Nmap can often be installed or upgraded with a single command,
so don't let the length of this guide scare you. Most readers will
use the table of contents to skip
directly to the sections that concern them. This guide describes how to install
Nmap on many platforms, including both source
code compilation and binary installation methods. Graphical and
command-line versions of Nmap are described and contrasted.
Nmap removal instructions are also provided in case you change your
mind.
Testing Whether Nmap is Already Installed
The first step toward obtaining Nmap is to check whether you already
have it. Many free operating system distributions (including most
Linux and BSD systems) come with Nmap, although it may not be
installed by default. On Unix systems, open a terminal window and try executing the command
nmap --version. If
Nmap exists and is in your $PATH,
you should see output similar to Example 2.1, “Checking for Nmap and determining its version number”.
Example 2.1. Checking for Nmap and determining its version number
felix~>nmap --version
nmap version 4.60 ( http://nmap.org )
felix~>
If Nmap does not
exist on the system (or if your $PATH is incorrectly
set), an error message such as
nmap: Command not found is reported. As the
example above shows, Nmap responds to the command by printing its
version number (here 4.60).
Even if your system already has a copy of Nmap, you should
consider upgrading to the latest version available from http://nmap.org/download.html.
Newer versions often run faster, fix important bugs, and feature
updated operating system and service version detection databases. A
list of changes since the version already on your system can be found
at http://nmap.org/changelog.html.
Command-line and Graphical Interfaces
Nmap has traditionally been a command-line application run from
a Unix shell or (more recently) Windows command prompt. This allows
experts to quickly execute a command that does exactly what they want
without having to maneuver through a bunch of configuration panels and
scattered option fields. This also makes Nmap easier to script and
enables easy sharing of useful commands among the user
community.
One downside of the command-line approach is that it can be
intimidating for new and infrequent users.
Nmap offers more than a hundred
command-line options, although many are obscure features or debugging
controls that most users can ignore. Many graphical frontends have been
created for those users who prefer a GUI. Nmap has traditionally included a simple GUI for Unix named NmapFE, but that was replaced in 2007 by Zenmap, which we had been developing since 2005. Zenmap is far more powerful and effective than NmapFE, particularly in results viewing. Zenmap's tab-based interface lets you search and sort
results, and also browse them in several ways (host details, raw Nmap
output, and ports/hosts). It works on Microsoft Windows, Linux, Mac
OS X, and other platforms. Zenmap is covered in depth in Chapter 12, Zenmap GUI Users' Guide. The rest of this book focuses on command-line invocations of Nmap.
Once you understand how the
command-line options work and can interpret the output, using Zenmap or
the other available Nmap GUIs is easy. Nmap's options are all the same
whether you choose them from radio buttons and menus or type them at a
command-line.
Insecure.Org is the official source for downloading Nmap source
code and binaries for Nmap and Zenmap. Source code is distributed in
bzip2 and gzip compressed tar files, and binaries are available for
Windows and Linux (RPM format). Find all of this at http://nmap.org/download.html.
Verifying the Integrity of Nmap Downloads
It often pays to be paranoid about the
integrity of files downloaded from the Internet. Popular packages
such as Sendmail (example),
OpenSSH (example),
tcpdump, Libpcap, BitchX, Fragrouter, and many others have been
infected with malicious trojans. Software distribution sites at the
Free Software Foundation, Debian, and SourceForge have also been
successfully compromised. This has never happened to Nmap, but one
should always be careful. To verify the authenticity of an Nmap
release, consult the PGP detached signatures or cryptographic hashes
(including SHA1 and MD5) posted for each release to the Nmap sigs
directory at http://nmap.org/dist/sigs/?C=M&O=D.
The most secure verification mechanism is detached PGP
signatures. As the signing key is never stored on production servers,
even someone who successfully compromises the web server couldn't
forge and properly sign a trojan release. While numerous applications
are able to verify PGP signatures, I recommend the GNU Privacy Guard (GPG).
Nmap releases are signed with a special Nmap Project Signing
Key, which can be obtained from the major keyservers or http://nmap.org/data/nmap_gpgkeys.txt. My key is
included in that file too. The keys can be imported with the command
gpg --import nmap_gpgkeys.txt. You only need to do
this once, then you can verify all future Nmap releases from that
machine. Before trusting the
keys, verify that the fingerprints match the values shown in Example 2.2, “Verifying the Nmap and Fyodor PGP Key Fingerprints”.
Example 2.2. Verifying the Nmap and Fyodor PGP Key Fingerprints
flog~> gpg --fingerprint nmap fyodor
pub 1024D/33599B5F 2005-04-24
Key fingerprint = BB61 D057 C0D7 DCEF E730 996C 1AF6 EC50 3359 9B5F
uid Fyodor <fyodor@insecure.org>
sub 2048g/D3C2241C 2005-04-24
pub 1024D/6B9355D0 2005-04-24
Key fingerprint = 436D 66AB 9A79 8425 FDA0 E3F8 01AF 9F03 6B93 55D0
uid Nmap Project Signing Key (http://insecure.org/)
sub 2048g/A50A6A94 2005-04-24
For every Nmap package download file
(e.g. nmap-3.95.tar.bz2 and
nmap-3.95-win32.zip), there is a corresponding
file in the sigs directory with .gpg.txt appended
to the name (e.g. nmap-3.95.tar.bz2.gpg.txt).
This is the detached signature file.
With the proper PGP key in your keyring and the detached
signature file downloaded, verifying an Nmap release takes a single
GPG command, as shown in Example 2.3, “Verifying PGP Key Fingerprints (Successful)”. If the file has been
tampered with, the results will look like Example 2.4, “Detecting a bogus file”.
Example 2.3. Verifying PGP Key Fingerprints (Successful)
flog~> gpg --verify nmap-3.95.tar.bz2.gpg.txt nmap-3.95.tar.bz2
gpg: Signature made Thu 08 Dec 2005 12:26:23 AM PST
using DSA key ID 6B9355D0
gpg: Good signature from
"Nmap Project Signing Key (http://insecure.org/)"
Example 2.4. Detecting a bogus file
flog~> gpg --verify nmap-3.95.tar.bz2.gpg.txt nmap-3.95-hacked.tar.bz2
gpg: Signature made Thu 08 Dec 2005 12:26:23 AM PST
using DSA key ID 6B9355D0
gpg: BAD signature from
"Nmap Project Signing Key (http://insecure.org/)"
While PGP signatures are the recommended validation technique,
SHA1 and MD5 hashes (among others) are made available for more casual
validation. An attacker who can manipulate your Internet traffic in
real time (and is extremely skilled) or who compromises Insecure.Org
and replaces both the distribution file and digest file, could defeat
this test. However, it can be useful to check the authoritative
Insecure.Org hashes if you obtain Nmap from a third party or feel it
might have been accidentally corrupted. For every Nmap package download
file, there is a corresponding file in the sigs directory with
.digest.txt appended to the name
(e.g. nmap-3.95.tar.bz2.digest.txt). An example
is shown in Example 2.5, “A typical Nmap release digest file”. This is the detached
signature file. The hashes from the digest file can be verified using common tools such as
sha1sum, md5sum,
or gpg, as shown in Example 2.6, “Verifying Nmap hashes”.
Example 2.5. A typical Nmap release digest file
flog> cat nmap-4.53.tgz.digest.txt
nmap-4.53.tgz: MD5 = 0D 86 C1 C4 FA 55 E9 36 D0 B7 C8 05 1F 70 36 E9
nmap-4.53.tgz: SHA1 = 3516 D794 8AD8 F994 F2FD B52E 1C51 7C5F ED91 E06F
nmap-4.53.tgz: RMD160 = A5DA A78C 583E 7D2D 650E E1F5 0551 A4EC 54DF 55A6
nmap-4.53.tgz: SHA224 = 6B8B62D6 FA1B83DF D8AC2350 D2496906 A9069515 9B98FA93
31782297
nmap-4.53.tgz: SHA256 = 7D415EB8 E6CBD0F6 FBC2301E A65C6A6D 3580B810 85FAF0FE
42D00863 8BAC12FB
nmap-4.53.tgz: SHA384 = 9E2086D4 4AAE1FEA 7F347ACA C7A44363 10387CF3 F73BDB3B
492887D5 6F1923D8 154F8D90 6B9FBDEB 903CFEC0 F6D38020
nmap-4.53.tgz: SHA512 = 31235D3A F8C39057 91A61F7C 63E69D51 722B7540 EA457220
FF2391E7 93B98F0D DFEF9A8B F6C02725 CBE32E0F 35766C6C
554F759C C9D4C4BC F42227F4 6E7B2B3D
Example 2.6. Verifying Nmap hashes
flog> sha1sum nmap-4.53.tgz
3516d7948ad8f994f2fdb52e1c517c5fed91e06f nmap-4.53.tgz
flog> md5sum nmap-4.53.tgz
0d86c1c4fa55e936d0b7c8051f7036e9 nmap-4.53.tgz
flog> gpg --print-md sha1 nmap-4.53.tgz
nmap-4.53.tgz: 3516 D794 8AD8 F994 F2FD B52E 1C51 7C5F ED91 E06F
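The digest file in Example 2.5 stores each hash as upper-case hex in spaced groups, wrapped across lines, so it cannot be passed to sha1sum -c as it stands. The following added example (not part of the original guide or the Nmap project) normalizes one entry and compares it with the hash of the local file; the function names digest_value and verify_digest are hypothetical.

```shell
#!/bin/sh
# Added example: check a download against an Nmap-style .digest.txt file.

# digest_value DIGESTFILE ALGO: print the ALGO entry as lower-case hex with
# spacing and line wrapping removed (the form sha1sum and md5sum print).
digest_value() {
    awk -v algo="$2" '
        /: *[A-Z0-9]+ *= / {             # "name: ALGO = hex ..." starts an entry
            grab = 0
            split($0, kv, "=")
            n = split(kv[1], head, ":")
            name = head[n]; gsub(/ /, "", name)
            if (name == algo) { grab = 1; hex = kv[2] }
            next
        }
        grab { hex = hex $0 }            # wrapped continuation of the hash
        END { gsub(/[ \t\r]/, "", hex); print tolower(hex) }
    ' "$1"
}

# verify_digest FILE DIGESTFILE ALGO
# Returns 0 on match, 1 on mismatch, 2 if the check could not be performed.
verify_digest() {
    case $3 in
        MD5)    tool=md5sum ;;
        SHA1)   tool=sha1sum ;;
        SHA256) tool=sha256sum ;;
        SHA512) tool=sha512sum ;;
        *)      return 2 ;;              # algorithm not handled by this sketch
    esac
    [ -r "$1" ] && [ -r "$2" ] || return 2
    expected=$(digest_value "$2" "$3")
    [ -n "$expected" ] || return 2       # no entry for ALGO in the digest file
    actual=$("$tool" < "$1" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Stand-alone use: sh verify_digest.sh nmap-4.53.tgz nmap-4.53.tgz.digest.txt SHA256
if [ "$#" -eq 3 ]; then
    verify_digest "$1" "$2" "$3"
    exit $?
fi
```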
While releases from Insecure.Org are signed as described in this
section, certain Nmap add-ons, interfaces, and platform-specific
binaries are developed and distributed by other parties. They have
different mechanisms for establishing the authenticity of their
downloads.
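For the PGP check in Examples 2.3 and 2.4, a script should not rely on matching the words "Good signature", since any key in the keyring can produce them. The following added example (not part of the original guide or the Nmap project) reads GnuPG's machine-readable status output and accepts a release only when a valid signature was made by the Nmap Project Signing Key fingerprint from Example 2.2; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. The fingerprint below is the Nmap Project Signing Key value
# printed in Example 2.2, with the spaces removed.
NMAP_KEY_FPR=436D66AB9A798425FDA0E3F801AF9F036B9355D0

# Constructed sample of `gpg --status-fd 1 --verify` output for a good signature.
SAMPLE_STATUS='[GNUPG:] GOODSIG 01AF9F036B9355D0 Nmap Project Signing Key (http://insecure.org/)
[GNUPG:] VALIDSIG 436D66AB9A798425FDA0E3F801AF9F036B9355D0 2005-12-08 1134030383 0 3 0 17 2 00 436D66AB9A798425FDA0E3F801AF9F036B9355D0'

# status_signed_by FPR (hypothetical helper): reads status lines on stdin.
# Succeeds only if a VALIDSIG line names FPR as the signing key or as its
# primary key, and no BADSIG or ERRSIG line is present.
status_signed_by() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_release SIGFILE DATAFILE (hypothetical helper): run gpg on a detached
# signature and apply the fingerprint check to its status output.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_signed_by "$NMAP_KEY_FPR"
}

# Stand-alone use: sh verify_release.sh nmap-3.95.tar.bz2.gpg.txt nmap-3.95.tar.bz2
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "signature valid and made by $NMAP_KEY_FPR"
    else
        echo "REJECTED: no valid signature from $NMAP_KEY_FPR" >&2
        exit 1
    fi
fi
```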
Obtaining Nmap from the Subversion (SVN) Repository
In addition to regular stable and development releases, the
latest Nmap source code is always available using the Subversion (SVN) revision control
system. This brings new features and version/OS detection
database updates immediately upon development. The downside is that
SVN head revisions aren't always as stable as official releases. So
SVN is most useful for Nmap developers and users who need a fix which
hasn't yet been formally released.
SVN write access is strictly limited to a few top Nmap
developers, but everyone has read access to the repository. Check out
the latest code using the command svn co --username guest
--password "" svn://svn.insecure.org/nmap/. Then you can later
update your source code by typing svn up in your
working directory. The “guest” username is required due to a bug in SVN.
Once Nmap is checked out, you can build it from source code just as you would with the Nmap tarball (described later in this
guide).
If you would like real-time (or digested) notification and diffs by email when any
changes are made to Nmap, sign up for the nmap-svn mailing
list at http://cgi.insecure.org/mailman/listinfo/nmap-svn.