Thursday, December 27, 2007

NMAP 4.50 Release

Nmap was first released in 1997, so this release celebrates the 10th anniversary. Major new features since 4.00 include the Zenmap cross-platform GUI, 2nd Generation OS Detection, the Nmap Scripting Engine, a rewritten host discovery system, performance optimization, advanced traceroute functionality, TCP and IP options support, and nearly 1,500 new version detection signatures.

The Nmap Changelog describes 320 improvements since 4.00 in more than 1,500 lines. Here are the highlights:

Zenmap graphical front-end and results viewer
Zenmap is a cross-platform (tested on Linux, Windows, Mac OS X) GUI which supports all Nmap options. It allows easier browsing, searching, sorting, and saving of Nmap results. Zenmap replaces the venerable but dated NmapFE, which was the default Nmap GUI for more than 8 years.
2nd Generation OS Detection
Nmap revolutionized OS detection when the feature was first released in October 1998, and it served us well for more than 9 years as the database grew to 1,684 fingerprints. The new 2nd generation system incorporates everything we learned during those years and has proven itself more effective and accurate. The new database has 1,085 signatures, ranging from the 2Wire 11701HG wireless ADSL modem to the ZyXEL ZyWall 2 Plus firewall. In addition to more than 500 general purpose OS fingerprints, it contains 94 switches, 92 printers, 81 WAPs, 63 broadband routers, 31 firewalls, 19 VoIP phones, 16 webcams, 8 cell phones, and more. Nmap currently only have fingerprints for 1 ATM machine and 2 game consoles. The new system is extensively documented.
Nmap Scripting Engine
The Nmap Scripting Engine helps change that by allowing users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs. Nmap 4.50 includes 40 scripts ranging from simple (showHTMLTitle, ripeQuery) to more complex (netbios-smb-os-discovery, SQLInject, bruteTelnet). An NSE library system (NSELib) allows common functions and extensions to be written in LUA or C. NSE can efficiently handle normal TCP or UDP sockets, or read and write raw packets using Libpcap. The system and API are extensively documented. You can try NSE (along with other features) out by adding the -A option to your Nmap command-line.
Performance and accuracy improvements
Not only were the host discovery and OS detection systems completely replaced, but Nmap improved the port scanning algorithms in the process. We also optimized the configure scripts and removed a lot of dead code to improve compile times and reduce the distribution size. Another performance boost came from ignoring certain rate-limited ICMP error messages in cases such as SYN scan where the ICMP error means the same as the lack of any response does anyway.
Version detection enhancements
It allows Nmap to determine the service listening on a port using protocol communication rather than making assumptions based on port number. In addition to the service name, the system can also often deduce other information such as application name, version number, device type, operating system, and more. The DB has grown more than 40% since 4.00 to 4,542 signatures representing 449 services. The service protocols with the most signatures are http (1,473), telnet (459), ftp (423), smtp (327), pop3 (188), http-proxy (111), ssh (104), imap (103), irc (46) and nntp (44).
Host discovery (ping scanning) system rewritten
The old host discovery system (massping()) was removed and the primary port scanning engine (ultra_scan()) augmented to support host discovery. The new system is more accurate, and in some cases faster. We removed the artificial limits on the number of ports and protocols (such as -PS arguments) which can be used for discovery. A new IP protocol ping type (-PO) was added which sends IP headers with your specified protocol numbers in the hope of eliciting a response.
--reason explains why a port is open/closed/filtered
The new --reason option adds a column to the Nmap port state table which explains why Nmap assigned a port status. For example, a port could be listed as “filtered” because no response was received, or because an ICMP network unreachable message was received. With --reason, you can find out which was the case without digging through --packet-trace logs.
Advanced traceroute support
Nmap now offers a --traceroute option which uses Nmap data to determine which sort of packets are most likely to slip through the target network and produce useful results. The system is well optimized for speed and bandwidth efficiency, and the clever output system avoids repeating the same initial hops for each target system. The -A option now includes traceroute.
TCP and IP Options
Nmap now supports IP options with the new --ip-options flag. You can specify any options in hex, or use “R” (record route), “T” (record timestamp), “U” (record route & timestamp), “S [route]” (strict source route), or “L [route]” (loose source route). Specify --packet-trace to display IP options of responses. For further information and examples, see this post. TCP options are now reported by --packet-trace too.
Other changes to enjoy in Nmap 4.50:
  • Added the --open option, which causes Nmap to show only open ports. Ports in the states “open|closed” and “unfiltered” might be open, so those are shown unless the host has an overwhelming number of them.
  • The --scanflags option now also accepts “ECE”, “CWR”, “ALL” and “NONE” as arguments.
  • The new --servicedb and --versiondb options let you specify a custom Nmap services (port to port number translation and port frequency) file or version detection database.
  • IP Protocol scan (-sO) now sends proper protocol headers for TCP, UDP, ICMP, and IGMP.
  • Improved nmap.xsl, which is used to transform Nmap XML output into pretty HTML reports.
  • Added the --unprivileged option, which is the opposite of --privileged. It tells Nmap to treat the user as lacking network raw socket and sniffing privileges. This is useful for testing, debugging, or when the raw network functionality of your operating system is somehow broken.
  • Nmap now allows multiple ignored port states. If a 65K-port scan had, 64K filtered ports, 1K closed ports, and a few dozen open ports, Nmap used to list the dozen open ones among a thousand lines of closed ports. Now Nmap will give reports like “Not shown: 64330 filtered ports, 1000 closed ports” or “All 2051 scanned ports on 192.168.0.69 are closed (1051) or filtered (1000)”, and omit all of those ports from the table. Open ports are never ignored.