Nmap Development mailing list archives
RE: Nmap Service Detection Proposal
From: "Jay Freeman \(saurik\)" <saurik () saurik com>
Date: Mon, 28 Aug 2000 03:36:17 -0500
Fyodor:

I've been rethinking it over, and I am starting to see an advantage to having a scan that just looks for service, as you are mentioning. This would allow further scans that look for product and version to work on all of the ports that we already know the base protocol for.... I think I am going to move nmap+V in that direction for the next version. The file formats for the two files should end up being much easier to deal with at that point.

The biggest obstacle I see actually comes from the aforementioned "220". SMTP servers also return codes starting with 220. You definitely have to do extended queries to make sure of that. You _could_ get the first line, see if it had 220 in it, then check for SMTP, and if it didn't have it assume it was an FTP site... then you get into looking for error codes as well....

I'm going to try a single file format that solves all the problems at once before I start splitting it into a second file, as if I can do that it is definitely going to require less redundancy in protocol checks (even if the file feels more cluttered).

Sincerely,
Jay Freeman (saurik)
saurik () saurik com

-----Original Message-----
From: Jay Freeman (saurik) [mailto:saurik () saurik com]
Sent: Sunday, August 27, 2000 10:57 AM
To: Fyodor
Cc: Nmap-Dev
Subject: RE: Nmap Service Detection Proposal

Fyodor:

<.../>

Jumping: What if I connect to a port, send GET /, and then WHAM, I realize it is some server I know about. Instead of trying a bunch of different scans, I can now immediately skip to detecting that server. BUT, I might have just totally lost the ability to get the version by sending a GET /, as the server might go into an error or quit state after getting undefined information.
I would then want to disconnect and reconnect to the server to

Sincerely,
Jay Freeman (saurik)
saurik () saurik com

-----Original Message-----
From: Fyodor [mailto:fyodor () insecure org]
Sent: Sunday, August 27, 2000 5:09 AM
To: Jay Freeman (saurik)
Cc: Nmap-Dev
Subject: RE: Nmap Service Detection Proposal

On Sun, 27 Aug 2000, Jay Freeman (saurik) wrote:

> <.../>
> I'm going to sit down sometime tomorrow (assuming I have some time, I think I do... have to work on a document with my partner, but that shouldn't take _that_ long) and think of different ways to handle the jumping issues (if we think it's HTTP, and fail, but now know it is some other protocol, but have to start over again, we know what kind of connection to jump to), and ways of using the ports for sorting help without being locked in by them at the same time.

I'm not sure I understand the need to jump. With my latest proposal, the idea is:

1) find port XX open
2) execute the probe(s) which registered that port (possibly in parallel)
3) If the registered probes fail, execute the other tests (possibly in parallel) until one succeeds.

Could you give examples of cases where you think jumping would be a big help?

> A few issues that need to be dealt with, however, are stuff like timeouts. Some services are just slower than others. I noticed this while building
> [ ... ]
> 4 seconds I am going to get a reply, an example (I think, was a while ago) was sending a HELP command to a mail server to get more accurate/further version information

Well, this particular case wouldn't be necessary if you were only looking for service type (and not version info). But you are probably right that some services may take particularly long even for the initial response we need for service-detection. If we need it, adding an optional timeout attribute to the probe line should not be a problem.

<.../>

Cheers,
-F

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
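To make the matching scheme discussed in this thread concrete (probes registered for a port run first, the rest are tried as a fallback, each probe carries its own timeout, and an ambiguous "220" greeting is settled by an extended query rather than the first line), here is an added example in Python; it is not code from nmap or nmap+V, and every name, probe string and canned server reply in it is a constructed assumption of this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed model of the three-step scheme from the thread: run the probes
# registered for the port first, then every other probe until one matches.
# Names and probe strings are this example's own assumptions, not nmap's format.
Responder = Callable[[Optional[str], float], Optional[str]]  # (query, timeout) -> reply

@dataclass
class Probe:
    service: str
    ports: List[int]               # ports this probe is registered for
    query: Optional[str]           # None means "just read the greeting"
    matches: Callable[[str], bool]
    timeout: float = 2.0           # the optional per-probe timeout attribute

def detect(port: int, server: Responder, probes: List[Probe]) -> Optional[str]:
    """Registered probes first, then fall back to all the others."""
    registered = [p for p in probes if port in p.ports]
    others = [p for p in probes if port not in p.ports]
    for probe in registered + others:
        reply = server(probe.query, probe.timeout)
        if reply is not None and probe.matches(reply):  # None = timed out
            return probe.service
    return None

def make_server(greeting: str, replies: Dict[str, str], delay: float = 0.0) -> Responder:
    """Constructed stand-in for a listening service; nothing touches the network."""
    def respond(query: Optional[str], timeout: float) -> Optional[str]:
        if delay > timeout:             # slow service: the probe gives up
            return None
        if query is None:
            return greeting
        return replies.get(query.split()[0], "500 command unrecognised")
    return respond

# A bare "220" greeting is ambiguous (FTP and SMTP both send one), so instead of
# trusting the first line each probe sends an extended query and matches on the
# reply to that, as the thread suggests.
PROBES = [
    Probe("smtp", [25], "EHLO probe.invalid", lambda r: r.startswith("250")),
    Probe("ftp", [21], "SYST", lambda r: r.startswith("215")),
    Probe("http", [80], "GET / HTTP/1.0\r\n\r\n", lambda r: r.startswith("HTTP/")),
]

# Constructed services: the two 220 greetings look alike until queried.
SMTP_SERVER = make_server("220 mail.example ESMTP", {"EHLO": "250 mail.example"})
FTP_SERVER = make_server("220 ftp.example FTP server ready", {"SYST": "215 UNIX Type: L8"})
SLOW_HTTP = make_server("", {"GET": "HTTP/1.0 200 OK"}, delay=5.0)
```

An FTP daemon sitting on port 25 is found by the fallback probes after the registered SMTP probe fails, and the slow HTTP service is only identified once the probe's timeout attribute is raised above its delay.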