[8707] in bugtraq


Nmap network auditing/exploring tool V. 2.00 released

daemon@ATHENA.MIT.EDU (Fyodor)
Tue Dec 15 11:12:12 1998

Date: Tue, 15 Dec 1998 05:22:38 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Fyodor <fyodor@DHP.COM>
To: BUGTRAQ@NETSPACE.ORG

I have just released version 2.00 of nmap, a program for network
security auditing and general Internet exploration.  Almost all of the
core code has been rewritten for better performance and accuracy, and
many new features have been added.  Here are some of its current
capabilities:

* You can have it do a fast parallel ping of all hosts on a network to
  determine which ones are up.  You can use the traditional ICMP echo
  request (ping), a TCP ACK packet, or a TCP SYN packet to probe for
  responses.  By default it uses both ACKs & ICMP pings to maximize
  the chance of sneaking through packet filters.  There is also a
  connect() version for under-privileged users.  The syntax for
  specifying what hosts should be scanned is quite flexible.

* The hosts found to be up can be port scanned to determine what
  services are running.  Techniques you can use include the SYN
  (half-open) scan, FIN, Xmas, or Null stealth scans, connect scan
  (does not require root), FTP bounce attack, and UDP scan.  Options
  exist for common filter-bypassing techniques such as packet
  fragmentation and setting the source port number (to 20 or 53, for
  example).  It can also query a remote identd for the usernames that
  servers are running under.  You can select any (or all) port
  number(s) to scan, since you may want to just sweep the networks you
  run for 1 or 2 services recently found to be vulnerable.

* Remote OS detection via TCP/IP fingerprinting allows you to
  determine what operating system release each host is running.  This
  functionality is similar to the awesome queso program, although nmap
  implements many new techniques.  I wrote an article about these
  techniques for the next Phrack, but the impatient can always read
  the source code.  In many cases, nmap can narrow down the OS to the
  kernel number or release version.  A database of ~100 fingerprints
  for common operating system versions is included, thanks to a couple
  dozen wonderful beta testers who worked on the last 19 private beta
  releases.

* TCP ISN sequence predictability lets you know what sequence
  prediction class (64K, time dependent, "true random", constant, etc)
  the host falls into.  A difficulty index is provided to tell you
  roughly how vulnerable the machine is to sequence prediction.

* Decoy scans are also allowed.  The idea is that for every packet
  sent by nmap from your address, a similar packet is sent from each
  of the decoy hosts you specify.  This is useful due to the rising
  popularity of stealth port scan detection software.  If such
  software is used, it will generally report a dozen (or however many
  you choose) port scans from different addresses at the same time.
  It is very difficult to determine which address is doing the
  scanning, and which are simply innocent decoys.

* There are many other features which are useful in special
  situations, see the documentation for full details.

Nmap is quite portable, and has been reported to run on Linux,
FreeBSD, OpenBSD, NetBSD, Solaris, IRIX, HP/UX, and BSDI.  It uses its
own raw networking library for packet transmission, and the LBL
Libpcap library for raw receives.

Nmap is free software, distributed as source code under the terms of
the GNU public license.  Comments, questions, and problems can be sent
to fyodor@dhp.com .  You are also encouraged to send me the
fingerprints for operating systems it fails to detect (if at least one
port is open and the machine is not behind a filtering firewall -- I
want the reference fingerprints to be pristine).  Anything with a TCP
stack is fair game for detection, including firewalls, palm pilots,
'net cameras, etc.

The newest version of nmap is always available at the nmap home page:
http://www.insecure.org/nmap/ .  Check out the man page to learn how
to do the things above and for examples of common usage.

Cheers,
Fyodor


--
Fyodor                            'finger pgp@www.insecure.org | pgp -fka'
In a free and open marketplace, it would be surprising to have such an
obviously flawed standard generate much enthusiasm outside of the criminal
community.  --Mitch Stone on Microsoft ActiveX
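The port-scan styles listed in the announcement (SYN half-open versus connect(), FIN, Xmas and Null probes) and the decoy-scan behaviour it describes, viewed from the detection side. This is an added example, not nmap's code and not part of the original post: it runs a small flag-and-burst detector over a constructed packet list. The `Packet` record, `find_scanners`, the 10-port/5-second thresholds and the 10.0.0.x/192.0.2.x addresses are this example's own assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# TCP flag bits in header order (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    ts: float    # seconds since start of capture
    src: str
    dst: str
    dport: int
    flags: int   # TCP flag byte


def probe_style(flags):
    """Name the probe style a flag combination suggests, or None for ordinary
    traffic. Null, Xmas and lone-FIN segments never open a legitimate connection,
    so they stand out on sight; a SYN is ambiguous until we know whether the
    sender ever completes the handshake."""
    if flags == 0:
        return "null"
    if flags == FIN | PSH | URG:
        return "xmas"
    if flags == FIN:
        return "fin"
    if flags == SYN:
        return "syn"
    return None


def find_scanners(packets, port_threshold=10, window=5.0):
    """Report (src, dst) pairs probing >= port_threshold distinct ports within
    `window` seconds, the probe styles used, and groups of flagged sources that
    hit one destination in the same window (what a decoy scan looks like on the
    wire: the real origin is somewhere in the group, and that is all we learn)."""
    by_pair = defaultdict(list)
    for p in packets:
        by_pair[(p.src, p.dst)].append(p)

    scanners = {}
    for pair, pkts in by_pair.items():
        pkts.sort(key=lambda p: p.ts)
        acked = {p.dport for p in pkts if p.flags & ACK}   # handshakes this source completed
        styles, probed, i, start = set(), Counter(), 0, None
        for p in pkts:
            style = probe_style(p.flags)
            if style is None:
                continue
            probed[p.dport] += 1
            while p.ts - pkts[i].ts > window:              # slide the window forward
                old = pkts[i]
                if probe_style(old.flags) is not None:
                    probed[old.dport] -= 1
                    if probed[old.dport] == 0:
                        del probed[old.dport]
                i += 1
            if style == "syn":                              # half-open vs. connect() scan
                style = "connect" if p.dport in acked else "syn-halfopen"
            styles.add(style)
            if start is None and len(probed) >= port_threshold:
                start = pkts[i].ts
        if start is not None:
            scanners[pair] = {"styles": sorted(styles),
                              "ports": len({p.dport for p in pkts}), "start": start}

    # Decoy signature: several flagged sources against one destination, overlapping in time.
    by_dst = defaultdict(list)
    for (src, dst), info in scanners.items():
        by_dst[dst].append((info["start"], src))
    clusters = []
    for dst, hits in by_dst.items():
        hits.sort()
        group = [hits[0]]
        for hit in hits[1:]:
            if hit[0] - group[0][0] <= window:
                group.append(hit)
            else:
                if len(group) > 1:
                    clusters.append({"dst": dst, "sources": sorted(s for _, s in group)})
                group = [hit]
        if len(group) > 1:
            clusters.append({"dst": dst, "sources": sorted(s for _, s in group)})
    return {"scanners": scanners, "decoy_clusters": clusters}


def sample_packets():
    """Constructed capture, not real traffic: one SYN scanner plus two decoys
    against 192.0.2.10, an Xmas scan against 192.0.2.20, and one ordinary
    web client that completes its handshake."""
    pkts = []
    for n, src in enumerate(["10.0.0.5", "10.0.0.6", "10.0.0.7"]):
        for port in range(1, 21):
            pkts.append(Packet(0.1 * port + 0.01 * n, src, "192.0.2.10", port, SYN))
    for port in range(1, 13):
        pkts.append(Packet(100 + 0.1 * port, "10.0.0.8", "192.0.2.20", port, FIN | PSH | URG))
    pkts += [Packet(50.0, "10.0.0.9", "192.0.2.10", 80, SYN),
             Packet(50.1, "10.0.0.9", "192.0.2.10", 80, ACK),
             Packet(50.2, "10.0.0.9", "192.0.2.10", 80, PSH | ACK)]
    return pkts


if __name__ == "__main__":
    print(find_scanners(sample_packets()))
```

The web client touches one port and finishes its handshake, so it is never reported, while the three sources sweeping 192.0.2.10 are reported individually and then grouped as one cluster. That grouping is the practical limit the post describes: a monitor can say a decoy scan happened and list the candidate addresses, but cannot pick the real one from flag and timing data alone.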

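The ISN sequence-predictability classes named in the announcement (constant, 64K, time dependent, random), with a difficulty index, as an added example that is not nmap's algorithm and not from the original post. It takes ISN samples collected from successive connections to one host and sorts them into a class; the class order, the 1.2 rate tolerance, the index values for the fixed-step classes and the verbal scale in `difficulty_label` are all this example's own assumptions, and the sample series are constructed.

```python
import statistics

WRAP = 1 << 32


def signed_deltas(isns):
    """Steps between consecutive ISNs, mapped into [-2^31, 2^31) so that a
    32-bit wrap-around reads as a small step rather than a huge one."""
    return [((b - a + (1 << 31)) % WRAP) - (1 << 31) for a, b in zip(isns, isns[1:])]


def classify_isns(isns, elapsed=None):
    """Classify ISN samples taken from successive connections to one host.

    `elapsed`, if given, lists the seconds between consecutive samples (one
    entry per step); it is what lets a clock-driven generator be recognised.
    Returns (class_name, difficulty_index). Class order and the 1.2 rate
    tolerance are this example's assumptions, not nmap's algorithm."""
    d = signed_deltas(isns)
    if len(d) < 2:
        raise ValueError("need at least three ISN samples")
    if all(x == 0 for x in d):
        return "constant", 0.0                  # same ISN every time
    if all(x > 0 and x % 64000 == 0 for x in d):
        return "64K", 1.0                       # fixed 64000 step, classic BSD rule
    if elapsed is not None and all(x > 0 for x in d):
        rates = [x / t for x, t in zip(d, elapsed)]
        if max(rates) / min(rates) <= 1.2:      # increments track the clock
            mean_rate = sum(d) / sum(elapsed)
            residuals = [x - mean_rate * t for x, t in zip(d, elapsed)]
            return "time dependent", statistics.pstdev(residuals)
    if all(x > 0 for x in d):
        return "random positive", statistics.pstdev(d)
    return "true random", statistics.pstdev(d)


def difficulty_label(index):
    """Rough verbal scale for the difficulty index (assumed thresholds)."""
    if index < 10:
        return "trivial"
    if index < 1_000:
        return "easy"
    if index < 100_000:
        return "medium"
    return "hard"


def sample_hosts():
    """Constructed ISN series, not real captures: one per behaviour class."""
    return {
        "constant": ([1000] * 5, None),
        "64K": ([0, 64000, 128000, 192000, 256000], None),
        "time dependent": ([0, 128005, 256000, 384010, 512003], [1.0] * 4),
        "random positive": ([100, 5100, 5900, 30000, 30500], [1.0] * 4),
        "true random": ([0x12345678, 0xFEDCBA98, 0x00000010, 0x80000000], None),
    }


if __name__ == "__main__":
    for expected, (isns, elapsed) in sample_hosts().items():
        cls, index = classify_isns(isns, elapsed)
        print(f"{expected:16s} -> {cls:16s} index {index:12.1f} ({difficulty_label(index)})")
```

The index is the spread of the increments once any fixed or clock-driven component is removed: a stack whose increments are exactly predictable from the previous ISN (constant or 64K) gets a fixed near-zero index, a clock-driven stack is scored on how far the observed steps stray from its rate, and a random generator is scored on the raw spread. When auditing a host of your own, take the samples back-to-back from one client so that `elapsed` is small and known; spacing the samples out inflates the apparent spread of a time-dependent generator.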