Is nmap Good or Evil?

A tool as powerful as nmap can be a double-edged sword. At least one Internet-related reference to nmap describes it as a "hacking tool," and technology purists who don't consider the word "hack" to be a four letter word would certainly agree with this description. It is unfortunate that the term "hacker" has been used incorrectly so often in mainstream society. These uninformed connotations of hacking have overshadowed the original meaning of the word and altered it in horribly negative ways. True hacking is about the pursuit of technology, not about illegal or inappropriate technology subversions.

Still, the ethical question remains; is nmap a useful utility or a nefarious tool? Nmap is about as far as one can go without actively attempting an electronic break-in, but that isn't necessarily a bad feature. It's one thing to drive by a house and see the door propped open. It's something entirely different to stop your car, walk through the door, and steal the television. This is the critical distinction between nmap and more active tools that can exploit vulnerabilities on networked systems, and it's not a small characteristic. Nmap actively scans devices, but nmap does not perform any malicious activity.

The bad guys are already using nmap for reconnaissance, because a single scan can tell you a lot about the open doors and windows in a computer's house. What the bad guys do once they have this information is why they are called the "bad guys."

The good guys are using nmap to make their network safer. The network management team uses nmap to identify unknown IP addresses that appear in reports or in a network analysis trace. The security team uses nmap to scan the internal network for a specific open port that might help to identify the extent of a spyware infestation. The client desktop team uses nmap to inventory a remote location to ensure that all known systems are identified and properly patched against future security concerns.

Nmap is a powerful tool, and its power brings responsibility. Some of nmap's scanning techniques can disable or disrupt production applications. I've personally crashed previously stable applications with a single nmap scan. Many security managers tend to frown on unauthorized users poking around on their network. If you employ nmap, be sure to use it with the knowledge and permission of the network owners.

As a final ethical assessment, one should examine the real-world results of using nmap. Fyodor's nmap man page states that he's used nmap to scan hundreds of thousands of machines, and he's only received one complaint during that time. If the network management and security world has a problem with nmap, they appear to be uncharacteristically quiet regarding its use. It seems that the industry feels that nmap does far more to promote better security than to harm the network.