Nmap Development mailing list archives

Re: nmap+V


From: H D Moore <hdm () secureaustin com>
Date: Thu, 24 Aug 2000 01:57:26 -0500

Paul Tod Rieger wrote:

Fyodor <fyodor () insecure org> wrote:

What are others doing?  Nessus has mentioned in various announcements
that they detect services rather than rely on static port mapping.  Has
anyone looked into their approach?  Sharing service detection
mechanisms/scripts with Nessus or other scanners would be a plus.

The syntax needs to be powerful enough to handle the vast majority of
protocols.  Ideally, it could even handle binary protocols like SMB

There are some issues with this, namely DoS attacks caused by the
'detection' packets.  An example is some wind0z3 SQL boxes that have
port 6666 open, but if you make a connection to that port and send ASCII
data, it crashes whatever service was listening on that port.

Some protocols are always in a specific state based on what data they
have already received.  What probe packets do you send to determine which
service it is, without inadvertently setting the daemon/service into a mode
where it won't respond to the same string the way it would if that string
was the first thing you sent?  If this doesn't make sense, imagine a service
like SMTP, where sending a specific string will put it into DATA mode, where
it will accept anything.  If you send a command to determine what
version/type this service is and change the response of the service by
doing so (no return code after SMTP is in data mode), then your
detection routine is self-defeating.

What will your detection packets show in the system's log files?
Invalid requests will normally be logged (an HTTP GET request to an
unknown RPC port?).  While I agree that nmap+V is "nifty", I think it is
pushing nmap in a direction that would be better handled via
scripts/plugins/etc.  Wouldn't a modularized plugin
output/filtering/processing system make all of this a non-issue and
allow people developing things like version and banner detection to do so
without needing to "taint" core nmap development?

Most of the above doesn't apply to currently known services, but I think
these are issues that need to be kept in mind while the infrastructure
is still being designed.

Nessus has "bind/version" and seems to do in-depth analysis of ftp and
finger.

<offtopic>
Nessus is a great "blanket" tool, but I feel that some things would be
better accomplished by other tools and integrated.  For instance, nessus
has a plugin called nmap_wrapper which simply calls nmap and parses the
results.  What if you already did a
long-painful-through-a-portsentried-firewall scan and would rather
nessus use your scan logs?  I have a rewritten wrapper which does that
and will send a copy to anyone that wants it.  Command-line nessus usage
with it is broken due to the nessus preferences file being rebuilt with
default settings when run that way, but GUI scans work great.  Whisker
should replace all of the CGI checks, and SSL web/port detection/scanning
is the place where it lacks the most.  My solution was to use native Perl
SSL modules with a modified Whisker and a Nessus plugin which called
Whisker...
</offtopic>

As for version scanning with nmap, I'd like to see banner scanning as well.
The regexp parsing leaves out too much information for me.  For instance, I
not only want to know what version of Sendmail is running but also the
hostname and the date; not only what version of Apache is running but also
where the root document is (another machine?), when was it last modified,
and what exactly is that spammer trying to sell me.  :-)

A 40Mb spam-correlating, linguistic-analyzing, banner-detecting nmap....

(For my requirements, maybe rain.forest.puppy's "nmap stubs" in Perl would
automate nmap (-O, -I, -sR), ftp, binfo, finger, and telnet 80 for me, but
the http://www.angio.net/security/rfp link on http://www.insecure.org/nmap/
doesn't seem to work....)

http://www.wiretrip.net/rfp/

-HD


PS.  I apologize for the ramble, sleep deprivation doing its worst...


http://www.digitaloffense.net/ (tools site)
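The probe-ordering and protocol-state concerns raised in the message above, as an added example that is not part of the original message, of nmap, or of Nessus. It is a toy probe/match detector in Python: a passive banner read is tried before any active payload, a connection reset aborts the scan rather than hammering a listener the previous probe may have killed, and a fake SMTP server shows that the same HELO string gets a reply code on a fresh session and nothing at all once DATA has been accepted. The probe table, regexes, banners and server classes are all constructed for this example and are not drawn from any real detection database.

```python
"""Minimal probe/match service detector with toy servers that reproduce the
pitfalls discussed above. Added example; not nmap or Nessus code."""
import re

# Probe table: (probe name, bytes to send, match list). A payload of None
# means "send nothing, just read the banner" and is tried first so that a
# service which announces itself is identified without any active probe.
# Patterns and templates are constructed for this example only.
PROBES = [
    ("NULL", None, [
        ("smtp", re.compile(rb"^220 (\S+) ESMTP Sendmail ([\d.]+)/"),
         rb"Sendmail \2 on \1"),
        ("ftp", re.compile(rb"^220 .*ProFTPD ([\d.]+)"), rb"ProFTPD \1"),
    ]),
    ("GetRequest", b"GET / HTTP/1.0\r\n\r\n", [
        ("http", re.compile(rb"^HTTP/1\.[01] \d{3} .*?\r\nServer: Apache/([\d.]+)",
                            re.S), rb"Apache \1"),
    ]),
]


def detect(service, probes=PROBES, log=None):
    """Run probes in order and return (service, version, probe_used).

    Stops at the first match, so the passive NULL probe keeps active
    payloads off the wire (and out of the target's logs) whenever the
    banner alone is enough. A connection reset aborts the scan instead of
    hammering a listener that the previous probe may have just killed.
    """
    for name, payload, matches in probes:
        try:
            response = service.exchange(payload)
        except ConnectionResetError:
            return None, None, name
        if log is not None:
            log.append((name, response))  # what the target's logs would see
        for svc, regex, template in matches:
            m = regex.search(response)
            if m:
                return svc, m.expand(template).decode(), name
    return None, None, None


class FakeSMTP:
    """Toy SMTP listener. After DATA is accepted it treats every line as
    message body and answers with no reply code at all, so a probe sent in
    that state gets nothing back: the self-defeating case from the thread."""
    BANNER = (b"220 mail.example.test ESMTP Sendmail 8.9.3/8.9.3; "
              b"Thu, 24 Aug 2000 01:57:26 -0500\r\n")

    def __init__(self):
        self.in_data = False

    def exchange(self, data):
        if data is None:          # "connect and read": the greeting
            return self.BANNER
        if self.in_data:
            if data.strip() == b".":
                self.in_data = False
                return b"250 Message accepted for delivery\r\n"
            return b""            # body line: swallowed silently, no status code
        verb = data.split(None, 1)[0].upper() if data.split() else b""
        if verb == b"DATA":
            self.in_data = True
            return b"354 Enter mail, end with \".\" on a line by itself\r\n"
        if verb in (b"HELO", b"EHLO", b"MAIL", b"RCPT", b"QUIT"):
            return b"250 OK\r\n"
        return b"500 Command unrecognized\r\n"


class FakeHTTP:
    """Toy HTTP listener: silent until it receives a request."""
    def exchange(self, data):
        if data is None:
            return b""
        if data.startswith(b"GET "):
            return b"HTTP/1.0 200 OK\r\nServer: Apache/1.3.12 (Unix)\r\n\r\n"
        return b"HTTP/1.0 400 Bad Request\r\n\r\n"


class FakeFragile:
    """Stand-in for the listener that dies when sent ASCII: reading the
    banner is harmless, the first active probe takes it down."""
    def __init__(self):
        self.crashed = False

    def exchange(self, data):
        if data is None:
            return b""
        self.crashed = True
        raise ConnectionResetError("listener died on probe data")


def smtp_state_problem():
    """Same HELO string, once on a fresh session and once after DATA."""
    s = FakeSMTP()
    s.exchange(None)
    before = s.exchange(b"HELO scanner\r\n")
    s.exchange(b"DATA\r\n")
    after = s.exchange(b"HELO scanner\r\n")
    return before, after


if __name__ == "__main__":
    for srv in (FakeSMTP(), FakeHTTP(), FakeFragile()):
        sent = []
        print(type(srv).__name__, detect(srv, log=sent), [n for n, _ in sent])
    print("HELO before/after DATA:", smtp_state_problem())
```

Against a real socket the `exchange` method would be a connect-send-recv with a timeout; the ordering is the point: a banner-grabbing read costs nothing and identifies the talkative services, active probes go out only for the silent ones, and each probe is sent on a fresh connection so the target's protocol state is known.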

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
