Re: Nmap 2.30BETA20 Released

[Fyodor <fyodor () insecure org>]

Andrew Brown wrote:

> attached is a patch that allows nmap to detect cisco equipment in a
> way similar to a syn scan.  here's a demo:

Cool!  I'm sure many people on the list will find that useful.  I am also
going to put up a web list archive that people can use to find patches
like these.  I generally don't add single-product-specific or
application-specific features into Nmap since it would likely soon become
too big for me to maintain.

> i mainly hacked it in around the syn scan code, but with only one port
> in mind: 1999/tcp.  cisco's will usually not have any processes
> listening on this port and will respond with the expected reset
> packet.  the trick is that ciscos put six bytes of data (that are not
> accounted for in the ip packet length or tcp data length numbers) at
> the end of the reset packet that say "cisco\0".

Neat.  Interestingly, some Macs also stick text at the end of their
Reset packets.  Here is an except from a mail Lamont Granquist sent me 
in October '98 (machine names masked):

** Begin Except ***

also, can't you do reasonably reliable OS detection on Macs even without
open ports?  if you send a SYN to a closed port on a Mac it looks like:

18:43:14.946987 notmac.washington.edu.49724 >
macos.washington.edu.ftp: S 1970247439:1970247439(0) win 2048
         4500 0028 c05e 0000 ff06 65ec 805f 4a32  E..(@^....el._J2
         805f 4a94 c23c 0015 756f 970f 68da 2823  ._J.B<..uo..hZ(#
         5002 0800 8526 2d69 0000 0000 0000       P....&-i......
18:43:14.948939 macos.washington.edu.ftp >
notmac.washington.edu.49724: R 0:17(17) ack 262533098 win 0 (DF)
         4500 0039 7d86 4000 ff06 68b3 805f 4a94  E..9}.@...h3._J.
         805f 4a32 0015 c23c 0000 0000 756f 9710  ._J2..B<....uo..
         5014 0000 d92d 2d69 6e6f 2074 6370 2c20  P...Y--ino tcp, 
         7265 7365 742f 6163 6b                   reset/ack

that "no tcp, reset/ack" string should stick out, you'd think...

** End Excerpt **

I think he tested against Macos 7.1, 7.5.5, and 8.0

> there's also a small patch to services.c to ignore a couple of
> protocol types sometimes found in /etc/services that nmap doesn't
> handle

This has been applied for the next version of Nmap.

> i'd also like to suggest that you distribute the "massive" services
> file that i've been maintaining for a year or so at
>
>     http://www.graffiti.com/services

As a side note, I hope people on the list realize that they can easily
choose their favorite services files with nmap.  The default nmap-services
comes with nmap and is generally installed in /usr/local/lib/nmap or
/usr/lib/nmap .  But if you copy the file at the URL above to
~/.nmap/nmap-services , nmap will give preference to that.  If you don't
want to store the file in ~/.nmap , you can set the NMAPDIR environmental
variable to the directory for these configuration files.  You can use the
same approach for custom rpc number files and OS fingerprint files.

I am going to look into merging the tcp ports from your list into
nmap-services.  On the one hand, it is nice to have more ports
identified.  But on the other hand it changes the default nmap tcp scan
from 1519 ports to 3573.  So scans will take about twice as long.  I
wonder how often any of these extra ports are used?  I have added the URL
to your service list to the top of nmap-services.

Cheers,
Fyodor