Nmap Announce mailing list archives
FW: Automatic Protocol Identification on Scanned Ports
From: "James D. Watson" <jwatson0 () erols com>
Date: Sat, 22 Apr 2000 16:06:45 -0400
FWIW, I'm working on a separate program that takes nmap output and tries to verify protocols running on the mapped end. It does this by executing arbitrarily deep levels of the protocol (depth of protocol is separate for each module).

o The user gets to say how deep they want to go (full depth of implementation (see below) or just a few steps).
o The user gets to say what protocols they want to attempt against what ports (see further below).
o In cases where it's doable, the program makes a guess about the validity of the protocol implementation on the far end.

Protocol Depth

e.g., time. Time has a depth of one: it makes the connection (TCP or UDP, user selectable) and gets a response. If the user wants a verification guess, the program takes the time bytes it got back and evaluates them against local time. If it's within some range, the verification guess is positive.

e.g., HTTP. Also a depth of one: it makes the connection (HTTP/1.0 or 1.1, user selectable) and gets a response. Verification guess (if chosen) is based on what kinds of headers are returned. Reasonable ones or bizarre.

What Protocols to Attempt

User can say "go with well-known programs against well-known ports" so it'll try TELNET on 23, HTTP on 80, etc. but will not try other combinations. However, they can also provide a many-to-many mapping, or complete-to-complete. (e.g., useful if something is running on 6663; could be IRC, could be HTTP, etc. etc.)

I plan to announce availability via NMAP list and GTK list, but it's not ready yet. (looking at July or August)

Below is some information about a theoretical endeavor someone else was taking.

Hope this sounds useful. I'd be happy to hear "Me too"s or "waste of time"s -- but probably best to send them directly to me and not clutter the list.

Cheers,
Jim

-----Original Message-----
From: James D. Watson [mailto:jwatson0 () erols com]
Sent: Thursday, March 02, 2000 1:59 PM
To: Izar Tarandach
Subject: RE: Automatic Protocol Identification on Scanned Ports

Thank you for your quick response! I think I'm "good-to-go" for now, but will remember your offer of help if things get tough in the future.

Thanks again, cheers,
Jim

-----Original Message-----
From: Izar Tarandach [mailto:izar () bos bindview com]
Sent: Thursday, March 02, 2000 1:32 PM
To: James D. Watson
Subject: Re: Automatic Protocol Identification on Scanned Ports

Mine was more of a theoretical thing. I was looking for ways to do it efficiently. If you're interested, or if you need any help, I'd be glad to. I am not planning to put out any code in the near future, connected to my paper.

cheers,
--izar

On Thu, 2 Mar 2000, James D. Watson wrote:
Good afternoon,

[Like your vnmap, by the way.]

Someone at work dropped me a word that you have been working on auto proto id off of scanned ports and dropped me a copy of your paper. I was, um, well, dismayed :-) because I'd been working on the same thing. It's a GTK+/GNOMEed app, blahblahblah. My interface is virtually complete but without on-line Help, and I was implementing protocols a bit differently than you. I only have one done as a proof of concept, but the interface is generic, so the others I decide to add would be straightforward to do.

I'm curious if you're still working on yours, if you're done, if you've published, etc. Can't seem to find it myself, and I don't know where my co-worker learned about it. I'm probably considering dropping my devel if you're far along...

Thanks for your time,
Jim
jwatson0 () erols com
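The two depth-one "verification guesses" the forwarded message describes (TIME bytes checked against the local clock, HTTP headers checked for plausibility) and the well-known-port versus many-to-many selection are sketched below as an added Python example. This is not Jim's program or any code from the thread; the function names, the 300-second tolerance, the port table, the choice of "reasonable" header names and every sample reply are assumptions constructed for the example. It runs offline on the embedded byte strings rather than opening sockets, so it exercises only the verification step, not the connection step.

```python
import struct
import time

# RFC 868 TIME replies are 4 big-endian bytes: seconds since 1900-01-01 UTC.
# The Unix epoch (1970-01-01) is this many seconds after the 1900 epoch.
SECONDS_1900_TO_1970 = 2208988800

# Hypothetical "well-known protocol on well-known port" table; the real
# program's table and the ports it covers are not described in the message.
WELL_KNOWN = {37: ["time"], 80: ["http"]}


def verify_time_reply(payload: bytes, now_unix: float, tolerance_s: float = 300.0) -> bool:
    """Depth-one verification guess for TIME: the reply must be exactly four
    bytes and, once converted to Unix time, lie within tolerance_s of our clock.
    Something listening on port 37 that returns anything else fails the guess."""
    if len(payload) != 4:
        return False
    (since_1900,) = struct.unpack("!I", payload)
    remote_unix = since_1900 - SECONDS_1900_TO_1970
    return abs(remote_unix - now_unix) <= tolerance_s


def encode_time_reply(unix_seconds: float) -> bytes:
    """Build the 4-byte reply a correct TIME server would send. Used here only
    to construct sample input; it is not a capture from any real host."""
    return struct.pack("!I", int(unix_seconds) + SECONDS_1900_TO_1970)


def verify_http_reply(raw: bytes) -> bool:
    """Depth-one verification guess for HTTP: a well-formed status line,
    syntactically valid header names, and at least one header a real origin
    server would be expected to send ("reasonable" rather than "bizarre")."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False  # no end-of-headers marker: not an HTTP response
    lines = head.split(b"\r\n")
    status = lines[0].split(b" ", 2)
    if len(status) < 2 or not status[0].startswith(b"HTTP/1."):
        return False
    if len(status[1]) != 3 or not status[1].isdigit():
        return False
    names = set()
    for line in lines[1:]:
        name, colon, _value = line.partition(b":")
        # Header field-names are tokens: non-empty, printable ASCII, no whitespace.
        if not colon or not name or any(c <= 0x20 or c >= 0x7F for c in name):
            return False
        names.add(name.lower())
    # Assumed set of "reasonable" headers; adjust to taste.
    return bool(names & {b"server", b"date", b"content-type", b"content-length"})


# Protocol module table: each verifier takes the raw reply and the local time.
VERIFIERS = {
    "time": lambda payload, now: verify_time_reply(payload, now),
    "http": lambda payload, now: verify_http_reply(payload),
}


def guess_protocols(port, payload, now_unix, candidates=None):
    """Return the candidate protocols whose verification guess is positive.
    candidates=None means "well-known protocol on this port only"; an explicit
    list is the many-to-many mode (try several protocols against one port)."""
    names = WELL_KNOWN.get(port, []) if candidates is None else candidates
    return [n for n in names if n in VERIFIERS and VERIFIERS[n](payload, now_unix)]


if __name__ == "__main__":
    now = time.time()
    # Constructed sample replies, not captures from any real host.
    good_time = encode_time_reply(now)
    stale_time = encode_time_reply(now - 86400)  # remote clock a day off
    http_ok = b"HTTP/1.0 200 OK\r\nServer: Apache/1.3.12\r\nContent-Type: text/html\r\n\r\n<html>"
    smtp_banner = b"220 mail.example.invalid ESMTP\r\n"
    print("time on 37:", guess_protocols(37, good_time, now))         # ['time']
    print("stale time on 37:", guess_protocols(37, stale_time, now))  # []
    print("http on 80:", guess_protocols(80, http_ok, now))           # ['http']
    print("unknown on 6663:", guess_protocols(6663, smtp_banner, now, ["http", "time"]))  # []
```

The TIME check is the stronger of the two: a four-byte value that also agrees with the local clock is hard to get by accident. The HTTP check only rejects replies that are clearly not HTTP; a non-HTTP service that happens to echo a well-formed status line would still pass, which is why a real verifier would go deeper (a second request, a conditional GET) when the user asks for more than depth one.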