Nmap Development mailing list archives
Re: Nmap Service Detection Proposal
From: Paul Tod Rieger <prie () abl com>
Date: Tue, 29 Aug 2000 02:13:19 -0400
In support of the need for service detection, http://www.sunworld.com/sunworldonline/swol-08-2000/swol-0818-unixsecurity.html points out that, in order to bypass those "pesky" corporate firewalls, "developers are more and more frequently building applications that run via port assignments that are well known and commonly used -- the HTTP and HTTPS ports (80 and 443, respectively)." Back to the subject: Fyodor <fyodor () insecure org> proposed:
that the nmap-service-magic file contains a list of "probes". Each probe contains the following information: 1) A list of common ports for the services detected by the probe (for implementation optimization only -- an open port will first be tested with probes that list that port number). 2) A string to be sent to the port right after connection establishment (if TCP). The string can include escaped binary chars. 3) A list of (case insensitive) regular expressions to match against the response and the protocol name the regexp relates to. The regexps can contain escaped binary chars as well.
and gave an example of the nmap-service-magic file grammar:
# The catch-all HTTP probe (which leads to distinctive error msgs from
# many services
Probe TCP=21,22,23,25,80,110,118,1080,8080 SEND="GET / HTTP/1.0\r\n\r\n"
ftp 220.*ftp
pop3 +OK
ssh ssh-
smtp smtp
nntp posting ok
http http/1
# Probe X11. I made up the hex values, presumably they would
# correspond to some sort of X request
PROBE TCP=6000-6010 SEND="\x32\x28\x14\x29\x71\xB4"
x11 \x31\x72\x98
and in XML as well. All of this looks good to me, but, of course, I have a couple of questions:

a) "an open port will first be tested" -- does this mean a port may be tested multiple times? Will this be stealthy? For instance, if port 21 really is FTP but wrapped under tcpd, multiple tests won't be able to identify it -- and they might look like aggressive/lame cracking attempts. (Also, tcpd may slow down response times even when connections are permitted....) Instead, if the service can't be identified from a single test, maybe it could just be flagged for closer inspection by the user.

b) for ftp, pop3, ssh, and smtp -- if nmap grabs the line that contains the regexp match, aren't chances pretty good that you also have the product & version? (Also, your "220.*ftp" seems to take care of Saurik's concerns re: uniquely identifying FTP....)

Tod
abl.com
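The probe-file grammar quoted in the post above, worked through as an added example: this is not code from nmap, from Fyodor's proposal, or from anyone in this thread. It is a small Python parser for the proposed nmap-service-magic format together with the matching logic the proposal implies: probes that list the open port are tried first, each response is searched with the probe's case-insensitive regexps, and the whole line around a match is kept, since, as question b) asks, that line is usually the banner carrying product and version. A port that answers nothing to any probe (the tcpd-wrapped case in question a)) comes back unidentified together with a count of how many probes were sent, so the caller can flag it for a closer look instead of sending more. The probe file text, the banners, the port numbers and the function names are all constructed for the illustration.

```python
"""Parser and matcher for the nmap-service-magic grammar proposed in this
thread. Added example, not nmap code; everything below is constructed."""
import re
from dataclasses import dataclass, field

# Constructed probe file in the proposed grammar (keyword is case-insensitive).
PROBE_FILE = r'''
# The catch-all HTTP probe (leads to distinctive error msgs from many services)
Probe TCP=21,22,23,25,80,110,118,1080,8080 SEND="GET / HTTP/1.0\r\n\r\n"
ftp 220.*ftp
pop3 +OK
ssh ssh-
smtp smtp
nntp posting ok
http http/1
PROBE TCP=6000-6010 SEND="\x32\x28\x14\x29\x71\xB4"
x11 \x31\x72\x98
'''

@dataclass
class Probe:
    ports: set        # ports on which this probe is tried first
    send: bytes       # sent right after connection establishment
    matches: list = field(default_factory=list)   # (service, compiled regexp)

def _unescape(text):
    """Escaped SEND text (\\r, \\n, \\xhh) -> raw bytes."""
    return text.encode('latin-1').decode('unicode_escape').encode('latin-1')

def _parse_ports(spec):
    """'TCP=21,80,6000-6010' -> {21, 80, 6000, ..., 6010}."""
    ports = set()
    for item in spec.split('=', 1)[1].split(','):
        lo, _, hi = item.partition('-')
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def _compile(pattern):
    """Case-insensitive bytes regexp (re decodes the \\xhh escapes itself).
    A pattern that is not valid regexp syntax, like the bare '+OK' in the
    proposal, is matched literally instead of being dropped."""
    raw = pattern.encode('latin-1')
    try:
        return re.compile(raw, re.IGNORECASE)
    except re.error:
        return re.compile(re.escape(raw), re.IGNORECASE)

def parse_probe_file(text):
    """A Probe line opens a probe; following '<service> <regexp>' lines belong to it."""
    probes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        head, _, rest = line.partition(' ')
        if head.lower() == 'probe':
            m = re.match(r'(\S+)\s+SEND="(.*)"\s*$', rest, re.IGNORECASE)
            if not m:
                raise ValueError('bad probe line: ' + line)
            probes.append(Probe(_parse_ports(m.group(1)), _unescape(m.group(2))))
        else:
            probes[-1].matches.append((head, _compile(rest)))  # IndexError if no Probe yet
    return probes

def probe_order(probes, port):
    """Item 1 of the proposal: probes listing the open port are tried first."""
    return sorted(probes, key=lambda p: port not in p.ports)

def identify(probes, port, talk):
    """Send probes in order until one of their regexps matches.
    talk(send_bytes) stands in for one TCP connection and returns what the
    service answered. Returns (service, matched_line, probes_sent); service is
    None when nothing matched, so the port can be flagged for a closer look."""
    sent = 0
    for probe in probe_order(probes, port):
        response = talk(probe.send)
        sent += 1
        for service, rx in probe.matches:
            m = rx.search(response)
            if m:
                # Keep the whole line around the match: it is usually the
                # banner, which also carries product and version.
                start = response.rfind(b'\n', 0, m.start()) + 1
                end = response.find(b'\n', m.end())
                line = response[start:None if end < 0 else end]
                return service, line.rstrip(b'\r').decode('latin-1'), sent
    return None, None, sent

# Constructed responses standing in for live services (not real captures).
FAKE_SERVICES = {
    21: lambda _: b'220 example.com FTP server (Version 6.00LS) ready.\r\n'
                  b'500 GET not understood.\r\n',
    110: lambda _: b'+OK POP3 server ready\r\n-ERR Unknown command\r\n',
    6000: lambda _: b'\x31\x72\x98\x00\x0b\x00',
    2121: lambda _: b'',   # tcpd-wrapped FTP on an odd port: closes silently
}

if __name__ == '__main__':
    probes = parse_probe_file(PROBE_FILE)
    for port, talk in sorted(FAKE_SERVICES.items()):
        print(port, identify(probes, port, talk))
```

Two things the grammar as quoted does not settle show up when it is actually parsed: a regexp such as "+OK" is not valid in most engines (a leading quantifier), so a real implementation has to decide whether such entries are literals or errors, and the probe count returned by identify makes the cost of question a) visible: a port that never answers receives every probe in the file before it is given up on.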
Current thread:
- Nmap Service Detection Proposal Fyodor (Aug 27)
- RE: Nmap Service Detection Proposal Jay Freeman (saurik) (Aug 27)
- RE: Nmap Service Detection Proposal Fyodor (Aug 27)
- RE: Nmap Service Detection Proposal Jay Freeman (saurik) (Aug 27)
- RE: Nmap Service Detection Proposal Jay Freeman (saurik) (Aug 28)
- RE: Nmap Service Detection Proposal Fyodor (Aug 27)
- RE: Nmap Service Detection Proposal Jay Freeman (saurik) (Aug 27)
- <Possible follow-ups>
- Re: Nmap Service Detection Proposal Paul Tod Rieger (Aug 28)
- RE: Nmap Service Detection Proposal Jay Freeman (saurik) (Aug 29)
- Re: Nmap Service Detection Proposal Fyodor (Aug 29)
- Re: Nmap Service Detection Proposal H D Moore (Aug 29)
- Re: Nmap Service Detection Proposal Paul Tod Rieger (Aug 28)
- RE: Nmap Service Detection Proposal Jay Freeman (saurik) (Aug 29)
- RE: Nmap Service Detection Proposal Jay Freeman (saurik) (Aug 29)