NPSL License Restrictions and Open-Source Fingerprint Alternatives

Nmap is the gold standard of network scanning, and its fingerprint databases (nmap-os-db, nmap-service-probes) represent over two decades of accumulated knowledge. However, since Nmap 7.90 (2021), Nmap’s license was changed from GPLv2 to NPSL (Nmap Public Source License), adding many restrictions beyond standard GPL terms.

This means: even open-source projects that read or embed Nmap’s fingerprint data files may constitute derivative works of Nmap and must be released under an NPSL-compatible license. For closed-source commercial products, the compliance risk is even more severe—either open-source the entire project under NPSL, or pay a one-time OEM license fee of $59,980~$119,980.

This article provides an in-depth analysis of NPSL’s key clauses, evaluates compliance risks across various use cases, and recommends fully NPSL-free open-source fingerprint alternative solutions.


NPSL License Deep Dive

Nmap transitioned from GPLv2 to NPSL starting with version 7.90 (initial version v0.92), and updated to NPSL v0.95 with version 7.94. NPSL is restructured on the basis of GPLv2 but adds several restrictions beyond standard GPLv2.

NPSL Core Features

FeatureDescription
Base LicenseBased on GPLv2, retains copyleft requirements
Additional Restriction 1Prohibits using Nmap technology in “competitive network scanning products”
Additional Restriction 2Derivative works must be published under an NPSL-compatible license
Additional Restriction 3Commercial embedded use requires OEM license purchase
Coverage ScopeSource code, binaries, and data files (nmap-os-db, nmap-service-probes, etc.)

Key Differences: NPSL vs Standard GPLv2

ClauseGPLv2NPSL
Derivative work licensingAny GPLv2-compatible licenseMust be NPSL-compatible
Commercial competitive productsNo restrictionExplicitly prohibited for competitive products
Data file coverageData files typically not coveredExplicitly covers fingerprint data files
Embedded useNo restrictionRequires OEM license
Network service clauseNoneNone (no AGPL-style network copyleft)

Note: NPSL does not have an AGPL-style “network service” clause. If your SaaS service only consumes Nmap scan results via REST APIs (without distributing modified code or embedding fingerprint data), the distribution clauses may not apply. However, this does not grant blanket permission to use Nmap fingerprint data files—see the next section for details.


Derivative Works and Compliance Risks

NPSL’s broad definition of “derivative work” is the most critical clause in the entire license, and also the source of the greatest compliance risk for developers.

Broad Definition of Derivative Works

NPSL explicitly states that the following actions constitute derivative works:

ActionConstitutes Derivative?Description
Modifying Nmap source code✅ YesStandard GPL derivative definition
Linking Nmap libraries✅ YesStandard GPL derivative definition
Reading Nmap data filesYesNPSL-specific: Any program that “reads or includes Covered Software data files, such as nmap-os-db or nmap-service-probes” is considered a derivative work
Invoking Nmap binary⚠️ Case-by-caseVia exec/subprocess with output parsing—legally controversial
Parsing Nmap XML output⚠️ Case-by-caseWhether output itself is covered by NPSL is disputed
Using Nmap fingerprint format for reference only❌ NoFormats themselves are not copyrightable
mermaid
flowchart TD
    A["Modified Nmap<br/>source code?"] --> B["Yes: Derivative work<br/>Must open-source<br/>under NPSL"]
    A --> C["No"]
    C --> D["Reads or embeds<br/>Nmap data files?"]
    D --> E["Yes: Derivative work<br/>NPSL-specific clause"]
    D --> F["No"]
    F --> G["Calls Nmap binary<br/>via subprocess?"]
    G --> H["Yes: Gray area<br/>Consult legal counsel"]
    G --> I["No: Not a<br/>derivative work"]
    style B fill:#f44336,color:#fff
    style E fill:#FF9800,color:#fff
    style H fill:#FF9800,color:#fff
    style I fill:#4CAF50,color:#fff

Decision tree explanation: Modifying Nmap source code (red) always constitutes a derivative work. Even without source modification, reading or embedding Nmap fingerprint data files (orange) still constitutes a derivative work—this is the critical clause where NPSL goes beyond standard GPL. Calling the Nmap binary via subprocess (orange) falls into a legal gray area. Completely avoiding Nmap code and data (green) is the safest approach.

Core Compliance Risks

The biggest risk point: NPSL explicitly states that any program that “reads or includes Covered Software data files, such as nmap-os-db or nmap-service-probes” is considered a derivative work of Nmap and must be released under an NPSL-compatible license. This means:

  1. Direct fingerprint database loading: If your tool directly reads nmap-os-db or nmap-service-probes files, your tool is a derivative work and must be open-sourced (NPSL-compatible)
  2. Embedding fingerprint data: Embedding Nmap fingerprint data into your binary (as some third-party libraries do) also constitutes a derivative work
  3. Commercial product restrictions: Even if open-sourced, derivative works cannot be used in “competitive network scanning products”
  4. naabu trap: naabu itself is MIT-licensed, but its -sV service detection feature directly uses nmap-service-probes, so it remains NPSL-constrained when using this feature

Commercial OEM Licensing

For projects that cannot comply with NPSL open-source requirements, Nmap offers commercial OEM licensing. Note that the license fee is a one-time permanent payment, with annual maintenance being optional.

License TierPermanent Fee (One-Time)Optional Annual MaintenanceUse Case
Small OEM$59,980$17,980/yearSmall teams / startups, below revenue threshold. First year with maintenance totals $77,960
Enterprise OEM$119,980$29,980/yearLarge enterprises, no revenue limit. First year with maintenance totals $149,960
Custom LicenseNegotiableNegotiableSpecial requirements (e.g., embedded device vendors)

Key benefits of OEM licensing:

  • Permits embedding Nmap technology in proprietary/closed-source products
  • Permits use in competitive products
  • Includes technical support
  • Permanent license fee is a one-time payment; annual maintenance is optional (includes upgrades and support)

Compliance Scenario Analysis

Use CaseCompliance MethodRisk Level
Personal learning / researchOpen-source under NPSL🟢 Low
Open-source security tool (GPLv2-compatible)Release under NPSL🟢 Low
Open-source tool (non-GPL license)Switch to NPSL or buy OEM🟡 Medium
Commercial product (closed-source)Must purchase OEM license🔴 High (violation without license)
Commercial product (open-source but non-NPSL)Buy OEM or switch to NPSL🔴 High
SaaS service (no binary distribution)NPSL has no network clause, but data file use still restricted🟡 Medium
Parsing Nmap XML output onlyLegal gray area, consult attorney🟡 Medium
Directly reading nmap-service-probesMust open-source under NPSL or buy OEM🔴 High

Key conclusion: If your project is a closed-source commercial product, or you do not wish to release your open-source project under NPSL, directly reading or embedding Nmap’s fingerprint databases (nmap-os-db, nmap-service-probes) presents serious compliance risks. This is the core motivation for seeking alternative fingerprint libraries.


Alternative Selection Criteria

When evaluating alternatives to Nmap’s fingerprint databases, consider the following dimensions:

DimensionWeightDescription
License Compliance★★★★★Released under permissive license (Apache-2.0/MIT/BSD) to fully avoid NPSL restrictions
Fingerprint Coverage★★★★☆Number of protocols/services/OS supported, whether fingerprints are self-developed (not dependent on Nmap)
Project Activity★★★★☆Recent commits, release frequency, issue response time
Language Ecosystem★★★☆☆Ease of integration into Go/Rust projects
Performance★★★☆☆Scan speed, concurrency capability
OS Fingerprint Support★★★☆☆Whether OS identification is supported (one of Nmap’s core strengths)

Service Fingerprint Alternatives

fingerprintx (Praetorian) — Best Alternative

PropertyDetails
LicenseApache-2.0 (✅ Permissive, avoids NPSL)
LanguageGo (99.9%)
Protocol Coverage51 self-developed service detection plugins, covering TCP/UDP
OS FingerprintNone (service layer only)
Latest Versionv1.1.19 (2026-01-01)
Activity147 commits, 26 releases, 140 dependents
GitHubhttps://github.com/praetorian-inc/fingerprintx

Supported protocols include: HTTP/HTTPS, SSH, RDP, MySQL, PostgreSQL, MSSQL, OracleDB, MongoDB, Redis, Kafka, MQTT, SMB, VNC, Telnet, DNS, LDAP, Modbus, IPMI, Diameter, SMPP, and vector databases ChromaDB/Milvus/Pinecone.

Key advantages:

  • Completely independent of nmap-service-probes, all plugins are self-developed—a truly clean NPSL alternative
  • JSON output, usable as a library
  • Fast mode prioritizes default service ports
  • Apache-2.0 license permits commercial closed-source use

masscan — High-Speed Scanning + Banner Grabbing

PropertyDetails
LicenseAGPL-3.0 (⚠️ copyleft, includes network service clause)
LanguageC
Protocol Coverage~13 protocol banner grabbers (FTP/HTTP/IMAP4/memcached/POP3/SMTP/SSH/SSL/SMBv1/v2/Telnet/RDP/VNC)
OS FingerprintNone
Latest Version1.3.x (actively maintained)
Activity892 commits, last commit 2026-04
GitHubhttps://github.com/robertdavidgraham/masscan

Key features: Self-developed async TCP/IP stack, 10 million packets/second on a single machine, can scan the entire internet in 5 minutes; output compatible with Nmap (XML/grepable/JSON); built-in banner grabbing (not dependent on Nmap libraries).

License risk: AGPL-3.0 includes a network service clause—if you provide the service over a network, you must open-source all code.

ZMap + ZGrab2 — Internet-Scale Scanning

PropertyZMapZGrab2
LicenseApache-2.0 (✅ Permissive)Apache-2.0 (✅ Permissive)
LanguageC (84.8%) + PythonGo
FunctionStateless single-packet probe (TCP SYN/ICMP/DNS/UPnP/BACNET)Application layer handshakes (HTTP/TLS/SSH/MySQL/Redis, etc.)
Latest Versionv4.3.4 (2025-05-12)Continuously updated
Activity1,411 commits, last commit 2026-05Active
GitHubhttps://github.com/zmap/zmaphttps://github.com/zmap/zgrab2

Key features: Scans a single IPv4 port in 45 minutes on gigabit ethernet, 5 minutes on 10G with netmap/PF_RING; widely cited in academic research (USENIX Security); ZGrab2 performs application layer handshakes but requires pre-specified protocols, no automatic identification.

NPSL Warning About naabu

Important warning: naabu itself (github.com/projectdiscovery/naabu) is MIT-licensed, but its service version detection (-sV) directly uses nmap-service-probes (NPSL!). Therefore, from a service fingerprint perspective, it does not truly avoid NPSL. If your project depends on naabu’s -sV functionality for service version identification, you remain NPSL-constrained. Only the port scanning portion can be safely used.


OS Fingerprint Alternatives

p0f — Passive OS Fingerprinting

PropertyDetails
LicenseApache-2.0 (✅ Permissive, avoids NPSL)
LanguageC
Protocol CoverageTCP/IP (SYN/SYN+ACK stack fingerprints), HTTP application layer fingerprints
OS FingerprintYes (passive) — identifies OS, system uptime, NAT/proxy detection, link type
Latest Versionv3.09b (2016)
Activity21 commits, last commit 2019-02 — essentially unmaintained
GitHubhttps://github.com/p0f/p0f

Key features: Purely passive sniffing (identifies OS from a single SYN), ideal for scenarios where Nmap’s active probing would be blocked or trigger alerts; provides unix socket API for third-party queries; MTU/uptime/NAT detection; includes p0f.fp fingerprint database.

Limitations: Project is no longer maintained, fingerprint database is not updated; passive mode cannot actively probe specific targets.

JA4+ (FoxIO) — Network Fingerprint Standard

PropertyDetails
LicenseMixed — JA4 (TLS Client) is BSD-3-Clause (✅ Permissive); JA4S/JA4L/JA4H/JA4X/JA4SSH/JA4T/JA4TS/JA4TScan are FoxIO License 1.1 (⚠️ No commercial resale)
LanguageRust / Python / C (Wireshark plugin) / Zeek
Protocol CoverageTLS, HTTP, SSH, X.509, TCP, DHCP/DHCPv6
OS FingerprintYes — JA4T (passive TCP fingerprint), JA4TScan (active TCP scan)
Latest VersionRust ~v0.18.5; Zeek v1.2 (2025-11)
Activity503 commits, last commit 2026-05, 49 tags
GitHubhttps://github.com/FoxIO-LLC/ja4

Key features: a_b_c token format preserves locality for substring search; widely integrated by Wireshark/Zeek/Cloudflare/AWS/Palo Alto; supports both active scanning and passive detection; fingerprint database ja4db.com under active development.

License note: JA4 core is BSD-3 (permissive); FoxIO License 1.1 for other methods is permissive for academic/internal use, but commercial product resale requires OEM authorization.


Port Scanning Alternatives

naabu (ProjectDiscovery)

PropertyDetails
LicenseMIT (✅ Permissive)
LanguageGo
FunctionSYN/CONNECT/UDP port scanning
OS FingerprintNone
Latest Versionv2.x (continuously updated)
Activity2,091 commits, last commit 2026-07-03 — very active
GitHubhttps://github.com/projectdiscovery/naabu

Key features: Lightweight, CDN/WAF exclusion, IPv4/IPv6, Shodan InternetDB passive enumeration, pipeline-friendly.

⚠️ Important warning: naabu is MIT-licensed, but its service version detection (-sV) directly uses nmap-service-probes (NPSL!). Therefore, from a service fingerprint perspective, it does not truly avoid NPSL. Only the port scanning portion can be safely used.

Port Scanner Comparison

FeatureNmapmasscanZMapnaabu
LicenseNPSLAGPL-3.0Apache-2.0MIT
Scan SpeedMediumExtremely fast (10M pps)Extremely fast (full net in 45min)Fast
SYN Scan
UDP ScanLimited✅ (modular)
Service Detection✅ (NPSL)Banner onlyZGrab2✅ (⚠️ NPSL)
OS Detection✅ (NPSL)
Avoids NPSL⚠️ Partial

Web Technology Fingerprint Alternatives

Nmap is not particularly strong in web technology fingerprinting. The following tools excel in this domain, and some have permissive licenses.

httpx (ProjectDiscovery) — Best Web Probe

PropertyDetails
LicenseMIT (✅ Permissive, avoids NPSL)
LanguageGo
FunctionURL/status code/title/TLS cert/CSP/CDN/JARM/favicon hash/Web Server/Technology detection (based on Wappalyzer dataset), screenshot, ASN
Latest Versionv1.8.x
Activity2,791 commits, last commit 2026-06, 65 tags — very active
GitHubhttps://github.com/projectdiscovery/httpx

Key features: Multi-threaded reliable probing, https↔http auto-fallback, pipeline-friendly, custom fingerprint file -cff, CPE output, built-in Wappalyzer dataset for technology detection -td.

WhatWeb — Web Scanner

PropertyDetails
LicenseGPL-2.0 (⚠️ copyleft, avoids NPSL but has copyleft restrictions)
LanguageRuby
Plugin Count1800+ plugins
Latest Versionv0.6.4 (2026-04-03)
Activity6.7k stars, still updated in 2026 — active
GitHubhttps://github.com/urbanadventurer/WhatWeb

Key features: Tiered probing (stealthy→aggressive→heavy), single-request identification; multiple log formats (XML/JSON/SQL/MongoDB/ElasticSearch); Google Dork integration; fuzzy matching.

Wappalyzer — Web Technology Fingerprints

PropertyDetails
LicenseGPL-3.0 (⚠️ copyleft)
LanguageJavaScript/Node.js
FunctionWeb technology stack identification — CMS, frameworks, e-commerce, JS libraries, analytics tools, web servers
ActivityCore repository active; fingerprint dataset reused by many tools
GitHubhttps://github.com/wappalyzer/wappalyzer

Key features: Browser extension + CLI; CPE support; industry de facto standard; fingerprint rules in src/technologies/ (regex matching HTML/JS/headers/cookies/meta/DNS, etc.).

TideFinger — Chinese CMS Fingerprint Database

PropertyDetails
LicenseNot explicitly declared (no LICENSE file in repository)
LanguagePython
Fingerprint Count~5,900 CMS fingerprints + ~2,119 fofa rules
Activity26 commits, last commit 2021-08 — no longer maintained
GitHubhttps://github.com/TideSec/TideFinger

Key features: Integrates Wappalyzer, webanalyzer, fofa, WhatWeb rules; traditional + modern detection methods (MD5/URL/Header/Regex/Directory matching); suitable for Chinese CMS identification.

⚠️ License risk: TideFinger has no LICENSE file, creating legal uncertainty—not recommended for commercial use. Also note that the original TophantTechnology/ARL repository has been deleted; community-maintained forks (e.g., Aabyss-Team/ARL) use the MIT license.


Comprehensive Comparison Table

#LibraryLicenseTypeLanguageOS FPService/Web CoverageLatest VersionActivityAvoids NPSL
1fingerprintxApache-2.0Service FPGoNone51 protocols (TCP/UDP)v1.1.19 (2026-01)Medium✅ Permissive
2p0fApache-2.0Passive OS FPC✅ PassiveTCP/IP+HTTPv3.09b (2016)Low (unmaintained)✅ Permissive
3masscanAGPL-3.0Port scan+bannerCNone~13 protocol bannersActive devHigh⚠️ Copyleft
4ZMap+ZGrab2Apache-2.0Internet-scale scanC+GoNoneSingle-packet + app handshakev4.3.4 (2025-05)High✅ Permissive
5naabuMITPort scanGoNone-sV reuses nmap DBv2.xVery High⚠️ SV still NPSL
6JA4+BSD-3+FoxIO1.1Network FP standardRust/Py/C✅ (JA4T/TScan)TLS/HTTP/SSH/TCP/DHCPv0.18.xHigh⚠️ Partially permissive
7TideFingerUnclearChinese CMS FPPythonNoneWeb (CMS) ~5,900No releaseLow (2021)❌ Unclear license
8WappalyzerGPL-3.0Web tech FPJSNoneWeb tech stackActive devHigh⚠️ Copyleft
9WhatWebGPL-2.0Web scannerRubyNone1800+ pluginsv0.6.4 (2026-04)High⚠️ Copyleft
10httpxMITWeb probeGoNoneHTTP full dim. + Wappalyzerv1.8.xVery High✅ Permissive

Fingerprint Capability Comparison (vs Nmap)

OS Fingerprint Dimension (vs nmap-os-db)

SolutionCapabilityvs Nmap
nmap-os-dbActive TCP/IP stack probing, 6,036+ fingerprintsBaseline (most comprehensive)
p0fPassive stack fingerprint, built-in p0f.fpPassive, no alert generation; smaller but practical fingerprint DB; ideal when active probing is not possible
JA4T/JA4TScanTCP fingerprint + DHCP fingerprintModern approach, identifies mainstream OS; ja4db.com growing; supports both active and passive
OthersNo OS fingerprint capability

Service Fingerprint Dimension (vs nmap-service-probes)

SolutionCapabilityvs Nmap
nmap-service-probes12,089+ signatures, 1,246+ protocolsBaseline (most comprehensive, but NPSL)
fingerprintx51 self-developed pluginsCleanest NPSL alternative; covers mainstream databases/middleware/remote access/industrial protocols
masscan~13 protocol bannersSelf-developed; more banner-oriented, less depth than Nmap
ZMap + ZGrab2ZGrab2 app layer handshakeSelf-developed; requires pre-specified protocols, no auto-identification
naabu -sVReuses nmap-service-probesDoes not avoid NPSL, just a Go wrapper around Nmap’s database

Fully NPSL-Free Combination Stack

The following combination builds a complete system covering port scanning, service detection, OS identification, and web fingerprinting without touching any NPSL-licensed fingerprint libraries:

mermaid
flowchart TD
    A["NPSL-Free<br/>Fingerprint System"] --> B["Port Scan Layer"]
    A --> C["Service FP Layer"]
    A --> D["OS FP Layer"]
    A --> E["Web FP Layer"]
    B --> B1["ZMap<br/>Apache-2.0<br/>Internet SYN scan"]
    B --> B2["naabu<br/>MIT<br/>Disable -sV"]
    B --> B3["masscan<br/>AGPL-3.0<br/>Ultra-fast scan"]
    C --> C1["fingerprintx<br/>Apache-2.0<br/>51 protocols"]
    C --> C2["ZGrab2<br/>Apache-2.0<br/>App handshake"]
    D --> D1["p0f<br/>Apache-2.0<br/>Passive TCP/IP"]
    D --> D2["JA4T/JA4TScan<br/>BSD-3/FoxIO<br/>Next-gen TCP"]
    E --> E1["httpx<br/>MIT<br/>HTTP full dim."]
    E --> E2["WhatWeb<br/>GPL-2.0<br/>1800+ plugins"]
    style A fill:#2196F3,color:#fff
    style B fill:#4CAF50,color:#fff
    style C fill:#4CAF50,color:#fff
    style D fill:#4CAF50,color:#fff
    style E fill:#4CAF50,color:#fff

Architecture explanation: Four-layer stack from bottom up. Port scanning uses ZMap (internet-scale), naabu without -sV (internal network), and masscan (note AGPL copyleft). Service fingerprinting centers on fingerprintx’s 51 self-developed protocol plugins, supplemented by ZGrab2 for application handshakes. OS fingerprinting pairs p0f’s passive sniffing with JA4T’s next-gen TCP fingerprints. Web fingerprinting is covered by httpx and WhatWeb for full-dimensional web technology stack detection.

Scenario-Based Recommendations

Use CaseRecommended SolutionReason
Service fingerprint (clean)fingerprintxApache-2.0, 51 self-developed protocol plugins, no Nmap dependency
OS fingerprint (passive)p0fApache-2.0, passive sniffing without alerts; but no longer maintained
OS fingerprint (modern)JA4T/JA4TScanModern, active; note FoxIO license restrictions on commercial use
High-speed / full internet scanZMap + ZGrab2Apache-2.0, academically validated
High-speed port scanmasscanAGPL-3.0, be aware of network copyleft clause
Web tech fingerprinthttpxMIT, embedded Wappalyzer dataset
Deep web scanWhatWeb1800+ plugins, GPL-2.0
Port scan (MIT)naabu (scan only)MIT, but disable -sV to avoid triggering NPSL

Combined Stack vs Nmap Coverage

Capability DimensionNmap (NPSL)NPSL-Free Combined StackCoverage
Port scanning✅ SYN/Connect/UDP✅ ZMap + naabu95%
Service detection✅ 12,089 sigs / 1,246 protocols⚠️ fingerprintx 51 protocols + ZGrab2~60%
OS detection✅ 6,036 fingerprints⚠️ p0f passive + JA4T active~40%
Web fingerprinting❌ Mostly unsupported✅ httpx + WhatWeb (exceeds Nmap)200%
MAC OUI✅ 30,000+❌ Must implement separately0%
NSE scripts✅ 600+❌ No direct replacement0%

Summary

Nmap’s NPSL license and its broad definition of fingerprint data file usage introduces significant compliance risks for projects building upon Nmap’s fingerprint databases. Key takeaways:

  1. Understand NPSL boundaries: Reading or embedding nmap-os-db/nmap-service-probes constitutes a derivative work, requiring NPSL-compatible open-source release. Closed-source commercial products must purchase OEM licensing ($59,980~$119,980 one-time).

  2. naabu’s -sV is a compliance trap: While naabu is MIT-licensed, its service version detection reuses Nmap’s nmap-service-probes, keeping it under NPSL constraints when using this feature.

  3. Alternatives have matured: fingerprintx (51 self-developed protocols, Apache-2.0), p0f (passive OS fingerprinting, Apache-2.0), JA4+ (next-gen TCP fingerprint standard), ZMap+ZGrab2 (internet-scale scanning, Apache-2.0), httpx (web probing, MIT) are all production-ready solutions.

  4. Combined approach works best: No single alternative can fully replace all of Nmap’s capabilities, but a four-layer stack combining port scanning + service fingerprinting + OS fingerprinting + web fingerprinting can cover core requirements without touching any NPSL-licensed fingerprint databases.

  5. Gaps remain: The NPSL-Free combined stack still has gaps in service detection depth (~60% protocol coverage) and OS fingerprint scale (~40%). If you need Nmap-level fingerprint depth, you must either accept NPSL open-source obligations or purchase an OEM commercial license.