Merge pull request #1487 from HackTricks-wiki/update_Compiling_static_Nmap_binary_for_jobs_in_restricte_20251014_124512

carlospolop · web-flow · commit 06e4a67ea43a · 2025-10-15T19:09:48.000+02:00
Compiling static Nmap binary for jobs in restricted environm...
diff --git a/src/generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md b/src/generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md
@@ -45,7 +45,7 @@ By default Nmap launches a discovery phase consisting of: `-PA80 -PS443 -PE -PP`
 - **`--badsum`:** It sends the sum wrong, the computers would discard the packets, but the firewalls could answer something, it is used to detect firewalls.
 - **`-sZ`:** "Weird" SCTP scanner, when sending probes with cookie echo fragments they should be dropped if open or responded with ABORT if closed. It can pass through firewalls that init does not pass through, the bad thing is that it does not distinguish between filtered and open.
 - **`-sO`:** Protocol Ip scan. Sends bad and empty headers in which sometimes not even the protocol can be distinguished. If ICMP unreachable protocol arrives it is closed, if unreachable port arrives it is open, if another error arrives, filtered, if nothing arrives, open|filtered.
-- **`-b <server>`:** FTPhost--> It is used to scan a host from another one, this is done by connecting the ftp of another machine and asking it to send files to the ports that you want to scan from another machine, according to the answers we will know if they are open or not. \[\<user>:\<password>@]\<server>\[:\<port>] Almost all ftps servers no longer let you do this and therefore it is of little practical use.
+- **`-b <server>`:** FTPhost--> It is used to scan a host from another one, this is done by connecting the ftp of another machine and asking it to send files to the ports that you want to scan from another machine, according to the answers we will know if they are open or not. [\<user>:\<password>@]\<server>\[:\<port>] Almost all ftps servers no longer let you do this and therefore it is of little practical use.
 
 ### **Focus Analysis**
 
@@ -257,7 +257,143 @@ Moreover, probes which do not have a specifically defined **`servicewaitms`** us
 If you don't want to change the values of **`totalwaitms`** and **`tcpwrappedms`** at all in the `/usr/share/nmap/nmap-service-probes` file, you can edit the [parsing code](https://github.com/nmap/nmap/blob/master/service_scan.cc#L1358) such that these values in the `nmap-service-probes` file are completely ignored.
 
 
-{{#include ../../banners/hacktricks-training.md}}
+## Build a static Nmap for restricted environments
+
+In hardened or minimal Linux environments (containers, appliances), dynamically linked Nmap binaries often fail due to missing runtime loaders or shared libraries (e.g., /lib64/ld-linux-x86-64.so.2, libc.so). Building your own statically linked Nmap and bundling NSE data allows execution without installing system packages.
+
+High-level approach
+- Use a clean amd64 Ubuntu builder via Docker.
+- Build OpenSSL and PCRE2 as static libraries.
+- Build Nmap linking statically and using the included libpcap/libdnet to avoid dynamic deps.
+- Bundle NSE scripts and data directories with the binary.
+
+Discover target architecture (example)
+```bash
+uname -a
+# If building from macOS/ARM/etc., pin the builder arch:
+docker run --rm --platform=linux/amd64 -v "$(pwd)":/out -w /tmp ubuntu:22.04 bash -lc 'echo ok'
+```
+
+Step 1 — Prepare toolchain
+```bash
+set -euo pipefail
+export DEBIAN_FRONTEND=noninteractive
+apt-get update && apt-get install -y --no-install-recommends \
+  build-essential ca-certificates curl bzip2 xz-utils pkg-config perl python3 file git \
+  automake autoconf libtool m4 zlib1g-dev
+```
+
+Step 2 — Build static OpenSSL (1.1.1w)
+```bash
+OSSL="1.1.1w"
+curl -fsSLO "https://www.openssl.org/source/openssl-$OSSL.tar.gz"
+tar xzf "openssl-$OSSL.tar.gz" && cd "openssl-$OSSL"
+./Configure no-shared no-zlib linux-x86_64 -static --prefix=/opt/ossl
+make -j"$(nproc)" && make install_sw
+cd /tmp
+```
+
+Step 3 — Build static PCRE2 (10.43)
+```bash
+PCRE2=10.43
+curl -fsSLO "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-$PCRE2/pcre2-$PCRE2.tar.bz2"
+tar xjf "pcre2-$PCRE2.tar.bz2" && cd "pcre2-$PCRE2"
+./configure --disable-shared --enable-static --prefix=/opt/pcre2
+make -j"$(nproc)" && make install
+cd /tmp
+```
+
+Step 4 — Build static Nmap (7.98)
+```bash
+NMAP=7.98
+curl -fsSLO "https://nmap.org/dist/nmap-$NMAP.tar.bz2"
+tar xjf "nmap-$NMAP.tar.bz2" && cd "nmap-$NMAP"
+export CPPFLAGS="-I/opt/ossl/include -I/opt/pcre2/include"
+export LDFLAGS="-L/opt/ossl/lib -L/opt/pcre2/lib -static -static-libstdc++ -static-libgcc"
+export LIBS="-lpcre2-8 -ldl -lpthread -lz"
+./configure \
+  --with-openssl=/opt/ossl \
+  --with-libpcre=/opt/pcre2 \
+  --with-libpcap=included \
+  --with-libdnet=included \
+  --without-zenmap --without-ndiff --without-nmap-update
+# Avoid building shared libpcap by accident
+sed -i -e "s/^shared: /shared: #/" libpcap/Makefile || true
+make -j1 V=1 nmap
+strip nmap
+```
+Key points
+- -static, -static-libstdc++, -static-libgcc force static linkage.
+- Using --with-libpcap=included/--with-libdnet=included avoids system-shared libs.
+- sed tweak neuters a shared libpcap target if present.
+
+Step 5 — Bundle binary and NSE data
+```bash
+mkdir -p /out/nmap-bundle/nmap-data
+cp nmap /out/nmap-bundle/nmap-linux-amd64-static
+cp -r scripts nselib /out/nmap-bundle/nmap-data/
+cp nse_main.lua nmap-services nmap-protocols nmap-service-probes \
+   nmap-mac-prefixes nmap-os-db nmap-payloads nmap-rpc \
+   /out/nmap-bundle/nmap-data/ 2>/dev/null || true
+
+tar -C /out -czf /out/nmap-linux-amd64-static-bundle.tar.gz nmap-bundle
+```
+
+Verification and ops notes
+- Use file on the artifact to confirm it is statically linked.
+- Keep NSE data with the binary to ensure script parity on hosts without Nmap installed.
+- Even with a static binary, execution may be blocked by AppArmor/seccomp/SELinux; DNS/egress must still work.
+- Deterministic builds reduce supply-chain risk vs downloading opaque “static” binaries.
+
+One-liner (Dockerized)
+<details>
+<summary>Build, bundle, and print artifact info</summary>
+
+```bash
+docker run --rm --platform=linux/amd64 -v "$(pwd)":/out -w /tmp ubuntu:22.04 bash -lc '
+  set -euo pipefail
+  export DEBIAN_FRONTEND=noninteractive
+  apt-get update && apt-get install -y --no-install-recommends \
+    build-essential ca-certificates curl bzip2 xz-utils pkg-config perl python3 file git \
+    automake autoconf libtool m4 zlib1g-dev
+
+  OSSL="1.1.1w"; curl -fsSLO "https://www.openssl.org/source/openssl-$OSSL.tar.gz" \
+    && tar xzf "openssl-$OSSL.tar.gz" && cd "openssl-$OSSL" \
+    && ./Configure no-shared no-zlib linux-x86_64 -static --prefix=/opt/ossl \
+    && make -j"$(nproc)" && make install_sw && cd /tmp
+
+  PCRE2=10.43; curl -fsSLO "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-$PCRE2/pcre2-$PCRE2.tar.bz2" \
+    && tar xjf "pcre2-$PCRE2.tar.bz2" && cd "pcre2-$PCRE2" \
+    && ./configure --disable-shared --enable-static --prefix=/opt/pcre2 \
+    && make -j"$(nproc)" && make install && cd /tmp
+
+  NMAP=7.98; curl -fsSLO "https://nmap.org/dist/nmap-$NMAP.tar.bz2" \
+    && tar xjf "nmap-$NMAP.tar.bz2" && cd "nmap-$NMAP" \
+    && export CPPFLAGS="-I/opt/ossl/include -I/opt/pcre2/include" \
+    && export LDFLAGS="-L/opt/ossl/lib -L/opt/pcre2/lib -static -static-libstdc++ -static-libgcc" \
+    && export LIBS="-lpcre2-8 -ldl -lpthread -lz" \
+    && ./configure --with-openssl=/opt/ossl --with-libpcre=/opt/pcre2 --with-libpcap=included --with-libdnet=included --without-zenmap --without-ndiff --without-nmap-update \
+    && sed -i -e "s/^shared: /shared: #/" libpcap/Makefile || true \
+    && make -j1 V=1 nmap && strip nmap
+
+  mkdir -p /out/nmap-bundle/nmap-data \
+    && cp nmap /out/nmap-bundle/nmap-linux-amd64-static \
+    && cp -r scripts nselib /out/nmap-bundle/nmap-data/ \
+    && cp nse_main.lua nmap-services nmap-protocols nmap-service-probes nmap-mac-prefixes nmap-os-db nmap-payloads nmap-rpc /out/nmap-bundle/nmap-data/ 2>/dev/null || true \
+    && tar -C /out -czf /out/nmap-linux-amd64-static-bundle.tar.gz nmap-bundle \
+    && echo "===== OUTPUT ====="; ls -lah /out; echo "===== FILE TYPE ====="; file /out/nmap-bundle/nmap-linux-amd64-static || true
+'
+```
+
+</details>
+
+## References
 
+- [Compiling static Nmap binary for jobs in restricted environments](https://www.pentestpartners.com/security-blog/compiling-static-nmap-binary-for-jobs-in-restricted-environments/)
+- [Static Nmap Binary Generator (helper tool)](https://github.com/0x5ubt13/static_nmap_binary_generator)
+- [OpenSSL sources](https://www.openssl.org/source/)
+- [PCRE2 releases](https://github.com/PCRE2Project/pcre2/releases)
+- [Nmap source tarballs](https://nmap.org/dist/)
 
 
+{{#include ../../banners/hacktricks-training.md}}
