Nmap Development mailing list archives

Re: service fingerprinting question


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 23 May 2007 20:40:45 +0000

On Wed, 23 May 2007 15:26:16 -0400
Jonathan Smith <smithj () rpath com> wrote:
> Currently, when I do an nmap scan of an rPath-based box, nmap correctly
> determines that lighttpd is running on ports 8003 (ssl) and 8004 (!ssl).
> However, I am wondering if perhaps more specific information could be
> obtained, since it is actually an administration console being run on
> those ports. Does nmap have an interface for obtaining information via
> XML-RPC, or by examining any of the content served by lighttpd?
>
> smithj



Jonathan,

The service fingerprinting engine has been optimized for speed and
simplicity.  The engine connects to a port, sends a probe, and waits for a
response.  The response is then matched against a long list of regular
expressions.  If the admin console leaks a lot of information in the
response to the initial probe (HTTP GET for example) then some of the
information would be able to be retrieved in the regular expression.

If the service requires any level of interaction beyond this then it is a
candidate for an NSE script (available in development builds/SVN).  NSE
scripts can interact with a target service and can gather whatever
information is made available.

The best way to figure out how to interact with the service is probably to
use telnet or netcat and send it HTTP probes.  If you can't get much
information out of this, you can watch the traffic from a management session
to the console with a tool like Wireshark.

Brandon


-- 
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh () ucsd edu
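To make the probe-then-regex model Brandon describes concrete, here is an added example (not code from the thread or from Nmap itself) that parses match lines written in a simplified form of Nmap's nmap-service-probes syntax and applies them to a constructed lighttpd response. The match lines, the response bytes and the version string 1.4.13 are all constructed for the example; the real file also carries Probe, softmatch and ports directives that are left out here.

```python
import re

# Constructed match lines in (simplified) nmap-service-probes style:
#   match <service> m<delim>regex<delim>[flags] [p/product/ v/version/ i/info/ ...]
# $1, $2, ... in the version fields are filled from regex capture groups.
MATCH_LINES = [
    r"match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: lighttpd/([\w._-]+)\r\n|s p/lighttpd/ v/$1/",
    r"match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache/([\d.]+)|s p/Apache httpd/ v/$1/",
]

FIELD_NAMES = {"p": "product", "v": "version", "i": "info",
               "h": "hostname", "o": "os", "d": "devicetype"}

def parse_match_line(line):
    """Split one 'match' line into (service, compiled regex, version-field templates)."""
    head = re.match(r"match (\S+) m(.)", line)
    if not head:
        raise ValueError("not a match line: " + line)
    service, delim = head.group(1), head.group(2)
    rest = line[head.end():]
    end = rest.index(delim)            # assumes the delimiter does not occur in the pattern
    pattern, rest = rest[:end], rest[end + 1:]
    flag_m = re.match(r"[is]*", rest)  # Nmap allows i (ignore case) and s (dot matches newline)
    flags = 0
    for ch in flag_m.group(0):
        flags |= re.I if ch == "i" else re.S
    fields = {FIELD_NAMES[k]: v
              for k, v in re.findall(r"\b([pvihod])/([^/]*)/", rest[flag_m.end():])}
    return service, re.compile(pattern.encode(), flags), fields

def identify(response, match_lines=MATCH_LINES):
    """Return (service, filled-in fields) for the first matching line, or None on no match."""
    for line in match_lines:
        service, regex, fields = parse_match_line(line)
        hit = regex.search(response)
        if hit:
            fill = lambda tmpl: re.sub(r"\$(\d)",
                                       lambda g: hit.group(int(g.group(1))).decode(), tmpl)
            return service, {k: fill(v) for k, v in fields.items()}
    return None

# Constructed response to an HTTP GET probe; the version is a made-up value.
SAMPLE_RESPONSE = (b"HTTP/1.0 200 OK\r\n"
                   b"Server: lighttpd/1.4.13\r\n"
                   b"Content-Type: text/html\r\n\r\n<html>console</html>")

if __name__ == "__main__":
    print(identify(SAMPLE_RESPONSE))
```

Anything the console only reveals after further requests (authentication, XML-RPC calls) is invisible to this one-shot matching, which is exactly the gap NSE scripts fill.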


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
