NPSL License Restrictions and Open-Source Fingerprint Alternatives
Nmap is the gold standard of network scanning, and its fingerprint databases (nmap-os-db, nmap-service-probes) represent over two decades of accumulated knowledge. However, since Nmap 7.90 (2021), Nmap’s license was changed from GPLv2 to NPSL (Nmap Public Source License), adding many restrictions beyond standard GPL terms.
This means: even open-source projects that read or embed Nmap’s fingerprint data files may constitute derivative works of Nmap and must be released under an NPSL-compatible license. For closed-source commercial products, the compliance risk is even more severe—either open-source the entire project under NPSL, or pay a one-time OEM license fee of $59,980~$119,980.
This article provides an in-depth analysis of NPSL’s key clauses, evaluates compliance risks across various use cases, and recommends fully NPSL-free open-source fingerprint alternative solutions.
NPSL License Deep Dive
Nmap transitioned from GPLv2 to NPSL starting with version 7.90 (initial version v0.92), and updated to NPSL v0.95 with version 7.94. NPSL is restructured on the basis of GPLv2 but adds several restrictions beyond standard GPLv2.
NPSL Core Features
| Feature | Description |
|---|---|
| Base License | Based on GPLv2, retains copyleft requirements |
| Additional Restriction 1 | Prohibits using Nmap technology in “competitive network scanning products” |
| Additional Restriction 2 | Derivative works must be published under an NPSL-compatible license |
| Additional Restriction 3 | Commercial embedded use requires OEM license purchase |
| Coverage Scope | Source code, binaries, and data files (nmap-os-db, nmap-service-probes, etc.) |
Key Differences: NPSL vs Standard GPLv2
| Clause | GPLv2 | NPSL |
|---|---|---|
| Derivative work licensing | Any GPLv2-compatible license | Must be NPSL-compatible |
| Commercial competitive products | No restriction | Explicitly prohibited for competitive products |
| Data file coverage | Data files typically not covered | Explicitly covers fingerprint data files |
| Embedded use | No restriction | Requires OEM license |
| Network service clause | None | None (no AGPL-style network copyleft) |
Note: NPSL does not have an AGPL-style “network service” clause. If your SaaS service only consumes Nmap scan results via REST APIs (without distributing modified code or embedding fingerprint data), the distribution clauses may not apply. However, this does not grant blanket permission to use Nmap fingerprint data files—see the next section for details.
Derivative Works and Compliance Risks
NPSL’s broad definition of “derivative work” is the most critical clause in the entire license, and also the source of the greatest compliance risk for developers.
Broad Definition of Derivative Works
NPSL explicitly states that the following actions constitute derivative works:
| Action | Constitutes Derivative? | Description |
|---|---|---|
| Modifying Nmap source code | ✅ Yes | Standard GPL derivative definition |
| Linking Nmap libraries | ✅ Yes | Standard GPL derivative definition |
| Reading Nmap data files | ✅ Yes | NPSL-specific: Any program that “reads or includes Covered Software data files, such as nmap-os-db or nmap-service-probes” is considered a derivative work |
| Invoking Nmap binary | ⚠️ Case-by-case | Via exec/subprocess with output parsing—legally controversial |
| Parsing Nmap XML output | ⚠️ Case-by-case | Whether output itself is covered by NPSL is disputed |
| Using Nmap fingerprint format for reference only | ❌ No | Formats themselves are not copyrightable |
flowchart TD
A["Modified Nmap<br/>source code?"] --> B["Yes: Derivative work<br/>Must open-source<br/>under NPSL"]
A --> C["No"]
C --> D["Reads or embeds<br/>Nmap data files?"]
D --> E["Yes: Derivative work<br/>NPSL-specific clause"]
D --> F["No"]
F --> G["Calls Nmap binary<br/>via subprocess?"]
G --> H["Yes: Gray area<br/>Consult legal counsel"]
G --> I["No: Not a<br/>derivative work"]
style B fill:#f44336,color:#fff
style E fill:#FF9800,color:#fff
style H fill:#FF9800,color:#fff
style I fill:#4CAF50,color:#fffDecision tree explanation: Modifying Nmap source code (red) always constitutes a derivative work. Even without source modification, reading or embedding Nmap fingerprint data files (orange) still constitutes a derivative work—this is the critical clause where NPSL goes beyond standard GPL. Calling the Nmap binary via subprocess (orange) falls into a legal gray area. Completely avoiding Nmap code and data (green) is the safest approach.
Core Compliance Risks
The biggest risk point: NPSL explicitly states that any program that “reads or includes Covered Software data files, such as nmap-os-db or nmap-service-probes” is considered a derivative work of Nmap and must be released under an NPSL-compatible license. This means:
- Direct fingerprint database loading: If your tool directly reads
nmap-os-dbornmap-service-probesfiles, your tool is a derivative work and must be open-sourced (NPSL-compatible) - Embedding fingerprint data: Embedding Nmap fingerprint data into your binary (as some third-party libraries do) also constitutes a derivative work
- Commercial product restrictions: Even if open-sourced, derivative works cannot be used in “competitive network scanning products”
- naabu trap: naabu itself is MIT-licensed, but its
-sVservice detection feature directly usesnmap-service-probes, so it remains NPSL-constrained when using this feature
Commercial OEM Licensing
For projects that cannot comply with NPSL open-source requirements, Nmap offers commercial OEM licensing. Note that the license fee is a one-time permanent payment, with annual maintenance being optional.
| License Tier | Permanent Fee (One-Time) | Optional Annual Maintenance | Use Case |
|---|---|---|---|
| Small OEM | $59,980 | $17,980/year | Small teams / startups, below revenue threshold. First year with maintenance totals $77,960 |
| Enterprise OEM | $119,980 | $29,980/year | Large enterprises, no revenue limit. First year with maintenance totals $149,960 |
| Custom License | Negotiable | Negotiable | Special requirements (e.g., embedded device vendors) |
Key benefits of OEM licensing:
- Permits embedding Nmap technology in proprietary/closed-source products
- Permits use in competitive products
- Includes technical support
- Permanent license fee is a one-time payment; annual maintenance is optional (includes upgrades and support)
Compliance Scenario Analysis
| Use Case | Compliance Method | Risk Level |
|---|---|---|
| Personal learning / research | Open-source under NPSL | 🟢 Low |
| Open-source security tool (GPLv2-compatible) | Release under NPSL | 🟢 Low |
| Open-source tool (non-GPL license) | Switch to NPSL or buy OEM | 🟡 Medium |
| Commercial product (closed-source) | Must purchase OEM license | 🔴 High (violation without license) |
| Commercial product (open-source but non-NPSL) | Buy OEM or switch to NPSL | 🔴 High |
| SaaS service (no binary distribution) | NPSL has no network clause, but data file use still restricted | 🟡 Medium |
| Parsing Nmap XML output only | Legal gray area, consult attorney | 🟡 Medium |
| Directly reading nmap-service-probes | Must open-source under NPSL or buy OEM | 🔴 High |
Key conclusion: If your project is a closed-source commercial product, or you do not wish to release your open-source project under NPSL, directly reading or embedding Nmap’s fingerprint databases (
nmap-os-db,nmap-service-probes) presents serious compliance risks. This is the core motivation for seeking alternative fingerprint libraries.
Alternative Selection Criteria
When evaluating alternatives to Nmap’s fingerprint databases, consider the following dimensions:
| Dimension | Weight | Description |
|---|---|---|
| License Compliance | ★★★★★ | Released under permissive license (Apache-2.0/MIT/BSD) to fully avoid NPSL restrictions |
| Fingerprint Coverage | ★★★★☆ | Number of protocols/services/OS supported, whether fingerprints are self-developed (not dependent on Nmap) |
| Project Activity | ★★★★☆ | Recent commits, release frequency, issue response time |
| Language Ecosystem | ★★★☆☆ | Ease of integration into Go/Rust projects |
| Performance | ★★★☆☆ | Scan speed, concurrency capability |
| OS Fingerprint Support | ★★★☆☆ | Whether OS identification is supported (one of Nmap’s core strengths) |
Service Fingerprint Alternatives
fingerprintx (Praetorian) — Best Alternative
| Property | Details |
|---|---|
| License | Apache-2.0 (✅ Permissive, avoids NPSL) |
| Language | Go (99.9%) |
| Protocol Coverage | 51 self-developed service detection plugins, covering TCP/UDP |
| OS Fingerprint | None (service layer only) |
| Latest Version | v1.1.19 (2026-01-01) |
| Activity | 147 commits, 26 releases, 140 dependents |
| GitHub | https://github.com/praetorian-inc/fingerprintx |
Supported protocols include: HTTP/HTTPS, SSH, RDP, MySQL, PostgreSQL, MSSQL, OracleDB, MongoDB, Redis, Kafka, MQTT, SMB, VNC, Telnet, DNS, LDAP, Modbus, IPMI, Diameter, SMPP, and vector databases ChromaDB/Milvus/Pinecone.
Key advantages:
- Completely independent of nmap-service-probes, all plugins are self-developed—a truly clean NPSL alternative
- JSON output, usable as a library
- Fast mode prioritizes default service ports
- Apache-2.0 license permits commercial closed-source use
masscan — High-Speed Scanning + Banner Grabbing
| Property | Details |
|---|---|
| License | AGPL-3.0 (⚠️ copyleft, includes network service clause) |
| Language | C |
| Protocol Coverage | ~13 protocol banner grabbers (FTP/HTTP/IMAP4/memcached/POP3/SMTP/SSH/SSL/SMBv1/v2/Telnet/RDP/VNC) |
| OS Fingerprint | None |
| Latest Version | 1.3.x (actively maintained) |
| Activity | 892 commits, last commit 2026-04 |
| GitHub | https://github.com/robertdavidgraham/masscan |
Key features: Self-developed async TCP/IP stack, 10 million packets/second on a single machine, can scan the entire internet in 5 minutes; output compatible with Nmap (XML/grepable/JSON); built-in banner grabbing (not dependent on Nmap libraries).
License risk: AGPL-3.0 includes a network service clause—if you provide the service over a network, you must open-source all code.
ZMap + ZGrab2 — Internet-Scale Scanning
| Property | ZMap | ZGrab2 |
|---|---|---|
| License | Apache-2.0 (✅ Permissive) | Apache-2.0 (✅ Permissive) |
| Language | C (84.8%) + Python | Go |
| Function | Stateless single-packet probe (TCP SYN/ICMP/DNS/UPnP/BACNET) | Application layer handshakes (HTTP/TLS/SSH/MySQL/Redis, etc.) |
| Latest Version | v4.3.4 (2025-05-12) | Continuously updated |
| Activity | 1,411 commits, last commit 2026-05 | Active |
| GitHub | https://github.com/zmap/zmap | https://github.com/zmap/zgrab2 |
Key features: Scans a single IPv4 port in 45 minutes on gigabit ethernet, 5 minutes on 10G with netmap/PF_RING; widely cited in academic research (USENIX Security); ZGrab2 performs application layer handshakes but requires pre-specified protocols, no automatic identification.
NPSL Warning About naabu
Important warning: naabu itself (github.com/projectdiscovery/naabu) is MIT-licensed, but its service version detection (-sV) directly uses nmap-service-probes (NPSL!). Therefore, from a service fingerprint perspective, it does not truly avoid NPSL. If your project depends on naabu’s -sV functionality for service version identification, you remain NPSL-constrained. Only the port scanning portion can be safely used.
OS Fingerprint Alternatives
p0f — Passive OS Fingerprinting
| Property | Details |
|---|---|
| License | Apache-2.0 (✅ Permissive, avoids NPSL) |
| Language | C |
| Protocol Coverage | TCP/IP (SYN/SYN+ACK stack fingerprints), HTTP application layer fingerprints |
| OS Fingerprint | ✅ Yes (passive) — identifies OS, system uptime, NAT/proxy detection, link type |
| Latest Version | v3.09b (2016) |
| Activity | 21 commits, last commit 2019-02 — essentially unmaintained |
| GitHub | https://github.com/p0f/p0f |
Key features: Purely passive sniffing (identifies OS from a single SYN), ideal for scenarios where Nmap’s active probing would be blocked or trigger alerts; provides unix socket API for third-party queries; MTU/uptime/NAT detection; includes p0f.fp fingerprint database.
Limitations: Project is no longer maintained, fingerprint database is not updated; passive mode cannot actively probe specific targets.
JA4+ (FoxIO) — Network Fingerprint Standard
| Property | Details |
|---|---|
| License | Mixed — JA4 (TLS Client) is BSD-3-Clause (✅ Permissive); JA4S/JA4L/JA4H/JA4X/JA4SSH/JA4T/JA4TS/JA4TScan are FoxIO License 1.1 (⚠️ No commercial resale) |
| Language | Rust / Python / C (Wireshark plugin) / Zeek |
| Protocol Coverage | TLS, HTTP, SSH, X.509, TCP, DHCP/DHCPv6 |
| OS Fingerprint | ✅ Yes — JA4T (passive TCP fingerprint), JA4TScan (active TCP scan) |
| Latest Version | Rust ~v0.18.5; Zeek v1.2 (2025-11) |
| Activity | 503 commits, last commit 2026-05, 49 tags |
| GitHub | https://github.com/FoxIO-LLC/ja4 |
Key features: a_b_c token format preserves locality for substring search; widely integrated by Wireshark/Zeek/Cloudflare/AWS/Palo Alto; supports both active scanning and passive detection; fingerprint database ja4db.com under active development.
License note: JA4 core is BSD-3 (permissive); FoxIO License 1.1 for other methods is permissive for academic/internal use, but commercial product resale requires OEM authorization.
Port Scanning Alternatives
naabu (ProjectDiscovery)
| Property | Details |
|---|---|
| License | MIT (✅ Permissive) |
| Language | Go |
| Function | SYN/CONNECT/UDP port scanning |
| OS Fingerprint | None |
| Latest Version | v2.x (continuously updated) |
| Activity | 2,091 commits, last commit 2026-07-03 — very active |
| GitHub | https://github.com/projectdiscovery/naabu |
Key features: Lightweight, CDN/WAF exclusion, IPv4/IPv6, Shodan InternetDB passive enumeration, pipeline-friendly.
⚠️ Important warning: naabu is MIT-licensed, but its service version detection (
-sV) directly uses nmap-service-probes (NPSL!). Therefore, from a service fingerprint perspective, it does not truly avoid NPSL. Only the port scanning portion can be safely used.
Port Scanner Comparison
| Feature | Nmap | masscan | ZMap | naabu |
|---|---|---|---|---|
| License | NPSL | AGPL-3.0 | Apache-2.0 | MIT |
| Scan Speed | Medium | Extremely fast (10M pps) | Extremely fast (full net in 45min) | Fast |
| SYN Scan | ✅ | ✅ | ✅ | ✅ |
| UDP Scan | ✅ | Limited | ✅ (modular) | ✅ |
| Service Detection | ✅ (NPSL) | Banner only | ZGrab2 | ✅ (⚠️ NPSL) |
| OS Detection | ✅ (NPSL) | ❌ | ❌ | ❌ |
| Avoids NPSL | — | ✅ | ✅ | ⚠️ Partial |
Web Technology Fingerprint Alternatives
Nmap is not particularly strong in web technology fingerprinting. The following tools excel in this domain, and some have permissive licenses.
httpx (ProjectDiscovery) — Best Web Probe
| Property | Details |
|---|---|
| License | MIT (✅ Permissive, avoids NPSL) |
| Language | Go |
| Function | URL/status code/title/TLS cert/CSP/CDN/JARM/favicon hash/Web Server/Technology detection (based on Wappalyzer dataset), screenshot, ASN |
| Latest Version | v1.8.x |
| Activity | 2,791 commits, last commit 2026-06, 65 tags — very active |
| GitHub | https://github.com/projectdiscovery/httpx |
Key features: Multi-threaded reliable probing, https↔http auto-fallback, pipeline-friendly, custom fingerprint file -cff, CPE output, built-in Wappalyzer dataset for technology detection -td.
WhatWeb — Web Scanner
| Property | Details |
|---|---|
| License | GPL-2.0 (⚠️ copyleft, avoids NPSL but has copyleft restrictions) |
| Language | Ruby |
| Plugin Count | 1800+ plugins |
| Latest Version | v0.6.4 (2026-04-03) |
| Activity | 6.7k stars, still updated in 2026 — active |
| GitHub | https://github.com/urbanadventurer/WhatWeb |
Key features: Tiered probing (stealthy→aggressive→heavy), single-request identification; multiple log formats (XML/JSON/SQL/MongoDB/ElasticSearch); Google Dork integration; fuzzy matching.
Wappalyzer — Web Technology Fingerprints
| Property | Details |
|---|---|
| License | GPL-3.0 (⚠️ copyleft) |
| Language | JavaScript/Node.js |
| Function | Web technology stack identification — CMS, frameworks, e-commerce, JS libraries, analytics tools, web servers |
| Activity | Core repository active; fingerprint dataset reused by many tools |
| GitHub | https://github.com/wappalyzer/wappalyzer |
Key features: Browser extension + CLI; CPE support; industry de facto standard; fingerprint rules in src/technologies/ (regex matching HTML/JS/headers/cookies/meta/DNS, etc.).
TideFinger — Chinese CMS Fingerprint Database
| Property | Details |
|---|---|
| License | ❌ Not explicitly declared (no LICENSE file in repository) |
| Language | Python |
| Fingerprint Count | ~5,900 CMS fingerprints + ~2,119 fofa rules |
| Activity | 26 commits, last commit 2021-08 — no longer maintained |
| GitHub | https://github.com/TideSec/TideFinger |
Key features: Integrates Wappalyzer, webanalyzer, fofa, WhatWeb rules; traditional + modern detection methods (MD5/URL/Header/Regex/Directory matching); suitable for Chinese CMS identification.
⚠️ License risk: TideFinger has no LICENSE file, creating legal uncertainty—not recommended for commercial use. Also note that the original TophantTechnology/ARL repository has been deleted; community-maintained forks (e.g., Aabyss-Team/ARL) use the MIT license.
Comprehensive Comparison Table
| # | Library | License | Type | Language | OS FP | Service/Web Coverage | Latest Version | Activity | Avoids NPSL |
|---|---|---|---|---|---|---|---|---|---|
| 1 | fingerprintx | Apache-2.0 | Service FP | Go | None | 51 protocols (TCP/UDP) | v1.1.19 (2026-01) | Medium | ✅ Permissive |
| 2 | p0f | Apache-2.0 | Passive OS FP | C | ✅ Passive | TCP/IP+HTTP | v3.09b (2016) | Low (unmaintained) | ✅ Permissive |
| 3 | masscan | AGPL-3.0 | Port scan+banner | C | None | ~13 protocol banners | Active dev | High | ⚠️ Copyleft |
| 4 | ZMap+ZGrab2 | Apache-2.0 | Internet-scale scan | C+Go | None | Single-packet + app handshake | v4.3.4 (2025-05) | High | ✅ Permissive |
| 5 | naabu | MIT | Port scan | Go | None | -sV reuses nmap DB | v2.x | Very High | ⚠️ SV still NPSL |
| 6 | JA4+ | BSD-3+FoxIO1.1 | Network FP standard | Rust/Py/C | ✅ (JA4T/TScan) | TLS/HTTP/SSH/TCP/DHCP | v0.18.x | High | ⚠️ Partially permissive |
| 7 | TideFinger | Unclear | Chinese CMS FP | Python | None | Web (CMS) ~5,900 | No release | Low (2021) | ❌ Unclear license |
| 8 | Wappalyzer | GPL-3.0 | Web tech FP | JS | None | Web tech stack | Active dev | High | ⚠️ Copyleft |
| 9 | WhatWeb | GPL-2.0 | Web scanner | Ruby | None | 1800+ plugins | v0.6.4 (2026-04) | High | ⚠️ Copyleft |
| 10 | httpx | MIT | Web probe | Go | None | HTTP full dim. + Wappalyzer | v1.8.x | Very High | ✅ Permissive |
Fingerprint Capability Comparison (vs Nmap)
OS Fingerprint Dimension (vs nmap-os-db)
| Solution | Capability | vs Nmap |
|---|---|---|
| nmap-os-db | Active TCP/IP stack probing, 6,036+ fingerprints | Baseline (most comprehensive) |
| p0f | Passive stack fingerprint, built-in p0f.fp | Passive, no alert generation; smaller but practical fingerprint DB; ideal when active probing is not possible |
| JA4T/JA4TScan | TCP fingerprint + DHCP fingerprint | Modern approach, identifies mainstream OS; ja4db.com growing; supports both active and passive |
| Others | No OS fingerprint capability | — |
Service Fingerprint Dimension (vs nmap-service-probes)
| Solution | Capability | vs Nmap |
|---|---|---|
| nmap-service-probes | 12,089+ signatures, 1,246+ protocols | Baseline (most comprehensive, but NPSL) |
| fingerprintx | 51 self-developed plugins | Cleanest NPSL alternative; covers mainstream databases/middleware/remote access/industrial protocols |
| masscan | ~13 protocol banners | Self-developed; more banner-oriented, less depth than Nmap |
| ZMap + ZGrab2 | ZGrab2 app layer handshake | Self-developed; requires pre-specified protocols, no auto-identification |
naabu -sV | Reuses nmap-service-probes | Does not avoid NPSL, just a Go wrapper around Nmap’s database |
Fully NPSL-Free Combination Stack
The following combination builds a complete system covering port scanning, service detection, OS identification, and web fingerprinting without touching any NPSL-licensed fingerprint libraries:
flowchart TD
A["NPSL-Free<br/>Fingerprint System"] --> B["Port Scan Layer"]
A --> C["Service FP Layer"]
A --> D["OS FP Layer"]
A --> E["Web FP Layer"]
B --> B1["ZMap<br/>Apache-2.0<br/>Internet SYN scan"]
B --> B2["naabu<br/>MIT<br/>Disable -sV"]
B --> B3["masscan<br/>AGPL-3.0<br/>Ultra-fast scan"]
C --> C1["fingerprintx<br/>Apache-2.0<br/>51 protocols"]
C --> C2["ZGrab2<br/>Apache-2.0<br/>App handshake"]
D --> D1["p0f<br/>Apache-2.0<br/>Passive TCP/IP"]
D --> D2["JA4T/JA4TScan<br/>BSD-3/FoxIO<br/>Next-gen TCP"]
E --> E1["httpx<br/>MIT<br/>HTTP full dim."]
E --> E2["WhatWeb<br/>GPL-2.0<br/>1800+ plugins"]
style A fill:#2196F3,color:#fff
style B fill:#4CAF50,color:#fff
style C fill:#4CAF50,color:#fff
style D fill:#4CAF50,color:#fff
style E fill:#4CAF50,color:#fffArchitecture explanation: Four-layer stack from bottom up. Port scanning uses ZMap (internet-scale), naabu without -sV (internal network), and masscan (note AGPL copyleft). Service fingerprinting centers on fingerprintx’s 51 self-developed protocol plugins, supplemented by ZGrab2 for application handshakes. OS fingerprinting pairs p0f’s passive sniffing with JA4T’s next-gen TCP fingerprints. Web fingerprinting is covered by httpx and WhatWeb for full-dimensional web technology stack detection.
Scenario-Based Recommendations
| Use Case | Recommended Solution | Reason |
|---|---|---|
| Service fingerprint (clean) | fingerprintx | Apache-2.0, 51 self-developed protocol plugins, no Nmap dependency |
| OS fingerprint (passive) | p0f | Apache-2.0, passive sniffing without alerts; but no longer maintained |
| OS fingerprint (modern) | JA4T/JA4TScan | Modern, active; note FoxIO license restrictions on commercial use |
| High-speed / full internet scan | ZMap + ZGrab2 | Apache-2.0, academically validated |
| High-speed port scan | masscan | AGPL-3.0, be aware of network copyleft clause |
| Web tech fingerprint | httpx | MIT, embedded Wappalyzer dataset |
| Deep web scan | WhatWeb | 1800+ plugins, GPL-2.0 |
| Port scan (MIT) | naabu (scan only) | MIT, but disable -sV to avoid triggering NPSL |
Combined Stack vs Nmap Coverage
| Capability Dimension | Nmap (NPSL) | NPSL-Free Combined Stack | Coverage |
|---|---|---|---|
| Port scanning | ✅ SYN/Connect/UDP | ✅ ZMap + naabu | 95% |
| Service detection | ✅ 12,089 sigs / 1,246 protocols | ⚠️ fingerprintx 51 protocols + ZGrab2 | ~60% |
| OS detection | ✅ 6,036 fingerprints | ⚠️ p0f passive + JA4T active | ~40% |
| Web fingerprinting | ❌ Mostly unsupported | ✅ httpx + WhatWeb (exceeds Nmap) | 200% |
| MAC OUI | ✅ 30,000+ | ❌ Must implement separately | 0% |
| NSE scripts | ✅ 600+ | ❌ No direct replacement | 0% |
Summary
Nmap’s NPSL license and its broad definition of fingerprint data file usage introduces significant compliance risks for projects building upon Nmap’s fingerprint databases. Key takeaways:
Understand NPSL boundaries: Reading or embedding
nmap-os-db/nmap-service-probesconstitutes a derivative work, requiring NPSL-compatible open-source release. Closed-source commercial products must purchase OEM licensing ($59,980~$119,980 one-time).naabu’s
-sVis a compliance trap: While naabu is MIT-licensed, its service version detection reuses Nmap’snmap-service-probes, keeping it under NPSL constraints when using this feature.Alternatives have matured: fingerprintx (51 self-developed protocols, Apache-2.0), p0f (passive OS fingerprinting, Apache-2.0), JA4+ (next-gen TCP fingerprint standard), ZMap+ZGrab2 (internet-scale scanning, Apache-2.0), httpx (web probing, MIT) are all production-ready solutions.
Combined approach works best: No single alternative can fully replace all of Nmap’s capabilities, but a four-layer stack combining port scanning + service fingerprinting + OS fingerprinting + web fingerprinting can cover core requirements without touching any NPSL-licensed fingerprint databases.
Gaps remain: The NPSL-Free combined stack still has gaps in service detection depth (~60% protocol coverage) and OS fingerprint scale (~40%). If you need Nmap-level fingerprint depth, you must either accept NPSL open-source obligations or purchase an OEM commercial license.