installation Nmap can often be installed or upgraded with a single command, so don't let the length of this chapter scare you. Most readers will use the table of contents to skip directly to sections that concern them. This chapter describes how to install Nmap on many platforms, including both source code compilation and binary installation methods. Graphical and command-line versions of Nmap are described and contrasted. Nmap removal instructions are also provided in case you change your mind. Nmapchecking if installed The first step toward obtaining Nmap is to check whether you already have it. Many free operating system distributions (including most Linux and BSD systems) come with Nmap packages, although they may not be installed by default. On Unix systems, open a terminal window and try executing the command nmap --version. If Nmap exists and is in your PATH,PATH environment variable you should see output similar to that in . version number of Nmap--version --versionexample of felix~>nmap --version Nmap version 4.68 ( http://nmap.org ) felix~> If Nmap does not exist on the system (or if your PATH is incorrectly set), an error message such as nmap: Command not found is reported. As the example above shows, Nmap responds to the command by printing its version number (here 4.68). Even if your system already has a copy of Nmap, you should consider upgrading to the latest version available from .downloading Newer versions often run faster, fix important bugs, and feature updated operating system and service version detection databases. A list of changes since the version already on your system can be found at .changelog Nmap output examples in this book may not match the output produced by older versions. Nmap has traditionally been a command-line tool run from a Unix shell or (more recently) Windows command prompt. This allows experts to quickly execute a command that does exactly what they want without having to maneuver through a bunch of configuration panels and scattered option fields. This also makes Nmap easier to script and enables easy sharing of useful commands among the user community. One downside of the command-line approach is that it can be intimidating for new and infrequent users. Nmap offers more than a hundred command-line options, although many are obscure features or debugging controls that most users can ignore. Many graphical frontends have been created for those users who prefer a GUI interface. Nmap has traditionally included a simple GUI for Unix named NmapFENmapFE, but that was replaced in 2007 by Zenmap, which we have been developing since 2005. Zenmap is far more powerful and effective than NmapFE, particularly in results viewing. Zenmap's tab-based interface lets you search and sort results, and also browse them in several ways (host details, raw Nmap output, and ports/hosts). It works on Linux, Windows, Mac OS X, and other platforms. Zenmap is covered in depth in . The rest of this book focuses on command-line Nmap invocations. Once you understand how the command-line options work and can interpret the output, using Zenmap or the other available Nmap GUIs is easy. Nmap's options work the same way whether you choose them from radio buttons and menus or type them at a command-line. downloading Nmap.Org is the official source for downloading Nmap source code and binaries for Nmap and Zenmap. Source code is distributed in bzip2 and gzip compressed tar files, and binaries are available for Linux (RPM format), Windows (NSIS executable installer) and Mac OS X (.dmg disk image). Find all of this at . verifying the integrity of downloads It often pays to be paranoid about the integrity of files downloaded from the Internet. Popular packages such as Sendmail (example), OpenSSH (example), tcpdump, Libpcap, BitchX, Fragrouter, and many others have been infected with malicious trojans. Software distributions sites at the Free Software Foundation, Debian, and SourceForge have also been successfully compromised. This has never happened to Nmap, but one should always be careful. To verify the authenticity of an Nmap release, consult the PGP detached signatures or cryptographic hashes (including SHA1 and MD5) posted for the release in the Nmap signatures directory at . The most secure verification mechanism is detached PGPPGP signatures signatures. As the signing key is never stored on production servers, even someone who successfully compromises the web server couldn't forge and properly sign a trojan release. While numerous applications are able to verify PGP signatures, I recommend GNU Privacy Guard (GPG). keys, cryptographic Nmap releases are signed with a special Nmap Project Signing Key,Nmap Project Signing Key which can be obtained from the major keyservers or . My key is included in that file too. The keys can be imported with the command gpg --import nmap_gpgkeys.txt. You only need to do this once, then you can verify all future Nmap releases from that machine. Before trusting the keys, verify that the fingerprints match the values shown in . flog~> gpg --fingerprint nmap fyodor pub 1024D/33599B5F 2005-04-24 Key fingerprint = BB61 D057 C0D7 DCEF E730 996C 1AF6 EC50 3359 9B5F uid Fyodor <fyodor@insecure.org> sub 2048g/D3C2241C 2005-04-24 pub 1024D/6B9355D0 2005-04-24 Key fingerprint = 436D 66AB 9A79 8425 FDA0 E3F8 01AF 9F03 6B93 55D0 uid Nmap Project Signing Key (http://insecure.org/) sub 2048g/A50A6A94 2005-04-24 For every Nmap package download file (e.g. nmap-4.68.tar.bz2 and nmap-4.68-win32.zip), there is a corresponding file in the sigs directory with .gpg.txt appended to the name (e.g. nmap-4.68.tar.bz2.gpg.txt). This is the detached signature file. With the proper PGP key in your keyring and the detached signature file downloaded, verifying an Nmap release takes a single GPG command, as shown in . If the file has been tampered with, the results will look like . flog> gpg --verify nmap-4.68.tar.bz2.gpg.txt nmap-4.68.tar.bz2 gpg: Signature made Sun 29 Jun 2008 02:40:34 AM PDT using DSA key ID 6B9355D0 gpg: Good signature from "Nmap Project Signing Key (http://www.insecure.org/)" flog> gpg --verify nmap-4.68.tar.bz2.gpg.txt nmap-4.68-hacked.tar.bz2 gpg: Signature made Sun 29 Jun 2008 02:40:34 AM PDT using DSA key ID 6B9355D0 gpg: BAD signature from "Nmap Project Signing Key (http://www.insecure.org/)" While PGP signatures are the recommended validation technique, SHA1 and MD5 (among other) hasheshashes, cryptographicdigests, cryptographic are made available for more casual validation. An attacker who can manipulate your Internet traffic in real time (and is extremely skilled) or who compromises Nmap.Org and replaces both the distribution file and digest file, could defeat this test. However, it can be useful to check the authoritative Nmap.Org hashes if you obtain Nmap from a third party or feel it might have been accidentally corrupted. For every Nmap package download file, there is a corresponding file in the sigs directory with .digest.txt appended to the name (e.g. nmap-4.68.tar.bz2.digest.txt). An example is shown in . This is the detached signature file. The hashes from the digest file can be verified using common tools such as sha1sum, md5sum, or gpg, as shown in . flog> cat nmap-4.53.tgz.digest.txt nmap-4.53.tgz: MD5 = 0D 86 C1 C4 FA 55 E9 36 D0 B7 C8 05 1F 70 36 E9 nmap-4.53.tgz: SHA1 = 3516 D794 8AD8 F994 F2FD B52E 1C51 7C5F ED91 E06F nmap-4.53.tgz: RMD160 = A5DA A78C 583E 7D2D 650E E1F5 0551 A4EC 54DF 55A6 nmap-4.53.tgz: SHA224 = 6B8B62D6 FA1B83DF D8AC2350 D2496906 A9069515 9B98FA93 31782297 nmap-4.53.tgz: SHA256 = 7D415EB8 E6CBD0F6 FBC2301E A65C6A6D 3580B810 85FAF0FE 42D00863 8BAC12FB nmap-4.53.tgz: SHA384 = 9E2086D4 4AAE1FEA 7F347ACA C7A44363 10387CF3 F73BDB3B 492887D5 6F1923D8 154F8D90 6B9FBDEB 903CFEC0 F6D38020 nmap-4.53.tgz: SHA512 = 31235D3A F8C39057 91A61F7C 63E69D51 722B7540 EA457220 FF2391E7 93B98F0D DFEF9A8B F6C02725 CBE32E0F 35766C6C 554F759C C9D4C4BC F42227F4 6E7B2B3D flog> sha1sum nmap-4.53.tgz 3516d7948ad8f994f2fdb52e1c517c5fed91e06f nmap-4.53.tgz flog> md5sum nmap-4.53.tgz 0d86c1c4fa55e936d0b7c8051f7036e9 nmap-4.53.tgz flog> gpg --print-md sha1 nmap-4.53.tgz nmap-4.53.tgz: 3516 D794 8AD8 F994 F2FD B52E 1C51 7C5F ED91 E06F While releases from Nmap.Org are signed as described in this section, certain Nmap add-ons, interfaces, and platform-specific binaries are developed and distributed by other parties. They have different mechanisms for establishing the authenticity of their downloads. Subversion SVNSubversion In addition to regular stable and development releases, the latest Nmap source code is always available using the Subversion (SVN) revision control system. This delivers new features and version/OS detection database updates immediately as they are developed. The downside is that SVN head revisions aren't always as stable as official releases. So SVN is most useful for Nmap developers and users who need a fix which hasn't yet been formally released. SVN write access is strictly limited to top Nmap developers, but everyone has read access to the repository. Check out the latest code using the command svn co --username guest --password "" svn://svn.insecure.org/nmap/. Then you can later update your source code by typing svn up in your working directory. The guest username is required due to an svnserve authorization bug. While most users only follow the /nmap directory in svn (which pulls in /nbase, /nsock, and /zenmap on its own), there is one other interesting directory: /nmap-exp. This directory contains experimental Nmap branches which Nmap developers create when they wish to try new things without destabilizing Nmap proper. When developers feel that an experimental branch is ready for wider-scale testing, they will generally email the location to the nmap-dev mailing list. Once Nmap is checked out, you can build it from source code just as you would with the Nmap tarball (described later in this chapter guide). If you would like real-time (or digested) notification and diffs by email when any changes are made to Nmap, sign up for the nmap-svn mailing list at . Unix, installing on Linuxcompiling on installationfrom source code source code compilation source codeadvantages of While binary packages (discussed in later sections) are available for most platforms, compilation and installation from source code is the traditional and most powerful way to install Nmap. This ensures that the latest version is available and allows Nmap to adapt to the library availability and directory structure of your system. For example, Nmap uses the OpenSSL cryptography libraries for version detection when available, but most binary packages do not include this functionality. On the other hand, binary packages are generally quicker and easier to install, and allow for consistent management (installation, removal, upgrading, etc.) of all packaged software on the system. Source installation is usually a painless process—the build system is designed to auto-detect as much as possible. Here are the steps required for a default install: Download the latest version of Nmap in .tar.bz2 (bzip2 compression) or .tgz (gzip compression) format from . Decompress the downloaded tarball with a command such as: bzip2 -cd nmap-VERSION.tar.bz2 | tar xvf - With GNU tar, the simpler command tar xvjf nmap-VERSION.tar.bz2 does the trick. If you downloaded the .tgz version, replace bzip2 with gzip in the decompression command. Change into the newly created directory: cd nmap-VERSION Configure the build system: ./configure If the configuration succeeds, an ASCII art dragon appears to congratulate you on successful configuration and warn you to be careful, as shown in . ./configure checking build system type... x86_64-unknown-linux-gnu [hundreds of lines cut] configure: creating ./config.status config.status: creating Makefile config.status: creating nsock_config.h config.status: nsock_config.h is unchanged ( ) /\ _ ( \ | ( \ ( \.( ) _____ \ \ \ ` ` ) \ ( ___ / _ \ (_` \+ . x ( .\ \/ \____-----------/ (o) \_ - .- \+ ; ( O \____ ) \_____________ ` \ / (__ +- .( -'.- <. - _ VVVVVVV VV V\ \/ (_____ ._._: <_ - <- _ (-- _AAAAAAA__A_/ | . /./.+- . .- / +-- - . \______________//_ \_______ (__ ' /x / x _/ ( \___' \ / , x / ( ' . / . / | \ / / / _/ / + / \/ ' (__/ / \ NMAP IS A POWERFUL TOOL -- USE CAREFULLY AND RESPONSIBLY Configuration complete. Type make (gmake on some *BSD machines) to compile. ]]> Build Nmap (and the Zenmap GUI if its requirements are met): make Note that GNU Make is required. On BSD-derived Unix systems, this is often installed as gmake. So if make returns a bunch of errors such as Makefile, line 1: Need an operator, try running gmake instead. Become a privileged user for system-wide install: su root This step may be skipped if you only have an unprivileged shell account on the system. In that case, you will likely need to pass the --prefix option to configure in step four as described in the next section. Install Nmap, support files, docs, etc.: make install Congratulations! Nmap is now installed as /usr/local/bin/nmap! Run it with no arguments for a quick help screen. As you can see above, a simple source compilation and install consists of little more than running ./configure;make;make install as root. However, there are a number of options available to configure that affect the way Nmap is built. configure directives Most of the Unix build options are controlled by the configure script, as used in step number four above. There are dozens of command-line parameters and environmental variables which affect the way Nmap is built. Run ./configure --help for a huge list with brief descriptions. These are not applicable to building Nmap on Windows. Here are the options which are either specific to Nmap or particularly important: --prefix=directoryname This option, which is standard to the configure scripts of most software, determines where Nmap and its components are installed. By default, the prefix is /usr/local, meaning that nmap is installed in /usr/local/bin, the man page (nmap.1) is installed in /usr/local/man/man1, and the data files (nmap-os-db, nmap-services, nmap-service-probes, etc.) are installed under /usr/local/share/nmap. If you only wish to change the path of certain components, use the options --bindir, --datadir, and/or --mandir. An example usage of --prefix would be to install Nmap in my account as an unprivileged user. I would run ./configure --prefix=/home/fyodor. Nmap creates subdirs like /home/fyodor/man/man1 in the install stage if they do not already exist. --without-zenmap ZenmapdisablingThis option prevents the Zenmap graphical frontend from being installed. Normally the build system checks your system for requirements such as the Python scripting language and then installs Zenmap if they are all available. --with-openssl=directoryname OpenSSLdisablingThe version detection system and Nmap Scripting Engine are able to probe SSL-encrypted services using the free OpenSSL libraries. Normally the Nmap build system looks for these libraries on your system and include this capability if they are found. If they are in a location your compiler does not search for by default, but you still want them to be used, specify --with-openssl=directoryname. Nmap then looks in directoryname/libs for the OpenSSL libraries themselves and directoryname/include for the necessary header files. Specify --without-openssl to disable SSL entirely. --with-libpcap=directoryname Nmap uses the Libpcap library for capturing raw IP packets. Nmap normally looks for an existing copy of Libpcap on your system and uses that if the version number and platform is appropriate. Otherwise Nmap includes its own recent copy of Libpcap, which has been modified for improved Linux functionality. The specific changes are described in libpcap/NMAP_MODIFICATIONS in the Nmap source directory. Because of these Linux-related changes, Nmap always uses its own Libpcap by default on that platform. If you wish to force Nmap to link with your own Libpcap, pass the option --with-libpcap=directoryname to configure. Nmap then expects the Libpcap library to be in directoryname/lib/libpcap.a and the include files to be in directoryname/include. Nmap will always use the version of Libpcap included in its tarball if you specify --with-libpcap=included. --with-libpcre=directoryname PCRE is a Perl-compatible regular expression library available from . Nmap normally looks for a copy on your system, and then falls back to its own copy if that fails. If your PCRE library is not in your compiler's standard search path, Nmap probably will not find it. In that case you can tell Nmap where it can be found by specifying the option --with-libpcre=directoryname to configure. Nmap then expects the library files to be in directoryname/lib and the include files to be in directoryname/include. In some cases, you may wish to use the PCRE libraries included with Nmap in preference to those already on your system. In that case, specify --with-libpcre=included. --with-libdnet=directoryname Libdnet is an excellent networking library that Nmap uses for sending raw ethernet frames. The version in the Nmap tree is heavily modified (particularly the Windows code), so the default is to use that included version. If you wish to use a version already installed on your system instead, specify --with-libdnet=directoryname. Nmap then expects the library files to be in directoryname/lib and the include files to be in directoryname/include. --with-localdirs This simple option tells Nmap to look in /usr/local/lib and /usr/local/include for important library and header files. This should never be necessary, except that some people put such libraries in /usr/local without configuring their compiler to find them. If you are one of those people, use this option. compilationproblems with In an ideal world, software would always compile perfectly (and quickly) on every system. Unfortunately, society has not yet reached that state of nirvana. Despite all our efforts to make Nmap portable, compilation issues occasionally arise. Here are some suggestions in case the source distribution compilation fails. Upgrade to the latest Nmap Check to make sure you are using the latest version of Nmap. The problem may have already been fixed. Read the error message carefully Scroll up in the output screen and examine the error messages given when commands fail. It is often best to find the first error message, as that often causes a cascade of further errors. Read the error message carefully, as it could indicate a system problem such as low disk space or a broken compiler. Users with programming skills may be able to resolve a wider range of problems themselves. If you make code changes to fix the problem, please send a patch (created with diff -uw oldfile newfile) and any details about your problem and platform to nmap-dev as described in . Integrating the change into the base Nmap distribution allows many other users to benefit, and prevents you from having to make the changes with each new Nmap version. Ask Google and other Internet resources Try searching for the exact error message on Google or other search engines. You might also want to browse recent activity on the Nmap development (nmap-dev)nmap-dev mailing list list—archives and a search interface are available at . Ask nmap-dev If none of your research leads to a solution, try sending a report to the Nmap development (nmap-dev) mailing list, as described in . Consider binary packages binary packages Binary packages of Nmap are available on most platforms and are usually easy to install. The downsides are that they may not be as up-to-date and you lose some of the flexibility of self-compilation. Later sections of this chapter describe how to find binary packages on many platforms, and even more are available via Internet searching. Obviously you should only install binary packages from reputable sources. Linux is the most popular platform for running Nmap. In one user survey, 86% said that Linux was at least one of the platforms on which they run Nmap. The first release of Nmap in 1997 only ran on Linux. Linux users can choose between a source code install or using binary packages provided by their distribution or Insecure.Org. The binary packages are generally quicker and easier to install, and are often slightly customized to use the distribution's standard directory paths and such. These packages also allow for consistent management in terms of upgrading, removing, or surveying software on the system. A downside is that packages created by the distributions are necessarily behind the Nmap.Org source releases. Most Linux distributions (particularly Debian and Gentoo) keep their Nmap package relatively current, though a few are way out of date. Choosing the source install allows for more flexibility in determining how Nmap is built and optimized for your system. To build Nmap from source, see . Here are simple package instructions for the most common distributions. RPM Linuxinstalling on, with RPM> Red Hat (Linux distribution)installing on, with RPM> Mandrake (Linux distribution)installing on, with RPM Suse (Linux distribution)installing on, with RPM Fedora (Linux distribution)installing on, with RPM I build RPM packages for every release of Nmap and post them to the Nmap download page at . I build two packages: The nmap package contains just the command-line executable and data files, while the zenmap package contains the optional Zenmap graphical frontend (see ). The zenmap package requires that the nmap package be installed first. One down side to installing the RPMs rather than compiling from source is that the RPMs don't support OpenSSL for version detection and Nmap Scripting Engine probing of SSL services. RPMinstalling from Installing via RPM is quite easy—it even downloads the package for you when given the proper URLs. The following example downloads and installs Nmap 4.68, including the frontend. Of course you should use the latest version at the download site above instead. Any existing RPM-installed versions are upgraded. demonstrates this installation process. # rpm -vhU http://nmap.org/dist/nmap-4.68-1.i386.rpm Retrieving http://nmap.org/dist/nmap-4.68-1.i386.rpm Preparing... ########################################### [100%] 1:nmap ########################################### [100%] # rpm -vhU http://nmap.org/dist/zenmap-4.68-1.noarch.rpm Retrieving http://nmap.org/dist/zenmap-4.68-1.noarch.rpm Preparing... ########################################### [100%] 1:zenmap ########################################### [100%] As the filenames above imply, these binary RPMs were created for normal PCs (x86 architecture).x86 architecture I also distribute x86_64x86_64 architecture binaries for 64-bit Linux users. These binaries won't work for the relatively few Linux users on other platforms such as SPARC, Alpha, or PowerPC. They also may refuse to install if your library versions are sufficiently different from what the RPMs were initially built on. One option in these cases would be to find binary RPMs prepared by your Linux vendor for your specific distribution. The original install CDs or DVD are a good place to start. Unfortunately, those may not be current or available. Another option is to install Nmap from source code as described previously, though you lose the binary package maintenance consistency benefits. A third option is to build and install your own binary RPMs from the source RPMs distributed from the download page above. demonstrates this technique with Nmap 4.68. > rpmbuild --rebuild http://nmap.org/dist/nmap-4.68-1.src.rpm [ hundreds of lines cut ] Wrote: /home/fyodor/rpmdir/RPMS/i386/nmap-4.68-1.i386.rpm [ cut ] > su Password: # rpm -vhU /home/fyodor/rpmdir/RPMS/i386/nmap-4.68-1.i386.rpm Preparing... ########################################### [100%] 1:nmap ########################################### [100%] # It is not necessary to rebuild Zenmap in this fashion because the Zenmap RPM is architecture-independent (noarch). For that reason there are no Zenmap source RPMs. Removing RPM packages is as easy as rpm -e nmap zenmap. Yum Linuxinstalling on, with Yum Red Hat (Linux distribution)installing on, with Yum Mandrake (Linux distribution)installing on, with Yum Yellow Dog (Linux distribution)installing on, with Yum Fedora (Linux distribution)installing on, with Yum The Red Hat, Fedora, Mandrake, and Yellow Dog Linux distributions have an application named Yum which manages software installation and updates from central RPM repositories. This makes software installation and updates trivial. Since distribution-specific Yum repositories are normally used, you know the software has already been tested for compatibility with your particular distribution. Most distributions do maintain Nmap in their Yum repository, but they don't always keep it up to date. This is particularly problematic if you (like most people) don't always quickly update to the latest release of your distribution. If you are running a two-year old Linux release, Yum will often give you a two-year-old version of Nmap. Even the latest version of distributions often take months to update to a new Nmap release. So for the latest version of Nmap on these systems, try the RPMs we distribute as described in the previous section. But if our RPMs aren't compatible with your system or you are in a great hurry, installing Nmap from Yum is usually as simple as executing yum install nmap (run yum install nmap zenmap if you would like the GUI too, though some distributions don't yet package Zenmap). Yum takes care of contacting a repository on the Internet, finding the appropriate package for your architecture, and then installing it along with any necessary dependencies. This is shown (edited for brevity) in . You can later perform yum update to install available updates to Nmap and other packages in the repository. Running transaction check ---> Package nmap.x86_64 2:4.52-1.fc8 set to be updated --> Finished Dependency Resolution Dependencies Resolved ============================================================================= Package Arch Version Repository Size ============================================================================= Installing: nmap x86_64 2:4.52-1.fc8 updates 1.0 M Transaction Summary ============================================================================= Install 1 Package(s) Update 0 Package(s) Remove 0 Package(s) Total download size: 1.0 M Is this ok [y/N]: y Downloading Packages: (1/1): nmap-4.52-1.fc8.x8 100% |=========================| 1.0 MB 00:02 Running Transaction Test Transaction Test Succeeded Running Transaction Installing: nmap ######################### [1/1] Installed: nmap.x86_64 2:4.52-1.fc8 Complete! ]]> Linuxinstalling on, with apt-get Debian, installing on Ubuntu, installing on LaMont Jones Jones, LaMont does a fabulous job maintaining the Nmap .deb packages, including keeping them reasonably up-to-date. The proper upgrade/install command is apt-get install nmap. apt-get This works for Debian derivatives such as Ubuntu too. Information on the latest Debian stable Nmap package is available at and the development (unstable) Nmap and Zenmap packages are available from and . There are far too many Linux distributions available to list here, but even many of the obscure ones include Nmap in their package tree. If they don't, you can simply compile from source code as described in . Windows Microsoft WindowsWindows While Nmap was once a Unix-only tool, a Windows version was released in 2000 and has since become the second most popular Nmap platform (behind Linux). Because of this popularity and the fact that many Windows users do not have a compiler, binary executables are distributed for each major Nmap release. While it has improved dramatically, the Windows port is not quite as efficient or stable as on Unix. Here are some known limitations: Windowslimitations of You cannot generally scan your own machine from itself (using a loopbackloopback interface IP such as 127.0.0.1 or any of its registered IP addresses). This is a Windows limitation that we haven't yet worked around. If you really want to do this, use a TCP connect scan without pinging (-sT -PN) as that uses the high level socket API rather than sending raw packets. Nmap only supports ethernet interfaces (including most 802.11 wireless cards and many VPN clients) for raw packet scans. Unless you use the -sT -PN options, RAS connections (such as PPP dialups) and certain VPN clients are not supported. This support was dropped when Microsoft removed raw TCP/IP socket support in Windows XP SP2. Now Nmap must send lower-level ethernet frames instead. Windowsperformance of Scans speeds on Windows are generally comparable to those on Unix, though the latter often has a slight performance edge. One exception to this is connect scan (-sT), which is often much slower on Windows because of deficiencies in the Windows networking API. This is a shame, since that is the one TCP scan that works against localhost and over all networking types (not just ethernet, like the raw packet scans). Connect scan performance can be improved substantially by applying the Registry changes in the nmap_performance.reg file included with Nmap. By default these changes are applied for you by the Nmap executable installer. This registry file is in the nmap-version directory of the Windows binary zip file, and nmap-version/mswin32 in the source tarball (where version is the version number of the specific release). These changes increase the number of ephemeral ports reserved for user applications (such as Nmap) and reduce the time delay before a closed connection can be reused. Most people simply check the box to apply these changes in the executable Nmap installer, but you can also apply them by double-clicking on nmap_performance.reg, or by running the command regedt32 nmap_performance.reg. To make the changes by hand, add these three Registry DWORD values to the CurrentControlSet\Services\Tcpip\Parameters entry under HKEY_LOCAL_MACHINE\SYSTEM: MaxUserPort Set a large value such as 65534 (0x0000fffe). See MS KB Q196271. TCPTimedWaitDelay Set the minimum value (0x0000001e). See MS KB Q149532. StrictTimeWaitSeqCheck Set to 1 so TCPTimedWaitDelay is checked. I would like to thank Ryan PermehPermeh, Ryan of eEye, Andy LutomirskiLutomirski, Andy, and Jens VogtVogt, Jens for their hard work on the Nmap Windows port. For many years, Nmap was a Unix-only tool, and it would likely still be that way if not for their efforts. Windows users have three choices for installing Nmap, all of which are available from the download page at . Windowsself-installer Every Nmap release includes a Windows self-installer named nmap-version-setup.exe (where version is the version number of the specific release). Most Nmap users choose this option since it is so easy. Another advantage of the self-installer is that it provides the option to install the Zenmap GUI. Simply run the installer file and let it walk you through panels for choosing an install path and installing WinPcap. The installer was created with the open-source Nullsoft Scriptable Install System. After it completes, read for instructions on executing Nmap on the command-line or through Zenmap. Windowszip binaries Most users prefer installing Nmap with the self-installer discussed previously. Every stable Nmap release comes with Windows command-line binaries and associated files in a Zip archive. No graphical interface is included, so you need to run nmap.exe from a DOS/command window. Or you can download and install a superior command shell such as those included with the free CygwinCygwin system available from . Here are the step-by-step instructions for installing and executing the Nmap .zip binaries. Download the .zip binaries from . Uncompress the zip file into the directory you want Nmap to reside in. An example would be C:\Program Files. A directory called nmap-version should be created, which includes the Nmap executable and data files. Microsoft Windows XP and Vista include zip extraction—just right-click on the file in Explorer. If you do not have a Zip decompression program, there is one (called unzip) in Cygwin described above, or you can download the open-source and free 7-zip utility. Commercial alternatives are WinZip and PKZIP. For improved performance, apply the Nmap Registry changes discussed previously. Nmap requires the free WinPcap packet capture library. We build our own WinPcap installer which is available in the zip file as winpcap-nmap-version.exe, where version is the Nmap version rather than the WinPcap version. Alternatively, you can obtain and install the latest version from . You must install version 4 or later. Due to the way Nmap is compiled, it requires the Microsoft Visual C++ 2008 Redistributable Package of runtime components. Many systems already have this installed from othher packages, but you should run vcredist_x86.exe from the zip file just in case you need it. Instructions for executing your compiled Nmap are given in . Windowscompiling on Most Windows users prefer to use the Nmap binary self-installer, but compilation from source code is an option, particularly if you plan to help with Nmap development. Compilation requires Microsoft Visual C++ 2008, which is part of their commercial Visual Studio suite. Any of the Visual Studio editions should wor, including the free Visual C++ 2008 Express. Download the latest Nmap source distribution from . It has the name nmap-version.tar.bz2 or nmap-version.tgz. Those are the same tar file compressed using gzip or bzip2, respectively. The bzip2-compressed version is smaller. Uncompress the source code file you just downloaded. Recent releases of the free Cygwin distributionCygwin can handle both the .tar.bz2 and .tgz formats. Use the command tar xvjf nmap-version.tar.bz2 or tar xvzf nmap-version.tgz, respectively. Alternatively, the common WinZip application can decompress the .tgz version. Open Visual Studio and the Nmap solution file ( nmap-version/mswin32/nmap.sln). Choose Build Solution from the Build Menu. Nmap should begin compiling, and end with the line -- Done -- saying that all projects built successfully and there were 0 failures. The executable and data files can be found in nmap-version/mswin32/Release/. You can copy them to a preferred directory as long as they are all kept together. Ensure that you have WinPcap installed. You can obtain it by installing our binary self-installer or executing winpcap-nmap-version.exe from our zip package. Alternatively, you can obtain the official installer at . Instructions for executing your compiled Nmap are given in the next section. Many people have asked whether Nmap can be compiled with the gcc/g++ included with Cygwin or other compilers. Some users have reported success with this, but we don't maintain instructions for building Nmap under Cygwin. Windowsrunning Nmap on Nmap releases now include the Zenmap graphical user interface for Nmap. If you used the Nmap installer and left the Zenmap field checked, there should be a new Zenmap entry on your desktop and Start Menu. Click this to get started. Zenmap is fully documented in . While many users love Zenmap, others prefer the traditional command-line approach to executing Nmap. Here are detailed instructions for users who are unfamiliar with command-line interfaces: Make sure the user you are logged in as has administrative privilegesprivileged users on the computer (user should be a member of the administrators group). Open a command/DOS Window. Though it can be found in the program menu tree, the simplest approach is to choose Start -> Run and type cmd<enter>. Opening a Cygwin window (if you installed it) by clicking on the Cygwin icon on the desktop works too, although the necessary commands differ slightly from those shown here. Change to the directory you installed Nmap into. Assuming you used the default path, type the following commands. c: cd "\Program Files\Nmap" Execute nmap.exe. is a screen shot showing a simple example.

If you execute Nmap frequently, you can add the Nmap directory (c:\Program Files\Nmap by default) to your command execution path. The exact place to set this varies by Windows platform. On my Windows XP box, I do the following: From the desktop, right click on My Computer and then click properties. In the System Properties window, click the Advanced tab. Click the Environment Variables button. PATH environment variablePath on Windows Choose Path from the System variables section, then hit edit. Add a semi-colon and then your Nmap directory (c:\Program Files\Nmap by default) to the end of the value. Open a new DOS window and you should be able to execute a command such as nmap scanme.nmap.org from any directory. Solaris, installing on Sun SolarisSolaris Solaris has long been well-supported by Nmap. Sun even donated a complete SPARCstation to the project, which is still being used to test new Nmap builds. For this reason, many Solaris users compile and install from source code as described in . Users who prefer native Solaris packages will be pleased to learn that Steven ChristensenChristensen, Steven does an excellent job of maintaining Nmap packages at for all modern Solaris versions and architectures. Instructions are on his site, and are generally very simple: download the appropriate Nmap package for your version of Solaris, decompress it, and then run pkgadd -d packagename. As is generally the case with contributed binary packages, these Solaris packages are simple and quick to install. The advantages of compiling from source are that a newer version may be available and you have more flexibility in the build process. Mac OS X Apple Mac OS XMac OS X Thanks to several people graciously donating shell accounts on their Mac OS X boxes, Nmap usually compiles on that platform without problems. Because not everyone has the development tools necessary to compile from source, there is an executable installer as well. Nmap is also available through systems such as MacPorts and Fink which package Unix software for Mac OS X. Mac OS Xexecutable installer The easiest way to install Nmap and Zenmap on Mac OS X is to use our installer. The Mac OS X section of the Nmap download page provides a file named nmap-version.dmg, where version is the version number of the most recent release. The .dmg.dmg (Mac OS X disk image)disk image (Mac OS X) file is known as a disk image. Installation instructions follow: Download the file nmap-version.dmg. Double-click the icon to open it. (Depending on how you downloaded the file, it may be opened automatically.) The contents of the disk image will be displayed. One of the files will be a Mac meta-package file named nmap-version.mpkg. Double-click it to start the installer. Follow the instructions in the installer. You will be asked for your password since Nmap installs in a system directory. Once the installer is finished, eject the disk image by control-clicking on its icon and selecting Eject. The disk image may now be placed in the trash. See the instructions in for help on running Nmap and Zenmap after they are installed. The programs installed by the installer are universal binaries that will run on Mac OS X 10.4 (Tiger) or later. Users of earlier versions will have to compile from source or use a third-party package. Mac OS Xcompiling on Compiling Nmap from source on Mac OS X is no more difficult than on other platforms once a proper build environment is in place. Compiling Nmap on Mac OS X requires Xcode,Xcode Apple's developer tools that include GCC and the rest of the usual build system. Xcode is not installed by default, but is available as an optional install on the Mac OS X installation discs. If you do not have the installation discs or if you want a newer version, you can download Xcode free of charge by following these steps. Apple restricts downloads of Xcode to members of the Apple Developer Connection.Apple Developer Connection Browse to and fill out some forms to create an account. Skip to the next step if you already have an account. Return to and log in with your account credentials. Hit the Download link and then choose Developer Tools. Download and install the most recent Xcode. These exact steps may change, but it is hoped that this general approach will continue to work. Once you have installed Xcode, follow the compilation instructions found in . Note that on some older versions of Mac OS X, you may have to replace the command ./configure with ./configure CPP=/usr/bin/cpp. Zenmapdependencies of Zenmap depends on some external libraries that do not come with Mac OS X, including GTK+ and PyGTK. These libraries have many dependencies of their own. A convenient way to install all of them is to use a third-party packaging system as described in . Once the dependencies are installed, follow the instructions in to install Zenmap as usual. Mac OS Xinstalling from third-party packages Another option for installing Nmap is to use a system which packages Unix software for Mac OS X. The two discussed here are Fink and MacPorts. See the respective projects' web sites for installation instructions. Fink To install using Fink, run the command fink install nmap. Nmap will be installed as /sw/bin/nmap. To uninstall use the command fink remove nmap. MacPorts To install using MacPorts, run sudo port install nmap. Nmap will be installed as /opt/local/bin/nmap. To uninstall, run sudo port uninstall nmap. Mac OS Xrunning Nmap on The terminal emulator in Mac OS X is called Terminal, and is located in the directory /Applications/Utilities. Open it and a terminal window appears. This is where you will type your commands. By default the root user is disabled on Mac OS X. To run a scan with root privileges prefix the command name with sudo,sudo as in sudo nmap -sS target. You will be asked for a password, which is just your normal login password. Only users with administrator privileges can do this. Zenmap requires the X11 application to be installed. If it was not installed by default it may be available as an optional install on the Mac OS X installation discs. When Zenmap is started, a dialog is displayed requesting that you type your password. Users with administrator privilegesprivileged users may enter their password to allow Zenmap to run as the root user and run more advanced scans. To run Zenmap in unprivileged mode, select the Cancel button on this authentication dialog. BSDs The BSD flavors are well supported by Nmap, so you can simply compile it from source as described in . This provides the normal advantages of always having the latest version and a flexible build process. If you prefer binary packages, these *BSD variants each maintain their own Nmap packages. Many BSD systems also have a ports tree which standardizes the compilation of popular applications. Instructions for installing Nmap on the most popular *BSD variants follow. OpenBSD, installing on According to the OpenBSD FAQ, users are HIGHLY advised to use packages over building an application from ports. The OpenBSD ports team considers packages to be the goal of their porting work, not the ports themselves. That same FAQ contains detailed instructions for each method. Here is a summary: Choose a mirror from , then FTP in and grab the Nmap package from /pub/OpenBSD/version/packages/platform/nmap-version.tgz. Or obtain it from the OpenBSD distribution CD-ROM. As root, execute: pkg_add -v nmap-version.tgz If you do not already have a copy of the ports tree, obtain it via CVS using instructions at . As root, execute the following command (replace /usr/ports with your local ports directory if it differs): cd /usr/ports/net/nmap && make install clean FreeBSD, installing on The FreeBSD project has a whole chapter in their Handbook describing the package and port installation processes. A brief summary of the process follows. The easiest way to install the binary Nmap package is to run pkg_add -r nmap. You can then run the same command with the zenmap argument if you want the X-Window front-end. If you wish to obtain the package manually instead, retrieve it from and or the CDROM and run pkg_add packagename.tgz. The ports tree is often installed with the system itself (usually in /usr/ports). If you do not already have it, specific installation instructions are provided in the FreeBSD Handbook chapter referenced above. As root, execute the following command (replace /usr/ports with your local ports directory if it differs): cd /usr/ports/security/nmap && make install clean NetBSD, installing on NetBSD has packaged Nmap for an enormous number of platforms, from the normal i386 to PlayStation 2, PowerPC, VAX, SPARC, MIPS, Amiga, ARM, and several platforms that I have never even heard of! Unfortunately they are not very up-to-date. A list of NetBSD Nmap packages is available from and a description of using their package system to install applications is available at . AmigaOS, installing on HP-UX, installing on IRIX, installing on One of the wonders of Open Source development is that resources are often directed towards what people find exciting rather than having an exclusive focus on profits as most corporations do. It is along those lines that the Amiga port came about. Diego CasorranCasorran, Diego performed most of the work and sent in a clean patch which was integrated into the main Nmap distribution. In general, AmigaOS users should be able to simply follow the source compilation instructions in . You may encounter a few hurdles on some systems, but I presume that must be part of the fun for Amiga fanatics. Nmap supports many proprietary Unix flavors such as HP-UX and SGI IRIX. The Nmap project depends on the user community to help maintain adequate support for these systems. If you have trouble, try sending a report with full details to the nmap-dev mailing listnmap-dev mailing list, as described in . Also let us know if you develop a patch which improves support on your platform so we can incorporate it into Nmap. uninstallation removal If your purpose for removing Nmap is simply to upgrade to the latest version, you can usually use the upgrade option provided by most binary package managers. Similarly, installing the latest source code (as described in ) generally overwrites any previous from-source installations. Removing Nmap is a good idea if you are changing install methods (such as from source to RPM or vice versa) or if you are not using Nmap anymore and you care about the few megabytes of disk space it consumes. How to remove Nmap depends on how you installed it initially (see previous sections). Ease of removal (and other maintenance) is a major advantage of most binary packages. For example, when Nmap is installed using the RPMRPM system common on Linux distributions, it can be removed by running the command rpm -e nmap zenmap as root. Analogous options are offered by most other package managers—consult their documentation for further information. If you installed Nmap from the Windows, simply open the Control Panel, select Add or Remove Programs and select the Remove button for Nmap. You can also remove WinPcap unless you need it for other applications such as Wireshark. If you installed Nmap from source code, removal is slightly more difficult. If you still have the build directory available (where you initially ran make install), you can remove Nmap by running make uninstall. If you no longer have that build directory, type nmap -V to obtain the Nmap version number. Then download that source tarball for that version of Nmap from or . Uncompress the tarball and change into the newly created directory (nmap-version). Run ./configure, including any install-path options that you specified the first time (such as --prefix or --datadir). Then run make uninstall. Alternatively, you can simply delete all the Nmap-related files. If you used a default source install of Nmap versions 4.50 or higher, the following commands remove it. # cd /usr/local # rm -f bin/nmap bin/nmapfe bin/xnmap # rm -f man/man1/nmap.1 man/man1/zenmap.1 # rm -rf share/nmap # ./bin/uninstall_zenmap You may have to adjust the above commands slightly if you specified --prefix or other install-path option when first installing Nmap. The files relating to zenmap, nmapfe, and xnmap do not exist if you did not install the Zenmap frontend initially.