Nmap Development mailing list archives

Nmap service detection, http 1.1


From: Jak0b <djgreiz () gmail com>
Date: Mon, 24 Nov 2008 17:47:50 +0100

Hi. I've been having some trouble running service detection on an
"Apache-Coyote/1.1" server.
The problem seems to have something to do with nmap's service detection
not supporting http 1.1, or not supporting it correctly.

A typical tcp stream from nmap might look like this:

---

GET / HTTP/1.0

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Connection: close
Content-Length: 606

<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD>
<BODY>
<FONT face="Helvetica">
<big><strong></strong></big><BR>

...(and so on)

---

Of course this isn't working, as nmap (in this particular case) seems
to be using http 1.0, while the server apparently requires http 1.1.

The service detection later fails. And my question is of course, does
nmap support http 1.1?
And if so, does it support it correctly or is it just this particular
server that
doesn't follow common standards?

Nmap output:

---

sudo nmap -PN -sV --version-all -p80 www.idg.se
Password:

Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-24 03:00 CET
Interesting ports on 213.132.126.26:
PORT   STATE SERVICE VERSION
80/tcp open  http?
1 service unrecognized despite returning data. If you know the
service/version, please submit the following fingerprint at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port80-TCP:V=4.76%I=9%D=11/24%Time=492A0ADD%P=x86_64-unknown-linux-gnu%
SF:r(GetRequest,30C,"HTTP/1\.1\x20403\x20Forbidden\r\nCache-Control:\x20no
SF:-cache\r\nPragma:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset
SF:=utf-8\r\nProxy-Connection:\x20close\r\nConnection:\x20close\r\nContent
SF:-Length:\x20606\r\n\r\n<HTML><HEAD>\n<TITLE>Access\x20Denied</TITLE>\n<
SF:/HEAD>\n<BODY>\n<FONT\x20face=\"Helvetica\">\n<big><strong></strong></b
SF:ig><BR>\n</FONT>\n<blockquote>\n<TABLE\x20border=0\x20cellPadding=1\x20
SF:width=\"80%\">\n<TR><TD>\n<FONT\x20face=\"Helvetica\">\n<big>Access\x20
SF:Denied\x20\(policy_denied\)</big>\n<BR>\n<BR>\n</FONT>\n</TD></TR>\n<TR
SF:><TD>\n<FONT\x20face=\"Helvetica\">\nYour\x20system\x20policy\x20has\x2
SF:0denied\x20access\x20to\x20the\x20requested\x20URL\.\n</FONT>\n</TD></T
SF:R>\n<TR><TD>\n<FONT\x20face=\"Helvetica\">\n\n</FONT>\n</TD></TR>\n<TR>
SF:<TD>\n<FONT\x20face=\"Helvetica\"\x20SIZE=2>\n<BR>\nFor\x20assistance,\
SF:x20contact\x20your\x20network\x20support\x20team\.\n</FONT>\n</TD></TR>
SF:\n</TABLE>\n</blockquote>\n</FONT>\n</BODY></HTML>\n")%r(FourOhFourRequ
SF:est,30C,"HTTP/1\.1\x20403\x20Forbidden\r\nCache-Control:\x20no-cache\r\
SF:nPragma:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\
SF:nProxy-Connection:\x20close\r\nConnection:\x20close\r\nContent-Length:\
SF:x20606\r\n\r\n<HTML><HEAD>\n<TITLE>Access\x20Denied</TITLE>\n</HEAD>\n<
SF:BODY>\n<FONT\x20face=\"Helvetica\">\n<big><strong></strong></big><BR>\n
SF:</FONT>\n<blockquote>\n<TABLE\x20border=0\x20cellPadding=1\x20width=\"8
SF:0%\">\n<TR><TD>\n<FONT\x20face=\"Helvetica\">\n<big>Access\x20Denied\x2
SF:0\(policy_denied\)</big>\n<BR>\n<BR>\n</FONT>\n</TD></TR>\n<TR><TD>\n<F
SF:ONT\x20face=\"Helvetica\">\nYour\x20system\x20policy\x20has\x20denied\x
SF:20access\x20to\x20the\x20requested\x20URL\.\n</FONT>\n</TD></TR>\n<TR><
SF:TD>\n<FONT\x20face=\"Helvetica\">\n\n</FONT>\n</TD></TR>\n<TR><TD>\n<FO
SF:NT\x20face=\"Helvetica\"\x20SIZE=2>\n<BR>\nFor\x20assistance,\x20contac
SF:t\x20your\x20network\x20support\x20team\.\n</FONT>\n</TD></TR>\n</TABLE
SF:>\n</blockquote>\n</FONT>\n</BODY></HTML>\n")%r(OfficeScan,316,"HTTP/1\
SF:.1\x20403\x20Forbidden\r\nCache-Control:\x20no-cache\r\nPragma:\x20no-c
SF:ache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nProxy-Connectio
SF:n:\x20Keep-Alive\r\nConnection:\x20Keep-Alive\r\nContent-Length:\x20606
SF:\r\n\r\n<HTML><HEAD>\n<TITLE>Access\x20Denied</TITLE>\n</HEAD>\n<BODY>\
SF:n<FONT\x20face=\"Helvetica\">\n<big><strong></strong></big><BR>\n</FONT
SF:>\n<blockquote>\n<TABLE\x20border=0\x20cellPadding=1\x20width=\"80%\">\
SF:n<TR><TD>\n<FONT\x20face=\"Helvetica\">\n<big>Access\x20Denied\x20\(pol
SF:icy_denied\)</big>\n<BR>\n<BR>\n</FONT>\n</TD></TR>\n<TR><TD>\n<FONT\x2
SF:0face=\"Helvetica\">\nYour\x20system\x20policy\x20has\x20denied\x20acce
SF:ss\x20to\x20the\x20requested\x20URL\.\n</FONT>\n</TD></TR>\n<TR><TD>\n<
SF:FONT\x20face=\"Helvetica\">\n\n</FONT>\n</TD></TR>\n<TR><TD>\n<FONT\x20
SF:face=\"Helvetica\"\x20SIZE=2>\n<BR>\nFor\x20assistance,\x20contact\x20y
SF:our\x20network\x20support\x20team\.\n</FONT>\n</TD></TR>\n</TABLE>\n</b
SF:lockquote>\n</FONT>\n</BODY></HTML>\n");

Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 220.55 seconds

---

Nmap version: 4.76
My os: Linux version 2.6.27-ARCH

Have fun!
/J

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
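
Added example, not part of the original post and not Nmap's own code: the `SF:` lines in the report above form one wrapped string holding, for each probe, its name, the reply length in hex and the escaped reply bytes. The Python below rejoins and decodes that string so the status line and headers returned to each probe can be compared side by side; the sample fingerprint is constructed and shortened, and the escape handling is an assumption inferred from the sequences visible in the report.

```python
import re

# Constructed, shortened fingerprint in the same layout as the report above.
SAMPLE = r'''SF-Port80-TCP:V=4.76%I=9%D=11/24%Time=492A0ADD%P=x86_64-unknown-linux-gnu%
SF:r(GetRequest,34,"HTTP/1\.1\x20403\x20Forbidden\r\nConnection:\x2
SF:0close\r\n\r\nDenied\n")%r(OfficeScan,39,"HTTP/1\.1\x20403\x20Forbidden\
SF:r\nConnection:\x20Keep-Alive\r\n\r\nDenied\n");
'''

_PROBE = re.compile(r'%r\(([^,]+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)', re.S)
_ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{2}|.)', re.S)
_NAMED = {"r": "\r", "n": "\n", "t": "\t", "0": "\0"}

def join_fingerprint(text):
    """Strip the SF-...: / SF: line prefixes and undo the line wrapping."""
    parts = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SF-"):
            parts.append(line.split(":", 1)[1])
        elif line.startswith("SF:"):
            parts.append(line[3:])
    return "".join(parts)

def unescape(body):
    r"""Turn \xHH, \r, \n, \t, \0 and backslash-quoted punctuation into bytes."""
    def repl(m):
        tok = m.group(1)
        if len(tok) == 3:              # xHH: one byte given in hex
            return chr(int(tok[1:], 16))
        return _NAMED.get(tok, tok)    # \. \( \" \\ -> the literal character
    return _ESCAPE.sub(repl, body).encode("latin-1")

def parse_fingerprint(text):
    """Return one dict per probe: name, lengths, status line and headers."""
    results = []
    for name, hexlen, body in _PROBE.findall(join_fingerprint(text)):
        raw = unescape(body)
        head = raw.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
        headers = dict(h.split(": ", 1) for h in head[1:] if ": " in h)
        results.append({"probe": name, "declared_len": int(hexlen, 16),
                        "decoded_len": len(raw), "status_line": head[0],
                        "headers": headers})
    return results

if __name__ == "__main__":
    for r in parse_fingerprint(SAMPLE):
        print(r["probe"], r["declared_len"], r["status_line"], r["headers"])
```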

