Nmap Development mailing list archives
Re: [NSE][PATCH] OpenSSL bindings for NSE
From: Sven Klemm <sven () c3d2 de>
Date: Fri, 28 Nov 2008 10:49:43 +0100
Hi v4lkyrius,
> I first noticed this in auth.log when I got port scanned by a friend a
> while back. My firewall rules have reflected this observation ever since.
> Defeats the purpose of nmap, does it not? For example:
>
> pluto: # nmap -A -p 22 localhost
>
> Starting Nmap 4.60 ( http://nmap.org ) at 2008-11-26 06:05 EST
> Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
> Interesting ports on localhost (127.0.0.1):
> PORT   STATE SERVICE VERSION
> 22/tcp open  ssh     OpenSSH 5.0 (protocol 2.0)
> Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
> Device type: general purpose
> Running: Linux 2.6.X
> OS details: Linux 2.6.17 - 2.6.24
> Uptime: 0.217 days (since Wed Nov 26 00:52:52 2008)
> Network Distance: 0 hops
>
> OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 1.360 seconds
>
> pluto:/var/log # tail messages | grep sshd
> Nov 26 06:05:29 pluto sshd[7947]: Did not receive identification string from 127.0.0.1
> Nov 26 06:05:30 pluto sshd[7951]: Protocol major versions differ for 127.0.0.1: SSH-2.0-OpenSSH_5.0 vs. SSH-1.5-NmapNSE_1.0
>
> pluto:/ # iptables -I INPUT -p tcp -m string --string "NmapNSE" --algo bm -j DROP
> pluto:/ # iptables -I INPUT -p tcp -m string --string "NmapNSE" --algo bm -j LOG --log-prefix "n00b nmap scan: "
>
> pluto:/ # nmap -A -p22 localhost
>
> Starting Nmap 4.60 ( http://nmap.org ) at 2008-11-26 06:08 EST
> Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
> ^C
>
> pluto:/var/log # grep n00b firewall | tail -1
> Nov 26 06:08:35 pluto kernel: n00b nmap scan: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=6129 DF PROTO=TCP SPT=27995 DPT=22 WINDOW=257 RES=0x00 ACK PSH URGP=0
>
> Frankly, I'm surprised no one has so much as mentioned this before (at
> least publicly, according to Google). They say discretion is the polite
> word for hypocrisy. ;-)
The fact that nmap advertises itself has been discussed, here:
http://seclists.org/nmap-dev/2008/q2/0505.html . There are a few places
where nmap does this advertising, e.g. the NSE http, ssh1 and ssh2
libraries do it.

Your solution to drop TCP connections based on arbitrary strings doesn't
seem like a good idea to me.

Cheers,
Sven

-- 
Sven Klemm
http://cthulhu.c3d2.de/~sven/
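The sshd log lines quoted in the message above can be checked for the advertised client banner from the logs alone, without a packet-matching rule. The following Python code is an added example, not part of either poster's message or of Nmap; the function name `summarize`, the marker list and the third log line (using the documentation address 192.0.2.10) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two sshd lines quoted in the message, plus one
# made-up line from an ordinary SSH-1 client (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
Nov 26 06:05:29 pluto sshd[7947]: Did not receive identification string from 127.0.0.1
Nov 26 06:05:30 pluto sshd[7951]: Protocol major versions differ for 127.0.0.1: SSH-2.0-OpenSSH_5.0 vs. SSH-1.5-NmapNSE_1.0
Nov 26 06:07:02 pluto sshd[7960]: Protocol major versions differ for 192.0.2.10: SSH-2.0-OpenSSH_5.0 vs. SSH-1.5-OldClient_0.9
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
SSHD = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\ssshd\[\d+\]:\s(?P<msg>.*)$")
NO_IDENT = re.compile(r"^Did not receive identification string from (?P<src>\S+)")
MISMATCH = re.compile(r"^Protocol major versions differ for (?P<src>\S+): "
                      r"(?P<server>\S+) vs\. (?P<client>\S+)")
# Client banner substring taken from the log line in the message.
SCANNER_MARKERS = ("NmapNSE",)


def summarize(log_text):
    """Group sshd probe events by source address.

    Returns {source: {"banners": set, "no_ident": int, "scanner": bool}}.
    """
    hosts = defaultdict(lambda: {"banners": set(), "no_ident": 0, "scanner": False})
    for line in log_text.splitlines():
        m = SSHD.match(line)
        if not m:
            continue  # not an sshd line in the expected syslog layout
        msg = m.group("msg")
        if (n := NO_IDENT.match(msg)):
            # Connection opened and closed without sending a banner.
            hosts[n.group("src")]["no_ident"] += 1
        elif (p := MISMATCH.match(msg)):
            entry = hosts[p.group("src")]
            entry["banners"].add(p.group("client"))
            if any(mark in p.group("client") for mark in SCANNER_MARKERS):
                entry["scanner"] = True
    return dict(hosts)


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, "scanner banner seen" if info["scanner"] else "no scanner banner", info)
```

The banner is chosen by the client, so a match only identifies scripts that still send the default string; the absence of a match says nothing about whether a host was scanned.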