Many ancient and well loved security tools, such as Netcat, tcpdump, and John the Ripper, haven't changed much over the

have been under constant development since the day they were released. Nmap is in that second category. It was released as a simple Linux-only port scanner in 1997. Over the next 10+ years it sprouted a myriad of valuable features, including OS detection, version detection, the Nmap Scripting Engine, a Windows port, a graphical user interface, and more. This section provides a timeline of the most important events over a decade of Nmap history, followed by brief predictions on the future of Nmap. For all significant Nmap changes (thousands of them), read the Nmap Changelog. Old releases of Nmap can be found at http://nmap.org/dist/, and ancient versions at http://nmap.org/dist-old/.

September 1, 1997 — Nmap is first released in Phrack Magazine Issue 51, article 11. It doesn't have a version number because new releases aren't planned. Nmap is about 2,000 lines long, and compilation is as simple as gcc -O6 -o nmap nmap.c -lm.

September 5, 1997 — Due to popular demand, a slightly modified version of the Phrack code is released, calling itself version 1.25. The gzipped tarball is 28KB. Version 1.26 (48KB) is released 19 days later.

January 11, 1998 — Insecure.Org is registered and Nmap moves there from its previous home at the DataHaven Project ISP.

March 14, 1998 — Renaud Deraison writes to inform me that he is writing a security scanner, and asks if he can use some Nmap source code. Of course I say yes. Nine days later he sends me a pre-release version of Nessus, noting that it “is designed for sysadmins, not 3l33t H4ck3rZ”.

September 1, 1998 — Inspired by Nmap's first anniversary, I begin work on adding remote OS detection for the upcoming Nmap 2.00. On October 7 I release the first private beta version to a handful of top Nmap developers. We quietly work on this for several months.

December 12, 1998 — Nmap version 2.00 is publicly released, introducing Nmap OS detection for the first time. An article describing the techniques was released in Phrack 54, Article 9. By this point Nmap is broken up into many files, consists of about 8,000 lines of code, is kept in a private CVS revision control system, and the tarball size is 275KB. The nmap-hackers mailing list is started, and later grows to more than 55,000 members.

April 11, 1999 — Nmap 2.11BETA1 is released. This is the first version to contain a graphical user interface as an alternative to the traditional command-line usage. The bundled Unix-only GUI named NmapFE was originally written by Zach Smith. Some people like it, but most prefer command-line execution.

April 28, 2000 — Nmap 2.50 is released. By this point the tarball has grown to 461KB. This release includes timing modes such as -T aggressive, direct SunRPC scanning, and Window and ACK scan methods.

May 28, 2000 — Gerhard Rieger sends a message to the nmap-dev list describing a new “protocol scan” he has developed for Nmap, and he even includes a patch. This is so cool that I release Nmap 2.54BETA1 with his patch less than 12 hours later.

December 7, 2000 — Nmap 2.54BETA16 is released as the first official version to compile and run on Microsoft Windows. The Windows porting work was done by Ryan Permeh and Andy Lutomirski.

July 9, 2001 — The Nmap IP ID idle scan is introduced with Nmap 2.54BETA26. A paper describing the technique is released concurrently. This extremely cool (though not always practical) scan technique is described in the section called “TCP Idle Scan (-sI)”.

July 25, 2002 — I quit my job at Netscape/AOL and start my dream job working on Nmap full time.

July 31, 2002 — Nmap 3.00 is released. The tarball is 922K. This release includes Mac OS X support, XML output, and uptime detection.

August 28, 2002 — Nmap is converted from C to C++ and IPv6 support is added as part of the Nmap 3.10ALPHA1 release.

May 15, 2003 — Nmap is featured in the movie The Matrix Reloaded, where Trinity uses it (followed by a real SSH exploit) to hack a power station and save the world. This leads to more publicity for Nmap than it had ever seen before or has seen since then. Details and screen shots are available at http://nmap.org/movies.html.

July 21, 2003 — I finish a first implementation of Nmap service/version detection (Chapter 7, Service and Application Version Detection) and release it to a couple dozen top Nmap developers and users as Nmap 3.40PVT1. That is followed up by 16 more private releases over the next couple months as we improve the system and add signatures.

September 16, 2003 — Nmap service detection is finally released publicly as part of Nmap 3.45. A detailed paper is released concurrently.

February 20, 2004 — Nmap 3.50 is released. The tarball is now 1,571KB. SCO Corporation is banned from redistributing Nmap because they refuse to comply with the GPL. They have to rebuild their Caldera release ISOs to remove Nmap. This release includes the packet tracing and UDP ping options. It also includes the OS classification system which classifies each of the hundreds of detected operating systems by vendor name, operating system name, OS generation, and device type.

August 31, 2004 — The core Nmap port scanning engine is rewritten for Nmap 3.70. The new engine, named ultra_scan, features dramatically improved algorithms and parallelization support to improve both accuracy and speed. The differences are particularly dramatic for hosts behind strict firewalls.

June 25, 2005 — Google sponsors 10 college and graduate students to work on Nmap full time for the summer as part of Google's Summer of Code initiative. Projects include a second generation OS detection system (Zhao Lei), a new cross-platform GUI named Umit (Adriano Monteiro Marques), and many other cool projects described at http://seclists.org/nmap-hackers/2005/0008.html.

September 8, 2005 — Nmap gains raw ethernet frame sending support with the release of version 3.90. This allows for ARP scanning (see the section called “ARP Scan (-PR)”) and MAC address spoofing as well as evading the raw IP packet ban introduced by Microsoft in Windows XP SP2.

January 31, 2006 — Nmap 4.00 is released. The tarball is now 2,388KB. This release includes runtime interaction to provide on-demand completion estimates, a Windows executable installer, NmapFE updates to support GTK2, and much more.

May 24, 2006 — Google sponsors 10 more Nmap summer developers as part of their SoC program. Zhao and Adriano return as part of 2006 SoC to further develop their respective projects. Diman Todorov is sponsored to help develop the Nmap Scripting Engine. These and seven other talented students and their projects are described at http://seclists.org/nmap-hackers/2006/0009.html.

June 24, 2006 — After two years of development and testing, the 2nd generation OS detection system is integrated into Nmap 4.20ALPHA1. This new system is based on everything we've learned and the new ideas we've conceived since the 1st generation system debuted 8 years earlier. After a bit of time to grow the DB, the new system proves much more accurate and granular than the old one. It is described in Chapter 8, Remote OS Detection.

December 10, 2006 — The Nmap Scripting Engine is released as part of Nmap 4.21ALPHA1. NSE allows users to write (and share) simple scripts to automate a wide variety of networking tasks. The system is a huge success, and is described in Chapter 9, Nmap Scripting Engine.

December 20, 2006 — Nmap's Subversion source code repository opens to the public. Until this time, only a handful of developers had access to the private source repository. Everyone else had to wait for releases. Now everyone can follow Nmap development day by day. There is even an nmap-svn mailing list providing real-time change notification by email. Details are provided in the section called “Obtaining Nmap from the Subversion (SVN) Repository”.

May 28, 2007 — Google sponsors six summer Nmap developers as part of their SoC program. Meanwhile, Adriano's Umit GUI for Nmap is approved as an independent program for SoC sponsorship. Among the sponsored students was David Fifield, who continued long after the summer ended and became one of Nmap's top developers. The Nmap students and their projects are listed at http://seclists.org/nmap-hackers/2007/0003.html.

June 27, 2007 — Die Hard 4: Live Free or Die Hard is released in theaters. It includes a brief scene of hacker Matthew Farrell (Justin Long) demonstrating his Nmap skills. Then he leaves his computer to join Bruce Willis in fighting a diabolical terrorist mastermind. One week later, The Bourne Ultimatum is released and also contains an Nmap scene! The CIA uses Nmap in this movie to hack a newspaper's mail server and read the email of a reporter they assassinated (nice guys)! Screen shots of Nmap movie cameos are all available on the Nmap movies page.

July 8, 2007 — The Umit graphical front end is improved and integrated into the Nmap 4.22SOC1 release for testing. Umit is later renamed to Zenmap, and the venerable NmapFE GUI is removed. Zenmap is covered in Chapter 12, Zenmap GUI Users' Guide.

December 13, 2007 — Nmap 4.50 is released to celebrate

June 1, 2008 — Nmap 4.65 is released and includes, for the first time, an executable Mac OS X installer. The Nmap source tarball is now four megabytes. This release includes 41 NSE scripts, 1,307 OS fingerprints, and 4,706 version detection signatures.

August 18, 2008 — The Nmap project completes its fourth Summer of Code, with our highest success percentage ever (six out of seven sponsored students). They greatly improved Zenmap, the Nmap Scripting Engine, OS detection, and Ncat, as described at http://seclists.org/nmap-dev/2008/q4/0193.html.

September 8, 2008 — Nmap 4.75 is released with almost 100 significant improvements over 4.68. These include the Zenmap network topology and scan aggregation features (see Chapter 12, Zenmap GUI Users' Guide). It also includes port-frequency data from my Worldscan project, which I presented at Black Hat and Defcon in August.

While it is easy to catalogue the history of Nmap, the future is uncertain. Nmap didn't start off with any grand development plan, and most of the milestones in the preceding timeline were not planned more than a year in advance. Instead of trying to predict the shape of the Internet and networking way out in the future, I closely study where it is now and decide what will be most useful for Nmap now and in the near future. So I have no idea where Nmap will be 10 years from now, though I expect it to be as popular and vibrant as ever. The Nmap community is large enough that we will be able to guide Nmap wherever it needs to go. Nmap has faced curve balls before, such as the sudden removal of raw packet support in Windows XP SP2, dramatic changes in network filtering practices and technology, and the slow emergence of IPv6. Each of those required significant changes to Nmap, and we'll have to do the same to embrace or at least cope with networking changes in the future.

While the 10-year plan is up in the air, the coming year is easier to predict. As exciting as big new features are, they won't be a focus. None of us want to see Nmap get bloated and disorganized. So this will be a year of consolidation. The Zenmap and NSE systems are not as mature as the rest of Nmap, so improving these is a big priority. New NSE scripts are great because they extend Nmap's functionality without the stability risks of incorporating new source code into Nmap proper. Meanwhile, Zenmap needs usability and stability improvements, as well as better results visualization.

Another focus is the Nmap web site, which will become more useful and dynamic. A web discussion system, Nmap demo site, and wiki are planned.

Nmap may also grow in its ability to handle web scanning. When Nmap was first developed, different services were often provided as separate daemons identified by the port number they listen on. Now, many new services simply run over HTTP and are identified by a URL path name rather than port number. Scanning for known URL paths is similar in many ways to port scanning (and to the SunRPC scanning which Nmap has also done for many years). Nmap already does some web scanning using the Nmap Scripting Engine (see Chapter 9, Nmap Scripting Engine), but it would be faster and more efficient if basic support was built into Nmap itself.

Some of the coolest Nmap features in the past, such as OS detection and version scanning, were developed in secret and given a surprise release. You can expect more of these in coming years because they are so much fun!

Chapter 2. Obtaining, Compiling, Installing, and Removing Nmap

Table of Contents

Introduction
Testing Whether Nmap is Already Installed
Command-line and Graphical Interfaces
Downloading Nmap
Verifying the Integrity of Nmap Downloads
Obtaining Nmap from the Subversion (SVN) Repository
Unix Compilation and Installation from Source Code
Configure Directives
If You Encounter Compilation Problems
Linux Distributions
RPM-based Distributions (Red Hat, Mandrake, SUSE, Fedora)
Updating Red Hat, Fedora, Mandrake, and Yellow Dog Linux with Yum
Debian Linux and Derivatives such as Ubuntu
Other Linux Distributions
Windows
Windows 2000 Dependencies
Windows Self-installer
Command-line Zip Binaries
Installing the Nmap zip binaries
Compile from Source Code
Executing Nmap on Windows
Sun Solaris
Apple Mac OS X
Executable Installer
Compile from Source Code
Compile Nmap from source code
Compile Zenmap from source code
Third-party Packages
Executing Nmap on Mac OS X
FreeBSD / OpenBSD / NetBSD
OpenBSD Binary Packages and Source Ports Instructions
FreeBSD Binary Package and Source Ports Instructions
Installation of the binary package
Installation using the source ports tree
NetBSD Binary Package Instructions
Amiga, HP-UX, IRIX, and Other Platforms
Removing Nmap

Introduction

Nmap can often be installed or upgraded with a single command, so don't let the length of this chapter scare you. Most readers will use the table of contents to skip directly to sections that concern them. This chapter describes how to install Nmap on many platforms, including both source code compilation and binary installation methods. Graphical and command-line versions of Nmap are described and contrasted. Nmap removal instructions are also provided in case you change your mind.
