Nmap Development mailing list archives
Harnessing Service Discovery
From: Toni Ruottu <toni.ruottu () iki fi>
Date: Mon, 24 Nov 2008 20:18:19 +0200
Hello,

The question about similarities and differences between port scanning and service discovery technologies has been bothering me for a while. The trust relationships in these two cases seem different.

Port scanning is able to detect ports that the system administrator did not want people to know about or did not care to advertise. Port scanning also gives a real picture about how the system actually works. System administrators can try to fool port scanners or detect their use. Port scanning is usually active, i.e. port scanners send network packets to the target. Passive port scanning is also possible, but isn't usually equally effective, unless the scanning is done on a router that forwards lots of traffic.

Service discovery technologies (like Bonjour [1]) are configured by system administrators, or they may be automatically configured by certain services. From an ethical point of view, connecting to a port which is actively advertised is usually considered to be OK (at least as long as one follows the protocol ;-). There is however no guarantee for the advertised services to be available. Also, the advertisements could have been created by an evil administrator in hopes of getting connections from innocent users with vulnerable client software. Receiving service advertisements is passive, although some designs might require the user to authenticate or send ACKs for received advertisements. These techniques may be used to protect the computing environment or to provide statistics about its use.

From a trust point of view, port scanning is safer for the user because he doesn't have to trust the administrator to provide him with correct information about the services. From the administrator's point of view, service discovery technologies are better as they empower her to lead or mislead the poor user as she wants.

When combining these technologies is discussed, one could think of a discovery service based on port scanning. This is kind of a sledgehammer approach, but it is certainly relevant for some use cases and has received some attention from researchers recently [2]. The technologies can also be combined to improve port scanners. Port scanners can use service discovery as a source of information regarding open ports. In some cases a port scanner could avoid sending any packets, if a discovery service already revealed enough information regarding the interesting ports. Service discovery can also be used to get a list of target hosts/ports to scan. In a local network, port scanning the advertised hosts could be used to verify that the services are actually running, while in a foreign network, the advertisements might reveal interesting nodes to scan (or honeypots used for port scan detection!).

[1] http://en.wikipedia.org/wiki/Bonjour_(software)
[2] http://gnunet.org/download/bootstrap.pdf

------------------------------------------------------------------------

To get my hands dirty on the subject, I wrote a simple script which uses the Avahi Bonjour implementation to produce an Nmap-compatible XML file that can be opened in Zenmap for inspection. I have attached the script to this email for your convenience, but I also created a Bazaar repository on Launchpad.net for those of you who'd prefer getting a branch instead.

To try out the software on Ubuntu I'd do the following:

    sudo apt-get install zenmap avahi-utils bzr
    cd /tmp
    bzr branch lp:bonmap
    cd bonmap
    ./bonmap > mylan.xml
    zenmap mylan.xml

I'd expect Bonmap to work on any Linux-based system that is able to run Python and Avahi. I apologize for not supporting <your favorite platform name here>. Check https://launchpad.net/bonmap/ if you wish.

best regards
--Toni
Attachment: bonmap
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
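The conversion Toni describes, as an added example written for this archive page; it is not the bonmap script from the attachment or the Launchpad branch, whose contents are not shown here. It assumes the parsable layout of `avahi-browse -a -r -t -p` output (fields event;interface;protocol;name;type;domain;hostname;address;port;txt, with non-printable bytes escaped as a backslash and three decimal digits), and it emits the Nmap XML element names (nmaprun/host/address/hostnames/ports/port/state/service/runstats). The sample input below is constructed, not a real capture, and the `reason="service-advertisement"` attribute value is an invented marker recording that no packet was ever sent; whether Zenmap opens the result unmodified is an assumption that has not been checked here.

```python
#!/usr/bin/env python3
"""Turn `avahi-browse -a -r -t -p` output into Nmap-style XML.

Example code written for this page, not Toni Ruottu's bonmap script.
Assumptions: the avahi-browse parsable field layout shown in SAMPLE
below, and the Nmap XML element names used in build_nmap_xml().
"""
import re
import sys
import time
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of `avahi-browse -artp` output (not a real capture).
# "=" lines are resolved services; "+" lines are unresolved and carry no
# address or port, so they are skipped. \032 is avahi's escape for a space.
SAMPLE = """\
+;eth0;IPv4;Office\\032Printer;_ipp._tcp;local
=;eth0;IPv4;Office\\032Printer;_ipp._tcp;local;printer.local;192.168.1.20;631;"txtvers=1" "rp=ipp/print"
=;eth0;IPv4;Office\\032Printer;_http._tcp;local;printer.local;192.168.1.20;80;
=;eth0;IPv4;nas;_ssh._tcp;local;nas.local;192.168.1.30;22;
=;eth0;IPv4;nas;_afpovertcp._tcp;local;nas.local;192.168.1.30;548;
=;eth0;IPv4;laptop;_sleep-proxy._udp;local;laptop.local;192.168.1.40;51033;
"""


def unescape(s):
    """avahi-browse escapes bytes as backslash + three decimal digits (\\032 = space)."""
    return re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1))), s)


def parse_avahi(text):
    """Return (address, hostname, proto, port, service) for each resolved line."""
    records = []
    for line in text.splitlines():
        fields = line.split(";")
        if len(fields) < 9 or fields[0] != "=":
            continue  # "+" (unresolved) and "-" (removed) entries have no address
        stype, host, addr, port = fields[4], fields[6], fields[7], fields[8]
        # "_ipp._tcp" -> service name "ipp", transport protocol "tcp"
        m = re.match(r"_(.+)\._(tcp|udp)$", stype)
        if not m or not port.isdigit():
            continue
        records.append((addr, unescape(host), m.group(2), int(port), m.group(1)))
    return records


def build_nmap_xml(text, now=None):
    """Build Nmap-XML-shaped output: one <host> per address, one <port> per advertisement."""
    now = int(now if now is not None else time.time())
    by_host = defaultdict(list)
    for addr, host, proto, port, svc in parse_avahi(text):
        by_host[(addr, host)].append((proto, port, svc))

    run = ET.Element("nmaprun", scanner="avahi-example", args="avahi-browse -artp",
                     start=str(now), version="0", xmloutputversion="1.04")
    for (addr, host), ports in sorted(by_host.items()):
        h = ET.SubElement(run, "host")
        # Invented reason string: the host was never probed, only heard advertising.
        ET.SubElement(h, "status", state="up", reason="service-advertisement")
        ET.SubElement(h, "address", addr=addr, addrtype="ipv6" if ":" in addr else "ipv4")
        names = ET.SubElement(h, "hostnames")
        ET.SubElement(names, "hostname", name=host, type="PTR")
        ps = ET.SubElement(h, "ports")
        for proto, port, svc in sorted(set(ports)):  # drop duplicate advertisements
            p = ET.SubElement(ps, "port", protocol=proto, portid=str(port))
            ET.SubElement(p, "state", state="open", reason="service-advertisement")
            # method="table"/conf="3" is what Nmap uses for a name looked up rather than probed
            ET.SubElement(p, "service", name=svc, method="table", conf="3")
    stats = ET.SubElement(run, "runstats")
    ET.SubElement(stats, "finished", time=str(now), elapsed="0")
    ET.SubElement(stats, "hosts", up=str(len(by_host)), down="0", total=str(len(by_host)))
    return '<?xml version="1.0"?>\n' + ET.tostring(run, encoding="unicode")


if __name__ == "__main__":
    # Usage: avahi-browse -artp | python3 avahi2nmap.py - > mylan.xml
    # With no argument the constructed SAMPLE is converted instead.
    if len(sys.argv) > 1:
        data = sys.stdin.read() if sys.argv[1] == "-" else open(sys.argv[1]).read()
    else:
        data = SAMPLE
    print(build_nmap_xml(data))
```

Every port in the output is marked open on the strength of an advertisement alone, which is exactly the trust gap the message describes: the XML records what the network claimed, not what a scan verified, so a follow-up `nmap -p <ports> <hosts>` against the listed hosts is the natural next step on a local network.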
Current thread:
- Harnessing Service Discovery Toni Ruottu (Nov 24)
- Re: Harnessing Service Discovery David Fifield (Nov 26)
- Re: Harnessing Service Discovery Toni Ruottu (Nov 26)
- Re: Harnessing Service Discovery David Fifield (Nov 27)
- Re: Harnessing Service Discovery Toni Ruottu (Nov 26)
- Re: Harnessing Service Discovery David Fifield (Nov 26)