Nmap Development mailing list archives

Re: Nessus Service Detection


From: "Alek O. Komarnitsky (N-CSC)" <alek () ast lmco com>
Date: Thu, 24 Aug 2000 06:36:03 -0600 (MDT)

From: Fyodor <fyodor () insecure org>
Subject: Nessus Service Detection
To: nmap-dev () insecure org

Paul Tod Rieger mentioned that Nessus saves service info in Service/* keys
so I grepped Nessus source for Service/www to find out where detection
occurs.  It is done by one of the plugins (find_service.c).  Looking at
the code, all it does is send an HTTP "GET" request to the server and
detects the service based on the response/error code.  This seems pretty
crude and certainly won't handle all services, but one has to admit that
he can detect an impressive # of common services with this one test.  Here
is what he does with the "GET" results:

if(!strncmp(line, "http/1.", 7))
    mark_http_server(desc, port, buffer);

if(((u_char)buffer[0]==255) && ((u_char)buffer[1]==253))
    mark_telnet_server(desc, port, line);
else if(strstr(line, "smtp"))
    mark_smtp_server(desc, port, buffer);
else if(strstr(buffer, "rmserver")||strstr(buffer, "realserver"))
    mark_rmserver(desc, port, line);
else if(strstr(line, "ftp") && !strncmp(line, "220", 3))
    mark_ftp_server(desc, port, line);
else if(strstr(line, "ssh-"))
    mark_ssh_server(desc, port, line);
else if(strstr(line, "+ok"))
    mark_pop_server(desc, port, line);
else if(strstr(line, "* ok imap4"))
    mark_imap_server(desc, port, line);
else if(strstr(line, "inn ")||strstr(line, "posting OK"))
    mark_nntp_server(desc, port, line);
else if(strstr(buffer, "networking/linuxconf"))
    mark_linuxconf(desc, port, line);
else if(strstr(buffer, "www-authenticate: basic realm=\"swat\""))
    mark_swat_server(desc, port, line);
else if(strstr(buffer, "vqServer") &&
        strstr(buffer, "www-authenticate: basic realm=/"))
    mark_vqserver(desc, port, line);
else if(strstr(buffer, "get: command not found"))
    mark_wild_shell(desc, port, line);
else if(strstr(buffer, "netbus"))
    mark_netbus_server(desc, port, line);
else if(strstr(line, "0 , 0 : error : unknown-error"))
    mark_auth_server(desc, port, line);
else if(strstr(line, "http")&&strstr(buffer, "cache")&&
        strstr(line, "bad request"))
    mark_http_proxy(desc, port, line);
else unknown[num_unknown++] = port;


This approach is worth considering, but I really worry that such a thing
would become unmaintainable when you expand it to many dozens of services
covering hundreds or thousands of daemons that implement them.  But it is
a simple solution that might be able to handle a large fraction of the
popular TCP ports.  Still, I really liked the way Saurik isolated his
Nmap+V detection in a config file.

Cheers,
Fyodor


FYI FWIW: nmap-web has some (very crude) version detection and
in most cases, it simply reads a packet. In a few cases, it actually
sends something (GET for httpd, quit for sendmail to be "nice", etc.).
Because it is written in Perl, it was pretty easy to have "stub" routines
for each port/service that "do" the right thing ... but it mostly looks
for services on "standard" ports rather than being more exhaustive.
However, this functionality has been incredibly useful to me in terms
of assessing what is running on our 1,000+ node network, what needs
to be upgraded, etc.

I'd suggest that there aren't "that many" ports/services that
are truly of interest ... and some simple tests similar to what
is done above would provide useful information w/o much overhead.
Trying to be all inclusive could result in major bloatware ...
but I realize that there will always be another service that
someone says they "gotta" have!   ;-)

I also like the isolation of the challenge/response strings into
a config file since this makes it REALLY easy to tweak/add stuff
if I want to (assuming I'm willing to learn the syntax).

My two cents,
alek

P.S. BTW, I'm assuming there are some sort of timeouts imposed
upon the socket reads (or any writes) ... you want the program
to run FAST and not get hung up on ports that are open, but don't
actually give you any information. However, I've had stuff such as
ssh be a bit slow ... so it timed out on nmap-web queries when there
was actually something available there. So it's probably a good idea to have
this as either an option in the versions config file and/or settable
on the command line (as other timeout options are now).

P.P.S. The daytime (13) service (or you could use date) turns out
to be kinda useful ... super-duper quick way to determine date/times
on all of your machines ... and see which ones are outa whack.
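As an added illustration (not code from the thread, Nessus, nmap-web or Nmap+V) of the config-file approach both posts prefer over a hard-coded if/else chain, the following Python moves the find_service.c checks quoted above into a small rule table and matches probe responses against it in order. It assumes, as the lowercase patterns in the Nessus code suggest, that matching runs on a lowercased copy of the banner; the rule format, the sample banners and all names are constructed for this example.

```python
import re

# Constructed stand-in for a "versions config file": one "service|how|pattern"
# rule per line, tried top to bottom like the if/else chain from find_service.c.
# "hex" compares raw leading bytes; the rest match a lowercased banner (assumed).
CONFIG = """\
telnet|hex|fffd
http|prefix|http/1.
smtp|contains|smtp
ftp|regex|^220 .*ftp
ssh|contains|ssh-
imap|contains|* ok imap4
nntp|regex|inn |posting ok
wild-shell|contains|get: command not found
"""

MATCHERS = {
    "hex": lambda raw, low, pat: raw.startswith(pat),
    "prefix": lambda raw, low, pat: low.startswith(pat),
    "contains": lambda raw, low, pat: pat in low,
    "regex": lambda raw, low, pat: pat.search(low) is not None,
}

def load_rules(text):
    rules = []
    for entry in text.strip().splitlines():
        service, how, pattern = entry.split("|", 2)
        if how == "hex":
            pattern = bytes.fromhex(pattern)
        elif how == "regex":
            pattern = re.compile(pattern, re.S)
        rules.append((service, how, pattern))
    return rules

def classify(banner, rules):
    # Label a probe response with the first matching rule, else "unknown".
    low = banner.decode("latin-1").lower()
    for service, how, pat in rules:
        if MATCHERS[how](banner, low, pat):
            return service
    return "unknown"

SAMPLES = {  # constructed responses to a "GET" probe -> expected label
    b"\xff\xfd\x18\xff\xfd ": "telnet",
    b"HTTP/1.0 400 Bad Request\r\n": "http",
    b"220 ftp.example.test FTP server ready\r\n": "ftp",
    b"bash: GET: command not found\n": "wild-shell",
    b"\r\n": "unknown",
}

def check_samples(rules):
    return {b: classify(b, rules) for b in SAMPLES}
```

Adding a service is a one-line change to CONFIG rather than a new branch in C, which is the maintainability point Fyodor raises.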

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
