Nmap Announce mailing list archives
Re: Nmap 2.30BETA20 Released
From: Fyodor <fyodor () insecure org>
Date: Sat, 22 Apr 2000 15:00:51 -0700 (PDT)
Andrew Brown wrote:
attached is a patch that allows nmap to detect cisco equipment in a way similar to a syn scan. here's a demo:
Cool! I'm sure many people on the list will find that useful. I am also going to put up a web list archive that people can use to find patches like these. I generally don't add single-product-specific or application-specific features into Nmap since it would likely soon become too big for me to maintain.
i mainly hacked it in around the syn scan code, but with only one port in mind: 1999/tcp. cisco's will usually not have any processes listening on this port and will respond with the expected reset packet. the trick is that ciscos put six bytes of data (that are not accounted for in the ip packet length or tcp data length numbers) at the end of the reset packet that say "cisco\0".
Neat. Interestingly, some Macs also stick text at the end of their Reset packets. Here is an excerpt from a mail Lamont Granquist sent me in October '98 (machine names masked):

** Begin Excerpt **

also, can't you do reasonably reliable OS detection on Macs even without open ports? if you send a SYN to a closed port on a Mac it looks like:

18:43:14.946987 notmac.washington.edu.49724 > macos.washington.edu.ftp: S 1970247439:1970247439(0) win 2048
    4500 0028 c05e 0000 ff06 65ec 805f 4a32    E..(@^....el._J2
    805f 4a94 c23c 0015 756f 970f 68da 2823    ._J.B<..uo..hZ(#
    5002 0800 8526 2d69 0000 0000 0000         P....&-i......
18:43:14.948939 macos.washington.edu.ftp > notmac.washington.edu.49724: R 0:17(17) ack 262533098 win 0 (DF)
    4500 0039 7d86 4000 ff06 68b3 805f 4a94    E..9}.@...h3._J.
    805f 4a32 0015 c23c 0000 0000 756f 9710    ._J2..B<....uo..
    5014 0000 d92d 2d69 6e6f 2074 6370 2c20    P...Y--ino tcp, 
    7265 7365 742f 6163 6b                     reset/ack

that "no tcp, reset/ack" string should stick out, you'd think...

** End Excerpt **

I think he tested against Macos 7.1, 7.5.5, and 8.0
there's also a small patch to services.c to ignore a couple of protocol types sometimes found in /etc/services that nmap doesn't handle
This has been applied for the next version of Nmap.
i'd also like to suggest that you distribute the "massive" services file that i've been maintaining for a year or so at http://www.graffiti.com/services
As a side note, I hope people on the list realize that they can easily choose their favorite services files with nmap. The default nmap-services comes with nmap and is generally installed in /usr/local/lib/nmap or /usr/lib/nmap. But if you copy the file at the URL above to ~/.nmap/nmap-services, nmap will give preference to that. If you don't want to store the file in ~/.nmap, you can set the NMAPDIR environmental variable to the directory for these configuration files. You can use the same approach for custom rpc number files and OS fingerprint files.

I am going to look into merging the tcp ports from your list into nmap-services. On the one hand, it is nice to have more ports identified. But on the other hand it changes the default nmap tcp scan from 1519 ports to 3573. So scans will take about twice as long. I wonder how often any of these extra ports are used? I have added the URL to your service list to the top of nmap-services.

Cheers,
Fyodor
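A small parser, added here as an example and not part of the original thread or of Nmap, that pulls both kinds of RST oddity out of a raw IPv4/TCP packet: the Mac reply is rebuilt byte-for-byte from the hex dump quoted above, while the Cisco-style packet is constructed from Andrew's description (its addresses, ports and zeroed checksums are placeholders, not a capture). It separates data the IP total length accounts for (the Mac case) from bytes sitting past that length (the Cisco case), which is what a passive sensor would have to check to log either fingerprint.

```python
import struct

# Mac RST/ACK reply reproduced from the tcpdump hex dump quoted in the message above
MAC_RST = bytes.fromhex(
    "4500 0039 7d86 4000 ff06 68b3 805f 4a94"
    "805f 4a32 0015 c23c 0000 0000 756f 9710"
    "5014 0000 d92d 2d69 6e6f 2074 6370 2c20"
    "7265 7365 742f 6163 6b".replace(" ", "")
)


def build_cisco_style_rst() -> bytes:
    """Constructed packet (not a capture) following Andrew Brown's description:
    a RST/ACK whose IP total length covers only the 40 header bytes, followed by
    six bytes "cisco\\0" that no length field accounts for. Checksums are zeroed,
    addresses are TEST-NET placeholders."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 255, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 1999, 40000, 0, 1, 5 << 4, 0x14, 0, 0, 0)
    return ip + tcp + b"cisco\x00"


def rst_trailer(frame: bytes) -> dict:
    """Parse a raw IPv4/TCP packet and report data riding on the segment, split
    into bytes the IP total length accounts for ("declared") and bytes past it
    ("trailer")."""
    if len(frame) < 40 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 6:
        raise ValueError("not TCP")
    tcp = frame[ihl:]
    doff = (tcp[12] >> 4) * 4
    flags = tcp[13]
    return {
        "rst": bool(flags & 0x04),
        "ack": bool(flags & 0x10),
        "src_port": struct.unpack("!H", tcp[0:2])[0],
        "declared": frame[ihl + doff:total_len],   # counted by IP length (Mac style)
        "trailer": frame[total_len:],              # past IP length (Cisco style)
    }


def rst_oddity(frame: bytes):
    """Return a one-line log note if a RST carries text in either place, else None."""
    info = rst_trailer(frame)
    if not info["rst"]:
        return None
    for where in ("declared", "trailer"):
        if info[where]:
            text = info[where].rstrip(b"\x00").decode("ascii", "replace")
            return f"RST from port {info['src_port']} carries {where} data: {text!r}"
    return None
```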