an order of magnitude over scanning just one port at a time.

Reliability is another major idle scanning concern. If the zombie host sends packets to any unrelated machines during the scan, its IP ID increments. This causes Nmap to think it has found an open port. Fortunately, parallel scanning helps here too. If Nmap scans 100 ports in a group and the IP ID increase signals two open ports, Nmap splits the group into two fifty-port subgroups. When Nmap does an IP ID scan on both subgroups, the total zombie IP ID increase had better be two again! Otherwise, Nmap will detect the inconsistency and rescan the groups. It also modifies group size and scan timing based on the detected reliability rate of the zombie. If Nmap detects too many inconsistent results, it will quit and ask the user to provide a better zombie.

Sometimes a packet trace is the best way to understand complex algorithms and techniques such as these.
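To make the per-port decision rule and the group splitting concrete, here is a small Python simulation added for this edition. It is not Nmap's code (Nmap's implementation is in idle_scan.cc) and nothing is put on the wire: the three parties from the step-by-step section are in-process objects. The zombie keeps one global 16-bit IP ID counter, answers an unsolicited SYN/ACK with a RST and drops an unsolicited RST; the target answers a forged SYN with SYN/ACK, RST or silence depending on port state; the attacker side measures the IP ID delta (1 means closed|filtered, 2 means open, anything else is suspect), scans in 100-port groups, binary-searches the open ports and rescans when the halves disagree with their parent. The group size, the rescan budget, the noise model for a non-idle zombie and the port sets are assumptions constructed for the example.

```python
"""Idle scan decision logic with Nmap-style port grouping, as a simulation.
Added example, not Nmap's code (Nmap's real implementation is idle_scan.cc):
the hosts are in-process objects and nothing is sent on the wire. Group size,
rescan budget and the noise model are assumptions for illustration."""
import random

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


class Zombie:
    """Host with a single global, incrementing 16-bit IP ID counter. `noise` is
    the chance that unrelated traffic bumps the counter whenever the zombie
    handles a packet; a truly idle zombie has noise 0."""

    def __init__(self, start_ipid, noise=0.0, seed=0):
        self.ipid, self.noise, self.rng = start_ipid, noise, random.Random(seed)

    def _send(self):
        self.ipid = (self.ipid + 1) & 0xFFFF  # one IP ID per packet, wraps at 16 bits
        return self.ipid

    def receive(self, flags):
        """Unsolicited SYN/ACK -> RST (consumes an IP ID); unsolicited RST -> dropped."""
        if self.rng.random() < self.noise:
            self._send()  # background chatter the attacker never sees
        return self._send() if flags == "SA" else None


class Target:
    def __init__(self, ports):
        self.ports = ports  # {port: OPEN|CLOSED|FILTERED}; unlisted ports are closed

    def receive_syn(self, port, zombie):
        """Any reply goes to the forged source address, i.e. to the zombie."""
        state = self.ports.get(port, CLOSED)
        if state == OPEN:
            zombie.receive("SA")  # SYN/ACK provokes a RST from the zombie
        elif state == CLOSED:
            zombie.receive("R")  # the zombie silently ignores the RST
        # FILTERED: the SYN is dropped and the zombie hears nothing


def ipid_delta(before, after):
    """Counter increase between two readings, tolerant of 16-bit wrap-around."""
    return (after - before) & 0xFFFF


def count_open(zombie, target, ports):
    """Probe a whole group of ports and return how many look open.
    The IP ID rises by 1 for the zombie's RST to our second probe plus 1 per
    SYN/ACK the target sent it, so open = delta - 1. A reading that cannot be
    right (the zombie talked to someone else) is returned as None."""
    before = zombie.receive("SA")  # step 1: learn the current IP ID
    for p in ports:
        target.receive_syn(p, zombie)  # step 2: SYN forged from the zombie
    after = zombie.receive("SA")  # step 3: read the IP ID again
    opened = ipid_delta(before, after) - 1
    return opened if 0 <= opened <= len(ports) else None


def inconsistent(stats):
    """Record a contradictory reading; too many of them means a bad zombie."""
    stats["rescans"] += 1
    if stats["rescans"] > stats["max_rescans"]:
        raise RuntimeError("too many inconsistent results; choose a better zombie")


def measure(zombie, target, ports, stats):
    """count_open() with retries for impossible readings."""
    n = count_open(zombie, target, ports)
    while n is None:
        inconsistent(stats)
        n = count_open(zombie, target, ports)
    return n


def refine(zombie, target, group, expected, results, stats):
    """Binary search inside `group`, which showed `expected` open ports. The two
    halves must add up to the parent's count, and a lone open port must be
    confirmed by a second reading; otherwise the group is rescanned."""
    if expected == 0:
        results.update({p: "closed|filtered" for p in group})
    elif len(group) == 1:
        if measure(zombie, target, group, stats) == expected:
            results[group[0]] = OPEN
        else:
            inconsistent(stats)
            refine(zombie, target, group, measure(zombie, target, group, stats), results, stats)
    else:
        half = len(group) // 2
        left, right = group[:half], group[half:]
        n_left, n_right = measure(zombie, target, left, stats), measure(zombie, target, right, stats)
        if n_left + n_right != expected:
            inconsistent(stats)
            refine(zombie, target, group, measure(zombie, target, group, stats), results, stats)
        else:
            refine(zombie, target, left, n_left, results, stats)
            refine(zombie, target, right, n_right, results, stats)


def idle_scan(zombie, target, ports, group_size=100, max_rescans=20):
    """Scan `ports` on `target` through `zombie`; returns ({port: state}, rescans)."""
    results, stats, ports = {}, {"rescans": 0, "max_rescans": max_rescans}, list(ports)
    for i in range(0, len(ports), group_size):
        group = ports[i:i + group_size]
        refine(zombie, target, group, measure(zombie, target, group, stats), results, stats)
    return results, stats["rescans"]


if __name__ == "__main__":
    # Constructed scenario mirroring the seven-port trace: 25 and 110 open, 22 filtered.
    print(idle_scan(Zombie(15669), Target({25: OPEN, 110: OPEN, 22: FILTERED}),
                    [20, 21, 22, 23, 24, 25, 110]))
```

Two properties worth noticing when you run it: a filtered port and a closed port end up with the same closed|filtered label, exactly as the diagrams predict, and a zombie whose counter moves for reasons other than the scan (noise=1.0 makes every reading impossible) trips the rescan budget and the scan is abandoned rather than reporting phantom open ports.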
Once again, the Nmap --packet-trace option makes these trivial to produce when desired. The remainder of this section provides an annotated packet trace of an actual seven port idle scan. The IP addresses have been changed to Attacker, Zombie, and Target and some irrelevant aspects of the trace lines (such as TCP window size) have been removed for clarity.

    Attacker# nmap -sI Zombie -Pn -p20-25,110 -r --packet-trace -v Target

-Pn is necessary for stealth, otherwise ping packets would be sent to the target from Attacker's real address. Version scanning would also expose the true address, and so -sV is not specified. The -r option (which turns off port randomization) is only used to make this example easier to follow.

Nmap first tests Zombie's IP ID sequence generation by sending six SYN/ACK packets to it and analyzing the responses. This helps Nmap immediately weed out bad zombies. It is also necessary because some systems (usually Microsoft Windows machines, though not all Windows boxes do this) increment the IP ID by 256 for each packet sent rather than by one. This happens on little-endian machines when they don't convert the IP ID to network byte order (big-endian). Nmap uses these initial probes to detect and work around this problem.
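As an added illustration of that initial test (this is not Nmap's code; Nmap's own logic lives in its OS detection engine and the ipidseq script), the following Python classifier sorts a short run of observed IP IDs, such as the six returned by the probes above, into the classes a zombie hunter cares about. "Incremental" and "Broken little-endian incremental" are the labels the book names; the remaining labels, the step threshold of 10, the 20000 bound and the byte-swap test are assumptions for this example, and all sample sequences are constructed.

```python
"""Classify a host's IP ID generation from a short sequence of observed IP IDs.
Added example, not Nmap's implementation. Thresholds and the labels other than
"Incremental" and "Broken little-endian incremental" are assumptions."""


def byteswap16(value):
    """Swap the two bytes of a 16-bit value: what a host that forgets htons()
    puts on the wire, and also how to undo it."""
    return ((value & 0xFF) << 8) | (value >> 8)


def diffs(ipids):
    """Successive differences modulo 2**16, since the counter wraps at 65535."""
    return [(b - a) & 0xFFFF for a, b in zip(ipids, ipids[1:])]


def classify_ipid(ipids, max_step=10):
    """Return a zombie-suitability class for a sequence of IP IDs.
    A usable zombie must be "Incremental" (counter grows by a small step per
    packet) or "Broken little-endian incremental" (same counter, but written in
    host byte order, so the wire value jumps by 256 per packet). Everything
    else cannot be read as a packet count and is useless for idle scan."""
    if len(ipids) < 3:
        return "Unknown"  # too few samples to say anything
    if all(v == 0 for v in ipids):
        return "All zeros"
    d = diffs(ipids)
    if all(x == 0 for x in d):
        return "Constant"
    if all(1 <= x <= max_step for x in d):
        return "Incremental"
    # Undo a byte-order bug and look again. This also copes with the odd
    # difference (257 instead of 256) that appears when the low byte of the
    # real counter carries into the high byte.
    if all(1 <= x <= max_step for x in diffs([byteswap16(v) for v in ipids])):
        return "Broken little-endian incremental"
    if all(0 < x <= 20000 for x in d):  # assumed bound for "positive" steps
        return "Random positive increments"
    return "Randomized"


def usable_zombie(ipids):
    """True when the IP ID behaviour lets an attacker count the zombie's packets."""
    return classify_ipid(ipids) in ("Incremental", "Broken little-endian incremental")


if __name__ == "__main__":
    # Constructed samples: an idle host, the same kind of counter behind a
    # byte-order bug, and a host that randomizes its IP IDs.
    for seq in ([15669, 15670, 15671, 15672, 15673, 15674],
                [byteswap16(c) for c in range(0x12FE, 0x1304)],
                [12, 9000, 3, 51000, 700]):
        print([hex(v) for v in seq], "->", classify_ipid(seq))
```

The byte-swap branch is why Nmap can still use a "broken" Windows zombie: once the two bytes are exchanged the counter is ordinary and every probe costs exactly one unit, so the rest of the scan logic is unchanged. Defenders can apply the same classifier to their own hosts to find devices that would make good zombies for someone else.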
    SENT (0.0060s) TCP Attacker:51824 > Zombie:80 SA id=35996
    SENT (0.0900s) TCP Attacker:51825 > Zombie:80 SA id=25914
    SENT (0.1800s) TCP Attacker:51826 > Zombie:80 SA id=39591
    RCVD (0.1550s) TCP Zombie:80 > Attacker:51824 R id=15669
    SENT (0.2700s) TCP Attacker:51827 > Zombie:80 SA id=43604
    RCVD (0.2380s) TCP Zombie:80 > Attacker:51825 R id=15670
    SENT (0.3600s) TCP Attacker:51828 > Zombie:80 SA id=34186
    RCVD (0.3280s) TCP Zombie:80 > Attacker:51826 R id=15671
    SENT (0.4510s) TCP Attacker:51829 > Zombie:80 SA id=27949
    RCVD (0.4190s) TCP Zombie:80 > Attacker:51827 R id=15672
    RCVD (0.5090s) TCP Zombie:80 > Attacker:51828 R id=15673
    RCVD (0.5990s) TCP Zombie:80 > Attacker:51829 R id=15674
    Idlescan using zombie Zombie (Zombie:80); Class: Incremental

This test demonstrates that the zombie is working fine. Every IP ID was an increase of one over the previous one. So the system appears to be idle and vulnerable to IP ID traffic detection. These promising results are still subject to the next test, in which Nmap spoofs four packets to Zombie as if they are coming from Target. Then it probes the zombie to check that the IP ID increased accordingly (by four more than its reply to the probe alone would cause). If it hasn't, then it is likely that either the attacker's ISP is blocking the spoofed packets or the zombie uses a separate IP ID sequence counter for each host it communicates with. Both are common occurrences, so Nmap always performs this test. The last-known Zombie IP ID was 15674, as shown above.

    SENT (0.5990s) TCP Target:51823 > Zombie:80 SA id=1390
    SENT (0.6510s) TCP Target:51823 > Zombie:80 SA id=24025
    SENT (0.7110s) TCP Target:51823 > Zombie:80 SA id=15046
    SENT (0.7710s) TCP Target:51823 > Zombie:80 SA id=48658
    SENT (1.0800s) TCP Attacker:51987 > Zombie:80 SA id=27659
    RCVD (1.2290s) TCP Zombie:80 > Attacker:51987 R id=15679

The four spoofed packets coupled with the probe from Attacker caused the Zombie to increase its IP ID from 15674 to 15679. Perfect! Now the real scanning begins. Remember that 15679 is the latest Zombie IP ID.
    Initiating Idlescan against Target
    SENT (1.2290s) TCP Zombie:80 > Target:20 S id=13200
    SENT (1.2290s) TCP Zombie:80 > Target:21 S id=3737
    SENT (1.2290s) TCP Zombie:80 > Target:22 S id=65290
    SENT (1.2290s) TCP Zombie:80 > Target:23 S id=10516
    SENT (1.4610s) TCP Attacker:52050 > Zombie:80 SA id=33202
    RCVD (1.6090s) TCP Zombie:80 > Attacker:52050 R id=15680

Nmap probes ports 20-23. Then it probes Zombie and finds that the new IP ID is 15680, only one higher than the previous value of 15679. There were no IP ID increments in between those two known packets, meaning ports 20-23 are probably closed|filtered. It is also possible that a SYN/ACK from a Target port has simply not arrived yet. In that case, Zombie has not responded with a RST and thus its IP ID has not incremented. To ensure accuracy, Nmap will try these ports again later.

    SENT (1.8510s) TCP Attacker:51986 > Zombie:80 SA id=49278
    RCVD (1.9990s) TCP Zombie:80 > Attacker:51986 R id=15681

Nmap probes again because four tenths of a second has gone by since the last probe it sent. The Zombie (if not truly idle) could have communicated with other hosts during this period, which would cause inaccuracies later if not detected here. Fortunately, that has not happened: the next IP ID is 15681 as expected.

    SENT (2.0000s) TCP Zombie:80 > Target:24 S id=23928
    SENT (2.0000s) TCP Zombie:80 > Target:25 S id=50425
    SENT (2.0000s) TCP Zombie:80 > Target:110 S id=14207
    SENT (2.2300s) TCP Attacker:52026 > Zombie:80 SA id=26941
    RCVD (2.3800s) TCP Zombie:80 > Attacker:52026 R id=15684

Nmap probes ports 24, 25, and 110 then queries the Zombie IP ID. It has jumped from 15681 to 15684. It skipped 15682 and 15683, meaning that two of those three ports are likely open. Nmap cannot tell which two are open, and it could also be a false positive. So Nmap drills down deeper, dividing the scan into subgroups.
    SENT (2.6210s) TCP Attacker:51867 > Zombie:80 SA id=18869
    RCVD (2.7690s) TCP Zombie:80 > Attacker:51867 R id=15685
    SENT (2.7690s) TCP Zombie:80 > Target:24 S id=30023
    SENT (2.7690s) TCP Zombie:80 > Target:25 S id=47253
    SENT (3.0000s) TCP Attacker:51979 > Zombie:80 SA id=12077
    RCVD (3.1480s) TCP Zombie:80 > Attacker:51979 R id=15687

The first subgroup is ports 24 and 25. The IP ID jumps from 15685 to 15687, meaning that one of these two ports is most likely open. Nmap tries the divide and conquer approach again, probing each port separately.

    SENT (3.3910s) TCP Attacker:51826 > Zombie:80 SA id=32515
    RCVD (3.5390s) TCP Zombie:80 > Attacker:51826 R id=15688
    SENT (3.5390s) TCP Zombie:80 > Target:24 S id=47868
    SENT (3.7710s) TCP Attacker:52012 > Zombie:80 SA id=14042
    RCVD (3.9190s) TCP Zombie:80 > Attacker:52012 R id=15689

A port 24 probe shows no jump in the IP ID. So that port is not open. From the results so far, Nmap has tentatively determined:

* Ports 20-23 are closed|filtered
* Two of the ports 24, 25, and 110 are open
* One of the ports 24 and 25 is open
* Port 24 is closed|filtered

Stare at this puzzle long enough and you'll find only one solution: ports 25 and 110 are open while the other five are closed|filtered. Using this logic, Nmap could cease scanning and print results now. It used to do so, but that produced too many false positive open ports when the Zombie wasn't truly idle.
So Nmap continues scanning to verify its results:

    SENT (4.1600s) TCP Attacker:51858 > Zombie:80 SA id=6225
    RCVD (4.3080s) TCP Zombie:80 > Attacker:51858 R id=15690
    SENT (4.3080s) TCP Zombie:80 > Target:25 S id=35713
    SENT (4.5410s) TCP Attacker:51856 > Zombie:80 SA id=28118
    RCVD (4.6890s) TCP Zombie:80 > Attacker:51856 R id=15692
    Discovered open port 25/tcp on Target
    SENT (4.6900s) TCP Zombie:80 > Target:110 S id=9943
    SENT (4.9210s) TCP Attacker:51836 > Zombie:80 SA id=62254
    RCVD (5.0690s) TCP Zombie:80 > Attacker:51836 R id=15694
    Discovered open port 110/tcp on Target

Probes of ports 25 and 110 show that they are open, as we deduced previously.

    SENT (5.0690s) TCP Zombie:80 > Target:20 S id=8168
    SENT (5.0690s) TCP Zombie:80 > Target:21 S id=36717
    SENT (5.0690s) TCP Zombie:80 > Target:22 S id=4063
    SENT (5.0690s) TCP Zombie:80 > Target:23 S id=54771
    SENT (5.3200s) TCP Attacker:51962 > Zombie:80 SA id=38763
    RCVD (5.4690s) TCP Zombie:80 > Attacker:51962 R id=15695
    SENT (5.7910s) TCP Attacker:51887 > Zombie:80 SA id=61034
    RCVD (5.9390s) TCP Zombie:80 > Attacker:51887 R id=15696

Just to be sure, Nmap tries ports 20-23 again. A Zombie IP ID query shows no sequence jump. On the off chance that a SYN/ACK from Target to Zombie came in late, Nmap tries another IP ID query. This again shows no open ports. Nmap is now sufficiently confident with its results to print them.

    The Idlescan took 5 seconds to scan 7 ports.
    Interesting ports on Target:
    PORT     STATE            SERVICE
    20/tcp   closed|filtered  ftp-data
    21/tcp   closed|filtered  ftp
    22/tcp   closed|filtered  ssh
    23/tcp   closed|filtered  telnet
    24/tcp   closed|filtered  priv-mail
    25/tcp   open             smtp
    110/tcp  open             pop3

    Nmap finished: 1 IP address (1 host up) scanned in 5.949 seconds

For complete details on the Nmap idle scan implementation, read idle_scan.cc from the Nmap source code distribution. While port scanning is a clever abuse of predictable IP ID sequences, they can be exploited for many other purposes as well.
Examples are peppered throughout this book, particularly in Chapter 10, Detecting and Subverting Firewalls and Intrusion Detection Systems.
Performance --ip-options, Firewall/IDS Evasion and Spoofing --log-errors, Handling Error and Warning Messages, Output --max-hostgroup, Timing and Performance --max-os-tries, Usage and Examples, OS Detection --max-parallelism, Timing and Performance --max-rate, Timing and Performance --max-retries, Timing and Performance --max-rtt-timeout, Timing and Performance example of, Manipulating XML Output with Perl --max-scan-delay, Timing and Performance --min-hostgroup, Timing and Performance --min-parallelism, Timing and Performance --min-rate, Timing and Performance --min-rtt-timeout, Timing and Performance --mtu, Firewall/IDS Evasion and Spoofing --nmap (Zenmap option), Options Summary --no-stylesheet, Creating HTML Reports, Output --open, Output --osscan-guess, Usage and Examples, OS Matching Algorithms, Dealing with Misidentified and Unidentified Hosts, OS Detection --osscan-limit, Usage and Examples, OS Detection --packet-trace, Enabling Packet Tracing, Output example of, Idle Scan Implementation Algorithms, Enabling Packet Tracing --port-ratio, Port Specification and Scan Order --privileged, Miscellaneous Options --profile (Zenmap option), Options Summary --randomize-hosts, Firewall/IDS Evasion and Spoofing --reason, Output implied by -d, Output --release-memory, Miscellaneous Options --resume, Resuming Aborted Scans, Output --scan-delay, Timing and Performance --scanflags, Port Scanning Techniques --script, Usage and Examples, Command-line Arguments, Script Selection, Initialization Phase, Nmap Scripting Engine (NSE) --script-args, Usage and Examples, Command-line Arguments, Nmap Scripting Engine (NSE) example of, Arguments to Scripts, Complete Examples --script-trace, Usage and Examples, Command-line Arguments, Nmap Scripting Engine (NSE) example of, Complete Examples --script-updatedb, Usage and Examples, Command-line Arguments, Files Related to Scripting, Nmap Scripting Engine (NSE) --send-eth, Firewall/IDS Evasion and Spoofing, Miscellaneous Options implied by
--spoof-mac, Firewall/IDS Evasion and Spoofing --send-ip, Miscellaneous Options --servicedb, Well Known Port List: nmap-services, Miscellaneous Options --source-port, Firewall/IDS Evasion and Spoofing --spoof-mac, Information Passed to a Script, Firewall/IDS Evasion and Spoofing --stats-every, Output --stylesheet, Creating HTML Reports, Output --system-dns, Host Discovery --target (Zenmap option), Options Summary --top-ports, Port Specification and Scan Order --traceroute, An Overview of the “Topology” Tab, Searching Saved Results, Host Discovery --ttl, Firewall/IDS Evasion and Spoofing --unprivileged, Miscellaneous Options --verbose, Controlling Verbosity of Output --verbose (Zenmap option), Options Summary --version, Miscellaneous Options example of, Testing Whether Nmap is Already Installed --version-all, Technique Described, Probe Selection and Rarity, Service and Version Detection --version-intensity, Technique Described, Probe Selection and Rarity, Service and Version Detection --version-light, Technique Described, Probe Selection and Rarity, Service and Version Detection --version-trace, Technique Demonstrated, Service and Version Detection example of, Technique Demonstrated --versiondb, Miscellaneous Options --webxml, Creating HTML Reports, Output -6, Miscellaneous Options -A, Version Scanning DB: nmap-service-probes, Miscellaneous Options example of, Avatar Online, Introduction, Usage and Examples, RPC Grinding, Description features enabled by, Usage and Examples, Command-line Arguments, Miscellaneous Options -b, Port Scanning Techniques -D, TCP Idle Scan (-sI), Firewall/IDS Evasion and Spoofing -d, Enabling Debugging Output, Output example of, Technique Demonstrated, Enabling Debugging Output giving more than once, Enabling Debugging Output, Enabling Packet Tracing, Output -e, Firewall/IDS Evasion and Spoofing -F, Port Specification and Scan Order -f, Firewall/IDS Evasion and Spoofing giving twice, Firewall/IDS Evasion and Spoofing -f (Zenmap option) (see
--file) -g, Firewall/IDS Evasion and Spoofing -h, Miscellaneous Options -h (Zenmap option) (see --help) -iL, Target Specification randomizing hosts with, Firewall/IDS Evasion and Spoofing -iR, Finding a Working Idle Scan Zombie Host, Target Specification example of, Status field, Target Specification, Examples -n, Host Discovery -n (Zenmap option) (see --nmap) -O, Usage and Examples, Seq Index field, Nmap OS Detection DB: nmap-os-db, OS Detection example of, Usage and Examples, Examples to identify idle scan zombie candidates, Finding a Working Idle Scan Zombie Host -oA, Controlling Output Type, Output example of, Avatar Online in Zenmap, Output Files -oG, MadHat in Wonderland, Grepable Output (-oG), Output example of, Grepable Output (-oG), Status field, Examples -oN, Handling Error and Warning Messages, Normal Output (-oN), Output example of, Normal Output (-oN) -oS, $crIpT kIddI3 0uTPut (-oS), Output example of, $crIpT kIddI3 0uTPut (-oS) -oX, XML Output (-oX), Output example of, XML Output (-oX), Examples -p, Port Specification and Scan Order example of, Idle Scan Implementation Algorithms, Examples -p (Zenmap option) (see --profile) -P0, Host Discovery (see also -Pn) -PA, Host Discovery -PE, Host Discovery -PM, Host Discovery -Pn, Host Discovery with idle scan, Executing an Idle Scan, Idle Scan Implementation Algorithms -PN, Host Discovery -PO, Host Discovery -PP, Host Discovery -PR, Host Discovery -PS, Host Discovery example of, Avatar Online, Target Specification -PU, Host Discovery -PY, Host Discovery -r, Port Specification and Scan Order example of, Idle Scan Implementation Algorithms -R, Host Discovery -S, Firewall/IDS Evasion and Spoofing -sA, Port Scanning Techniques -sC, Usage and Examples, Command-line Arguments, Nmap Scripting Engine (NSE) example of, Introduction -sF, Port Scanning Techniques -sI, TCP Idle Scan (-sI), Port Scanning Techniques example of, Executing an Idle Scan, Idle Scan Implementation Algorithms -sL, Grepable Output Fields, Host
Discovery example of, Avatar Online, Status field -sM, Port Scanning Techniques -sn, Grepable Output Fields, Host Discovery example of, Enabling Packet Tracing -sN, Port Scanning Techniques -sO, Grepable Output Fields, Protocols field, Port Scanning Techniques example of, Protocols field -sP, Host Discovery (see also -sn) -sR, RPC Grinding, Ports field, Service and Version Detection -sS, Is Unauthorized Port Scanning a Crime?, Port Scanning Techniques example of, Avatar Online, Target Specification, Examples -sT, Is Unauthorized Port Scanning a Crime?, Port Scanning Techniques -sU, Port Scanning Techniques -sV, Usage and Examples, Command-line Arguments, Version Scanning DB: nmap-service-probes, Service and Version Detection example of, Technique Demonstrated, SSL Post-processor Notes -sW, Port Scanning Techniques -sX, Port Scanning Techniques -sY, Port Scanning Techniques -sZ, Port Scanning Techniques -T, Timing and Performance -t (Zenmap option) (see --target) -T0 (see paranoid timing template) -T1 (see sneaky timing template) -T2 (see polite timing template) -T3 (see normal timing template) -T4 (see aggressive timing template) -T5 (see insane timing template) -v, Finding a Working Idle Scan Zombie Host, Controlling Verbosity of Output, Output example of, Usage and Examples, Controlling Verbosity of Output, Examples extra output enabled by, Controlling Verbosity of Output, Controlling Verbosity of Output giving more than once, Controlling Verbosity of Output, Output implied by -d, Enabling Debugging Output -V, Miscellaneous Options -v (Zenmap option) (see --verbose)

A
A (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP (T2–T7), TCP acknowledgment number (A) A scan, Comparing Results a: (Zenmap search criterion, short for after:), Searching Saved Results acceptable use policy, Is Unauthorized Port Scanning a Crime?
ACK ping, Host Discovery ACK scan, Port Scanning Techniques “action” script variable, Action, Information Passed to a Script, The Mechanism adaptive retransmission (see retransmission) address ranges, Avatar Online, Target Specification Adler32 checksum, Firewall/IDS Evasion and Spoofing after: (Zenmap search criterion), Searching Saved Results aggregated results (Zenmap), Scan Aggregation, The “Scans” tab, An Overview of the “Topology” Tab aggressive (-T4) timing template, Avatar Online, Timing and Performance “Aggressive OS guesses:”, Usage and Examples AmigaOS, installing on, Amiga, HP-UX, IRIX, and Other Platforms Antirez, TCP Idle Scan (-sI) Apple Developer Connection, Compile Nmap from source code Apple Mac OS X (see Mac OS X) apt-get, Debian Linux and Derivatives such as Ubuntu ARIN (American Registry for Internet Numbers), Avatar Online ARP ping, Host Discovery “auth” script category, Script Categories auth service, Dealing with Misidentified and Unidentified Hosts, Script Writing Tutorial auth-owners script, The Head “author” script variable, author Field, Example Script: finger.nse authorized users (see privileged users)

B
B scan, Comparing Results b: (Zenmap search criterion, short for before:), Searching Saved Results before: (Zenmap search criterion), Searching Saved Results Bell, Eddie, Example Script: finger.nse binary packages, If You Encounter Compilation Problems bit NSE module, Adding C Modules to Nselib black hat, Is Unauthorized Port Scanning a Crime?
blind TCP spoofing, Usage and Examples, Decoding the Subject Fingerprint Format, Seq Index field Boolean expressions in script selection, Script Selection, Nmap Scripting Engine (NSE) broken IP ID increment, IP ID sequence generation algorithm (TI, CI, II) BSDs, FreeBSD / OpenBSD / NetBSD bugs, reporting, Bugs

C
Casorran, Diego, Amiga, HP-UX, IRIX, and Other Platforms “categories” script variable, categories Field, The Head CC (OS detection response test), TCP explicit congestion notification (ECN), Explicit congestion notification (CC) CD (OS detection response test), ICMP echo (IE), ICMP response code (CD) CFLAGS, Environment Variables cfp: (Zenmap search criterion, short for closed|filtered:), Host Filtering, Searching Saved Results changelog, The History and Future of Nmap, Testing Whether Nmap is Already Installed, Author cheats (version detection), Cheats and Fallbacks checksums, Firewall/IDS Evasion and Spoofing and OS detection, Integrity of returned probe IP checksum value (RIPCK) of RST data, TCP RST data checksum (RD) Christensen, Steven, Sun Solaris CI (OS detection response test), IP ID sequence generation algorithm (TI, CI, II) CIDR (Classless Inter-Domain Routing), Avatar Online, Is Unauthorized Port Scanning a Crime?, Target Specification Classless Inter-Domain Routing (see CIDR) closed port state, Avatar Online, Host Filtering, Searching Saved Results, Description, Port Scanning Basics closed: (Zenmap search criterion), Host Filtering, Searching Saved Results closed|filtered port state, Idle Scan Step by Step, Idle Scan Implementation Algorithms, Host Filtering, Searching Saved Results, Description, Port Scanning Basics closed|filtered: (Zenmap search criterion), Host Filtering, Searching Saved Results command-line options of Nmap, Options Summary, Options Summary of Zenmap, Command-line Options comparing results (Zenmap), Comparing Results, Comparing Results compilation, Unix Compilation and Installation from Source Code problems with, If You
Encounter Compilation Problems Computer Fraud and Abuse Act, Is Unauthorized Port Scanning a Crime? Computer Misuse Act, Is Unauthorized Port Scanning a Crime? configure directives, Configure Directives connect scan, Port Scanning Techniques copyright, Introduction, Nmap Copyright, Nmap Copyright and Licensing of scripts, license Field country code, Zenmap in Your Language cp: (Zenmap search criterion, short for closed:), Host Filtering, Searching Saved Results crashing targets, Can Port Scanning Crash the Target Computer/Networks?, No Warranty CRC32C checksum, Firewall/IDS Evasion and Spoofing CT (SCAN line test), Decoding the SCAN line of a subject fingerprint CU (SCAN line test), Decoding the SCAN line of a subject fingerprint CXXFLAGS, Environment Variables Cygwin, Command-line Zip Binaries, Compile from Source Code

D
D (SCAN line test), Decoding the SCAN line of a subject fingerprint d// (device type) version detection field, match Directive, Device Types d: (Zenmap search criterion, short for date:), Searching Saved Results data files, Understanding and Customizing Nmap Data Files, Understanding and Customizing Nmap Data Files customizing, Using Customized Data Files, Using Customized Data Files directory search order, Command-line Arguments, Using Customized Data Files, Nmap Scripting Engine (NSE) used by Zenmap, Files Used by Zenmap, Files Used by Zenmap database, output to, Output to a Database date: (Zenmap search criterion), Searching Saved Results DC (SCAN line test), Decoding the SCAN line of a subject fingerprint Debian, Configure Directives Debian, installing on, Debian Linux and Derivatives such as Ubuntu debugging, Enabling Debugging Output, Output (see also -d) Zenmap, Error Output decoys, TCP Idle Scan (-sI), Firewall/IDS Evasion and Spoofing which scans use, Service and Version Detection default ports, Port Specification and Scan Order “default” script category, Script Categories, The Head DEFAULT_PROTO_PROBE_PORT_SPEC, Host Discovery
DEFAULT_SCTP_PROBE_PORT_SPEC, Host Discovery DEFAULT_TCP_PROBE_PORT_SPEC, Host Discovery DEFAULT_UDP_PROBE_PORT_SPEC, Host Discovery defending against Nmap, Defenses Against Nmap denial of service, Exploit Chronology deny by default, Avatar Online (see also filtered port state) “dependencies” script variable, dependencies Field “description” script variable, description Field, The Head, Example Script: finger.nse device type (OS detection), Device and OS classification (Class lines), Device Types “Device type:”, Usage and Examples DF (OS detection response test), IP don't fragment bit (DF) DFI (OS detection response test), ICMP echo (IE), Don't fragment (ICMP) (DFI) diff (see comparing results) digests, cryptographic, Verifying the Integrity of Nmap Downloads dir: (Zenmap search modifier), Searching Saved Results “discovery” script category, Script Categories disk image (Mac OS X), Executable Installer DLI (retired OS detection response test), Retired Tests .dmg (Mac OS X disk image), Executable Installer DNS records as source of information, Host Discovery document type definition (DTD), XML Output (-oX), Purpose downloading, Testing Whether Nmap is Already Installed, Downloading Nmap DS (SCAN line test), Decoding the SCAN line of a subject fingerprint DTD (see document type definition)

E
“Easy” TCP sequence generation class, Usage and Examples ECN (see explicit congestion notification) ECN (OS fingerprint category line), TCP explicit congestion notification (ECN) egress filtering, TCP Idle Scan (-sI) environment variables in configuration, Environment Variables environment.plist, Zenmap in Your Language Ereet, Executing an Idle Scan estimating scan time, Controlling Verbosity of Output exceptions in NSE, Exception Handling, The Mechanism Exclude directive (nmap-service-probes), Technique Described, Exclude Directive, Putting It All Together, Service and Version Detection excluding targets, Target Specification explicit congestion notification (ECN), TCP explicit
congestion notification (ECN), Explicit congestion notification (CC), Enabling Packet Tracing export control, United States Export Control “external” script category, Script Categories

F
F (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP (T2–T7), TCP flags (F) fallback directive (nmap-service-probes), fallback Directive fallbacks (version detection), Technique Described, Cheats and Fallbacks family (OS detection), Device and OS classification (Class lines) fast scan (see -F) Fedora (Linux distribution) installing on, with RPM, RPM-based Distributions (Red Hat, Mandrake, SUSE, Fedora) installing on, with Yum, Updating Red Hat, Fedora, Mandrake, and Yellow Dog Linux with Yum Felix (penetration tester), Avatar Online filtered port state, Avatar Online, Host Filtering, Searching Saved Results, Description, Port Scanning Basics filtered: (Zenmap search criterion), Host Filtering, Searching Saved Results filtering, Host Filtering (see also host filtering in Zenmap) FIN scan, Port Scanning Techniques finger script, Example Script: finger.nse fingerprint (see OS fingerprint and service fingerprint) Fingerprint (nmap-os-db), Free-form OS description (Fingerprint line), Device and OS classification (Class lines) fingerprinting (see version detection, OS detection) Fink, Third-party Packages firewalls bypassing, TCP Idle Scan (-sI), Detecting and Subverting Firewalls and Intrusion Detection Systems, Firewall/IDS Evasion and Spoofing, Firewall/IDS Evasion and Spoofing fisheye, Fisheye controls foreign languages (see translations) “Formidable” TCP sequence generation class, Usage and Examples four-way handshake, Host Discovery fp: (Zenmap search criterion, short for filtered:), Host Filtering, Searching Saved Results fragmentation DF bit, IP don't fragment bit (DF) not used in OS detection, IP Fragmentation FreeBSD, installing on, FreeBSD Binary Package and Source Ports Instructions FTP bounce scan, Port Scanning Techniques “fuzzer” script
category, Script Categories

G
G (SCAN line test), Decoding the SCAN line of a subject fingerprint GCD (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP ISN greatest common divisor (GCD) General Public License (see GNU General Public License) generation (OS detection), Device and OS classification (Class lines) gettext, Creating a new translation .gnmap filename extension, Controlling Output Type GNU General Public License, Introduction, The History and Future of Nmap, Nmap Copyright and Licensing GomoR, Passive Fingerprinting “Good luck!” TCP sequence generation class, Usage and Examples Google Summer of Code, The History and Future of Nmap, History GPL (see GNU General Public License) graphical user interface (see Zenmap) grepable output, MadHat in Wonderland, Grepable Output (-oG), Grepable Output (-oG), Output comments in, Grepable Output (-oG), Output deprecation of, XML Output (-oX), Grepable Output (-oG) fields of, Grepable Output Fields parsing, Parsing Grepable Output on the Command Line resuming from, Resuming Aborted Scans GUI (see Zenmap)

H
h// (hostname) version detection field, match Directive hashes, cryptographic, Verifying the Integrity of Nmap Downloads Hazel, Philip, Third-Party Software “Host Details” scan results tab, The “Host Details” tab host discovery, The Phases of an Nmap Scan, Host Discovery (“Ping Scanning”), Host Discovery (“Ping Scanning”), Host Discovery, Host Discovery disabling, Host Discovery with idle scan, Executing an Idle Scan, Idle Scan Implementation Algorithms “hostrule” script variable, Port and Host Rules, Matching Scripts with Targets HP-UX, installing on, Amiga, HP-UX, IRIX, and Other Platforms hping2, TCP Idle Scan (-sI), Timing and Performance HTML from XML output, Creating HTML Reports, Output

I
i// (info) version detection field, match Directive ICMP destination unreachable, TCP/IP Fingerprinting Methods Supported by Nmap, Unused port unreachable field nonzero (UN) ICMP echo, TCP/IP
Fingerprinting Methods Supported by Nmap, ICMP echo (IE), Host Discovery ICMP ping, Host Discovery idle scan, TCP Idle Scan (-sI), TCP Idle Scan (-sI), Port Scanning Techniques advantages of, TCP Idle Scan (-sI) disadvantages of, TCP Idle Scan (-sI) example, Executing an Idle Scan finding zombies, TCP Idle Scan (-sI) implementation, Idle Scan Implementation Algorithms IE (OS fingerprint category line), ICMP echo (IE), Retired Tests II (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), IP ID sequence generation algorithm (TI, CI, II) inroute: (Zenmap search criterion), Host Filtering, Searching Saved Results insane (-T5) timing template, Timing and Performance installation, Obtaining, Compiling, Installing, and Removing Nmap, Obtaining, Compiling, Installing, and Removing Nmap from source code, Unix Compilation and Installation from Source Code interactive output, Handling Error and Warning Messages, Interactive Output, Output interface, Firewall/IDS Evasion and Spoofing (see also -e) internationalization (see localization) Internet Assigned Numbers Authority (IANA) assigned ports list, Well Known Port List: nmap-services Internet service providers (ISPs) acceptable use policy, Is Unauthorized Port Scanning a Crime? and port scanning, Legal Issues, Is Unauthorized Port Scanning a Crime? 
filtering, TCP Idle Scan (-sI) intrusion detection systems evading, Port Scanning Techniques, Timing and Performance, Firewall/IDS Evasion and Spoofing, Firewall/IDS Evasion and Spoofing intrusion prevention systems, Firewall/IDS Evasion and Spoofing (see also intrusion detection systems) “intrusive” script category, Script Categories IP ID, TCP Idle Scan (-sI), Returned probe IP ID value (RID) IP ID sequence generation, Usage and Examples, IP ID sequence generation algorithm (TI, CI, II) classes, Finding a Working Idle Scan Zombie Host IP options, Firewall/IDS Evasion and Spoofing IP protocol ping, Host Discovery IP protocol scan, Port Scanning Techniques IPL (OS detection response test), UDP (U1), IP total length (IPL) iptables, Host Discovery, Firewall/IDS Evasion and Spoofing IPv6, Miscellaneous Options limitations of, Host Discovery IPv6 tunnel broker, Miscellaneous Options ir: (Zenmap search criterion, short for inroute:), Host Filtering, Searching Saved Results IRIX, installing on, Amiga, HP-UX, IRIX, and Other Platforms ISO 3166, Zenmap in Your Language ISO 639, Zenmap in Your Language ISPs (see Internet service providers) ISR (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP ISN counter rate (ISR)

J
Jones, LaMont, Debian Linux and Derivatives such as Ubuntu “(JUST GUESSING)”, Usage and Examples, When Nmap Guesses Wrong

K
Kaminsky, Dan, Introduction keys, cryptographic, Verifying the Integrity of Nmap Downloads keyword search in Zenmap, Host Filtering, Searching Saved Results

L
LANG environment variable, Zenmap in Your Language language code, Zenmap in Your Language LDFLAGS, Environment Variables legal advice, Is Unauthorized Port Scanning a Crime? legal issues, Legal Issues, Can Port Scanning Crash the Target Computer/Networks?
Lei, Zhao, The History and Future of Nmap libdnet, Information Passed to a Script, Third-Party Software libpcap, Raw packet network I/O, Third-Party Software libssl-dev package, Configure Directives license (see copyright) “license” script variable, license Field, Example Script: finger.nse LINGUAS environment variable, Environment Variables Linux compiling on, Unix Compilation and Installation from Source Code installing on, with apt-get, Debian Linux and Derivatives such as Ubuntu list scan, Avatar Online, The Phases of an Nmap Scan, Host Discovery loading scan results, Saving and Loading Scan Results locale, Zenmap in Your Language localization, Zenmap in Your Language, Zenmap in Your Language loopback interface, Windows .lua filename extension, Files Related to Scripting Lua programming language, Introduction, Lua Base Language, Nmap Scripting Engine (NSE), Third-Party Software (see also Nmap Scripting Engine) LuaDoc, Writing Script Documentation (NSEDoc) .luadoc filename extension, Writing Script Documentation (NSEDoc) luaL_register, Adding C Modules to Nselib Lutomirski, Andy, The History and Future of Nmap, Windows

M
M (SCAN line test), Decoding the SCAN line of a subject fingerprint MAC address, Information Passed to a Script, MAC Address Vendor Prefixes: nmap-mac-prefixes, Firewall/IDS Evasion and Spoofing Mac OS X, Apple Mac OS X, Apple Mac OS X compiling on, Compile from Source Code executable installer, Executable Installer installing from third-party packages, Third-party Packages running Nmap on, Executing Nmap on Mac OS X machine output (see grepable output) MacPorts, Third-party Packages MadHat, MadHat in Wonderland, Grepable Output (-oG) Maimon scan, Port Scanning Techniques Maimon, Uriel, Port Scanning Techniques “malware” script category, Script Categories man page (see reference guide) Mandrake (Linux distribution) Marques, Adriano Monteiro, The History and Future of Nmap, History match directive (nmap-service-probes), match Directive, Putting
It All Together MatchPoints (nmap-os-db), OS Matching Algorithms Matrix, the, Saving the Human Race, The History and Future of Nmap ME (decoy address), Firewall/IDS Evasion and Spoofing Medeiros, João Paulo S., An Overview of the “Topology” Tab “Medium” TCP sequence generation class, Usage and Examples Metasploit, Introduction Microsoft Windows (see Windows) Mitnick, Kevin, Usage and Examples Mizrahi, Avi, Is Unauthorized Port Scanning a Crime? Moran, Jay, Introduction Moulton, Scott, Is Unauthorized Port Scanning a Crime? mutexes in NSE, Thread Mutexes MySQL, Output to a Database

N
Ndiff, Comparing Results Nessus, The History and Future of Nmap NetBSD, installing on, NetBSD Binary Package Instructions network distance, Usage and Examples, IP initial time-to-live (T), Decoding the SCAN line of a subject fingerprint network inventory, Network inventory and support network inventory (Zenmap), Scan Aggregation Network Mapper (see Nmap) Nmap birthday of, Controlling Verbosity of Output checking if installed, Testing Whether Nmap is Already Installed description of, Description history of, The History and Future of Nmap, The History and Future of Nmap uses of, Introduction .nmap directory, Command-line Arguments, Using Customized Data Files, Nmap Scripting Engine (NSE), Miscellaneous Options .nmap filename extension, Controlling Output Type nmap NSE module, Lua Base Language, Nmap API, Nmap API “Nmap Output” scan results tab, The “Nmap Output” tab Nmap Project Signing Key, Verifying the Integrity of Nmap Downloads Nmap Scripting Engine (NSE), The Phases of an Nmap Scan, Nmap Scripting Engine, Nmap Scripting Engine, Nmap Scripting Engine (NSE), Nmap Scripting Engine (NSE) API, Nmap API C modules, Adding C Modules to Nselib documentation in, Writing Script Documentation (NSEDoc), Writing Script Documentation (NSEDoc) for version detection, Nmap Scripting Engine Integration implementation, Implementation Details library, Script Language list of modules, NSE Libraries list
of scripts, NSE Scripts modules, Files Related to Scripting parts of, Script Language sample scripts, Version Detection Using NSE, Example Script: finger.nse tutorial, Script Writing Tutorial, Script Writing Tutorial nmap-dev mailing list, The History and Future of Nmap, If You Encounter Compilation Problems, Amiga, HP-UX, IRIX, and Other Platforms, Fingerprinting Methods Avoided by Nmap, Creating a new translation, Enabling Debugging Output, Timing and Performance, Output, Bugs nmap-diff, MadHat in Wonderland nmap-hackers mailing list, Is Unauthorized Port Scanning a Crime?, The History and Future of Nmap, Port Scanning Techniques nmap-mac-prefixes, MAC Address Vendor Prefixes: nmap-mac-prefixes, MAC Address Vendor Prefixes: nmap-mac-prefixes excerpt, MAC Address Vendor Prefixes: nmap-mac-prefixes nmap-os-db, Response Tests, Understanding an Nmap Fingerprint, Nmap OS Detection DB: nmap-os-db, Nmap OS Detection DB: nmap-os-db, OS Detection custom modifications, Modifying the nmap-os-db Database Yourself excerpts, Decoding the Reference Fingerprint Format, Device and OS classification (Class lines), OS Matching Algorithms, Nmap OS Detection DB: nmap-os-db nmap-payloads, UDP payloads: nmap-payloads, UDP payloads: nmap-payloads excerpts, UDP payloads: nmap-payloads nmap-protocols, IP Protocol Number List: nmap-protocols excerpt, IP Protocol Number List: nmap-protocols nmap-report, MadHat in Wonderland nmap-rpc, RPC Grinding, SunRPC Numbers: nmap-rpc comments in, SunRPC Numbers: nmap-rpc excerpt, SunRPC Numbers: nmap-rpc nmap-service-probes, nmap-service-probes File Format, nmap-service-probes File Format, Version Scanning DB: nmap-service-probes, Version Scanning DB: nmap-service-probes, Service and Version Detection comments in, nmap-service-probes File Format complete example, Putting It All Together excerpt, Version Scanning DB: nmap-service-probes nmap-services, Introduction, Usage and Examples, Well Known Port List: nmap-services, Well Known Port List: 
nmap-services, Service and Version Detection comments in, Well Known Port List: nmap-services excerpt, Well Known Port List: nmap-services nmap.h, Host Discovery, Firewall/IDS Evasion and Spoofing nmap.xsl, Creating HTML Reports, Output Nmap::Parser, Manipulating XML Output with Perl, Manipulating XML Output with Perl, Output Nmap::Scanner, Manipulating XML Output with Perl, Manipulating XML Output with Perl, Output NMAPDATADIR, Command-line Arguments, Using Customized Data Files, Nmap Scripting Engine (NSE) NMAPDIR environment variable, Command-line Arguments, Using Customized Data Files, Nmap Scripting Engine (NSE), Miscellaneous Options NmapFE, The History and Future of Nmap, Command-line and Graphical Interfaces nmap_command_path, Comparing Results, The nmap Executable, Sections of zenmap.conf NMAP_PRIVILEGED environment variable, Miscellaneous Options NMAP_UNPRIVILEGED environment variable, Miscellaneous Options “No exact OS matches for host”, Usage and Examples non-controversial scanning, Is Unauthorized Port Scanning a Crime?, Can Port Scanning Crash the Target Computer/Networks?
non-standard ports, Service and Version Detection normal (-T3) timing template, Timing and Performance normal output, Introduction, Normal Output (-oN), Normal Output (-oN), Output and Zenmap comparison, Comparing Results differences from interactive output, Controlling Verbosity of Output, Handling Error and Warning Messages, Normal Output (-oN) NSE (see Nmap Scripting Engine) .nse filename extension, Files Related to Scripting NSEDoc, Writing Script Documentation (NSEDoc), Writing Script Documentation (NSEDoc) for C modules, Writing Script Documentation (NSEDoc) Nsock, Nmap API, Raw packet network I/O NULL probe (version detection), Technique Described, Probe Directive cheat, Cheats and Fallbacks implicit fallback to, fallback Directive NULL scan, Port Scanning Techniques

O
O (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP explicit congestion notification (ECN), TCP options (O, O1–O6) o// (OS) version detection field, match Directive O1–O6 (OS detection response tests), Sequence generation (SEQ, OPS, WIN, and T1), TCP options (O, O1–O6) o: (Zenmap search criterion, short for option:), Searching Saved Results ofp: (Zenmap search criterion, short for open|filtered:), Host Filtering, Searching Saved Results old releases, The History and Future of Nmap op: (Zenmap search criterion, short for open:), Host Filtering, Searching Saved Results open port state, Avatar Online, Technique Described, Port and Host Rules, Matching Scripts with Targets, Host Filtering, Searching Saved Results, Description, Port Scanning Basics open source, Community Contributions, Source Code Availability and Community Contributions Open Source Security Testing Methodology Manual (OSSTMM), Is Unauthorized Port Scanning a Crime?
open: (Zenmap search criterion), Host Filtering, Searching Saved Results OpenBSD, installing on, OpenBSD Binary Packages and Source Ports Instructions OpenSSL, SSL Post-processor Notes, Third-Party Software disabling, Configure Directives linking exception, Nmap Copyright and Licensing packages required for, Configure Directives openssl NSE module, Adding C Modules to Nselib openssl-devel, Configure Directives open|filtered port state, Technique Described, Port and Host Rules, Matching Scripts with Targets, Host Filtering, Searching Saved Results, Description, Port Scanning Basics open|filtered: (Zenmap search criterion), Host Filtering, Searching Saved Results operating system detection (see OS detection) OPS (OS fingerprint category line), Sequence generation (SEQ, OPS, WIN, and T1) option: (Zenmap search criterion), Searching Saved Results organizationally unique identifier (OUI), MAC Address Vendor Prefixes: nmap-mac-prefixes, Firewall/IDS Evasion and Spoofing (see also nmap-mac-prefixes) “OS details:”, Usage and Examples OS detection, The Phases of an Nmap Scan, Remote OS Detection, Remote OS Detection, OS Detection, OS Detection 2nd generation, Introduction category lines, Probes Sent, Probes Sent classifications, Device and OS classification (Class lines) effects of packet filters, Dealing with Misidentified and Unidentified Hosts matching algorithms, OS Matching Algorithms probes sent, Probes Sent, Probes Sent reasons for, Reasons for OS Detection response tests, Response Tests, Response Tests using version detection, match Directive, Usage and Examples OS fingerprint displaying with -d, Usage and Examples explained, Understanding an Nmap Fingerprint reference fingerprint, Decoding the Reference Fingerprint Format, Nmap OS Detection DB: nmap-os-db test expressions in, Test expressions subject fingerprint, Usage and Examples, Decoding the Subject Fingerprint Format submission of, When Nmap Fails to Find a Match and Prints a Fingerprint os: (Zenmap search
criterion), Host Filtering, Searching Saved Results OSSTMM (see Open Source Security Testing Methodology Manual) OT (SCAN line test), Decoding the SCAN line of a subject fingerprint OUI (see organizationally unique identifier) output redirecting, Handling Error and Warning Messages to stdout with -, Controlling Output Type, Normal Output (-oN), $crIpT kIddI3 0uTPut (-oS), XML Output (-oX), Grepable Output (-oG), Output output formats, Nmap Output Formats, Nmap Output Formats, Output, Output grepable (see grepable output) interactive (see interactive output) normal (see normal output) scR1pT kIddI3 (see scR1pT kIddI3 output) summary of, Controlling Output Type the importance of clear output, Introduction XML (see XML output) P P (SCAN line test), Decoding the SCAN line of a subject fingerprint $P() version detection helper function, match Directive p// (product name) version detection field, match Directive p0f, Passive Fingerprinting packet tracing (see --packet-trace) parallelism in idle scan, Idle Scan Implementation Algorithms in NSE, Script Execution paranoid (-T0) timing template, Can Port Scanning Crash the Target Computer/Networks?, Timing and Performance passive OS fingerprinting, Passive Fingerprinting PATH environment variable, Testing Whether Nmap is Already Installed, The nmap Executable, Using Customized Data Files additional directories searched by Zenmap, The nmap Executable Path on Windows, Executing Nmap on Windows payloads, protocol-specific (see protocol-specific payloads) PCRE (see Perl Compatible Regular Expressions) penetration testing, Introduction, Output to a Database Avatar Online example, Avatar Online, Avatar Online permission for, Is Unauthorized Port Scanning a Crime? 
performance, Optimizing Nmap Performance, Timing and Performance, Timing and Performance Perl Compatible Regular Expressions (PCRE), match Directive, Third-Party Software Permeh, Ryan, The History and Future of Nmap, Windows Persaud, Anthony, Manipulating XML Output with Perl PGP signatures, Verifying the Integrity of Nmap Downloads Phrack, The History and Future of Nmap, Port Scanning Techniques ping scan, Host Discovery PING_GROUP_SZ, Firewall/IDS Evasion and Spoofing polite (-T2) timing template, Can Port Scanning Crash the Target Computer/Networks?, Timing and Performance PORT column, Well Known Port List: nmap-services port frequency, Well Known Port List: nmap-services port scan disabling with -sn, Host Discovery port scanning, The Phases of an Nmap Scan algorithms, Port Scanning Techniques and Algorithms port specification, Port Specification and Scan Order wildcards in, Port Specification and Scan Order port states closed (see closed port state) closed|filtered (see closed|filtered port state) filtered (see filtered port state) ignored (not shown), Sorting by Service, Ignored State field open (see open port state) open|filtered (see open|filtered port state) unfiltered (see unfiltered port state) port zero, Port Specification and Scan Order portmapper, RPC Grinding “portrule” script variable, Port and Host Rules, The Rule, Example Script: finger.nse, Matching Scripts with Targets ports “interesting”, Description “Ports / Hosts” scan results tab, The “Ports / Hosts” tab ports directive (nmap-service-probes), ports and sslports Directives, Putting It All Together pr: (Zenmap search criterion, short for profile:), Searching Saved Results printers, version detection exclusion of, Exclude Directive private addresses, Decoding the SCAN line of a subject fingerprint privileged users, Executing Nmap on Windows, Executing Nmap on Mac OS X, Host Discovery, Port Scanning Techniques, Miscellaneous Options proactive scanning, The Profile Editor probable ports in version
detection, Technique Described Probe directive (nmap-service-probes), Probe Directive, Putting It All Together probe string (version detection), Technique Described, Probe Directive profile editor (Zenmap), The Profile Editor profile: (Zenmap search criterion), Searching Saved Results profiles (see Zenmap: scan profiles) protocol-specific payloads, UDP payloads: nmap-payloads (see also nmap-payloads) disabling with --data-length, Firewall/IDS Evasion and Spoofing IP, Host Discovery, Firewall/IDS Evasion and Spoofing UDP, Host Discovery, Port Scanning Techniques, Firewall/IDS Evasion and Spoofing proxies effect on OS detection, Usage and Examples HTTP, Avatar Online Q Q (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP explicit congestion notification (ECN), TCP miscellaneous quirks (Q) R R (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP (T2–T7), Responsiveness (R) RadialNet, An Overview of the “Topology” Tab random targets, Target Specification randomization of hosts, Firewall/IDS Evasion and Spoofing randomization of ports, Port Specification and Scan Order rarity directive (nmap-service-probes), rarity Directive, Putting It All Together rarity of version detection probes, Technique Described, Probe Selection and Rarity rate limiting, Port Scanning Techniques, Timing and Performance raw packets, Host Discovery, Port Scanning Techniques in NSE, Raw packet network I/O raw sockets, Miscellaneous Options RD (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP (T2–T7), TCP RST data checksum (RD) reason reporting (see --reason) recent scans database, The Recent Scans Database recent_scans.txt, Per-user Configuration Files record route IP option, Firewall/IDS Evasion and Spoofing record timestamp IP option, Firewall/IDS Evasion and Spoofing Red Hat, Configure Directives Red Hat (Linux distribution) reference guide (man page), Nmap Reference Guide, Nmap Reference Guide registry (NSE),
The Registry, Initialization Phase regular expressions, Technique Described, match Directive (see also Perl Compatible Regular Expressions) for syntax highlighting in Zenmap, Sections of zenmap.conf removal, Removing Nmap resuming scans, Resuming Aborted Scans, Output retired OS detection tests, Retired Tests retransmission, Timing and Performance reverse DNS, Avatar Online, The Phases of an Nmap Scan, Introduction, Searching Saved Results disabling with -n, Host Discovery RFC 792, Host Discovery RFC 950, Host Discovery RID (OS detection response test), UDP (U1), Returned probe IP ID value (RID) omission of, Returned probe IP ID value (RID), Decoding the Subject Fingerprint Format Rieger, Gerhard, The History and Future of Nmap, Port Scanning Techniques RIPCK (OS detection response test), UDP (U1), Integrity of returned probe IP checksum value (RIPCK) RIPL (OS detection response test), UDP (U1), Returned probe IP total length value (RIPL) RND (decoy address), Firewall/IDS Evasion and Spoofing RPC, Technique Described bypassing filtered portmapper port (see RPC grinder) RPC grinder, Introduction, Usage and Examples, RPC Grinding, RPC Grinding, SunRPC Numbers: nmap-rpc, Service and Version Detection RPC scan (see RPC grinder) rpcbind, Usage and Examples, RPC Grinding rpcinfo, RPC Grinding RPM, RPM-based Distributions (Red Hat, Mandrake, SUSE, Fedora), Removing Nmap installing from, RPM-based Distributions (Red Hat, Mandrake, SUSE, Fedora) RUCK (OS detection response test), UDP (U1), Integrity of returned probe UDP checksum (RUCK) RUD (OS detection response test), UDP (U1), Integrity of returned UDP data (RUD) RUL (retired OS detection response test), Retired Tests rules in NSE (see “portrule” and “hostrule”) runlevel, dependencies Field, Matching Scripts with Targets “Running:”, Usage and Examples runtime interaction, Runtime Interaction S S (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP (T2–T7), TCP sequence number (S) “safe” script
category, Script Categories, The Head saving scan results, Saving and Loading Scan Results Saxon, Saving a Permanent HTML Report SCAN (subject OS fingerprint line), Decoding the Subject Fingerprint Format, Decoding the SCAN line of a subject fingerprint scan profiles (see Zenmap: scan profiles) Scanlogd, Firewall/IDS Evasion and Spoofing scanme.nmap.org, Is Unauthorized Port Scanning a Crime?, Target Specification Scanrand, Introduction “Scans” scan results tab, The “Scans” tab scan_profile.usp, Per-user Configuration Files Schubert, Max, Manipulating XML Output with Perl SCO Corporation, The History and Future of Nmap script arguments, Arguments to Scripts, Nmap Scripting Engine (NSE) (see also --script-args) script categories, Script Categories script database (see script.db) script dependencies, dependencies Field scR1pT kIddI3 output, $crIpT kIddI3 0uTPut (-oS), Output script kiddies, Saving the Human Race, Controlling Output Type, Port Scanning Techniques script names, examples of, Introduction script selection, Script Selection script.db, Command-line Arguments, Initialization Phase, Files Related to Scripting, Nmap Scripting Engine (NSE) (see also --script-updatedb) scripting (see Nmap Scripting Engine) scripts, location of, Command-line Arguments, Files Related to Scripting, Nmap Scripting Engine (NSE) SCTP checksum, Firewall/IDS Evasion and Spoofing SCTP COOKIE ECHO scan, Port Scanning Techniques SCTP INIT ping, Host Discovery SCTP INIT scan, Port Scanning Techniques SEQ (OS fingerprint category line), Sequence generation (SEQ, OPS, WIN, and T1) SERVICE column, Well Known Port List: nmap-services service detection (see version detection) service fingerprint, Introduction, Technique Described example of, Submit Service Fingerprints submission of, Introduction, Community Contributions “Service Info:”, Introduction, Usage and Examples service: (Zenmap search criterion), Host Filtering, Searching Saved Results setuid, why Nmap shouldn't be, Inappropriate Usage
Shimomura, Tsutomu, Usage and Examples SI (retired OS detection response test), Retired Tests SinFP, Passive Fingerprinting smb-brute.nse, dependencies Field smb-os-discovery.nse, dependencies Field Smith, Zach, The History and Future of Nmap sneaky (-T1) timing template, Can Port Scanning Crash the Target Computer/Networks?, Timing and Performance social engineering, Social engineering sockets in NSE, Connect-style network I/O soft match (version detection), Technique Described softmatch directive (nmap-service-probes), softmatch Directive, Putting It All Together Solar Designer, Firewall/IDS Evasion and Spoofing Solaris, installing on, Sun Solaris Song, Dug, Third-Party Software source address filtering, TCP Idle Scan (-sI) source code, Unix Compilation and Installation from Source Code advantages of, Unix Compilation and Installation from Source Code source port number, Firewall/IDS Evasion and Spoofing source routing, Firewall/IDS Evasion and Spoofing SP (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP ISN sequence predictability index (SP) spoofed packets, Idle Scan Step by Step, Idle Scan Implementation Algorithms, Dealing with Misidentified and Unidentified Hosts spoofing MAC address, Firewall/IDS Evasion and Spoofing spoofing source address, Firewall/IDS Evasion and Spoofing SS (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), Shared IP ID sequence Boolean (SS) SSL, ports and sslports Directives (see also sslports directive) in version detection, Usage and Examples, Technique Described, SSL Post-processor Notes, Service and Version Detection tunneling, Technique Described sslports directive (nmap-service-probes), ports and sslports Directives standard error, Controlling Output Type, Output standard output, Avatar Online, Controlling Output Type, Controlling Verbosity of Output, Interactive Output, XML Output (-oX), Output stderr (see standard error) stdout (see standard output) strftime conversions in 
filenames, Output Files, Controlling Output Type, Output strict.lua, Hacking NSE Libraries stylesheet, Creating HTML Reports, Output submission of OS corrections, When Nmap Guesses Wrong submission of OS fingerprints, When Nmap Fails to Find a Match and Prints a Fingerprint submission of service corrections, Submit Database Corrections submission of service fingerprints, Introduction, Community Contributions, Service and Version Detection $SUBST() version detection helper function, match Directive Subversion, Obtaining Nmap from the Subversion (SVN) Repository sudo, Executing Nmap on Mac OS X Summer of Code (see Google Summer of Code) Sun Solaris (see Solaris) SunRPC (see RPC) SUSE (Linux distribution) sv: (Zenmap search criterion, short for service:), Host Filtering, Searching Saved Results SVN (see Subversion) SYN ping, Host Discovery SYN scan, Port Scanning Techniques syntax highlighting, The “Nmap Output” tab T T (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP (T2–T7), IP initial time-to-live (T) T1 (OS fingerprint category line), Sequence generation (SEQ, OPS, WIN, and T1) T2–T7 (OS fingerprint category lines), TCP (T2–T7) t: (Zenmap search criterion, short for target:), Host Filtering, Searching Saved Results target specification, Target Specification at random, Target Specification from list, Target Specification in Zenmap, Scanning target: (Zenmap search criterion), Host Filtering, Searching Saved Results target_list.txt, Per-user Configuration Files TCP checksum, Firewall/IDS Evasion and Spoofing TCP flags, TCP flags (F), Port Scanning Techniques TCP Flags, Enabling Packet Tracing TCP options, TCP options (O, O1–O6) and OS detection, Sequence generation (SEQ, OPS, WIN, and T1), TCP timestamp option algorithm (TS) TCP sequence generation, Usage and Examples, TCP sequence number (S), Seq Index field TCP sequence prediction, Usage and Examples, TCP ISN sequence predictability index (SP) TCP timestamp, TCP timestamp option
algorithm (TS) TCP window size, TCP initial window size (W, W1–W6), Test expressions TCP/IP fingerprinting (see OS detection) TG (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP (T2–T7), IP initial time-to-live guess (TG) threads in NSE, Thread Mutexes three-way handshake, Host Discovery TI (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), IP ID sequence generation algorithm (TI, CI, II) time to live (TTL), Usage and Examples, IP initial time-to-live (T), Firewall/IDS Evasion and Spoofing timing, Timing and Performance, Timing and Performance slow, Is Unauthorized Port Scanning a Crime?, Can Port Scanning Crash the Target Computer/Networks? timing templates, Timing and Performance (see also paranoid, sneaky, polite, normal, aggressive, and insane) TM (SCAN line test), Decoding the SCAN line of a subject fingerprint “Topology” scan results tab, The “Topology” tab, Surfing the Network Topology TOS (see type of service) TOS (retired OS detection response test), Retired Tests TOSI (retired OS detection response test), Retired Tests totalwaitms directive (nmap-service-probes), totalwaitms Directive, Putting It All Together traceroute, The Phases of an Nmap Scan, Decoding the SCAN line of a subject fingerprint, Host Discovery translation (see localization) translations of manual pages, Environment Variables Trinity, Saving the Human Race “Trivial joke” TCP sequence generation class, Usage and Examples trust relationships, TCP Idle Scan (-sI), Port Scanning Techniques TS (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP timestamp option algorithm (TS) TTL (see time to live) type of service (TOS), ICMP echo (IE), Retired Tests U U1 (OS fingerprint category line), UDP (U1), Retired Tests, Decoding the SCAN line of a subject fingerprint Ubuntu, installing on, Debian Linux and Derivatives such as Ubuntu UDP ping, Host Discovery UDP scan, Port Scanning Techniques ufp: (Zenmap search criterion,
short for unfiltered:), Host Filtering, Searching Saved Results ultra_scan, The History and Future of Nmap Umit, The History and Future of Nmap, History UN (OS detection response test), UDP (U1), Unused port unreachable field nonzero (UN) unfiltered port state, Port and Host Rules, Host Filtering, Searching Saved Results, Description, Port Scanning Basics unfiltered: (Zenmap search criterion), Host Filtering, Searching Saved Results uninstallation, Removing Nmap Unix time, XML Output (-oX) Unix, installing on, Unix Compilation and Installation from Source Code unprivileged users, Miscellaneous Options uptime guess, Usage and Examples, OS Detection V V (SCAN line test), Decoding the SCAN line of a subject fingerprint v// (version) version detection field, match Directive vendor (OS detection), Device and OS classification (Class lines) verbosity, Controlling Verbosity of Output, Output (see also -v) verifying the integrity of downloads, Verifying the Integrity of Nmap Downloads version detection, The Phases of an Nmap Scan, Service and Application Version Detection, Service and Application Version Detection, Script Categories, Service and Version Detection, Service and Version Detection (see also “version” script category) confidence of, XML Output (-oX) creating new probes, Submit New Probes default intensity, Probe Selection and Rarity, Service and Version Detection examples, Usage and Examples, Usage and Examples features of, Introduction helper functions, match Directive information provided by, Usage and Examples, match Directive intensity, Probe Selection and Rarity, Service and Version Detection performance, Technique Described, Probe Selection and Rarity post-processors, Post-processors technique, Technique Described to improve UDP scan, Introduction, Technique Described using NSE, Introduction, Version Detection Using NSE version number of Nmap (see --version) “version” script category, Script Categories, Command-line Arguments, Version Detection Using NSE,
Initialization Phase virtual hosts, Cheats and Fallbacks Vogt, Jens, Windows “vuln” script category, Script Categories vulnerability detection, Introduction W W (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP explicit congestion notification (ECN), TCP initial window size (W, W1–W6) W1–W6 (OS detection response tests), Sequence generation (SEQ, OPS, WIN, and T1), TCP initial window size (W, W1–W6) WAP (see wireless access points) warranty (lack of), No Warranty web browser, Using XML Output web scanning, The History and Future of Nmap welcome banner, Technique Described well-known ports, Well Known Port List: nmap-services, Service and Version Detection white hat, Is Unauthorized Port Scanning a Crime? whois, Script Categories, Thread Mutexes whois.nse, Usage and Examples wildcards (see port selection, wildcards in) in script selection, Script Selection, Nmap Scripting Engine (NSE) WIN (OS fingerprint category line), Sequence generation (SEQ, OPS, WIN, and T1) window scan, Port Scanning Techniques Windows, Windows, Windows limitations of, Windows performance of, Windows running Nmap on, Executing Nmap on Windows self-installer, Windows Self-installer Windows 2000 Dependencies, Windows 2000 Dependencies zip binaries, Command-line Zip Binaries WinPcap, Third-Party Software wireless access points (WAPs), Detecting unauthorized and dangerous devices Wireshark, Firewall/IDS Evasion and Spoofing “Worthy challenge” TCP sequence generation class, Usage and Examples X x86 architecture, RPM-based Distributions (Red Hat, Mandrake, SUSE, Fedora) x86_64 architecture, RPM-based Distributions (Red Hat, Mandrake, SUSE, Fedora) Xalan, Saving a Permanent HTML Report Xcode, Compile Nmap from source code Xmas scan, Port Scanning Techniques .xml filename extension, Controlling Output Type XML output, Introduction, XML Output (-oX), Creating HTML Reports, Output converting to HTML, Creating HTML Reports document type definition, XML Output (-oX), Purpose
example, XML Output (-oX) parsing with Perl, Manipulating XML Output with Perl, Manipulating XML Output with Perl uses of, Using XML Output, Using XML Output viewing in a web browser, Using XML Output XSL, Creating HTML Reports, Output XSLT processors, Saving a Permanent HTML Report xsltproc, Saving a Permanent HTML Report Y Yellow Dog (Linux distribution) Yum, Updating Red Hat, Fedora, Mandrake, and Yellow Dog Linux with Yum Z Zalewski, Michal, Passive Fingerprinting Zenmap, Zenmap GUI Users' Guide, Zenmap GUI Users' Guide command-line options, Command-line Options comparing results, Comparing Results, Comparing Results configuration file (see zenmap.conf) dependencies of, Compile Zenmap from source code history of, History keyword search, Host Filtering, Searching Saved Results keyword search in, Searching Saved Results loading scan results, Saving and Loading Scan Results network inventory, Scan Aggregation profile editor, The Profile Editor purpose of, The Purpose of a Graphical Frontend for Nmap recent scans database, Searching Saved Results, Per-user Configuration Files disabling, Sections of zenmap.conf saving scan results, Saving and Loading Scan Results scan profiles, Profiles, The Profile Editor creating, The Profile Editor deleting, Editing or Deleting a Profile searching, Searching Saved Results, Searching Saved Results sorting by host, Sorting by Host sorting by service, Sorting by Service zenmap.db, Per-user Configuration Files (see also recent scans database) .zenmap directory, Per-user Configuration Files, Options Summary Zenmap search criteria, Searching Saved Results dates in, Searching Saved Results fuzzy date matching, Searching Saved Results zenmap.conf, The “Nmap Output” tab, Comparing Results, The nmap Executable, Per-user Configuration Files, Description of zenmap.conf, Description of zenmap.conf zenmap.db, Per-user Configuration Files (see recent scans database) ZENMAP_DEVELOPMENT environment variable, Error Output zenmap_version, Per-user
Configuration Files zombie host (idle scan), TCP Idle Scan (-sI), Finding a Working Idle Scan Zombie Host, Decoding the Subject Fingerprint Format

Nmap Network Scanning

Nmap Network Scanning is the official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book suits all levels of security and networking professionals. A 42-page reference guide documents every Nmap feature and option, while the rest of the book demonstrates how to apply those features to quickly solve real-world tasks. Examples and diagrams show actual communication on the wire. Topics include subverting firewalls and intrusion detection systems, optimizing Nmap performance, and automating common networking tasks with the Nmap Scripting Engine. Hints and instructions are provided for common uses such as taking network inventory, penetration testing, detecting rogue wireless access points, and quashing network worm outbreaks. Nmap runs on Windows, Linux, and Mac OS X. Nmap's original author, Gordon "Fyodor" Lyon, wrote this book to share everything he has learned about network scanning during more than a decade of Nmap development. It was briefly the #1 selling computer book on Amazon (screenshot). The book is in English, though several translations are in the works.

Key facts: The ISBN is 978-0-9799587-1-7 (ISBN-10 is 0-9799587-1-7) and suggested retail prices are $49.95 in the U.S., £34.95 in the U.K., and EUR39.95 in Europe.
Like most books, it costs less online (as little as $32.97 - see purchasing options). It is 468 pages long. The official release date was January 1, 2009, though Amazon managed to beat that by a couple weeks. About half of the content is available in the free online edition. Chapters exclusive to the print edition include "Detecting and Subverting Firewalls and Intrusion Detection Systems", "Optimizing Nmap Performance", "Port Scanning Techniques and Algorithms", "Host Discovery (Ping Scanning)", and more. The solution selections which provide detailed instructions on the best way to solve common networking tasks are also exclusive to the printed book. The final table of contents and cover art are available.

Reviews

Reviews are posted here as they come in. Please let me know if you post a review to your blog or anywhere else.

* "If you are looking for the book on Nmap, the search is over: NNS is a winner"--Richard Bejtlich's detailed review. NNS also made Bejtlich's Top Books of 2008 list.
* "This is the ultimate Nmap reference guide" on "Nmap, the legendary network scanner"--Ben Rothke's Slashdot review.
* "Released for sale on Amazon on December 6th and already number 1 best seller in the Computer books category, this is the MUST-HAVE book on network scanning."--David Heath's review for ITWire.
* "This is the most revealing technical book I've ever read about a security tool. Fyodor turns Nmap inside out to explain what it does, how it does it and why it was written that way. If you are looking for a definitive book on Nmap, this is it."--Ethan Ten's 5-star Amazon UK review.
* "Some light reading"--Metasploit author HD Moore.
* Nmap Network Scanning "is required reading for anyone securing a network" and "should be front and center on your desk for months and years to come"--Wireshark University founder Laura Chappell's glowing review.
* NNS is "a must-have book to get the most out of NMAP", filled with examples and analysis that are "like looking over an expert's shoulder"--Mike Fratto's glowing and informative Information Week review.
* "I am amazed that after all these years I still learn stuff about nmap. The book is good and you should buy it!"--David Maynor
* NNS will "quickly become required reading for network engineers, system administrators, and anyone working in the computer security arena....I have been using nmap for nearly a decade and there were still some great tips and tricks that I found for the first time in these pages."--Eddie Block's 5-star Amazon review.
* "Nmap is simply a required tool in the IT toolbox. Similarly, this book is required reading for anyone in IT to get the most out of that tool."--About.com network security expert Tony Bradley's detailed 5-star review.
* "The book goes into the detail you would expect with the sort of information that true aficionados lust after" while being "easy and fun to read with great examples along the way"--David Pybus's 5-star Amazon UK review.
* "I would recommend this as a must-have book for any network or security professional, as well as anyone wanting to learn more about TCP/IP"--JP Bourget's very detailed Ethical Hacker Network review.
* "Fyodor does an outstanding job covering everything from the most basic use of nmap, through advanced topics, such as evading detection"--Jon R. Kibler's enthusiastic review on the pen-test list.
* "Fyodor's absolute, incredibly definitive guide on Nmap will imbue you with rock-solid scanning stratagems"--Josef Chamberlin's 5-star Amazon review.
* "The wealth of information contained in this book will have even hardcore nmap experts learning a thing or two about the preeminent network scanner."--Brad Berkemier's review, which also calls NNS "engaging and informative" and "the ultimate nmap guide".
* "Nmap Network Scanning is a masterpiece that teaches the reader the Art of Network Mapping and Scanning ... one of the best books I've read in years."--Raul Siles' review.
* Foreign Coverage: Barrapunto (Spanish), Tecnozona (Spanish), Binary Zone (Arabic)

Purchase options

This page lists online and physical bookstores for purchasing Nmap Network Scanning. If the prices change, you find another good option, or you encounter bad service from any of these providers, please let me know.

* Amazon.Com sells the book for $32.97, which includes domestic shipping. It is also available from International Amazon sites such as Amazon.Co.UK, Amazon.CA, and Amazon.DE.
* Barnes & Noble stocks NNS at many of their U.S. stores. From their Nmap Network Scanning page, enter your zip code in the "pick me up" box on the right hand side for a list of nearby stores which carry it. You can also order it online from that page, though it is cheaper at Amazon.
* KIMBooks lists NNS for $29.97. Domestic (U.S.) shipping is $3.15, for a total price of $33.12.
* A1Books.Com lists the book for $30.32. Shipping is $3.95 to the US (total price: $34.27) or $8.99 international (total: $39.31). Save an additional 5% if you sign up with a .edu email address.
* Tower Books sells NNS for $35.99 with free domestic shipping.
* Germans can purchase the book online from Lehmanns or at their physical bookstores in Berlin and Hamburg (call first to ensure stocking).

Updates

Several people asked whether Nmap Network Scanning is still up to date, particularly after the release of Nmap 5.00. The good news is that virtually all of the content remains accurate. But we have added some new features and NSE scripts which aren't yet documented in NNS. For a comprehensive and completely current view of Nmap, I recommend reading Nmap Network Scanning first, then reading all the changelog entries we've produced since the book was finished. The book is completely up-to-date with Nmap 4.76.
So after (or before) you're done reading Nmap Network Scanning, visit the Nmap changelog and search in the file for "Nmap 4.76". Read each item upward from there (scrolling backward) until you get to the top.

Translations

We would love to make the Nmap book more accessible by working with foreign publishers who will translate and distribute it in their markets. If you are such a publisher or know a good one to suggest, please let me know. Here are the current or in-progress translations:

* Nmap - Netzwerke scannen, analysieren und absichern is the German translation by Open Source Press, released in June 2009 at a list price of EUR39.90. Translation was performed expertly by Dinu Gherman. They have contributed back their Nmap Reference Guide German translation.
* Exame de Redes con NMAP is the Brazilian Portuguese translation by Editora Ciência Moderna. Translation was done by Angico and release was August 26, 2009. You can buy it directly from the publisher for R$95.20.
* The official Korean translation, entitled 엔맵 네트워크 스캐닝, has been created by Acorn Publishing Co. The release date was November 16, 2009 at a list price of KRW 35,000.

Current status

August 26: Many Barnes & Noble stores now stock NNS, as described in the purchasing section.
August 26: Editora Ciência Moderna released the Brazilian Portuguese translation. See translations.
July 31: Held a book signing at Defcon. All copies sold out in 3 hours.
July 17: Added Updates section.
July 16: Nmap 5.00 released!
June 11: The German translation from Open Source Press is now available. They also contributed back a German translation of the Nmap Reference Guide.
January 30: Today the Amazon price is back to $32.97 after several days at $37.96. I hope they keep it at this price!
January 23: Amazon has raised their prices, so I've added more purchase options, though the cheapest is still only about $4.50 less than Amazon when domestic shipping is taken into account.
January 21: NNS receives a glowing review from About.Com.
January 19: Translation contracts have been signed for Korean and Brazilian Portuguese editions of Nmap Network Scanning! See the new Translations section for details.
January 5: Acorn Publishing Co. will be publishing the official Korean translation of Nmap Network Scanning! Release is expected in August.
January 4: NNS is finally in stock at Amazon U.K. and Amazon Germany. Amazon Canada currently still has a 1-3 week backlog.
December 31, 2008: NNS makes Richard Bejtlich's TaoSecurity Top Books of 2008 list.
December 29, 2008: A new Information Week review is one of the best so far!
December 19, 2008: The book is back in stock on Amazon after a 10 day dry spell!
December 10, 2008: Amazon has now indexed this book as part of their "Search Inside" program. While Amazon intends this as a marketing tool for prospective buyers, it can be even more useful for folks who already own the book. While we're proud of our index, Search Inside can help find more obscure terms or combinations of them. You can try this out by visiting the Amazon NNS page, scrolling down to the Search Inside box, and typing in a term such as Trinity or Microsoft.
December 9, 2008: Sales were so high that Amazon ran out of stock in the US, UK, and Germany. They say it may take a week or more to ship. Amazon still offers a great price, but for those who can't wait, I've added a purchasing options section. It includes vendors such as A1Books and Barnes & Noble with NNS in stock now.
December 9, 2008: Nmap Network Scanning sales surge further to become #1 on Amazon's computer book best seller list! Since we can't keep that rank forever, I took a screenshot (larger version).
December 8, 2008: An excellent Slashdot review causes NNS to rocket into Amazon's top 10 computer books.
December 6, 2008: Amazon has fixed the price so it is now $33.71 rather than $49.95. NNS is in stock and shipping!
December 2, 2008: The book has an initial page on Amazon. You can pre-order it now, but Amazon is showing a pre-order price of $49.95. I expect the price to be about $33 when Amazon starts shipping it within a week or two. Amazon will probably refund the difference per their "Pre-order price guarantee", but it might be safer to wait. Book seller BOOKSPLUSMORESTUFF claims to have the book "in stock" on Amazon for $53.94 including shipping. That may or may not be true.
November 14, 2008: The book is finished and submitted to the printer! The official release date is January 1, 2009, though our goal is to make it available on Amazon and other retailers by mid-December. To be notified upon publication, join the low-traffic nmap-hackers announcement mailing list.
September 15, 2008: The Black Hat/Defcon pre-release was a huge success! All of the Defcon copies were snapped up as soon as the vendor room opened, and the Black Hat copies also sold out in the first morning of the conference. Thanks to Bill Pollock of No Starch Press and Dave Hemsath of BreakPoint Books for handling sales. My conference presentation video and audio have been posted online just in time for the Nmap 4.75 release, which includes the new features discussed in that presentation.
July 25, 2008: Defcon Pre-Release announced! We have decided to launch the book with a limited pre-release version at Defcon 16.
July 1, 2008: After years of work, Nmap Network Scanning is nearing completion. You can browse the current table of contents to see what is coming.
We recently conducted a test-printing of some prepublication copies.

For the latest news about the Nmap book, join the low-traffic nmap-hackers announcement mailing list.

Chapter 2. Obtaining, Compiling, Installing, and Removing Nmap

FreeBSD / OpenBSD / NetBSD

The BSD flavors are well supported by Nmap, so you can simply compile it from source as described in the section called "Unix Compilation and Installation from Source Code". This provides the normal advantages of always having the latest version and a flexible build process.
If you prefer binary packages, these *BSD variants each maintain their own Nmap packages. Many BSD systems also have a ports tree which standardizes the compilation of popular applications. Instructions for installing Nmap on the most popular *BSD variants follow.

OpenBSD Binary Packages and Source Ports Instructions

According to the OpenBSD FAQ, users "are HIGHLY advised to use packages over building an application from ports. The OpenBSD ports team considers packages to be the goal of their porting work, not the ports themselves." That same FAQ contains detailed instructions for each method. Here is a summary:

Installation using binary packages

1. Choose a mirror from http://www.openbsd.org/ftp.html, then FTP in and grab the Nmap package from /pub/OpenBSD//packages//nmap-.tgz. Or obtain it from the OpenBSD distribution CD-ROM.
2. As root, execute:

       pkg_add -v nmap-.tgz

Installation using the source ports tree

1. If you do not already have a copy of the ports tree, obtain it via CVS using instructions at http://openbsd.org/faq/faq15.html.
2. As root, execute the following command (replace /usr/ports with your local ports directory if it differs):

       cd /usr/ports/net/nmap && make install clean

FreeBSD Binary Package and Source Ports Instructions

The FreeBSD project has a whole chapter in their Handbook describing the package and port installation processes. A brief summary of the process follows.

Installation of the binary package

The easiest way to install the binary Nmap package is to run pkg_add -r nmap. You can then run the same command with the zenmap argument if you want the X-Window front-end. If you wish to obtain the package manually instead, retrieve it from http://freshports.org/security/nmap and http://freshports.org/security/zenmap or the CDROM and run pkg_add .

Installation using the source ports tree

1. The ports tree is often installed with the system itself (usually in /usr/ports). If you do not already have it, specific installation instructions are provided in the FreeBSD Handbook chapter referenced above.
2. As root, execute:

       cd /usr/ports/security/nmap && make install clean

NetBSD Binary Package Instructions

NetBSD has packaged Nmap for an enormous number of platforms, from the normal i386 to PlayStation 2, PowerPC, VAX, SPARC, MIPS, Amiga, ARM, and several platforms that I have never even heard of! A list of NetBSD Nmap packages is available from ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/net/nmap/README.html and a description of using their package system to install applications is available at http://netbsd.org/Documentation/pkgsrc/using.html.

Linux Distributions

Linux is the most popular platform for running Nmap. In one user survey, 86% said that Linux was at least one of the platforms on which they run Nmap.
The first release of Nmap in 1997 only ran on Linux. Linux users can choose between a source code install or using binary packages provided by their distribution or Insecure.Org. The binary packages are generally quicker and easier to install, and are often slightly customized to use the distribution's standard directory paths and such. These packages also allow for consistent management in terms of upgrading, removing, or surveying software on the system. A downside is that packages created by the distributions are necessarily behind the Nmap.Org source releases. Most Linux distributions (particularly Debian and Gentoo) keep their Nmap package relatively current, though a few are way out of date. Choosing the source install allows for more flexibility in determining how Nmap is built and optimized for your system. To build Nmap from source, see the section called "Unix Compilation and Installation from Source Code". Here are simple package instructions for the most common distributions.

RPM-based Distributions (Red Hat, Mandrake, SUSE, Fedora)

I build RPM packages for every release of Nmap and post them to the Nmap download page at http://nmap.org/download.html. I build two packages: the nmap package contains just the command-line executable and data files, while the zenmap package contains the optional Zenmap graphical frontend (see Chapter 12, Zenmap GUI Users' Guide). The zenmap package requires that the nmap package be installed first. One downside to installing the RPMs rather than compiling from source is that the RPMs don't support OpenSSL for version detection and Nmap Scripting Engine probing of SSL services.

Installing via RPM is quite easy; it even downloads the package for you when given the proper URLs. The following example downloads and installs Nmap 4.68, including the frontend. Of course you should use the latest version at the download site above instead. Any existing RPM-installed versions are upgraded. Example 2.8 demonstrates this installation process.

Example 2.8. Installing Nmap from binary RPMs

    # rpm -vhU http://nmap.org/dist/nmap-4.68-1.i386.rpm
    Retrieving http://nmap.org/dist/nmap-4.68-1.i386.rpm
    Preparing...                ########################################### [100%]
       1:nmap                   ########################################### [100%]
    # rpm -vhU http://nmap.org/dist/zenmap-4.68-1.noarch.rpm
    Retrieving http://nmap.org/dist/zenmap-4.68-1.noarch.rpm
       1:zenmap                 ########################################### [100%]

As the filenames above imply, these binary RPMs were created for normal PCs (x86 architecture). I also distribute x86_64 binaries for 64-bit Linux users. These binaries won't work for the relatively few Linux users on other platforms such as SPARC, Alpha, or PowerPC. They also may refuse to install if your library versions are sufficiently different from what the RPMs were initially built on. One option in these cases would be to find binary RPMs prepared by your Linux vendor for your specific distribution. The original install CDs or DVD are a good place to start. Unfortunately, those may not be current or available. Another option is to install Nmap from source code as described previously, though you lose the binary package maintenance consistency benefits. A third option is to build and install your own binary RPMs from the source RPMs distributed from the download page above. Example 2.9 demonstrates this technique with Nmap 4.68.

Example 2.9. Building and installing Nmap from source RPMs

    > rpmbuild --rebuild http://nmap.org/dist/nmap-4.68-1.src.rpm
    [ hundreds of lines cut ]
    Wrote: /home/fyodor/rpmdir/RPMS/i386/nmap-4.68-1.i386.rpm
    [ cut ]
    > su
    Password:
    # rpm -vhU /home/fyodor/rpmdir/RPMS/i386/nmap-4.68-1.i386.rpm
    #

It is not necessary to rebuild Zenmap in this fashion because the Zenmap RPM is architecture-independent ("noarch"). For that reason there are no Zenmap source RPMs. Removing RPM packages is as easy as rpm -e nmap zenmap.
Updating Red Hat, Fedora, Mandrake, and Yellow Dog Linux with Yum

The Red Hat, Fedora, Mandrake, and Yellow Dog Linux distributions have an application named Yum which manages software installation and updates from central RPM repositories. This makes software installation and updates trivial. Since distribution-specific Yum repositories are normally used, you know the software has already been tested for compatibility with your particular distribution.

Most distributions do maintain Nmap in their Yum repository, but they don't always keep it up to date. This is particularly problematic if you (like most people) don't always quickly update to the latest release of your distribution. If you are running a two-year old Linux release, Yum will often give you a two-year-old version of Nmap. Even the latest version of distributions often take months to update to a new Nmap release. So for the latest version of Nmap on these systems, try the RPMs we distribute as described in the previous section.

But if our RPMs aren't compatible with your system or you are in a great hurry, installing Nmap from Yum is usually as simple as executing yum install nmap (run yum install nmap zenmap if you would like the GUI too, though some distributions don't yet package Zenmap). Yum takes care of contacting a repository on the Internet, finding the appropriate package for your architecture, and then installing it along with any necessary dependencies. This is shown (edited for brevity) in Example 2.10. You can later perform yum update to install available updates to Nmap and other packages in the repository.

Example 2.10. Installing Nmap from a system Yum repository

    flog~# yum install nmap
    Setting up Install Process
    Parsing package install arguments
    Resolving Dependencies
    --> Running transaction check
    ---> Package nmap.x86_64 2:4.52-1.fc8 set to be updated
    --> Finished Dependency Resolution

    Dependencies Resolved

    =============================================================================
     Package                 Arch       Version          Repository        Size
    Installing:
     nmap                    x86_64     2:4.52-1.fc8     updates           1.0 M

    Transaction Summary
    Install      1 Package(s)
    Update       0 Package(s)
    Remove       0 Package(s)

    Total download size: 1.0 M
    Is this ok [y/N]: y
    Downloading Packages:
    (1/1): nmap-4.52-1.fc8.x8 100% |=========================| 1.0 MB    00:02
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing: nmap                         ######################### [1/1]

    Installed: nmap.x86_64 2:4.52-1.fc8
    Complete!

Debian Linux and Derivatives such as Ubuntu

LaMont Jones does a fabulous job maintaining the Nmap .deb packages, including keeping them reasonably up-to-date. The proper upgrade/install command is apt-get install nmap. This works for Debian derivatives such as Ubuntu too. Information on the latest Debian "stable" Nmap package is available at http://packages.debian.org/stable/nmap and the development ("unstable") Nmap and Zenmap packages are available from http://packages.debian.org/unstable/nmap and http://packages.debian.org/unstable/zenmap.

Other Linux Distributions

There are far too many Linux distributions available to list here, but even many of the obscure ones include Nmap in their package tree. If they don't, you can simply compile from source code as described in the section called "Unix Compilation and Installation from Source Code".
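The warning above, that a distribution repository may hand you a version of Nmap that is years behind the current release, is easy to turn into a check that runs on every host you administer. The script below is an added example and is not code from the book or the Nmap project. It parses the version string that nmap -V prints (the sample line is constructed to match the format Nmap used at the time) and compares it, component by component, against a reference version you supply, which is what a package inventory or hardening audit needs to decide whether the scanner on a box is stale.

```shell
# Added example (not from the book): flag a packaged Nmap that is older than
# a reference release. The "nmap -V" line below is constructed sample output
# in the format Nmap printed at the time of this chapter.
SAMPLE_NMAP_V='Nmap version 4.52 ( http://nmap.org )'

# Print the bare version number found in "nmap -V" output, or nothing.
nmap_version_of() {
    printf '%s\n' "$1" | sed -n 's/^Nmap version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed (exit 0) when dotted version $1 sorts before $2. Components are
# compared as integers, so 4.9 is older than 4.52 and 4.68 is older than
# 4.68.1; a plain string comparison would get the first of these wrong.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai:-0};  bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
    done
    return 1
}

# Exit 0 if the Nmap described by "nmap -V" output $1 is older than $2,
# 1 if it is current or newer, 2 if the output could not be parsed.
nmap_is_behind() {
    installed=$(nmap_version_of "$1")
    [ -n "$installed" ] || return 2
    version_lt "$installed" "$2"
}

# Stand-alone use: sh check-nmap-version.sh 4.68
# Reads the real nmap if one is on the PATH, otherwise the constructed sample.
if [ $# -ge 1 ]; then
    if command -v nmap >/dev/null 2>&1; then out=$(nmap -V); else out=$SAMPLE_NMAP_V; fi
    if nmap_is_behind "$out" "$1"; then
        echo "installed Nmap $(nmap_version_of "$out") is older than $1"
    else
        echo "installed Nmap is $1 or newer (or its version could not be parsed)"
    fi
fi
```

The reference version has to come from somewhere authoritative, such as the download page mentioned above; the script deliberately does not fetch it, so it can run on hosts without Internet access.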
Apple Mac OS X

Thanks to several people graciously donating shell accounts on their Mac OS X boxes, Nmap usually compiles on that platform without problems. Because not everyone has the development tools necessary to compile from source, there is an executable installer as well. Nmap is also available through systems such as MacPorts and Fink which package Unix software for Mac OS X.

Executable Installer

The easiest way to install Nmap and Zenmap on Mac OS X is to use our installer. The Mac OS X section of the Nmap download page provides a file named nmap-.dmg, where is the version number of the most recent release. The .dmg file is known as a "disk image". Installation instructions follow:

1. Download the file nmap-.dmg. Double-click the icon to open it. (Depending on how you downloaded the file, it may be opened automatically.)
2. The contents of the disk image will be displayed. One of the files will be a Mac meta-package file named nmap-.mpkg. Double-click it to start the installer.
3. Follow the instructions in the installer. You will be asked for your password since Nmap installs in a system directory.
4. Once the installer is finished, eject the disk image by control-clicking on its icon and selecting "Eject". The disk image may now be placed in the trash.

See the instructions in the section called "Executing Nmap on Mac OS X" for help on running Nmap and Zenmap after they are installed.

The programs installed by the installer are universal binaries that will run on Mac OS X 10.4 (Tiger) or later. Users of earlier versions will have to compile from source or use a third-party package.

Compile from Source Code

Compiling Nmap from source on Mac OS X is no more difficult than on other platforms once a proper build environment is in place.

Compile Nmap from source code

Compiling Nmap on Mac OS X requires Xcode, Apple's developer tools that include GCC and the rest of the usual build system. Xcode is not installed by default, but is available as an optional install on the Mac OS X installation discs. If you do not have the installation discs or if you want a newer version, you can download Xcode free of charge by following these steps.

1. Apple restricts downloads of Xcode to members of the Apple Developer Connection. Browse to http://connect.apple.com and fill out some forms to create an account. Skip to the next step if you already have an account.
2. Return to http://connect.apple.com and log in with your account credentials.
3. Hit the Download link and then choose Developer Tools.
4. Download and install the most recent Xcode.

These exact steps may change, but it is hoped that this general approach will continue to work. Once you have installed Xcode, follow the compilation instructions found in the section called "Unix Compilation and Installation from Source Code". Note that on some older versions of Mac OS X, you may have to replace the command ./configure with ./configure CPP=/usr/bin/cpp.

Compile Zenmap from source code

Zenmap depends on some external libraries that do not come with Mac OS X, including GTK+ and PyGTK. These libraries have many dependencies of their own. A convenient way to install all of them is to use a third-party packaging system as described in the following section, Third-party Packages. Once the dependencies are installed, follow the instructions in the section called "Unix Compilation and Installation from Source Code" to install Zenmap as usual.

Third-party Packages

Another option for installing Nmap is to use a system which packages Unix software for Mac OS X. The two discussed here are Fink and MacPorts. See the respective projects' web sites for how to install the package managers.

To install using Fink, run the command fink install nmap. Nmap will be installed as /sw/bin/nmap. To uninstall use the command fink remove nmap.

To install using MacPorts, run sudo port install nmap. Nmap will be installed as /opt/local/bin/nmap. To uninstall, run sudo port uninstall nmap.

These systems install the nmap executable outside the global PATH. To enable Zenmap to find it, set the nmap_command_path variable in zenmap.conf to /sw/bin/nmap or /opt/local/bin/nmap as described in the section called "The nmap Executable".

Executing Nmap on Mac OS X

The terminal emulator in Mac OS X is called Terminal, and is located in the directory /Applications/Utilities. Open it and a terminal window appears. This is where you will type your commands.

By default the root user is disabled on Mac OS X. To run a scan with root privileges prefix the command name with sudo, as in sudo nmap -sS . You will be asked for a password, which is just your normal login password. Only users with administrator privileges can do this.

Zenmap requires the X11 application to be installed. If it was not installed by default it may be available as an optional install on the Mac OS X installation discs. When Zenmap is started, a dialog is displayed requesting that you type your password. Users with administrator privileges may enter their password to allow Zenmap to run as the root user and run more advanced scans.
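Before the privilege dialog matters at all, Zenmap has to be able to find the nmap binary, which the Third-party Packages section above notes is installed outside the global PATH by Fink and MacPorts. The script below is an added example, not code from the book or the Zenmap project, for making that nmap_command_path change without hand-editing the file. It assumes things the page does not state: that zenmap.conf is an INI-style file, that the key lives in a section named [paths], and that the per-user copy is ~/.zenmap/zenmap.conf; adjust the section name or path if your copy differs.

```shell
# Added example (not from the book): point Zenmap at an nmap binary that lives
# outside the global PATH by editing zenmap.conf in place. Assumptions, not
# stated on this page: the file uses INI-style sections, the key lives in a
# section named [paths], and the per-user copy is ~/.zenmap/zenmap.conf.

# Set nmap_command_path in the [paths] section of $1 to $2. An existing key is
# replaced (only the first copy is kept); a missing key or section is added.
set_zenmap_nmap_path() {
    conf=$1; newpath=$2
    [ -f "$conf" ] || printf '[paths]\n' > "$conf"
    awk -v p="$newpath" '
        /^\[/ {
            # leaving [paths] without having seen the key: add it here
            if (insec && !done) { print "nmap_command_path = " p; done = 1 }
            insec = ($0 == "[paths]")
        }
        insec && /^nmap_command_path[ \t]*=/ {
            if (!done) { print "nmap_command_path = " p; done = 1 }
            next
        }
        { print }
        END {
            if (!done) {
                if (!insec) print "[paths]"
                print "nmap_command_path = " p
            }
        }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Read the value back so a change can be verified (prints nothing if unset).
zenmap_nmap_path() {
    awk -F= '
        /^\[/ { insec = ($0 == "[paths]"); next }
        insec && $1 ~ /^nmap_command_path[ \t]*$/ {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit
        }' "$1"
}

# Stand-alone use: sh zenmap-path.sh /sw/bin/nmap        (Fink)
#                  sh zenmap-path.sh /opt/local/bin/nmap (MacPorts)
if [ $# -ge 1 ]; then
    conf_file=${ZENMAP_CONF:-$HOME/.zenmap/zenmap.conf}
    set_zenmap_nmap_path "$conf_file" "$1"
    zenmap_nmap_path "$conf_file"
fi
```

Writing to a temporary file and renaming it over the original keeps the configuration intact if awk fails part way; the read-back function is there so a deployment script can assert the change took effect rather than assume it.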
To run Zenmap in unprivileged mode, select the "Cancel" button on this authentication dialog.

Amiga, HP-UX, IRIX, and Other Platforms

One of the wonders of Open Source development is that resources are often directed towards what people find exciting rather than having an exclusive focus on profits as most corporations do. It is along those lines that the Amiga port came about. Diego Casorran performed most of the work and sent in a clean patch which was integrated into the main Nmap distribution. In general, AmigaOS users should be able to simply follow the source compilation instructions in the section called "Unix Compilation and Installation from Source Code". You may encounter a few hurdles on some systems, but I presume that must be part of the fun for Amiga fanatics.

Nmap supports many proprietary Unix flavors such as HP-UX and SGI IRIX. The Nmap project depends on the user community to help maintain adequate support for these systems. If you have trouble, try sending a report with full details to the nmap-dev mailing list, as described in the section called "Bugs". Also let us know if you develop a patch which improves support on your platform so we can incorporate it into Nmap.

Removing Nmap

If your purpose for removing Nmap is simply to upgrade to the latest version, you can usually use the upgrade option provided by most binary package managers. Similarly, installing the latest source code (as described in the section called "Unix Compilation and Installation from Source Code") generally overwrites any previous from-source installations. Removing Nmap is a good idea if you are changing install methods (such as from source to RPM or vice versa) or if you are not using Nmap anymore and you care about the few megabytes of disk space it consumes.

How to remove Nmap depends on how you installed it initially (see previous sections). Ease of removal (and other maintenance) is a major advantage of most binary packages.
For example, when Nmap is installed using the RPM system common on Linux distributions, it can be removed by running the command rpm -e nmap zenmap as root. Analogous options are offered by most other package managers; consult their documentation for further information.

If you installed Nmap from the Windows installer, simply open the Control Panel, select "Add or Remove Programs" and select the "Remove" button for Nmap. You can also remove WinPcap unless you need it for other applications such as Wireshark.

If you installed Nmap from source code, removal is slightly more difficult. If you still have the build directory available (where you initially ran make install), you can remove Nmap by running make uninstall. If you no longer have that build directory, type nmap -V to obtain the Nmap version number. Then download the source tarball for that version of Nmap from http://nmap.org/dist/ or http://nmap.org/dist-old/. Uncompress the tarball and change into the newly created directory (nmap-). Run ./configure, including any install-path options that you specified the first time (such as --prefix or --datadir). Then run make uninstall.

Alternatively, you can simply delete all the Nmap-related files. If you used a default source install of Nmap versions 4.50 or higher, the following commands remove it.

    # cd /usr/local
    # rm -f bin/nmap bin/nmapfe bin/xnmap
    # rm -f man/man1/nmap.1 man/man1/zenmap.1
    # rm -rf share/nmap
    # ./bin/uninstall_zenmap

You may have to adjust the above commands slightly if you specified --prefix or another install-path option when first installing Nmap. The files relating to zenmap, nmapfe, and xnmap do not exist if you did not install the Zenmap frontend.
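The manual removal commands above hard-code /usr/local, and the text notes that a different --prefix (described under Configure Directives, where /usr/local/bin, /usr/local/man/man1 and /usr/local/share/nmap are given as the default layout) moves every file. The script below is an added example, not code from the book or the Nmap project. It turns that file list into a function of the prefix, reports which of those paths actually exist (an empty result is the usual sign that a different prefix was used), and only deletes when explicitly told to; it also rebuilds the source tarball URL from nmap -V output for the "re-run ./configure, then make uninstall" route, on the assumption that release tarballs are named nmap-<version>.tar.bz2 as the download step earlier in this chapter shows.

```shell
# Added example (not from the book): inspect, and optionally remove, a default
# source install of Nmap 4.50 or later under a given prefix. The file list is
# the one given above for /usr/local; --prefix moves all of it.

# Print the paths a source install creates under $1 (default /usr/local).
nmap_install_targets() {
    prefix=${1:-/usr/local}
    printf '%s\n' \
        "$prefix/bin/nmap" "$prefix/bin/nmapfe" "$prefix/bin/xnmap" \
        "$prefix/man/man1/nmap.1" "$prefix/man/man1/zenmap.1" \
        "$prefix/share/nmap"
}

# Print only those targets that exist. Empty output means nothing is
# installed there, which usually means a different --prefix was used.
nmap_installed_files() {
    nmap_install_targets "$1" | while IFS= read -r f; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Rebuild the source tarball URL for the installed version, for the
# "re-run ./configure, then make uninstall" route. $1 is "nmap -V" output.
# Assumes the nmap-<version>.tar.bz2 naming used by the download step.
nmap_tarball_url() {
    v=$(printf '%s\n' "$1" | sed -n 's/^Nmap version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$v" ] || return 1
    printf 'http://nmap.org/dist/nmap-%s.tar.bz2\n' "$v"
}

# Dry run by default: show what would go. Pass --really as $2 to delete.
# uninstall_zenmap is run rather than deleted, as in the commands above.
nmap_uninstall() {
    prefix=${1:-/usr/local}; mode=${2:-dry-run}
    zen="$prefix/bin/uninstall_zenmap"
    if [ -x "$zen" ]; then
        if [ "$mode" = "--really" ]; then "$zen"; else printf 'would run: %s\n' "$zen"; fi
    fi
    nmap_installed_files "$prefix" | while IFS= read -r f; do
        if [ "$mode" = "--really" ]; then
            rm -rf "$f"
        else
            printf 'would remove: %s\n' "$f"
        fi
    done
}

# Stand-alone use: sh nmap-uninstall.sh /usr/local [--really]
# Run it as the user that performed the install (root for /usr/local).
if [ $# -ge 1 ]; then
    nmap_uninstall "$@"
fi
```

Run the dry run first and compare its output with what you expect from the layout above; if it lists nothing, check the prefix before reaching for rm.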
Sun Solaris

Solaris has long been well-supported by Nmap. Sun even donated a complete SPARCstation to the project, which is still being used to test new Nmap builds. For this reason, many Solaris users compile and install from source code as described in the section called "Unix Compilation and Installation from Source Code".

Users who prefer native Solaris packages will be pleased to learn that Steven Christensen does an excellent job of maintaining Nmap packages at http://www.sunfreeware.com for all modern Solaris versions and architectures. Instructions are on his site, and are generally very simple: download the appropriate Nmap package for your version of Solaris, decompress it, and then run pkgadd -d . As is generally the case with contributed binary packages, these Solaris packages are simple and quick to install. The advantages of compiling from source are that a newer version may be available and you have more flexibility in the build process.

Unix Compilation and Installation from Source Code

While binary packages (discussed in later sections) are available for most platforms, compilation and installation from source code is the traditional and most powerful way to install Nmap. This ensures that the latest version is available and allows Nmap to adapt to the library availability and directory structure of your system. For example, Nmap uses the OpenSSL cryptography libraries for version detection when available, but most binary packages do not include this functionality. On the other hand, binary packages are generally quicker and easier to install, and allow for consistent management (installation, removal, upgrading, etc.) of all packaged software on the system.

Source installation is usually a painless process: the build system is designed to auto-detect as much as possible. Here are the steps required for a default install:

1. Download the latest version of Nmap in .tar.bz2 (bzip2 compression) or .tgz (gzip compression) format from http://nmap.org/download.html.
2. Decompress the downloaded tarball with a command such as:

       bzip2 -cd nmap-.tar.bz2 | tar xvf -

   With GNU tar, the simpler command tar xvjf nmap-.tar.bz2 does the trick. If you downloaded the .tgz version, replace bzip2 with gzip in the decompression command.
3. Change into the newly created directory:

       cd nmap-

4. Configure the build system:

       ./configure

   If the configuration succeeds, an ASCII art dragon appears to congratulate you on successful configuration and warn you to be careful, as shown in Example 2.7.

Example 2.7. Successful configuration screen

    flog~/nmap> ./configure
    checking build system type... x86_64-unknown-linux-gnu
    [hundreds of lines cut]
    configure: creating ./config.status
    config.status: creating Makefile
    config.status: creating nsock_config.h
    config.status: nsock_config.h is unchanged
    [ASCII art dragon, not reproducible here]
    NMAP IS A POWERFUL TOOL -- USE CAREFULLY AND RESPONSIBLY
    Configuration complete.  Type make (or gmake on some *BSD machines) to compile.

5. Build Nmap (and the Zenmap GUI if its requirements are met):

       make

   Note that GNU Make is required. On BSD-derived Unix systems, this is often installed as gmake. So if make returns a bunch of errors such as "Makefile, line 1: Need an operator", try running gmake instead.

6. Become a privileged user for system-wide install:

       su root

   This step may be skipped if you only have an unprivileged shell account on the system. In that case, you will likely need to pass the --prefix option to configure in step four as described in the next section.

7. Install Nmap, support files, docs, etc.:

       make install

   Congratulations! Nmap is now installed as /usr/local/bin/nmap! Run it with no arguments for a quick help screen.

As you can see above, a simple source compilation and install consists of little more than running ./configure;make;make install as root. However, there are a number of options available to configure that affect the way Nmap is built.
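The seven steps above are what most people script sooner or later, and the two places the procedure trips up are step 2 (which decompressor matches the tarball you downloaded) and step 5 (make is not GNU Make on BSD systems). The script below is an added example, not code from the book or the Nmap project. It expects a tarball you have already downloaded plus an optional prefix, selects the portable "decompressor | tar" pipeline by suffix, derives the nmap-<version> directory from the file name so step 3 is not guessed, picks whichever of make/gmake reports itself as GNU Make, and then runs configure, build and install with that prefix; when the prefix is under your home directory the root step is unnecessary, as the text notes.

```shell
# Added example (not from the book): scripted version of the seven-step source
# install. It expects an already downloaded tarball and a prefix; it does not
# fetch anything, and the install step runs as whoever invokes it.

# Print the pipeline that unpacks an Nmap tarball, chosen by file suffix.
# The "decompressor | tar xf -" form from step 2 works with non-GNU tar.
extract_command() {
    case $1 in
        *.tar.bz2)       printf 'bzip2 -cd %s | tar xf -\n' "$1" ;;
        *.tgz|*.tar.gz)  printf 'gzip -cd %s | tar xf -\n'  "$1" ;;
        *)               return 1 ;;
    esac
}

# Derive the directory the tarball unpacks into (nmap-<version>) from its
# name, so step 3 can be scripted instead of guessed.
source_dir_for() {
    d=$(basename "$1")
    d=${d%.tar.bz2}; d=${d%.tgz}; d=${d%.tar.gz}
    printf '%s\n' "$d"
}

# Step 5 requires GNU Make, which BSD systems install as gmake. Print the
# first of make/gmake that identifies itself as GNU Make, else fail.
gnu_make() {
    for m in make gmake; do
        if "$m" --version 2>/dev/null | grep -q 'GNU Make'; then
            printf '%s\n' "$m"; return 0
        fi
    done
    return 1
}

# Steps 2 to 7: unpack, configure with the chosen prefix, build, install.
# A non-root user can install under --prefix="$HOME" (step 6 is then skipped).
build_nmap() {
    tarball=$1; prefix=${2:-/usr/local}
    cmd=$(extract_command "$tarball") || { echo "unrecognised tarball: $tarball" >&2; return 1; }
    mk=$(gnu_make) || { echo "GNU Make not found; install gmake" >&2; return 1; }
    sh -c "$cmd" || return 1
    (
        cd "$(source_dir_for "$tarball")" || exit 1
        ./configure --prefix="$prefix" || exit 1
        "$mk" || exit 1
        "$mk" install
    )
}

# Stand-alone use: sh build-nmap.sh nmap-4.68.tar.bz2 [/usr/local]
if [ $# -ge 1 ]; then
    build_nmap "$@"
fi
```

Each stage stops the script on failure, so a configure error (a missing OpenSSL development package, for example) is not followed by an install of a half-built tree.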
Configure Directives

Most of the Unix build options are controlled by the configure script, as used in step four above. There are dozens of command-line parameters and environment variables which affect the way Nmap is built. Run ./configure --help for a huge list with brief descriptions. These are not applicable to building Nmap on Windows. Here are the options which are either specific to Nmap or particularly important:

--prefix=
    This option, which is standard to the configure scripts of most software, determines where Nmap and its components are installed. By default, the prefix is /usr/local, meaning that nmap is installed in /usr/local/bin, the man page (nmap.1) is installed in /usr/local/man/man1, and the data files (nmap-os-db, nmap-services, nmap-service-probes, etc.) are installed under /usr/local/share/nmap. If you only wish to change the path of certain components, use the options --bindir, --datadir, and/or --mandir. An example usage of --prefix would be to install Nmap in my account as an unprivileged user. I would run ./configure --prefix= (with my home directory as the prefix). Nmap creates subdirectories like /home/fyodor/man/man1 in the install stage if they do not already exist.

--without-zenmap
    This option prevents the Zenmap graphical frontend from being installed. Normally the build system checks your system for requirements such as the Python scripting language and then installs Zenmap if they are all available.

--with-openssl=
    The version detection system and Nmap Scripting Engine are able to probe SSL-encrypted services using the free OpenSSL libraries. Normally the Nmap build system looks for these libraries on your system and includes this capability if they are found. If they are in a location your compiler does not search by default, but you still want them to be used, specify --with-openssl=. Nmap then looks in /libs for the OpenSSL libraries themselves and /include for the necessary header files. Specify --without-openssl to disable SSL entirely.

    Some distributions ship with user OpenSSL libraries that allow running programs, but not the developer files needed to compile them. Without these developer packages, Nmap will not have OpenSSL support. On Debian-based systems, install the libssl-dev package. On Red Hat-based systems, install openssl-devel.

--with-libpcap=
    Nmap uses the Libpcap library for capturing raw IP packets. Nmap normally looks for an existing copy of Libpcap on your system and uses that if the version number and platform are appropriate. Otherwise Nmap includes its own recent copy of Libpcap, which has been modified for improved Linux functionality. The specific changes are described in libpcap/NMAP_MODIFICATIONS in the Nmap source directory. Because of these Linux-related changes, Nmap always uses its own Libpcap by default on that platform. If you wish to force Nmap to link with your own Libpcap, pass the option --with-libpcap= to configure. Nmap then expects the Libpcap library to be in /lib/libpcap.a and the include files to be in /include. Nmap will always use the version of Libpcap included in its tarball if you specify --with-libpcap=included.

--with-libpcre=
    PCRE is a Perl-compatible regular expression library available from http://www.pcre.org. Nmap normally looks for a copy on your system, and then falls back to its own copy if that fails. If your PCRE library is not in your compiler's standard search path, Nmap probably will not find it. In that case you can tell Nmap where it can be found by specifying the option --with-libpcre= to configure. Nmap then expects the library files to be in /lib and the include files to be in /include. In some cases, you may wish to use the PCRE libraries included with Nmap in preference to those already on your system. In that case, specify --with-libpcre=included.

--with-libdnet=
    Libdnet is an excellent networking library that Nmap uses for sending raw ethernet frames. The version in the Nmap tree is heavily modified (particularly the Windows code), so the default is to use that included version. If you wish to use a version already installed on your system instead, specify --with-libdnet=. Nmap then expects the library files to be in /lib and the include files to be in /include.

--with-localdirs
    This simple option tells Nmap to look in /usr/local/lib and /usr/local/include for important library and header files. This should never be necessary, except that some people put such libraries in /usr/local without configuring their compiler to find them. If you are one of those people, use this option.

Environment Variables

The configure script is sensitive to several environment variables. These are some of those variables and their effects.

CFLAGS, CXXFLAGS, LDFLAGS
    Extra options to pass to the C compiler, C++ compiler, and linker, respectively. Because parts of Nmap are written in C and others in C++, it is best to set both CFLAGS and CXXFLAGS if you are going to set one of them.

LINGUAS
    By default, make install will install all the available translations of the Nmap man page in addition to the English one. The LINGUAS environment variable controls which translations are installed. Its value should be a space-separated list of ISO language codes. For example, to install only the French and German translations, you might run LINGUAS="fr de" make install. To disable the installation of all translations, run configure with the --disable-nls option or set LINGUAS to the empty string.

If You Encounter Compilation Problems

In an ideal world, software would always compile perfectly (and quickly) on every system. Unfortunately, society has not yet reached that state of nirvana. Despite all our efforts to make Nmap portable, compilation issues occasionally arise. Here are some suggestions in case the source distribution compilation fails.
Upgrade to the latest Nmap
    Check http://nmap.org/download.html to make sure you are using the latest version of Nmap. The problem may have already been fixed.

Read the error message carefully
    Scroll up in the output and examine the error messages given when commands fail. It is often best to find the first error message, as that often causes a cascade of further errors. Read the error message carefully, as it could indicate a system problem such as low disk space or a broken compiler. Users with programming skills may be able to resolve a wider range of problems themselves. If you make code changes to fix the problem, please send a patch (created with diff -uw) and any details about your problem and platform to nmap-dev as described in the section called "Bugs". Integrating the change into the base Nmap distribution allows many other users to benefit, and prevents you from having to make the changes with each new Nmap version.

Ask Google and other Internet resources
    Try searching for the exact error message on Google or other search engines. You might also want to browse recent activity on the Nmap development (nmap-dev) list; archives and a search interface are available at http://seclists.org.

Ask nmap-dev
    If none of your research leads to a solution, try sending a report to the Nmap development (nmap-dev) mailing list, as described in the section called "Bugs".

Consider binary packages
    Binary packages of Nmap are available on most platforms and are usually easy to install. The downsides are that they may not be as up-to-date and you lose some of the flexibility of self-compilation. Later sections of this chapter describe how to find binary packages on many platforms, and even more are available via Internet searching. Obviously you should only install binary packages from reputable sources.
Windows

While Nmap was once a Unix-only tool, a Windows version was released in 2000 and has since become the second most popular Nmap platform (behind Linux). Because of this popularity and the fact that many Windows users do not have a compiler, binary executables are distributed for each major Nmap release. Nmap supports all versions of Windows since NT, including 2K, XP, Vista, Windows 7, and Server 2003/2008. While it has improved dramatically, the Windows port is not quite as efficient as on Unix. Here are the known limitations:

* You cannot generally scan your own machine from itself (using a loopback IP such as 127.0.0.1 or any of its registered IP addresses). This is a Windows limitation that we haven't yet worked around. If you really want to do this, use a TCP connect scan without pinging (-sT -Pn), as that uses the high-level socket API rather than sending raw packets.

* Nmap only supports ethernet interfaces (including most 802.11 wireless cards and many VPN clients) for raw packet scans.
  Unless you use the -sT -Pn options, RAS connections (such as PPP dialups) and certain VPN clients are not supported. This support was dropped when Microsoft removed raw TCP/IP socket support in Windows XP SP2. Now Nmap must send lower-level ethernet frames instead.

Scan speeds on Windows are generally comparable to those on Unix, though the latter often has a slight performance edge. One exception to this is connect scan (-sT), which is often much slower on Windows because of deficiencies in the Windows networking API. This is a shame, since that is the one TCP scan that works against localhost and over all networking types (not just ethernet, like the raw packet scans). Connect scan performance can be improved substantially by applying the Registry changes in the nmap_performance.reg file included with Nmap. By default these changes are applied for you by the Nmap executable installer. This registry file is in the nmap- directory of the Windows binary zip file, and nmap-/mswin32 in the source tarball (where is the version number of the specific release). These changes increase the number of ephemeral ports reserved for user applications (such as Nmap) and reduce the time delay before a closed connection can be reused. Most people simply check the box to apply these changes in the executable Nmap installer, but you can also apply them by double-clicking on nmap_performance.reg, or by running the command regedt32 nmap_performance.reg. To make the changes by hand, add these three Registry DWORD values to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters:

MaxUserPort
    Set a large value such as 65534 (0x0000fffe). See MS KB Q196271.

TCPTimedWaitDelay
    Set the minimum value (0x0000001e, i.e. 30 seconds). See MS KB Q149532.

StrictTimeWaitSeqCheck
    Set to 1 so that TCPTimedWaitDelay is honored.

Note that these are machine-wide TCP/IP settings, not Nmap-specific ones: every application on the host sees the larger ephemeral port range and the shorter TIME_WAIT.

I would like to thank Ryan Permeh of eEye, Andy Lutomirski, and Jens Vogt for their hard work on the Nmap Windows port.
For many years, Nmap was a Unix-only tool, and it would likely still be that way if not for their efforts.

Windows users have three choices for installing Nmap, all of which are available from the download page at http://nmap.org/download.html.

Windows 2000 Dependencies

Nmap supports Windows 2000, but a couple of dependencies from Microsoft must be installed first. Those are the Windows Installer 3.1 (v2) and the Security Update for Windows 2000 (KB835732). After installing these, follow the general instructions in the following two sections to install Nmap.

Windows Self-installer

Every Nmap release includes a Windows self-installer named nmap--setup.exe (where is the version number of the specific release). Most Nmap users choose this option since it is so easy. Another advantage of the self-installer is that it provides the option to install the Zenmap GUI and other tools. Simply run the installer file and let it walk you through panels for choosing an install path and installing WinPcap. The installer was created with the open-source Nullsoft Scriptable Install System. After it completes, read the section called "Executing Nmap on Windows" for instructions on executing Nmap on the command line or through Zenmap.

Command-line Zip Binaries

Most users prefer installing Nmap with the self-installer discussed previously. Every stable Nmap release also comes with Windows command-line binaries and associated files in a Zip archive. No graphical interface is included, so you need to run nmap.exe from a DOS/command window. Or you can download and install a superior command shell such as those included with the free Cygwin system available from http://www.cygwin.com. Here are the step-by-step instructions for installing and executing the Nmap .zip binaries.

Installing the Nmap zip binaries

1. Download the .zip binaries from http://nmap.org/download.html.

2. Uncompress the zip file into the directory you want Nmap to reside in. An example would be C:\Program Files.
   A directory called nmap- should be created, which includes the Nmap executable and data files. Microsoft Windows XP and Vista include zip extraction: just right-click on the file in Explorer. If you do not have a Zip decompression program, there is one (called unzip) in Cygwin described above, or you can download the open-source and free 7-Zip utility. Commercial alternatives are WinZip and PKZIP.

3. For improved performance, apply the Nmap Registry changes discussed previously.

4. Nmap requires the free WinPcap packet capture library. We build our own WinPcap installer, which is available in the zip file as winpcap-nmap-.exe, where is the WinPcap version rather than the Nmap version. Alternatively, you can obtain and install the latest version from http://www.winpcap.org. You must install version 4.0 or later.

5. Due to the way Nmap is compiled, it requires the Microsoft Visual C++ 2008 Redistributable Package of runtime components. Many systems already have this installed from other packages, but you should run vcredist_x86.exe from the zip file just in case you need it.

6. Instructions for executing Nmap are given in the section called "Executing Nmap on Windows".

Compile from Source Code

Most Windows users prefer to use the Nmap binary self-installer, but compilation from source code is an option, particularly if you plan to help with Nmap development. Compilation requires Microsoft Visual C++ 2008, which is part of their commercial Visual Studio suite. Any of the Visual Studio editions should work, including the free Visual C++ 2008 Express SP1.

Compiling Nmap on Windows from Source

1. Download the latest Nmap source distribution from http://nmap.org/download.html. It has the name nmap-.tar.bz2 or nmap-.tgz. Those are the same tar file compressed using bzip2 or gzip, respectively. The bzip2-compressed version is smaller.

2. Uncompress the source code file you just downloaded. Recent releases of the free Cygwin distribution can handle both the .tar.bz2 and .tgz formats.
   Use the command tar xvjf nmap-version.tar.bz2 or tar xvzf nmap-version.tgz, respectively. Alternatively, the common WinZip application can decompress these files.

3. Open Visual Studio and the Nmap solution file (nmap-/mswin32/nmap.sln).

4. Choose "Build Solution" from the "Build" menu. Nmap should begin compiling, and end with the line "-- Done --" saying that all projects built successfully and there were zero failures.

5. The executable and data files can be found in nmap-/mswin32/Release/. You can copy them to a preferred directory as long as they are all kept together.

6. Ensure that you have WinPcap installed. You can obtain it by installing our binary self-installer or executing winpcap-nmap-.exe from our zip package. Alternatively, you can obtain the official installer at http://www.winpcap.org.

7. Instructions for executing your compiled Nmap are given in the next section.

If you wish to build an Nmap executable Windows installer or Zenmap executable, see docs/win32-installer-zenmap-buildguide.txt in Nmap SVN (also available on the Nmap Web site).

Many people have asked whether Nmap can be compiled with the gcc/g++ included with Cygwin or other compilers. Some users have reported success with this, but we don't maintain instructions for building Nmap under Cygwin.

Executing Nmap on Windows

Nmap releases now include the Zenmap graphical user interface for Nmap. If you used the Nmap installer and left the Zenmap field checked, there should be a new Zenmap entry on your desktop and Start Menu. Click this to get started. Zenmap is fully documented in Chapter 12, Zenmap GUI Users' Guide. While many users love Zenmap, others prefer the traditional command-line approach to executing Nmap. Here are detailed instructions for users who are unfamiliar with command-line interfaces:

1. Make sure the user you are logged in as has administrative privileges on the computer (the user should be a member of the Administrators group).

2. Open a command/DOS window.
   Though it can be found in the program menu tree, the simplest approach is to choose "Start" -> "Run" and type cmd. Opening a Cygwin window (if you installed it) by clicking on the Cygwin icon on the desktop works too, although the necessary commands differ slightly from those shown here.

3. Change to the directory you installed Nmap into. Assuming you used the default path, type the following commands:

   c:
   cd "\Program Files\Nmap"

4. Execute nmap.exe. Figure 2.1 is a screen shot showing a simple example.

   Figure 2.1. Executing Nmap from a Windows command shell

If you execute Nmap frequently, you can add the Nmap directory (c:\Program Files\Nmap by default) to your command execution path. The exact place to set this varies by Windows platform. On my Windows XP box, I do the following:

1. From the desktop, right-click on My Computer and then click "Properties".

2. In the System Properties window, click the "Advanced" tab.

3. Click the "Environment Variables" button.

4. Choose Path from the System variables section, then click Edit.

5. Add a semicolon and then your Nmap directory (c:\Program Files\Nmap by default) to the end of the value.

6. Open a new DOS window and you should be able to execute a command such as nmap scanme.nmap.org from any directory.
Chapter 2. Obtaining, Compiling, Installing, and Removing Nmap

Table of Contents

* Testing Whether Nmap is Already Installed
* Command-line and Graphical Interfaces
* Downloading Nmap
* Verifying the Integrity of Nmap Downloads
* Obtaining Nmap from the Subversion (SVN) Repository
* Unix Compilation and Installation from Source Code
  * Configure Directives
  * Environment Variables
  * If You Encounter Compilation Problems
* Linux Distributions
  * RPM-based Distributions (Red Hat, Mandrake, SUSE, Fedora)
  * Updating Red Hat, Fedora, Mandrake, and Yellow Dog Linux with Yum
  * Debian Linux and Derivatives such as Ubuntu
  * Other Linux Distributions
* Windows
  * Windows 2000 Dependencies
  * Windows Self-installer
  * Command-line Zip Binaries
  * Compile from Source Code
  * Executing Nmap on Windows
* Sun Solaris
* Apple Mac OS X
  * Executable Installer
  * Compile Nmap from source code
  * Compile Zenmap from source code
  * Third-party Packages
  * Executing Nmap on Mac OS X
* FreeBSD / OpenBSD / NetBSD
  * OpenBSD Binary Packages and Source Ports Instructions
  * FreeBSD Binary Package and Source Ports Instructions
  * NetBSD Binary Package Instructions
* Amiga, HP-UX, IRIX, and Other Platforms
* Removing Nmap

Nmap can often be installed or upgraded with a single command, so don't let the length of this chapter scare you. Most readers will use the table of contents to skip directly to sections that concern them. This chapter describes how to install Nmap on many platforms, including both source code compilation and binary installation methods.
Graphical and command-line versions of Nmap are described and contrasted. Nmap removal instructions are also provided in case you change your mind.

Testing Whether Nmap is Already Installed

The first step toward obtaining Nmap is to check whether you already have it. Many free operating system distributions (including most Linux and BSD systems) come with Nmap packages, although they may not be installed by default. On Unix systems, open a terminal window and try executing the command nmap --version. If Nmap exists and is in your PATH, you should see output similar to that in Example 2.1.

Example 2.1. Checking for Nmap and determining its version number

   felix~>nmap --version
   Nmap version 4.76 ( http://nmap.org )
   felix~>

If Nmap does not exist on the system (or if your PATH is incorrectly set), an error message such as nmap: Command not found is reported. As the example above shows, Nmap responds to the command by printing its version number (here 4.76). Even if your system already has a copy of Nmap, you should consider upgrading to the latest version available from http://nmap.org/download.html. Newer versions often run faster, fix important bugs, and feature updated operating system and service version detection databases. A list of changes since the version already on your system can be found at http://nmap.org/changelog.html.

Command-line and Graphical Interfaces

Nmap has traditionally been a command-line tool run from a Unix shell or (more recently) a Windows command prompt. This allows experts to quickly execute a command that does exactly what they want without having to maneuver through a bunch of configuration panels and scattered option fields. This also makes Nmap easier to script and enables easy sharing of useful commands among the user community. One downside of the command-line approach is that it can be intimidating for new and infrequent users.
Nmap offers more than a hundred command-line options, although many are obscure features or debugging controls that most users can ignore. Many graphical frontends have been created for those users who prefer a GUI. Nmap has traditionally included a simple GUI for Unix named NmapFE, but that was replaced in 2007 by Zenmap, which we have been developing since 2005. Zenmap is far more powerful and effective than NmapFE, particularly in results viewing. Zenmap's tab-based interface lets you search and sort results, and also browse them in several ways (host details, raw Nmap output, and ports/hosts). It works on Linux, Windows, Mac OS X, and other platforms. Zenmap is covered in depth in Chapter 12, Zenmap GUI Users' Guide. The rest of this book focuses on command-line Nmap invocations. Once you understand how the command-line options work and can interpret the output, using Zenmap or the other available Nmap GUIs is easy. Nmap's options work the same way whether you choose them from radio buttons and menus or type them at a command line.

Downloading Nmap

Nmap.Org is the official source for downloading Nmap source code and binaries for Nmap and Zenmap. Source code is distributed in bzip2 and gzip compressed tar files, and binaries are available for Linux (RPM format), Windows (NSIS executable installer) and Mac OS X (.dmg disk image). Find all of this at http://nmap.org/download.html.

Verifying the Integrity of Nmap Downloads

It often pays to be paranoid about the integrity of files downloaded from the Internet. Popular packages such as Sendmail, OpenSSH, tcpdump, Libpcap, BitchX, Fragrouter, and many others have been infected with malicious trojans. Software distribution sites at the Free Software Foundation, Debian, and SourceForge have also been successfully compromised. This has never happened to Nmap, but one should always be careful.
To verify the authenticity of an Nmap release, consult the PGP detached signatures or cryptographic hashes (including SHA1 and MD5) posted for the release in the Nmap signatures directory at http://nmap.org/dist/sigs/?C=M&O=D. The most secure verification mechanism is detached PGP signatures. As the signing key is never stored on production servers, even someone who successfully compromises the web server couldn't forge and properly sign a trojan release. While numerous applications are able to verify PGP signatures, I recommend GNU Privacy Guard (GPG). Nmap releases are signed with a special Nmap Project Signing Key, which can be obtained from the major keyservers or http://nmap.org/data/nmap_gpgkeys.txt. My key is included in that file too. The keys can be imported with the command gpg --import nmap_gpgkeys.txt. You only need to do this once, then you can verify all future Nmap releases from that machine. Before trusting the keys, verify that the fingerprints match the values shown in Example 2.2. This step matters: a "Good signature" from gpg only proves that the file was signed by some key in your keyring, and it is the fingerprint check that ties that key to the Nmap project.

Example 2.2. Verifying the Nmap and Fyodor PGP Key Fingerprints

   flog~> gpg --fingerprint nmap fyodor
   pub   1024D/33599B5F 2005-04-24
         Key fingerprint = BB61 D057 C0D7 DCEF E730  996C 1AF6 EC50 3359 9B5F
   uid   Fyodor
   sub   2048g/D3C2241C 2005-04-24

   pub   1024D/6B9355D0 2005-04-24
         Key fingerprint = 436D 66AB 9A79 8425 FDA0  E3F8 01AF 9F03 6B93 55D0
   uid   Nmap Project Signing Key (http://insecure.org/)
   sub   2048g/A50A6A94 2005-04-24

For every Nmap package download file (e.g. nmap-4.76.tar.bz2 and nmap-4.76-win32.zip), there is a corresponding file in the sigs directory with .asc appended to the name (e.g. nmap-4.76.tar.bz2.asc). This is the detached signature file. With the proper PGP key in your keyring and the detached signature file downloaded, verifying an Nmap release takes a single GPG command, as shown in Example 2.3. That example assumes that the verified file can be found in the same directory by simply removing ".asc" from the signature filename.
When that isn't the case, simply pass the target filename as the final argument to GPG. If the file has been tampered with, the results will look like Example 2.4.

Example 2.3. Verifying an Nmap release signature (successful)

   flog> gpg --verify nmap-4.76.tar.bz2.asc
   gpg: Signature made Fri 12 Sep 2008 02:03:59 AM PDT using DSA key ID 6B9355D0
   gpg: Good signature from "Nmap Project Signing Key (http://www.insecure.org/)"

Example 2.4. Detecting a bogus file

   flog> gpg --verify nmap-4.76.tar.bz2.asc nmap-4.76-hacked.tar.bz2
   gpg: BAD signature from "Nmap Project Signing Key (http://www.insecure.org/)"

While PGP signatures are the recommended validation technique, SHA2, SHA1, and MD5 (among other) hashes are made available for more casual validation. If you do rely on the hashes, compare the SHA-2 entries: MD5 and SHA-1 are no longer collision resistant. An attacker who can manipulate your Internet traffic in real time (and is extremely skilled), or who compromises Nmap.Org and replaces both the distribution file and the digest file, could defeat this test. However, it can be useful to check the authoritative Nmap.Org hashes if you obtain Nmap from a third party or feel it might have been accidentally corrupted. For every Nmap package download file, there is a corresponding file in the sigs directory with .digest.txt appended to the name (e.g. nmap-4.76.tar.bz2.digest.txt). An example is shown in Example 2.5. The hashes from the digest file can be verified using common tools such as gpg, sha1sum, or md5sum, as shown in Example 2.6, "Verifying Nmap hashes".

Example 2.5.
A typical Nmap release digest file

   flog> cat sigs/nmap-4.76.tgz.digest.txt
   nmap-4.76.tgz: MD5 = 54 B5 C9 E3 F4 4C 1A DD E1 7D F6 81 70 EB 7C FE
   nmap-4.76.tgz: SHA1 = 4374 CF9C A882 2C28 5DE9 D00E 8F67 06D0 BCFA A403
   nmap-4.76.tgz: RMD160 = AE7B 80EF 4CE6 DBAA 6E65 76F9 CA38 4A22 3B89 BD3A
   nmap-4.76.tgz: SHA224 = 524D479E 717D98D0 2FB0A42B 9A4E6E52 4027C9B6 1D843F95 D419F87F
   nmap-4.76.tgz: SHA256 = 0E960E05 53EB7647 0C8517A0 038092A3 969DB65C BE23C03F D6DAEF1A CDCC9658
   nmap-4.76.tgz: SHA384 = D52917FD 9EE6EE62 F5F456BF E245675D B6EEEBC5 0A287B27 3CAA4F50 B171DC23 FE7808A8 C5E3A49A 4A78ACBE A5AEED33
   nmap-4.76.tgz: SHA512 = 826CD89F 7930A765 C9FE9B41 1DAFD113 2C883857 2A3A9503 E4C1E690 20A37FC8 37564DC3 45FF0C97 EF45ABE6 6CEA49FF E262B403 A52F4ECE C23333A0 48DEDA66

Example 2.6. Verifying Nmap hashes

   flog> gpg --print-md sha256 nmap-4.76.tgz
   nmap-4.76.tgz: 0E960E05 53EB7647 0C8517A0 038092A3 969DB65C BE23C03F D6DAEF1A CDCC9658
   flog> sha1sum nmap-4.76.tgz
   4374cf9ca8822c285de9d00e8f6706d0bcfaa403  nmap-4.76.tgz
   flog> md5sum nmap-4.76.tgz
   54b5c9e3f44c1adde17df68170eb7cfe  nmap-4.76.tgz

Note that gpg --print-md reproduces the digest file's grouped uppercase layout, while sha1sum and md5sum print one lowercase string; when comparing, ignore case and spacing.

While releases from Nmap.Org are signed as described in this section, certain Nmap add-ons, interfaces, and platform-specific binaries are developed and distributed by other parties. They have different mechanisms for establishing the authenticity of their downloads.

Obtaining Nmap from the Subversion (SVN) Repository

In addition to regular stable and development releases, the latest Nmap source code is always available using the Subversion (SVN) revision control system. This delivers new features and version/OS detection database updates immediately as they are developed. The downside is that SVN head revisions aren't always as stable as official releases. So SVN is most useful for Nmap developers and users who need a fix which hasn't yet been formally released. SVN write access is strictly limited to top Nmap developers, but everyone has read access to the repository.
Check out the latest code using the command:

   svn co --username guest --password "" svn://svn.insecure.org/nmap/

Then you can later update your source code by typing svn up in your working directory. The "guest" username is required due to an svnserve authorization bug. While most users only follow the /nmap directory in svn (which pulls in /nbase, /nsock, and /zenmap on its own), there is one other interesting directory: /nmap-exp. This directory contains experimental Nmap branches which Nmap developers create when they wish to try new things without destabilizing Nmap proper. When developers feel that an experimental branch is ready for wider-scale testing, they will generally email the location to the nmap-dev mailing list. Once Nmap is checked out, you can build it from source code just as you would with the Nmap tarball (described later in this chapter). If you would like real-time (or digested) notification and diffs by email when any changes are made to Nmap, sign up for the nmap-svn mailing list at http://cgi.insecure.org/mailman/listinfo/nmap-svn.
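Before moving on, here are the signature and digest checks from "Verifying the Integrity of Nmap Downloads" above scripted as an added example; it is not from the book or the Nmap project. It parses the .digest.txt layout shown in Example 2.5 (uppercase, space-grouped hex, which sha256sum -c cannot consume directly), compares it with a locally computed SHA-256, wraps gpg --verify, and checks the imported signing key's fingerprint against the value printed in Example 2.2. The function names, the constructed sample release nmap-0.0.tgz (whose contents are the string abc) and its digest lines are assumptions; gpg is assumed to be on PATH for the two signature functions, which the offline demo does not call.

```shell
#!/bin/sh
# Added example, not part of the Nmap book or project: checking a download
# against its .digest.txt file and its detached PGP signature. Function
# names and the sample file below are assumptions for illustration.
set -eu

# Fingerprint of the Nmap Project Signing Key as printed in Example 2.2.
NMAP_SIGNING_KEY_FP='436D 66AB 9A79 8425 FDA0 E3F8 01AF 9F03 6B93 55D0'

# Collapse a fingerprint or hash to one lowercase hex string so that
# "0E960E05 53EB7647 ..." and "0e960e0553eb7647..." compare equal.
normalize_hex() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'A-F' 'a-f'
}

# SHA-256 of file $1 with whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Print the SHA256 entry for file name $2 from digest file $1. Lines look
# like "nmap-4.76.tgz: SHA256 = 0E960E05 53EB7647 ..." (Example 2.5).
expected_sha256() {
    awk -v name="$2" '$1 == name ":" && $2 == "SHA256" {
        $1 = ""; $2 = ""; $3 = ""; print
    }' "$1"
}

# 0 when the SHA-256 of release file $2 matches digest file $1, else 1.
verify_digest() {
    want=$(normalize_hex "$(expected_sha256 "$1" "$(basename "$2")")")
    if [ -z "$want" ]; then
        echo "no SHA256 entry for $(basename "$2") in $1" >&2
        return 1
    fi
    got=$(normalize_hex "$(sha256_of "$2")")
    [ "$want" = "$got" ]
}

# The stronger check: the detached .asc signature ($1) over release $2.
# gpg exits non-zero on a BAD signature, so this works directly in scripts.
verify_signature() {
    gpg --batch --verify "$1" "$2"
}

# A good signature only proves the file was signed by a key in your
# keyring; this ties the key (id 6B9355D0 from Example 2.2) to the
# fingerprint published for the project.
signing_key_fingerprint_ok() {
    got=$(gpg --batch --with-colons --fingerprint 6B9355D0 |
          awk -F: '$1 == "fpr" { print $10; exit }')
    [ "$(normalize_hex "$got")" = "$(normalize_hex "$NMAP_SIGNING_KEY_FP")" ]
}

# Offline demo on a constructed sample: a fake release whose contents are
# the string "abc" and a digest file in the same layout as a real
# nmap-*.digest.txt (the MD5 line is there to show it is skipped).
demo() {
    dir=$(mktemp -d)
    printf 'abc' > "$dir/nmap-0.0.tgz"
    cat > "$dir/nmap-0.0.tgz.digest.txt" <<'EOF'
nmap-0.0.tgz: MD5 = 90 01 50 98 3C D2 4F B0 D6 96 3F 7D 28 E1 7F 72
nmap-0.0.tgz: SHA256 = BA7816BF 8F01CFEA 414140DE 5DAE2223 B00361A3 96177A9C B410FF61 F20015AD
EOF
    if verify_digest "$dir/nmap-0.0.tgz.digest.txt" "$dir/nmap-0.0.tgz"; then
        echo 'digest OK'
    else
        echo 'digest MISMATCH'
    fi
    printf 'abd' > "$dir/nmap-0.0.tgz"      # simulate a tampered download
    if verify_digest "$dir/nmap-0.0.tgz.digest.txt" "$dir/nmap-0.0.tgz"; then
        echo 'digest OK'
    else
        echo 'digest MISMATCH'
    fi
    rm -rf "$dir"
}

demo
```

For a real release the order is: import the keys, run signing_key_fingerprint_ok once, then verify_signature nmap-4.76.tar.bz2.asc nmap-4.76.tar.bz2; verify_digest is the fallback for files obtained from a mirror or third party, as the text above explains.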
Chapter 1. Getting Started with Nmap

Nmap (“Network Mapper”) is a free and open source utility for network exploration and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and both console and graphical versions are available. This chapter uses fictional stories to provide a broad overview of Nmap and how it is typically used. An important legal section helps users avoid (or at least be aware of) controversial usage that could lead to ISP account cancellation or even civil and criminal charges. It also discusses the risks of crashing remote machines as well as miscellaneous issues such as the Nmap license (GNU GPL), and copyright.
Legal Issues

When used properly, Nmap helps protect your network from invaders. But when used improperly, Nmap can (in rare cases) get you sued, fired, expelled, jailed, or banned by your ISP. Reduce your risk by reading this legal guide before launching Nmap.

Is Unauthorized Port Scanning a Crime?

The legal ramifications of scanning networks with Nmap are complex and so controversial that third-party organizations have even printed T-shirts and bumper stickers promulgating opinions on the matter^[7], as shown in Figure 1.3. The topic also draws many passionate but often unproductive debates and flame wars. If you ever participate in such discussions, try to avoid the overused and ill-fitting analogies to knocking on someone's home door or testing whether his door and windows are locked.

Figure 1.3. Strong opinions on port scanning legality and morality

While I agree with the sentiment that port scanning should not be illegal, it is rarely wise to take legal advice from a T-shirt. Indeed, taking it from a software engineer and author is only slightly better. Speak to a competent lawyer within your jurisdiction for a better understanding of how the law applies to your particular situation.
With that important disclaimer out of the way, here is some general information that may prove helpful. The best way to avoid controversy when using Nmap is to always secure written authorization from the target network representatives before initiating any scanning. There is still a chance that your ISP will give you trouble if they notice it (or if the target administrators accidentally send them an abuse report), but this is usually easy to resolve. When you are performing a penetration test, this authorization should be in the Statement of Work. When testing your own company, make certain that this activity clearly falls within your job description. Security consultants should be familiar with the excellent Open Source Security Testing Methodology Manual (OSSTMM), which provides best practices for these situations. While civil and (especially) criminal court cases are the nightmare scenario for Nmap users, these are very rare. After all, no United States federal laws explicitly make port scanning illegal. A much more frequent occurrence is that the target network will notice a scan and send a complaint to the network service provider where the scan initiated (your ISP). Most network administrators do not seem to care or notice the many scans bouncing off their networks daily, but a few complain. The scan source ISP may track down the user corresponding to the reported IP address and time, then chide the user or even kick them off the service. Port scanning without authorization is sometimes against the provider's acceptable use policy (AUP). For example, the AUP for the huge cable-modem ISP Comcast says: Network probing or port scanning tools are only permitted when used in conjunction with a residential home network, or if explicitly authorized by the destination host and/or network. Unauthorized port scanning, for any reason, is strictly prohibited. 
Even if an ISP does not explicitly ban unauthorized port scanning, they might claim that some “anti-hacking” provision applies. Of course this does not make port scanning illegal. Many perfectly legal and (in the United States) constitutionally protected activities are banned by ISPs. For example, the AUP quoted above also prohibits users from transmitting, storing, or posting “any information or material which a reasonable person could deem to be objectionable, offensive, indecent, pornographic, ... embarrassing, distressing, vulgar, hateful, racially or ethnically offensive, or otherwise inappropriate, regardless of whether this material or its dissemination is unlawful”. In other words, some ISPs ban any behavior that could possibly offend or annoy someone^[8]. Indiscriminate scanning of other people's networks/computers does have that potential. If you decide to perform such controversial scanning anyway, never do it from work, school, or any other service provider that has substantial control over your well-being. Use a dialup or commercial broadband provider instead. Losing your DSL connection and having to change providers is a slight nuisance, but it is immeasurably preferable to being expelled or fired. While legal cases involving port scanning (without follow-up hacking attacks) are rare, they do happen. One of the most notable cases involved a man named Scott Moulton who had an ongoing consulting contract to maintain the Cherokee County, Georgia emergency 911 system. In December 1999, he was tasked with setting up a router connecting the Canton, Georgia Police Department with the E911 Center. Concerned that this might jeopardize the E911 Center security, Scott initiated some preliminary port scanning of the networks involved. In the process he scanned a Cherokee County web server that was owned and maintained by a competing consulting firm named VC3.
They noticed the scan and emailed Scott, who replied that he worked for the 911 Center and was testing security. VC3 then reported the activity to the police. Scott lost his E911 maintenance contract and was arrested for allegedly violating the Computer Fraud and Abuse Act of America Section 1030(a)(5)(B). This act applies against anyone who “intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage” (and meets other requirements). The damage claimed by VC3 involved time spent investigating the port scan and related activity. Scott sued VC3 for defamation, and VC3 countersued for violation of the Computer Fraud and Abuse Act as well as the Georgia Computer Systems Protection Act. The civil case against Scott was dismissed before trial, implying a complete lack of merit. The ruling made many Nmap users smile:

“Court holds that plaintiff's act of conducting an unauthorized port scan and throughput test of defendant's servers does not constitute a violation of either the Georgia Computer Systems Protection Act or the Computer Fraud and Abuse Act.”
Civ. Act. No. 1:00-CV-434-TWT (N.D. Ga. November 6, 2000)

This was an exciting victory in the civil case, but Scott still had the criminal charges hanging over his head. Fortunately he kept his spirits high, sending the following note to the nmap-hackers mailing list:

I am proud that I could be of some benefit to the computer society in defending and protecting the rights of specialists in the computer field, however it is EXTREMELY costly to support such an effort, of which I am not happy about. But I will continue to fight and prove that there is nothing illegal about port scanning especially when I was just doing my job.

Eventually, the criminal court came to the same conclusion and all charges were dropped. While Scott was vindicated in the end, he suffered six-figure legal bills and endured stressful years battling through the court system.
The silver lining is that after spending so much time educating his lawyers about the technical issues involved, Scott started a successful forensics services company. While the Moulton case sets a good example (if not legal precedent), different courts or situations could still lead to worse outcomes. Remember that many states have their own computer abuse laws, some of which can arguably make even pinging a remote machine without authorization illegal^[9]. Laws in other nations obviously differ as well. For example, a 17-year-old youth was convicted in Finland of attempted computer intrusion for simply port scanning a bank. He was fined to cover the target's investigation expenses. The Moulton ruling might have differed if the VC3 machine had actually crashed and they were able to justify the $5,000 damage figure required by the act. At the other extreme, an Israeli judge acquitted Avi Mizrahi in early 2004 for vulnerability scanning the Mossad secret service. Judge Abraham Tennenbaum even praised Avi as follows:

In a way, Internet surfers who check the vulnerabilities of Web sites are acting in the public good. If their intentions are not malicious and they do not cause any damage, they should even be praised.

In 2007 and 2008, broad new cybercrime laws took effect in Germany and England. These laws are meant to ban the distribution, use, and even possession of “hacking tools”. For example, the UK amendment to the Computer Misuse Act makes it illegal to “supply or offer to supply, believing that it is likely to be used to commit, or to assist in the commission of [a Computer Misuse Act violation]”. These laws have already led some security tool authors to close shop or move their projects to other countries. The problem is that most security tools can be used by both ethical professionals (white-hats) to defend their networks and black-hats to attack. These dangerous laws are based on the tool author or user's intent, which is subjective and hard to divine.
Nmap was designed to help secure the Internet, but I'd hate to be arrested and forced to defend my intentions to a judge and jury. These laws are unlikely to affect tools as widespread and popular as Nmap, but they have had a chilling effect on smaller tools and those which are more commonly abused by computer criminals (such as exploitation frameworks). Regardless of the legal status of port scanning, ISP accounts will continue to be terminated if many complaints are generated. The best way to avoid ISP abuse reports or civil/criminal charges is to avoid annoying the target network administrators in the first place. Here are some practical suggestions:

* Probably at least 90% of network scanning is non-controversial. You are rarely badgered for scanning your own machine or the networks you administer. The controversy comes when scanning other networks. There are many reasons (good and bad) for doing this sort of network exploration. Perhaps you are scanning the other systems in your dorm or department to look for publicly shared files (FTP, SMB, WWW, etc.). Or maybe you are just trying to find the IP of a certain printer. You might have scanned your favorite web site to see if they are offering any other services, or because you were curious what OS they run. Perhaps you are just trying to test connectivity, or maybe you wanted to do a quick security sanity check before handing off your credit card details to that e-commerce company. You might be conducting Internet research. Or are you performing initial reconnaissance in preparation for a break-in attempt? The remote administrators rarely know your true intentions, and do sometimes get suspicious. The best approach is to get permission first. I have seen a few people with non-administrative roles land in hot water after deciding to “prove” network insecurity by launching an intrusive scan of the entire company or campus.
Administrators tend to be more cooperative when asked in advance than when woken up at 3AM by an IDS alarm claiming they are under massive attack. So whenever possible, obtain written authorization before scanning a network. Adrian Lamo would probably have avoided jail if he had asked the New York Times to test their security rather than telling reporters about the flaws afterward. Unfortunately they would likely have said no. Be prepared for this answer.

* Target your scan as tightly as possible. Any machine connected to the Internet is scanned regularly enough that most administrators ignore such Internet white noise. But scanning enough networks or executing very noisy/intrusive scans increases the probability of generating complaints. So if you are only looking for web servers, specify -p80 rather than scanning all 65,536 TCP ports on each machine. If you are only trying to find available hosts, do an Nmap ping scan rather than full port scan. Do not scan a CIDR /16 (65K hosts) when a /24 netblock suffices. The random scan mode now takes an argument specifying the number of hosts, rather than running forever. So consider -iR 1000 rather than -iR 10000 if the former is sufficient. Use the default timing (or even -T polite) rather than -T insane. Avoid noisy and relatively intrusive scans such as version detection (-sV). Similarly, a SYN scan (-sS) is quieter than a connect scan (-sT) while providing the same information and often being faster.

* As noted previously, do not do anything controversial from your work or school connections. Even though your intentions may be good, you have too much to lose if someone in power (e.g. boss, dean) decides you are a malicious cracker. Do you really want to explain your actions to someone who may not even understand the terms packet or port scanner? Spend $40 a month for a dialup, shell, or residential broadband account.
Not only are the repercussions less severe if you offend someone from such an account, but target network administrators are less likely to even bother complaining to mass-market providers. Also read the relevant AUP and choose a provider accordingly. If your provider (like Comcast discussed above) bans any unauthorized port scanning and posting of “offensive” material, do not be surprised if you are kicked off for this activity. In general, the more you pay to a service provider the more accommodating they are. A T1 provider is highly unlikely to yank your connection without notice because someone reported being port scanned. A dialup or residential DSL/cable provider very well might. This can happen even when the scan was forged by someone else.

* Nmap offers many options for stealthy scans, including source-IP spoofing, decoy scanning, and the more recent idle scan technique. These are discussed in the IDS evasion chapter. But remember that there is always a trade-off. You are harder to find if you launch scans from an open WAP far from your house, with 17 decoys, while doing subsequent probes through a chain of nine open proxies. But if anyone does track you down, they will be mighty suspicious of your intentions.

* Always have a legitimate reason for performing scans. An offended administrator might write to you first (or your ISP might forward his complaint to you) expecting some sort of justification for the activity. In the Scott Moulton case discussed above, VC3 first emailed Scott to ask what was going on. If they had been satisfied with his answer, matters might have stopped there rather than escalating into civil and criminal litigation. Groups scanning large portions of the Internet for research purposes often use a reverse-DNS name that describes their project and run a web server with detailed information and opt-out forms. Also remember that ancillary and subsequent actions are often used as evidence of intent.
A port scan by itself does not always signify an attack. A port scan followed closely by an IIS exploit, however, broadcasts the intention loud and clear. This is important because decisions to prosecute (or fire, expel, complain, etc.) are often based on the whole event and not just one component (such as a port scan). One dramatic case involved a Canadian man named Walter Nowakowski, who was apparently the first person to be charged in Canada with theft of communications (Canadian Criminal Code Section S.342.1) for accessing the Internet through someone's unsecured Wi-Fi network. Thousands of Canadian “war drivers” do this every day, so why was he singled out? Because of ancillary actions and intent. He was allegedly caught driving the wrong way on a one-way street, naked from the waist down, with laptop in hand, while downloading child pornography through the aforementioned unsecured wireless access point. The police apparently considered his activity egregious enough that they brainstormed for relevant charges and tacked on theft of communications to the many child pornography-related charges. Similarly, charges involving port scanning are usually reserved for the most egregious cases. Even when paranoid administrators notify the police that they have been scanned, prosecution (or any further action) is exceedingly rare. The fact that a 911 emergency service was involved is likely what motivated prosecutors in the Moulton case. Your author has scanned hundreds of thousands of Internet hosts while writing this book and received no complaints.

To summarize this whole section, the question of whether port scanning is legal does not have a simple answer. I cannot unequivocally say “port scanning is never a crime”, as much as I would like to. Laws differ dramatically between jurisdictions, and cases hinge on their particular details. Even when facts are nearly identical, different judges and prosecutors do not always interpret them the same way.
I can only urge caution and reiterate the suggestions above. For testing purposes, you have permission to scan the host scanme.nmap.org. You may have noticed that it was used in several examples already. Note that this permission only includes scanning via Nmap and not testing exploits or denial of service attacks. To conserve bandwidth, please do not initiate more than a dozen scans against that host per day. If this free scanning target service is abused, it will be taken down and Nmap will report Failed to resolve given hostname/IP: scanme.nmap.org.

Can Port Scanning Crash the Target Computer/Networks?

Nmap does not have any features designed to crash target networks. It usually tries to tread lightly. For example, Nmap detects dropped packets and slows down when they occur in order to avoid overloading the network. Nmap also does not send any corrupt packets. The IP, TCP, UDP, and ICMP headers are always appropriate, though the destination host is not necessarily expecting the packets. For these reasons, no application, host, or network component should ever crash based on an Nmap scan. If they do, that is a bug in the system which should be repaired by the vendor. Reports of systems being crashed by Nmap are rare, but they do happen. Many of these systems were probably unstable in the first place and Nmap either pushed them over the top or they crashed at the same time as an Nmap scan by pure coincidence. In other cases, poorly written applications, TCP/IP stacks, and even operating systems have been demonstrated to crash reproducibly given a certain Nmap command. These are usually older legacy devices, as newer equipment is rarely released with these problems. Smart companies use Nmap and many other common network tools to test devices prior to shipment. Those who omit such pre-release testing often find out about the problem in early beta tests when a box is first deployed on the Internet.
It rarely takes long for a given IP to be scanned as part of Internet white noise. Keeping systems and devices up-to-date with the latest vendor patches and firmware should reduce the susceptibility of your machines to these problems, while also improving the security and usability of your network. In many cases, finding that a machine crashes from a certain scan is valuable information. After all, attackers can do anything Nmap can do by using Nmap itself or their own custom scripts. Devices should not crash from being scanned and if they do, vendors should be pressured to provide a patch. In some usage scenarios, detecting fragile machines by crashing them is undesirable. In those cases you may want to perform very light scanning to reduce the risk of adverse effects. Here are a few suggestions:

* Use SYN scan (-sS) instead of connect scan (-sT). User-mode applications such as web servers can rarely even detect the former because it is all handled in kernel space (some older Linux kernels are an exception) and thus the services have no excuse to crash.

* Version scanning (-sV) risks crashing poorly written applications. Similarly, some pathetic operating systems have been reported to crash when OS fingerprinted (-O). Omit these options for particularly sensitive environments or where you do not need the results.

* Using -T2 or slower (-T1, -T0) timing modes can reduce the chances that a port scan will harm a system, though they slow your scan dramatically. Older Linux boxes had an identd daemon that would block services temporarily if they were accessed too frequently. This could happen in a port scan, as well as during legitimate high-load situations. Slower timing might help here. These slow timing modes should only be used as a last resort as they can slow scans by an order of magnitude or more.

* Limit the number of ports and machines scanned to the fewest that are required.
Every machine scanned has a minuscule chance of crashing, and so cutting the number of machines down improves your odds. Reducing the number of ports scanned reduces the risks to end hosts as well as network devices. Many NAT/firewall devices keep a state entry for every port probe. Most of them expire old entries when the table fills up, but occasional (pathetic) implementations crash instead. Reducing the ports/hosts scanned reduces the number of state entries and thus might help those sorry devices stay up.

Nmap Copyright

While Nmap is open source, it still has a copyright license that must be respected. As free software, Nmap also carries no warranty. These issues are covered in much greater detail in the section called “Legal Notices”. Companies wishing to bundle and use Nmap within proprietary software and appliances are especially encouraged to read this section so they don't inadvertently violate the Nmap license. Fortunately the Nmap Project sells commercial redistribution licenses for companies which need one.
^[7] These are from the now-defunct AmericanSushi.Com.

^[8] The Comcast AUP was improved after this was first published. The latest version is available at http://www.comcast.net/terms/use/

^[9] An excellent paper on this topic by lawyer Ethan Preston is available at http://grove.ufl.edu/~techlaw/vol6/issue1/preston.html. He has also written an excellent paper relating to the legal risks of publishing security information and exploits at http://www.mcandl.com/computer-security.html.
Chapter 15. Nmap Reference Guide

Author

Gordon “Fyodor” Lyon (http://insecure.org)

Hundreds of people have made valuable contributions to Nmap over the years. These are detailed in the CHANGELOG file which is distributed with Nmap and also available from http://nmap.org/changelog.html.

Nmap Book

While this reference guide details all material Nmap options, it can't fully demonstrate how to apply those features to quickly solve real-world tasks. For that, we released Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Topics include subverting firewalls and intrusion detection systems, optimizing Nmap performance, and automating common networking tasks with the Nmap Scripting Engine.
Hints and instructions are provided for common Nmap tasks such as taking network inventory, penetration testing, detecting rogue wireless access points, and quashing network worm outbreaks. Examples and diagrams show actual communication on the wire. More than half of the book is available free online. See http://nmap.org/book for more information.

Options Summary

This options summary is printed when Nmap is run with no arguments, and the latest version is always available at http://nmap.org/data/nmap.usage.txt. It helps people remember the most common options, but is no substitute for the in-depth documentation in the rest of this manual. Some obscure options aren't even included here.

Nmap 5.30BETA1 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take
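The -p example in the summary above (-p U:53,111,137,T:21-25,80,139,8080,S:9) and the "target your scan as tightly as possible" advice in the legal section both turn on how much a port specification actually covers. The following parser, added here as an illustration and not part of Nmap, expands a -p argument into per-protocol port sets and reports the per-host and total probe count, which is the number a reviewer wants when deciding whether a planned scan's scope matches its written authorization. It assumes the syntax visible in the example (comma-separated ports and ranges, sticky T:/U:/S: qualifiers, and the bare "-" shorthand for 1-65535); named ports and wildcards are not handled.

```python
from collections import defaultdict

MAX_PORT = 65535
# Protocol qualifiers accepted by -p: T (TCP), U (UDP), S (SCTP), P (IP protocols).
PROTOCOLS = {"T": "tcp", "U": "udp", "S": "sctp", "P": "proto"}


def parse_port_spec(spec, default="T"):
    """Expand an Nmap -p specification into {protocol: sorted port list}.

    A qualifier such as U: applies to every following item until another
    qualifier appears; items before any qualifier use the default protocol.
    Inclusive ranges are written lo-hi, with an omitted side meaning 1 or
    65535, and a bare '-' means every port.
    """
    ports = defaultdict(set)
    proto = PROTOCOLS[default]
    for item in spec.split(","):
        item = item.strip()
        if len(item) >= 2 and item[1] == ":":
            key = item[0].upper()
            if key not in PROTOCOLS:
                raise ValueError(f"unknown protocol qualifier in {item!r}")
            proto, item = PROTOCOLS[key], item[2:]
        if not item:
            raise ValueError("empty port item in specification")
        if item == "-":
            lo, hi = 1, MAX_PORT
        elif "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else 1
            hi = int(hi_s) if hi_s else MAX_PORT
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"invalid port range {item!r}")
        ports[proto].update(range(lo, hi + 1))
    return {p: sorted(s) for p, s in ports.items()}


def probe_count(spec):
    """Number of per-host port probes the specification implies."""
    return sum(len(v) for v in parse_port_spec(spec).values())


def scope_report(spec, host_count):
    """Summarise the footprint of a planned scan for an authorization review."""
    per_host = probe_count(spec)
    return {"ports_per_host": per_host, "hosts": host_count,
            "total_probes": per_host * host_count}


if __name__ == "__main__":
    # Constructed comparison: a /24 of web servers scanned narrowly vs. fully.
    for spec in ("80", "U:53,111,137,T:21-25,80,139,8080,S:9", "-"):
        print(f"-p {spec}: {scope_report(spec, 256)}")
```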