Nmap Announce mailing list archives
Patch to add "Version scan".
From: "Jay Freeman \(saurik\)" <saurik () cyberuniverse com>
Date: Mon, 15 May 2000 06:04:36 -0500
nmap-type people:

Was checking what mail daemons a friend of mine installed on a new server he just set up last week, and had to ask myself: Why isn't there a tool to do stuff like this all at once? Finally decided that if anything should, nmap should, and added the functionality as a new scan type: -sV.

Didn't attach the patch since all the stuff I added to make regular expressions work on systems without regexec() (which I am only somewhat confident I did right) made the patch over 200k, so if anyone is interested in this functionality (still haven't totally convinced myself that many people would really use this) it is available at:

    ftp://ftp.saurik.com/pub/nmap/nmap+V

I already spent a bunch of time finding different FTP servers, e-mail servers, etc. and adding their output styles to the nmap-versions file, so the system should already be rather usable. Here is an example of the output it generates (hosts changed to protect the innocent):

    [root(2)@ironclad nmap-2.53+V]# ./nmap -sS -sV -FV xxxxxx

    Starting nmap V. 2.53 by fyodor () insecure org ( www.insecure.org/nmap/ )
    Interesting ports on xxxxxx.xxxxxxxxxx.xxx.xx.xx (xxx.xxx.xx.xx):
    (The 3 ports scanned but not shown below are in state: closed)
    Port       State       Service       Version
    21/tcp     open        ftp           System V Release 4.0
    25/tcp     open        smtp          Sendmail 5.x/SMI-4.1
    80/tcp     open        http          Apache/1.3.3
    110/tcp    open        pop-3         UCB 1.831beta

    Nmap run completed -- 1 IP address (1 host up) scanned in 7 seconds

    [root(2)@ironclad nmap-2.53+V]# ./nmap -sS -sV -FV xxx

    Starting nmap V. 2.53 by fyodor () insecure org ( www.insecure.org/nmap/ )
    Interesting ports on xxxxxxxxxx.xxxxxxxxxx.xxx.xx.xx (xxx.xxx.xxx.x):
    (The 2 ports scanned but not shown below are in state: closed)
    Port       State       Service       Version
    21/tcp     open        ftp           wu-2.6.0(1)
    22/tcp     open        ssh           1.99-2.0.13 (non-commercial)
    25/tcp     open        smtp          Sendmail 8.9.3/8.9.3
    110/tcp    open        pop-3         v7.64
    143/tcp    open        imap2         WU IMAP4rev1 v12.264

    Nmap run completed -- 1 IP address (1 host up) scanned in 9 seconds

    [root(4)@ironclad nmap-2.53+V]#

I added the following command line options:

    -sV = Activates the version scan.
    -FS = Same as -F.
    -FV = Scans only ports that have entries in nmap-versions.

And I also added a file nmap-versions. Here is a snippet:

    - 25 256 2 "HELP\n"
    + "^220 [^ ]+ (ESMTP |)(Sendmail .+)(;| ready at)" 2
    + "^220 [^ ]+ WindowsNT SMTP Server (.+) ESMTP ready" 1 "MS SMTP"

General idea:

    - <port> <read buffer length> <max subexpression> [send this]
    + <regular expression> <subexpression to take> [product name]
    +
    +
    - <next port>
    .

A line in the incorrect format is ignored.

Way it works is after nmap finds a port open, during posportupdate() I call getversioninfoz() which scans the nmap-versions file for an entry for that port. If it finds one, then it sends the string, allocates the requested bytes of buffer, and builds an array for storing the returned matches from regexec(). It then reads as much data as it can from the port, loops through all the expressions in nmap-versions for it, compiles and runs each of them on the data, and if one matches the requested match entry is used as the version string (possibly concatenated after the product string). In the case of a TCP connect() scan, I am currently just reusing the sockets that have already been connected with to the server (to minimize the number of full connections made, easy to remove this functionality, though, if people object to it).

The patch adds the necessary functionality, modifies the *.in scripts to handle the needed regular expression support (along with an included regex.c which will hopefully replace the functionality if it is missing in the system libraries), modifies the documentation (adds the new options, makes changes to the current documentation to use -FS instead of -F). Things I haven't done are modify the foreign language versions of the manual pages, or update any of the HTML files (my copy of man2html works very differently from the one that Fyodor uses to generate the distributions :-) ).

Oh, and the version information currently only comes up on the regular output methods, wasn't sure how to add it to the machine-readable output without breaking some machine that was trying to read the output. Might be better for that one to be looked at by someone who _actually_ machine reads that output :-).

Couple things I am thinking about that I would like opinions on before I continue working on this:

- Decoupling port numbers from the nmap-version entries. Might be useful to simply associate the entries in the file to a protocol, like FTP, and then have a section that maps ports to protocols (for instances where one protocol is often found on multiple ports).

- More complex tree based scanning. Something like this would require a different file format for nmap-versions, but it might allow for scanning some daemons that require deeper levels of protocol operation before a result is obtained.

- Intrusive scanning. Some protocols are easy to get version results for if you are just willing to go the extra distance, such as IRC. Send a USER/NICK, log onto the server, and the version springs right up. I can definitely see how people might not want to go quite this far while performing a scan, however. Maybe actually attempting to log into daemons could be controlled by a command line option.

- Longer, more detailed version information. The first server in my example output actually yields Apache/1.3.3 (Unix) FrontPage/4.0.4.3 in the Server: header. My server returns a whopping Apache/1.3.12 (Unix) (Red Hat/Linux) DAV/0.9.15 tomcat/1.0 mod_perl/1.21 PHP/3.0.14 mod_ssl/2.6.2 OpenSSL/0.9.4. I truncated it down to the simple Apache/1.3.3 in the included regular expression. Maybe another command line option to yield as much information as can be found in cases like this (and therefore prioritizing certain marked expressions).

Sincerely,
Jay Freeman (saurik)
saurik () saurik com <mailto:saurik () saurik com>
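The nmap-versions format and the per-port matching loop described in the post (send the probe, read at most the buffer length, try each expression in order, take the requested subexpression, prefix the product name) can be reproduced offline. The following is an added Python example written for this archive page; it is not code from the patch, which is C. The port 25 entry is the snippet quoted in the post; the port 21 entry, the comment line, the malformed line and every server reply are constructed here, and the choices of a space between product name and version, of dropping the "+" lines that follow a malformed "-" line, and of treating an uncompilable expression like a malformed line are this example's assumptions, not the patch's documented behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample file in the format the post describes. The port 25 entry is the
# snippet from the post; the rest is constructed to exercise the parser.
SAMPLE_NMAP_VERSIONS = r'''
# lines not starting with "-" or "+" are ignored (constructed comment line)
- 25 256 2 "HELP\n"
+ "^220 [^ ]+ (ESMTP |)(Sendmail .+)(;| ready at)" 2
+ "^220 [^ ]+ WindowsNT SMTP Server (.+) ESMTP ready" 1 "MS SMTP"
- 21 256 1
+ "^220 .*Version (wu-[0-9.]+\([0-9]+\)) " 1
- notaport 256 1 "QUIT\n"
+ "^this pattern belongs to a malformed entry and is dropped" 1
'''


@dataclass
class Pattern:
    regex: str
    subexpr: int             # which parenthesised subexpression holds the version
    product: Optional[str]   # optional product name placed in front of the match


@dataclass
class Entry:
    port: int
    buflen: int              # "read buffer length": bytes of reply to keep
    maxsub: int              # "max subexpression": size of the regexec() match array
    send: str                # probe string; "" when the daemon talks first
    patterns: List[Pattern] = field(default_factory=list)


# A token is either a double-quoted string (backslash escapes allowed) or a bare word.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')


def tokenize(s: str) -> List[str]:
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(s)]


def unescape(s: str) -> str:
    # Turn the \n / \r written in the file into real control characters.
    return s.encode("latin-1", "backslashreplace").decode("unicode_escape")


def parse_versions(text: str) -> Dict[int, Entry]:
    """Parse nmap-versions text into {port: Entry}; malformed lines are ignored."""
    entries: Dict[int, Entry] = {}
    current: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        kind, _, rest = line.partition(" ")
        toks = tokenize(rest)
        if kind == "-":
            try:
                port, buflen, maxsub = int(toks[0]), int(toks[1]), int(toks[2])
            except (IndexError, ValueError):
                current = None   # assumption: "+" lines after a bad "-" line are dropped too
                continue
            send = unescape(toks[3]) if len(toks) > 3 else ""
            current = entries[port] = Entry(port, buflen, maxsub, send)
        elif kind == "+" and current is not None:
            try:
                subexpr = int(toks[1])
            except (IndexError, ValueError):
                continue
            product = toks[2] if len(toks) > 2 else None
            current.patterns.append(Pattern(toks[0], subexpr, product))
    return entries


def identify(entry: Entry, data: str) -> Optional[str]:
    """Try the entry's expressions in order on the reply; return the version or None."""
    data = data[:entry.buflen]   # only <read buffer length> bytes were allocated
    for pat in entry.patterns:
        if pat.subexpr > entry.maxsub:
            continue   # no match slot was allocated for that subexpression
        try:
            m = re.search(pat.regex, data)
        except re.error:
            continue   # assumption: an uncompilable expression is skipped like a bad line
        if m is None or pat.subexpr > m.re.groups:
            continue
        version = m.group(pat.subexpr)
        return f"{pat.product} {version}" if pat.product else version
    return None


def scan_host(entries: Dict[int, Entry],
              read_port: Callable[[int, str], Optional[str]]) -> Dict[int, Optional[str]]:
    """The -FV loop: for every port with an entry, send its probe and match the reply.
    read_port(port, send) stands in for the socket I/O and returns the reply text."""
    results: Dict[int, Optional[str]] = {}
    for port in sorted(entries):
        reply = read_port(port, entries[port].send)
        if reply is not None:
            results[port] = identify(entries[port], reply)
    return results


# Constructed replies, modelled on the banners the post's example output came from.
CONSTRUCTED_REPLIES = {
    21: "220 ftp.example.com FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.\r\n",
    25: "220 mail.example.com ESMTP Sendmail 8.9.3/8.9.3; Mon, 15 May 2000 06:04:36 -0500\r\n",
}

if __name__ == "__main__":
    table = parse_versions(SAMPLE_NMAP_VERSIONS)
    for port, version in scan_host(table, lambda p, _send: CONSTRUCTED_REPLIES.get(p)).items():
        print(f"{port}/tcp  {version}")
```

Run as a script it prints one line per port that has an entry, mirroring the Version column of the post's output. The `read_port` callback is where the real patch reuses the already-connected socket from a connect() scan; keeping it a parameter lets the parsing and matching be checked without touching the network.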
Current thread:
- Patch to add "Version scan". Jay Freeman (saurik) (May 15)
- <Possible follow-ups>
- Re: Patch to add "Version scan". Alek O. Komarnitsky (N-CSC) (May 15)