Nmap Announce mailing list archives
nmap+V-2.0: (Partial) Protocol Auto-Detection !!
From: "Jay Freeman \(saurik\)" <saurik () saurik com>
Date: Wed, 17 May 2000 03:19:41 -0500
nmap-type people:

All right, this is the biggie :)! I totally revamped the nmap-versions configuration file format to the point where it is almost like a programming language. Send this, read 128 bytes, if the data matches this regular expression then skip to section 3, if it matches this regular expression the protocol is IRC, send logon information, etc. It doesn't try all protocols on all ports, but also (currently) doesn't start forking based on port number unless connecting to the port yields no data. So if there is an FTP or SMTP server or some such sitting on a strange port, chances are it will be detected (assuming you scanned that port :-) ).

The one protocol that really bothers me in this case is HTTP (which might be rather common to find running on a strange port, and doesn't send data on connect). To this end, I'm thinking about making the default attempt be to look for a web server of some sort. Any opinions?

I already have entries in the file for various FTP, SMTP, POP, HTTP, Eggdrop, SSH, IRC, and a few nutty ones, so it should work for practical situations. Especially now that it separates the protocol from the version, so even if it doesn't know what FTP server is running on the port, it should be pretty reliable about knowing that it is an FTP server.

Patch can be found at ftp://ftp.saurik.com/pub/nmap/nmap+V , tarball at ftp://ftp.saurik.com/pub/nmap/nmap-2.53+V.tgz .

Warning: This scan can be very intrusive :-), and any way you slice it is definitely noticeable.

Not sure what to do next :-). Definitely going to work on adding more protocols. Might take a look at what nnmap-web can do and see if there's anything it can do that my general system isn't good at, and then try to generalize it into the nmap-versions file (not sure if I can generalize the support for the time protocol, which is the one that was mentioned).
Here is some example output (once again, hosts changed to protect the innocent :-) ):

[root(2)@ironclad nmap-2.53+V]# ./nmap -sS -sV -FS xxxx.xxxxxx.xxx

Starting nmap V. 2.53 by fyodor () insecure org ( www.insecure.org/nmap/ )
Interesting ports on xxxx.xxxxxx.xxx (xxx.xxx.xxx.xxx):
(The 1036 ports scanned but not shown below are in state: closed)
Port       State       Service         Protocol    Version
21/tcp     open        ftp             FTP         wu-2.6.0(1)
22/tcp     open        ssh             SSH         1.99-2.0.13 (non-commercial)
23/tcp     open        telnet
25/tcp     open        smtp            SMTP        Sendmail 8.10.0/8.10.0
37/tcp     open        time
53/tcp     open        domain
80/tcp     open        http            HTTP        Apache/1.3.12 (Unix)
98/tcp     open        linuxconf
109/tcp    open        pop-2           POP2        v4.55
110/tcp    open        pop-3           POP3        v7.64
111/tcp    open        sunrpc
113/tcp    open        auth            AUTH
119/tcp    open        nntp            NNTP        INN 2.2.2
139/tcp    open        netbios-ssn
143/tcp    open        imap2           IMAP        WU IMAP4rev1 v12.264
443/tcp    open        https
465/tcp    open        smtps
567/tcp    open        banyan-rpc
587/tcp    open        submission      SMTP        Sendmail 8.10.0/8.10.0
993/tcp    open        imaps
995/tcp    open        pop3s
2401/tcp   open        cvspserver      CVS
5432/tcp   open        postgres        PostgreSQL
6667/tcp   open        irc             IRC         2.8/hybrid-5.3+TS4-rel1.0
8080/tcp   open        http-proxy      HTTP        Tomcat Web Server/3.1
8888/tcp   open        sun-answerbook  NetStreamer NrServer 0.17

Nmap run completed -- 1 IP address (1 host up) scanned in 102 seconds

[root(2)@ironclad nmap-2.53+V]# ./nmap -sS -sV -FV xxx.xxx.xxx.xx

Starting nmap V. 2.53 by fyodor () insecure org ( www.insecure.org/nmap/ )
Interesting ports on xxxxxxx.xxxxxxxxxxxxxxxxxxxx.xxx (xxx.xxx.xxx.xx):
(The 12 ports scanned but not shown below are in state: closed)
Port       State       Service         Protocol    Version
21/tcp     open        ftp             FTP         wu-2.5.0(1)
25/tcp     open        smtp            SMTP        Sendmail 8.9.3/8.9.3
80/tcp     open        http            HTTP        Apache/1.3.9 (Unix)
109/tcp    open        pop-2           POP2        v4.51
110/tcp    open        pop-3           POP3        v7.59
113/tcp    open        auth            AUTH
143/tcp    open        imap2           IMAP        WU IMAP4rev1 v12.250

Nmap run completed -- 1 IP address (1 host up) scanned in 17 seconds
[root(2)@ironclad nmap-2.53+V]#

Sincerely,
Jay Freeman (saurik)
saurik () saurik com <mailto:saurik () saurik com>
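The rule-driven detection the post describes (optionally send something, read N bytes, walk a list of regular expressions, report the protocol separately from the version, and fall back to a web-server probe on ports that are silent on connect) as an added worked example in Python. This is not saurik's code and not the nmap+V patch or its nmap-versions file: the probe rules, the banners, and the FakeConn/SocketConn classes are all constructed here for illustration. It also shows why the separation matters in practice: FTP and SMTP both greet with a 220 line, so the protocol keyword, not the status code, has to decide, and a banner the rules have never seen still yields "FTP" with no version rather than nothing.

```python
import re
import socket
from dataclasses import dataclass


# Every rule is compiled the same way: MULTILINE so ^ anchors each line of a
# multi-line greeting, DOTALL so .* may run across line breaks.
def _rx(pattern):
    return re.compile(pattern, re.MULTILINE | re.DOTALL)


@dataclass
class Probe:
    """One step of the rule file: optionally send, read N bytes, try matches in order."""
    name: str
    send: bytes     # b"" means: just listen for the server's greeting
    read: int
    matches: list   # (compiled regex, protocol); named group 'v' yields the version


HTTP_HEAD = b"HEAD / HTTP/1.0\r\n\r\n"

# Hypothetical rule set written for this example (not the real nmap-versions
# file). First match wins, so vendor-specific rules precede the generic rule
# for the same protocol; the generic rule names the protocol with no version.
PROBES = [
    Probe("greeting", b"", 128, [
        (_rx(r"^SSH-(?P<v>[^\r\n]+)"), "SSH"),
        (_rx(r"^220[ -].*\bE?SMTP\b.*?\b(?P<v>Sendmail [\d.]+(?:/[\d.]+)?)"), "SMTP"),
        (_rx(r"^220[ -].*\bE?SMTP\b"), "SMTP"),
        (_rx(r"^220[ -].*\bFTP\b.*\b(?P<v>wu-[\d.]+(?:\(\d+\))?)"), "FTP"),
        (_rx(r"^220[ -].*\bFTP\b"), "FTP"),
        (_rx(r"^\+OK\b.*\bPOP3\b.*?\b(?P<v>v[\d.]+)"), "POP3"),
        (_rx(r"^\* OK\b.*\b(?P<v>IMAP4rev1 v[\d.]+)"), "IMAP"),
    ]),
    # Fallback for ports that say nothing on connect: assume a web server and ask it.
    Probe("http", HTTP_HEAD, 512, [
        (_rx(r"^HTTP/1\.[01] \d{3}.*?^Server: (?P<v>[^\r\n]+)"), "HTTP"),
        (_rx(r"^HTTP/1\.[01] \d{3}"), "HTTP"),
    ]),
]


def identify(conn, probes=PROBES):
    """Walk the probe list; return (protocol, version), version None if not recognised."""
    for probe in probes:
        if probe.send:
            conn.send(probe.send)
        data = conn.recv(probe.read)
        if not data:
            continue                    # silent so far; move on to the next probe
        text = data.decode("latin-1")   # never raises, keeps one char per byte
        for rx, proto in probe.matches:
            m = rx.search(text)
            if m:
                return proto, m.groupdict().get("v")
    return "unknown", None


class FakeConn:
    """Stand-in for a TCP connection so the example runs offline (constructed)."""
    def __init__(self, greeting=b"", responses=None):
        self.buf = greeting             # bytes the server volunteers on connect
        self.responses = responses or {}  # request bytes -> reply bytes

    def send(self, data):
        self.buf += self.responses.get(data, b"")

    def recv(self, n):
        out, self.buf = self.buf[:n], self.buf[n:]
        return out


class SocketConn:
    """Real-socket adapter with the same two methods; the timeout keeps a silent port from hanging."""
    def __init__(self, host, port, timeout=3.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)

    def send(self, data):
        self.sock.sendall(data)

    def recv(self, n):
        try:
            return self.sock.recv(n)
        except socket.timeout:
            return b""


def run_demo():
    """Identify each constructed service; returns {port: (protocol, version)}."""
    services = {
        "21/tcp": FakeConn(b"220 ftp.example.test FTP server (Version wu-2.6.0(1) Fri Apr 28 2000) ready.\r\n"),
        "2121/tcp": FakeConn(b"220 ftp.example.test FTP server ready.\r\n"),   # FTP, vendor unknown
        "22/tcp": FakeConn(b"SSH-1.99-2.0.13 (non-commercial)\r\n"),
        "25/tcp": FakeConn(b"220 mail.example.test ESMTP Sendmail 8.10.0/8.10.0; Wed, 17 May 2000 03:19:41 -0500\r\n"),
        "110/tcp": FakeConn(b"+OK POP3 pop.example.test v7.64 server ready\r\n"),
        "143/tcp": FakeConn(b"* OK imap.example.test IMAP4rev1 v12.264 server ready\r\n"),
        # Web server on an odd port: silent on connect, answers the HEAD probe.
        "8080/tcp": FakeConn(b"", {HTTP_HEAD: b"HTTP/1.1 200 OK\r\nDate: Wed, 17 May 2000 08:19:41 GMT\r\n"
                                              b"Server: Apache/1.3.12 (Unix)\r\nContent-Type: text/html\r\n\r\n"}),
        "31337/tcp": FakeConn(),        # silent, and ignores the HEAD probe too
    }
    return {port: identify(conn) for port, conn in services.items()}


if __name__ == "__main__":
    for port, (proto, ver) in run_demo().items():
        print(f"{port:<10} {proto:<8} {ver or ''}")
```

Swap FakeConn for SocketConn(host, port) to run the same rules against a live port; everything else is unchanged, which is the point of keeping the rules as data rather than code. As the post warns, the HEAD fallback is an active probe and will show up in the target's logs.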
Current thread:
- nmap+V-2.0: (Partial) Protocol Auto-Detection !! Jay Freeman (saurik) (May 17)
- Re: nmap+V-2.0: (Partial) Protocol Auto-Detection !! Paulo Ribeiro (May 17)
- <Possible follow-ups>
- RE: nmap+V-2.0: (Partial) Protocol Auto-Detection !! Jay Freeman (saurik) (May 17)