Nmap Development mailing list archives
Re: nmap+V
From: H D Moore <hdm () secureaustin com>
Date: Thu, 24 Aug 2000 01:57:26 -0500
Paul Tod Rieger wrote:
> Fyodor <fyodor () insecure org> wrote:
>> What are others doing? Nessus has mentioned in various announcements that they detect services rather than rely on static port mapping. Has anyone looked into their approach? Sharing service detection mechanisms/scripts with Nessus or other scanners would be a plus.
>
> The syntax needs to be powerful enough to handle the vast majority of protocols. Ideally, it could even handle binary protocols like SMB.
There are some issues with this, namely DoS attacks caused by the 'detection' packets. An example is some wind0z3 SQL boxes that have port 6666 open, but if you make a connection to that port and send ASCII data, it crashes whatever service was listening on that port.

Some protocols are always in a specific state based on what data they have already received. What probe packets do you send to determine which service it is without inadvertently setting the daemon/service into a mode where it won't respond to the same string it would if that string were the first thing you sent? If this doesn't make sense, imagine a service like SMTP, where sending a specific string will put it into DATA mode, where it will accept anything. If you send a command to determine what version/type this service is and change the response of the service by doing so (no return code after SMTP is in data mode), then your detection routine is self-defeating.

What will your detection packets show in the system's log files? Invalid requests will normally be logged (an HTTP GET request to an unknown RPC port?).

While I agree that nmap+V is "nifty", I think it is pushing nmap in a direction that would be better handled via scripts/plugins/etc. Wouldn't a modularized plugin output/filtering/processing system make all of this a non-issue and allow people developing things like version and banner detection to do so without needing to "taint" core nmap development?

Most of the above doesn't apply to currently known services, but I think these are issues that need to be kept in mind while the infrastructure is still being designed.
> Nessus has "bind/version" and seems to do in-depth analysis of ftp and finger.
<offtopic> Nessus is a great "blanket" tool, but I feel that some things would be better accomplished by other tools and integrated. For instance, nessus has a plugin called nmap_wrapper which simply calls nmap and parses the results. What if you already did a long-painful-through-a-portsentried-firewall scan and would rather nessus use your scan logs? I have a rewritten wrapper which does that and will send a copy to anyone that wants it. Command-line nessus usage with it is broken due to the nessus preferences file being rebuilt with default settings when run that way, but GUI scans work great. Whisker should replace all of the cgi checks and SSL web/port detection/scanning is a place where it lacks the most. My solution was to use native perl ssl modules with a modified whisker and a nessus plugin which called whisker... </offtopic>
> As for version scanning with nmap, I'd like to see banner scanning as well. The regexp parsing leaves out too much information for me. For instance, I not only want to know what version of Sendmail is running but also the hostname and the date; not only what version of Apache is running but also where the root document is (another machine?), when was it last modified, and what exactly is that spammer trying to sell me. :-)
A 40Mb spam-correlating, linguistic-analyzing, banner-detecting nmap....
> (For my requirements, maybe rain.forest.puppy's "nmap stubs" in Perl would automate nmap (-O, -I, -sR), ftp, binfo, finger, and telnet 80 for me, but the http://www.angio.net/security/rfp link on http://www.insecure.org/nmap/ doesn't seem to work....)
http://www.wiretrip.net/rfp/

-HD

PS. I apologize for the ramble, sleep deprivation doing its worst...

http://www.digitaloffense.net/ (tools site)
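As an added example (not code from this thread, from nmap, or from Nessus), the Python sketch below puts the two points raised above side by side: a banner-first matcher that keeps the whole banner, so the hostname and date Paul asks for are not thrown away by the regexp, and a toy SMTP state machine showing why the order of detection probes matters once a daemon has been talked into DATA mode. Every banner, hostname, version string and the ToySMTP class are constructed for the demo; the regexes are illustrative and are not nmap's signature format.

```python
"""State-aware, banner-first service detection (added example, not code from
the thread, nmap or Nessus).  Banners, hostnames, versions and the ToySMTP
server are all constructed for the demo; the regexes are illustrative only."""
import re

# Constructed sample banners; every name and version here is invented.
SAMPLE_BANNERS = {
    "smtp": "220 mail.example.test ESMTP Sendmail 8.9.3/8.9.3; Thu, 24 Aug 2000 01:57:26 -0500\r\n",
    "ssh":  "SSH-1.5-OpenSSH-2.1.1\r\n",
    "ftp":  "220 ftp.example.test FTP server (Version wu-2.6.0) ready.\r\n",
    "silent": "",   # a service that says nothing until spoken to (HTTP, for instance)
}

# Passive signatures.  Each match returns named fields, but the raw banner is
# kept too, so the hostname and date Paul wants are not lost to the regexp.
BANNER_SIGNATURES = [
    ("smtp", re.compile(r"^220 (?P<host>\S+) .*Sendmail (?P<version>[\d.]+(?:/[\d.]+)?)")),
    ("ssh",  re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<version>\S+)")),
    ("ftp",  re.compile(r"^220 (?P<host>\S+) FTP server \(Version (?P<version>[^)]+)\)")),
]

# Active probes, used only when the port is silent.  A GET cannot change the
# state of anything that understands it, which is why it is safe to send first.
ACTIVE_PROBES = [
    ("http", "GET / HTTP/1.0\r\n\r\n",
     re.compile(r"^HTTP/1\.[01] (?P<status>\d{3})(?:(?:.*\r\n)*?Server: (?P<server>[^\r\n]+))?")),
]


def match_banner(banner):
    """Return (service, fields, raw_banner) for a recognised banner, else None."""
    for name, rx in BANNER_SIGNATURES:
        m = rx.match(banner)
        if m:
            return name, m.groupdict(), banner.rstrip("\r\n")
    return None


def identify(read_banner, send, probes=ACTIVE_PROBES):
    """Passive first: read whatever the service volunteers and match on that.
    Only a silent port gets probed, so a talkative-but-unknown service is never
    poked blindly (no crashed daemons, no 'invalid request' log lines).
    read_banner() and send(probe) are callables so the logic runs offline."""
    banner = read_banner()
    hit = match_banner(banner)
    if hit:
        return hit
    if banner:
        return None, {}, banner.rstrip("\r\n")
    for name, probe, rx in probes:
        reply = send(probe)
        m = rx.match(reply)
        if m:
            return name, m.groupdict(), reply.rstrip("\r\n")
    return None, {}, ""


class ToySMTP:
    """Simplified SMTP state machine (it skips MAIL/RCPT sequencing).  Once DATA
    is accepted every line is swallowed as message body until a lone '.', so a
    probe sent in that state gets no status code back at all: the trap HD describes."""

    def __init__(self):
        self.in_data = False

    def send(self, line):
        if self.in_data:
            if line.strip() == ".":
                self.in_data = False
                return "250 Message accepted\r\n"
            return ""                      # swallowed silently, no return code
        cmd = line.strip().upper()
        if cmd.startswith(("HELO", "EHLO")):
            return "250 mail.example.test\r\n"
        if cmd == "NOOP":
            return "250 OK\r\n"
        if cmd == "HELP":
            return "214 Commands: HELO EHLO MAIL RCPT DATA NOOP QUIT\r\n"
        if cmd == "DATA":
            self.in_data = True
            return "354 Enter mail, end with \".\" on a line by itself\r\n"
        return "500 Command unrecognized\r\n"


def probe_responses(probes):
    """Send probes in order to a fresh ToySMTP; return the status code each got
    back ('' when the server answered with nothing)."""
    srv = ToySMTP()
    return [srv.send(p + "\r\n").split(" ", 1)[0] for p in probes]


if __name__ == "__main__":
    print(identify(lambda: SAMPLE_BANNERS["smtp"], lambda p: ""))
    # The same HELP gets 214, then nothing, then 214 again: probe order matters.
    print(probe_responses(["HELP", "DATA", "HELP", ".", "HELP"]))
```

The design choice worth noting is that `identify` never sends anything to a port that has already spoken, even when the banner is unrecognised; a real scanner would follow up with protocol-specific, state-neutral probes (NOOP rather than DATA), but the passive-first ordering is what keeps both the DoS and the log-noise concerns above off the table for the services that announce themselves.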