Nmap Development mailing list archives

Re: Nmap Service Detection Proposal


From: Paul Tod Rieger <prie () abl com>
Date: Tue, 29 Aug 2000 02:13:19 -0400

In support of the need for service detection,

http://www.sunworld.com/sunworldonline/swol-08-2000/swol-0818-unixsecurity.html

points out that, in order to bypass those "pesky" corporate
firewalls,  "developers are more and more frequently building
applications that run via port assignments that are well known
and commonly used -- the HTTP and HTTPS ports (80 and 443,
respectively)."


Back to the subject:  Fyodor <fyodor () insecure org> proposed:

that the nmap-service-magic file contains a list of "probes".  Each probe
contains the following information:

1) A list of common ports for the services detected by the probe (for
  implementation optimization only -- an open port will first be tested
  with probes that list that port number).

2) A string to be sent to the port right after connection establishment
  (if TCP).  The string can include escaped binary chars.

3) A list of (case insensitive) regular expressions to match against the
  response and the protocol name the regexp relates to.  The regexps. can
  contain escaped binary chars as well.


and gave an example of the nmap-service-magic file grammar:

# The catch-all HTTP probe (which leads to distinctive error msgs from 
# many services
Probe TCP=21,22,23,25,80,110,118,1080,8080 SEND="GET / HTTP/1.0\r\n\r\n"
ftp  220.*ftp
pop3 +OK
ssh  ssh-
smtp smtp
nntp posting ok
http http/1

# Probe X11.  I made up the hex values, presumably they would
# correspond to some sort of X request
PROBE TCP=6000-6010 SEND="\x32\x28\x14\x29\x71\xB4"
x11  \x31\x72\x98


and in XML as well.  All of this looks good to me, but, of course,
I have a couple of questions:

a) "an open port will first be tested" -- does this mean a port may
be tested multiple times?  Will this be stealthy?  For instance, if
port 21 really is FTP but wrapped under tcpd, multiple tests won't
be able to identify it -- and they might look like aggressive/lame
cracking attempts.  (Also, tcpd may slow down response times even
when connections are permitted....)

Instead, if the service can't be identified from a single test,
maybe it could just be flagged for closer inspection by the user.


b) for ftp, pop3, ssh, and smtp -- if nmap grabs the line that
contains the regexp match, aren't chances pretty good that you also
have the product & version?  (Also, your "220.*ftp" seems to take
care of Saurik's concerns re: uniquely identifying FTP....)


Tod
abl.com
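As an added illustration (not code from the thread or from Nmap itself), here is one way the proposed grammar could be parsed and applied to a captured banner, including the "probes that list that port number go first" ordering and, for question b), returning the whole matching line so the product and version string is kept. The sample file below is constructed from the quoted proposal; the only change is that the pop3 pattern is written `\+OK`, because a bare leading `+` is not a valid regular expression in most engines.

```python
import codecs
import re

# Constructed sample in the proposed nmap-service-magic grammar. The X11
# bytes are the proposal's own made-up placeholders, not a real X request.
SAMPLE_MAGIC = r"""
# The catch-all HTTP probe
Probe TCP=21,22,23,25,80,110,118,1080,8080 SEND="GET / HTTP/1.0\r\n\r\n"
ftp  220.*ftp
pop3 \+OK
ssh  ssh-
smtp smtp
nntp posting ok
http http/1

PROBE TCP=6000-6010 SEND="\x32\x28\x14\x29\x71\xB4"
x11  \x31\x72\x98
"""

def parse_ports(spec):
    """'21,22,6000-6010' -> set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def decode_escapes(s):
    """Turn the escaped SEND string (\\r\\n, \\xNN) into the raw bytes to send."""
    return codecs.decode(s, "unicode_escape").encode("latin-1")

def parse_magic(text):
    """Parse the probe file into a list of {proto, ports, send, matches}."""
    probes = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = re.match(r'PROBE\s+(\w+)=(\S+)\s+SEND="(.*)"$', line, re.I)
        if m:
            proto, portspec, send = m.groups()
            probes.append({"proto": proto.upper(), "ports": parse_ports(portspec),
                           "send": decode_escapes(send), "matches": []})
        else:  # "<service> <regexp>" line belonging to the last probe
            name, _, pattern = line.partition(" ")
            probes[-1]["matches"].append((name, re.compile(pattern.strip(), re.I)))
    return probes

def probe_order(probes, port):
    """Probes that list the port come first, then the rest (proposal item 1)."""
    return sorted(probes, key=lambda p: port not in p["ports"])

def identify(probe, response):
    """Return (service, matching line) for a response, or None if nothing matched.
    The line is returned whole because it usually carries product and version."""
    for name, rx in probe["matches"]:
        for line in response.decode("latin-1").splitlines():
            if rx.search(line):
                return name, line
    return None
```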

