Nmap Development mailing list archives
Re: Why port 22 has been removed from Probe TCP GenericLines?
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 23 Sep 2015 10:33:47 -0500
Ryan, I'm not sure which version you're comparing with. I looked back as far as April 2005 and port 22 has not been listed in the ports for GenericLines. That is not to say that the GenericLines probe will not be sent, though! Here's the rundown of how Nmap will try to get a version for port 22:

1. NULL probe. Nmap connects and waits totalwaitms (currently 6 seconds) for a banner. This banner is matched against the (currently 593) match lines for that probe.

2. Port-specific probes. If any probes have port 22 listed in the "ports" directive, they will be tried first. This is usually reserved for protocol-specific stuff like GetRequest to port 80 or a Docker probe to port 2375. There are no probes that list port 22 because the standard protocol for that port (SSH) begins with a server banner.

3. Remaining probes by rarity. Probes which are likely to get a response from many common services are sent first, and probes that are specifically targeted to individual services are sent last or not at all. GenericLines has a rarity of 1, meaning that it will be the first one sent (since it is also at the top of the file).

4. If the service was matched as "ssl", then reconnect with an SSL/TLS tunnel and start over at 1.

At any point, if a match is found, then the process stops and no further probes are sent.

I wrote a little Perl script to check the order of probes sent to any particular port, which I'm attaching for anyone who is interested.
The output for port 22/tcp is:

TCP
1: GenericLines GetRequest SSLSessionReq
3: DNSVersionBindReq Help
4: HTTPOptions RPCCheck SMBProgNeg X11Probe
5: RTSPRequest Kerberos SIPOptions
6: FourOhFourRequest LPDString LDAPBindReq LANDesk-RC TerminalServer NCP NotesRPC WMSRequest afp
7: DNSStatusRequest TLSSessionReq oracle-tns
8: Hello SSLv23SessionReq DistCCD JavaRMI Radmin NessusTPv10 Verifier VerifierAdvanced Socks5 Socks4 ms-sql-s HELP4STOMP Memcache firebird ibm-db2-das ibm-db2 pervasive-relational pervasive-btrieve ajp SqueezeCenter_CLI Arucer dominoconsole informix drda ibm-mqseries apple-iphoto mongodb redis-server memcached riak-pbc tarantool couchbase-data epmd vp3 minecraft-ping docker tor-versions
9: NessusTPv12 NessusTPv11 mydoom WWWOFFLEctrlstat OfficeScan beast2 hp-pjl ZendJavaBridge gkrellm vmware-esx metasploit-xmlrpc metasploit-msgrpc hazelcast-http erlang-node teamspeak-tcpquery-ver xmlsysd

Note that with the default settings (--version-intensity 7), the large number of probes at rarity 8 and 9 will not be sent.

Dan

On Wed, Sep 23, 2015 at 1:19 AM, ryan chou <jkryanchou () gmail com> wrote:
Hi, I downloaded the latest version of nmap-service-probes to compare with the old version, and found that port 22 has been removed from the Probe TCP GenericLines ports list. So could anyone tell me the reason for this modification? According to this modification, the fingerprint of port 22 could only be obtained with the TCP NULL probe, which only sets up a connection to the target. Why not keep both Probe NULL and Probe GenericLines? As far as I thought, they both could get the fingerprint from port 22.

_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Attachment: probe-order.pl
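The four steps Dan lists above (NULL probe, port-specific probes, remaining probes by rarity up to --version-intensity, stop at the first match) can be modelled in a few dozen lines. The script below is an added example, not Nmap's code and not the probe-order.pl script attached to this message. It parses a constructed excerpt written in nmap-service-probes syntax: the probe names are real, but the ports, rarity values and match regexes are illustrative and are not copied from the real file. Two assumptions are built in: a probe with no rarity line is treated as rarity 1, and a probe that lists the port is sent regardless of intensity. Responses are matched only against the probe's own match lines (Nmap's fallback directive is left out).

```python
# Added example (not Nmap's code, nor the probe-order.pl attached to this
# thread): a model of the probe-selection steps above, run over a
# CONSTRUCTED excerpt in nmap-service-probes syntax.
import re
from dataclasses import dataclass, field

# Constructed excerpt: real probe names, illustrative ports/rarity/regexes.
SAMPLE_PROBES = r"""
Probe TCP NULL q||
totalwaitms 6000
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/

Probe TCP GenericLines q|\r\n\r\n|
rarity 1
match http m|^HTTP/1\.[01] 400|

Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
ports 80,8080-8081
rarity 1
match http m|^HTTP/1\.[01] \d\d\d|

Probe TCP SSLSessionReq q|\x16\x03\x00|
rarity 1

Probe TCP Help q|HELP\r\n|
rarity 3

Probe TCP docker q|GET /version HTTP/1.1\r\n\r\n|
ports 2375,2376
rarity 8
"""


@dataclass(eq=False)
class Probe:
    proto: str
    name: str
    string: str
    ports: set = field(default_factory=set)
    rarity: int = 1           # assumption: no rarity line means rarity 1
    totalwaitms: int = 6000   # the NULL-probe wait the thread quotes
    matches: list = field(default_factory=list)  # [(service, regex), ...]


def parse_ports(spec):
    """Expand a 'ports' value such as '80,8080-8081' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_probes(text):
    """Parse Probe / ports / rarity / totalwaitms / match directives."""
    probes, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"Probe (TCP|UDP) (\S+) q(.)(.*)\3$", line)
        if m:
            cur = Probe(m.group(1), m.group(2), m.group(4))
            probes.append(cur)
            continue
        key, _, val = line.partition(" ")
        if key == "ports":
            cur.ports = parse_ports(val)
        elif key == "rarity":
            cur.rarity = int(val)
        elif key == "totalwaitms":
            cur.totalwaitms = int(val)
        elif key == "match":  # 'match <service> m|regex| ...'
            mm = re.match(r"(\S+) m(.)(.*?)\2", val)
            cur.matches.append((mm.group(1), re.compile(mm.group(3))))
    return probes


def probe_order(probes, port, intensity=7):
    """NULL first, then probes listing the port (regardless of rarity),
    then the rest sorted by rarity up to the intensity; sorted() is
    stable, so file order is kept within one rarity value."""
    tcp = [p for p in probes if p.proto == "TCP"]
    order = [p for p in tcp if p.name == "NULL"]
    order += [p for p in tcp if port in p.ports and p not in order]
    rest = [p for p in tcp if p not in order and p.rarity <= intensity]
    order += sorted(rest, key=lambda p: p.rarity)
    return [p.name for p in order]


def simulate(probes, port, responses, intensity=7):
    """Walk the order, feeding each probe the constructed response the
    target gives it (dict: probe name -> text). Stops at the first match
    line that fires, which is why a banner to NULL ends the run."""
    by_name = {p.name: p for p in probes if p.proto == "TCP"}
    sent = []
    for name in probe_order(probes, port, intensity):
        sent.append(name)
        banner = responses.get(name)
        if banner is None:
            continue
        for service, rx in by_name[name].matches:
            if rx.search(banner):
                return sent, service
    return sent, None


if __name__ == "__main__":
    probes = parse_probes(SAMPLE_PROBES)
    print(probe_order(probes, 22))
    print(simulate(probes, 22, {"NULL": "SSH-2.0-OpenSSH_6.7p1 Debian-5\r\n"}))
```

Run against port 22 with a banner to the NULL probe, the simulation sends nothing but NULL, which is the point of the reply: GenericLines never needed to be in the ports list for SSH to be identified. Raising the intensity to 9 appends the rarity-8 docker probe for port 22, while port 2375 gets docker right after NULL because the ports directive overrides rarity.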
Current thread:
- Why port 22 has been removed from Probe TCP GenericLines? ryan chou (Sep 22)
- Re: Why port 22 has been removed from Probe TCP GenericLines? Daniel Miller (Sep 23)