Nmap Announce mailing list archives

nmap+V-2.0: (Partial) Protocol Auto-Detection !!


From: "Jay Freeman \(saurik\)" <saurik () saurik com>
Date: Wed, 17 May 2000 03:19:41 -0500

nmap-type people:

All right, this is the biggie :)!  I totally revamped the nmap-versions
configuration file format to the point where it is almost like a programming
language.  Send this, read 128 bytes, if the data matches this regular
expression then skip to section 3, if it matches this regular expression the
protocol is IRC, send logon information… etc.

It doesn’t try all protocols on all ports, but also (currently) doesn’t
start forking based on port number unless connecting to the port yields no
data.  So if there is an FTP or SMTP server or some such sitting on a
strange port, chances are it will be detected (assuming you scanned that
port:-) ).  The one protocol that really bothers me in this case is HTTP
(which might be rather common to find running on a strange port, and doesn’t
send data on connect).  To this end, I’m thinking about making the default
attempt to be to look for a web server of some sort.  Any opinions?

I already have entries in the file for various FTP, SMTP, POP, HTTP,
Eggdrop, SSH, IRC, and a few nutty ones, so it should work for practical
situations.  Especially now that it separates the protocol from the version,
so even if it doesn’t know what FTP server is running on the port, it should
be pretty reliable about knowing that it is an FTP server.
Patch can be found at ftp://ftp.saurik.com/pub/nmap/nmap+V , tarball at
ftp://ftp.saurik.com/pub/nmap/nmap-2.53+V.tgz .

Warning: This scan can be very intrusive :-), and any way you slice it is
definitely noticeable.

Not sure what to do next :-).  Definitely going to work on adding more
protocols… Might take a look at what nnmap-web can do and see if there’s
anything it can do that my general system isn’t good at, and then try to
generalize it into the nmap-versions file… (not sure if I can generalize the
support for the time protocol, which is the one that was mentioned).

Here is some example output (once again, hosts changed to protect the
innocent:-) ):

[root(2)@ironclad nmap-2.53+V]# ./nmap -sS -sV -FS xxxx.xxxxxx.xxx

Starting nmap V. 2.53 by fyodor () insecure org ( www.insecure.org/nmap/ )
Interesting ports on xxxx.xxxxxx.xxx (xxx.xxx.xxx.xxx):
(The 1036 ports scanned but not shown below are in state: closed)
Port       State       Service             Protocol     Version
21/tcp     open        ftp                 FTP          wu-2.6.0(1)
22/tcp     open        ssh                 SSH          1.99-2.0.13 (non-commercial)
23/tcp     open        telnet
25/tcp     open        smtp                SMTP         Sendmail 8.10.0/8.10.0
37/tcp     open        time
53/tcp     open        domain
80/tcp     open        http                HTTP         Apache/1.3.12 (Unix)
98/tcp     open        linuxconf
109/tcp    open        pop-2               POP2         v4.55
110/tcp    open        pop-3               POP3         v7.64
111/tcp    open        sunrpc
113/tcp    open        auth                AUTH
119/tcp    open        nntp                NNTP         INN 2.2.2
139/tcp    open        netbios-ssn
143/tcp    open        imap2               IMAP         WU IMAP4rev1 v12.264
443/tcp    open        https
465/tcp    open        smtps
567/tcp    open        banyan-rpc
587/tcp    open        submission          SMTP         Sendmail 8.10.0/8.10.0
993/tcp    open        imaps
995/tcp    open        pop3s
2401/tcp   open        cvspserver          CVS
5432/tcp   open        postgres            PostgreSQL
6667/tcp   open        irc                 IRC          2.8/hybrid-5.3+TS4-rel1.0
8080/tcp   open        http-proxy          HTTP         Tomcat Web Server/3.1
8888/tcp   open        sun-answerbook      NetStreamer  NrServer 0.17

Nmap run completed -- 1 IP address (1 host up) scanned in 102 seconds
[root(2)@ironclad nmap-2.53+V]# ./nmap -sS -sV -FV xxx.xxx.xxx.xx

Starting nmap V. 2.53 by fyodor () insecure org ( www.insecure.org/nmap/ )
Interesting ports on xxxxxxx.xxxxxxxxxxxxxxxxxxxx.xxx (xxx.xxx.xxx.xx):
(The 12 ports scanned but not shown below are in state: closed)
Port       State       Service             Protocol     Version
21/tcp     open        ftp                 FTP          wu-2.5.0(1)
25/tcp     open        smtp                SMTP         Sendmail 8.9.3/8.9.3
80/tcp     open        http                HTTP         Apache/1.3.9 (Unix)
109/tcp    open        pop-2               POP2         v4.51
110/tcp    open        pop-3               POP3         v7.59
113/tcp    open        auth                AUTH
143/tcp    open        imap2               IMAP         WU IMAP4rev1 v12.250

Nmap run completed -- 1 IP address (1 host up) scanned in 17 seconds
[root(2)@ironclad nmap-2.53+V]#

Sincerely,
Jay Freeman (saurik)
saurik () saurik com <mailto:saurik () saurik com>
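The send / read-128-bytes / match-and-branch flow the mail describes, as an added Python illustration of how such a probe script can be interpreted over captured banners. This is not the patch's code and not the real nmap-versions syntax; the section names, rule tuples, version regexes and banners are constructed, and a fake responder stands in for the socket so it runs offline.

```python
import re

# Constructed mini-script modelled on the flow in the mail: each section may
# send a probe, then reads up to 128 bytes and walks its rules in order; a
# rule's action is ("goto", section) or ("proto", name, version_regex).
SCRIPT = {
    "connect": {
        "send": None,  # just listen for whatever the server volunteers
        "rules": [
            (r"^220[ -].*FTP", ("proto", "FTP", r"Version (wu-[\d.]+(?:\(\d+\))?)")),
            (r"^220[ -].*(ESMTP|SMTP|Sendmail)", ("proto", "SMTP", r"(Sendmail [\w./]+)")),
            (r"^SSH-", ("proto", "SSH", r"^SSH-([\w.-]+)")),
            (r"^\+OK", ("proto", "POP3", r"v([\d.]+)")),
            (r"^\* OK", ("proto", "IMAP", r"(IMAP4rev1 v[\d.]+)")),
            (r"\A\Z", ("goto", "http")),  # nothing on connect: fall back to an HTTP request
        ],
    },
    "http": {
        "send": b"GET / HTTP/1.0\r\n\r\n",
        "rules": [
            (r"^HTTP/1\.[01] \d{3}", ("proto", "HTTP", r"^Server: ([^\r\n]+)")),
        ],
    },
}

def detect(script, responder, read_len=128):
    """Interpret `script` against `responder(probe) -> bytes`, which stands in
    for the socket. Returns (protocol, version); either may be None."""
    section, visited = "connect", set()
    while section not in visited:  # guard against goto loops in the script
        visited.add(section)
        step = script[section]
        data = responder(step["send"])[:read_len].decode("latin-1")
        for pattern, action in step["rules"]:
            if not re.search(pattern, data, re.M):
                continue
            if action[0] == "goto":
                section = action[1]
                break
            m = re.search(action[2], data, re.M)
            return action[1], (m.group(1) if m else None)
        else:
            return None, None  # no rule in this section matched
    return None, None

def fake_server(banner, http_reply=b""):
    """Constructed stand-in for a real socket: returns `banner` when the
    scanner only listens and `http_reply` when it sends a request."""
    return lambda probe: banner if probe is None else http_reply
```

A server that stays silent on connect and does not answer the HTTP request yields (None, None), which is the unidentified case the mail's output shows as an empty Protocol column.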
