FW: Automatic Protocol Identification on Scanned Ports

["James D. Watson" <jwatson0 () erols com>]

FWIW,

I'm working on a separate program that takes nmap output and tries to verify
protocols running on the mapped end.  It does this by executing arbitrarily
deep levels of the protocol (depth of protocol is separate for each module)

o  The user gets to say how deep they want to go (full depth of
implementation (see below) or just a few steps)

o  The user gets to say what protocols they want to attempt against what
ports (see further below).

o  In cases where it's doable, the program makes a guess about the validity
of the protocol implementation on the far end.

Protocol Depth
e.g., time.  Time has depth of one: it makes the connection (TCP or UDP,
user selectable) and gets a response.  If the user wants a verification
guess, the program takes the time bytes it got back and evaluates them
against local time.  If it's within some range, the verification guess is
positive.

e.g., HTTP.  Also a depth of one: it makes the connection (HTTP/1.0 or 1.1,
user selectable) and gets a response.  Verification guess (if chosen) is
based on what kinds of headers are returned.  Reasonable ones or bizarre.



What Protocols to Attempt
User can say "go with well-known programs against well-known ports" so it'll
try TELNET on 23, HTTP on 80, etc. but will not try other combinations.
However, they can also provide a many-to-many mapping, or
complete-to-complete.  (e.g., useful if something is running on 6663; could
be IRC, could be HTTP, etc. etc.)


I plan to announce availability via NMAP list and GTK list, but it's not
ready yet.  (looking at July or August)  Below is some information about a
theoretical endeavor someone else was taking.

Hope this sounds useful.  I'd be happy to hear "Me too"s or "waste of
time"s -- but probably best to send them directly to me and not clutter the
list.



Cheers,
Jim


-----Original Message-----
From: James D. Watson [mailto:jwatson0 () erols com]
Sent: Thursday, March 02, 2000 1:59 PM
To: Izar Tarandach
Subject: RE: Automatic Protocol Identification on Scanned Ports


Thank you for your quick response!

I think I'm "good-to-go" for now, but will remember your offer of help if
things get tough in the future.

Thanks again,

cheers,
Jim

-----Original Message-----
From: Izar Tarandach [mailto:izar () bos bindview com]
Sent: Thursday, March 02, 2000 1:32 PM
To: James D. Watson
Subject: Re: Automatic Protocol Identification on Scanned Ports



Mine was more of a theoretical thing. I was looking for ways to do it
efficiently. If you're interested, or if you need any help, I'd be glad
to.

I am not planning to put out any code in the near future, connected to
my paper.

cheers,

--izar


On Thu, 2 Mar 2000, James D. Watson wrote:

> Good afternoon,
>
> [Like your vnmap, by the way.]
>
> Someone at work dropped me a word that you have been working on auto proto
> id off of scanned ports and dropped me a copy of your paper.
>
> I was, um, well, dismayed :-) because I'd been working on the same thing.
> It's a GTK+/GNOMEed app, blahblahblah.  My interface is virtually complete
> but without on-line Help, and I was implementing protocols a bit
differently
> than you.  I only have one done as a proof of concept, but the interface
is
> generic, so the others I decide to add would be straightforward to do.
>
> I'm curious if you're still working on yours, if you're done, if you've
> published, etc.  Can't seem to find it myself, and I don't know where my
> co-worker learned about it.
>
> I'm probably considering dropping my devel if you're far along...
>
> Thanks for your time,
> Jim
>
> jwatson0 () erols com