TODO $Id: TODO 11866 2009-01-24 23:10:05Z fyodor $ -*-text-*- o Work on Nmap on Mobile devices, particularly Android. Would be great to get it in Google Play store, for example. An official version with a workable GUI. For now, people have to do manual work and it isn't as well tested either: https://secwiki.org/w/Nmap/Android . If this is successful, we could consider iOS. o Nmap performance work. Particularly with --min-rate. o Consider re-architecting Nmap to have more of a scanning pipeline approach rather than fixed sets of hosts which start and finish one phase and then move into the next in parallel. This could potentially allow us to add hosts one by one to a phase as other hosts finish that phase and, ideally, the phases could run in parallel too. o Nmap Network Scanning, 2nd Edition work [placeholder] o Organize nselib into a hierarchy. A library "dirname/filename.lua" can be required as "dirname.filename". We would need to ensure the installers (Makefile, OS X, Windows, RPM) can handle this. See http://seclists.org/nmap-dev/2014/q3/364 o We should work to reduce Zenmap's memory consumption. We used to commonly get error reports from people who load so many systems that Zenmap gives an out of memory error and crashes. For example, see this thread: http://seclists.org/nmap-dev/2014/q2/46 After committing patch at http://seclists.org/nmap-dev/2014/q2/429, we no longer get the error report but the problem still exists. The problem seems to lie in a very large Nmap Output being stored in memory and a possible fix seems to be to use a file based paging system. o Consider making a version of Nmap for Apple's official Mac App Store. A particular concern with the downloadable Mac version of Nmap is that Apple's new "Mountain Lion" release may require users to jump through hoops to install unsigned non-app-store content per their "Gatekeeper" "feature". Though maybe signing the app will be enough. There may also be an issue with the "Sandboxing" requirement for App Store apps starting June 2012. Will Nmap be able to request all the permissions it needs? Ignoring the technical challenges for the moment, what will users prefer? o Do a roll up on (state, TTL) pair instead of just state so that TTL info is not lost when doing roll up on port states. See thread at http://seclists.org/nmap-dev/2014/q3/93 o Consider looking into differring TTL values during OS detection phase and choose a port that is (hopefully) not firewalled to get a better chance at correct result. See thread at http://seclists.org/nmap-dev/2014/q3/33 o [Zenmap] Look into and refactor code which uses the (very slow) += operation on strings. http://seclists.org/nmap-dev/2014/q2/432 helped improve speeds for opening files (from hours to seconds) and it seems like more speedups can be done in other places. o Look into moving our Mac building/testing system into a virtual machine or leased server sort of environment so that multiple Nmap developers can access it and nobody has to keep a stack of Mac Minis in their closet. o INFRASTRUCTURE: Upgrade seclists to use Mailman 3, which apparently has many improvements. o We should fix nsedoc generation so it doesn't fail when blocks like @usage, @output, etc. are followed by a local declaration. See http://seclists.org/nmap-dev/2014/q2/331. If for some reason this just can't be fixed, we will have to document the heck out of it, I suppose. o When scanning your own IP from Windows, Nmap currently recognizes the problem (can't do a raw scan like that on Windows) and skips the SYN scan, leading to Nmap printing a bunch of ports in "unknown" state at the end. Nmap should probably act like unprivileged mode in this case (e.g. do a connect scan, etc.). See http://seclists.org/nmap-dev/2013/q3/519 o Investigate Checkmarx static analysis report of Nmap source tree that someone sent us on Feb 12. It looks like mostly false positives, but we should go through to check for any real bugs or even possible security issues. Fyodor has the report. o INFRASTRUCTURE: Consider updating our svn-mailer.py (and conf file) to the latest official version. First check whether there is a later official version and whether it has material changes. We're currently using one from subversion-1.4.2/tools/hook-scripts/mailer/mailer.py. o Consider a two-stage model for IPv6 subnet/pattern support o Right now you can try to scan a /64, for example, and Nmap will try to iterate through them all (and of course never complete). So perhaps Nmap should first look at a specification and decide if it should use other techniques like multicast discovery instead. o Move advanced IPv6 host discovery features from NSE into core Nmap. We'll probably add the functionality of targets-ipv6-multicast-invalid-dst, targets-ipv6-multicast-echo, and maybe targets-ipv6-multicast-slaac. - The idea is that Nmap does them automatically if it gets a large target specification and sees that it is local so can be multicast pinged. o We should figure out why (at least with Nping) raw ethernet frame sends seem to be taking significantly longer than raw socket sends (e.g. using --send-ip or the OS-provided ping utility). This has been reproduced on Linux and Windows. Here's a thread: http://seclists.org/nmap-dev/2012/q4/424 o Note that David and I tried to reproduce this on his machine and on 'web' and 'research' machines and could not reproduce. Still happens with Fyodor's machine connected with WiFi. Fyodor should test on the same machine using wired and see if that changes anything. o Implement some improvements to dns-ip6-arpa.nse, as describe at http://seclists.org/nmap-dev/2012/q2/45. - Also consider a move to "fire and forget" logic. Just blast out the queries that we know we have to make, and then read any replies that may happen to come back. (but still try not to introduce inaccuracy (missed hosts) by flooding the network. o Treat the input to the escape function in xml.cc as UTF-8, not just ASCII. Good UTF-8 should survive into the output; i.e., "\xe2\x98\xbb" should become "\xe2\x98\xbb" in the output, not "☻". If the input happens not to be UTF-8, (like the file name in http://seclists.org/nmap-dev/2013/q1/180), I suppose we can individually encode each byte of each invalid sequence: "\xba\xda\xbf" becomes "ºÚ¿". Can probably do this with simple byte->rune and rune->byte functions as in http://plan9.bell-labs.com/sys/doc/utf.html. o We should probably redo the Nmap header (e.g. on https://nmap.org) to make it more attractive. Or, at a minimum we should update the screenshots and think about which links we really need (some of those pages aren't really updated any more). o Test a hierarchical classifier for IPv6 OS detection. Our classifier currently treats, for example, some localhost Linux fingerprints as separate classes from remote Linux fingerprints, simply because we lose precision if we lump them together (for example TCP window size differs across certain Linux versions when measured remotely, but not on localhost). This leads to the linear classifier having to use narrow margins between fingerprints that are really very similar. I want to try a tree of classification where each non-leaf node is a separately trained classifier and each leaf node is a final classification. The first layer of the hierarchy would be something like (linux windows solaris aix ... other) where "linux" would contain *all* the Linux fingerprints in a single class. Lower levels would be like (linux-2.4 linux-2.6) (windows-xp windows-vista windows-7) Lower levels will include only those fingerprints in their parent class, so we don't even think about Windows when classifying Linux. Probably three or four levels will be sufficient. There may be a principled or automatic way to build this hierarchy, but I suspect playing it by ear will be sufficient. Talk to David for more of his thinking on this topic. o Maybe we should rename dns-brute to dns-brute-enum since it is so different from our traditional brute force authentication cracking -brute scripts? o NSE WORK (note that this is mostly infrastructure because script ideas are generally put on the script ideas page instead: https://secwiki.org/w/Nmap_Script_Ideas) o Review NSE-based port scanning and RST idle scan. http://seclists.org/nmap-dev/2011/q2/307. [Henri and Hani?] o Maybe we should add an analysis or reporting or intelligence (or different name) for our NSE scripts which don't send any packets, but simply analyze Nmap's existing data and report when useful. o Install some sort of svnview webapp for svn.nmap.org which is wrapped in Insecure chrome, allows people to click link for direct file download, probably shows revision history and allows users to see older versions, etc. o Process Nmap survey and send out results [Fyodor] o Nping (we think) will stop after 2^32 rounds even when "-c 0" is given. We should probably make this a 64-bit integrer so that "-c 0" will go essentially forever and so that users can give values higher than 4 billion. o Nscan work [placeholder] - Hosted Nmap system o Add CPE entries to OS fingerpting DB entries which still lack them. This is a gradual process since almost all of the missing ones aren't in the official CPE dictionary either and it can take a lot of research to decide on an appropriate entry. Milestones so far: - 3/21/12: We have entries for 2,601 of 3,572 fingerprints (971 missing; 73% coverage) - 11/5/12: We have entries for 3,285 of 3,907 fingerpritns (622 missing; 84% coverage) - 11/12/12: We have entries for 3,558 of 3,946 fingerprints (388 missing; 90% coverage). o [Zenmap] should actually parse and use script results. See http://seclists.org/nmap-dev/2010/q1/1108 - We have an initial prototype, but probably need to redo because it doesn't present the results in the way we'd like yet due to problems implementing such a presentation with GTK, etc. o Make Zenmap settings get upgraded when the Zenmap executable is upgraded. The per-user configuration files such as scan_profile.usp and zenmap.conf are never overwritten once installed by Zenmap, so changes and fixes to those files don't reach anyone who has installed Zenmap already. This is most noticeable with changes to profiles and highlight definitions are notably affected. This fix may involve hard-coding settings that are not normally configured by users (like highlighting) or updating the per-user files at startup (only those parts that haven't been changed by the user). o We should offer partial results when a host timeouts. I (Fyodor) have been against this in the past, but maybe the value is sufficient to be worth the maintenance headaches. Many users have asked for this. If we do implement this, we may want to only print results for the COMPLETED phases (e.g. host discovery, port scanning, version detection, traceroute, NSE, etc.) Trying to print partial results of a port scan or NSE or the like might be a pain. And if we print some results for a host which timeouts, we should give a very clear warning that the results for that host are incomplete. As an example, here is someone who hacked Nmap source code to achieve this: http://seclists.org/pen-test/2010/Mar/108. o Another benefit would be that it would allow us to clean up/regularize the host output code. Right now there are I think three places where a host's final output can be printed. If, instead, that code just looked at what information was available and printed that out only, we could potentially isolate it in just one place. o This also might let us provide a feature for skipping the rest of an Nmap phase which is going too slowly (I think that has its own Nmap TODO item). o [Nsock] Some SSL connections that used to work now fail; find out why. http://seclists.org/nmap-dev/2010/q4/788. Narrowed down to r19801 in http://seclists.org/nmap-dev/2011/q1/12. o [NSE] Consider a system where scripts can tell if any other scripts depend on them. They could then use that to determine whether they should bother storing information in the registry. For example, snmp-interfaces could store the discovered table if another script (such as a mac address geolocator script) depends on it. o [NSE] Consider whether we need script.db for performance reasons at all or should just read through all the scripts and parse on the fly. See: [http://seclists.org/nmap-dev/2009/q2/0221.html] o A couple minor nsedoc issues (see http://seclists.org/nmap-dev/2011/q1/1095): o After the ssh-hostkey portrule was added, nsedoc seems to be generating a blank "Script types" filed for the script: http://localhost:8082/nsedoc/scripts/ssh-hostkey.html o This is happening because "portrule" and "hostrule" appear later in the script, and NSEDoc thinks it is their definition, and there is no NSEDoc there. local ActionsTable = { -- portrule: retrieve ssh hostkey portrule = portaction, -- postrule: look for duplicate hosts (same hostkey) postrule = postaction } o ssh-hostkey and rmi-dumpregistry each have two @output sections, and NSEDoc is only showing the second one. We should probably just combine them into one @output section, and maybe make nsedoc give a warning in this case. Or we could make nsedoc handle multiple @outputs. o Add general regression unit testing system to Nmap o David has created a system for Ncat which could serve as a model. o Make version detection and NSE timing system more dynamic so that the concurrency can change based on network conditions/ability. After all, beefy systems on fast connections should be able to handle far more parallel connections than slower systems. o At a minimum, this at least warrants more benchmark testing. o We should run at least one SCTP service on scanme. Daniel Roethlisberger has made available dummy services which support IPv4 and IPv6 (see http://seclists.org/nmap-dev/2011/q2/450). Alternatively, we could run some sort of "real" SCTP application(s) (preferably one which is relatively simple, easy to install, secure, and supports IPv6). o Create new default username list: http://seclists.org/nmap-dev/2010/q1/798 o Could be a SoC Ncrack task, though should prove useful for Nmap too o We probably want to support several lists. Like an admin/default list like "root", "admin", "administrator", "web", "user", "test", and also a general list which we obtain from spidering from emails, etc. o Improve Nsock proxies system - Add SSL support - Add proxy authentication - Switch Ncat to using Nsock proxy system rather than it's own built-in support. - Move the code which is shared with ncat to nbase (URL parsing code, for instance). - Add socks4a/socks5 support. This requires to figure out how to enter the nsock proxy code w/o having the target IP address. No huge technical blocker there though, only design choices to make. - Nping could potentially use it as well (could be useful for measuring latency and reliability of a given proxy chain, for example). - Add proxy support to connect() scan. This would mean moving connect scan to nsock. o [NCAT] Send one line at a time when --delay is in effect. This is cumbersome to do until Nsock supports buffered reading. o [NCAT] Make the HTTP proxy support the chunked transfer encoding, then change it to be HTTP/1.1 and support pipelining. o [NCAT] Drop privileges once it has started up, bound the ports it needs to, etc. o [NCAT] Work as a SOCKS4a/SOCKSv5 proxy. o [NCAT] Resolve names through the proxy when possible. http://seclists.org/nmap-dev/2012/q2/768 o [NSE] Script writing contest (something to think about) o We should document an official way to compile/test refguide.xml so people can more easily test their changes to it. This will probably involve moving legal-notices.xml into /nmap/docs, among other things. o Note that nping has its own /nmap/nping/docs/genmanpage.sh - we could look at how that could apply to Nmap. o Move Zenmap man page from nmap/docs/ to nmap/zenmap/docs to match the man page location for ncat and ndiff. o Don't break packaging/build system o Don't break the system for posting html to web site. o Consider standardizing names for nping and ncrack man pages as well. [Fyodor] o [NSE] MSRPC - Improve domain support all around -- in particular, let the user give the domain in the format DOMAIN\username or username@DOMAIN anywhere that usernames are accepted. Suggested at http://seclists.org/nmap-dev/2010/q2/389 o [NSE] Combine similar MSRPC scripts, especially the "get info" stuff. See this thread on combining (http://seclists.org/nmap-dev/2010/q1/1023). This was suggested by Ron at http://seclists.org/nmap-dev/2010/q2/389. o [Zenmap] Investigate getting new OS icon art. See http://seclists.org/nmap-dev/2010/q1/1090 o We should probably enhance scan stats--maybe we can add a full-scan completion time estimate? Some ideas here: http://seclists.org/nmap-dev/2010/q1/1007 o [NSE] Do some benchmarking of our brute.nse. We should check the performance with different levels of thread parallelism. Our initial results show that it isn't helping much for vnc-brute or for drda-brute (which is currently using the multi-thread feature directly rather than through brute.nse library). We should figure out why the threads aren't helping more, and whether there is something we can do to fix it. It would also be interesting to compare speed with Ncrack for services we have in common. o Start project to make Nmap a Featured Article on Wikipedia. - See http://seclists.org/nmap-dev/2010/q1/614 o Add Nmap web board/forum - First step is looking at the available software for this. - Nmap subreddit exists: https://www.reddit.com/r/nmap o [Zenmap] Consider a couple ideas from Norris Carden (http://seclists.org/nmap-dev/2010/q2/228): - remember last save and/or open location for new saves and/or opens - default save location option o [Nsock] Consider adding server support to Nsock so it can accept multiple connections and multiplex the SD's, like it does for clients. This could potentially be used by Ncat and Nping echo mode. Currently Ncat server doesn't use Nsock at all, while Nping echo mode basically polls, repeating a loop of 1s in nsock_loop followed by a nonblocking accept(). Then Nping gives the SD's to Nsock to manage. o Consider implementing both global and per-host congestion control in the IPv6 OS detection engine. Currently it handles congestion globally (one CWND and SSTHRESH shared by all hosts). This works fine but it may not be the most efficient approach: if the congestion is not in our network segment but in a target's and we are os-scanning hosts in different networks, then all hosts get "penalized" because there is congestion in another network, not in theirs. o [Nsock] Consider implementing a nsock_pcap_close() function or making nsp_delete() call pcap_close() when pcap IODs are used. Currently valgrind warns about a socket descriptor left opened (at least in Nping). ==10526== at 0x62F77A7: socket (syscall-template.S:82) ==10526== by 0x4E348A5: ??? (in /usr/lib/libpcap.so.1.0.0) ==10526== by 0x4E36819: pcap_activate (in /usr/lib/libpcap.so.1.0.0) ==10526== by 0x4E375FC: pcap_open_live (in /usr/lib/libpcap.so.1.0.0) ==10526== by 0x4311A9: nsock_pcap_open (nsock_pcap.c:64) ==10526== by 0x428078: ProbeMode::start() (ProbeMode.cc:329) o Consider rethinking Nmap's -s* syntax for specifing scan types o Current problems with this -s syntax: o We already use like 20 of the 26 letters, so we end up with things like SCTP scan using -sY o Can make Nmap command lines hard to read, particularly given that we often need to improvise to find a letter which isn't taken. o Problematic for scan types -sI and -b which require arguments o Inconsistencies. For example, -sC and -sV do script scan and version detection, respectively, and yet for OS detection we use -O. Also, control flow (-sP, -sL) is used with -s, which further overloads the options. o Possible solution: o We are enabling -Pn and -sn as preferred notations for -PN and -sP which mean "no ping" and "no port scan". Those match the already existing -n for "no DNS". The problem with -sP is that it implies "ping only", when what it really should mean is "disable port scan" because you may want to do NSE, OS detection, traceroute, etc. still. o We might want to just give them normal option strings, so you could do --maimon instead of -sM, for example. For extremely common options such as SYN scan, UDP scan, version detection, we could perhaps find good single letter options as an alias to the longer one. o Another idea is to use something like --scantype syn,udp,sctp, which is a lot longer for single-type scans, but shorter when you're combining mulitiple ones. Doesn't allow for individual scan arguments easily. I (Fyodor) think I prefer the idea above of just givem them top level arguments. o If we keep -s*, we could just give it one defined function, such as selecting port scan type, or control flow. o Obviously this will take some discussion/brainstorming on nmap-dev. o Do -p- Internet UDP scans. o Scanning through proxies o Nmap should be able to scan through proxy servers, particularly now that we have an NSE script for detectiong open proxies and now that Ncat can act as proxy client or server. o Requirements: o Would be nice to be able to chain through multiple proxy servers of different types. o Would be nice to be able to spread the load amongst multiple proxies. o Should support port scanning, version detection, and NSE. In other words, nsock should support proxies. o Support IPv4 and v6 o Need to figure out how to get good performance. Pool of connections to proxy or proxies for concurrency? HTTP pipelining? o Support the different varieties of proxies: socks4, socks4a, socks5, HTTP GET (if possible), HTTP CONNECT. Note that GET proxies present some challenges since the error messages may not be standard, etc. o Maybe auto-detect the proxy type so that Nmap can try the most efficient scanning method first? o I've been asked to support basic, ntlm, and digest authentication if possible. o Implementation ideas: o There is a patch by Zoltan Panczel (http://nmap-dev.fw.hu) and it has been improved by Jacob Appelbaum in nmap-exp/ioerror/ . This patch doesn't handle things like parallelization, but it may be a good proof of concept. o This might not be appropriate for ultra_scan ... perhaps would be better to write a general scanning engine for abusing applications for port scanning purposes. This could handle scanning through proxies and the existing FTP bounce scan would also be ported to this engine (or, frankly, we could probably get away with removing FTP bounce). rembrandt at jpberlin.de tells me that you can also do this with the "forwarding" commands on IMAP servers. Whoever does this should probably start by reading the code for the main port scanning engine (ultra_scan()) and also the version detection code (service_scan()). And the version detection paper at https://nmap.org/book/vscan.html. If you understand all that, you may be ready for this project :). This is important, because it is easy to do poorly. The tough part is high performance and clean code which is general enough that all these different applications can be scanned through using the same basic engine. You should run your ideas by nmap-dev in as much detail as possible before starting. o David: I'm starting to think about building proxy support into Nsock and then implementing -sT with Nsock instead of ultra_scan. o [Web] Consider adding training/introduction videos to the Nmap site o Would be great to have a (5 minute or less) promotional video introduction to each tool (Nmap, Zenmap, Ncat, Ndiff) on its web page. o They need to be good to be useful--the sort of the quality you see in Laura Chappell's Wireshark videos or James Messer's Nmap videos or Irongeek's videos (http://www.irongeek.com). o Besides the promotional videos, users would probably enjoy more in-depth video instructions (e.g. covering the Nmap Network Scanning topics). o Here's an example product page with lots of videos (we may not go that far): http://www.splunk.com/product o The Zenmap translation system (https://nmap.org/book/zenmap-lang.html) has been pretty successful so far. We should consider doing the same for Nmap. After all, we already have the reference guide in 16 languages at https://nmap.org/docs.html. We should definitely try to use the same translation methods for Zenmap as we do for Nmap. In fact, maybe we can create a combined PO file Nmap, Zenmap, Ncat, and Ndiff so that they can all be translated and maintained together. Something to consider: calling setlocale can change the behavior of functions like isalpha. Locale-dependent functions need to be checked for security risks. o [NSE] Consider whether we should include some sort of NSE debugger. Or we could include something simpler. For example, Nmap now provides a traceback (with sufficient debugging/verbosity) when a script ends in error. For some inspiration/ideas, look at Diman's NSE debugger (http://seclists.org/nmap-dev/2008/q1/0228.html). o [NSE] Support routing http requests through proxies. o [NSE] Would be great if NSE scripts could be made to NOT run as root if they don't have to. o [NSE] Security Review o Consider what, if any, vulnerabilities or security risks NSE has with respect to buffer overflows, format string bugs, any other maliciously formatted responses from target systems, etc. Maybe address the known risk of malicious scripts too. o Consider that NSE runs scripts as root o More security auditing of Nmap code (it never hurts to do more proactive security auditing). o Figure out and document (in at least the Ncat user's guide) the best way to use Ncat for chaining through proxies. One option is this sort of thing: ncat -l localhost 1234 --sh-exec "ncat --proxy A.A.A.A B.B.B.B" ncat --proxy localhost:1234 C.C.C.C If you had two proxies A.A.A.A and B.B.B.B, connecting to C.C.C.C. With another listener/--sh-exec pair for each additional proxy. But perhaps we can make it easier by adding it to the syntax. o Look into whether we should loosen/change the global congestion control system to address possible cases of one target host with many dropped packets slowing down the whole group. See http://seclists.org/nmap-dev/2008/q1/0096.html . * Related possibility: Fix --nogcc to gracefully handle ping scans. Right now it seems to go WAY TOO FAST (e.g. several thousand packets per second on my DSL line). * [12/22/09] David says: It still is in one case that I've documented on my wiki. I had an idea to fix it, but on testing it it didn't work. The idea was to treat the global congestion limit differently. Instead of dropping it down to the minimum level on a drop as is done currently, I thought about only dropping it by the amount that the individual host limit drops. For example, if a host had a drop and its limit fell from 25 to 1, then the global limit would change (if it was at 100 to begin with) to 76, not all the way down to 2 or whatever it is. The idea being that the global limit is most important at the beginning of a scan, when there's no information to set host limits, and every host wants to send all its first probes at once. See http://www.bamsoftware.com/wiki/Nmap/PerformanceNotesArchive2#global-cc. I am convinced, though, that some sort of global control is necessary. There's a reason that a web browser limits the number of connections it will make, and doesn't try to download every image file at once and count on the fairness of TCP to sort it out. o libnmap organization for UNIX and Windows o Then change Nmap and Zenmap to simply call this library o It is interesting to look at: http://www.gnupg.org/gpgme.html o Deal with UDP retransmission for version detection (I think I should just do a second run of all probes for UDP if it fails to match anything). The advantage there is that no retransmissions are neccessary if the service is found. Then again, per-probe retransmission would let us redo the most likely probes (the one(s) that match the port number) quickly. Lost packets should probably affect ideal_parallelism. o Make RPM relocatable (requires somehow avoiding storing paths in the binary) - That may be easier now that David has made some big improvements in detecting where the binary is cross-platform and then looking for data files based on that location. o Nmaprc-related - Create a system to store Nmap defaults/preferences in an nmaprc file. o nmaprc should be in ~/.nmap on UNIX o On Windows, we may need a registry key to find the .nmaprc o Perhaps Lua could be used as the format? o .nmaprc for keeping defaults, etc. o Nmaprc infrastructure, hook to new timing variables o Nmaprc man page o Default timing mode o Default NSE arguments, such as user agent o Maybe Default source IP (-S) argument o should be a way to specify your own .nmaprc o Maybe lets you add a directory and template for saving all scans. o Maybe let you define "scan profiles" like is done with Zenmap. There would then be a command-line option to select the profile used. o Get new Zenmap logo o consider putting back on top-right of command constructor wizard (there used to be umit logo there). o Maybe that can be done after the release by soliciting ideas. o Create or collect some great ./configure ascii art. o Look at all the pcap functions, there are some like pcap_findalldevs() which could be quite useful. There are mails to the Nmap list relating to suggested improvements -- http://seclists.org/lists/nmap-dev/2004/Apr-Jun/0024.html . Actually I do indirectly use that for Windows. I wonder if they work for UNIX? o perhaps each 'match' line in nmap-service-probes should have a maximum lines, bytes, and/or time by which a response should be available. Once that much time (or many bytes or lines) have passed, that match can be considered 'failed' and ignored in subsequent runs. Once all matches are considered failed, that probe is done. This could be a useful optimization and is arguably better than the less granular 'totalwaitms'. Or I could just have a simple function that looks at whether a given regex could possibly match something starting with the received data (not too hard since almost all of the current regexes are anchored). But before doing this, I should look long and hard at how many of the probes have every match capable of doing this. In particular, many of the softmatch lines don't offer many chars anchored at the front. o Separate nbase into its own Windows library in the same way as Andy did with iphlpapi . o Nmap / Nmap-hackers FAQ o random tip database