Nmap 4.75 was released on Sunday 7 September 2008 and, since it includes some great new features, I thought I'd mention a few of them here. The currently available version of Nmap is actually 4.76 which was released on Saturday 13 September 2008 and which fixed some bugs found in the 4.75 release. Go get it: http://nmap.org/download
Fyodor spent the Summer scanning millions of hosts on the Internet in an effort to gather data which could inform decisions on how to improve Nmap in terms of speed, accuracy and host and port discovery. Out of this WorldScan project came the data on how often many of the TCP and UDP ports are found to be open and this frequency data has been added to the nmap-services file used by Nmap during its scans. This is a major benefit to Nmap users:
- Nmap's default scan (nmap <target>) now interrogates the top 1000 most frequently open TCP or UDP ports. Previously, the first 1024 ports as well as all named ports above 1024 were scanned (1715 TCP and 1488 UDP), so this improvement dramatically reduces the number of ports scanned whilst increasing the chance that the ports scanned will be open, i.e., improving the default scan's ability to find open ports. About 93% of open TCP ports and roughly 98% of open UDP ports are found (on average) with the default scan.
- Nmap's fast scan (nmap -F <target>) now scans the top 100 most frequently open TCP or UDP ports. This scan previously scanned 1276 TCP and 1017 UDP ports and, whilst faster than the default scan, wasn't particularly deserving of its name; it is now. 73% of open TCP and 90% of open UDP ports are found with the Fast scan.
- --top-ports <number> allows you to scan the <number> most frequently open ports. For example, nmap -sS --top-ports 3674 finds, on average, 100% of open TCP ports and nmap -sU --top-ports 1017 finds, on average, 100% of open UDP ports (making scanning every one of the 65535 ports (-p-) largely unnecessary).
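To make the frequency ranking concrete, here is an added Python example (not Nmap's own code) that parses the open-frequency column nmap-services gained in 4.75, selects the top N ports the way --top-ports does, and estimates what share of open ports such a scan is expected to find. The sample lines and their frequencies are constructed for illustration, not taken from the real file.

```python
"""Rank ports by the open-frequency column of nmap-services (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample in nmap-services format: name, port/protocol, open-frequency.
# The frequencies below are made up; the real values are in Nmap's nmap-services.
SAMPLE_NMAP_SERVICES = """\
# service-name  port/protocol  open-frequency  [# comment]
http     80/tcp     0.484143  # World Wide Web HTTP
ssh      22/tcp     0.182286  # Secure Shell Login
smtp     25/tcp     0.131314
domain   53/tcp     0.054772
domain   53/udp     0.213496
snmp     161/udp    0.433467
http     8080/tcp   0.042052
unknown  65535/tcp  0.000000
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\s+([0-9.]+)")


def parse_services(text: str) -> Dict[str, List[Tuple[int, float]]]:
    """Return {'tcp': [(port, freq), ...], 'udp': [...]} from nmap-services text."""
    table: Dict[str, List[Tuple[int, float]]] = {"tcp": [], "udp": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        match = LINE_RE.match(line)
        if not match:
            continue                      # skip malformed lines rather than abort
        _name, port, proto, freq = match.groups()
        table[proto].append((int(port), float(freq)))
    return table


def top_ports(table: Dict[str, List[Tuple[int, float]]], proto: str, n: int) -> List[int]:
    """The n ports of one protocol with the highest open-frequency (what --top-ports n scans).
    Ties are broken by ascending port number so the result is deterministic."""
    ranked = sorted(table[proto], key=lambda pf: (-pf[1], pf[0]))
    return [port for port, _freq in ranked[:n]]


def coverage(table: Dict[str, List[Tuple[int, float]]], proto: str, n: int) -> float:
    """Share of the total open-frequency mass held by the top n ports, i.e. the
    expected fraction of open ports a --top-ports n scan finds under this table."""
    freqs = sorted((freq for _port, freq in table[proto]), reverse=True)
    total = sum(freqs)
    return sum(freqs[:n]) / total if total else 0.0
```

With the real nmap-services file as input, coverage(table, "tcp", 1000) is the figure behind the "about 93%" quoted above for the default scan.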
- There have been several significant improvements to Zenmap, the Nmap GUI. The most visible of these is the Topology System, which uses --traceroute information to draw a map of the network. That's right, a visualisation of the network topology in the form of a map! Have a look at http://nmap.org/book/zenmap-topology.html to see what I mean. The map starts with the scanning host at the centre of a set of concentric rings representing increasing numbers of network hops. The scanned hosts are placed according to the number of hops between them and the scanning machine. It's possible to redraw the map with any of the hosts at the centre by simply clicking a host whilst the "Change Focus" control is selected, and the result is a sweet animation as the hosts are rearranged to show the network from the perspective of the selected host.
- Zenmap Scan Aggregation (http://nmap.org/book/zenmap-scanning.html#aggregation) is another improvement to Zenmap which allows you to build up a picture of the network by adding scans. For instance, you might start with nmap -sP -PE --traceroute <targets> to get an overall picture of the topology of the network and then perform more detailed scans of each of the hosts found; the information acquired builds into a more complete picture (literally, if you look at the Topology tab).
- The Nmap Scripting Engine has been significantly improved, making it easier to write custom scripts to perform all sorts of network, host and application discovery tasks. There are new NSE libraries to make scripting of common tasks a painless exercise, and there are new scripts to give you more information about your targets.
So these are just a few of the new features you can try for yourself and there are more on the horizon. You can see a complete list of changes to Nmap in the changelog at http://nmap.org/changelog.html
Here's an example of a scan which is faster, more accurate and results in more information than previous versions:

nmap -sSV -F --script default,discovery scanme.nmap.org

Starting Nmap 4.76 ( http://nmap.org ) at 2008-09-27 16:05 GMT Standard Time
Interesting ports on scanme.nmap.org (220.127.116.11):
Not shown: 95 filtered ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 4.3 (protocol 2.0)
25/tcp  closed smtp
53/tcp  open   domain  ISC BIND 9.3.4
80/tcp  open   http    Apache httpd 2.2.2 ((Fedora))
|_ HTML title: Go ahead and ScanMe!
113/tcp closed auth

Host script results:
| Whois: Record found at whois.arin.net
| netrange: 18.104.22.168 - 22.214.171.124
| netname: NET-64-13-143-0-26
| orgname: Titan Networks
| orgid: INSEC
|_ country: US stateprov: CA
| AS Numbers:
| BGP: 126.96.36.199/21 and 188.8.131.52/18
| Country: US
| Origin AS: 10565 - SVCOLO-AS - Silicon Valley Colocation, Inc.
|_ Peer AS: 3561 6461

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.09 seconds