Nmap Development mailing list archives
Re: does nmap already do this?
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 16 Aug 2008 00:57:44 +0000
Hey Mike, your email came in somewhat mangled for me but I've tried to reply below.

On Sat, 16 Aug 2008 00:46:26 +0000 mike <dmciscobgp () hotmail com> wrote:
> Hello, I was scanning with nmap today and noticed something that could possibly be added (unless it already is somewhere and I don't see it): why not include in the output after a scan, in the nmap-services output section, the name of the actual EXE/application that created the socket? I was scanning the machine my roommate has upstairs and I found these items:
>
> 1025/tcp open unknown syn-ack
> 6646/tcp open Mcafee-Network-Agent syn-ack
> 9485/tcp open DISCover-Stream-Hub syn-ack
>
> Now I already realize the TCP port 1025 is an RPC-based service that needs querying, which nmap does not support for Windows at the moment. The other services are what I want you to look at. It is a Hewlett-Packard machine. I actually went upstairs and did a verification of what applications actually created these sockets by doing a simple taskmgr dump. I simply added those service names to the file "nmap-services". What I wanted to show you was an application path example. Here is the one for DISCover Stream Hub:
>
> Application: C:\Program Files\DISC\DiscStreamHub.exe
> Parent: C:\Program Files\DISC\DISCover.exe
> Protocol: TCP In
> Destination: 0.0.0.0::9485
>
> Now I don't want nmap to clutter the output after a scan with EVERYTHING! I simply feel it would be quite nice to have the name of the application or path that created the listening socket. Anyone agree? I am not the coder here, so I am simply throwing out the idea to you guys. Think about it. If you had the exact name of the path and what opened the socket, you could go right into trying to run your exploits or whatever else you care to use. It takes the guesswork out of a lot of things. As far as how these application paths would be added to nmap, I simply recommend we add them to a database just like any other way we submit things here. OK, I did my part. The idea is out there, so embrace it or shoot it down. Thank you, Mike
If I understand what you're saying, you weren't using -sV or -A. It sounds like you did a scan and Nmap mapped the port numbers to service names via the nmap-services file.

Nmap has a "version scan" option that you can enable by using -sV. In this mode, Nmap connects to each open port, sends a series of probes, and tries to determine what application has that port open. In your case you might get matches, you might get unknown service fingerprints (submit those!) or you might not get any output (unknown service). We always want to improve service fingerprinting by adding more probes and matches so any help there will be much appreciated.

As for including the actual executable name... for the most part that is a dangerous thing to do. Vendors often change names, paths, get bought by other companies, etc. The underlying protocol and port though rarely changes. Suppose we saw port 6881 open. Should we say bittorrent.exe? Azureus.exe? java.exe? Often there is no way to determine the "correct" executable name and assuming that it will stay static from version to version is a mistake.

If I'm completely off-base with this email or didn't understand what you're suggesting feel free to reply to the list and say so. I'd like to fully flesh out your idea.

Brandon
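As an added illustration of the probe-and-match step of version scanning that Brandon describes (this is example code, not code from the thread or from Nmap itself): a small Python matcher that parses constructed rules written in the syntax of Nmap's nmap-service-probes `match` lines, applies them to constructed banners, and reports the protocol, product and version it can infer from the response. It returns `None` for an unknown fingerprint, and by design it never names an executable, since the banner only evidences the protocol and product.

```python
import re

# Constructed rules in the syntax of Nmap's nmap-service-probes "match"
# lines (simplified for this example, not copied from the real file).
MATCH_LINES = [
    r"match http m|^HTTP/1\.[01] \d\d\d[^\r\n]*\r\nServer: Apache/([\d.]+)| p/Apache httpd/ v/$1/",
    r"match ssh m|^SSH-2\.0-OpenSSH_([\w.]+)| p/OpenSSH/ v/$1/",
    r"match ftp m|^220 ProFTPD ([\d.]+) Server| p/ProFTPD/ v/$1/",
]

# match <service> m<delim><regex><delim>[flags] [p/product/ v/version/ i/info/]
LINE_RE = re.compile(r"^match (\S+) m(.)(.*?)\2([is]*)\s*(.*)$")
FIELD_RE = re.compile(r"([pvi])/([^/]*)/")
FLAG_MAP = {"i": re.IGNORECASE, "s": re.DOTALL}


def parse_match_line(line):
    """Turn one match line into (service, compiled regex, versioninfo fields)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a match line: %r" % line)
    service, _delim, pattern, flags, rest = m.groups()
    re_flags = 0
    for f in flags:
        re_flags |= FLAG_MAP[f]
    fields = dict(FIELD_RE.findall(rest))  # e.g. {'p': 'OpenSSH', 'v': '$1'}
    return service, re.compile(pattern, re_flags), fields


RULES = [parse_match_line(l) for l in MATCH_LINES]


def fingerprint(banner, rules=RULES):
    """Return {'service', 'product', 'version'} for the first rule whose
    regex matches the banner, or None for an unknown service fingerprint."""
    for service, regex, fields in rules:
        m = regex.search(banner)
        if not m:
            continue

        # Nmap's versioninfo templates refer to capture groups as $1, $2, ...
        def fill(tpl):
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", tpl)

        return {"service": service,
                "product": fill(fields.get("p", "")),
                "version": fill(fields.get("v", ""))}
    return None
```

Feeding it a banner such as `"SSH-2.0-OpenSSH_5.1p1 Debian-3\r\n"` yields OpenSSH 5.1p1 on service ssh, while an unrecognised response yields `None`, which is the case where a real scan would print an unknown fingerprint worth submitting.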