Nmap Development mailing list archives

Nmap Service Detection Proposal


From: Fyodor <fyodor () insecure org>
Date: Sun, 27 Aug 2000 01:29:13 -0700 (PDT)


Hi guys,

Here is a proposed grammar for Nmap service detection.  The main idea is
that the nmap-service-magic file contains a list of "probes".  Each probe
contains the following information:

1) A list of common ports for the services detected by the probe (for
   implementation optimization only -- an open port will first be tested
   with probes that list that port number).

2) A string to be sent to the port right after connection establishment
   (if TCP).  The string can include escaped binary chars.

3) A list of (case insensitive) regular expressions to match against the
   response and the protocol name the regexp relates to.  The regexps can
   contain escaped binary chars as well.

What I like about this solution is that it leaves the probe definitions
very simple and easy to read, modify, maintain, add to, etc.  I also
believe that it can be implemented efficiently.

The question is whether it is powerful enough.  I suspect that the vast
majority of protocols could be detected via a sufficiently clever probe
string and regex match.  Can anyone think of any protocols that could not
be detected by this method but could with a more powerful (think
"C") syntax?  And RPC services don't count because we can get them with
the existing RPC grinder.

Let's look at a few examples of services that might be challenging:

Netbios-ssn // NetBIOS Session Service
netbios-ns  // NetBIOS Name Service
x11
lpd
pcanywhere
orasrv      // Oracle

Could anyone who knows one of these protocols well send to the list an
example of a probe that could be sent & regexp that would recognize the
response as belonging to the given service?  Keep in mind that inducing
errors may be the easiest detection method.  Of course, composing a binary
"wire" example and testing against the given service makes the best demo.  
Or if you have an English suggestion (e.g. a certain X11 or Netbios-ns call
that should always elicit a distinct response), chime in!

Or if you want to suggest another protocol that could present a serious
challenge, let us know.  Maybe someone can think of a way to ID it.  It's
important that we identify any fatal problems before we spend a lot of
time implementing this and creating service-specific "probes".

As far as the actual nmap-service-magic file grammar, we could either do
something custom or use XML.  Here is a custom example:

# The catch-all HTTP probe (which leads to distinctive error msgs from
# many services)
PROBE TCP=21,22,23,25,80,110,118,1080,8080 SEND="GET / HTTP/1.0\r\n\r\n"
ftp  220.*ftp
pop3 \+OK      # '+' is a regex quantifier, so it must be escaped to match literally
ssh  ssh-
smtp smtp
nntp posting ok
http http/1

# Probe X11.  I made up the hex values, presumably they would
# correspond to some sort of X request
PROBE TCP=6000-6010 SEND="\x32\x28\x14\x29\x71\xB4"
x11  \x31\x72\x98


A possible XML alternative would be:

<SERVICEPROBE TCP="21,22,23,25,80,110,1080,8080" SEND="GET / HTTP/1.0\r\n\r\n">
<SERVICE NAME="ftp" REGEX="220.*ftp" />
<SERVICE NAME="pop3" REGEX="\+OK" />
...
</SERVICEPROBE>
<SERVICEPROBE TCP="6000-6010" SEND="\x32\x28\x14\x29\x71\xB4">
<SERVICE NAME="x11" REGEX="\x31\x72\x98" />
</SERVICEPROBE>

Of course if we did use XML we would need a high quality free XML parsing
library.  Is libxml the way to go or are there better ones that any of you
recommend?

Cheers,
-F




---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
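An added illustration of how the custom nmap-service-magic grammar proposed above could be loaded and applied; this is example code written for this page, not part of the message or of Nmap's own code. It parses the two probes, turns the escaped SEND strings into bytes, compiles each match line as a case-insensitive byte regex, and tries the probes that list the open port first; the `responder` callable that stands in for a connected socket, the `identify` helper, and the escaped `\+OK` are assumptions of this example.

```python
import re
# Constructed sample in the proposed grammar: the message's two probes, with
# the POP3 "+" escaped so each match line is a valid regular expression.
SAMPLE_MAGIC = r"""
PROBE TCP=21,22,23,25,80,110,118,1080,8080 SEND="GET / HTTP/1.0\r\n\r\n"
ftp  220.*ftp
pop3 \+OK
ssh  ssh-
http http/1
# X11 probe; hex values are placeholders, as in the proposal
PROBE TCP=6000-6010 SEND="\x32\x28\x14\x29\x71\xB4"
x11  \x31\x72\x98
"""
PROBE_RE = re.compile(r'^PROBE\s+TCP=(\S+)\s+SEND="(.*)"\s*$', re.IGNORECASE)

def unescape(s: str) -> bytes:
    """Turn the grammar's \\r, \\n and \\xNN escapes into raw bytes."""
    return s.encode("ascii").decode("unicode_escape").encode("latin-1")

def parse_ports(spec: str) -> set:
    ports = set()
    for part in spec.split(","):                  # "21,80" or "6000-6010"
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_magic(text: str) -> list:
    """Return probes as dicts: ports to try first, payload, [(service, regex)]."""
    probes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if m := PROBE_RE.match(line):
            probes.append({"ports": parse_ports(m.group(1)),
                           "send": unescape(m.group(2)), "matches": []})
        else:                                     # "name regex" line; compile on
            name, _, regex = line.partition(" ")  # bytes so \xNN matches binary
            rx = re.compile(regex.strip().encode("latin-1"), re.IGNORECASE)
            probes[-1]["matches"].append((name, rx))
    return probes

def identify(probes: list, port: int, responder):
    """responder(payload) -> bytes stands in for the open port (hypothetical).
    Probes listing the port go first; the first matching regex names the service."""
    for probe in sorted(probes, key=lambda p: port not in p["ports"]):
        resp = responder(probe["send"])
        for name, rx in probe["matches"]:
            if rx.search(resp):
                return name
    return None
```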