Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Nmap 6 Released Featuring Improved Scripting, Full IPv6 Support

Unknown Lamer posted more than 2 years ago | from the port-scanning-is-not-a-crime dept.

Open Source 45

First time accepted submitter Chankey Pathak writes "The Nmap Project is pleased to announce the immediate, free availability of the Nmap Security Scanner version 6.00 from It is the product of almost three years of work, 3,924 code commits, and more than a dozen point releases since the big Nmap 5 release in July 2009. Nmap 6 includes a more powerful Nmap Scripting Engine, 289 new scripts, better web scanning, full IPv6 support, the Nping packet prober, faster scans, and much more!"

cancel ×


Sorry! There are no comments related to the filter you selected.

Machine learning (AI) for the IPv6 OS detection (4, Interesting)

Anonymous Coward | more than 2 years ago | (#40076915)

It's great to see the use of machine learning for the OS clasification / fingerprinting with IPv6. If this works out well I'd love to see a 3rd-generation IPv4 OS detection added using similar techniques. See []

STILL THE ONE !!?? (-1)

Anonymous Coward | more than 2 years ago | (#40076927)

Am I still number 1, after passing by TWICE !!

Why do we care who submitted this article? (-1)

Anonymous Coward | more than 2 years ago | (#40077069)

...and a slashvertisement to their content farm site?

Re:Why do we care who submitted this article? (3, Informative)

Anonymous Coward | more than 2 years ago | (#40077313)


1. Giving credit who submitted a story has been the way Slashdot has worked since last century.

2. Users are free to put whatever web page in as their home page, whether it be a replacement for a finger profile, or Last Measure, or their own blog or whatever.

3. Anonymous Cowards are 99.997% morons.

Better Details (5, Informative)

Anonymous Coward | more than 2 years ago | (#40077091)

Here's a better detail of what's up, even more following the link.

1. NSE Enhanced
  The script count has grown from 59 in Nmap 5 to 348 in Nmap 6, and all of them are documented and categorized in our NSE Documentation Portal. The underlying NSE infrastructure has improved dramatically as well.

3. Full IPv6 Support
Basic support isn't enough, so we spent many months ensuring that Nmap version 6 contains full support for IP version 6. And we released it just in time for the World IPv6 Launch.

        We've created a new IPv6 OS detection system, advanced host discovery, raw-packet IPv6 port scanning, and many NSE scripts for IPv6-related protocols. It's easy to use too—just specify the -6 argument along with IPv6 target IP addresses or DNS records. In addition, all of our web sites are now accessible via IPv6. For example, can be found at 2600:3c01::f03c:91ff:fe96:967c.

4. New Nping Tool

        The newest member of the Nmap suite of networking and security tools is Nping, an open source tool for network packet generation, response analysis and response time measurement. Nping can generate network packets for a wide range of protocols, allowing full control over protocol headers. While Nping can be used as a simple ping utility to detect active hosts, it can also be used as a raw packet generator for network stack stress testing, ARP poisoning, Denial of Service attacks, route tracing, etc. Nping's novel echo mode lets users see how packets change in transit between the source and destination hosts. That's a great way to understand firewall rules, detect packet corruption, and more.

5. Better Zenmap GUI & results viewer

        While Nmap started out as a command-line tool and many (possibly most) users still use it that way, we've also developed an enhanced GUI and results viewer named Zenmap. One addition since Nmap 5 is a “filter hosts” feature which allows you to see only the hosts which match your criteria (e.g. Linux boxes, hosts running Apache, etc.) We've also localized the GUI to support five languages besides English. A new script selection interface helps you find and execute Nmap NSE scripts. It even tells you what arguments each script supports.

6. Faster scans

Since Nmap 5 we've rewritten the traceroute system for higher performance and increased the allowed parallelism of the Nmap Scripting Engine and version detection subsystems. We also performed an intense memory audit which reduced peak consumption during our benchmark scan by 90%. We made many improvements to Zenmap data structures and algorithms as well so that it can now handle large enterprise scans with ease.

Re:Better Details (1)

Provocateur (133110) | more than 2 years ago | (#40077453)

Do we need to rewrite The Matrix Reloaded then?

The Wachowsky Brothers

Re:Better Details (1)

AndrewStephens (815287) | more than 2 years ago | (#40082017)

Yes, but not for this reason.

Filmgoing Public

Re:Better Details (2)

whoisisis (1225718) | more than 2 years ago | (#40078467)

I find it a bit amusing that their IPv6 address starts with 2600

Re:Better Details (1)

unixisc (2429386) | more than 2 years ago | (#40079933)

I didn't get the joke. 2600 is one of the /12 blocks assigned to ARIN [] . Other than that, not commenting much - not sure I understand what Nmap is in the first place.

Re:Better Details (1)

pLnCrZy (583109) | more than 2 years ago | (#40080503)

I think you would need a much smaller /. UID in order to get that joke.

Re:Better Details (1)

unixisc (2429386) | more than 2 years ago | (#40080881)

Except that whoisisis has a 7-digit UID, just like mine. Oh, whatever...

Re:Better Details (1)

skids (119237) | more than 2 years ago | (#40081933)

Yes that makes it easy to rememb... oh screw that!

Thee will be a lot of 2600 prefixes, though, considering usual allocations for people with "sites" and preexisting IPV4 allocations are /48 or /44.

BT5r2 doesn't have deb build yet - it's here (3, Informative)

phillips321 (955784) | more than 2 years ago | (#40077181)

Shameful plug here guys.
I've compiled the sources earlier this morning into deb packages for those that want to play with it without building from source (building from source will confuse the system and you might not get updates). Both i386 and amd64 versions working on BT5 r2 here. []

My eyes! The goggles do nothing! (-1)

Anonymous Coward | more than 2 years ago | (#40077257)

Why does their site look like it's stuck in 1999? There's a giant, unused header bar area, all the text (headers and paragraphs) are the same size of ultra-generic sans-serif font, and they even have a quaint little site navigation table (with the curiously right-justified "In The News" link). Kudos to whoever included the screenshot of the console output; the green-text-on-a-black-background really shows us how l33t they are (along with everyone else on Geocities and MySpace)!

If this is the quality of their HTML and CSS code, that doesn't give me much optimism about the quality of their C code.

Re:My eyes! The goggles do nothing! (1)

Anonymous Coward | more than 2 years ago | (#40077377)

I've never expected engineers to make anything "pretty". Functionality is king.

Re:My eyes! The goggles do nothing! (3, Interesting)

Jeng (926980) | more than 2 years ago | (#40077387)

If this is the quality of their HTML and CSS code, that doesn't give me much optimism about the quality of their C code.

Why? Just because they didn't spend time making it look pretty for you?

Re:My eyes! The goggles do nothing! (2)

phillips321 (955784) | more than 2 years ago | (#40077415)

There's such thing as great coders and also such thing as great developers, but rarely, if ever, the both together.

What are you talking about? (0)

Anonymous Coward | more than 2 years ago | (#40080571)

If this is the quality of their HTML and CSS code, that doesn't give me much optimism about the quality of their C code.

That makes perfect sense. After all, being an expert C programmer automatically makes one an expert in HTML and CSS. [rolls eyes]

I never did get an answer to ... (3, Interesting)

Skapare (16644) | more than 2 years ago | (#40077309)

... the question of whether or not Nmap could be used to sniff a network before it is configured with an IP address (DHCP can, so mechanisms to do so must exist, like maybe raw interface access), to do things like silently watch what other traffic is taking place to make smart guess as to which LAN a given interface is physically connected to. This information could then be used to select the IP address it is statically configured to use for a given subnet (but without specific interface information since that can change for many reasons).

Re:I never did get an answer to ... (4, Informative)

walshy007 (906710) | more than 2 years ago | (#40077447)

Wireshark can do this.

Re:I never did get an answer to ... (0)

tokul (682258) | more than 2 years ago | (#40078337)

Wireshark can do this.

No, it can't. Libpcap and tcpdump are not part of wireshark package. Wireshark is packet analyzer and not network sniffer.

Re:I never did get an answer to ... (3, Interesting)

flux (5274) | more than 2 years ago | (#40078607)

Well, neither libpcap nor tcpdump can do it either, they don't come with the network drivers. They are libraries/tools to access that functionality in the kernel.

Re:I never did get an answer to ... (1)

Shatrat (855151) | more than 2 years ago | (#40080275)

I think the 'teach a man to fish' answer would be that he needs a layer 1 or 2 tool, and nmap is for layer 3 and 4.

Re:I never did get an answer to ... (1)

insecuritiez (606865) | more than 2 years ago | (#40077785)

It's not exactly sniffing but take a look at all of the host detection scripts for IPv6: targets-ipv6-multicast-echo, targets-ipv6-multicast-invalid-dst, targets-ipv6-multicast-mld, targets-ipv6-multicast-slaac.

These scripts are using this feature "The new pre-scan occurs before Nmap starts scanning. Some of the initial pre-scan scripts use techniques like broadcast DNS service discovery or DNS zone transfers to enumerate hosts which can optionally be treated as targets.". So if you want to sniff an IPv4 network to add targets Nmap now has all of the tools you need to do that (NSE, libpcap bidings, the ability to add targets).

The issue is mostly that this isn't usually a useful feature for IPv4.

Re:I never did get an answer to ... (2)

bill_mcgonigle (4333) | more than 2 years ago | (#40077877)

What are you trying to do, nmap devices on a subnet without a DHCP server? Passive OS fingerprinting? Passive service discovery? Are you willing to do a little bit of switch ARP poisoning? All of the above to gather as much intel as possible without tripping too many IDS logs?

Re:I never did get an answer to ... (0)

Anonymous Coward | more than 2 years ago | (#40078119)

I don't think you really understand networking sufficiently to understand the question you are asking. DHCP cannot "sniff" a network, DHCP works via UDP Broadcast, a client configured for DHCP sends a UDP Broadcast announcing that it is looking for a DHCP server. A UDP broadcast gets sent to all hosts on a subnet, so the DHCP server receives it and sends a UDP Broadcast in response. There is no mechanism to silently receive unicast TCP or UDP messages by a host plugged in to a switch if that host does not have an IP address. Switches only send unicast packets to hosts with the appropriate IP address. If you were connected to a hub instead of a switch, the hub sends all packets out all ports, so you could receive any traffic sent to any host on the hub regardless of whether or not you have an IP address. You could also do some kind of ARP poisoning to tell the switch that you have an IP address that you don't actually have, but this is of dubious usefulness since it is not nondestructive, in that any packets sent to you aren't sent to the host they were originally intended for.

Re:I never did get an answer to ... (1)

skids (119237) | more than 2 years ago | (#40082037)

Switches only send unicast packets to hosts with the appropriate IP address.

Switches flood packets whenever their destination address's CAM entry expires, until they see another one to refresh the entry (unless switches have advanced port security/dot1x features turned on that prevent unicast flooding) so you will indeed see a bit of unicast traffic meant for other hosts, mostly hosts that are sporadically used, but also during STP topology changes.

This is not enough traffic to get much data at L7, but it is enough for L2/L3/L4 intelligence gathering. So it is theoretically possible to do a passive pre-scan to build a target list. However, that's really the job of pcap-based apps, not nmap.

Re:I never did get an answer to ... (1)

Skapare (16644) | more than 2 years ago | (#40118145)

FYI, the purpose is actually for dynamic configuration intelligence. Imagine having network static configuration data but without any interface names to associate it with. That and the newbie network admin just plugged the cables in the wrong ports (or ... is there a wrong port ... really).

Re:I never did get an answer to ... (1)

Anonymous Coward | more than 2 years ago | (#40078275)

Completely passive: Use tcpdump to gather packets from a promiscuous interface. There are usually lots of broadcasts including ARP queries, domain announcements, UPnP announcements, DHCP requests, etc. Wireshark will interpret all of this in easily digested form.

Active: Nmap can do ARP scans which broadcast queries and collect responses. You need to have some idea of what IP ranges are present (see above) to get meaningful results in reasonable time. No IP address is necessary to do this.

Re:I never did get an answer to ... (0)

Anonymous Coward | more than 2 years ago | (#40079701)

Check out the script broadcast-listener it does do some passive analysis.

Re:I never did get an answer to ... (1)

PhunkySchtuff (208108) | more than 2 years ago | (#40097769)

You'd either need to do some arp spoofing (Ettercap can do this) or be on a managed switch with port mirroring turned on, otherwise if you're on a regular switch port, you'll only see traffic that's actually destined for your MAC address, and regular broadcast traffic which tends to be less interesting (most of the time) than unicast traffic.

If you're playing with the arp tables, you can confuse switches to broadcast more traffic than they normally would, or if you've got a hub, you'll see what's going on in more detail.

Re:I never did get an answer to ... (1)

Skapare (16644) | more than 2 years ago | (#40118127)

I think the broadcast traffic will be sufficient. This could be augmented with some DHCP proding (try to get an address, but don't actually accept it ... just use it to get more information about what subnets other hosts think is here). The purpose is to detect which subnets are being used on this physical LAN ... for each interface ... before configuring them. A configuration table for this will exist, listing IP addresses and network prefixes. The idea is to figure out which interface to put them on without any specification of the interfaces in the configuration. Once that is done, it will continue to watch the network and look for changes. If there is a change, move the IP addresses around to match.

Don't forget Gopher! (4, Interesting)

ckthorp (1255134) | more than 2 years ago | (#40077341)

From the release notes: "Nmap now supports the old-school Gopher protocol thanks to our handy gopher-ls NSE script. We even support Gopher over IPv6!"

Re:Don't forget Gopher! (1)

kestasjk (933987) | more than 2 years ago | (#40085227)

YES! I thought the best new feature this year was Emacs getting COBOL scripting support, but then this comes along!

AFSE (0)

Anonymous Coward | more than 2 years ago | (#40077759)

ASFE: "Another Fucking Scripting Engine"

Re:AFSE (1)

macshit (157376) | more than 2 years ago | (#40083703)

ASFE: "Another Fucking Scripting Engine"

It isn't really, of course—it's Lua, which has a long history and is widely used, and is perfectly suited for the application...

When you say nmap.. (0, Troll)

SirFatty (1940968) | more than 2 years ago | (#40077983)

I think of Fyodor. And why i think of him, this comes to mind: []

Re:When you say nmap.. (0)

Anonymous Coward | more than 2 years ago | (#40078797)

I love how whoever wrote that seems to think they've fucking Woodward and Bernstein. Seriously, one obnoxious "hacker" pulled a lame prank, then another obnoxious hacker pulled a slightly less lame prank in retaliation. It happened in 2002, thus prior to the 2002 amendment of the Computer Fraud and Abuse Act, thus it was probably a misdemeanor since there was no financial or otherwise criminal motivation. Even under current laws where this would be a felony, most prosecutors would probably not even bother to try this type of case since no damage was actually done.

Seriously, it's been ten fucking years, the people actually involved have grown the fuck up, it might be time you do the same.

So... (0)

Anonymous Coward | more than 2 years ago | (#40078829)

Does it already support scanning both "most common ports" and user defined ones without doing two separate runs?

AMD64 (64-bit) port 4 Windows (of NMap's latest)? (-1)

Anonymous Coward | more than 2 years ago | (#40079777)

See subject, & thanks for the information people... i.e.-> Is there a 64-bit port of this "latest/greatest" build for Windows for the AMD64 bit versions of that OS family (specifically Windows 7).


P.S.=> I've used WireShark in the past but I have YET to use this NMap tool, so what are some advantages/disadvantages vs. WireShark, and what can NMap do that WireShark can't? Those'd be my "main questions" here actually to get a comparison view from others who HAVE used both tools... & again, for feedback there too? Thanks... apk

That was quite an answer guys (0)

Anonymous Coward | more than 2 years ago | (#40084751)

In downmodding my post, that was only asking a couple questions...


P.S.=> Whoever did that downmod's a fool, & a total coward - seriously (& it's just about the dumbest thing I've seen of trolls here, ever)... apk

Well, @ least WireShark has a 64-bit port... apk (0)

Anonymous Coward | more than 2 years ago | (#40098333) []


P.S.=> I'm still astounded that someone modded down the post I replied to (my original one here), & especially as ALL it was, was an honest question - that STILL REMAINS UNANSWERED no less!

Then again?


(Hence, the "effete technically unjustified downmod retaliation" of posts I do is their ONLY "revenge" (lol, weak @ that))... apk

Online Port Scanner Updated (1)

hackertarget (1265522) | more than 2 years ago | (#40082345)

Great work to Fyodor and the dev team. Another quality release. The new NSE scripts are great, as is the speed improvements.

For those who have not used ncat - I urge you to check it out [] . With the portable windows version, you can drop this on a box and build encrypted tunnels. You can bring up a HTTP proxy in the time it takes you to type "ncat --proxy-type http -l 9090" It is a very handy little tool. When it comes to features ncat blows nc away.

Now to plug my service.

Online port scanner [] that uses Nmap, now updated to version 6.0. Allows port scanning of IPv4 and IPv6 addresses.

I just downloaded this, built it and ran it (0)

Anonymous Coward | more than 2 years ago | (#40084073)

I just downloaded this, built it, and ran it (against the new router my ISP sent me and its open ports).... about 90 minutes before I read this article on /. It is a lot faster than nmap used to be.

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>