Nmap Development mailing list archives
Re: Harnessing Service Discovery
From: Toni Ruottu <toni.ruottu () iki fi>
Date: Thu, 27 Nov 2008 06:28:52 +0200
On Wed, 2008-11-26 at 16:05 -0700, David Fifield wrote:
> On Mon, Nov 24, 2008 at 08:18:19PM +0200, Toni Ruottu wrote:
> > The technologies can also be combined to improve port scanners. Port
> > scanners can use service discovery as a source of information regarding
> > open ports. In some cases a port scanner could avoid sending any packages,
> > if a discovery service already revealed enough information regarding the
> > interesting ports. Service discovery can also be used to get a list of
> > target hosts/ports to scan. In a local network, port scanning the
> > advertised hosts could be used to verify that the services are actually
> > running, while in a foreign network, the advertisements might reveal
> > interesting nodes to scan (or honey pots used for port scan detection!).
> >
> > To get my hands dirty on the subject, I wrote a simple script which uses
> > the Avahi Bonjour implementation to produce an Nmap-compatible XML file
> > that can be opened in Zenmap for inspection. I have attached the script to
> > this email for your convenience, but I also created a Bazaar repository on
> > Launchpad.net for those of you who'd prefer getting a branch instead.
>
> Hi Toni. This is a neat idea. I checked out your branch and ran the
> program. There's a Mac OS X host on the local LAN. I attached the
> resulting bonmap-david.xml.

Looking at it now.

> It found ports 22 and 5900 on the Mac, but missed 88 which was also open.

There is no guarantee of finding every open port. Only the advertised ones.

> The local host is not running any kind of Zeroconf but port 9 on localhost
> was marked up, which it is not.

Many hosts seem to be advertising port 9. Port 9 is reserved for the discard
service, which is probably the most simple protocol running on top of TCP and
UDP (see RFC863 [1]). However, I have seen none of the hosts actually
implementing the protocol. Maybe it would be appropriate for Bonmap to filter
out all results regarding port 9 and use that data only to mark that the host
is up when no other ports were discovered.

[1] http://www.faqs.org/rfcs/rfc863.html

(btw: If you installed Avahi, you are running Zeroconf by now. ;-)

> (I noticed the output doesn't differentiate TCP and UDP ports. Is that
> information available?)

No, it is not. I think this is simply because port numbers are assigned to
services without differentiating between different transports. It is then up
to the service to decide whether it wants to use TCP, UDP or both. It would be
possible to build a database which lists the transports certain services
typically use and rely on that information for the scan.

> This technique of an external program generating Nmap XML can be very
> powerful when combined with Zenmap's scan aggregation. You could do a
> normal port scan and then supplement the results by loading a Bonmap file.

I have to try that out. I was hoping people would be creative.

> This is an interesting area of study. I admit to being almost totally
> ignorant about Zeroconf/Bonjour/Avahi, but networks are changing all the
> time so we'll need tools to deal with all the new developments.

Indeed :-)

--Toni

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
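Added example (not Toni's Bonmap script and not attached to the thread) of the idea discussed above: a constructed list of DNS-SD advertisements is turned into a minimal Nmap XML document, a host that only advertises port 9 is marked up with no ports (Toni's proposed filter), and the transport is defaulted to TCP because, as the thread notes, the advertisement does not carry it. The `ADVERTISEMENTS` data and the `reason` strings are made up for the example; the element and attribute names are those of the real Nmap XML format.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what a DNS-SD browse might return (a real tool would
# ask Avahi): (hostname, ip, advertised port, DNS-SD service type).
ADVERTISEMENTS = [
    ("mac.local", "192.168.1.10", 22, "_ssh._tcp"),
    ("mac.local", "192.168.1.10", 5900, "_rfb._tcp"),
    ("mac.local", "192.168.1.10", 9, "_workstation._tcp"),
    ("laptop.local", "192.168.1.11", 9, "_workstation._tcp"),  # port 9 only
]

# Port 9 (discard) is advertised by many hosts but, per the thread, never
# actually served: use it only as a "host is up" hint, never as an open port.
IGNORED_PORTS = {9}


def service_name(dnssd_type):
    """'_ssh._tcp' -> 'ssh'. The suffix is a naming convention, not proof of
    the transport actually used, so it is not trusted for the protocol field."""
    return dnssd_type.split(".")[0].lstrip("_")


def build_nmap_xml(advertisements):
    """Emit a minimal Nmap-format XML string from advertised services.
    Absence of a port means 'not advertised', not 'closed'."""
    root = ET.Element("nmaprun", scanner="bonmap-example", version="0.1")
    hosts = {}
    for name, ip, port, stype in advertisements:
        hosts.setdefault((name, ip), {})[port] = stype  # dedupe per host
    for (name, ip), ports in sorted(hosts.items()):
        host = ET.SubElement(root, "host")
        # Any advertisement (even port 9 alone) is evidence the host is up.
        ET.SubElement(host, "status", state="up", reason="dns-sd")
        ET.SubElement(host, "address", addr=ip, addrtype="ipv4")
        names = ET.SubElement(host, "hostnames")
        ET.SubElement(names, "hostname", name=name, type="user")
        ports_el = ET.SubElement(host, "ports")
        for port, stype in sorted(ports.items()):
            if port in IGNORED_PORTS:
                continue
            # Assumption: "tcp" is a default, since the advertisement gives no
            # transport; a service may really be UDP, TCP or both.
            p = ET.SubElement(ports_el, "port", protocol="tcp", portid=str(port))
            ET.SubElement(p, "state", state="open", reason="dns-sd")
            ET.SubElement(p, "service", name=service_name(stype), conf="3")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_nmap_xml(ADVERTISEMENTS))
```

Loading the output alongside a real Nmap scan in Zenmap then lets the advertised ports be compared with the probed ones, which is exactly how the missed port 88 above would show up.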