Nmap New Features

Saturday, 27 September 2008

Nmap 4.75 was released on Sunday 7 September 2008 and, since it includes some great new features, I thought I'd mention a few of them here.  The currently available version of Nmap is actually 4.76 which was released on Saturday 13 September 2008 and which fixed some bugs found in the 4.75 release.  Go get it: http://nmap.org/download

New features

  • Fyodor spent the summer scanning millions of hosts on the Internet to gather data that could inform decisions on how to improve Nmap's speed, accuracy and host and port discovery.  Out of this WorldScan project came data on how often each TCP and UDP port was found to be open, and this frequency data has been added to the nmap-services file that Nmap consults during its scans.  This is a major benefit to Nmap users:

    • Nmap's default scan (nmap <target>) now interrogates the 1000 most frequently open TCP or UDP ports.  Previously, the first 1024 ports plus every named port above 1024 were scanned (1715 TCP and 1488 UDP ports).  The number of ports scanned is dramatically reduced while the proportion of them likely to be open goes up, i.e. the default scan's ability to find open ports improves.  About 93% of open TCP ports and roughly 98% of open UDP ports are found (on average) with the default scan.
    • Nmap's fast scan (nmap -F <target>) now scans the 100 most frequently open TCP or UDP ports.  This scan previously covered 1276 TCP and 1017 UDP ports and, whilst faster than the default scan, wasn't particularly deserving of its name - it is now.  73% of open TCP and 90% of open UDP ports are found with the fast scan.
    • --top-ports <number> lets you scan the <number> most frequently open ports.  For example nmap -sS --top-ports 3674 finds, on average, 100% of open TCP ports and nmap -sU --top-ports 1017 finds, on average, 100% of open UDP ports, making a scan of all 65535 ports ( -p- ) largely unnecessary.  One caveat: that 100% is measured against the ports seen open in the survey data, so a service deliberately parked on an unusual port will still only turn up with a full -p- scan.
  • There have been several significant improvements to Zenmap, the Nmap GUI.  The most visible of these is the Topology system, which uses --traceroute information to draw a map of the network.  That's right, a visualisation of the network topology in the form of a map!  Have a look at http://nmap.org/book/zenmap-topology.html to see what I mean.  The map starts with the scanning host at the centre of a set of concentric rings representing increasing numbers of network hops, and the scanned hosts are placed according to the number of hops between them and the scanning machine.  It's possible to redraw the map with any host at the centre by simply clicking it whilst the "Change Focus" control is selected, and the result is a sweet animation as the hosts are rearranged to show the network from the perspective of the selected host.

  • Zenmap Scan Aggregation http://nmap.org/book/zenmap-scanning.html#aggregation is another improvement to Zenmap which allows you to build up a picture of the network by adding scans.  For instance, you might start with nmap -sP -PE --traceroute <targets> to get an overall picture of the topology of the network and then perform more detailed scans of each of the hosts found; the information acquired builds into a more complete picture (literally, if you look at the Topology tab).
  • The Nmap Scripting Engine has been significantly improved making it easier to write custom scripts to perform all sorts of network, host and application discovery tasks.  There are new NSE libraries to make scripting of common tasks a painless exercise and there are new scripts to give you more information about your targets.
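To make the port-frequency change above concrete, here is an added example (my own code, not part of the Nmap source or of the original post) that ranks ports the way the 4.75+ default scan, -F and --top-ports do.  Since 4.75 each nmap-services line carries a third column, the fraction of surveyed hosts on which that port was open, and the "finds X% of open ports" figures quoted above are simply the share of that frequency mass the chosen ports account for.  The excerpt of the file embedded below is constructed for the example: the format is real, but the frequency values are made up and are not the ones from the shipped file.

```python
"""Rank ports by the open-frequency column of nmap-services, as Nmap 4.75+
does for -F (top 100), the default scan (top 1000) and --top-ports <n>.

Added example; not Nmap project code."""
from collections import defaultdict

# Constructed excerpt in the nmap-services format introduced in 4.75:
#   <service> <port>/<proto> <open-frequency> [# comment]
# The frequencies here are invented for illustration, not the real survey data.
SAMPLE_NMAP_SERVICES = """\
# Fields: service name, port/protocol, open frequency, optional comment
http        80/tcp    0.484143  # World Wide Web HTTP
telnet      23/tcp    0.221265
https       443/tcp   0.208669
ftp         21/tcp    0.197667
ssh         22/tcp    0.182286
smtp        25/tcp    0.131314
unknown     60001/tcp 0.000000
snmp        161/udp   0.433467
netbios-ns  137/udp   0.365163
ntp         123/udp   0.330879
domain      53/udp    0.213496
"""


def parse_services(text):
    """Return {proto: [(port, frequency, name), ...]} from nmap-services text.

    Lines without a frequency column (the pre-4.75 file layout) are skipped,
    as are comments and blank lines."""
    by_proto = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # no frequency data for this entry
        name, port_proto, freq = fields[0], fields[1], fields[2]
        port, proto = port_proto.split("/", 1)
        by_proto[proto].append((int(port), float(freq), name))
    return by_proto


def top_ports(by_proto, proto, n):
    """The n ports of `proto` with the highest open frequency, best first.
    Ties are broken by port number so the result is deterministic."""
    ranked = sorted(by_proto.get(proto, []), key=lambda e: (-e[1], e[0]))
    return [port for port, _freq, _name in ranked[:n]]


def coverage(by_proto, proto, ports):
    """Share of all open-port observations for `proto` that `ports` account for.

    This is the figure behind "-F finds 73% of open TCP ports": the summed
    frequency of the chosen ports divided by the summed frequency of every
    port in the file."""
    entries = by_proto.get(proto, [])
    total = sum(freq for _p, freq, _n in entries)
    if total == 0:
        return 0.0
    chosen = set(ports)
    return sum(freq for port, freq, _n in entries if port in chosen) / total


if __name__ == "__main__":
    services = parse_services(SAMPLE_NMAP_SERVICES)
    for proto in ("tcp", "udp"):
        best = top_ports(services, proto, 3)
        print(proto, "top 3:", best,
              "coverage: %.1f%%" % (100 * coverage(services, proto, best)))
```

Point parse_services at the real file (usually /usr/share/nmap/nmap-services) and top_ports(..., "tcp", 100) reproduces the port list -F uses, which is handy when you want to check which ports a quick scan would have skipped before trusting a clean result.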

So these are just a few of the new features you can try for yourself and there are more on the horizon.  You can see a complete list of changes to Nmap in the changelog at http://nmap.org/changelog.html

Here's an example of a scan which is faster, more accurate and yields more information than the same scan would have with previous versions:

nmap -sSV -F --script default,discovery scanme.nmap.org

Starting Nmap 4.76 ( http://nmap.org ) at 2008-09-27 16:05 GMT Standard Time
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 95 filtered ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 4.3 (protocol 2.0)
25/tcp  closed smtp
53/tcp  open   domain  ISC BIND 9.3.4
80/tcp  open   http    Apache httpd 2.2.2 ((Fedora))
|_ HTML title: Go ahead and ScanMe!
113/tcp closed auth

Host script results:
|  Whois: Record found at whois.arin.net
|  netrange: 64.13.134.0 - 64.13.134.63
|  netname: NET-64-13-143-0-26
|  orgname: Titan Networks
|  orgid: INSEC
|_ country: US stateprov: CA
|  AS Numbers:
|  BGP: 64.13.128.0/21 and 64.13.128.0/18 | Country: US
|    Origin AS: 10565 - SVCOLO-AS - Silicon Valley Colocation, Inc.
|_     Peer AS: 3561 6461

Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.09 seconds

How Cool?