Nmap 5.00 Initial Impressions - Niiiice!


I don’t know if you’ve seen it yet, but Nmap 5.00 was released just a short while ago.  This isn’t just some routine, small-fry update from Fyodor and the Nmap development crew.  In fact, they rightfully point out that they consider this, “The most important Nmap release since 1997.”  I’ve been kicking its tires over the last day, and I fully agree.  I ran Nmap 5.00 right next to 4.75 (the previous stable release besides the 4.85BETA) to get a feel for the deltas.  I’ve been extremely impressed with the myriad of new features, improved stability, and speed.

From a speed perspective, Nmap 5.00 feels quite a bit zippier.  The default ports it scans are based on statistics gathered from a huge series of scans Fyodor conducted last year, so that Nmap focuses on checking those ports that are most likely to be open.  But, if you want it to scan all ports or a specific range, there are some new timing features that let you get very specific about the rate at which Nmap will send packets.  Also, the Zenmap GUI has been updated for 5.00, with a still-familiar look but with less clutter.   The organization of the GUI has also been tweaked to store and display information from multiple scans in a more intuitive and useful way, and the network topology view is very cool.

One of my favorite items that’s been growing within Nmap over the past year and a half is the Nmap Scripting Engine (NSE).  With this feature set, Nmap offers an environment for running Lua scripts to perform more detailed information gathering from target systems (such as fetching SMB information, performing whois lookups, etc.), or even determining whether a given vulnerability is present on Nmap-scanned targets.  All these rich features built right into Nmap have shown the great promise of NSE.  I’ve covered NSE in my SANS 560 course for over a year.  The scripts that I chose to cover hands-on in class had to meet three criteria: 1) They had to be useful, 2) They had to work reliably with a nearly 100 percent chance of reporting accurate results, and 3) They had to avoid crashing Nmap.

Prior to Nmap 5.00, criterion 1 was easy to meet, as there were about three dozen scripts that offered a myriad of cool and useful features.  However, in constructing exercises for class, I had to carefully pick and choose among that set to find ones that would give reliable results without crashing Nmap.  While there were some useful options left after that filtering process, we couldn’t reliably try out all of the scripts.

Well, with Nmap 5.00, all of that has changed.  Not only are there a bunch of awesome new scripts included in Nmap, but all of the scripts are far more reliable and stable.  In my Nmap 5.00 testing, I haven’t yet had an NSE script crash.  Also, the new scripts included in this release will prove incredibly useful in penetration testing, especially Ron Bowes' awesome scripts associated with enumeration of Windows and Samba targets via SMB and MS-RPC, including smb-os-discovery.nse, smb-enum-users.nse, smb-pwdump.nse (Yup, password dumping from within Nmap… but you’ll have to download a DLL and an EXE from pwdump6 to make it work), and much more.  You’ve gotta check them out!
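To show what an NSE script actually looks like, here is a small Lua banner-grab script written to satisfy criterion 3 above: every socket failure is checked so the script returns quietly instead of raising a Lua error mid-scan. This is an added example, not a script shipped with Nmap or written by the Nmap team; the script name, port list, and 5-second timeout are assumptions.

```lua
-- Hypothetical NSE script (not part of Nmap): grab the greeting line a TCP
-- service sends on connect and report it, handling silent or refused ports
-- without erroring so a flaky target never takes down the whole scan.
description = [[
Connects to the target port, waits briefly for a greeting banner, and reports
the first line received. Silent or refused ports produce no output.
]]

author = "example (not an Nmap-provided script)"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

require "shortport"
require "stdnse"

-- Run only against open ports Nmap already found (assumed port/service list).
portrule = shortport.port_or_service({21, 22, 25, 110}, {"ftp", "ssh", "smtp", "pop3"})

action = function(host, port)
  local socket = nmap.new_socket()
  socket:set_timeout(5000)  -- assumption: 5 s is long enough for a greeting

  -- connect() returns (true) on success or (false, error string) on failure
  local status, err = socket:connect(host.ip, port.number)
  if not status then
    stdnse.print_debug(1, "banner-grab: connect to %s:%d failed: %s",
                       host.ip, port.number, err)
    return nil  -- nil means "print nothing for this port"
  end

  -- receive_lines(1) returns (true, data) or (false, error string)
  local ok, banner = socket:receive_lines(1)
  socket:close()
  if not ok then
    return nil  -- service said nothing within the timeout; not an error
  end

  -- Strip trailing CR/LF and cap length so a noisy service cannot flood output.
  banner = banner:gsub("[\r\n]+$", "")
  if #banner > 200 then
    banner = banner:sub(1, 200) .. "..."
  end
  return "Banner: " .. banner
end
```

Dropped into Nmap's scripts directory and invoked with --script, this runs once per matching open port; the explicit nil returns are what keep a bad target from surfacing as an NSE error.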

There are a lot more features and tweaks throughout Nmap 5.00, including the fantastic ndiff and ncat tools included, showing that Nmap truly is becoming an integrated suite of tools for a variety of in-depth network reconnaissance, mapping, and attack activities.  Congrats to Fyodor and the Nmap Development Team for this awesome release.  Also, thanks for this great set of new tools.  Your incredible development and testing efforts are truly appreciated!


By Ed Skoudis