> -----Original Message-----
> From: Fyodor [mailto:fyodor@xxxxxxxxxxxx]
> Sent: Tuesday, January 31, 2006 9:10 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Nmap 4.00 Released
>
> Bugtraqers,
>
> Insecure.Org is pleased to announce the immediate, free availability
> of the Nmap Security Scanner version 4.00 from
> http://www.insecure.org/nmap/ .
>
> I try not to burden the Bugtraq list with more than one Nmap
> announcement per year. So I encourage those of you who would like to
> hear about new Nmap releases as they happen to join the low-volume
> nmap-hackers list at
> http://cgi.insecure.org/mailman/listinfo/nmap-hackers .
>
> I just did an interview for SecurityFocus which provides some further
> details on this release: http://www.securityfocus.com/columnists/384
>
> CHANGES:
>
> Nmap has undergone many substantial changes since our last major
> release (3.50 in February 2004) and we recommend that all current
> users upgrade. Here are the most important improvements made in the 36
> intermediate releases since 3.50:
>
> o Added the ability for Nmap to send and properly route raw ethernet
> frames containing IP datagrams rather than always sending the
> packets via raw sockets. This is particularly useful for Windows,
> since Microsoft has disabled raw socket support in XP. Nmap tries
> to choose the best method at runtime based on platform, though you
> can override it with the new --send-eth and --send-ip options.
>
> o Added ARP scanning (-PR). Nmap can now send raw ethernet ARP
> requests to determine whether hosts on a LAN are up, rather than
> relying on higher-level IP packets (which can only be sent after a
> successful ARP request and reply anyway). This is much faster and
> more reliable (not subject to IP-level firewalling) than IP-based
> probes. It is now used automatically for any hosts that are
> detected to be on a local ethernet network, unless --send-ip was
> specified.
>
> o Added the --spoof-mac option, which asks Nmap to use the given MAC
> address for all of the raw ethernet frames it sends. Valid
> --spoof-mac argument examples are "Apple", "0", "01:02:03:04:05:06",
> "deadbeefcafe", "0020F2", and "Cisco".
>
> o Rewrote core port scanning engine, which is now named ultra_scan().
> Improved algorithms make this faster (often dramatically so) in
> almost all cases. Not only is it superior against single hosts, but
> ultra_scan() can scan many hosts (sometimes hundreds) in parallel.
> This offers many efficiency/speed advantages. For example, hosts
> often limit the ICMP port unreachable packets used by UDP scans to
> 1/second. That made those scans extraordinarily slow in previous
> versions of Nmap. But if you are scanning 100 hosts at once,
> suddenly you can receive 100 responses per second. Spreading the
> scan amongst hosts is also gentler toward the target hosts.
>
> o Overhauled UDP scan. Ports that don't respond are now classified as
> "open|filtered" (open or filtered) rather than "open". The (somewhat
> rare) ports that actually respond with a UDP packet to the empty
> probe are considered open. If version detection is requested, it
> will be performed on open|filtered ports. Any that respond to any of
> the UDP probes will have their status changed to open. This avoids
> the false-positive problem where filtered UDP ports appear to be
> open, leading to terrified newbies thinking their machine is
> infected by back orifice.
>
> o Put Nmap on a diet, with changes to the core port scanning routine
> (ultra_scan) to substantially reduce memory consumption, particularly
> when tens of thousands of ports are scanned.
>
> o Added 'leet ASCII art to the configurator! Note that
> only people compiling the UNIX source code get this. (ASCII artist
> unknown). If you don't like it, feel free to submit your own work.
>
> o Wrote a new man page from scratch. It is much more comprehensive
> (more than twice as long) and (IMHO) better organized than the
> previous one. Read it online at http://www.insecure.org/nmap/man/
> or docs/nmap.1 from the Nmap distribution. Let me know if you have
> any ideas for improving it. Translations to Chinese, French,
> Japanese, Brazilian Portuguese, Portugal Portuguese, and Romanian
> can be found on the Nmap docs page at
> http://www.insecure.org/nmap/docs.html . More than a dozen other
> translations are in progress. The XML source for the man page is
> distributed with Nmap in docs/nmap-man.xml. Patches to Nmap that are
> user-visible should include patches to the man page XML source rather
> than to the generated Nroff.
>
> o Integrated all service submissions up to January 2006. The DB has
> tripled in size since 3.50 to 3,153 signatures for 381 service
> protocols. Those protocols span the gamut from abc, acap, afp, and
> afs to zebedee, zebra, and zenimaging. It even covers obscure
> protocols such as http, ftp, smtp, and ssh :). Thanks to Version
> Detection Czar Doug Hoyte for his excellent work on this. Other
> great probes and signatures came from Dirk Mueller
> (mueller(a)kde.org), Lionel Cons (lionel.cons(a)cern.ch), Martin
> Macok (martin.macok(a)underground.cz), and Bo Jiang
> (jiangbo(a)brandeis.edu). Thanks also go to the (literally)
> thousands of you who submitted service fingerprints. Keep them
> coming!
>
> o Integrated tons of new OS detection fingerprints. The database grew
> more than 50% from 1,121 to 1,684 fingerprints. Notable additions
> include Mac OS X 10.4 (Tiger), OpenBSD 3.7, FreeBSD 5.4, Windows
> Server 2003 SP1, Sony AIBO (along with a new "robotic pet" device
> type category), the latest Linux 2.6 kernels, Cisco routers with IOS
> 12.4, a ton of VoIP devices, Tru64 UNIX 5.1B, new Fortinet
> firewalls, AIX 5.3, NetBSD 2.0, Nokia IPSO 3.8.X, and Solaris 10.
> Of course there are also tons of new broadband routers, printers,
> WAPs and pretty much any other device you can coax an ethernet cable
> (or wireless card) into! Much of this OS detection work was done by
> Google SoC student Zhao Lei (zhaolei(a)gmail.com).
>
> o Created a Windows executable installer using the open source NSIS
> (Nullsoft Scriptable Install System). It handles Pcap installation,
> registry performance changes, and adding Nmap to your cmd.exe
> executable path. The installer source files are in mswin32/nsis/ .
> Thanks to Google SoC student Bo Jiang (jiangbo(a)brandeis.edu) for
> creating the initial version.
>
> o Added run time interaction as documented at
> http://www.insecure.org/nmap/man/man-runtime-interaction.html .
> While Nmap is running, you can now press 'v' to increase verbosity,
> 'd' to increase the debugging level, 'p' to enable packet tracing,
> or the capital versions (V,D,P) to do the opposite. Any other key
> (such as enter) will print out a status message giving the estimated
> time until scan completion. Most of this work was done by Paul
> Tarjan (ptarjan(a)stanford.edu), Andrew Lutomirski
> (luto(a)myrealbox.com), and Gisle Vanem (giva(a)bgnett.no).
>
> o Reverse DNS resolution is now done in parallel rather than one at a
> time. All scans of large networks (particularly list, ping and
> just-a-few-ports scans) benefit substantially from this change. The
> new --system-dns option was added so you can use the (slow) system
> resolver if you prefer that for some reason. You can specify a
> comma separated list of DNS server IP addresses for Nmap to use with
> the new --dns-servers option. Otherwise, Nmap looks in
> /etc/resolv.conf (UNIX) or the system registry (Windows) to obtain
> the nameservers already configured for your system. This excellent
> patch was written by Doug Hoyte (doug(a)hcsw.org).
>
> o Updated NmapFE to build with GTK2 rather than obsolete GTK1. Thanks
> to Priit Laes (amd(a)store20.com), Mike Basinger
> (dbasinge(a)speakeasy.net) and Meethune Bhowmick
> (meethune(a)oss-institute.org) for developing the patch. GTK2 is
> prettier, more functional, and actually exists on most modern Linux
> distributions (many of which removed GTK1 long ago).
>
> o Added the --badsum option, which causes Nmap to use invalid TCP or
> UDP checksums for packets sent to target hosts. Since virtually all
> host IP stacks properly drop these packets, any responses received
> are likely coming from a firewall or IDS that didn't bother to
> verify the checksum. For more details on this technique, see
> http://www.phrack.org/phrack/60/p60-0x0c.txt . The author of that
> paper, Ed3f (ed3f(a)antifork.org), is also the author of this patch
> (which I changed a bit).
>
> o The 26 Nmap commands that previously included an underscore
> (--max-rtt-timeout, --send-eth, --host-timeout, etc.) have been
> renamed to use a hyphen in the preferred format
> (i.e. --max-rtt-timeout). Underscores are still supported for
> backward compatibility.
>
> o Added --max-retries option for capping the maximum number of
> retransmissions the port scan engine will do. The value may be as
> low as 0 (no retransmits). A low value can increase speed, though
> at the risk of losing accuracy. The -T4 option now allows up to 6
> retries, and -T5 allows 2. Thanks to Martin Macok
> (martin.macok(a)underground.cz) for writing the initial patch.
>
> o Many of the Nmap low-level timing options take a value in
> milliseconds. You can now append an 's', 'm', or 'h' to the value
> to give it in seconds, minutes, or hours instead. So you can specify a
> 45 minute host timeout with --host-timeout 45m rather than specifying
> --host-timeout 2700000 and hoping you did the math right and have the
> correct number of zeros. This also now works for the
> --min-rtt-timeout, --max-rtt-timeout, --initial-rtt-timeout,
> --scan-delay, and --max-scan-delay options.
>
> o Wrote a new Nmap compilation, installation, and removal guide, which
> you can find at http://www.insecure.org/nmap/install/ .
>
> o Made some changes to allow source port zero scans (-g0). Nmap used
> to refuse to do this, but now it just gives a warning that it may not
> work on all systems. It seems to work fine on my Linux box. Thanks
> to Bill Dale (bill_dale(a)bellsouth.net) for suggesting this feature.
>
> o Applied some small fixes so that Nmap compiles with Visual C++
> 2005 Express, which is free from Microsoft at
> http://msdn.microsoft.com/vstudio/express/visualc/ . Thanks to KX
> (kxmail(a)gmail.com) and Sina Bahram (sbahram(a)nc.rr.com).
>
> o Added --thc option (undocumented)
>
> o Wrote a new "help screen", which you get when running Nmap without
> arguments. It is also reproduced in the man page and at
> http://www.insecure.org/nmap/data/nmap.usage.txt . I gave up trying
> to fit it within a 25-line, 80-column terminal window. It is now 78
> lines and summarizes all but the most obscure Nmap options.
>
> o Added OS, device type, and hostname detection using the service
> detection framework. Many services print a hostname, which may be
> different than DNS. The services often give more away as well. If
> Nmap detects IIS, it reports an OS family of "Windows". If it sees
> HP JetDirect telnetd, it reports a device type of "printer". Rather
> than try to combine TCP/IP stack fingerprinting and service OS
> fingerprinting, they are both printed. After all, they could
> legitimately be different. An IP that gives a stack fingerprint
> match of "Linksys WRT54G broadband router" and a service fingerprint
> of Windows based on Kazaa running is likely a common NAT setup rather
> than an Nmap mistake.
>
> o Overhauled the Nmap version detection guide and posted it at
> http://www.insecure.org/nmap/vscan/ .
>
> o Service/version detection now handles multiple hosts at once for
> more efficient and less-intrusive operation.
>
> o Added "rarity" feature to Nmap version detection. This causes
> obscure probes to be skipped when they are unlikely to help. Each
> probe now has a "rarity" value. Probes that detect dozens of
> services such as GenericLines and GetRequest have rarity values of
> 1, while the WWWOFFLEctrlstat and mydoom probes have a rarity of 9.
> When interrogating a port, Nmap always tries probes registered to
> that port number. So even WWWOFFLEctrlstat will be tried against
> port 8081 and mydoom will be tried against open ports between 3127
> and 3198. If none of the registered ports find a match, Nmap tries
> probes that have a rarity less than or equal to its current
> intensity level. The intensity level defaults to 7 (so that most of
> the probes are done). You can set the intensity level with the new
> --version-intensity option. Alternatively, you can just use
> --version-light or --version-all which set the intensity to 2 (only
> try the most important probes and ones registered to the port
> number) and 9 (try all probes), respectively. --version-light is
> much faster than default version detection, but also a bit less
> likely to find a match. This feature was designed and implemented
> by Doug Hoyte (doug(a)hcsw.org).
>
> o Added a "fallback" feature to the nmap-service-probes database.
> This allows a probe to "inherit" match lines from other probes. It
> is currently only used for the HTTPOptions, RTSPRequest, and
> SSLSessionReq probes to inherit all of the match lines from
> GetRequest. Some servers don't respond to the Nmap GetRequest (for
> example because it doesn't include a Host: line) but they do respond
> to some of those other 3 probes in ways that GetRequest match lines
> are general enough to match. The fallback construct allows us to
> benefit from these matches without repeating hundreds of signatures
> in the file. This is another feature designed and implemented
> by Doug Hoyte (doug(a)hcsw.org).
>
> o Added "Exclude" directive to nmap-service-probes grammar which
> causes version detection to skip listed ports. This is helpful for
> ports such as 9100. Some printers simply print any data sent to
> that port, leading to pages of HTTP requests, SMB queries, X Windows
> probes, etc. If you really want to scan all ports, specify
> --allports. This patch came from Doug Hoyte (doug(a)hcsw.org).
>
> o Version detection softmatches (when Nmap determines the service
> protocol such as smtp but isn't able to determine the app name such as
> Postfix) can now parse out the normal match line fields such as
> hostname, device type, and extra info. For example, we may not know
> what vendor created an sshd, but we can still parse out the protocol
> number. This was a patch from Doug Hoyte (doug(a)hcsw.org).
>
> o Fixed a bunch of typos and misspellings throughout the Nmap source
> code (mostly in comments). This was a 625-line patch by Saint Xavier
> (skyxav(a)skynet.be).
>
> o Added a stripped-down and heavily modified version of Dug Song's
> libdnet networking library (v. 1.10). This helps with the new raw
> ethernet features. My (extensive) changes are described in
> libdnet-stripped/NMAP_MODIFICATIONS
>
> o Updated nmap data files (nmap-mac-prefixes, nmap-protocols,
> nmap-rpc) with the latest OUIs, IP protocols, and RPC program numbers,
> respectively.
>
> o Updated the included libpcap from 0.7.2 to 0.9.3. This was an
> attempt to fix an annoying bug, which I then found was actually in
> my code rather than libpcap :). Also updated the included GNU
> shtool (to 2.0.2), LibPCRE (6.4), and the autoconf config.* files
> (to the latest from their CVS).
>
> o Nmap now uses (and requires) WinPcap 3.1 on Windows.
>
> o Added MAC address printing. If Nmap receives a packet from a target
> machine which is on an Ethernet segment directly connected to the
> scanning machine, Nmap will print out the target MAC address. Nmap
> also now contains a database (derived from the official IEEE
> version) which it uses to determine the vendor name of the target
> ethernet interface. Here are examples from normal and XML output
> (angle brackets replaced with [] for HTML changelog compatibility):
> MAC Address: 08:00:20:8F:6B:2F (SUN Microsystems)
> [address addr="00:A0:CC:63:85:4B" vendor="Lite-on Communications" addrtype="mac" /]
>
> o The official Nmap RPM files are now compiled statically for better
> compatibility with other systems. X86_64 (AMD Athlon64/Opteron)
> binaries are now available in addition to the standard i386. NmapFE
> RPMs are no longer distributed by Insecure.Org.
>
> o Nmap distribution signing has changed. Release files are now signed
> with a new Nmap Project GPG key (KeyID 6B9355D0). Learn more at
> http://www.insecure.org/nmap/install/index.html#inst-integrity
>
> o Updated random scan (ip_is_reserved()) to reflect the latest IANA
> assignments. Thanks to Felix Groebert (felix(a)groebert.org) and
> Chad Loder (cloder(a)loder.us) for sending these patches.
>
> o Added the --iflist option, which prints a list of system interfaces
> and routes detected by Nmap.
>
> o Removed WinIP library (and all Windows raw sockets code) since MS
> has gone and broken raw sockets. Maybe packet receipt via raw
> sockets will come back at some point. As part of this removal, the
> Windows-specific --win_help, --win_list_interfaces, --win_norawsock,
> --win_forcerawsock, --win_nopcap, --win_nt4route, --win_noiphlpapi,
> and --win_trace options have been removed.
>
> o Added new --privileged command-line option and NMAP_PRIVILEGED
> environmental variable. Either of these tell Nmap to assume that
> the user has full privileges to execute raw packet scans, OS
> detection and the like. This can be useful when Linux kernel
> capabilities or other systems are used that allow non-root users to
> perform raw packet or ethernet frame manipulation. Without this
> flag or variable set, Nmap bails on UNIX if geteuid() is nonzero.
>
> o Changed the RPM spec file so that if you define "static" to 1 (by
> passing --define "static 1" to rpmbuild), static binaries are built.
>
> o ultra_scan() now sets pseudo-random ACK values (rather than 0) for
> any TCP scans in which the initial probe packet has the ACK flag set.
> This would be the ACK, Xmas, Maimon, and Window scans.
>
> o Fixed an integer overflow that prevented Nmap from scanning
> 2,147,483,648 hosts in one expression (e.g. 0.0.0.0/1). Problem
> noted by Justin Cranford (jcranford(a)n-able.com). While /1 scans
> are now possible, don't expect them to finish during your bathroom
> break. No matter how constipated you are.
>
> o Changed from CVS to Subversion source control system (which
> rocks!). Neither repository is currently public due to security
> paranoia.
>
> o Nmap now ships with and installs (in the same directory as other
> data files such as nmap-os-fingerprints) an XSL stylesheet for
> rendering the XML output as HTML. This stylesheet was written by
> Benjamin Erb ( see http://www.benjamin-erb.de/nmap/ for examples).
> It supports tables, version detection, color-coded port states, and
> more. The XML output has been augmented to include an
> xml-stylesheet directive pointing to nmap.xsl on the local
> filesystem. You can point to a different XSL file by providing the
> filename or URL to the new --stylesheet argument. Omit the
> xml-stylesheet directive entirely by specifying --no-stylesheet.
> The XML to HTML conversion can be done with an XSLT processor such
> as Saxon, Sablot, or Xalan, but modern browsers can do this on the
> fly -- simply load the XML output file in IE or Firefox. It is
> often more convenient to have the stylesheet loaded from a URL
> rather than the local filesystem, allowing the XML to be rendered on
> any machine regardless of whether/where the XSL is installed. For
> privacy reasons (avoid loading of an external URL when you view
> results), Nmap uses the local filesystem by default. If you would
> like the latest version of the stylesheet loaded from Insecure.Org when
> rendering, specify --webxml, which is a shortcut for
> --stylesheet http://www.insecure.org/nmap/data/nmap.xsl .
>
> o If a user attempts -PO (the letter O), instead of -P0 (zero), print
> an error suggesting that the user is a doofus (actually it is a nice
> message).
>
> o Upgraded the fragmentation option (-f). One -f now sends
> fragments with just 8 bytes after the IP header, while -ff sends 16
> bytes to reduce the number of fragments needed. You can specify
> your own fragmentation offset (must be a multiple of 8) with the new
> --mtu flag. Don't also specify -f if you use --mtu. Remember that
> some systems (such as Linux with connection tracking) will
> defragment in the kernel anyway -- so test first while sniffing with
> ethereal. These changes are from a patch by Martin Macok
> (martin.macok(a)underground.cz).
>
> o Nmap now prints the number (and total bytes) of raw IP packets sent
> and received when it completes, if verbose mode (-v) is enabled. The
> report looks like:
> Nmap finished: 256 IP addresses (3 hosts up) scanned in 30.632 seconds
> Raw packets sent: 7727 (303KB) | Rcvd: 6944 (304KB)
>
> o Added new "closed|filtered" state. This is used for Idle scan, since
> that scan method can't distinguish between those two states. Nmap
> previously just used "closed", but this is more accurate.
>
> o Null, FIN, Maimon, and Xmas scans now mark ports as "open|filtered"
> instead of "open" when they fail to receive any response from the
> target port. After all, it could just as easily be filtered as open.
> This is the same change that was made to UDP scan in 3.70. Also as
> with UDP scan, adding version detection (-sV) will change the state
> from open|filtered to open if it confirms that they really are open.
>
> o Change IP protocol scan (-sO) so that a response from the target
> host in any protocol at all will prove that protocol is open. As
> before, no response means "open|filtered", an ICMP protocol
> unreachable means "closed", and most other ICMP error messages mean
> "filtered".
>
> o Changed IP protocol scan (-sO) so that it sends valid ICMP, TCP, and
> UDP headers when scanning protocols 1, 6, and 17, respectively. An
> empty IP header is still sent for all other protocols. This should
> prevent the error messages such as "sendto in send_ip_packet:
> sendto(3, packet, 20, 0, 192.31.33.7, 16) => Operation not
> permitted" that Linux (and perhaps other systems) would give when
> they try to interpret the raw packet. This also makes it more
> likely that these protocols will elicit a response, proving that the
> protocol is "open".
>
> o Fixed a memory leak that would generally consume several hundred
> bytes per down host scanned. While the effect for most scans is
> negligible, it was overwhelming when Scott Carlson
> (Scott.Carlson(a)schwab.com) tried to scan 24 million IPs
> (10.0.0.0/8). Thanks to him for reporting the problem. Also thanks
> to Valgrind ( http://valgrind.kde.org ) for making it easy to debug.
>
> o Added --max-scan-delay parameter. Nmap will sometimes increase the
> delay itself when it detects many dropped packets. For example,
> Solaris systems tend to respond with only one ICMP port unreachable
> packet per second during a UDP scan. So Nmap will try to detect
> this and lower its rate of UDP probes to one per second. This can
> provide more accurate results while reducing network congestion, but
> it can slow the scans down substantially. By default (with no -T
> options specified), Nmap allows this delay to grow to one second per
> probe. This option allows you to set a lower or higher maximum.
> The -T4 and -T5 scan modes now limit the maximum scan delay for TCP
> scans to 10 and 5 ms, respectively.
>
> o Added --max-hostgroup option which specifies the maximum number of
> hosts that Nmap is allowed to scan in parallel.
>
> o Added --min-hostgroup option which specifies the minimum number of
> hosts that Nmap should scan in parallel (there are some exceptions
> where Nmap will still scan smaller groups -- see man page). Of
> course, Nmap will try to choose efficient values even if you don't
> specify hostgroup restrictions explicitly.
>
> o Nmap now estimates completion times for almost all port scan types
> (any that use ultra_scan()) as well as service scan (version
> detection). These are only shown in verbose mode (-v). On scans
> that take more than a minute or two, you will see occasional updates
> like:
> SYN Stealth Scan Timing: About 30.01% done; ETC: 16:04 (0:01:09 remaining)
> New updates are given if the estimates change significantly.
>
> o Added --exclude option, which lets you specify a comma-separated
> list of targets (hosts, ranges, netblocks) that should be excluded
> from the scan. This is useful to keep from scanning yourself, your
> ISP, particularly sensitive hosts, etc. The new --excludefile reads
> the list (newline-delimited) from a given file. All the work was
> done by Mark-David McLaughlin (mdmcl(a)cisco.com) and William McVey
> (wam(a)cisco.com), who sent me a well-designed and well-tested
> patch.
>
> o Nmap now has a "port scan ping" system. If it has received at least
> one response from any port on the host, but has not received
> responses lately (usually due to filtering), Nmap will "ping" that
> known-good port occasionally to detect latency, packet drop rate,
> etc.
>
> o Nmap now wishes itself a happy birthday when run on September 1 in
> verbose mode! The first public release was on that date in 1997.
>
> o The port randomizer now has a bias toward putting
> commonly-accessible ports (80, 22, etc.) near the beginning of the
> list. Getting a response early helps Nmap calculate response times and
> detect packet loss, so the scan goes faster.
>
> o Host timeout system (--host-timeout) overhauled to support host
> parallelization. Host times are tracked separately, so a host that
> finishes a SYN scan quickly is not penalized for an exceptionally
> slow host being scanned at the same time.
>
> o When Nmap has not received any responses from a host, it can now use
> certain timing values from other hosts from the same scan group.
> This way Nmap doesn't have to use absolute-worst-case (300bps SLIP
> link to Uzbekistan) round trip time and latency estimates.
>
> o Documented the --osscan-limit option, which saves time by skipping
> OS detection if at least one open and one closed port are not found on
> the remote hosts. OS detection is much less reliable against such
> hosts anyway, and skipping it can save some time.
>
> o Configure script now detects GNU/k*BSD (whatever that is),
> thanks to patches from Robert Millan (rmh@xxxxxxxxxx) and Petr
> Salinger (Petr.Salinger(a)t-systems.cz).
>
> o Provide limited --packet-trace support for TCP connect() (-sT)
> scans.
>
> o Hundreds of other features, bugfixes, and portability
> enhancements described at
> http://www.insecure.org/nmap/changelog.html
>
> MOVING FORWARD:
>
> With this stable version out of the way, we plan to dive headfirst
> into the next development cycle. Many exciting features are in the
> queue, including a next-generation OS detection system. We also plan
> to launch the 2006 Nmap User Survey in February, to learn what
> features you want most. For the latest news, consider joining the
> 32,000-member low-volume moderated Nmap-hackers list. Subscribe at
> http://cgi.insecure.org/mailman/listinfo/nmap-hackers, or you can read
> the archives at seclists.org. You can subscribe to the (high traffic)
> development list at http://cgi.insecure.org/mailman/listinfo/nmap-dev.
>
> DOWNLOAD:
>
> Nmap is available for download from http://www.insecure.org/nmap/ for
> most platforms in source or binary form. Nmap is free, open source
> software (license: http://www.insecure.org/nmap/data/COPYING )
>
> ACKNOWLEDGEMENTS:
>
> A popular open source security scanner recently went proprietary,
> complaining that their community never contributes much. We are sorry
> to hear that, but happy to report that the Nmap community is as
> vibrant and productive as ever! We would like to acknowledge and thank
> the many people who contributed ideas and/or code to this release
> (since 3.50). Special thanks go out to Adam Kerrison, Adam Morgan,
> Adriano Monteiro Marques, Alan Bishoff, Alan William Somers, Albert
> Chin, Allison Randal, Alok Tangoankar, Amy Hennings, Anders Thulin,
> Andreia Gaita, Andy Lutomirski, Annalee Newitz, Arturo Buanzo
> Busleiman, Bart Dopheide, Beirne Konarski, Ben Harris, Bill Dale, Bill
> Petersen, Bill Pollock, Bo Jiang, Brian Hatch, Chad Loder, Chris
> Gibson, Christophe, Craig Humphrey, Curtis Doty, Dana Epp, Dirk
> Mueller, Doug Hoyte, Dragos Ruiu, Dug Song, Duilio J. Protti, Eric
> S. Raymond, Felix Gröbert, Florian Ebner, Fyodor Yarochkin, Ganga
> Bhavani, Gisle Vanem, Glyn Geoghegan, Greg A. Woods, Greg Darke, Greg
> Taleck, Gwenole Beauchesne, HD Moore, Jedi/Sector One, Jeff Nathan,
> Jesse Burns, Jim Carras, Jim Harrison, Jonathan Dieter, José Domingos,
> Justin Cranford, Justin M Cacak, Krok, KX, Lamont Jones, Lance
> Spitzner, Laurent Estieux, Lionel Cons, Lucien Raven, MadHat, Marius
> Strobl, Mark-David McLaughlin, Mark Ruef, Martin Macok, Matthieu
> Verbert, Matt Selsky, Max Schubert, Meethune Bhowmick, Mephisto, Mike
> Basinger, Mike Hatz, Murphy, Netris, Okan Demirmen, Ole Morten
> Grodaas, Oliver Eikemeier, Pascal Trouvin, Paul Tarjan, Petr Salinger,
> Petter Reinholdtsen, pijn trein, Ping Huang, Piotr Sobolewski, Priit
> Laes, Princess Nadia, Raven Alder, Richard Birkett, Richard Moore,
> Robert E. Lee, Rob Foehl, Ronak Sutaria, Royce Williams, Ruediger
> Rissmann, Saint Xavier, Saravanan, Scott Mansfield, Sebastian
> Wolfgarten, Seth Master, Shahid Khan, Simon Burr, Simple Nomad, Sina
> Bahram, Solar Designer, Srivatsan, Stephane Loeuillet, Stephen Bishop,
> Steve Christensen, Steve Martin, Thorsten Holz, Tom Duffy, Tom Rune
> Flo, Tom Sellers, Tony Golding, van Hauser, vlad902, William McVey,
> Zapphire, and Zhao Lei.
>
> And of course we would also like to thank the thousands of people who
> have submitted OS and service/version fingerprints, as well as
> everyone who has found and reported bugs or suggested features.
>
> For further information, see http://www.insecure.org/
>
>
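The version-detection probe selection rules described in the announcement (rarity versus intensity, probes registered to a port always being tried, the Exclude directive, and fallback inheritance of match lines) as an added worked model. This is illustrative code, not Nmap's own; the probe table, regexes and the Exclude list are constructed toy data that only borrow probe names and port numbers quoted in the changelog.

```python
"""Toy model of Nmap 4.00's version-detection probe selection.
Added example, not Nmap source. Probe table and signatures below are
constructed; real nmap-service-probes files are far larger."""
from dataclasses import dataclass, field
import re


@dataclass
class Probe:
    name: str
    rarity: int                                   # 1 = very common, 9 = very obscure
    ports: set = field(default_factory=set)       # ports this probe is registered to
    matches: list = field(default_factory=list)   # own (service, regex) match lines
    fallback: list = field(default_factory=list)  # probes whose match lines are inherited


# Constructed probe table, loosely modelled on names in the announcement.
PROBES = {
    "GenericLines": Probe("GenericLines", 1, {21, 22, 25},
                          [("ssh", r"^SSH-\d\.\d-"), ("smtp", r"^220 .*SMTP")]),
    "GetRequest": Probe("GetRequest", 1, {80, 443, 8080},
                        [("http", r"^HTTP/1\.[01] \d{3}")]),
    # No match lines of its own: inherits everything GetRequest knows.
    "HTTPOptions": Probe("HTTPOptions", 4, {80}, [], fallback=["GetRequest"]),
    "WWWOFFLEctrlstat": Probe("WWWOFFLEctrlstat", 9, {8081},
                              [("wwwoffle", r"^WWWOFFLE")]),
    "mydoom": Probe("mydoom", 9, set(range(3127, 3199)),
                    [("mydoom", r"^\x04\x5b")]),
}

# "Exclude 9100" directive: raw-print ports that echo whatever is sent.
EXCLUDED_PORTS = {9100}

# --version-light, default, --version-all
INTENSITY = {"light": 2, "default": 7, "all": 9}


def select_probes(port, intensity=INTENSITY["default"], allports=False):
    """Probe names in the order they would be tried against `port`:
    probes registered to the port first (regardless of rarity), then
    every other probe whose rarity <= intensity. An excluded port gets
    no probes unless --allports is in effect."""
    if port in EXCLUDED_PORTS and not allports:
        return []
    registered = [p.name for p in PROBES.values() if port in p.ports]
    general = [p.name for p in PROBES.values()
               if p.name not in registered and p.rarity <= intensity]
    return registered + general


def match_lines(probe_name):
    """A probe's own match lines followed by those inherited via fallback."""
    probe = PROBES[probe_name]
    lines = list(probe.matches)
    for parent in probe.fallback:
        lines.extend(match_lines(parent))
    return lines


def classify(probe_name, response):
    """Service name for a banner returned to `probe_name`, or None."""
    for service, pattern in match_lines(probe_name):
        if re.search(pattern, response):
            return service
    return None


if __name__ == "__main__":
    print(select_probes(8081))                       # rarity-9 probe still tried: it is registered
    print(select_probes(3127, INTENSITY["light"]))   # mydoom first, then only rarity <= 2
    print(select_probes(9100), select_probes(9100, allports=True))
    print(classify("HTTPOptions", "HTTP/1.1 200 OK\r\n"))  # matched via fallback
```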