Nmap Announce mailing list archives

Re: Nmap 2.30BETA20 Released


From: "Alek O. Komarnitsky (N-CSC)" <alek () ast lmco com>
Date: Fri, 21 Apr 2000 21:59:03 -0600 (MDT)

From: Andrew Brown <atatat () atatdot net>
Subject: Re: Nmap 2.30BETA20 Released
To: Justin <jguyett () andrew cmu edu>
Cc: nmap-hackers () insecure org

Ideally nmap would have a module to verify each service it finds, so that
(for example) an open port 443 wouldn't be reported as ssl / http if it
isn't acting like a webserver.

Verifying that port 25 is an smtp server is relatively easy, likewise
with 21 being ftp control, 22 being an ssh server, and 23 being a
telnet server.  The daytime and time services are likewise very easy
to detect since they just spew; they don't accept.

Verifying that port 443 is actually an https server is decidedly
non-trivial, not the least of which is because it waits for the client
to say something before dropping you.  It would require at least a
minimal ssl stack, and some crypto tools, neither of which belong in
the world's best port scanner.

FYI FWIW: nmap-web (URL listed below) has a checkbox that basically says:
   "try to tell me what is running on the port selected"
It does this by opening up a socket connection and snarfing what is
returned. Only a few well-defined services are set up (for instance,
it will send a "POST / HTTP/1.0" to port 80 to get the web server info),
but this could easily be expanded.

You can also define an EXPECTED string ... and if you do NOT get that,
then it will highlight it in red. This is useful for instance if you
have 1,000+ machines and you want to know which ones are NOT running
sendmail 8.9.3 ... useful to catch the "stragglers" so you know which
ones to fix.

alek

P.S. nmap-web is linked to from the nmap home page and is at:
        http://www.komar.org/komar/alek/  ->  Misc. Tech Stuff  ->  nmap-web
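The banner-grab-and-compare check Alek describes, written out as an added example (this is not nmap-web's code and not part of the original thread): connect, send a probe only on ports where the server waits for the client to speak, read whatever comes back, match it against a per-port signature to name the service, and compare it to an EXPECTED string so hosts that are not running the wanted version stand out. The probe strings, the signature regexes, the host addresses and every banner below are constructed for the example; the HEAD request stands in for the "POST / HTTP/1.0" the message mentions.

```python
import re
import socket

# Ports where the server says nothing until the client speaks get a probe;
# every other port is simply read, since ftp/ssh/smtp/telnet/daytime greet
# first. The probe string is an assumption for this example.
PROBES = {
    80: b"HEAD / HTTP/1.0\r\nHost: localhost\r\n\r\n",
}

def grab_banner(host, port, timeout=3.0, max_bytes=1024):
    """Connect, send the per-port probe (if any) and return what the server
    sends back, decoded loosely. Only for live use; the tests below use
    constructed banners instead."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        probe = PROBES.get(port)
        if probe:
            s.sendall(probe)
        chunks = []
        try:
            while sum(len(c) for c in chunks) < max_bytes:
                data = s.recv(max_bytes)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # a server that accepts but never answers yields ""
    return b"".join(chunks).decode("latin-1", "replace")

# Per-port signatures (constructed): service name plus a regex the banner
# must match; an optional 'sw' group captures the software/version string.
# 443 deliberately has no entry: without an SSL stack the banner is empty.
SIGNATURES = {
    22: ("ssh", re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<sw>\S+)")),
    25: ("smtp", re.compile(
        r"^220[ -].*?(?P<sw>Sendmail [\d.]+|Postfix|Exim [\d.]+)", re.I)),
    80: ("http", re.compile(
        r"^HTTP/1\.[01] \d{3}.*?\r?\nServer:\s*(?P<sw>[^\r\n]+)", re.I | re.S)),
}

def identify(port, banner):
    """Return (service, software) when the banner looks like the service
    expected on that port, ('unknown', None) otherwise."""
    sig = SIGNATURES.get(port)
    if sig is None or not banner:
        return ("unknown", None)
    name, pattern = sig
    m = pattern.match(banner)
    if not m:
        return ("unknown", None)
    sw = m.groupdict().get("sw")
    return (name, sw.strip() if sw else None)

def check_expected(banner, expected):
    """True when the EXPECTED substring is present; no expectation passes."""
    return not expected or expected in banner

def audit(results, expected):
    """results: {(host, port): banner}; expected: {port: substring}.
    Returns rows of (host, port, service, software, ok)."""
    report = []
    for (host, port), banner in sorted(results.items()):
        service, sw = identify(port, banner)
        ok = check_expected(banner, expected.get(port, ""))
        report.append((host, port, service, sw, ok))
    return report

def stragglers(report):
    """The rows nmap-web would paint red: hosts missing the expected string."""
    return [(h, p, sw) for h, p, _svc, sw, ok in report if not ok]

# Constructed banners, not captured from real hosts.
SAMPLE_RESULTS = {
    ("10.0.0.1", 25): "220 mx1.example.test ESMTP Sendmail 8.9.3/8.9.3; "
                      "Fri, 21 Apr 2000 21:59:03 -0600\r\n",
    ("10.0.0.2", 25): "220 mx2.example.test ESMTP Sendmail 8.8.7/8.8.7; "
                      "Fri, 21 Apr 2000 22:01:11 -0600\r\n",
    ("10.0.0.3", 22): "SSH-1.99-OpenSSH_2.1\r\n",
    ("10.0.0.4", 80): "HTTP/1.0 200 OK\r\nServer: Apache/1.3.12 (Unix)\r\n"
                      "Content-Type: text/html\r\n\r\n",
    ("10.0.0.5", 443): "",  # accepted the connection, then waited for us
}
EXPECTED = {25: "Sendmail 8.9.3"}

if __name__ == "__main__":
    for row in audit(SAMPLE_RESULTS, EXPECTED):
        print(("RED  " if not row[4] else "ok   ") + repr(row[:4]))
```

Only the pure functions are exercised on the constructed banners; `grab_banner` is the live collector and would replace `SAMPLE_RESULTS` in an actual sweep. The empty banner on 443 falls out as "unknown", which is exactly the limitation Andrew Brown points to.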

