Nmap Security Scanner
*Ref Guide
Security Lists
Security Tools
Site News
Advertising
About/Contact
Credits
Sponsors





Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
The History and Future of Nmap
Prev Chapter 1. Getting Started with Nmap Next

The History and Future of Nmap

Many ancient and well loved security tools, such as Netcat, tcpdump, and John the Ripper, haven't changed much over the years. Others, including Nessus, Wireshark, Cain and Abel, and Snort have been under constant development since the day they were released. Nmap is in that second category. It was released as a simple Linux-only port scanner in 1997. Over the next 10 years it sprouted a myriad of valuable features, including OS detection, version detection, the Nmap Scripting Engine, a Windows port, a graphical user interface, and more. This section provides a timeline of the most important events over a decade of Nmap history, followed by brief productions on the future of Nmap. For all significant Nmap changes (thousands of them), read the Nmap Changelog Old releases of Nmap can be found at http://nmap.org/dist/ and even older versions at http://nmap.org/dist-old/

  • September 1, 1997 — Nmap first released in Phrack Magazine Issue 51, article 11 It didn't have a version number because new releases weren't planned. Nmap was about 2,000 lines long, and compilation was as simple as gcc -O6 -o nmap nmap.c -lm.

  • September 5, 1997 — Due to popular demand, a slightly modified version of the Phrack code was released, calling itself version 1.25. The gzipped tarball is 28KB. Version 1.26 (48KB) is released 19 days later.

  • January 11, 1998 — Insecure.Org is registered and Nmap moves there from its previous home at the DataHaven Project (dhp.com) ISP.

  • March 14, 1998 — Renaud Deraison writes to let me that he is writing a security scanner, and asks if he can use some Nmap source code. Of course I say yes. 9 days later he sends me a pre-release version of Nessus, noting that it “is designed for sysadmins, not 3l33t H4ck3rZ”.

  • September 1, 1998 — Inspired by Nmap's first anniversary, I begin work on adding remote OS detection for the upcoming Nmap 2.00. On October 7 I release the first private beta version to a handful of top Nmap developers. We quietly work on this for several months.

  • December 12, 1998 — Nmap version 2.00 is publicly released, introducing Nmap OS detection for the first time. An article describing the techniques was released in Phrack 54, Article 9 By this point Nmap is broken up into many files, consists of about 8,000 lines of code, is kept in a private CVS revision control system, and the tarball is 275KB. The nmap-hackers mailing list is started, and later grows to more than 50,000 members.

  • April 11, 1999 — Nmap 2.11BETA1 is released. This is the first version to contain a graphical user interface as an alternative to the traditional command-line usage. The bundled GUI is NmapFE, which was originally written by Zach Smith. Some people like it, but the GUI never becomes as popular as traditional command-line usage.

  • April 28, 2000 — Nmap 2.50 is released By this point the tarball has grown to 461KB. This release includes timing modes such as -T aggressive, direct SunRPC scanning, and Window and ACK scan methods.

  • May 28, 2000 — Gerhard Rieger sends a message to the nmap-dev list describing a new “protocol scan” he has developed for Nmap, and he even includes a patch. This is so cool that I release Nmap 2.54BETA1 with his patch less than 12 hours later.

  • December 7, 2000 — Nmap 2.54BETA16 is released as the first official version to compile and run on Microsoft Windows. The Windows porting work was done by Ryan Permeh and Andy Lutomirski.

  • July 9, 2001 — The Nmap IP ID idle scan is introduced with Nmap 2.54BETA26. A paper describing the technique is released concurrently. This extremely cool (though not always practical) scan technique is described in the section called “TCP Idle Scan (-sI)”

  • July 25, 2002 — I quit my job at Netscape/AOL and start my dream job working on Nmap full time.

  • July 31, 2002 — Nmap 3.00 is released The tarball is 922K. This release includes Mac OS X support, XML output, and uptime detection.

  • August 28, 2002 — Nmap is converted from C to C++ and IPv6 supported is added as part of the Nmap 3.10ALPHA1 release

  • May 15, 2003 — Nmap was featured in the movie The Matrix Reloaded, where Trinity uses it (followed by a real SSH exploit) to hack a power station and save the world. This led to more publicity for Nmap than it had ever seen before or has seen since then. Details and screenshots are available at http://nmap.org/nmap_inthenews.html#matrix

  • July 21, 2003 — I finish a first implementation of Nmap service/version detection (Chapter 7, Service and Application Version Detection) and release it to a couple dozen top Nmap developers and users as Nmap 3.40PVT1. That is followed up by 16 more private releases over the next couple months as we improve the system and add signatures.

  • September 16, 2003 — Nmap service detection is finally released publicly as part of Nmap 3.45. A detailed paper is released concurrently.

  • February 20, 2004 — Nmap 3.50 is released The tarball is now 1571KB. SCO corporation is banned from redistributing Nmap because they refuse to comply with the GPL. They have to rebuild their Caldera release ISOs to remove Nmap. This release includes the packet tracing and UDP ping options. It also includes the OS classification system which classifies each of the hundreds of detected operating systems by vendor name, operating system name, OS generation, and device type.

  • August 31, 2004 — The core Nmap port scanning engine is rewritten for Nmap 3.70 The new engine, named ultra_scan() features dramatically improved algorithms and parallelization support to improve both accuracy and speed. The differences are particularly dramatic for hosts behind strict firewalls.

  • June 25, 2005 — Google sponsors 10 college and graduate students to work on Nmap full time for the summer as part of Google's Summer of Code initiative, which starts on this day. Projects include a second generation OS detection system (Zhao Lei) and a new cross-platform GUI named UMIT (Adriano Monteiro), and many other cool projects described at http://seclists.org/nmap-hackers/2005/0008.html

  • September 8, 2005 — Nmap gains raw ethernet frame sending support with the release of version 3.90 This allows for ARP scanning (see the section called “ARP Scan (-PR)”) and MAC address spoofing as well as evading the raw IP packet ban introduced by Microsoft in Windows XP SP2.

  • January 31, 2006 — Nmap 4.00 is released The tarball is now 2388KB. This release includes runtime interaction to provide on-demand completion estimates, a Windows executable installer, NmapFE updates to support GTK2, and much more.

  • May 24, 2006 — Google sponsors 10 more Nmap summer developers as part of their SoC program. Zhao and Adriano return as part of 2006 SoC to further develop their respective projects. There are eight other talented students with projects described at http://seclists.org/nmap-hackers/2006/0009.html

  • June 24, 2006 — After two years of development and testing, the 2nd generation OS detection system is integrated into Nmap 4.20ALPHA1 This new system is based on everything we've learned and the new ideas had since the 1st generation system debuted 8 years earlier. After a bit of time to grow the DB, the new system proves much more accurate and granular than the old one. It is described in Chapter 8, Remote OS Detection

  • December 20, 2006 — Nmap public Subversion source revision control repository is released Until this time, only a handful of developers had access to the private source repository. Everyone else had to wait for releases. Now everyone can follow Nmap development day by day. There is even an nmap-svn mailing list providing real-time change notification. Details are provided in the section called “Obtaining Nmap from the Subversion (SVN) Repository”

  • May 28, 2007 — Google sponsors 6 summer Nmap developers as part of their SoC program. Meanwhile, Adriano's UMIT GUI for Nmap is approved as an independent program for SoC sponsorship. The Nmap students and their projects are posted at http://seclists.org/nmap-hackers/2007/0003.html

  • July 8, 2007 — The UMIT graphical front end is integrated into the Nmap 4.22SOC1 release for testing. At first it is only included in the Unix tarballs, but it is integrated into the Windows installer just over a month later as part of 4.22SOC3.

  • December 2007 — Nmap 4.50 is released to celebrate Nmap's 10th anniversary!

While it is easy to catalogue the history of Nmap, the future is uncertain. Nmap didn't start off with any grand development plan, and most of the milestones in the preceding timeline were not planned more than a year in advance. Instead of trying to predict the shape of the Internet and networking way out in the future, I closely study where it is now and decide what will be most useful for Nmap now and in the near future. So I have no idea where Nmap will be 10 years from now, though I expect it to be as popular and vibrant as ever. The Nmap community is large enough that we will be able to guide Nmap wherever it needs to go. Nmap has faced curve balls before, such as the sudden removal of raw packet support in Windows XP SP2, dramatic changes in network filtering practices and technology, and the slow emergence of IPv6. Each of those required significant changes to Nmap, and we'll have to do the same to embrace or at least cope with networking changes in the future.

While the 10-year plan is up in the air, the coming year is easier to predict. As exciting as big new features are, they won't be a focus. None of us want to see Nmap get bloated and disorganized. So this will be a year of consolidation. The new UMIT and NSE systems are not nearly as mature as the rest of Nmap, so improving them will be a big priority. New NSE scripts are great because they extend Nmap's functionality without the stability risks of incorporating new source code into Nmap proper. Meanwhile, UMIT needs usability and stability improvements, as well as proper documentation. Another focus is the Nmap web site, which will become more useful and dynamic. A web discussion system and Nmap demo site may be built.

Some of the coolest Nmap features in the past, such as OS detection and version scanning, were developed in secret and given a surprise release. You can expect more of these in coming years because they are so much fun!


Prev Up Next
Legal Issues Home Chapter 2. Obtaining, Compiling, Installing, and Removing Nmap
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]