Home page logo
/

basics logo Security Basics mailing list archives

Fw: Nmap 4.00 Released! (ARP scanning)
From: "Michael Painter" <tvhawaii () shaka com>
Date: Tue, 31 Jan 2006 10:12:30 -1000

----- Original Message ----- From: "Fyodor" <fyodor () insecure org>
To: <nmap-hackers () insecure org>
Sent: Tuesday, January 31, 2006 7:26 AM
Subject: Nmap 4.00 Released!


Nmap Hackers,

Hot on the heels of 3.9999 (you could probably guess this was coming),
I am pleased to announce that Nmap 4.00 is now available!

Documentation: http://www.insecure.org/nmap/docs.html
Download: http://www.insecure.org/nmap/download.html
Release Announcement: http://www.insecure.org/stf/Nmap-4.00-Release.html

CHANGES:

Nmap has undergone many substantial changes since our last major
release (3.50 in February 2004) and we recommend that all current
users upgrade. Here are the most important improvements made in the 36
intermediate releases since 3.50:

o Added the ability for Nmap to send and properly route raw ethernet
 frames containing IP datagrams rather than always sending the
 packets via raw sockets. This is particularly useful for Windows,
 since Microsoft has disabled raw socket support in XP.  Nmap tries
 to choose the best method at runtime based on platform, though you
 can override it with the new --send-eth and --send-ip options.

o Added ARP scanning (-PR). Nmap can now send raw ethernet ARP
 requests to determine whether hosts on a LAN are up, rather than
 relying on higher-level IP packets (which can only be sent after a
 successful ARP request and reply anyway).  This is much faster and
 more reliable (not subject to IP-level firewalling) than IP-based
 probes.  It is now used automatically for any hosts that are
 detected to be on a local ethernet network, unless --send-ip was
 specified.

o Added the --spoof-mac option, which asks Nmap to use the given MAC
 address for all of the raw ethernet frames it sends.  Valid
 --spoof-mac argument examples are "Apple", "0", "01:02:03:04:05:06",
 "deadbeefcafe", "0020F2", and "Cisco".

o Rewrote core port scanning engine, which is now named ultra_scan().
 Improved algorithms make this faster (often dramatically so) in
 almost all cases.  Not only is it superior against single hosts, but
 ultra_scan() can scan many hosts (sometimes hundreds) in parallel.
 This offers many efficiency/speed advantages.  For example, hosts
 often limit the ICMP port unreachable packets used by UDP scans to
 1/second.  That made those scans extraordinarily slow in previous
 versions of Nmap.  But if you are scanning 100 hosts at once,
 suddenly you can receive 100 responses per second.  Spreading the
 scan amongst hosts is also gentler toward the target hosts.

o Overhauled UDP scan.  Ports that don't respond are now classified as
 "open|filtered" (open or filtered) rather than "open".  The (somewhat
 rare) ports that actually respond with a UDP packet to the empty
 probe are considered open.  If version detection is requested, it
 will be performed on open|filtered ports.  Any that respond to any of
 the UDP probes will have their status changed to open.  This avoids
 the false-positive problem where filtered UDP ports appear to be
 open, leading to terrified newbies thinking their machine is
 infected by back orifice.

o Put Nmap on a diet, with changes to the core port scanning routine
 (ultra_scan) to substantially reduce memory consumption, particularly
 when tens of thousands of ports are scanned.

o Added 'leet ASCII art to the configurator!  Note that
 only people compiling the UNIX source code get this. (ASCII artist
 unknown).  If you don't like it, feel free to submit your own work.

o Wrote a new man page from scratch.  It is much more comprehensive
 (more than twice as long) and (IMHO) better organized than the
 previous one.  Read it online at http://www.insecure.org/nmap/man/
 or docs/nmap.1 from the Nmap distribution.  Let me know if you have
 any ideas for improving it.  Translations to Chinese, French,
 Japanese, Brazilian Portuguese, Portugal Portuguese, and Romanian
 can be found on the Nmap docs page at
 http://www.insecure.org/nmap/docs.html .  More than a dozen other
 translations are in progress.  The XML source for the man page is
 distributed with Nmap in docs/nmap-man.xml.  Patches to Nmap that are
 user-visible should include patches to the man page XML source rather
 than to the generated Nroff.

o Integrated all service submissions up to January 2006.  The DB has
 tripled in size since 3.50 to 3,153 signatures for 381 service
 protocols.  Those protocols span the gamut from abc, acap, afp, and
 afs to zebedee, zebra, and zenimaging.  It even covers obscure
 protocols such as http, ftp, smtp, and ssh :).  Thanks to Version
 Detection Czar Doug Hoyte for his excellent work on this.  Other
 great probes and signatures came from Dirk Mueller
 (mueller(a)kde.org), Lionel Cons (lionel.cons(a)cern.ch), Martin
 Macok (martin.macok(a)underground.cz), and Bo Jiang
 (jiangbo(a)brandeis.edu).  Thanks also go to the (literally)
 thousands of you who submitted service fingerprints.  Keep them
 coming!

o Integrated tons of new OS detection fingerprints.  The database grew
 more than 50% from 1,121 to 1,684 fingerprints.  Notable additions
 include Mac OS X 10.4 (Tiger), OpenBSD 3.7, FreeBSD 5.4, Windows
 Server 2003 SP1, Sony AIBO (along with a new "robotic pet" device
 type category), the latest Linux 2.6 kernels, Cisco routers with IOS
 12.4, a ton of VoIP devices, Tru64 UNIX 5.1B, new Fortinet
 firewalls, AIX 5.3, NetBSD 2.0, Nokia IPSO 3.8.X, and Solaris 10.
 Of course there are also tons of new broadband routers, printers,
 WAPs and pretty much any other device you can coax an ethernet cable
 (or wireless card) into!  Much of this OS detecton work was done by
 Google SoC student Zhao Lei (zhaolei(a)gmail.com).

o Created a Windows executable installer using the open source NSIS
 (Nullsoft Scriptable Install System).  It handles Pcap installation,
 registry performance changes, and adding Nmap to your cmd.exe
 executable path.  The installer source files are in mswin32/nsis/ .
 Thanks to Google SoC student Bo Jiang (jiangbo(a)brandeis.edu) for
 creating the initial version.

o Added run time interaction as documented at
 http://www.insecure.org/nmap/man/man-runtime-interaction.html .
 While Nmap is running, you can now press 'v' to increase verbosity,
 'd' to increase the debugging level, 'p' to enable packet tracing,
 or the capital versions (V,D,P) to do the opposite.  Any other key
 (such as enter) will print out a status message giving the estimated
 time until scan completion.  Most of this work was done by Paul
 Tarjan (ptarjan(a)stanford.edu), Andrew Lutomirski
 (luto(a)myrealbox.com), and Gisle Vanem (giva(a)bgnett.no).

o Reverse DNS resolution is now done in parallel rather than one at a
 time.  All scans of large networks (particularly list, ping and
 just-a-few-ports scans) benefit substantially from this change. The
 new --system-dns option was added so you can use the (slow) system
 resolver if you prefer that for some reason.  You can specify a
 comma separated list of DNS server IP addresses for Nmap to use with
 the new --dns-servers option.  Otherwise, Nmap looks in
 /etc/resolve.conf (UNIX) or the system registry (Windows) to obtain
 the nameservers already configured for your system.  This excellent
 patch was written by Doug Hoyte (doug(a)hcsw.org).

o Updated NmapFE to build with GTK2 rather than obsolete GTK1.  Thanks
 to Priit Laes (amd(a)store20.com), Mike Basinger
 (dbasinge(a)speakeasy.net) and Meethune Bhowmick
 (meethune(a)oss-institute.org) for developing the patch.  GTK2 is
 prettier, more functional, and actually exists on most modern Linux
 distributions (many of which removed GTK1 long ago).

o Added the --badsum option, which causes Nmap to use invalid TCP or
 UDP checksums for packets sent to target hosts. Since virtually all
 host IP stacks properly drop these packets, any responses received
 are likely coming from a firewall or IDS that didn't bother to
 verify the checksum. For more details on this technique, see
 http://www.phrack.org/phrack/60/p60-0x0c.txt .  The author of that
 paper, Ed3f (ed3f(a)antifork.org), is also the author of this patch
 (which I changed it a bit).

o The 26 Nmap commands that previously included an underscore
 (--max-rtt-timeout, --send-eth, --host-timeout, etc.) have been
 renamed to use a hyphen in the preferred format
 (i.e. --max-rtt-timeout).  Underscores are still supported for
 backward compatibility.

o Added --max-retries option for capping the maximum number of
 retransmissions the port scan engine will do. The value may be as
 low as 0 (no retransmits).  A low value can increase speed, though
 at the risk of losing accuracy.  The -T4 option now allows up to 6
 retries, and -T5 allows 2.  Thanks to Martin Macok
 (martin.macok(a)underground.cz) for writing the initial patch.

o Many of the Nmap low-level timing options take a value in
 milliseconds.  You can now append an 's', 'm', or 'h' to the value
 to give it in seconds, minutes, or hours instead.  So you can specify a
 45 minute host timeout with --host-timeout 45m rather than specifying
 --host-timeout 2700000 and hoping you did the math right and have the
 correct number of zeros.  This also now works for the
 --min-rtt-timeout, --max-rtt-timeout, --initial-rtt-timeout,
 --scan-delay, and --max-scan-delay options.

o Wrote a new Nmap compilation, installation, and removal guide, which
 you can find at http://www.insecure.org/nmap/install/ .

o Made some changes to allow source port zero scans (-g0).  Nmap used
 to refuse to do this, but now it just gives a warning that it may not
 work on all systems.  It seems to work fine on my Linux box.  Thanks
 to Bill Dale (bill_dale(a)bellsouth.net) for suggesting this feature.

o Applied some small fixes so that Nmap compiles with Visual C++
 2005 Express, which is free from Microsoft at
 http://msdn.microsoft.com/vstudio/express/visualc/ .  Thanks to KX
 (kxmail(a)gmail.com) and Sina Bahram (sbahram(a)nc.rr.com)

o Added --thc option (undocumented)

o Wrote a new "help screen", which you get when running Nmap without
 arguments.  It is also reproduced in the man page and at
 http://www.insecure.org/nmap/data/nmap.usage.txt .  I gave up trying
 to fit it within a 25-line, 80-column terminal window.  It is now 78
 lines and summarizes all but the most obscure Nmap options.

o Added OS, device type, and hostname detection using the service
 detection framework.  Many services print a hostname, which may be
 different than DNS.  The services often give more away as well.  If
 Nmap detects IIS, it reports an OS family of "Windows".  If it sees
 HP JetDirect telnetd, it reports a device type of "printer".  Rather
 than try to combine TCP/IP stack fingerprinting and service OS
 fingerprinting, they are both printed.  After all, they could
 legitimately be different.  An IP that gives a stack fingerprint
 match of "Linksys WRT54G broadband router" and a service fingerprint
 of Windows based on Kazaa running is likely a common NAT setup rather
 than an Nmap mistake.

o Overhauled the Nmap version detection guide and posted it at
 http://www.insecure.org/nmap/vscan/ .

o Service/version detection now handles multiple hosts at once for
 more efficient and less-intrusive operation.

o Added "rarity" feature to Nmap version detection.  This causes
 obscure probes to be skipped when they are unlikely to help.  Each
 probe now has a "rarity" value.  Probes that detect dozens of
 services such as GenericLines and GetRequest have rarity values of
 1, while the WWWOFFLEctrlstat and mydoom probes have a rarity of 9.
 When interrogating a port, Nmap always tries probes registered to
 that port number.  So even WWWOFFLEctrlstat will be tried against
 port 8081 and mydoom will be tried against open ports between 3127
 and 3198.  If none of the registered ports find a match, Nmap tries
 probes that have a rarity less than or equal to its current
 intensity level.  The intensity level defaults to 7 (so that most of
 the probes are done).  You can set the intensity level with the new
 --version-intensity option.  Alternatively, you can just use
 --version-light or --version-all which set the intensity to 2 (only
 try the most important probes and ones registered to the port
 number) and 9 (try all probes), respectively.  --version-light is
 much faster than default version detection, but also a bit less
 likely to find a match.  This feature was designed and implemented
 by Doug Hoyte (doug(a)hcsw.org).

o Added a "fallback" feature to the nmap-service-probes database.
 This allows a probe to "inherit" match lines from other probes.  It
 is currently only used for the HTTPOptions, RTSPRequest, and
 SSLSessionReq probes to inherit all of the match lines from
 GetRequest.  Some servers don't respond to the Nmap GetRequest (for
 example because it doesn't include a Host: line) but they do respond
 to some of those other 3 probes in ways that GetRequest match lines
 are general enough to match.  The fallback construct allows us to
 benefit from these matches without repeating hundreds of signatures
 in the file.  This is another feature designed and implemented
 by Doug Hoyte (doug(a)hcsw.org).

o Added "Exclude" directive to nmap-service-probes grammar which
 causes version detection to skip listed ports.  This is helpful for
 ports such as 9100.  Some printers simply print any data sent to
 that port, leading to pages of HTTP requests, SMB queries, X Windows
 probes, etc.  If you really want to scan all ports, specify
 --allports.  This patch came from Doug Hoyte (doug(a)hcsw.org).

o Version detection softmatches (when Nmap determines the service
 protocol such as smtp but isn't able to determine the app name such as
 Postfix) can now parse out the normal match line fields such as
 hostname, device type, and extra info.  For example, we may not know
 what vendor created an sshd, but we can still parse out the protocol
 number.  This was a patch from  Doug Hoyte (doug(a)hcsw.org).

o Fixed a bunch of typos and misspellings throughout the Nmap source
 code (mostly in comments).  This was a 625-line patch by Saint Xavier
 (skyxav(a)skynet.be).

o Added a stripped-down and heavily modified version of Dug Song's
 libdnet networking library (v. 1.10).  This helps with the new raw
 ethernet features.  My (extensive) changes are described in
 libdnet-stripped/NMAP_MODIFICATIONS

o Updated nmap data files (nmap-mac-prefixes, nmap-protocols,
 nmap-rpc) with the latest OUIs, IP protocols, and RPC program numbers,
 respectively.

o Updated the included libpcap from 0.7.2 to 0.9.3.  This was an
 attempt to fix an annoying bug, which I then found was actually in
 my code rather than libpcap :).  Also updated the included GNU
 shtool (to 2.0.2), LibPCRE (6.4), and the autoconf config.* files
 (to the latest from their CVS).

o Nmap now uses (and require) WinPcap 3.1 on Windows.

o Added MAC address printing.  If Nmap receives packet from a target
 machine which is on an Ethernet segment directly connected to the
 scanning machine, Nmap will print out the target MAC address.  Nmap
 also now contains a database (derived from the official IEEE
 version) which it uses to determine the vendor name of the target
 ethernet interface.  Here are examples from normal and XML output
 (angle brackets replaced with [] for HTML changelog compatibility):
 MAC Address: 08:00:20:8F:6B:2F (SUN Microsystems)
 [address addr="00:A0:CC:63:85:4B" vendor="Lite-on Communications" addrtype="mac" /]

o The official Nmap RPM files are now compiled statically for better
 compatibility with other systems.  X86_64 (AMD Athlon64/Opteron)
 binaries are now available in addition to the standard i386.  NmapFE
 RPMs are no longer distributed by Insecure.Org.

o Nmap distribution signing has changed. Release files are now signed
 with a new Nmap Project GPG key (KeyID 6B9355D0).  Learn more at
 http://www.insecure.org/nmap/install/index.html#inst-integrity

o Updated random scan (ip_is_reserved()) to reflect the latest IANA
 assignments.  This to Felix Groebert
 (felix(a)groebert.org) and Chad Loder (cloder(a)loder.us) for
 sending these patches.

o Added the --iflist option, which prints a list of system interfaces
 and routes detected by Nmap.

o Removed WinIP library (and all Windows raw sockets code) since MS
 has gone and broken raw sockets.  Maybe packet receipt via raw
 sockets will come back at some point.  As part of this removal, the
 Windows-specific --win_help, --win_list_interfaces, --win_norawsock,
 --win_forcerawsock, --win_nopcap, --win_nt4route, --win_noiphlpapi,
 and --win_trace options have been removed.

o Added new --privileged command-line option and NMAP_PRIVILEGED
 environmental variable.  Either of these tell Nmap to assume that
 the user has full privileges to execute raw packet scans, OS
 detection and the like.  This can be useful when Linux kernel
 capabilities or other systems are used that allow non-root users to
 perform raw packet or ethernet frame manipulation.  Without this
 flag or variable set, Nmap bails on UNIX if geteuid() is
 nonzero.

o Changed the RPM spec file so that if you define "static" to 1 (by
 passing --define "static 1" to rpmbuild), static binaries are built.

o ultra_scan() now sets pseudo-random ACK values (rather than 0) for
 any TCP scans in which the initial probe packet has the ACK flag set.
 This would be the ACK, Xmas, Maimon, and Window scans.

o Fixed an integer overflow that prevented Nmap from scanning
 2,147,483,648 hosts in one expression (e.g. 0.0.0.0/1).  Problem
 noted by Justin Cranford (jcranford(a)n-able.com).  While /1 scans
 are now possible, don't expect them to finish during your bathroom
 break.  No matter how constipated you are.

o Changed from CVS to Subversion source control system (which
 rocks!). Neither repository is currently public due to security
 paranoia.

o Nmap now ships with and installs (in the same directory as other
 data files such as nmap-os-fingerprints) an XSL stylesheet for
 rendering the XML output as HTML.  This stylesheet was written by
 Benjamin Erb ( see http://www.benjamin-erb.de/nmap/ for examples).
 It supports tables, version detection, color-coded port states, and
 more.  The XML output has been augmented to include an
 xml-stylesheet directive pointing to nmap.xsl on the local
 filesystem.  You can point to a different XSL file by providing the
 filename or URL to the new --stylesheet argument.  Omit the
 xml-stylesheet directive entirely by specifying --no-stylesheet.
 The XML to HTML conversion can be done with an XSLT processor such
 as Saxon, Sablot, or Xalan, but modern browsers can do this on the
 fly -- simply load the XML output file in IE or Firefox.It is
 often more convenient to have the stylesheet loaded from a URL
 rather than the local filesystem, allowing the XML to be rendered on
 any machine regardless of whether/where the XSL is installed.  For
 privacy reasons (avoid loading of an external URL when you view
 results), Nmap uses the local filesystem by default.  If you would
 like the latest version of the stylesheet loaded from Insecure.Org when
 rendering, specify --webxml, which is a shortcut for
 --stylesheet http://www.insecure.org/nmap/data/nmap.xsl .

o If a user attempts -PO (the letter O), instead of -P0 (zero), print
 an error suggesting that the user is a doofus (actually it is a nice
 message)

o Upgraded the fragmentation option (-f).  One -f now sets sends
 fragments with just 8 bytes after the IP header, while -ff sends 16
 bytes to reduce the number of fragments needed.  You can specify
 your own fragmentation offset (must be a multiple of 8) with the new
 --mtu flag.  Don't also specify -f if you use --mtu.  Remember that
 some systems (such as Linux with connection tracking) will
 defragment in the kernel anyway -- so test first while sniffing with
 ethereal.  These changes are from a patch by Martin Macok
 (martin.macok(a)underground.cz).

o Nmap now prints the number (and total bytes) of raw IP packets sent
 and received when it completes, if verbose mode (-v) is enabled.  The
 report looks like:
 Nmap finished: 256 IP addresses (3 hosts up) scanned in 30.632 seconds
                Raw packets sent: 7727 (303KB) | Rcvd: 6944 (304KB)

o Added new "closed|filtered" state.  This is used for Idle scan, since
 that scan method can't distinguish between those two states.  Nmap
 previously just used "closed", but this is more accurate.

o Null, FIN, Maimon, and Xmas scans now mark ports as "open|filtered"
 instead of "open" when they fail to receive any response from the
 target port.  After all, it could just as easily be filtered as open.
 This is the same change that was made to UDP scan in 3.70.  Also as
 with UDP scan, adding version detection (-sV) will change the state
 from open|filtered to open if it confirms that they really are open.

o Change IP protocol scan (-sO) so that a response from the target
 host in any protocol at all will prove that protocol is open.  As
 before, no response means "open|filtered", an ICMP protocol
 unreachable means "closed", and most other ICMP error messages mean
 "filtered".

o Changed IP protocol scan (-sO) so that it sends valid ICMP, TCP, and
 UDP headers when scanning protocols 1, 6, and 17, respectively.  An
 empty IP header is still sent for all other protocols.  This should
 prevent the error messages such as "sendto in send_ip_packet:
 sendto(3, packet, 20, 0, 192.31.33.7, 16) => Operation not
 permitted" that Linux (and perhaps other systems) would give when
 they try to interpret the raw packet.  This also makes it more
 likely that these protocols will elicit a response, proving that the
 protocol is "open".

o Fixed a memory leak that would generally consume several hundred
 bytes per down host scanned.  While the effect for most scans is
 negligible, it was overwhelming when Scott Carlson
 (Scott.Carlson(a)schwab.com) tried to scan 24 million IPs
 (10.0.0.0/8).  Thanks to him for reporting the problem.  Also thanks
 to Valgrind ( http://valgrind.kde.org ) for making it easy to debug.

o Added --max-scan-delay parameter.  Nmap will sometimes increase the
 delay itself when it detects many dropped packets.  For example,
 Solaris systems tend to respond with only one ICMP port unreachable
 packet per second during a UDP scan.  So Nmap will try to detect
 this and lower its rate of UDP probes to one per second.  This can
 provide more accurate results while reducing network congestion, but
 it can slow the scans down substantially.  By default (with no -T
 options specified), Nmap allows this delay to grow to one second per
 probe.  This option allows you to set a lower or higher maximum.
 The -T4 and -T5 scan modes now limit the maximum scan delay for TCP
 scans to 10 and 5 ms, respectively.

o Added --max-hostgroup option which specifies the maximum number of
 hosts that Nmap is allowed to scan in parallel.

o Added --min-hostgroup option which specifies the minimum number of
 hosts that Nmap should scan in parallel (there are some exceptions
 where Nmap will still scan smaller groups -- see man page).  Of
 course, Nmap will try to choose efficient values even if you don't
 specify hostgroup restrictions explicitly.

o Nmap now estimates completion times for almost all port scan types
 (any that use ultra_scan()) as well as service scan (version
 detection).  These are only shown in verbose mode (-v).  On scans
 that take more than a minute or two, you will see occasional updates
 like:
 SYN Stealth Scan Timing: About 30.01% done; ETC: 16:04 (0:01:09 remaining)
 New updates are given if the estimates change significantly.

o Added --exclude option, which lets you specify a comma-separated
 list of targets (hosts, ranges, netblocks) that should be excluded
 from the scan.  This is useful to keep from scanning yourself, your
 ISP, particularly sensitive hosts, etc.  The new --excludefile reads
 the list (newline-delimited) from a given file.  All the work was
 done by Mark-David McLaughlin (mdmcl(a)cisco.com> and William McVey
 ( wam(a)cisco.com ), who sent me a well-designed and well-tested
 patch.

o Nmap now has a "port scan ping" system.  If it has received at least
 one response from any port on the host, but has not received
 responses lately (usually due to filtering), Nmap will "ping" that
 known-good port occasionally to detect latency, packet drop rate,
 etc.

o Nmap now wishes itself a happy birthday when run on September 1 in
 verbose mode!  The first public release was on that date in 1997.

o The port randomizer now has a bias toward putting
 commonly-accessible ports (80, 22, etc.) near the beginning of the
 list.  Getting a response early helps Nmap calculate response times and
 detect packet loss, so the scan goes faster.

o Host timeout system (--host-timeout) overhauled to support host
 parallelization.  Hosts times are tracked separately, so a host that
 finishes a SYN scan quickly is not penalized for an exceptionally
 slow host being scanned at the same time.

o When Nmap has not received any responses from a host, it can now use
 certain timing values from other hosts from the same scan group.
 This way Nmap doesn't have to use absolute-worst-case (300bps SLIP
 link to Uzbekistan) round trip time and latency estimates.

o Documented the --osscan-limit option, which saves time by skipping
 OS detection if at least one open and one closed port are not found on
 the remote hosts.  OS detection is much less reliable against such
 hosts anyway, and skipping it can save some time.

o Configure script now detects GNU/k*BSD (whatever that is),
 thanks to patches from Robert Millan (rmh () debian org) and Petr
 Salinger (Petr.Salinger(a)t-systems.cz)

o Provide limited --packet-trace support for TCP connect() (-sT)
 scans.

o Hundreds of other features, bugfixes, and portability
 enhancements described at http://www.insecure.org/nmap/changelog.html

MOVING FORWARD:

With this stable version out of the way, we plan to dive headfirst
into the next development cycle. Many exciting features are in the
queue, including a next-generation OS detection system. We also plan
to launch the 2006 Nmap User Survey in February, to learn what
features you want most.

DOWNLOAD:

Nmap is available for download from http://www.insecure.org/nmap/ for
most platforms in source or binary form. Nmap is free, open source
software (license: http://www.insecure.org/nmap/data/COPYING )

ACKNOWLEDGEMENTS:

A popular open source security scanner recently went proprietary,
complaining that their community never contributes much. We are sorry
to hear that, but happy to report that the Nmap community is as
vibrant and productive as ever! We would like to acknowledge and thank
the many people who contributed ideas and/or code to this release
(since 3.50). Special thanks go out to Adam Kerrison, Adam Morgan,
Adriano Monteiro Marques, Alan Bishoff, Alan William Somers, Albert
Chin, Allison Randal, Alok Tangoankar, Amy Hennings, Anders Thulin,
Andreia Gaita, Andy Lutomirski, Annalee Newitz, Arturo Buanzo
Busleiman, Bart Dopheide, Beirne Konarski, Ben Harris, Bill Dale, Bill
Petersen, Bill Pollock, Bo Jiang, Brian Hatch, Chad Loder, Chris
Gibson, Christophe, Craig Humphrey, Curtis Doty, Dana Epp, Dirk
Mueller, Doug Hoyte, Dragos Ruiu, Dug Song, Duilio J. Protti, Eric
S. Raymond, Felix Gröbert, Florian Ebner, Fyodor Yarochkin, Ganga
Bhavani, Gisle Vanem, Glyn Geoghegan, Greg A. Woods, Greg Darke, Greg
Taleck, Gwenole Beauchesne, HD Moore, Jedi/Sector One, Jeff Nathan,
Jesse Burns, Jim Carras, Jim Harrison, Jonathan Dieter, José Domingos,
Justin Cranford, Justin M Cacak, Krok, KX, Lamont Jones, Lance
Spitzner, Laurent Estieux, Lionel Cons, Lucien Raven, MadHat, Marius
Strobl, Mark-David McLaughlin, Mark Ruef, Martin Macok, Matthieu
Verbert, Matt Selsky, Max Schubert, Meethune Bhowmick, Mephisto, Mike
Basinger, Mike Hatz, Murphy, Netris, Okan Demirmen, Ole Morten
Grodaas, Oliver Eikemeier, Pascal Trouvin, Paul Tarjan, Petr Salinger,
Petter Reinholdtsen, pijn trein, Ping Huang, Piotr Sobolewski, Priit
Laes, Princess Nadia, Raven Alder, Richard Birkett, Richard Moore,
Robert E. Lee, Rob Foehl, Ronak Sutaria, Royce Williams, Ruediger
Rissmann, Saint Xavier, Saravanan, Scott Mansfield, Sebastian
Wolfgarten, Seth Master, Shahid Khan, Simon Burr, Simple Nomad, Sina
Bahram, Solar Designer, Srivatsan, Stephane Loeuillet, Stephen Bishop,
Steve Christensen, Steve Martin, Thorsten Holz, Tom Duffy, Tom Rune
Flo, Tom Sellers, Tony Golding, van Hauser, vlad902, William McVey,
Zapphire, and Zhao Lei.

And of course we would also like to thank the thousands of people who
have submitted OS and service/version fingerprints, as well as
everyone who has found and reported bugs or suggested features.

For further information, see http://www.insecure.org/



_______________________________________________
Sent through the nmap-hackers mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-hackers



---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
  • Fw: Nmap 4.00 Released! (ARP scanning) Michael Painter (Jan 31)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault