Nmap Development mailing list archives

Recent changes to -sV and softmatches

From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 12 Feb 2018 23:52:33 -0600

Hi, Nmap devs and users!

Recently, I pushed a series of 3 changes that update the way Nmap does
service and application version detection. Hopefully, these will result in
better detection of services on unusual ports as well as speed up detection
of some services on very common ports. The full documentation for version
detection, including a description of the softmatch mechanism, is in Nmap
Network Scanning chapter 7 [1].

First, r37130 aligns the code with the documentation. A softmatch is
supposed to limit subsequent probes to those that have a possibility of
matching the softmatched service. Instead, Nmap was continuing to send all
the probes with matching port numbers, even if they were not known to match
the softmatched service. The fix will reduce the number of probes sent by
only sending the most likely probes after a softmatch, speeding up service
detection.

Second, r37131 expands the --version-all option to really send all probes,
even if a softmatch is found. This will be useful for finding existing
probes that elicit a response from new services, even if Nmap doesn't know
how to match those services yet. The same applies to --version-intensity 9,
since --version-all is just an alias for that.

Last, r37138 allows Nmap to send likely (matching service) probes after a
softmatch even if the rarity exceeds the version intensity. In other words,
a softmatch causes Nmap to ignore --version-intensity or --version-light
options. Since the number of possible probes is already very limited due to
the softmatch (especially after the first change above), extending to
unusual probes will not add much extra time and ought to greatly improve
detection of services on unusual ports.

I welcome your feedback on these changes.

Dan

[1] Nmap Network Scanning, chapter 7: "Service and Application Version
Detection" https://nmap.org/book/vscan.html
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
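The three behaviour changes described in the post, as an added illustrative model that is not Nmap's own code: a toy probe table is filtered under the old and new softmatch rules so the difference in which probes get sent is visible. Every probe name, rarity, port registration and match service below is constructed for this example, not taken from nmap-service-probes; the one real rule it relies on is the documented one that, absent a softmatch, a probe is tried when its rarity does not exceed the intensity or when the target port is in the probe's port list.

```python
"""Illustrative model of how r37130, r37131 and r37138 change which -sV
probes are sent after a softmatch.  All probe data here is constructed for
the example; names, rarities and port lists are assumptions, not the
contents of nmap-service-probes."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    name: str
    rarity: int           # 1 (very common) .. 9 (very rare)
    ports: frozenset      # ports the probe is registered for
    services: frozenset   # services the probe has match/softmatch lines for


# Constructed sample probe table (hypothetical values).
PROBES = [
    Probe("NULL",          1, frozenset({21, 22, 25}),   frozenset({"ftp", "ssh", "smtp"})),
    Probe("GetRequest",    1, frozenset({80, 443}),      frozenset({"http"})),
    Probe("GenericLines",  2, frozenset({21, 25}),       frozenset({"ftp", "smtp"})),
    Probe("TLSSessionReq", 3, frozenset({25, 443, 465}), frozenset({"ssl"})),
    Probe("DNSVersion",    3, frozenset({53}),           frozenset({"domain"})),
    Probe("HTTPOptions",   4, frozenset({80}),           frozenset({"http"})),
    Probe("SMTPHelo",      6, frozenset({25}),           frozenset({"smtp"})),
    Probe("SMTPRare",      8, frozenset(),               frozenset({"smtp"})),
]


def allowed_by_intensity(probe, port, intensity):
    """Documented -sV rule when no softmatch is in play: a probe is tried when
    its rarity does not exceed the intensity, or when the target port is in
    the probe's port list regardless of rarity."""
    return probe.rarity <= intensity or port in probe.ports


def select_old(probes, port, intensity, softmatch=None, sent=frozenset()):
    """Behaviour the post describes as pre-r37130: after a softmatch, every
    probe registered for the port is still sent, plus probes known to match
    the softmatched service within the intensity limit."""
    out = []
    for p in probes:
        if p.name in sent:
            continue
        if softmatch is None:
            keep = allowed_by_intensity(p, port, intensity)
        else:
            keep = port in p.ports or (softmatch in p.services and p.rarity <= intensity)
        if keep:
            out.append(p.name)
    return out


def select_new(probes, port, intensity, softmatch=None, sent=frozenset()):
    """Behaviour after the three changes:
      r37131: intensity 9 (--version-all) sends every probe, softmatch or not;
      r37130: after a softmatch only probes that can match that service are sent;
      r37138: those probes are sent even if their rarity exceeds the intensity."""
    candidates = [p for p in probes if p.name not in sent]
    if intensity >= 9:
        return [p.name for p in candidates]
    if softmatch is not None:
        return [p.name for p in candidates if softmatch in p.services]
    return [p.name for p in candidates if allowed_by_intensity(p, port, intensity)]


if __name__ == "__main__":
    # SMTP on port 25 at the default intensity 7; the NULL probe already
    # produced a softmatch of "smtp".
    print("old:", select_old(PROBES, 25, 7, softmatch="smtp", sent={"NULL"}))
    print("new:", select_new(PROBES, 25, 7, softmatch="smtp", sent={"NULL"}))
    print("all:", select_new(PROBES, 25, 9, softmatch="smtp", sent={"NULL"}))
    # Same service on an unusual port: the new rules still reach SMTPRare.
    print("2525:", select_new(PROBES, 2525, 7, softmatch="smtp", sent={"NULL"}))
```

Under the old rules the port-25 case still sends TLSSessionReq (registered for the port, but unable to match smtp) and never reaches SMTPRare (rarity 8 above intensity 7); under the new rules it sends only the three smtp-capable probes, and the unusual-port case gets the same list, which is the detection improvement the post is after.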