<<< Date Index >>>     <<< Thread Index >>>

Nmap 4.00 Released



Bugtraqers,

Insecure.Org is pleased to announce the immediate, free availability
of the Nmap Security Scanner version 4.00 from
http://www.insecure.org/nmap/ .

I try not to burden the Bugtraq list with more than one Nmap
announcement per year. So I encourage those of you who would like to
hear about new Nmap releases as they happen to join the low-volume
nmap-hackers list at
http://cgi.insecure.org/mailman/listinfo/nmap-hackers .

I just did an interview for SecurityFocus which provides some further
details on this release: http://www.securityfocus.com/columnists/384

CHANGES:

Nmap has undergone many substantial changes since our last major
release (3.50 in February 2004) and we recommend that all current
users upgrade. Here are the most important improvements made in the 36
intermediate releases since 3.50:

o Added the ability for Nmap to send and properly route raw ethernet
  frames containing IP datagrams rather than always sending the
  packets via raw sockets. This is particularly useful for Windows,
  since Microsoft has disabled raw socket support in XP.  Nmap tries
  to choose the best method at runtime based on platform, though you
  can override it with the new --send-eth and --send-ip options.

o Added ARP scanning (-PR). Nmap can now send raw ethernet ARP
  requests to determine whether hosts on a LAN are up, rather than
  relying on higher-level IP packets (which can only be sent after a
  successful ARP request and reply anyway).  This is much faster and
  more reliable (not subject to IP-level firewalling) than IP-based
  probes.  It is now used automatically for any hosts that are
  detected to be on a local ethernet network, unless --send-ip was
  specified.

o Added the --spoof-mac option, which asks Nmap to use the given MAC
  address for all of the raw ethernet frames it sends.  Valid
  --spoof-mac argument examples are "Apple", "0", "01:02:03:04:05:06",
  "deadbeefcafe", "0020F2", and "Cisco".

o Rewrote core port scanning engine, which is now named ultra_scan().
  Improved algorithms make this faster (often dramatically so) in
  almost all cases.  Not only is it superior against single hosts, but
  ultra_scan() can scan many hosts (sometimes hundreds) in parallel.
  This offers many efficiency/speed advantages.  For example, hosts
  often limit the ICMP port unreachable packets used by UDP scans to
  1/second.  That made those scans extraordinarily slow in previous
  versions of Nmap.  But if you are scanning 100 hosts at once,
  suddenly you can receive 100 responses per second.  Spreading the
  scan amongst hosts is also gentler toward the target hosts.

o Overhauled UDP scan.  Ports that don't respond are now classified as
  "open|filtered" (open or filtered) rather than "open".  The (somewhat
  rare) ports that actually respond with a UDP packet to the empty
  probe are considered open.  If version detection is requested, it
  will be performed on open|filtered ports.  Any that respond to any of
  the UDP probes will have their status changed to open.  This avoids
  the false-positive problem where filtered UDP ports appear to be
  open, leading to terrified newbies thinking their machine is
  infected by back orifice.

o Put Nmap on a diet, with changes to the core port scanning routine
  (ultra_scan) to substantially reduce memory consumption, particularly
  when tens of thousands of ports are scanned.

o Added 'leet ASCII art to the configurator!  Note that
  only people compiling the UNIX source code get this. (ASCII artist
  unknown).  If you don't like it, feel free to submit your own work.

o Wrote a new man page from scratch.  It is much more comprehensive
  (more than twice as long) and (IMHO) better organized than the
  previous one.  Read it online at http://www.insecure.org/nmap/man/
  or docs/nmap.1 from the Nmap distribution.  Let me know if you have
  any ideas for improving it.  Translations to Chinese, French,
  Japanese, Brazilian Portuguese, Portugal Portuguese, and Romanian
  can be found on the Nmap docs page at
  http://www.insecure.org/nmap/docs.html .  More than a dozen other
  translations are in progress.  The XML source for the man page is
  distributed with Nmap in docs/nmap-man.xml.  Patches to Nmap that are
  user-visible should include patches to the man page XML source rather
  than to the generated Nroff.

o Integrated all service submissions up to January 2006.  The DB has
  tripled in size since 3.50 to 3,153 signatures for 381 service
  protocols.  Those protocols span the gamut from abc, acap, afp, and
  afs to zebedee, zebra, and zenimaging.  It even covers obscure
  protocols such as http, ftp, smtp, and ssh :).  Thanks to Version
  Detection Czar Doug Hoyte for his excellent work on this.  Other
  great probes and signatures came from Dirk Mueller
  (mueller(a)kde.org), Lionel Cons (lionel.cons(a)cern.ch), Martin
  Macok (martin.macok(a)underground.cz), and Bo Jiang
  (jiangbo(a)brandeis.edu).  Thanks also go to the (literally)
  thousands of you who submitted service fingerprints.  Keep them
  coming!

o Integrated tons of new OS detection fingerprints.  The database grew
  more than 50% from 1,121 to 1,684 fingerprints.  Notable additions
  include Mac OS X 10.4 (Tiger), OpenBSD 3.7, FreeBSD 5.4, Windows
  Server 2003 SP1, Sony AIBO (along with a new "robotic pet" device
  type category), the latest Linux 2.6 kernels, Cisco routers with IOS
  12.4, a ton of VoIP devices, Tru64 UNIX 5.1B, new Fortinet
  firewalls, AIX 5.3, NetBSD 2.0, Nokia IPSO 3.8.X, and Solaris 10.
  Of course there are also tons of new broadband routers, printers,
  WAPs and pretty much any other device you can coax an ethernet cable
  (or wireless card) into!  Much of this OS detecton work was done by
  Google SoC student Zhao Lei (zhaolei(a)gmail.com).

o Created a Windows executable installer using the open source NSIS
  (Nullsoft Scriptable Install System).  It handles Pcap installation,
  registry performance changes, and adding Nmap to your cmd.exe
  executable path.  The installer source files are in mswin32/nsis/ .
  Thanks to Google SoC student Bo Jiang (jiangbo(a)brandeis.edu) for
  creating the initial version.

o Added run time interaction as documented at
  http://www.insecure.org/nmap/man/man-runtime-interaction.html .
  While Nmap is running, you can now press 'v' to increase verbosity,
  'd' to increase the debugging level, 'p' to enable packet tracing,
  or the capital versions (V,D,P) to do the opposite.  Any other key
  (such as enter) will print out a status message giving the estimated
  time until scan completion.  Most of this work was done by Paul
  Tarjan (ptarjan(a)stanford.edu), Andrew Lutomirski
  (luto(a)myrealbox.com), and Gisle Vanem (giva(a)bgnett.no).

o Reverse DNS resolution is now done in parallel rather than one at a
  time.  All scans of large networks (particularly list, ping and
  just-a-few-ports scans) benefit substantially from this change. The
  new --system-dns option was added so you can use the (slow) system
  resolver if you prefer that for some reason.  You can specify a
  comma separated list of DNS server IP addresses for Nmap to use with
  the new --dns-servers option.  Otherwise, Nmap looks in
  /etc/resolve.conf (UNIX) or the system registry (Windows) to obtain
  the nameservers already configured for your system.  This excellent
  patch was written by Doug Hoyte (doug(a)hcsw.org).

o Updated NmapFE to build with GTK2 rather than obsolete GTK1.  Thanks
  to Priit Laes (amd(a)store20.com), Mike Basinger
  (dbasinge(a)speakeasy.net) and Meethune Bhowmick
  (meethune(a)oss-institute.org) for developing the patch.  GTK2 is
  prettier, more functional, and actually exists on most modern Linux
  distributions (many of which removed GTK1 long ago).

o Added the --badsum option, which causes Nmap to use invalid TCP or
  UDP checksums for packets sent to target hosts. Since virtually all
  host IP stacks properly drop these packets, any responses received
  are likely coming from a firewall or IDS that didn't bother to
  verify the checksum. For more details on this technique, see
  http://www.phrack.org/phrack/60/p60-0x0c.txt .  The author of that
  paper, Ed3f (ed3f(a)antifork.org), is also the author of this patch
  (which I changed it a bit).

o The 26 Nmap commands that previously included an underscore
  (--max-rtt-timeout, --send-eth, --host-timeout, etc.) have been
  renamed to use a hyphen in the preferred format
  (i.e. --max-rtt-timeout).  Underscores are still supported for
  backward compatibility.

o Added --max-retries option for capping the maximum number of
  retransmissions the port scan engine will do. The value may be as
  low as 0 (no retransmits).  A low value can increase speed, though
  at the risk of losing accuracy.  The -T4 option now allows up to 6
  retries, and -T5 allows 2.  Thanks to Martin Macok
  (martin.macok(a)underground.cz) for writing the initial patch.

o Many of the Nmap low-level timing options take a value in
  milliseconds.  You can now append an 's', 'm', or 'h' to the value
  to give it in seconds, minutes, or hours instead.  So you can specify a
  45 minute host timeout with --host-timeout 45m rather than specifying
  --host-timeout 2700000 and hoping you did the math right and have the 
  correct number of zeros.  This also now works for the
  --min-rtt-timeout, --max-rtt-timeout, --initial-rtt-timeout,
  --scan-delay, and --max-scan-delay options.

o Wrote a new Nmap compilation, installation, and removal guide, which
  you can find at http://www.insecure.org/nmap/install/ .

o Made some changes to allow source port zero scans (-g0).  Nmap used
  to refuse to do this, but now it just gives a warning that it may not
  work on all systems.  It seems to work fine on my Linux box.  Thanks
  to Bill Dale (bill_dale(a)bellsouth.net) for suggesting this feature.

o Applied some small fixes so that Nmap compiles with Visual C++
  2005 Express, which is free from Microsoft at
  http://msdn.microsoft.com/vstudio/express/visualc/ .  Thanks to KX
  (kxmail(a)gmail.com) and Sina Bahram (sbahram(a)nc.rr.com)

o Added --thc option (undocumented)

o Wrote a new "help screen", which you get when running Nmap without
  arguments.  It is also reproduced in the man page and at
  http://www.insecure.org/nmap/data/nmap.usage.txt .  I gave up trying
  to fit it within a 25-line, 80-column terminal window.  It is now 78
  lines and summarizes all but the most obscure Nmap options.

o Added OS, device type, and hostname detection using the service
  detection framework.  Many services print a hostname, which may be
  different than DNS.  The services often give more away as well.  If
  Nmap detects IIS, it reports an OS family of "Windows".  If it sees
  HP JetDirect telnetd, it reports a device type of "printer".  Rather
  than try to combine TCP/IP stack fingerprinting and service OS
  fingerprinting, they are both printed.  After all, they could
  legitimately be different.  An IP that gives a stack fingerprint
  match of "Linksys WRT54G broadband router" and a service fingerprint
  of Windows based on Kazaa running is likely a common NAT setup rather
  than an Nmap mistake.

o Overhauled the Nmap version detection guide and posted it at
  http://www.insecure.org/nmap/vscan/ .

o Service/version detection now handles multiple hosts at once for
  more efficient and less-intrusive operation.

o Added "rarity" feature to Nmap version detection.  This causes
  obscure probes to be skipped when they are unlikely to help.  Each
  probe now has a "rarity" value.  Probes that detect dozens of
  services such as GenericLines and GetRequest have rarity values of
  1, while the WWWOFFLEctrlstat and mydoom probes have a rarity of 9.
  When interrogating a port, Nmap always tries probes registered to
  that port number.  So even WWWOFFLEctrlstat will be tried against
  port 8081 and mydoom will be tried against open ports between 3127
  and 3198.  If none of the registered ports find a match, Nmap tries
  probes that have a rarity less than or equal to its current
  intensity level.  The intensity level defaults to 7 (so that most of
  the probes are done).  You can set the intensity level with the new
  --version-intensity option.  Alternatively, you can just use
  --version-light or --version-all which set the intensity to 2 (only
  try the most important probes and ones registered to the port
  number) and 9 (try all probes), respectively.  --version-light is
  much faster than default version detection, but also a bit less
  likely to find a match.  This feature was designed and implemented
  by Doug Hoyte (doug(a)hcsw.org).

o Added a "fallback" feature to the nmap-service-probes database.
  This allows a probe to "inherit" match lines from other probes.  It
  is currently only used for the HTTPOptions, RTSPRequest, and
  SSLSessionReq probes to inherit all of the match lines from
  GetRequest.  Some servers don't respond to the Nmap GetRequest (for
  example because it doesn't include a Host: line) but they do respond
  to some of those other 3 probes in ways that GetRequest match lines
  are general enough to match.  The fallback construct allows us to
  benefit from these matches without repeating hundreds of signatures
  in the file.  This is another feature designed and implemented
  by Doug Hoyte (doug(a)hcsw.org).

o Added "Exclude" directive to nmap-service-probes grammar which
  causes version detection to skip listed ports.  This is helpful for
  ports such as 9100.  Some printers simply print any data sent to
  that port, leading to pages of HTTP requests, SMB queries, X Windows
  probes, etc.  If you really want to scan all ports, specify
  --allports.  This patch came from Doug Hoyte (doug(a)hcsw.org).

o Version detection softmatches (when Nmap determines the service
  protocol such as smtp but isn't able to determine the app name such as
  Postfix) can now parse out the normal match line fields such as
  hostname, device type, and extra info.  For example, we may not know
  what vendor created an sshd, but we can still parse out the protocol
  number.  This was a patch from  Doug Hoyte (doug(a)hcsw.org).

o Fixed a bunch of typos and misspellings throughout the Nmap source
  code (mostly in comments).  This was a 625-line patch by Saint Xavier
  (skyxav(a)skynet.be).

o Added a stripped-down and heavily modified version of Dug Song's
  libdnet networking library (v. 1.10).  This helps with the new raw
  ethernet features.  My (extensive) changes are described in
  libdnet-stripped/NMAP_MODIFICATIONS

o Updated nmap data files (nmap-mac-prefixes, nmap-protocols,
  nmap-rpc) with the latest OUIs, IP protocols, and RPC program numbers,
  respectively.

o Updated the included libpcap from 0.7.2 to 0.9.3.  This was an
  attempt to fix an annoying bug, which I then found was actually in
  my code rather than libpcap :).  Also updated the included GNU
  shtool (to 2.0.2), LibPCRE (6.4), and the autoconf config.* files
  (to the latest from their CVS).

o Nmap now uses (and require) WinPcap 3.1 on Windows.

o Added MAC address printing.  If Nmap receives packet from a target
  machine which is on an Ethernet segment directly connected to the
  scanning machine, Nmap will print out the target MAC address.  Nmap
  also now contains a database (derived from the official IEEE
  version) which it uses to determine the vendor name of the target
  ethernet interface.  Here are examples from normal and XML output
  (angle brackets replaced with [] for HTML changelog compatibility):
  MAC Address: 08:00:20:8F:6B:2F (SUN Microsystems)
  [address addr="00:A0:CC:63:85:4B" vendor="Lite-on Communications" 
addrtype="mac" /]

o The official Nmap RPM files are now compiled statically for better
  compatibility with other systems.  X86_64 (AMD Athlon64/Opteron)
  binaries are now available in addition to the standard i386.  NmapFE
  RPMs are no longer distributed by Insecure.Org.

o Nmap distribution signing has changed. Release files are now signed
  with a new Nmap Project GPG key (KeyID 6B9355D0).  Learn more at
  http://www.insecure.org/nmap/install/index.html#inst-integrity

o Updated random scan (ip_is_reserved()) to reflect the latest IANA
  assignments.  This to Felix Groebert
  (felix(a)groebert.org) and Chad Loder (cloder(a)loder.us) for
  sending these patches.

o Added the --iflist option, which prints a list of system interfaces
  and routes detected by Nmap.

o Removed WinIP library (and all Windows raw sockets code) since MS
  has gone and broken raw sockets.  Maybe packet receipt via raw
  sockets will come back at some point.  As part of this removal, the
  Windows-specific --win_help, --win_list_interfaces, --win_norawsock,
  --win_forcerawsock, --win_nopcap, --win_nt4route, --win_noiphlpapi,
  and --win_trace options have been removed.

o Added new --privileged command-line option and NMAP_PRIVILEGED
  environmental variable.  Either of these tell Nmap to assume that
  the user has full privileges to execute raw packet scans, OS
  detection and the like.  This can be useful when Linux kernel
  capabilities or other systems are used that allow non-root users to
  perform raw packet or ethernet frame manipulation.  Without this
  flag or variable set, Nmap bails on UNIX if geteuid() is
  nonzero.

o Changed the RPM spec file so that if you define "static" to 1 (by
  passing --define "static 1" to rpmbuild), static binaries are built.

o ultra_scan() now sets pseudo-random ACK values (rather than 0) for
  any TCP scans in which the initial probe packet has the ACK flag set.
  This would be the ACK, Xmas, Maimon, and Window scans.

o Fixed an integer overflow that prevented Nmap from scanning
  2,147,483,648 hosts in one expression (e.g. 0.0.0.0/1).  Problem
  noted by Justin Cranford (jcranford(a)n-able.com).  While /1 scans
  are now possible, don't expect them to finish during your bathroom
  break.  No matter how constipated you are.

o Changed from CVS to Subversion source control system (which
  rocks!). Neither repository is currently public due to security
  paranoia.

o Nmap now ships with and installs (in the same directory as other
  data files such as nmap-os-fingerprints) an XSL stylesheet for
  rendering the XML output as HTML.  This stylesheet was written by
  Benjamin Erb ( see http://www.benjamin-erb.de/nmap/ for examples).
  It supports tables, version detection, color-coded port states, and
  more.  The XML output has been augmented to include an
  xml-stylesheet directive pointing to nmap.xsl on the local
  filesystem.  You can point to a different XSL file by providing the
  filename or URL to the new --stylesheet argument.  Omit the
  xml-stylesheet directive entirely by specifying --no-stylesheet.
  The XML to HTML conversion can be done with an XSLT processor such
  as Saxon, Sablot, or Xalan, but modern browsers can do this on the
  fly -- simply load the XML output file in IE or Firefox.It is
  often more convenient to have the stylesheet loaded from a URL
  rather than the local filesystem, allowing the XML to be rendered on
  any machine regardless of whether/where the XSL is installed.  For
  privacy reasons (avoid loading of an external URL when you view
  results), Nmap uses the local filesystem by default.  If you would
  like the latest version of the stylesheet loaded from Insecure.Org when
  rendering, specify --webxml, which is a shortcut for
  --stylesheet http://www.insecure.org/nmap/data/nmap.xsl .

o If a user attempts -PO (the letter O), instead of -P0 (zero), print
  an error suggesting that the user is a doofus (actually it is a nice
  message)

o Upgraded the fragmentation option (-f).  One -f now sets sends
  fragments with just 8 bytes after the IP header, while -ff sends 16
  bytes to reduce the number of fragments needed.  You can specify
  your own fragmentation offset (must be a multiple of 8) with the new
  --mtu flag.  Don't also specify -f if you use --mtu.  Remember that
  some systems (such as Linux with connection tracking) will
  defragment in the kernel anyway -- so test first while sniffing with
  ethereal.  These changes are from a patch by Martin Macok
  (martin.macok(a)underground.cz).

o Nmap now prints the number (and total bytes) of raw IP packets sent
  and received when it completes, if verbose mode (-v) is enabled.  The
  report looks like:
  Nmap finished: 256 IP addresses (3 hosts up) scanned in 30.632 seconds
                 Raw packets sent: 7727 (303KB) | Rcvd: 6944 (304KB)

o Added new "closed|filtered" state.  This is used for Idle scan, since
  that scan method can't distinguish between those two states.  Nmap
  previously just used "closed", but this is more accurate.

o Null, FIN, Maimon, and Xmas scans now mark ports as "open|filtered"
  instead of "open" when they fail to receive any response from the
  target port.  After all, it could just as easily be filtered as open.
  This is the same change that was made to UDP scan in 3.70.  Also as
  with UDP scan, adding version detection (-sV) will change the state
  from open|filtered to open if it confirms that they really are open.

o Change IP protocol scan (-sO) so that a response from the target
  host in any protocol at all will prove that protocol is open.  As
  before, no response means "open|filtered", an ICMP protocol
  unreachable means "closed", and most other ICMP error messages mean
  "filtered".

o Changed IP protocol scan (-sO) so that it sends valid ICMP, TCP, and
  UDP headers when scanning protocols 1, 6, and 17, respectively.  An
  empty IP header is still sent for all other protocols.  This should
  prevent the error messages such as "sendto in send_ip_packet:
  sendto(3, packet, 20, 0, 192.31.33.7, 16) => Operation not
  permitted" that Linux (and perhaps other systems) would give when
  they try to interpret the raw packet.  This also makes it more
  likely that these protocols will elicit a response, proving that the
  protocol is "open".

o Fixed a memory leak that would generally consume several hundred
  bytes per down host scanned.  While the effect for most scans is
  negligible, it was overwhelming when Scott Carlson
  (Scott.Carlson(a)schwab.com) tried to scan 24 million IPs
  (10.0.0.0/8).  Thanks to him for reporting the problem.  Also thanks
  to Valgrind ( http://valgrind.kde.org ) for making it easy to debug.

o Added --max-scan-delay parameter.  Nmap will sometimes increase the
  delay itself when it detects many dropped packets.  For example,
  Solaris systems tend to respond with only one ICMP port unreachable
  packet per second during a UDP scan.  So Nmap will try to detect
  this and lower its rate of UDP probes to one per second.  This can
  provide more accurate results while reducing network congestion, but
  it can slow the scans down substantially.  By default (with no -T
  options specified), Nmap allows this delay to grow to one second per
  probe.  This option allows you to set a lower or higher maximum.
  The -T4 and -T5 scan modes now limit the maximum scan delay for TCP
  scans to 10 and 5 ms, respectively.

o Added --max-hostgroup option which specifies the maximum number of
  hosts that Nmap is allowed to scan in parallel.

o Added --min-hostgroup option which specifies the minimum number of
  hosts that Nmap should scan in parallel (there are some exceptions
  where Nmap will still scan smaller groups -- see man page).  Of
  course, Nmap will try to choose efficient values even if you don't
  specify hostgroup restrictions explicitly.

o Nmap now estimates completion times for almost all port scan types
  (any that use ultra_scan()) as well as service scan (version
  detection).  These are only shown in verbose mode (-v).  On scans
  that take more than a minute or two, you will see occasional updates
  like:
  SYN Stealth Scan Timing: About 30.01% done; ETC: 16:04 (0:01:09 remaining)
  New updates are given if the estimates change significantly.

o Added --exclude option, which lets you specify a comma-separated
  list of targets (hosts, ranges, netblocks) that should be excluded
  from the scan.  This is useful to keep from scanning yourself, your
  ISP, particularly sensitive hosts, etc.  The new --excludefile reads
  the list (newline-delimited) from a given file.  All the work was
  done by Mark-David McLaughlin (mdmcl(a)cisco.com> and William McVey
  ( wam(a)cisco.com ), who sent me a well-designed and well-tested
  patch.

o Nmap now has a "port scan ping" system.  If it has received at least
  one response from any port on the host, but has not received
  responses lately (usually due to filtering), Nmap will "ping" that
  known-good port occasionally to detect latency, packet drop rate,
  etc.

o Nmap now wishes itself a happy birthday when run on September 1 in
  verbose mode!  The first public release was on that date in 1997.

o The port randomizer now has a bias toward putting
  commonly-accessible ports (80, 22, etc.) near the beginning of the
  list.  Getting a response early helps Nmap calculate response times and
  detect packet loss, so the scan goes faster.

o Host timeout system (--host-timeout) overhauled to support host
  parallelization.  Hosts times are tracked separately, so a host that
  finishes a SYN scan quickly is not penalized for an exceptionally
  slow host being scanned at the same time.

o When Nmap has not received any responses from a host, it can now use
  certain timing values from other hosts from the same scan group.
  This way Nmap doesn't have to use absolute-worst-case (300bps SLIP
  link to Uzbekistan) round trip time and latency estimates.

o Documented the --osscan-limit option, which saves time by skipping
  OS detection if at least one open and one closed port are not found on
  the remote hosts.  OS detection is much less reliable against such
  hosts anyway, and skipping it can save some time.

o Configure script now detects GNU/k*BSD (whatever that is),
  thanks to patches from Robert Millan (rmh@xxxxxxxxxx) and Petr
  Salinger (Petr.Salinger(a)t-systems.cz)

o Provide limited --packet-trace support for TCP connect() (-sT)
  scans.

o Hundreds of other features, bugfixes, and portability
  enhancements described at http://www.insecure.org/nmap/changelog.html

MOVING FORWARD:

With this stable version out of the way, we plan to dive headfirst
into the next development cycle. Many exciting features are in the
queue, including a next-generation OS detection system. We also plan
to launch the 2006 Nmap User Survey in February, to learn what
features you want most. For the latest news, consider joining the
32,000-member low-volume moderated Nmap-hackers list. Subscribe at
http://cgi.insecure.org/mailman/listinfo/nmap-hackers, or you can read
the archives at seclists.org. You can subscribe to the (high traffic)
development list at http://cgi.insecure.org/mailman/listinfo/nmap-dev.

DOWNLOAD:

Nmap is available for download from http://www.insecure.org/nmap/ for
most platforms in source or binary form. Nmap is free, open source
software (license: http://www.insecure.org/nmap/data/COPYING )

ACKNOWLEDGEMENTS:

A popular open source security scanner recently went proprietary,
complaining that their community never contributes much. We are sorry
to hear that, but happy to report that the Nmap community is as
vibrant and productive as ever! We would like to acknowledge and thank
the many people who contributed ideas and/or code to this release
(since 3.50). Special thanks go out to Adam Kerrison, Adam Morgan,
Adriano Monteiro Marques, Alan Bishoff, Alan William Somers, Albert
Chin, Allison Randal, Alok Tangoankar, Amy Hennings, Anders Thulin,
Andreia Gaita, Andy Lutomirski, Annalee Newitz, Arturo Buanzo
Busleiman, Bart Dopheide, Beirne Konarski, Ben Harris, Bill Dale, Bill
Petersen, Bill Pollock, Bo Jiang, Brian Hatch, Chad Loder, Chris
Gibson, Christophe, Craig Humphrey, Curtis Doty, Dana Epp, Dirk
Mueller, Doug Hoyte, Dragos Ruiu, Dug Song, Duilio J. Protti, Eric
S. Raymond, Felix Gröbert, Florian Ebner, Fyodor Yarochkin, Ganga
Bhavani, Gisle Vanem, Glyn Geoghegan, Greg A. Woods, Greg Darke, Greg
Taleck, Gwenole Beauchesne, HD Moore, Jedi/Sector One, Jeff Nathan,
Jesse Burns, Jim Carras, Jim Harrison, Jonathan Dieter, José Domingos,
Justin Cranford, Justin M Cacak, Krok, KX, Lamont Jones, Lance
Spitzner, Laurent Estieux, Lionel Cons, Lucien Raven, MadHat, Marius
Strobl, Mark-David McLaughlin, Mark Ruef, Martin Macok, Matthieu
Verbert, Matt Selsky, Max Schubert, Meethune Bhowmick, Mephisto, Mike
Basinger, Mike Hatz, Murphy, Netris, Okan Demirmen, Ole Morten
Grodaas, Oliver Eikemeier, Pascal Trouvin, Paul Tarjan, Petr Salinger,
Petter Reinholdtsen, pijn trein, Ping Huang, Piotr Sobolewski, Priit
Laes, Princess Nadia, Raven Alder, Richard Birkett, Richard Moore,
Robert E. Lee, Rob Foehl, Ronak Sutaria, Royce Williams, Ruediger
Rissmann, Saint Xavier, Saravanan, Scott Mansfield, Sebastian
Wolfgarten, Seth Master, Shahid Khan, Simon Burr, Simple Nomad, Sina
Bahram, Solar Designer, Srivatsan, Stephane Loeuillet, Stephen Bishop,
Steve Christensen, Steve Martin, Thorsten Holz, Tom Duffy, Tom Rune
Flo, Tom Sellers, Tony Golding, van Hauser, vlad902, William McVey,
Zapphire, and Zhao Lei.

And of course we would also like to thank the thousands of people who
have submitted OS and service/version fingerprints, as well as
everyone who has found and reported bugs or suggested features.

For further information, see http://www.insecure.org/