Today is an exciting day for the security community... a very exciting day. Today we see the release of Nmap 5.0. Nmap has come a long way since I first used it, and it's growing more powerful each and every day. With such powerful add-ons as NSE, Ncat, Ndiff and Zenmap, Nmap is a must-have for your toolbox.
With today's post I wanted to make sure that everyone saw that Nmap 5.0 has been released, and I wanted to share a few tips. Before that though, I want to say congratulations to Fyodor. I've had the opportunity to talk to him on a few occasions... while helping out with some of the technical editing on Nmap Network Scanning and over drinks at BH/DC last year. Not only is he brilliant and the obvious reason for the success of Nmap, but he's a great guy to share a beer with. So congrats Fyodor, today's an exciting day.
When you think about it, Nmap has always been a real "game-changing" piece of software. It was one of the first tools I can think of that the security industry really standardized on. Everyone who was port scanning anything was doing it with Nmap. Not much has changed really... sure, there are other port scanners, but when you talk to others, Nmap is still the most frequently used. Nmap 5.0 may be another game-changing release, where Nmap goes from port scanner to toolkit... a necessary piece of software for anyone in security.
Now on to some of the cool things!
Something that came up during the discussion for this release was the mention that Nmap is no longer just a port scanner. Those days are definitely long gone; the features and extras are numerous and extremely helpful. That being said, there are still times when a basic port scanner with minimal dependencies is what you really need. I mentioned that I'd spoken to some people who had run into this issue, and the response was to use "--without-ndiff --without-zenmap --without-liblua --without-ncat --without-openssl" during your configure stage. The difference is astounding (8.5M vs 4.3M on my Ubuntu system) and you're left with only the nmap binary and some files for fingerprinting and service detection.
Another nmap favourite of mine is actually a modification I made to a command posted to the nmap mailing list. I'd previously posted about this, but I think it's worth bringing up again.
You create a shell script with the following:
#!/bin/sh
# Usage: <this script> <target spec, e.g. a CIDR range>
# -sL only lists targets and looks up reverse DNS; nothing is sent to the hosts.
nmap -sL "$1" 2>/dev/null |
perl -ne 'print unless /^Host [\d.]+ /' |   # drop hosts that have no PTR record
grep 'not scanned' |                          # keep only the per-host lines
cut -d ' ' -f 2,3 |                           # leaves "name (ip)"
sed -e 's/\(.*\) (\(.*\))/\2 resolves to \1/'
and end up with output that looks like this:
198.133.219.9 resolves to test-garbage.cisco.com
198.133.219.10 resolves to fed.cisco.com
198.133.219.11 resolves to asp-web-sj-1.cisco.com
198.133.219.12 resolves to asp-web-sj-2.cisco.com
198.133.219.13 resolves to fedtst.cisco.com
198.133.219.14 resolves to www.netimpactstudy.com
198.133.219.15 resolves to deployx-sj.cisco.com
198.133.219.16 resolves to contact-sj1.cisco.com
198.133.219.17 resolves to scc-sj-1.cisco.com
198.133.219.18 resolves to scc-sj-2.cisco.com
198.133.219.19 resolves to scc-sj-3.cisco.com
198.133.219.20 resolves to jmckerna-test.cisco.com
198.133.219.21 resolves to events.cisco.com
198.133.219.22 resolves to bam-prod-1.cisco.com
198.133.219.23 resolves to redirect.cisco.com
198.133.219.25 resolves to origin-www.cisco.com
198.133.219.26 resolves to partners.cisco.com
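The same idea as one awk program, added here as an example that is not part of the original post and not Nmap's own code. Unlike the pipeline above it also reports addresses that have no PTR record instead of dropping them, and it accepts both the Nmap 5 "Host name (ip) not scanned." line and the "Nmap scan report for name (ip)" line that later Nmap releases print for -sL. The SAMPLE_LIST text is constructed for illustration and is not real scan output.

```shell
#!/bin/sh
# Added example (not from the original post): reverse-DNS report built on
# `nmap -sL`. Handles the Nmap 5 "Host name (ip) not scanned." line as well
# as the "Nmap scan report for name (ip)" line printed by later releases, and
# reports addresses without a PTR record instead of dropping them.

# Constructed sample of list-scan output, used when no target is given.
SAMPLE_LIST='Starting Nmap 5.00 ( http://nmap.org ) at 2009-07-16 10:00 EDT
Host www.example.com (192.0.2.10) not scanned.
Host 192.0.2.11 not scanned.
Nmap scan report for mail.example.com (192.0.2.12)
Nmap scan report for 192.0.2.13
Nmap done: 4 IP addresses (0 hosts up) scanned in 0.05 seconds'

# Read list-scan output on stdin; print one line per address:
#   "<ip> resolves to <name>"  or  "<ip> has no PTR record"
reverse_dns_report() {
    awk '
        /^Host / || /^Nmap scan report for / {
            # Strip the prefix and suffix; $0 is re-split, so $1 is then the
            # name (or bare IP) and $2, when present, is "(ip)".
            sub(/^Host /, "")
            sub(/^Nmap scan report for /, "")
            sub(/ not scanned\.?$/, "")
            if ($2 ~ /^\(/) {
                ip = $2
                gsub(/[()]/, "", ip)
                print ip " resolves to " $1
            } else {
                print $1 " has no PTR record"
            }
        }'
}

if [ "$#" -gt 0 ]; then
    # Real run: -sL only resolves names; it sends nothing to the targets.
    nmap -sL "$1" 2>/dev/null | reverse_dns_report
else
    printf '%s\n' "$SAMPLE_LIST" | reverse_dns_report
fi
```

Run it with a target spec as the first argument to use a real list scan; with no arguments it processes the constructed sample. Keeping the unresolved addresses in the report is useful when auditing your own ranges, since a block of addresses with no PTR records is often the part of the range nobody is tracking.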
Something I've only recently noticed and started playing with is the --reason option. I've never seen anyone use it, but I think it could be quite useful in some scanning situations.
treguly@ns:~/bin$ nmap --reason
Starting Nmap 5.00 ( http://nmap.org ) at 2009-07-15 04:21 EDT
Interesting ports on ( ):
Not shown: 904 filtered ports, 92 closed ports
Reason: 904 no-responses and 92 conn-refused
PORT      STATE SERVICE        REASON
25/tcp    open  smtp           syn-ack
80/tcp    open  http           syn-ack
443/tcp   open  https          syn-ack
32771/tcp open  sometimes-rpc5 syn-ack
Nmap done: 1 IP address (1 host up) scanned in 9.49 seconds
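One way to put the REASON column to work, added here as an example that is not part of the original post and not Nmap's own code. The reason tells you whether a port came back closed because the host answered (reset, or conn-refused in a connect scan, as in the summary line above) or filtered because nothing came back at all (no-response), which is the difference between a host rejecting traffic and a firewall silently dropping it; that is what you want to see when checking that a rule set behaves as documented. The SAMPLE_REASON text is constructed for illustration and is not real scan output.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the REASON column of
# `nmap --reason` output so that "closed" (host answered) and "filtered"
# (no answer) are accounted for separately.

# Constructed sample of --reason output; not real scan output.
SAMPLE_REASON='Starting Nmap 5.00 ( http://nmap.org ) at 2009-07-16 10:05 EDT
Interesting ports on host.example.com (192.0.2.20):
Not shown: 994 filtered ports
Reason: 994 no-responses
PORT     STATE  SERVICE    REASON
22/tcp   open   ssh        syn-ack
25/tcp   closed smtp       reset
80/tcp   open   http       syn-ack
443/tcp  open   https      syn-ack
3306/tcp closed mysql      reset
8080/tcp open   http-proxy syn-ack
Nmap done: 1 IP address (1 host up) scanned in 2.31 seconds'

# Count the listed ports per reason: "<reason> <count>", one per line, sorted.
reason_summary() {
    awk '/^[0-9]+\/(tcp|udp) / { count[$4]++ }
         END { for (r in count) print r, count[r] }' | sort
}

# List the ports that carry a given reason, space separated on one line.
ports_by_reason() {
    awk -v want="$1" '
        /^[0-9]+\/(tcp|udp) / && $4 == want { printf "%s%s", sep, $1; sep = " " }
        END { print "" }'
}

# Pull out the "Reason:" line that explains the ports hidden by "Not shown".
hidden_ports_reason() {
    awk '/^Reason: / { sub(/^Reason: /, ""); print }'
}

if [ "$#" -gt 0 ]; then
    scan=$(nmap --reason "$1" 2>/dev/null)
else
    scan=$SAMPLE_REASON
fi
printf '%s\n' "$scan" | reason_summary
printf 'hidden ports: %s\n' "$(printf '%s\n' "$scan" | hidden_ports_reason)"
printf 'actively refused: %s\n' "$(printf '%s\n' "$scan" | ports_by_reason reset)"
```

With a target as the first argument it runs the scan itself; without one it processes the constructed sample. A host that should be fully behind a drop-everything firewall but shows reset or conn-refused reasons is answering directly, which is the kind of discrepancy the plain open/closed/filtered states alone do not make obvious.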
All in all, today is an exciting day. Everyone go and download Nmap 5.0.
