Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 4.00 from .


Nmap has undergone many substantial changes since our last major
release (3.50 in February 2004) and we recommend that all current
users upgrade. Here are the most important improvements made in the 36
intermediate releases since 3.50:

o Added the ability for Nmap to send and properly route raw ethernet
frames containing IP datagrams rather than always sending the
packets via raw sockets. This is particularly useful for Windows,
since Microsoft has disabled raw socket support in XP. Nmap tries
to choose the best method at runtime based on platform, though you
can override it with the new --send-eth and --send-ip options.

o Added ARP scanning (-PR). Nmap can now send raw ethernet ARP
requests to determine whether hosts on a LAN are up, rather than
relying on higher-level IP packets (which can only be sent after a
successful ARP request and reply anyway). This is much faster and
more reliable (not subject to IP-level firewalling) than IP-based
probes. It is now used automatically for any hosts that are
detected to be on a local ethernet network, unless --send-ip was

o Added the --spoof-mac option, which asks Nmap to use the given MAC
address for all of the raw ethernet frames it sends. Valid
--spoof-mac argument examples are "Apple", "0", "01:02:03:04:05:06",
"deadbeefcafe", "0020F2", and "Cisco".

o Rewrote core port scanning engine, which is now named ultra_scan().
Improved algorithms make this faster (often dramatically so) in
almost all cases. Not only is it superior against single hosts, but
ultra_scan() can scan many hosts (sometimes hundreds) in parallel.
This offers many efficiency/speed advantages. For example, hosts
often limit the ICMP port unreachable packets used by UDP scans to
1/second. That made those scans extraordinarily slow in previous
versions of Nmap. But if you are scanning 100 hosts at once,
suddenly you can receive 100 responses per second. Spreading the
scan amongst hosts is also gentler toward the target hosts.

o Overhauled UDP scan. Ports that don't respond are now classified as
"open|filtered" (open or filtered) rather than "open". The (somewhat
rare) ports that actually respond with a UDP packet to the empty
probe are considered open. If version detection is requested, it
will be performed on open|filtered ports. Any that respond to any of
the UDP probes will have their status changed to open. This avoids
the false-positive problem where filtered UDP ports appear to be
open, leading to terrified newbies thinking their machine is
infected by back orifice.

o Put Nmap on a diet, with changes to the core port scanning routine
(ultra_scan) to substantially reduce memory consumption, particularly
when tens of thousands of ports are scanned.

o Added 'leet ASCII art to the configurator! Note that
only people compiling the UNIX source code get this. (ASCII artist
unknown). If you don't like it, feel free to submit your own work.

o Wrote a new man page from scratch. It is much more comprehensive
(more than twice as long) and (IMHO) better organized than the
previous one. Read it online at
or docs/nmap.1 from the Nmap distribution. Let me know if you have
any ideas for improving it. Translations to Chinese, French,
Japanese, Brazilian Portuguese, Portugal Portuguese, and Romanian
can be found on the Nmap docs page at . More than a dozen other
translations are in progress. The XML source for the man page is
distributed with Nmap in docs/nmap-man.xml. Patches to Nmap that are
user-visible should include patches to the man page XML source rather
than to the generated Nroff.

o Integrated all service submissions up to January 2006. The DB has
tripled in size since 3.50 to 3,153 signatures for 381 service
protocols. Those protocols span the gamut from abc, acap, afp, and
afs to zebedee, zebra, and zenimaging. It even covers obscure
protocols such as http, ftp, smtp, and ssh :). Thanks to Version
Detection Czar Doug Hoyte for his excellent work on this. Other
great probes and signatures came from Dirk Mueller
(mueller(a), Lionel Cons (lionel.cons(a), Martin
Macok (martin.macok(a), and Bo Jiang
(jiangbo(a) Thanks also go to the (literally)
thousands of you who submitted service fingerprints. Keep them

o Integrated tons of new OS detection fingerprints. The database grew
more than 50% from 1,121 to 1,684 fingerprints. Notable additions
include Mac OS X 10.4 (Tiger), OpenBSD 3.7, FreeBSD 5.4, Windows
Server 2003 SP1, Sony AIBO (along with a new "robotic pet" device
type category), the latest Linux 2.6 kernels, Cisco routers with IOS
12.4, a ton of VoIP devices, Tru64 UNIX 5.1B, new Fortinet
firewalls, AIX 5.3, NetBSD 2.0, Nokia IPSO 3.8.X, and Solaris 10.
Of course there are also tons of new broadband routers, printers,
WAPs and pretty much any other device you can coax an ethernet cable
(or wireless card) into! Much of this OS detecton work was done by
Google SoC student Zhao Lei (zhaolei(a)

o Created a Windows executable installer using the open source NSIS
(Nullsoft Scriptable Install System). It handles Pcap installation,
registry performance changes, and adding Nmap to your cmd.exe
executable path. The installer source files are in mswin32/nsis/ .
Thanks to Google SoC student Bo Jiang (jiangbo(a) for
creating the initial version.

o Added run time interaction as documented at .
While Nmap is running, you can now press 'v' to increase verbosity,
'd' to increase the debugging level, 'p' to enable packet tracing,
or the capital versions (V,D,P) to do the opposite. Any other key
(such as enter) will print out a status message giving the estimated
time until scan completion. Most of this work was done by Paul
Tarjan (ptarjan(a), Andrew Lutomirski
(luto(a), and Gisle Vanem (giva(a)

o Reverse DNS resolution is now done in parallel rather than one at a
time. All scans of large networks (particularly list, ping and
just-a-few-ports scans) benefit substantially from this change. The
new --system-dns option was added so you can use the (slow) system
resolver if you prefer that for some reason. You can specify a
comma separated list of DNS server IP addresses for Nmap to use with
the new --dns-servers option. Otherwise, Nmap looks in
/etc/resolve.conf (UNIX) or the system registry (Windows) to obtain
the nameservers already configured for your system. This excellent
patch was written by Doug Hoyte (doug(a)

o Updated NmapFE to build with GTK2 rather than obsolete GTK1. Thanks
to Priit Laes (amd(a), Mike Basinger
(dbasinge(a) and Meethune Bhowmick
(meethune(a) for developing the patch. GTK2 is
prettier, more functional, and actually exists on most modern Linux
distributions (many of which removed GTK1 long ago).

o Added the --badsum option, which causes Nmap to use invalid TCP or
UDP checksums for packets sent to target hosts. Since virtually all
host IP stacks properly drop these packets, any responses received
are likely coming from a firewall or IDS that didn't bother to
verify the checksum. For more details on this technique, see
 . The author of that
paper, Ed3f (ed3f(a), is also the author of this patch
(which I changed it a bit).

o The 26 Nmap commands that previously included an underscore
(--max-rtt-timeout, --send-eth, --host-timeout, etc.) have been
renamed to use a hyphen in the preferred format
(i.e. --max-rtt-timeout). Underscores are still supported for
backward compatibility.

o Added --max-retries option for capping the maximum number of
retransmissions the port scan engine will do. The value may be as
low as 0 (no retransmits). A low value can increase speed, though
at the risk of losing accuracy. The -T4 option now allows up to 6
retries, and -T5 allows 2. Thanks to Martin Macok
(martin.macok(a) for writing the initial patch.

o Many of the Nmap low-level timing options take a value in
milliseconds. You can now append an 's', 'm', or 'h' to the value
to give it in seconds, minutes, or hours instead. So you can specify a
45 minute host timeout with --host-timeout 45m rather than specifying
--host-timeout 2700000 and hoping you did the math right and have the
correct number of zeros. This also now works for the
--min-rtt-timeout, --max-rtt-timeout, --initial-rtt-timeout,
--scan-delay, and --max-scan-delay options.

o Wrote a new Nmap compilation, installation, and removal guide, which
you can find at .

o Made some changes to allow source port zero scans (-g0). Nmap used
to refuse to do this, but now it just gives a warning that it may not
work on all systems. It seems to work fine on my Linux box. Thanks
to Bill Dale (bill_dale(a) for suggesting this feature.

o Applied some small fixes so that Nmap compiles with Visual C++
2005 Express, which is free from Microsoft at . Thanks to KX
(kxmail(a) and Sina Bahram (sbahram(a)

o Added --thc option (undocumented)

o Wrote a new "help screen", which you get when running Nmap without
arguments. It is also reproduced in the man page and at . I gave up trying
to fit it within a 25-line, 80-column terminal window. It is now 78
lines and summarizes all but the most obscure Nmap options.

o Added OS, device type, and hostname detection using the service
detection framework. Many services print a hostname, which may be
different than DNS. The services often give more away as well. If
Nmap detects IIS, it reports an OS family of "Windows". If it sees
HP JetDirect telnetd, it reports a device type of "printer". Rather
than try to combine TCP/IP stack fingerprinting and service OS
fingerprinting, they are both printed. After all, they could
legitimately be different. An IP that gives a stack fingerprint
match of "Linksys WRT54G broadband router" and a service fingerprint
of Windows based on Kazaa running is likely a common NAT setup rather
than an Nmap mistake.

o Overhauled the Nmap version detection guide and posted it at .

o Service/version detection now handles multiple hosts at once for
more efficient and less-intrusive operation.

o Added "rarity" feature to Nmap version detection. This causes
obscure probes to be skipped when they are unlikely to help. Each
probe now has a "rarity" value. Probes that detect dozens of
services such as GenericLines and GetRequest have rarity values of
1, while the WWWOFFLEctrlstat and mydoom probes have a rarity of 9.
When interrogating a port, Nmap always tries probes registered to
that port number. So even WWWOFFLEctrlstat will be tried against
port 8081 and mydoom will be tried against open ports between 3127
and 3198. If none of the registered ports find a match, Nmap tries
probes that have a rarity less than or equal to its current
intensity level. The intensity level defaults to 7 (so that most of
the probes are done). You can set the intensity level with the new
--version-intensity option. Alternatively, you can just use
--version-light or --version-all which set the intensity to 2 (only
try the most important probes and ones registered to the port
number) and 9 (try all probes), respectively. --version-light is
much faster than default version detection, but also a bit less
likely to find a match. This feature was designed and implemented
by Doug Hoyte (doug(a)

o Added a "fallback" feature to the nmap-service-probes database.
This allows a probe to "inherit" match lines from other probes. It
is currently only used for the HTTPOptions, RTSPRequest, and
SSLSessionReq probes to inherit all of the match lines from
GetRequest. Some servers don't respond to the Nmap GetRequest (for
example because it doesn't include a Host: line) but they do respond
to some of those other 3 probes in ways that GetRequest match lines
are general enough to match. The fallback construct allows us to
benefit from these matches without repeating hundreds of signatures
in the file. This is another feature designed and implemented
by Doug Hoyte (doug(a)

o Added "Exclude" directive to nmap-service-probes grammar which
causes version detection to skip listed ports. This is helpful for
ports such as 9100. Some printers simply print any data sent to
that port, leading to pages of HTTP requests, SMB queries, X Windows
probes, etc. If you really want to scan all ports, specify
--allports. This patch came from Doug Hoyte (doug(a)

o Version detection softmatches (when Nmap determines the service
protocol such as smtp but isn't able to determine the app name such as
Postfix) can now parse out the normal match line fields such as
hostname, device type, and extra info. For example, we may not know
what vendor created an sshd, but we can still parse out the protocol
number. This was a patch from Doug Hoyte (doug(a)

o Fixed a bunch of typos and misspellings throughout the Nmap source
code (mostly in comments). This was a 625-line patch by Saint Xavier

o Added a stripped-down and heavily modified version of Dug Song's
libdnet networking library (v. 1.10). This helps with the new raw
ethernet features. My (extensive) changes are described in

o Updated nmap data files (nmap-mac-prefixes, nmap-protocols,
nmap-rpc) with the latest OUIs, IP protocols, and RPC program numbers,

o Updated the included libpcap from 0.7.2 to 0.9.3. This was an
attempt to fix an annoying bug, which I then found was actually in
my code rather than libpcap :). Also updated the included GNU
shtool (to 2.0.2), LibPCRE (6.4), and the autoconf config.* files
(to the latest from their CVS).

o Nmap now uses (and require) WinPcap 3.1 on Windows.

o Added MAC address printing. If Nmap receives packet from a target
machine which is on an Ethernet segment directly connected to the
scanning machine, Nmap will print out the target MAC address. Nmap
also now contains a database (derived from the official IEEE
version) which it uses to determine the vendor name of the target
ethernet interface. Here are examples from normal and XML output
(angle brackets replaced with [] for HTML changelog compatibility):
MAC Address: 08:00:20:8F:6B:2F (SUN Microsystems)
[address addr="00:A0:CC:63:85:4B" vendor="Lite-on Communications" addrtype="mac" /

o The official Nmap RPM files are now compiled statically for better
compatibility with other systems. X86_64 (AMD Athlon64/Opteron)
binaries are now available in addition to the standard i386. NmapFE
RPMs are no longer distributed by Insecure.Org.

o Nmap distribution signing has changed. Release files are now signed
with a new Nmap Project GPG key (KeyID 6B9355D0). Learn more at

o Updated random scan (ip_is_reserved()) to reflect the latest IANA
assignments. This to Felix Groebert
(felix(a) and Chad Loder (cloder(a) for
sending these patches.

o Added the --iflist option, which prints a list of system interfaces
and routes detected by Nmap.

o Removed WinIP library (and all Windows raw sockets code) since MS
has gone and broken raw sockets. Maybe packet receipt via raw
sockets will come back at some point. As part of this removal, the
Windows-specific --win_help, --win_list_interfaces, --win_norawsock,
--win_forcerawsock, --win_nopcap, --win_nt4route, --win_noiphlpapi,
and --win_trace options have been removed.

o Added new --privileged command-line option and NMAP_PRIVILEGED
environmental variable. Either of these tell Nmap to assume that
the user has full privileges to execute raw packet scans, OS
detection and the like. This can be useful when Linux kernel
capabilities or other systems are used that allow non-root users to
perform raw packet or ethernet frame manipulation. Without this
flag or variable set, Nmap bails on UNIX if geteuid() is

o Changed the RPM spec file so that if you define "static" to 1 (by
passing --define "static 1" to rpmbuild), static binaries are built.

o ultra_scan() now sets pseudo-random ACK values (rather than 0) for
any TCP scans in which the initial probe packet has the ACK flag set.
This would be the ACK, Xmas, Maimon, and Window scans.

o Fixed an integer overflow that prevented Nmap from scanning
2,147,483,648 hosts in one expression (e.g. Problem
noted by Justin Cranford (jcranford(a) While /1 scans
are now possible, don't expect them to finish during your bathroom
break. No matter how constipated you are.

o Changed from CVS to Subversion source control system (which
rocks!). Neither repository is currently public due to security

o Nmap now ships with and installs (in the same directory as other
data files such as nmap-os-fingerprints) an XSL stylesheet for
rendering the XML output as HTML. This stylesheet was written by
Benjamin Erb ( see  for examples).
It supports tables, version detection, color-coded port states, and
more. The XML output has been augmented to include an
xml-stylesheet directive pointing to nmap.xsl on the local
filesystem. You can point to a different XSL file by providing the
filename or URL to the new --stylesheet argument. Omit the
xml-stylesheet directive entirely by specifying --no-stylesheet.
The XML to HTML conversion can be done with an XSLT processor such
as Saxon, Sablot, or Xalan, but modern browsers can do this on the
fly -- simply load the XML output file in IE or Firefox.It is
often more convenient to have the stylesheet loaded from a URL
rather than the local filesystem, allowing the XML to be rendered on
any machine regardless of whether/where the XSL is installed. For
privacy reasons (avoid loading of an external URL when you view
results), Nmap uses the local filesystem by default. If you would
like the latest version of the stylesheet loaded from Insecure.Org when
rendering, specify --webxml, which is a shortcut for
--stylesheet .

o If a user attempts -PO (the letter O), instead of -P0 (zero), print
an error suggesting that the user is a doofus (actually it is a nice

o Upgraded the fragmentation option (-f). One -f now sets sends
fragments with just 8 bytes after the IP header, while -ff sends 16
bytes to reduce the number of fragments needed. You can specify
your own fragmentation offset (must be a multiple of 8) with the new
--mtu flag. Don't also specify -f if you use --mtu. Remember that
some systems (such as Linux with connection tracking) will
defragment in the kernel anyway -- so test first while sniffing with
ethereal. These changes are from a patch by Martin Macok

o Nmap now prints the number (and total bytes) of raw IP packets sent
and received when it completes, if verbose mode (-v) is enabled. The
report looks like:
Nmap finished: 256 IP addresses (3 hosts up) scanned in 30.632 seconds
Raw packets sent: 7727 (303KB) | Rcvd: 6944 (304KB)

o Added new "closed|filtered" state. This is used for Idle scan, since
that scan method can't distinguish between those two states. Nmap
previously just used "closed", but this is more accurate.

o Null, FIN, Maimon, and Xmas scans now mark ports as "open|filtered"
instead of "open" when they fail to receive any response from the
target port. After all, it could just as easily be filtered as open.
This is the same change that was made to UDP scan in 3.70. Also as
with UDP scan, adding version detection (-sV) will change the state
from open|filtered to open if it confirms that they really are open.

o Change IP protocol scan (-sO) so that a response from the target
host in any protocol at all will prove that protocol is open. As
before, no response means "open|filtered", an ICMP protocol
unreachable means "closed", and most other ICMP error messages mean

o Changed IP protocol scan (-sO) so that it sends valid ICMP, TCP, and
UDP headers when scanning protocols 1, 6, and 17, respectively. An
empty IP header is still sent for all other protocols. This should
prevent the error messages such as "sendto in send_ip_packet:
sendto(3, packet, 20, 0,, 16) => Operation not
permitted" that Linux (and perhaps other systems) would give when
they try to interpret the raw packet. This also makes it more
likely that these protocols will elicit a response, proving that the
protocol is "open".

o Fixed a memory leak that would generally consume several hundred
bytes per down host scanned. While the effect for most scans is
negligible, it was overwhelming when Scott Carlson
(Scott.Carlson(a) tried to scan 24 million IPs
( Thanks to him for reporting the problem. Also thanks
to Valgrind (  ) for making it easy to debug.

o Added --max-scan-delay parameter. Nmap will sometimes increase the
delay itself when it detects many dropped packets. For example,
Solaris systems tend to respond with only one ICMP port unreachable
packet per second during a UDP scan. So Nmap will try to detect
this and lower its rate of UDP probes to one per second. This can
provide more accurate results while reducing network congestion, but
it can slow the scans down substantially. By default (with no -T
options specified), Nmap allows this delay to grow to one second per
probe. This option allows you to set a lower or higher maximum.
The -T4 and -T5 scan modes now limit the maximum scan delay for TCP
scans to 10 and 5 ms, respectively.

o Added --max-hostgroup option which specifies the maximum number of
hosts that Nmap is allowed to scan in parallel.

o Added --min-hostgroup option which specifies the minimum number of
hosts that Nmap should scan in parallel (there are some exceptions
where Nmap will still scan smaller groups -- see man page). Of
course, Nmap will try to choose efficient values even if you don't
specify hostgroup restrictions explicitly.

o Nmap now estimates completion times for almost all port scan types
(any that use ultra_scan()) as well as service scan (version
detection). These are only shown in verbose mode (-v). On scans
that take more than a minute or two, you will see occasional updates
SYN Stealth Scan Timing: About 30.01% done; ETC: 16:04 (0:01:09 remaining)
New updates are given if the estimates change significantly.

o Added --exclude option, which lets you specify a comma-separated
list of targets (hosts, ranges, netblocks) that should be excluded
from the scan. This is useful to keep from scanning yourself, your
ISP, particularly sensitive hosts, etc. The new --excludefile reads
the list (newline-delimited) from a given file. All the work was
done by Mark-David McLaughlin (mdmcl(a)> and William McVey
( wam(a) ), who sent me a well-designed and well-tested

o Nmap now has a "port scan ping" system. If it has received at least
one response from any port on the host, but has not received
responses lately (usually due to filtering), Nmap will "ping" that
known-good port occasionally to detect latency, packet drop rate,

o Nmap now wishes itself a happy birthday when run on September 1 in
verbose mode! The first public release was on that date in 1997.

o The port randomizer now has a bias toward putting
commonly-accessible ports (80, 22, etc.) near the beginning of the
list. Getting a response early helps Nmap calculate response times and
detect packet loss, so the scan goes faster.

o Host timeout system (--host-timeout) overhauled to support host
parallelization. Hosts times are tracked separately, so a host that
finishes a SYN scan quickly is not penalized for an exceptionally
slow host being scanned at the same time.

o When Nmap has not received any responses from a host, it can now use
certain timing values from other hosts from the same scan group.
This way Nmap doesn't have to use absolute-worst-case (300bps SLIP
link to Uzbekistan) round trip time and latency estimates.

o Documented the --osscan-limit option, which saves time by skipping
OS detection if at least one open and one closed port are not found on
the remote hosts. OS detection is much less reliable against such
hosts anyway, and skipping it can save some time.

o Configure script now detects GNU/k*BSD (whatever that is),
thanks to patches from Robert Millan (rmh (at) debian (dot) org [email concealed]) and Petr
Salinger (Petr.Salinger(a)

o Provide limited --packet-trace support for TCP connect() (-sT)

o Hundreds of other features, bugfixes, and portability
enhancements described at

The link for this article located at BugTraq is no longer available.