Home page logo

Nmap 5.00 Released

July 16, 2009 -- Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 5.00 from http://nmap.org/. This is the first stable release since 4.76 (last September), and the first major release since the 4.50 release in 2007. Dozens of development releases led up to this.

Considering all the changes, we consider this the most important Nmap release since 1997, and we recommend that all current users upgrade.

About Nmap

Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), and a utility for comparing scan results (Ndiff).

Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in eight movies, including The Matrix Reloaded, Die Hard 4, and The Bourne Ultimatum.

As free software, we don't have any sort of advertising budget. So please spread the word that Nmap 5.00 is now available!

Top 5 Improvements in Nmap 5

Before we go into the detailed changes, here are the top 5 improvements in Nmap 5:

  1. The new Ncat tool aims to be your Swiss Army Knife for data transfer, redirection, and debugging. We released a whole users' guide detailing security testing and network administration tasks made easy with Ncat.

  2. The addition of the Ndiff scan comparison tool completes Nmap's growth into a whole suite of applications which work together to serve network administrators and security practitioners. Ndiff makes it easy to automatically scan your network daily and report on any changes (systems coming up or going down or changes to the software services they are running). The other two tools now packaged with Nmap itself are Ncat and the much improved Zenmap GUI and results viewer.

  3. Nmap performance has improved dramatically. We spent last summer scanning much of the Internet and merging that data with internal enterprise scan logs to determine the most commonly open ports. This allows Nmap to scan fewer ports by default while finding more open ports. We also added a fixed-rate scan engine so you can bypass Nmap's congestion control algorithms and scan at exactly the rate (packets per second) you specify.

  4. We released Nmap Network Scanning, the official Nmap guide to network discovery and security scanning. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book suits all levels of security and networking professionals. A 42-page reference guide documents every Nmap feature and option, while the rest of the book demonstrates how to apply those features to quickly solve real-world tasks. More than half the book is available in the free online edition.
  5. The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. All existing scripts have been improved, and 32 new ones added. New scripts include a whole bunch of MSRPC/NetBIOS attacks, queries, and vulnerability probes; open proxy detection; whois and AS number lookup queries; brute force attack scripts against the SNMP and POP3 protocols; and many more. All NSE scripts and modules are described in the new NSE documentation portal.

News articles and reviews

Please mail Fyodor if you see (or write) reviews/articles on the Nmap 5.00 release. Here are the ones seen so far: Reasonably detailed (or with many comments) English articles:

Brief mentions: Wireshark.Org, Securiteam, Dark Reading, Linux Today, CGISecurity.Com, Security4All, Help Net Security, Red Gecko, Peter Van Eeckhoutte, Security Database, Owl Linux, Priveon Labs

Non-English articles:
Arabic: Linux AC, iSecur1ty.org
Czech: ABC Linuxu, Root.cz
Chinese: Solidot, Netsecurity.51cto.com
Dutch: Tweakers.net, Security.nl
French: Silicon.fr, LinuxFR.org
German: Golem.de, Heise online, Pro-Linux.de, PC Welt, Menzer.net, Secorvo Security News (PDF)
Russian: OpenNet.ru, Xakep.ru, Linux.org.ru
Spanish: Viva Linux, Barrapunto, menéame, Linux Maya, Iniqua, A por Linux, Portal Chileno de Seguridad Informatica
Others: Version 2 (Danish), hup.hu (Hungarian), BR-Linux.Org (Portuguese), IDG.se (Swedish)

Journalists (anyone writing about the Nmap release) are welcome to use any of the text or screen shots on this page.

Example run and screen shots

Nmap 5.00 provides a wealth of information about remote systems, as shown in this sample scan:

# nmap -A -T4 scanme.nmap.org

Starting Nmap 5.00 ( http://nmap.org ) at 2009-07-13 16:22 PDT
Interesting ports on scanme.nmap.org (
Not shown: 994 filtered ports
22/tcp    open   ssh     OpenSSH 4.3 (protocol 2.0)
|  ssh-hostkey: 1024 03:5f:d3:9d:95:74:8a:d0:8d:70:17:9a:bf:93:84:13 (DSA)
|_ 2048 fa:af:76:4c:b0:f4:4b:83:a4:6e:70:9f:a1:ec:51:0c (RSA)
53/tcp    open   domain  ISC BIND 9.3.4
70/tcp    closed gopher
80/tcp    open   http    Apache httpd 2.2.2 ((Fedora))
|_ html-title: Go ahead and ScanMe!
113/tcp   closed auth
31337/tcp closed Elite
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.20-1 (Fedora Core 5)

Interesting ports on
Not shown: 991 filtered ports
53/tcp    open  domain       Microsoft DNS 6.0.6001
88/tcp    open  kerberos-sec Microsoft Windows kerberos-sec
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds Microsoft Windows 2003 microsoft-ds
464/tcp   open  kpasswd5?
49158/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49175/tcp open  msrpc        Microsoft Windows RPC
Running: Microsoft Windows 2008|Vista

Host script results:
|  smb-os-discovery: Windows Server (R) 2008 Enterprise 6001 Service Pack 1
|  LAN Manager: Windows Server (R) 2008 Enterprise 6.0
|_ System time: 2009-07-13 16:17:07 UTC-7
|  nbstat: NetBIOS name: APPLELAB2K8, NetBIOS user: , NetBIOS MAC: 00:1a:a0:9a:a3:96
|  Name: APPLELAB2K8<00>      Flags: 
|_ Name: MSAPPLELAB<00>       Flags: 

TRACEROUTE (using port 135/tcp)
[Cut first 8 lines for brevity]
9   36.88  ge-10-0.hsa1.Seattle1.Level3.net (
10  36.61  unknown.Level3.net (
11  41.21

Nmap done: 2 IP addresses (2 hosts up) scanned in 120.26 seconds
# (Note: some output was modified to fit results on screen)

Here are some Nmap and Zenmap 5.00 screen shots (click thumbnails for full resolution):

Classic command-line Nmap

Zenmap's new network topology graphing mode

Zenmap showing all discovered HTTP services

Zenmap displaying Nmap output

Change details

The Nmap Changelog describes nearly 600 significant improvements since our last major release (4.50). Here are the highlights:

Nmap Scripting Engine (NSE)

The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. It existed in Nmap 4.50, but has been dramatically improved:

  • Every script has been improved, and the number of scripts has grown nearly 50% to 59.

  • Ron Bowes embarked on a massive MSRPC/NETBIOS project to allow Nmap to interrogate Windows machines much more completely. He added six NSE libraries (msrpc, msrpcperformance, msrpctypes, netbios, smb, and smbauth) and 14 scripts (p2p-conficker, smb-brute, smb-check-vulns, smb-enum-domains, smb-enum-processes, smb-enum-sessions, smb-enum-shares, smb-enum-users, smb-os-discovery, smb-pwdump, smb-security-mode, smb-server-stats, and smb-system-info). He also wrote a detailed paper on the new scripts.

  • Nmap was one of the first scanners to remotely detect the Conficker worm thanks to smb-check-vulns, and p2p-conficker.

  • Other new scripts include:
    asn-query—Maps IP addresses to autonomous system (AS) numbers.
    auth-spoof—Checks for an identd (auth) server which is spoofing its replies.
    banner—A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.
    dns-random-srcport—Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
    dns-random-txid—Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
    ftp-bounce—Checks to see if an FTP server allows port scanning using the FTP bounce method.
    http-iis-webdav-vuln—Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020.
    http-passwd—Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd using various traversal methods such as requesting ../../../../etc/passwd.
    imap-capabilities—Retrieves IMAP email server capabilities.
    mysql-info—Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.
    pop3-brute—Tries to log into a POP3 account by guessing usernames and passwords.
    pop3-capabilities—Retrieves POP3 email server capabilities.
    rpcinfo—Connects to portmapper and fetches a list of all registered programs.
    snmp-brute—Attempts to find an SNMP community string by brute force guessing.
    socks-open-proxy—Checks if an open socks proxy is running on the target.
    upnp-info—Attempts to extract system information from the UPnP service.
    whois—Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address Assignment which contains the Target IP Address.

  • The set of new libraries is equally impressive. Modules are all listed here (scroll down to "Modules").

  • Introduced the NSE Documentation Portal which documents every NSE script and library included with Nmap. It is generated from NSEDoc comments embedded in scripts. Scripts are available for download on this site as well. We also dramatically improved the NSE Guide.

  • NSE now supports run-time interaction so you know when it will complete, and the --host-timeout option so you can define when it completes. Support for -S (source IP address) and --ip-options has been added to the NSE and version detection subsystems.

  • Added Boolean Operators for --script. You may now use ("and", "or", or "not") combined with categories, filenames, and wildcarded filenames to match a set of files. A new default category includes the scripts which run by default when NSE is requested.

  • NSE can now be used in combination with ping scan (e.g. "-sP --script") so that you can execute host scripts without needing to perform a port scan.

Zenmap graphical front-end and results viewer

Zenmap is a cross-platform (Linux, Windows, Mac OS X, etc.) Nmap GUI and results viewer which supports all Nmap options. It aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database. While Zenmap already existed in Nmap 4.50, it has improved dramatically since then:

  • While Nmap stands for “Network Mapper”, it hasn't been able to actually draw you a map of the network—until now! The new Zenmap Network Topology feature provides an interactive, animated visualization of the hosts on a network and connections between them. The scan source is (initially) in the center, with other hosts on a series of concentric circles which represent the number of hops away they are from the source. Nodes are connected by lines representing discovered paths between them. Read the full details (and oogle the pretty pictures) in our article on Surfing the Network Topology. Topology views can be saved as a PNG, postscript, PDF, or SVG image.

  • The scan aggregation feature allows you to combine the results of many Nmap scans into one view. When one scan is finished, you may start another in the same window. Results of the new scan are seamlessly merged into one view.

  • Zenmap has been internationalized and translated by volunteers into four languages (French, German, Brazilian Portuguese, and Croatian). We have instructions on using an existing translation and we're always looking for volunteers to translate Zenmap into your native language.

  • Overhauled the default list of scan profiles to provide a much more diverse and useful set of default profile options. If users don't like any of these canned scan commands, they can easily create their own in the Profile Editor.

  • Added a context-sensitive help system to the Profile Editor. Mouse-over options to learn more about what they do and their argument syntax.

  • Added advanced search functionality to Zenmap so that you can locate previous scans using criteria such as which ports were open, keywords in the target names, OS detection results, etc. Try it out with Ctrl-F or "Tools->Search Scan Results".

  • The “Compare Results” feature now uses our new Ndiff scan comparison tool.

  • And more: An animated throbber has been added to indicate that a scan is running, and a new cancel button lets you stop a scan in its track. The Nmap output window now scrolls automatically, and ports are colored based on open/closed state.

  • David wrote an exceptional users' guide, which also became a chapter of Nmap Network Scanning.

Ncat data transfer, redirection, and debugging tool

  .       .       
   } 6 6 {        
  ==. Y ,==       
    /^^^\  .      
   /     \  )     
  (  )-(  )/     _
  -""---""---   / 
 /   Ncat    \_/  
(     ____        

Nmap 5 introduces Ncat, a general-purpose command-line tool for reading, writing, redirecting, and encrypting data across a network. It aims to be your network Swiss Army knife, handling a wide variety of security testing and administration tasks. Ncat is suitable for interactive use or as a network-connected back end for other tools. Ncat can:

  • Act as a simple TCP/UDP/SSL client for interacting with web servers, telnet servers, mail servers, and other TCP/IP network services. Often the best way to understand a service (for fixing problems, finding security flaws, or testing custom commands) is to interact with it using Ncat. This lets you you control every character sent and view the raw, unfiltered responses.

  • Act as a simple TCP/UDP/SSL server for offering services to clients, or simply to understand what existing clients are up to by capturing every byte they send.

  • Redirect or proxy TCP/UDP traffic to other ports or hosts. This can be done using simple redirection (everything sent to a port is automatically relayed somewhere else you specify in advance) or by acting as a SOCKS or HTTP proxy so clients specify their own destinations. In client mode, Ncat can connect to destinations through a chain of anonymous or authenticated proxies.

  • Run on all major operating systems. We distribute Linux, Windows, and Mac OS X binaries, and Ncat compiles on most other systems. A trusted tool must be available whenever you need it, no matter what computer you're using.

  • Encrypt communication with SSL, and transport it over IPv4 or IPv6.

  • Act as a network gateway for execution of system commands, with I/O redirected to the network. It was designed to work like the Unix utility cat, but for the network.

  • Act as a connection broker, allowing two (or far more) clients to connect to each other through a third (brokering) server. This enables multiple machines hidden behind NAT gateways to communicate with each other, and also enables the simple Ncat chat mode.

These capabilities become even more powerful and versatile when combined.

Ncat is our modern reinvention of the venerable Netcat (nc) tool released by Hobbit in 1996. While Ncat is similar to Netcat in spirit, they don't share any source code. Instead, Ncat makes use of Nmap's well optimized and tested networking libraries. Compatibility with the original Netcat and some well known variants is maintained where it doesn't conflict with Ncat's enhancements or cause usability problems. Ncat adds many capabilities not found in Hobbit's original nc, including SSL support, proxy connections, IPv6, and connection brokering. The original nc contained a simple port scanner, but we omitted that from Ncat because we have a preferred tool for that function.

Ncat is extensively documented in its Users' Guide, man page, and home page.

Host discovery and port scanning performance and features

Nmap has been doing host discovery and port scanning since its release in '97, but we continue to improve this core functionality. We've added many new features and dramatically improved performance! Here are the biggest enhancements since 4.50:

  • Nmap now scans the most common 1,000 ports by default in either protocol (UDP scan is still optional). These were determined by spending months scanning tens of millions of IPs on the Internet. This makes Nmap faster (used to scan 1,715 TCP ports by default) and yet more comprehensive since the smaller number of ports are better chosen.

  • Nmap fast scan (-F) now scans the top 100 ports by default in either protocol. This is a decrease from 1,276 (TCP) and 1,017 (UDP) in Nmap 4.68. Port scanning time with -F is generally an order of magnitude faster than before, making -F worthy of its "fast scan" moniker.

  • The --top-ports option lets you specify the number of ports you wish to scan in each protocol, and will pick the most popular ports for you based on the new frequency data. For both TCP and UDP, the top 10 ports gets you roughly half of the open ports. The top 1,000 (out of 65,536 possible) finds roughly 93% of the open TCP ports and more than 95% of the open UDP ports.

  • Added a new --min-rate option that allows specifying a minimum rate at which to send packets. This allows you to override Nmap's congestion control algorithms and request that Nmap try to keep at least the rate you specify. A complementary --max-rate option was added as well. They are documented here.

  • Added SCTP port scanning support to Nmap. Stream control transmission protocol is a layer 4 protocol used mostly for telephony related applications. This brings the following new features:

    • SCTP INIT chunk port scan (-sY): open ports return an INIT-ACK chunk, closed ones an ABORT chunk. This is the SCTP equivalent of a TCP SYN stealth scan.
    • SCTP COOKIE-ECHO chunk port scan (-sZ): open ports are silent, closed ports return an ABORT chunk.
    • SCTP-specific IP protocol scan (-sO -p sctp).
    • SCTP-specific traceroute support (--traceroute).
    • The server scanme.csnc.ch has been set up for your SCTP scan testing pleasure. But note that SCTP doesn't pass through most NAT devices.
  • David spent more than a month on algorithms to improve port scan performance while retaining or improving accuracy. The changes, described here, reduce our "benchmark scan time" (which involves many different scan types from many source networks to many targets) from 1879 seconds to 1321 without harming accuracy. That is a 30% time reduction! Fyodor made a number of performance improvements as well.

  • The host discovery (ping probe) defaults have been enhanced to include twice as many probes. The default is now "-PE -PS443 -PA80 -PP". In exhaustive testing of 90 different probes, this emerged as the best four-probe combination, finding 14% more Internet hosts than the previous default, "-PE -PA80". The default for non-root users is -PS80,443, replacing the previous default of -PS80. In addition, ping probes are now sent in order of effectiveness (-PE first) so that less effective probes may not have to be sent. ARP ping is still the default on local ethernet networks.

  • Fixed an integer overflow which prevented a target specification of "*.*.*.*" from working. Support for the CIDR /0 is now also available for those times you wish to scan the entire Internet.

  • When Nmap finds a probe during ping scan which elicits a response, it now saves that information for the port scan and later phases. It can then "ping" the host with that probe as necessary to collect timing information even if the host is not responding to the normal port scan packets. Previously, Nmap's port scan timing pings could only use information gathered during that port scan itself. A number of other "port scan ping" system improvements were made at the same time to improve performance against firewalled hosts (full details).

Fyodor's Nmap book

Fyodor released Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book suits all levels of security and networking professionals. A 42-page reference guide documents every Nmap feature and option, while the rest of the book demonstrates how to apply those features to quickly solve real-world tasks. It was briefly the #1 selling computer book on Amazon. More than half of the book is already free online.

A German translation is available from Open Source Press; Korean and Brazilian Portuguese translations are forthcoming.

Operating system detection

Thanks to fingerprint submissions from thousands of Nmap users around the world, the 2nd generation OS detection database has nearly doubled in size since 4.50 to 2,003 entries. These include the latest versions of Windows, Linux, and Mac OS X as well as more specialized entries such as oscilloscopes, ATM machines, employee timeclocks, DVRs, game consoles, and much more. Keep those submissions coming!

In addition to doubling the database size, we enhanced the OS detection engine and its tests to improve accuracy. For example, we added a new SEQ.CI test (IP ID sequence generation from closed TCP port) and removed the U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI tests.

Version detection

Nmap's version detection system interrogates open ports to determine what service (e.g. http, smtp) is running and often the exact application name and version number. The version detection database grew by nearly a thousand signatures. It grew from 4,558 signatures representing 449 protocols in Nmap 4.50 to 5,512 signatures for 511 protocols in 5.00. You can read about Doug's signature creation adventures here, here, and here. The service protocols with the most signatures are http (1,868), telnet (584), ftp (506), smtp (363), pop3 (209), http-proxy (136), ssh (123), imap (122), and irc (48). Among the protocols with just one signature are netrek, gopher-proxy, ncat-chat, and metasploit.

Ndiff scan comparison tool

The new Ndiff utility compares the results of two Nmap scans and describes the new/removed hosts, newly open/closed ports, changed operating systems, or application versions, etc. This makes it trivial to scan your networks on a regular basis and create a report (XML or text format) on all the changes. See the Ndiff man page and home page for more information. Ndiff is included in our binary packages and built by default, though you can prevent it from being built by specifying the --without-ndiff configure flag.

Here are excerpts from an Ndiff comparison between two scans for the Facebook network:

> ndiff -v facebook-vscan-1237136401.xml facebook-vscan-1237395601.xml
-Nmap 4.85BETA3 at 2009-03-15 10:00
+Nmap 4.85BETA4 at 2009-03-18 10:00

+arborvip.tfbnw.net (
+Host is up.
+Not shown: 100 filtered ports

 www2.02.07.facebook.com (
 Host is up.
 Not shown: 98 filtered ports
-80/tcp  open  http     Apache httpd 1.3.41.fb2
+80/tcp  open  http     Apache httpd 1.3.41.fb1
 443/tcp open  ssl/http Apache httpd 1.3.41.fb2

And here is a trivial cron script demonstrating how easy it is to scan a network daily and mail yourself the changes (and full results in this case):

date=`date "+%s"`
cd /hack/facebook/scripts/
nmap -T4 -F -sV -O --osscan-limit --osscanguess -oA facebook-${date} [netblocks] > /dev/null
ndiff facebook-old.xml facebook-${date}.xml > facebook-diff-${date}
cp facebook-${date}.xml facebook-old.xml
echo "\n********** NDIFF RESULTS **********\n"
cat facebook-vscan-diff-${date}
echo "\n********** SCAN RESULTS **********\n"
cat facebook-vscan-${date}.nmap

You could do a similar thing using Windows' scheduled tasks.

IronGeek has created an Ndiff 5 introductory video demonstrating command-line Ndiff plus its use within Zenmap.

Documentation and web site improvements

While Nmap Network Scanning may be the most exciting documentation news for this release, we did make many other important web site and documentation changes:

  • Added German and Russian translations of the Nmap Reference Guide (Man Page). You can choose from all 16 available languages from the Nmap docs page.

  • Nmap has moved. Everything at http://insecure.org/nmap/ can now be found at http://nmap.org . That should save your fingers from a little bit of typing.

  • A copy of the Nmap public svn repository (/nmap, plus its zenmap, nsock, nbase, and ncat externals) is now available at http://nmap.org/svn/. We update this regularly, but it may be slightly behind the SVN version. It is particularly useful when you need to link to files in the tree, since browsers generally don't handle svn:// repository links.

Portability enhancements

Nmap's dramatic improvements are of little value if it doesn't run on your system. Fortunately, portability has always been a high priority. Nmap 5.00 runs on all major operating systems, plus the Amiga. Portability improvements in this release include:

  • A Mac OS X Nmap/Zenmap installer is now available from the Nmap download page. It is rather straightforward, but detailed instructions are available anyway. As a universal installer, it works on both Intel and PPC Macs. It is distributed as a disk image file (.dmg) containing an mpkg package. The installed Nmap include OpenSSL support and also supports Authorization Services so that Zenmap can run as root when necessary.

  • Nmap's special WinPcap installer now handles 64-bit Windows machines by installing the proper 64-bit npf.sys.

  • The Nmap installer was updated to handle the Windows 7 release candidate.

  • The Windows version of Nmap (both .zip and executable installer) now supports OpenSSL, as do the Linux RPM binaries we distribute. The UNIX source tarball has supported OpenSSL for years.

  • We now compile in IPv6 support on Windows. In order to use this, you need to have IPv6 set up. It is installed by default on Vista, but must be manually installed for XP.

Even more improvements

  • The compile-time Nmap ASCII dragon is now more ferocious thanks to better teeth alignment:

      (  )   /\   _                 (     
        \ |  (  \ ( \.(               )                      _____
      \  \ \  `  `   ) \             (  ___                 / _   \
     (_`    \+   . x  ( .\            \/   \____-----------/ (o)   \_
    - .-               \+  ;          (  O                           \____
                              )        \_____________  `              \  /
    (__                +- .( -'.- <. - _  VVVVVVV VV V\                \/
    (_____            ._._: <_ - <- _  (--_AAAAAAA__A_/                |
      .    /./.+-  . .- /  +--  - .     \______________//_              \_______
      (__ ' /x  / x _/ (                                  \___'          \     /
     , x / ( '  . / .  /                                      |           \   /
        /  /  _/ /    +                                      /              \/
       '  (__/                                             /                  \
  • The new --stats-every option takes a time interval that controls how often timing status updates are printed. It is useful when Nmap is run by another program as a subprocess, or if you just like frequent timing updates.

  • Completion time estimates provided in verbose mode or when you hit a key during scanning are now more accurate.

  • The nmap-dev and nmap-hackers mailing list RSS feeds at SecLists.Org now include message excerpts to make it easier to identify interesting messages and speed the process of reading through the list. Feeds for all other mailing lists archived at SecLists.Org have been similarly augmented (details).

  • Fixed an integer overflow in the scan progress meter. As an Nmap user, few things are more discouraging than seeing your estimated completion time rise so high that it goes negative.

  • Nmap's output options (-oA, -oX, etc.) now support strftime()-like conversions in the filename. %H, %M, %S, %m, %d, %y, and %Y are all the same as in strftime(). %T is the same as %H%M%S, %R is the same as %H%M, and %D is the same as %m%d%y. So means that "-oX 'scan-%T-%D.xml'" uses an XML file in the form of "scan-144840-121307.xml".

  • Removed Brazilian poetry/lyrics from Zenmap source code (NmapOutputViewer.py). We've seen enough of it in the debug logs. "E nao se entrega, nao". We also removed a code comment which declared /*WANKER ALERT!*/ for no good reason.

  • Nmap and Nmap-WinPcap silent installation now works on Windows. Nmap can be silently installed with the /S option to the installer. If you install Nmap from the zip file, you can install just WinPcap silently with the /S option to that installer.

  • --traceroute is now faster and more effective because it uses the timing ping probe saved from host discovery and port scanning. The timing ping probe is always the best probe Nmap knows about for eliciting a response from a target.

  • We now have a public TODO list describing our future plans and tasks which need work.

  • Google sponsored 6 college/grad students for Summer of Code 2009. They and their ongoing projects are introduced here.

  • Nmap now builds with the _FORTIFY_SOURCE=2 define. With modern versions of GCC, this adds extra buffer overflow protection and other security checks.

  • Nmap was discovered in its eighth movie. In the Russian film Khottabych, teenage hacker Gena uses Nmap (and telnet) to hack Microsoft. In response, MS sends a pretty female hacker to flush him out (more details and screen shots).

  • To better support users with attention deficit disorder, we created an Nmap Twitter feed. We still recommend that all users subscribe to the low-traffic nmap-hackers announcement mailing list.

  • Nmap won LinuxQuestions.Org Network Security Application of the Year for the sixth year in a row.

  • These release notes mostly discuss new features, but we also made many performance enhancements and fixed a large number of bugs which could lead to crashes, compilation failures, or other misbehavior.

These are just highlights from the full list of changes you can find in our CHANGELOG.

Moving Forward

With this stable version out of the way, we are diving headfirst into the next development cycle. Many exciting features are in the queue, including:

  • Ncrack, a high speed network authentication cracker
  • Nping, a raw packet network probing tool
  • High speed port scanning through http or socks proxies (or chains of proxies)
  • NSE scripts for web application fingerprinting, HTTP spidering, and whatever else developers think up.
  • We're working a new survey to redo our top security tools list at SecTools.Org. We have other web projects in mind as well.

You can read more of our short-term and longer-term plans from our public TODO list.

For the latest Insecure.Org and Nmap announcements, join the 68,000-member Nmap-hackers announcement list. Traffic rarely exceeds one message per month. subscribe here or read the archives at SecLists.Org. To participate in Nmap development, join the (high traffic) nmap-dev list. You can also follow us on Twitter.


A free open source scanner as powerful as Nmap is only possible thanks to the help of hundreds of developers and other contributors. We would like to acknowledge and thank the many people who contributed ideas and/or code since Nmap 4.50. Special thanks go out to:

4N9e Gutek, Aaron Leininger, Adriano Monteiro Marques, Allison Randal, Andrew J. Bennieston, Andy Lutomirski, Angico, Arturo Buanzo, Arturo Buanzo Busleiman, Benson Kalahar, Bill Pollock, Brandon Enright, Brian Hatch, Busleiman, Chad Loder, Chris Clements, Chris Gibson, Chris Leick,, Daniel Roethlisberger, David Fifield, David Moore, Diman Todorov, Diman Todorov,, Dinu Gherman, Doug Hoyte, Dragos Ruiu, Dudi Itzhakov, Eddie Bell, Emma Jane Hogbin, Fabio Pedretti, Felix Leder, Gisle Vanem, Gisle Vanem,, Guilherme Polo, Guz Alexander, HD Moore, Henri Doreau, Henri Doreau,, Henry Gebhardt, Ithilgore, Jabra, Jah, James Messer, Jason DePriest, Jeff Nathan, Jesse Burns, Joao Correa, Joao Medeiros, Josh Marlow, Jurand Nogiec, Kris Katterjohn, Lamont Jones, Lance Spitzner, Leslie Hawthorn, Lionel Cons, Marius Sturm, Martin Macok, Matt Selsky, Max Schubert, Michael Pattrick, Michal Januszewski, Mike Frysinger, Mixter, Nathan Bills, Patrick Donnelly, Philip Pickering, Pieter Bowman, Rainer Müller, Raven Alder, Robert Mead, Rob Nicholls, Ron Bowes, Sebastián García, Simple Nomad, Solar Designer, Stephan Fijneman, Steve Christensen, Sven Klemm, Tedi Heriyanto, Thomas Buchanan, Thorsten Holz, Tillmann Werner, Tim Adam, Tom Duffy, Tom Sellers, Trevor Bain, Tyler Reguly, Valerie Aurora, van Hauser, Venkat Sanaka, Vlad Alexa, Vladimir Mitrovic, Vlatko Kosturjak, Will Cladek, William McVey, Zhao Lei

We would also like to thank the thousands of people who have submitted OS and service/version fingerprints, as well as everyone who has found and reported bugs or suggested features.

Download and Updates

Nmap is available for download from http://nmap.org/download.html in source and binary form. Nmap is free, open source software (license).

To learn about Nmap announcements as they happen, subscribe to nmap-hackers! It is a very low volume (7 messages in 2008), moderated list for announcements about Nmap, Insecure.org, and related projects. You can join the 65,000 current subscribers by submitting your e-mail address here:

(or subscribe with custom options from the Nmap-hackers list info page.

Nmap-hackers is archived at Seclists.org and has an RSS feed. You can also follow the Nmap Twitter feed.

Brandon Enright and UCSD have generously mirrored the Nmap binaries to handle the deluge of traffic expected as users download this release.

Direct questions or comments to Fyodor (fyodor@nmap.org) . Report any bugs as described here.

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]