Re: Nmap 2.30BETA20 Released

[Max Vision <vision () whitehats com>]

On Thu, 20 Apr 2000, Andrew Brown wrote:
> i'd also like to suggest that you distribute the "massive" services
> file that i've been maintaining for a year or so at
>
>     http://www.graffiti.com/services
>
> as the nmap-services file.  it's basically a large merge of the iana
> port-numbers list and the services files from solaris, the bsds, a few
> linuxes, and some submissions i've gotten, giving a really nice big
> list.  it's really good for scanning *everything*.  :)

Hi-

I took some time to compare the differences between the services file
distributed with nmap 2.30beta20, and the new services file that you are
maintaining.  It looks like you have roughly triple the number of port
descriptions - good job!

I can see that these short descriptions will be useful in identifying open
ports in a scan - however I wish that contributors to your list (and any
port list) would drop more hints about what the services are.  
Personally, I only recognized several of the thousands of additional ports
on your list.  Mention of an OS or application name would help with the
research - especially for those of us performing external auditing who
don't always have the immediate luxury of 'lsof -i'. (That comes soon
enough, but usually not through discovering a new hole in a completely
unknown app :)

% egrep 'udp|tcp' nmap-services|wc
   2027   10260   93904
% egrep 'udp|tcp' services | wc
   6167   32613  322661

I saw a few port ranges that I wanted to draw attention to for anyone
using the service file:

lines/ description
   64/ tcp ports for x11 (6000-6063) - this is sort of overkill..
   64/ udp ports for x11 (6000-6063) - AFAIK X doesn't use UDP
  100/ VRML range (4200-4299) - 100 ports for what?
   91/ swx (7300-7390) - www.swx.com? what server software is this?
  ...couple other ranges like this should be looked at

Since I'm addressing problems - another issue is that most port lists
(including the IANA assignments) list identifiers that are somewhat
useless in the real world.  For example all of those ports with entries
for both TCP and UDP.  Most services don't use both transports.  For
example if you are scanning and see an open TCP port 137 - it's *not* the
netbios name service.  There are a ton of port identifiers like this that
might actually just slow down ligitimate auditing, or in some cases
confuse/mislead administrators who don't know any better..

For the benefit of less experienced netmapers, I would prefer to see
 netbios-ns         137/tcp           # netbios name service
be replaced by
 UNKNOWN            137/tcp           # daemon on priveledged port!@#$
and other appropriate accuracies.

Another option is to remove those entries, but I generally prefer to see
as much detail about the remote host as possible, as there are often
"rogue" daemons listening on ports one wouldn't expect - in particular
ftpd and httpd are sometimes bound in strange places by their owners.

-- 
Max Vision Network Security        <vision () whitehats com>
Network Security Assessment         http://maxvision.net/
100% Success Rate : Penetration Testing & Risk Mitigation
Free Visibility Analysis and Price Quote for Your Network