Nmap Development mailing list archives

Nessus Service Detection


From: Fyodor <fyodor () insecure org>
Date: Thu, 24 Aug 2000 00:55:49 -0700 (PDT)


Paul Tod Rieger mentioned that Nessus saves service info in Service/* keys
so I grepped Nessus source for Service/www to find out where detection
occurs.  It is done by one of the plugins (find_service.c).  Looking at
the code, all it does is send an HTTP "GET" request to the server and
detects the service based on the response/error code.  This seems pretty
crude and certainly won't handle all services, but one has to admit that
he can detect an impressive # of common services with this one test.  Here
is what he does with the "GET" results:

if(!strncmp(line, "http/1.", 7))
    mark_http_server(desc, port, buffer);

if(((u_char)buffer[0]==255) && ((u_char)buffer[1]==253))
    mark_telnet_server(desc, port, line);
else if(strstr(line, "smtp"))
    mark_smtp_server(desc, port, buffer);
else if(strstr(buffer, "rmserver")||strstr(buffer, "realserver"))
    mark_rmserver(desc, port, line);
else if(strstr(line, "ftp") && !strncmp(line, "220", 3))
    mark_ftp_server(desc, port, line);
else if(strstr(line, "ssh-"))
    mark_ssh_server(desc, port, line);
else if(strstr(line, "+ok"))
    mark_pop_server(desc, port, line);
else if(strstr(line, "* ok imap4"))
    mark_imap_server(desc, port, line);
else if(strstr(line, "inn ")||strstr(line, "posting OK"))
    mark_nntp_server(desc, port, line);
else if(strstr(buffer, "networking/linuxconf"))
    mark_linuxconf(desc, port, line);
else if(strstr(buffer, "www-authenticate: basic realm=\"swat\""))
    mark_swat_server(desc, port, line);
else if(strstr(buffer, "vqServer") &&
        strstr(buffer, "www-authenticate: basic realm=/"))
    mark_vqserver(desc, port, line);
else if(strstr(buffer, "get: command not found"))
    mark_wild_shell(desc, port, line);
else if(strstr(buffer, "netbus"))
    mark_netbus_server(desc, port, line);
else if(strstr(line, "0 , 0 : error : unknown-error"))
    mark_auth_server(desc, port, line);
else if(strstr(line, "http")&&strstr(buffer, "cache")&&
        strstr(line, "bad request"))
    mark_http_proxy(desc, port, line);
else unknown[num_unknown++] = port;


This approach is worth considering, but I really worry that such a thing
would become unmaintainable when you expand it to many dozens of services
covering hundreds or thousands of daemons that implement them.  But it is
a simple solution that might be able to handle a large fraction of the
popular TCP ports.  Still, I really liked the way Saurik isolated his
Nmap+V detection in a config file.

Cheers,
Fyodor
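
The rule chain quoted in the message, as an added example that is not code from Nessus, Nmap or the original post: a self-contained classifier that applies the same tests in the same order to the reply a port sent back to the "GET" probe. It assumes, as the mixed-case tests in the fragment suggest, that `line` is a lower-cased copy of the raw `buffer`; for simplicity every string rule here is matched on that lower-cased copy, and the `mark_*_server` calls are replaced by returned labels of my own choosing. The sample replies in `main` are constructed, not captured from real hosts. Run against a scanner's own banner output, the same chain is a cheap way to flag ports whose reply does not match what the port number implies.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BANNER_MAX 1024

/* Copy at most n-1 bytes of src into dst, lower-cased and NUL-terminated. */
static void lowercase_copy(char *dst, const char *src, size_t n)
{
    size_t i;
    for (i = 0; i + 1 < n && src[i] != '\0'; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* Return a short service label for a probe reply, or "unknown".
 * Rule order follows the find_service.c fragment; labels are mine. */
const char *classify_banner(const char *buffer)
{
    char line[BANNER_MAX];   /* assumed lower-cased copy, as in the original */
    lowercase_copy(line, buffer, sizeof line);

    if (strncmp(line, "http/1.", 7) == 0) {
        /* The original marks an HTTP server and then keeps testing; the
         * proxy rule at the end of its chain is the one an HTTP reply can
         * also satisfy, so check it before settling on plain "www". */
        if (strstr(line, "cache") && strstr(line, "bad request"))
            return "http-proxy";
        return "www";
    }
    /* Telnet servers open with option negotiation: IAC (0xff) DO (0xfd). */
    if ((unsigned char)buffer[0] == 255 && (unsigned char)buffer[1] == 253)
        return "telnet";
    if (strstr(line, "smtp"))
        return "smtp";
    if (strstr(line, "rmserver") || strstr(line, "realserver"))
        return "realserver";
    if (strstr(line, "ftp") && strncmp(line, "220", 3) == 0)
        return "ftp";
    if (strstr(line, "ssh-"))
        return "ssh";
    if (strstr(line, "+ok"))
        return "pop";
    if (strstr(line, "* ok imap4"))
        return "imap";
    if (strstr(line, "inn ") || strstr(line, "posting ok"))
        return "nntp";
    if (strstr(line, "networking/linuxconf"))
        return "linuxconf";
    if (strstr(line, "www-authenticate: basic realm=\"swat\""))
        return "swat";
    if (strstr(line, "vqserver") &&
        strstr(line, "www-authenticate: basic realm=/"))
        return "vqserver";
    /* A shell bound to the port echoes the probe back as a failed command. */
    if (strstr(line, "get: command not found"))
        return "wild-shell";
    if (strstr(line, "netbus"))
        return "netbus";
    if (strstr(line, "0 , 0 : error : unknown-error"))
        return "auth";
    if (strstr(line, "http") && strstr(line, "cache") &&
        strstr(line, "bad request"))
        return "http-proxy";
    return "unknown";
}

int main(void)
{
    /* Constructed sample replies, not captured from real hosts. */
    const char *samples[] = {
        "HTTP/1.0 200 OK\r\nServer: Apache/1.3.12\r\n",
        "\xff\xfd\x18\xff\xfd \xff\xfd#",
        "220 mail.example.com ESMTP Sendmail 8.9.3 ready",
        "220 ftp.example.com FTP server ready.",
        "SSH-1.99-OpenSSH_2.1.1",
        "+OK POP3 server ready",
        "* OK IMAP4rev1 Service Ready",
        "200 news.example.com InterNetNews NNRP server INN 2.2 ready (posting ok).",
        "sh: GET: command not found",
        "HTTP/1.0 400 Bad Request\r\nServer: squid/2.3\r\nX-Cache: MISS\r\n",
        "\x01\x02\x03",
    };
    size_t n = sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; i++)
        printf("sample %zu -> %s\n", i, classify_banner(samples[i]));
    return 0;
}
```

Because the chain stops at the first hit, rule order matters: an ESMTP greeting is labelled "smtp" even though it also begins with "220", and only the "220" banners that mention "ftp" without "smtp" reach the FTP rule.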


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
