Nmap Development mailing list archives

Re: nmap+V


From: "Paul Tod Rieger" <prie () abl com>
Date: Thu, 24 Aug 2000 00:22:03 -0400

Fyodor <fyodor () insecure org> wrote:

> What are others doing?  Nessus has mentioned in various announcements
> that they detect services rather than rely on static port mapping.  Has
> anyone looked into their approach?  Sharing service detection
> mechanisms/scripts with Nessus or other scanners would be a plus.

Appendix A of http://www.nessus.org/doc/nasl.html lists the knowledge base
that Nessus can build up.  For instance, the key "Services/www" will return
the port number of the webserver (0 if none found).


> The syntax needs to be powerful enough to handle the vast majority of
> protocols.  Ideally, it could even handle binary protocols like SMB

The Nessus appendix only lists 19 "Services/*" keys (all ASCII).  Still,
it's a start.


> Remember, it only needs to be smart enough to detect what protocol
> is running (and perhaps version).  It doesn't need to do any in depth
> analysis of the protocol.

Nessus has "bind/version" and seems to do in-depth analysis of ftp and
finger.

As for version scanning with nmap, I'd like to see banner scanning as well.
The regexp parsing leaves out too much information for me.  For instance, I
not only want to know what version of Sendmail is running but also the
hostname and the date; not only what version of Apache is running but also
where the root document is (another machine?), when was it last modified,
and what exactly is that spammer trying to sell me.  :-)

(For my requirements, maybe rain.forest.puppy's "nmap stubs" in Perl would
automate nmap (-O, -I, -sR), ftp, binfo, finger, and telnet 80 for me, but
the http://www.angio.net/security/rfp link on http://www.insecure.org/nmap/
doesn't seem to work....)

Tod
abl.com
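An added illustration of the "banner plus regexp" idea this message argues for (example code written for this archive page, not code from the thread, from nmap, from Nessus or from rfp's stubs): a small match table whose named groups keep the hostname, date and Last-Modified fields that a version-only regexp would throw away, and a banner grabber for use against hosts you administer. The match table, the probe strings and the two sample banners are constructed assumptions, not real nmap or Nessus signatures.

```python
import re
import socket

# Constructed sample banners (not captured from any real host).
SMTP_BANNER = "220 mail.example.com ESMTP Sendmail 8.11.0/8.11.0; Thu, 24 Aug 2000 00:22:03 -0400\r\n"
HTTP_BANNER = ("HTTP/1.1 200 OK\r\nDate: Thu, 24 Aug 2000 04:22:03 GMT\r\n"
               "Server: Apache/1.3.12 (Unix)\r\nLast-Modified: Wed, 23 Aug 2000 18:00:00 GMT\r\n\r\n")

# Hypothetical match table: service name -> regexp over the banner. The named groups keep
# the fields (hostname, date, version) that a plain "which product?" regexp would discard.
MATCHES = {
    "smtp": re.compile(r"^220 (?P<hostname>\S+) ESMTP Sendmail (?P<version>[\w./]+); (?P<date>[^\r\n]+)", re.M),
    "http": re.compile(r"^Server: (?P<product>Apache)/(?P<version>[\w.]+)", re.M),
}
# Extra HTTP headers worth keeping next to the version (where the document lives, when it changed).
HTTP_EXTRA = re.compile(r"^(?P<key>Last-Modified|Location): (?P<value>[^\r\n]+)", re.M)
# Probe to send before reading: SMTP talks first, HTTP has to be asked.
PROBES = {"smtp": b"", "http": b"HEAD / HTTP/1.0\r\n\r\n"}

def identify(banner: str) -> dict:
    """Match the banner against the table; the raw banner is always kept in the result."""
    result = {"service": "unknown", "banner": banner}
    for name, rx in MATCHES.items():
        m = rx.search(banner)
        if m:
            result["service"] = name
            result.update(m.groupdict())
            break
    if result["service"] == "http":
        result["headers"] = {m["key"]: m["value"] for m in HTTP_EXTRA.finditer(banner)}
    return result

def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 5.0) -> str:
    """Connect to a host you administer, send the probe (if any) and read the first reply."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        try:
            while sum(len(c) for c in chunks) < 4096:
                data = sock.recv(1024)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # the service went quiet; whatever arrived is the banner
    return b"".join(chunks).decode("latin-1")
```

Against a live host the two halves chain as `identify(grab_banner("mail.example.com", 25, PROBES["smtp"]))`; the unmatched case keeps the raw banner so nothing is lost when the table has no entry.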
