Nmap Development mailing list archives
Re: Nessus Service Detection
From: "Alek O. Komarnitsky (N-CSC)" <alek () ast lmco com>
Date: Thu, 24 Aug 2000 06:36:03 -0600 (MDT)
From: Fyodor <fyodor () insecure org>
Subject: Nessus Service Detection
To: nmap-dev () insecure org

Paul Tod Rieger mentioned that Nessus saves service info in Service/* keys so I grepped Nessus source for Service/www to find out where detection occurs. It is done by one of the plugins (find_service.c). Looking at the code, all it does is send an HTTP "GET" request to the server and detects the service based on the response/error code. This seems pretty crude and certainly won't handle all services, but one has to admit that he can detect an impressive # of common services with this one test. Here is what he does with the "GET" results:

  if(!strncmp(line, "http/1.", 7))
    mark_http_server(desc, port, buffer);

  if(((u_char)buffer[0]==255) && ((u_char)buffer[1]==253))
    mark_telnet_server(desc, port, line);
  else if(strstr(line, "smtp"))
    mark_smtp_server(desc, port, buffer);
  else if(strstr(buffer, "rmserver")||strstr(buffer, "realserver"))
    mark_rmserver(desc, port, line);
  else if(strstr(line, "ftp") && !strncmp(line, "220", 3))
    mark_ftp_server(desc, port, line);
  else if(strstr(line, "ssh-"))
    mark_ssh_server(desc, port, line);
  else if(strstr(line, "+ok"))
    mark_pop_server(desc, port, line);
  else if(strstr(line, "* ok imap4"))
    mark_imap_server(desc, port, line);
  else if(strstr(line, "inn ")||strstr(line, "posting OK"))
    mark_nntp_server(desc, port, line);
  else if(strstr(buffer, "networking/linuxconf"))
    mark_linuxconf(desc, port, line);
  else if(strstr(buffer, "www-authenticate: basic realm=\"swat\""))
    mark_swat_server(desc, port, line);
  else if(strstr(buffer, "vqServer") && strstr(buffer, "www-authenticate: basic realm=/"))
    mark_vqserver(desc,port, line);
  else if(strstr(buffer, "get: command not found"))
    mark_wild_shell(desc, port, line);
  else if(strstr(buffer, "netbus"))
    mark_netbus_server(desc, port, line);
  else if(strstr(line, "0 , 0 : error : unknown-error"))
    mark_auth_server(desc, port, line);
  else if(strstr(line, "http")&&strstr(buffer, "cache")&& strstr(line, "bad request"))
    mark_http_proxy(desc, port, line);
  else
    unknown[num_unknown++] = port;

This approach is worth considering, but I really worry that such a thing would become unmaintainable when you expand it to many dozens of services covering hundreds or thousands of daemons that implement them. But it is a simple solution that might be able to handle a large fraction of the popular TCP ports. Still, I really liked the way Saurik isolated his Nmap+V detection in a config file.

Cheers,
Fyodor
FYI FWIW: nmap-web has some (very crude) version detection and in most cases, it simply reads a packet. In a few cases, it actually sends something (GET for httpd, quit for sendmail to be "nice", etc.). Because it is written in Perl, it was pretty easy to have "stub" routines for each port/service that "do" the right thing ... but it mostly looks for services on "standard" ports rather than being more exhaustive. However, this functionality has been incredibly useful to me in terms of assessing what is running on our 1,000+ node network, what needs to be upgraded, etc.

I'd suggest that there aren't "that many" ports/services that are truly of interest ... and some simple tests similar to what is done above would provide useful information w/o much overhead. Trying to be all inclusive could result in major bloatware ... but I realize that there will always be another service that someone says they "gotta" have! ;-)

I also like the isolation of the challenge/response strings into a config file since this makes it REALLY easy to tweak/add stuff if I want to (assuming I'm willing to learn the syntax).

My two cents,
alek

P.S. BTW, I'm assuming there are some sort of timeouts imposed upon the socket reads (or any writes) ... you want the program to run FAST and not get hung up on ports that are open, but don't actually give you any information. However, I've had stuff such as ssh be a bit slow ... so it's timed out on nmap-web queries when there was actually something available there. So it's probably a good idea to have this as either an option in the versions config file and/or settable on the command line (as other timeout options are now).

PPS. The daytime (13) service (or you could use date) turns out to be kinda useful ... super-duper quick way to determine date/times on all of your machines ... and see which ones are outa whack.
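As an added example (not Nessus or Nmap code, and not from either message above): the banner checks from find_service.c expressed as a data table, as the thread suggests, plus a bounded read so an open-but-silent port cannot hang the scan. The signature rows, the probe string and the sample banners are constructed for illustration.

```python
import socket

# Constructed signature table: one row per service in place of the if/else
# chain in find_service.c. Fields: service name, prefix the lowercased banner
# must start with (b"" = no prefix rule), and substrings that must all appear.
# First matching row wins, so the more specific proxy row precedes plain http.
SIGNATURES = [
    ("telnet",     b"\xff\xfd", ()),                                 # IAC DO negotiation
    ("http-proxy", b"",         (b"http", b"cache", b"bad request")),
    ("http",       b"http/1.",  ()),
    ("ssh",        b"ssh-",     ()),
    ("ftp",        b"220",      (b"ftp",)),
    ("smtp",       b"",         (b"smtp",)),
    ("pop3",       b"",         (b"+ok",)),
    ("imap",       b"",         (b"* ok imap4",)),
]

def classify(banner: bytes) -> str:
    """Map a raw banner to a service name via SIGNATURES; 'unknown' if nothing matches."""
    low = banner.lower()           # bytes.lower() touches ASCII only, so 0xFF 0xFD survive
    for service, prefix, needles in SIGNATURES:
        if prefix and not low.startswith(prefix):
            continue
        if all(n in low for n in needles):
            return service
    return "unknown"

def grab_banner(host: str, port: int, timeout: float = 3.0,
                probe: bytes = b"GET / HTTP/1.0\r\n\r\n") -> bytes:
    """Send the GET probe and read one reply; every connect/recv is bounded by
    timeout, so a port that accepts but never answers costs at most that long."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)  # bound each recv, not only the connect
            s.sendall(probe)
            return s.recv(1024)
    except OSError:                # refused, reset or timed out (socket.timeout is an OSError)
        return b""

def scan(host: str, ports) -> dict:
    """Like the unknown[] bookkeeping in find_service.c, but as a port -> service map."""
    return {p: classify(grab_banner(host, p)) for p in ports}

if __name__ == "__main__":
    # Constructed banners, so this runs offline; swap in scan("127.0.0.1", [22, 80]) for a live host.
    for sample in (b"SSH-1.99-OpenSSH_2.1.1\r\n", b"220 mail.example.test ESMTP ready\r\n", b""):
        print(repr(sample), "->", classify(sample))
```

The table form also makes the timeout and signatures candidates for an external config file, which is the maintainability point raised in both messages.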
---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).