Nmap is perhaps the best-known port scanner available and the standard against which all others are measured. Freely available from Insecure.org under the GPL license, Nmap will run on just about any operating system in existence, from Microsoft's Windows to your favorite variety of Linux/Unix.
At this point in its life cycle, Nmap 4.01's core port-scanning engine is mature, robust and capable of scanning both IPv4 and IPv6 hosts, independent of whether or not they are protected by firewalls.
Our lab testing on a SUSE 9 Linux workstation showed improved speed (about 10 percent) over the 3.81 Nmap release with which we compared it. (Information Security reviewed Nmap 3.75 in December 2004.) Considering that a typical SYN scan takes about 1.5 seconds per host, the difference will likely be imperceptible to the user when scanning a small number of machines on a network.
The big improvements in Nmap's 4.01 release are in the areas of service and OS identification. If you're willing to take a substantial hit on the amount of time Nmap spends on a host (our results varied widely from 15 to 90 seconds, depending on the number of open ports/services on the host and command-line options used), the application can give you a wealth of information about services running on the target being scanned, including the type of service and the version number (e.g., Microsoft IIS 6.0).
Nmap has expanded its database to include more than 3,000 signatures for some 380 service protocols; this is a very handy tool for determining if the host is running vulnerable versions of popular services, and for giving you the information you need to take appropriate steps to remediate the vulnerabilities.
The OS fingerprinting results in 4.01 were better than what we obtained in 3.81, but there is still room for improvement with this cool feature, especially in speed and accuracy. For example, Nmap could correctly identify a Windows 2003 SP1 VMware target on a VMware ESX server, but could not identify a Windows NT SP6a target on a different ESX server (it did identify the latter as a generic Windows host).
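The review notes that the service-version and OS-fingerprint results are what let an administrator decide which hosts need remediation. The script below is an added example (not part of the original review or of the Nmap project) showing how a defender might turn Nmap's `-sV`/`-O` results into a patch-status inventory. It parses Nmap's XML output (the `-oX` option), which is assumed here since the review does not mention it; the sample document is constructed to follow that schema and is not real scan output, the hosts are documentation addresses, and the `BASELINE` minimum-version table is hypothetical.

```python
"""Turn Nmap -sV/-O XML output (-oX) into a per-host inventory and flag
services that fall below a minimum-version baseline.  Added example; the
XML below is constructed to mimic Nmap's schema, not a real scan."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: one host with a probed IIS 6.0 banner and an
# unprobed SMB port, one host whose OS match is weaker.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.0/29" version="4.01">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Microsoft IIS httpd" version="6.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="25">
        <state state="filtered"/>
        <service name="smtp" method="table" conf="3"/>
      </port>
    </ports>
    <os>
      <osmatch name="Microsoft Windows Server 2003 SP1" accuracy="98"/>
    </os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="Microsoft ftpd" version="4.0" method="probed" conf="10"/>
      </port>
    </ports>
    <os>
      <osmatch name="Microsoft Windows NT 4.0" accuracy="85"/>
      <osmatch name="Microsoft Windows 2000" accuracy="60"/>
    </os>
  </host>
</nmaprun>
"""

# Hypothetical patch baseline: minimum acceptable version per product string.
BASELINE = {"Microsoft IIS httpd": "7.0"}


def version_tuple(v):
    """'2.0.52a' -> (2, 0, 52): keep the leading digits of each dotted part."""
    out = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        out.append(int(m.group()) if m else 0)
    return tuple(out)


def parse_scan(xml_text):
    """Return {addr: {"os": name or None, "os_accuracy": int, "services": [...]}}."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports carry version information
            svc = port.find("service")
            get = (lambda k: svc.get(k)) if svc is not None else (lambda k: None)
            services.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": get("name"),
                "product": get("product"),
                "version": get("version"),
                # "probed" means the banner was actually matched, not guessed
                # from the port-number table
                "probed": get("method") == "probed",
            })
        matches = host.findall("os/osmatch")
        best = max(matches, key=lambda m: int(m.get("accuracy", "0")), default=None)
        hosts[addr_el.get("addr")] = {
            "os": best.get("name") if best is not None else None,
            "os_accuracy": int(best.get("accuracy")) if best is not None else 0,
            "services": services,
        }
    return hosts


def below_baseline(hosts, baseline=BASELINE):
    """(addr, port, product, version) for services older than the baseline."""
    findings = []
    for addr, info in hosts.items():
        for s in info["services"]:
            req = baseline.get(s["product"])
            if req and s["version"] and version_tuple(s["version"]) < version_tuple(req):
                findings.append((addr, s["port"], s["product"], s["version"]))
    return findings


def unversioned_open_ports(hosts):
    """Open ports where -sV only table-guessed the service: review by hand."""
    return [(addr, s["port"], s["name"])
            for addr, info in hosts.items()
            for s in info["services"] if not s["probed"]]


if __name__ == "__main__":
    inv = parse_scan(SAMPLE_XML)
    for addr, info in inv.items():
        print(addr, info["os"], info["os_accuracy"])
        for s in info["services"]:
            print("  ", s["port"], s["proto"], s["name"], s["product"], s["version"])
    print("below baseline:", below_baseline(inv))
    print("unversioned:", unversioned_open_ports(inv))
```

Distinguishing `method="probed"` from `method="table"` matters in practice: a table entry is only the well-known service for that port number, so a version comparison built on it would be meaningless, and those ports are listed separately for manual review rather than silently treated as safe.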
The service and OS identification portions of Nmap are of particular interest to the security community, so we expect these capabilities to be improved with future versions.
Both application source and binary installation packages are available, so you should be able to get the application up and running via standard methods, including RPM installation for Linux, or by simply unzipping the Windows binaries if you don't want to compile them yourself.
The Linux versions provide a GUI front end that will help users familiarize themselves with the various choices available for starting and running Nmap. The GUI is pleasant enough, but, frankly, it's little more than a thin wrapper over the rich set of command-line flags that Nmap supports, and will only be of value to the greenest of newbies. If you're not familiar with it already, do yourself and your organization a favor and learn the command-line interface as soon as possible so that you can get the most value out of this highly versatile tool.
Nmap is an indispensable component of any system administrator's toolbox, and is one of the best examples of what can be accomplished with well-managed and useful open-source projects. It's freely available, and if you haven't used it yet, download it now and start exploring its deep capabilities.
This product review originally appeared in the May 2006 issue of Information Security magazine.