Re: Nmap 2.30BETA20 Released

[Max Vision <vision () whitehats com>]

On Fri, 21 Apr 2000, Jeffrey Paul wrote:
> Max Vision wrote:
> > For the benefit of less experienced netmapers, I would prefer to see
> >  netbios-ns         137/tcp           # netbios name service
> > be replaced by
> >  UNKNOWN            137/tcp           # daemon on priveledged port!@#$
> > and other appropriate accuracies.
>
> This kind of defeats the purpose.
Well not really - it corrects an outstanding error that could lead to
misunderstandings.  The "purpose" of the services file is to provide
suggestions about typical application protocols or daemons that would bind
to these ports.  Technically speaking, /etc/services is just "a mapping
between friendly textual names for internet services, and their underlying
assigned port numbers and protocol types".

For our purposes, the information about TCP 137 (sticking with this
exampple) is false.  It may be "assigned", but it is not something we will
encounter in the field.

Sticking with this same example, let's say Jane Admin scans her windows
machines with nmap internally.  Her policy permits netbios internally, so
she thinks nothing of the TCP137/netbios entry that pops up.  Turns out it
was actually BackOrifice2000.  Wouldn't it have been better if a little
flag came up "UNKNOWN - daemon on priveledged port"?  With my suggestion
it would :)

me> Another option is to remove those entries, but I generally prefer to
me> see as much detail about the remote host as possible, as there are
me> often "rogue" daemons listening on ports one wouldn't expect - in
me> particular ftpd and httpd are sometimes bound in strange places by
me> their owners.
me>
I made this comment to justify why one might *keep* the entries as
warnings ("unknown, priveledged port") versus outright *removal*.  I did
not imply that nmap should in any way deal with this :)

Max