Creating Static Binaries for Nmap, Socat and other Tools

In various scenarios it might be helpful or even required to have a statically compiled version of Nmap available. This applies to e.g. scenarios where only limited user privileges are available and installing anything to the system might not be desirable.

For such cases I’ve started to create recipes to build such binaries. Similar projects are already available on GitHub, but there are several reasons why I chose to create my own tools:

  • Compiling Nmap with the openssl-pm-snapshot OpenSSL fork that is also used by testssl.sh in order to support a wide range of (even deprecated/insecure) SSL/TLS features.
  • Including the Nmap data directory in order to do version/service/script scans.
  • Including/Creating static Windows binaries that can be used without installing anything and run without administrative privileges.
  • Create build scripts that built the latest versions from GitHub (especially useful for having the latest Nmap NSE scripts).

I’m using the musl-cross toolchain for compiling the Linux binaries. Currently I’ve switched to my own fork that fetches dependencies via HTTPS. Unfortunately the upstream project rejected my PR. But that should not be a problem for my use case.

On GitHub there is now a static-toolbox repository that includes the following tools already:

Further information and prepackaged archives are available on the repository.

Building on Linux with Docker

The binaries and prepackaged archives are ready-to-run and can be used directly without any prerequisites. However, the recipes directory includes the scripts that have been used to build these binaries. These scripts can also be used to create new binaries, e.g. when new versions of Nmap or Socat become available on the respective GitHub repositories.

The build scripts can be used directly or within a Docker container. Dockerfiles and instructions on how to build the binaries within Docker are available on the repository.

The prepacked archives include a simple shell script wrapper run-nmap.sh that wraps the nmap binary and sets the NMAPDIR environment variable:

NMAPDIR=data ./nmap $@

This can be used to run nmap with a proper data directory that is required for service/script scans:

./run-nmap.sh -sSVC -vv github.com

Building on Windows

Building the static binaries from the GitHub repository on Windows was quite painful. I used Visual Studio 2017 which required some additional configuration. Furthermore I had to modify some files manually to make the build process work. I’m still trying to figure out how to fix the building process properly and if possible, to somehow automate the process with VS. As soon as I’m finished clearing up that mess I will include further building instructions in the repository.

Thus far I’ve tested the Nmap Windows binary on a Windows 10 Developer VM and there it works properly. It should be noted that due to missing administrative privileges SYN scans (-sS) cannot be used. Only the (default) TCP connect scans (-sT) are supported.

The prepackaged archives include a simple PowerShell script run-nmap.ps1 that wraps that static binary and sets the NMAPDIR environment variable:

$allArgs = $PsBoundParameters.Values + $args
$env:NMAPDIR = "data"
.\nmap.exe $allArgs

On a PowerShell the script can be invoked as if it would be a default nmap.exe:

.\run-nmap.ps1 -sVC -vv github.com

Future Work

Currently I’m creating recipes for the ARM architecture including Linux and Windows binaries. Creating the Linux binaries should be rather simple, but the Windows ARM binaries could get interesting because I never did that before. However, not that long ago I had access to a mobile device that was running Windows CE on ARM where it would have been nice to have some static tools available.