Re: Service probes question

[David Fifield <david () bamsoftware com>]

On Tue, Feb 21, 2012 at 11:03:59AM +0100, Eric Buggenhout wrote:
> Hi list,
>
>
> I'm running the following scan : "nmap -p80 -sV XXX.XXX.XXX.XXX" and
> analysing the nmap traffic with wireshark.
> I see some GET and OPTION requests but after that there are some probes
> that generate "HTTP/1.1 400 Bad Request" so I checked out which probes were
> sent out.
>
> For example this data :
>
>
> 00:5a:00:00:01:00:00:00:01:36:01:2c:00:00:08:00:7f:ff:7f:08:00:00:00:01:00:20:00:3a:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:34:e6:00:00:00:01:00:00:00:00:00:00:00:00:28:43:4f:4e:4e:45:43:54:5f:44:41:54:41:3d:28:43:4f:4d:4d:41:4e:44:3d:76:65:72:73:69:6f:6e:29:29
>
>
> Which maps to this in nmap-service-probes :
>
> Probe TCP oracle-tns
> q|\0Z\0\0\x01\0\0\0\x016\x01,\0\0\x08\0\x7F\xFF\x7F\x08\0\0\0\x01\0
> \0:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\04\xE6\0\0\0\x01\0\0\0\0\0\0\0\0(CONNECT_DATA=(COMMAND=version))|
> rarity 7
> ports 1035,1521,1522,1525,1526,1574,1748,1754,14238,20000
>
>
>
>
> Why is nmap using this probe when I'm scanning on port 80?

It's because it has rarity 7. Nmap tries all probes with rarity 7 or
lower by default. Use the --version-intensity option to change it.

http://nmap.org/book/vscan-technique.html#vscan-selection-and-rarity

You would be surprised how often weird services run on port 80, or how
often useful classification results come from non-HTTP probes to HTTP
services. There is even an example of an HTTP service matched by the
oracle-tns probe in the file.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/