Nmap Development mailing list archives
Re: service fingerprinting question
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 23 May 2007 20:40:45 +0000
On Wed, 23 May 2007 15:26:16 -0400 Jonathan Smith <smithj () rpath com> wrote:
Currently, when I do an nmap scan of an rPath-based box, nmap correctly determines that lighttpd is running on ports 8003 (ssl) and 8004 (!ssl). However, I am wondering if perhaps more specific information could be obtained, since it is actually an administration console being run on those ports. Does nmap have an interface for obtaining information via XML-RPC, or by examining any of the content served by lighttpd?

smithj
Jonathan,

The service fingerprinting engine has been optimized for speed and simplicity. The engine connects to a port, sends a probe, and waits for a response. The response is then matched against a long list of regular expressions. If the admin console leaks a lot of information in the response to the initial probe (HTTP GET for example) then some of the information would be able to be retrieved in the regular expression.

If the service requires any level of interaction beyond this then it is a candidate for an NSE script (available in development builds/SVN). NSE scripts can interact with a target service and can gather whatever information is made available.

The best way to figure out how to interact with the service is probably to use telnet or netcat and send it HTTP probes. If you can't get much information out of this, you can watch the traffic from a management session to the console with a tool like Wireshark.

Brandon

--
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh () ucsd edu
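As an added example that is not part of the original thread, here is a small Python model of the match step Brandon describes: the response to the initial probe is run through match lines in the nmap-service-probes format, and regex capture groups fill in the product, version and info fields. The match lines, the X-Console header and the response are constructed for illustration (not taken from Nmap's database), and Python's re module stands in for the PCRE engine Nmap uses.

```python
import re

# Constructed match lines in the nmap-service-probes format (NOT copied from the
# real database): "match <service> m<delim>regex<delim>[flags] [versioninfo]".
# $N in a version field substitutes capture group N; the first matching line wins.
SAMPLE_MATCH_LINES = [
    r"match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: lighttpd/([\d.]+)\r\n.*X-Console: ([^\r\n]+)\r\n|s p/lighttpd/ v/$1/ i/$2/",
    r"match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: lighttpd/([\d.]+)\r\n|s p/lighttpd/ v/$1/",
]

# Constructed response to an initial "GET / HTTP/1.0" probe; the X-Console
# header is a made-up stand-in for an information-leaking admin console.
SAMPLE_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Server: lighttpd/1.4.13\r\n"
    "X-Console: rPath Appliance Agent 1.0\r\n"
    "Content-Type: text/html\r\n\r\n<html>...</html>"
)

MATCH_LINE_RE = re.compile(r"^match (\S+) m(.)(.*?)\2([is]*)\s*(.*)$")
VERSION_FIELD_RE = re.compile(r"([pvihod])/([^/]*)/")
FIELD_NAMES = {"p": "product", "v": "version", "i": "info", "h": "hostname", "o": "ostype", "d": "devicetype"}

def parse_match_line(line):
    """Split one match line into (service, compiled regex, {field: template})."""
    m = MATCH_LINE_RE.match(line)
    if not m:
        raise ValueError("not a match line: %r" % line)
    service, _delim, pattern, flags, versioninfo = m.groups()
    reflags = (re.IGNORECASE if "i" in flags else 0) | (re.DOTALL if "s" in flags else 0)
    fields = {FIELD_NAMES[k]: v for k, v in VERSION_FIELD_RE.findall(versioninfo)}
    return service, re.compile(pattern, reflags), fields

def substitute(template, groups):
    """Replace $1, $2, ... with the corresponding capture groups (empty if unset)."""
    def repl(g):
        idx = int(g.group(1))
        return groups[idx - 1] if idx <= len(groups) and groups[idx - 1] else ""
    return re.sub(r"\$(\d+)", repl, template)

def fingerprint(response, match_lines):
    """Apply the match lines in order; return the first hit or None."""
    for line in match_lines:
        service, regex, fields = parse_match_line(line)
        m = regex.search(response)
        if m:
            result = {"service": service}
            result.update({k: substitute(v, m.groups()) for k, v in fields.items()})
            return result
    return None
```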
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org