Nmap Announce mailing list archives

Patch to add "Version scan".


From: "Jay Freeman \(saurik\)" <saurik () cyberuniverse com>
Date: Mon, 15 May 2000 06:04:36 -0500

nmap-type people:

Was checking what mail daemons a friend of mine installed on a new server he
just setup last week, and had to ask myself: “Why isn’t there a tool to do
stuff like this all at once?”.  Finally decided that if anything should,
nmap should, and added the functionality as a new scan type: -sV.  Didn’t
attach the patch since all the stuff I added to make regular expressions
work on systems without regexec() (which I am only somewhat confident I did
right) made the patch over 200k, so if anyone is interested in this
functionality (still haven’t totally convinced myself that many people would
really use this…) it is available at: ftp://ftp.saurik.com/pub/nmap/nmap+V .
I already spent a bunch of time finding different FTP servers, e-mail
servers, etc. and adding their output styles to the nmap-versions file, so
the system should already be rather usable.  Here is an example of the
output it generates (hosts changed to protect the innocent):

[root(2)@ironclad nmap-2.53+V]# ./nmap -sS -sV -FV xxxxxx

Starting nmap V. 2.53 by fyodor () insecure org ( www.insecure.org/nmap/ )
Interesting ports on xxxxxx.xxxxxxxxxx.xxx.xx.xx (xxx.xxx.xx.xx):
(The 3 ports scanned but not shown below are in state: closed)
Port       State       Service             Version
21/tcp     open        ftp                 System V Release 4.0
25/tcp     open        smtp                Sendmail 5.x/SMI-4.1
80/tcp     open        http                Apache/1.3.3
110/tcp    open        pop-3               UCB 1.831beta

Nmap run completed -- 1 IP address (1 host up) scanned in 7 seconds
[root(2)@ironclad nmap-2.53+V]# ./nmap -sS -sV -FV xxx

Starting nmap V. 2.53 by fyodor () insecure org ( www.insecure.org/nmap/ )
Interesting ports on xxxxxxxxxx.xxxxxxxxxx.xxx.xx.xx (xxx.xxx.xxx.x):
(The 2 ports scanned but not shown below are in state: closed)
Port       State       Service             Version
21/tcp     open        ftp                 wu-2.6.0(1)
22/tcp     open        ssh                 1.99-2.0.13 (non-commercial)
25/tcp     open        smtp                Sendmail 8.9.3/8.9.3
110/tcp    open        pop-3               v7.64
143/tcp    open        imap2               WU IMAP4rev1 v12.264

Nmap run completed -- 1 IP address (1 host up) scanned in 9 seconds
[root(4)@ironclad nmap-2.53+V]#

I added the following command line options:

-sV = Activates the version scan.
-FS = Same as -F.
-FV = Scans only ports that have entries in nmap-versions.

And I also added a file nmap-versions.  Here is a snippet:

- 25 256 2 "HELP\n"
+ "^220 [^ ]+ (ESMTP |)(Sendmail .+)(;| ready at)" 2
+ "^220 [^ ]+ WindowsNT SMTP Server (.+) ESMTP ready" 1 "MS SMTP"

General idea:

- <port> <read buffer length> <max subexpression> [send this]
+ <regular expression> <subexpression to take> [product name]
+ …
+ …
- <next port> ….

A line in the incorrect format is ignored.

The way it works is that after nmap finds a port open, during posportupdate() I
call getversioninfoz() which scans the nmap-versions file for an entry for that
port.  If it finds one, then it sends the string, allocates the requested
bytes of buffer, and builds an array for storing the returned matches from
regexec().  It then reads as much data as it can from the port, loops
through all the expressions in nmap-versions for it, compiles and runs each
of them on the data, and if one matches, the requested match entry is used as
the version string (possibly concatenated after the product string).  In the
case of a TCP connect() scan, I am currently just reusing the sockets that
have already been connected to the server (to minimize the number of
full connections made; easy to remove this functionality, though, if people
object to it).

The patch adds the necessary functionality, modifies the *.in scripts to
handle the needed regular expression support (along with an included regex.c
which will hopefully replace the functionality if it is missing in the
system libraries), modifies the documentation (adds the new options, makes
changes to the current documentation to use -FS instead of -F).  Things I
haven’t done are modify the foreign language versions of the manual pages,
or update any of the HTML files (my copy of man2html works very differently
from the one that Fyodor uses to generate the distributions :-) ).  Oh, and
the version information currently only comes up on the regular output
methods; I wasn’t sure how to add it to the machine-readable output without
breaking some machine that was trying to read the output.  Might be better
for that one to be looked at by someone who _actually_ machine reads that
output :-).

Couple things I am thinking about that I would like opinions on before I
continue working on this:

- Decoupling port numbers from the nmap-version entries.
Might be useful to simply associate the entries in the file to a protocol,
like FTP, and then have a section that maps ports to protocols (for
instances where one protocol is often found on multiple ports).

- More complex tree based scanning.
Something like this would require a different file format for nmap-versions,
but it might allow for scanning some daemons that require deeper levels of
protocol operation before a result is obtained.

- Intrusive scanning…
Some protocols are easy to get version results for if you are just willing
to go the extra distance… such as IRC.  Send a USER/NICK, log onto the
server, and the version springs right up.  I can definitely see how people
might not want to go quite this far while performing a scan, however.  Maybe
actually attempting to log into daemons could be controlled by a command
line option…

- Longer, more detailed version information.
The first server in my example output actually yields “Apache/1.3.3 (Unix)
FrontPage/4.0.4.3” in the Server: header.  My server returns a whopping
“Apache/1.3.12 (Unix)  (Red Hat/Linux) DAV/0.9.15 tomcat/1.0 mod_perl/1.21
PHP/3.0.14 mod_ssl/2.6.2 OpenSSL/0.9.4”.  I truncated it down to the simple
“Apache/1.3.3” in the included regular expression.  Maybe another command
line option to yield as much information as can be found in cases like this
(and therefore prioritizing certain marked expressions)…

Sincerely,
Jay Freeman (saurik)
saurik () saurik com <mailto:saurik () saurik com>
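The nmap-versions format and matching rule described in the mail above, as an added example that is not part of the mail or of the patch: it parses the "- <port> ..." / "+ <regex> ..." lines, drops lines in the wrong format, and applies the patterns to constructed banners, using Python's re module in place of regexec(). The two SMTP patterns are the ones quoted in the mail; the port-21 entry, the orphan/oversized/malformed lines and the banners are assumptions.

```python
import codecs
import re
import shlex

# Constructed nmap-versions fragment in the format the mail describes; the
# port-21 entry, the extra bad lines and BANNERS below are assumptions.
NMAP_VERSIONS = r'''
+ "^220 orphan pattern before any port line" 1
- 25 256 2 "HELP\n"
+ "^220 [^ ]+ (ESMTP |)(Sendmail .+)(;| ready at)" 2
+ "^220 [^ ]+ WindowsNT SMTP Server (.+) ESMTP ready" 1 "MS SMTP"
+ "^220 (a)(b)(c)" 3
this line is in the wrong format and is ignored
- 21 128 1
+ "^220 [^ ]+ FTP server \(Version (wu-[^ ]+)" 1
'''

def parse_versions(text):
    # Returns {port: {"buflen", "maxsub", "send", "patterns": [(regex, group, product)]}}
    table, cur = {}, None
    for raw in text.splitlines():
        try:
            tok = shlex.split(raw)  # honours the "..." quoting used in the file
        except ValueError:
            continue  # unbalanced quote: wrong format, ignored
        if tok[:1] == ["-"] and len(tok) in (4, 5) and all(t.isdigit() for t in tok[1:4]):
            send = codecs.decode(tok[4], "unicode_escape") if len(tok) == 5 else ""
            cur = {"buflen": int(tok[2]), "maxsub": int(tok[3]), "send": send, "patterns": []}
            table[int(tok[1])] = cur
        elif tok[:1] == ["+"] and len(tok) in (3, 4) and tok[2].isdigit() and cur is not None:
            group = int(tok[2])
            if 1 <= group <= cur["maxsub"]:  # must fit the regexec() match array
                cur["patterns"].append((re.compile(tok[1]), group, tok[3] if len(tok) == 4 else None))
        # anything else is a line in the wrong format and is silently ignored
    return table

def match_version(entry, banner):
    # Apply one port's patterns to what the daemon sent back; first match wins.
    data = banner[: entry["buflen"]]  # only <read buffer length> bytes are read
    for regex, group, product in entry["patterns"]:
        m = regex.search(data)
        if m and m.group(group):
            return f"{product} {m.group(group)}" if product else m.group(group)
    return None

# Constructed banners shaped like those behind the mail's sample output.
BANNERS = {
    25: "220 mail.example.com ESMTP Sendmail 8.9.3/8.9.3; Mon, 15 May 2000 06:04:36 -0500\r\n",
    21: "220 ftp.example.com FTP server (Version wu-2.6.0(1) Mon Apr 3 2000) ready.\r\n",
}
```

Running parse_versions(NMAP_VERSIONS) and then match_version(table[25], BANNERS[25]) yields "Sendmail 8.9.3/8.9.3", the same string as in the second sample run.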