NMAP Tutorial 2.pdf - Scf

Nmap 5.00 Released
July 16, 2009 -- Insecure.Org is pleased to announce the immediate, free availability of the
Nmap Security Scanner version 5.00 from http://nmap.org/. This is the first stable release since
4.76 (last September), and the first major release since the 4.50 release in 2007. Dozens of
development releases led up to this.
Considering all the changes, we consider this the most important Nmap release since 1997, and
we recommend that all current users upgrade.
About Nmap
Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or
security auditing. Many systems and network administrators also find it useful for tasks such as
network inventory, managing service upgrade schedules, and monitoring host or service uptime.
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network,
what services (application name and version) those hosts are offering, what operating systems
(and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of
other characteristics. It was designed to rapidly scan large networks, but works fine against
single hosts. Nmap runs on all major computer operating systems, and official binary packages
are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap
executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible
data transfer, redirection, and debugging tool (Ncat), and a utility for comparing scan results
(Ndiff).
Nmap was named “Security Product of the Year” by Linux Journal, Info World,
LinuxQuestions.Org, and Codetalker Digest. It was even featured in eight movies, including The
Matrix Reloaded, Die Hard 4, and The Bourne Ultimatum.
As free software, we don't have any sort of advertising budget. So please spread the word that
Nmap 5.00 is now available!
Top 5 Improvements in Nmap 5
Before we go into the detailed changes, here are the top 5 improvements in Nmap 5:
1. The new Ncat tool aims to be your Swiss Army Knife for data transfer, redirection, and
debugging. We released a whole users' guide detailing security testing and network
administration tasks made easy with Ncat.
2. The addition of the Ndiff scan comparison tool completes Nmap's growth into a whole
suite of applications which work together to serve network administrators and security
practitioners. Ndiff makes it easy to automatically scan your network daily and report on
any changes (systems coming up or going down or changes to the software services they
are running). The other two tools now packaged with Nmap itself are Ncat and the much
improved Zenmap GUI and results viewer.

3. Nmap performance has improved dramatically. We spent last summer scanning much of
the Internet and merging that data with internal enterprise scan logs to determine the most
commonly open ports. This allows Nmap to scan fewer ports by default while finding
more open ports. We also added a fixed-rate scan engine so you can bypass Nmap's
congestion control algorithms and scan at exactly the rate (packets per second) you
specify.
4. We released Nmap Network Scanning, the official Nmap guide to network discovery and
security scanning. From explaining port scanning basics for novices to detailing low-level
packet crafting methods used by advanced hackers, this book suits all levels of security
and networking professionals. A 42-page reference guide documents every Nmap feature
and option, while the rest of the book demonstrates how to apply those features to quickly
solve real-world tasks. More than half the book is available in the free online edition.
5. The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features.
It allows users to write (and share) simple scripts to automate a wide variety of
networking tasks. Those scripts are then executed in parallel with the speed and
efficiency you expect from Nmap. All existing scripts have been improved, and 32 new
ones added. New scripts include a whole bunch of MSRPC/NetBIOS attacks, queries,
and vulnerability probes; open proxy detection; whois and AS number lookup queries;
brute force attack scripts against the SNMP and POP3 protocols; and many more. All
NSE scripts and modules are described in the new NSE documentation portal.
News articles and reviews
Please mail Fyodor if you see (or write) reviews/articles on the Nmap 5.00 release. Here are the
ones seen so far: Reasonably detailed (or with many comments) English articles:
ITWire: Nmap Turns Five
Slashdot: Nmap 5.00 Released, With Many Improvements
SecurityFocus: Nmap gets a major upgrade,
LoveMyTool: Exclusive Review of Nmap 5.0 (by Tim O'Neill)
Reddit: Nmap 5.00 Released, considered by maintainers as most important release since 1997
Ed Skoudis: Nmap 5.00 Initial Impressions - Niiiice!
Hacker News: Nmap 5.00 Released
Risky Business: Nmap Reloaded: Biggest Release Since 1997
Linux Weekly News: Nmap 5.00 Released
InternetNews.com: Nmap 5 improves open source network security auditing
Michael Rash (Cipherdyne): Nmap-5.00, Zenmap, and ndiff
IronGeek.Com added a new video: NDiff: Comparing two Nmap 5 scans to find changes in
your network
Twitter has literally thousands of tweets about 5.00 (you may need to page back to July 16).
AllVoices: Powerful network security tool Nmap reaches version 5.00

The H: Version 5.0 of the Nmap network scanner released
Sans Internet Storm Center: Nmap 5.0 Released
Linuxologist: Nmap 5.0 Released: Most Important Since 1997!
Brief mentions: Wireshark.Org, Securiteam, Dark Reading, Linux Today, CGISecurity.Com,
Security4All, Help Net Security, Red Gecko, Peter Van Eeckhoutte, Security Database, Owl
Linux, Priveon Labs
Non-English articles:
Arabic: Linux AC, iSecur1ty.org
Czech: ABC Linuxu, Root.cz
Chinese: Solidot, Netsecurity.51cto.com
Dutch: Tweakers.net, Security.nl
French: Silicon.fr, LinuxFR.org
German: Golem.de, Heise online, Pro-Linux.de, PC Welt, Menzer.net, Secorvo Security News
(PDF)
Russian: OpenNet.ru, Xakep.ru, Linux.org.ru
Spanish: Viva Linux, Barrapunto, menéame, Linux Maya, Iniqua, A por Linux, Portal Chileno
de Seguridad Informatica
Others: Version 2 (Danish), hup.hu (Hungarian), BR-Linux.Org (Portuguese), IDG.se (Swedish)
Journalists (anyone writing about the Nmap release) are welcome to use any of the text or screen
shots on this page.
Example run and screen shots
Nmap 5.00 provides a wealth of information about remote systems, as shown in this sample
scan:
# nmap -A -T4 scanme.nmap.org 207.68.200.30
Starting Nmap 5.00 ( http://nmap.org ) at 2009-07-13 16:22 PDT
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 994 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 1024 03:5f:d3:9d:95:74:8a:d0:8d:70:17:9a:bf:93:84:13 (DSA)
|_ 2048 fa:af:76:4c:b0:f4:4b:83:a4:6e:70:9f:a1:ec:51:0c (RSA)
53/tcp open domain ISC BIND 9.3.4
70/tcp closed gopher
80/tcp open http Apache httpd 2.2.2 ((Fedora))
|_ html-title: Go ahead and ScanMe!
113/tcp closed auth
31337/tcp closed Elite
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.20-1 (Fedora Core 5)
Interesting ports on 207.68.200.30:
Not shown: 991 filtered ports
PORT STATE SERVICE VERSION

53/tcp open domain Microsoft DNS 6.0.6001
88/tcp open kerberos-sec Microsoft Windows kerberos-sec
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds Microsoft Windows 2003 microsoft-ds
464/tcp open kpasswd5?
49158/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49175/tcp open msrpc Microsoft Windows RPC
Running: Microsoft Windows 2008|Vista
Host script results:
| smb-os-discovery: Windows Server (R) 2008 Enterprise 6001 Service Pack 1
| LAN Manager: Windows Server (R) 2008 Enterprise 6.0
| Name: MSAPPLELAB\APPLELAB2K8
|_ System time: 2009-07-13 16:17:07 UTC-7
| nbstat: NetBIOS name: APPLELAB2K8, NetBIOS user: , NetBIOS MAC:
00:1a:a0:9a:a3:96
| Name: APPLELAB2K8 Flags:
|_ Name: MSAPPLELAB Flags:
TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
[Cut first 8 lines for brevity]
9 36.88 ge-10-0.hsa1.Seattle1.Level3.net (4.68.105.6)
10 36.61 unknown.Level3.net (209.245.176.2)
11 41.21 207.68.200.30
Nmap done: 2 IP addresses (2 hosts up) scanned in 120.26 seconds
# (Note: some output was modified to fit results on screen)
Here are some Nmap and Zenmap 5.00 screen shots (click thumbnails for full resolution):
screenshots/nmap5-samplescan-706x964.png screenshots/zenmap-5-topology-885x793.png

screenshots/nmap5-samplescan-706x964.png
Classic command-line Nmap
screenshots/zenmap-5-services-http-885x541.png
screenshots/zenmap-5-services-http-885x541.png
Zenmap showing all discovered HTTP services
Change details
screenshots/zenmap-5-topology-885x793.png
Zenmap's new network topology graphing mode
screenshots/zenmap-5-nmapout-885x793.png
screenshots/zenmap-5-nmapout-885x793.png
Zenmap displaying Nmap output
The Nmap Changelog describes nearly 600 significant improvements since our last major release
(4.50). Here are the highlights:
Nmap Scripting Engine (NSE)
The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It
allows users to write (and share) simple scripts to automate a wide variety of networking tasks.
Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap.
It existed in Nmap 4.50, but has been dramatically improved:
Every script has been improved, and the number of scripts has grown nearly 50% to 59.
Ron Bowes embarked on a massive MSRPC/NETBIOS project to allow Nmap to interrogate
Windows machines much more completely. He added six NSE libraries (msrpc,
msrpcperformance, msrpctypes, netbios, smb, and smbauth) and 14 scripts (p2pconficker,
smb-brute, smb-check-vulns, smb-enum-domains, smb-enum-processes, smbenum-sessions,
smb-enum-shares, smb-enum-users, smb-os-discovery, smb-pwdump,
smb-security-mode, smb-server-stats, and smb-system-info). He also wrote a detailed
paper on the new scripts.
Nmap was one of the first scanners to remotely detect the Conficker worm thanks to smbcheck-vulns,
and p2p-conficker.
Other new scripts include:
asn-query—Maps IP addresses to autonomous system (AS) numbers.
auth-spoof—Checks for an identd (auth) server which is spoofing its replies.

anner—A simple banner grabber which connects to an open TCP port and prints out
anything sent by the listening service within five seconds.
dns-random-srcport—Checks a DNS server for the predictable-port recursion
vulnerability. Predictable source ports can make a DNS server vulnerable to cache
poisoning attacks (see CVE-2008-1447).
dns-random-txid—Checks a DNS server for the predictable-TXID DNS recursion
vulnerability. Predictable TXID values can make a DNS server vulnerable to cache
poisoning attacks (see CVE-2008-1447).
ftp-bounce—Checks to see if an FTP server allows port scanning using the FTP bounce
method.
http-iis-webdav-vuln—Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary
users to access secured WebDAV folders by searching for a password-protected folder
and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin
MS09-020.
http-passwd—Checks if a web server is vulnerable to directory traversal by attempting
to retrieve /etc/passwd using various traversal methods such as requesting
../../../../etc/passwd.
imap-capabilities—Retrieves IMAP email server capabilities.
mysql-info—Connects to a MySQL server and prints information such as the protocol
and version numbers, thread ID, status, capabilities, and the password salt.
pop3-brute—Tries to log into a POP3 account by guessing usernames and passwords.
pop3-capabilities—Retrieves POP3 email server capabilities.
rpcinfo—Connects to portmapper and fetches a list of all registered programs.
snmp-brute—Attempts to find an SNMP community string by brute force guessing.
socks-open-proxy—Checks if an open socks proxy is running on the target.
upnp-info—Attempts to extract system information from the UPnP service.
whois—Queries the WHOIS services of Regional Internet Registries (RIR) and attempts
to retrieve information about the IP Address Assignment which contains the Target IP
Address.
The set of new libraries is equally impressive. Modules are all listed here (scroll down to
"Modules").
Introduced the NSE Documentation Portal which documents every NSE script and library
included with Nmap. It is generated from NSEDoc comments embedded in scripts.
Scripts are available for download on this site as well. We also dramatically improved the
NSE Guide.
NSE now supports run-time interaction so you know when it will complete, and the --hosttimeout
option so you can define when it completes. Support for -S (source IP address)
and --ip-options has been added to the NSE and version detection subsystems.
Added Boolean Operators for --script. You may now use ("and", "or", or "not") combined
with categories, filenames, and wildcarded filenames to match a set of files. A new
default category includes the scripts which run by default when NSE is requested.
NSE can now be used in combination with ping scan (e.g. "-sP --script") so that you can
execute host scripts without needing to perform a port scan.

Zenmap graphical front-end and results viewer
Zenmap is a cross-platform (Linux, Windows, Mac OS X, etc.) Nmap GUI and results viewer
which supports all Nmap options. It aims to make Nmap easy for beginners to use while
providing advanced features for experienced Nmap users. Frequently used scans can be saved as
profiles to make them easy to run repeatedly. A command creator allows interactive creation of
Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be
compared with one another to see how they differ. The results of recent scans are stored in a
searchable database. While Zenmap already existed in Nmap 4.50, it has improved dramatically
since then:
http://nmap.org/book/zenmap-topology.html
http://nmap.org/book/zenmap-topology.html
While Nmap stands for “Network Mapper”, it
hasn't been able to actually draw you a map of
the network—until now! The new Zenmap
Network Topology feature provides an
interactive, animated visualization of the hosts on
a network and connections between them. The
scan source is (initially) in the center, with other
hosts on a series of concentric circles which
represent the number of hops away they are from the source. Nodes are connected by
lines representing discovered paths between them. Read the full details (and oogle the
pretty pictures) in our article on Surfing the Network Topology. Topology views can be
saved as a PNG, postscript, PDF, or SVG image.
The scan aggregation feature allows you to combine the results of many Nmap scans into one
view. When one scan is finished, you may start another in the same window. Results of
the new scan are seamlessly merged into one view.
Zenmap has been internationalized and translated by volunteers into four languages (French,
German, Brazilian Portuguese, and Croatian). We have instructions on using an existing
translation and we're always looking for volunteers to translate Zenmap into your native
language.
Overhauled the default list of scan profiles to provide a much more diverse and useful set of
default profile options. If users don't like any of these canned scan commands, they can
easily create their own in the Profile Editor.
Added a context-sensitive help system to the Profile Editor. Mouse-over options to learn
more about what they do and their argument syntax.
Added advanced search functionality to Zenmap so that you can locate previous scans using
criteria such as which ports were open, keywords in the target names, OS detection
results, etc. Try it out with Ctrl-F or "Tools->Search Scan Results".
The “Compare Results” feature now uses our new Ndiff scan comparison tool.
And more: An animated throbber has been added to indicate that a scan is running, and a new
cancel button lets you stop a scan in its track. The Nmap output window now scrolls
automatically, and ports are colored based on open/closed state.

David wrote an exceptional users' guide, which also became a chapter of Nmap Network
Scanning.
Ncat data transfer, redirection, and debugging tool
. .
\`-"'"-'/
} 6 6 {
==. Y ,==
/^^^\ .
/ \ )
( )-( )/ _
-""---""--- /
/ Ncat \_/
( ____
\_.=|____E
Nmap 5 introduces Ncat, a general-purpose command-line tool for reading, writing, redirecting,
and encrypting data across a network. It aims to be your network Swiss Army knife, handling a
wide variety of security testing and administration tasks. Ncat is suitable for interactive use or as
a network-connected back end for other tools. Ncat can:
Act as a simple TCP/UDP/SSL client for interacting with web servers, telnet servers, mail
servers, and other TCP/IP network services. Often the best way to understand a service
(for fixing problems, finding security flaws, or testing custom commands) is to interact
with it using Ncat. This lets you you control every character sent and view the raw,
unfiltered responses.
Act as a simple TCP/UDP/SSL server for offering services to clients, or simply to understand
what existing clients are up to by capturing every byte they send.
Redirect or proxy TCP/UDP traffic to other ports or hosts. This can be done using simple
redirection (everything sent to a port is automatically relayed somewhere else you specify
in advance) or by acting as a SOCKS or HTTP proxy so clients specify their own
destinations. In client mode, Ncat can connect to destinations through a chain of
anonymous or authenticated proxies.
Run on all major operating systems. We distribute Linux, Windows, and Mac OS X binaries,
and Ncat compiles on most other systems. A trusted tool must be available whenever you
need it, no matter what computer you're using.
Encrypt communication with SSL, and transport it over IPv4 or IPv6.
Act as a network gateway for execution of system commands, with I/O redirected to the
network. It was designed to work like the Unix utility cat, but for the network.
Act as a connection broker, allowing two (or far more) clients to connect to each other
through a third (brokering) server. This enables multiple machines hidden behind NAT
gateways to communicate with each other, and also enables the simple Ncat chat mode.
These capabilities become even more powerful and versatile when combined.
Ncat is our modern reinvention of the venerable Netcat (nc) tool released by Hobbit in 1996.
While Ncat is similar to Netcat in spirit, they don't share any source code. Instead, Ncat makes
use of Nmap's well optimized and tested networking libraries. Compatibility with the original

Netcat and some well known variants is maintained where it doesn't conflict with Ncat's
enhancements or cause usability problems. Ncat adds many capabilities not found in Hobbit's
original nc, including SSL support, proxy connections, IPv6, and connection brokering. The
original nc contained a simple port scanner, but we omitted that from Ncat because we have a
preferred tool for that function.
Ncat is extensively documented in its Users' Guide, man page, and home page.
Host discovery and port scanning performance and features
Nmap has been doing host discovery and port scanning since its release in '97, but we continue
to improve this core functionality. We've added many new features and dramatically improved
performance! Here are the biggest enhancements since 4.50:
Nmap now scans the most common 1,000 ports by default in either protocol (UDP scan is
still optional). These were determined by spending months scanning tens of millions of
IPs on the Internet. This makes Nmap faster (used to scan 1,715 TCP ports by default)
and yet more comprehensive since the smaller number of ports are better chosen.
Nmap fast scan (-F) now scans the top 100 ports by default in either protocol. This is a
decrease from 1,276 (TCP) and 1,017 (UDP) in Nmap 4.68. Port scanning time with -F is
generally an order of magnitude faster than before, making -F worthy of its "fast scan"
moniker.
The --top-ports option lets you specify the number of ports you wish to scan in each protocol,
and will pick the most popular ports for you based on the new frequency data. For both
TCP and UDP, the top 10 ports gets you roughly half of the open ports. The top 1,000
(out of 65,536 possible) finds roughly 93% of the open TCP ports and more than 95% of
the open UDP ports.
Added a new --min-rate option that allows specifying a minimum rate at which to send
packets. This allows you to override Nmap's congestion control algorithms and request
that Nmap try to keep at least the rate you specify. A complementary --max-rate option
was added as well. They are documented here.
Added SCTP port scanning support to Nmap. Stream control transmission protocol is a layer
4 protocol used mostly for telephony related applications. This brings the following new
features:
SCTP INIT chunk port scan (-sY): open ports return an INIT-ACK chunk, closed
ones an ABORT chunk. This is the SCTP equivalent of a TCP SYN stealth scan.
SCTP COOKIE-ECHO chunk port scan (-sZ): open ports are silent, closed ports
return an ABORT chunk.
SCTP-specific IP protocol scan (-sO -p sctp).
SCTP-specific traceroute support (--traceroute).
The server scanme.csnc.ch has been set up for your SCTP scan testing pleasure. But
note that SCTP doesn't pass through most NAT devices.
David spent more than a month on algorithms to improve port scan performance while
retaining or improving accuracy. The changes, described here, reduce our "benchmark
scan time" (which involves many different scan types from many source networks to

many targets) from 1879 seconds to 1321 without harming accuracy. That is a 30% time
reduction! Fyodor made a number of performance improvements as well.
The host discovery (ping probe) defaults have been enhanced to include twice as many
probes. The default is now "-PE -PS443 -PA80 -PP". In exhaustive testing of 90 different
probes, this emerged as the best four-probe combination, finding 14% more Internet hosts
than the previous default, "-PE -PA80". The default for non-root users is -PS80,443,
replacing the previous default of -PS80. In addition, ping probes are now sent in order of
effectiveness (-PE first) so that less effective probes may not have to be sent. ARP ping is
still the default on local ethernet networks.
Fixed an integer overflow which prevented a target specification of "*.*.*.*" from working.
Support for the CIDR /0 is now also available for those times you wish to scan the entire
Internet.
When Nmap finds a probe during ping scan which elicits a response, it now saves that
information for the port scan and later phases. It can then "ping" the host with that probe
as necessary to collect timing information even if the host is not responding to the normal
port scan packets. Previously, Nmap's port scan timing pings could only use information
gathered during that port scan itself. A number of other "port scan ping" system
improvements were made at the same time to improve performance against firewalled
hosts (full details).
Fyodor's Nmap book
http://nmap.org/book/
http://nmap.org/book/
Fyodor released Nmap Network Scanning:
The Official Nmap Project Guide to Network
Discovery and Security Scanning. From
explaining port scanning basics for novices to
detailing low-level packet crafting methods
used by advanced hackers, this book suits all
levels of security and networking
professionals. A 42-page reference guide
documents every Nmap feature and option,
while the rest of the book demonstrates how
to apply those features to quickly solve realworld
tasks. It was briefly the #1 selling computer book on Amazon. More than half of the book
is already free online.
A German translation is available from Open Source Press; Korean and Brazilian Portuguese
translations are forthcoming.
Operating system detection
Thanks to fingerprint submissions from thousands of Nmap users around the world, the 2nd
generation OS detection database has nearly doubled in size since 4.50 to 2,003 entries. These
include the latest versions of Windows, Linux, and Mac OS X as well as more specialized entries

such as oscilloscopes, ATM machines, employee timeclocks, DVRs, game consoles, and much
more. Keep those submissions coming!
In addition to doubling the database size, we enhanced the OS detection engine and its tests to
improve accuracy. For example, we added a new SEQ.CI test (IP ID sequence generation from
closed TCP port) and removed the U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI tests.
Version detection
Nmap's version detection system interrogates open ports to determine what service (e.g. http,
smtp) is running and often the exact application name and version number. The version detection
database grew by nearly a thousand signatures. It grew from 4,558 signatures representing 449
protocols in Nmap 4.50 to 5,512 signatures for 511 protocols in 5.00. You can read about Doug's
signature creation adventures here, here, and here. The service protocols with the most signatures
are http (1,868), telnet (584), ftp (506), smtp (363), pop3 (209), http-proxy (136), ssh (123), imap
(122), and irc (48). Among the protocols with just one signature are netrek, gopher-proxy, ncatchat,
and metasploit.
Ndiff scan comparison tool
The new Ndiff utility compares the results of two Nmap scans and describes the new/removed
hosts, newly open/closed ports, changed operating systems, or application versions, etc. This
makes it trivial to scan your networks on a regular basis and create a report (XML or text format)
on all the changes. See the Ndiff man page and home page for more information. Ndiff is
included in our binary packages and built by default, though you can prevent it from being built
by specifying the --without-ndiff configure flag.
Here are excerpts from an Ndiff comparison between two scans for the Facebook network:
> ndiff -v facebook-vscan-1237136401.xml facebook-vscan-1237395601.xml
-Nmap 4.85BETA3 at 2009-03-15 10:00
+Nmap 4.85BETA4 at 2009-03-18 10:00
+arborvip.tfbnw.net (69.63.179.23):
+Host is up.
+Not shown: 100 filtered ports
www2.02.07.facebook.com (69.63.180.12):
Host is up.
Not shown: 98 filtered ports
PORT STATE SERVICE VERSION
-80/tcp open http Apache httpd 1.3.41.fb2
+80/tcp open http Apache httpd 1.3.41.fb1
443/tcp open ssl/http Apache httpd 1.3.41.fb2
And here is a trivial cron script demonstrating how easy it is to scan a network daily and mail
yourself the changes (and full results in this case):
#!/bin/sh
date=`date "+%s"`
cd /hack/facebook/scripts/
nmap -T4 -F -sV -O --osscan-limit --osscanguess -oA facebook-${date}
[netblocks] > /dev/null
ndiff facebook-old.xml facebook-${date}.xml > facebook-diff-${date}
cp facebook-${date}.xml facebook-old.xml
echo "\n********** NDIFF RESULTS **********\n"

cat facebook-vscan-diff-${date}
echo "\n********** SCAN RESULTS **********\n"
cat facebook-vscan-${date}.nmap
You could do a similar thing using Windows' scheduled tasks.
IronGeek has created an Ndiff 5 introductory video demonstrating command-line Ndiff plus its
use within Zenmap.
Documentation and web site improvements
While Nmap Network Scanning may be the most exciting documentation news for this release,
we did make many other important web site and documentation changes:
Added German and Russian translations of the Nmap Reference Guide (Man Page). You can
choose from all 16 available languages from the Nmap docs page.
Nmap has moved. Everything at http://insecure.org/nmap/ can now be found at
http://nmap.org . That should save your fingers from a little bit of typing.
A copy of the Nmap public svn repository (/nmap, plus its zenmap, nsock, nbase, and ncat
externals) is now available at http://nmap.org/svn/. We update this regularly, but it may
be slightly behind the SVN version. It is particularly useful when you need to link to files
in the tree, since browsers generally don't handle svn:// repository links.
Portability enhancements
Nmap's dramatic improvements are of little value if it doesn't run on your system. Fortunately,
portability has always been a high priority. Nmap 5.00 runs on all major operating systems, plus
the Amiga. Portability improvements in this release include:
A Mac OS X Nmap/Zenmap installer is now available from the Nmap download page. It is
rather straightforward, but detailed instructions are available anyway. As a universal
installer, it works on both Intel and PPC Macs. It is distributed as a disk image file (.dmg)
containing an mpkg package. The installed Nmap include OpenSSL support and also
supports Authorization Services so that Zenmap can run as root when necessary.
Nmap's special WinPcap installer now handles 64-bit Windows machines by installing the
proper 64-bit npf.sys.
The Nmap installer was updated to handle the Windows 7 release candidate.
The Windows version of Nmap (both .zip and executable installer) now supports OpenSSL,
as do the Linux RPM binaries we distribute. The UNIX source tarball has supported
OpenSSL for years.
We now compile in IPv6 support on Windows. In order to use this, you need to have IPv6 set
up. It is installed by default on Vista, but must be manually installed for XP.
Even more improvements
The compile-time Nmap ASCII dragon is now more ferocious thanks to better teeth
alignment:
( ) /\ _ (

\ | ( \ ( \.( ) _____
\ \ \ ` ` ) \ ( ___ / _ \
(_` \+ . x ( .\ \/ \____-----------/ (o) \_
- .- \+ ; ( O \____
) \_____________ ` \ /
(__ +- .( -'.-

Google sponsored 6 college/grad students for Summer of Code 2009. They and their ongoing
projects are introduced here.
Nmap now builds with the _FORTIFY_SOURCE=2 define. With modern versions of GCC,
this adds extra buffer overflow protection and other security checks.
Nmap was discovered in its eighth movie. In the Russian film Khottabych, teenage hacker
Gena uses Nmap (and telnet) to hack Microsoft. In response, MS sends a pretty female
hacker to flush him out (more details and screen shots).
To better support users with attention deficit disorder, we created an Nmap Twitter feed. We
still recommend that all users subscribe to the low-traffic nmap-hackers announcement
mailing list.
Nmap won LinuxQuestions.Org Network Security Application of the Year for the sixth year
in a row.
These release notes mostly discuss new features, but we also made many performance
enhancements and fixed a large number of bugs which could lead to crashes, compilation
failures, or other misbehavior.
These are just highlights from the full list of changes you can find in our CHANGELOG.
Moving Forward
With this stable version out of the way, we are diving headfirst into the next development cycle.
Many exciting features are in the queue, including:
Ncrack, a high speed network authentication cracker
Nping, a raw packet network probing tool
High speed port scanning through http or socks proxies (or chains of proxies)
NSE scripts for web application fingerprinting, HTTP spidering, and whatever else
developers think up.
We're working a new survey to redo our top security tools list at SecTools.Org. We have
other web projects in mind as well.
You can read more of our short-term and longer-term plans from our public TODO list.
For the latest Insecure.Org and Nmap announcements, join the 68,000-member Nmap-hackers
announcement list. Traffic rarely exceeds one message per month. subscribe here or read the
archives at SecLists.Org. To participate in Nmap development, join the (high traffic) nmap-dev
list. You can also follow us on Twitter.
Acknowledgments
A free open source scanner as powerful as Nmap is only possible thanks to the help of hundreds
of developers and other contributors. We would like to acknowledge and thank the many people
who contributed ideas and/or code since Nmap 4.50. Special thanks go out to:
4N9e Gutek, Aaron Leininger, Adriano Monteiro Marques, Allison Randal, Andrew J.
Bennieston, Andy Lutomirski, Angico, Arturo Buanzo, Arturo Buanzo Busleiman, Benson
Kalahar, Bill Pollock, Brandon Enright, Brian Hatch, Busleiman, Chad Loder, Chris
Clements, Chris Gibson, Chris Leick,, Daniel Roethlisberger, David Fifield, David Moore,

Diman Todorov, Diman Todorov,, Dinu Gherman, Doug Hoyte, Dragos Ruiu, Dudi
Itzhakov, Eddie Bell, Emma Jane Hogbin, Fabio Pedretti, Felix Leder, Gisle Vanem, Gisle
Vanem,, Guilherme Polo, Guz Alexander, HD Moore, Henri Doreau, Henri Doreau,, Henry
Gebhardt, Ithilgore, Jabra, Jah, James Messer, Jason DePriest, Jeff Nathan, Jesse Burns,
Joao Correa, Joao Medeiros, Josh Marlow, Jurand Nogiec, Kris Katterjohn, Lamont
Jones, Lance Spitzner, Leslie Hawthorn, Lionel Cons, Marius Sturm, Martin Macok, Matt
Selsky, Max Schubert, Michael Pattrick, Michal Januszewski, Mike Frysinger, Mixter,
Nathan Bills, Patrick Donnelly, Philip Pickering, Pieter Bowman, Rainer Müller, Raven
Alder, Robert Mead, Rob Nicholls, Ron Bowes, Sebastián García, Simple Nomad, Solar
Designer, Stephan Fijneman, Steve Christensen, Sven Klemm, Tedi Heriyanto, Thomas
Buchanan, Thorsten Holz, Tillmann Werner, Tim Adam, Tom Duffy, Tom Sellers, Trevor
Bain, Tyler Reguly, Valerie Aurora, van Hauser, Venkat Sanaka, Vlad Alexa, Vladimir
Mitrovic, Vlatko Kosturjak, Will Cladek, William McVey, Zhao Lei
We would also like to thank the thousands of people who have submitted OS and service/version
fingerprints, as well as everyone who has found and reported bugs or suggested features.
Download and Updates
Nmap is available for download from http://nmap.org/download.html in source and binary form.
Nmap is free, open source software (license).
To learn about Nmap announcements as they happen, subscribe to nmap-hackers! It is a very low
volume (7 messages in 2008), moderated list for announcements about Nmap, Insecure.org, and
related projects. You can join the 65,000 current subscribers by submitting your e-mail address
here:
Subs c ribe
(or subscribe with custom options from the Nmap-hackers list info page.
Nmap-hackers is archived at Seclists.org and has an RSS feed. You can also follow the Nmap
Twitter feed.
Brandon Enright and UCSD have generously mirrored the Nmap binaries to handle the deluge of
traffic expected as users download this release.
Direct questions or comments to Fyodor (fyodor@insecure.org) . Report any bugs as described
here.