Nmap Development mailing list archives
Nessus Service Detection
From: Fyodor <fyodor () insecure org>
Date: Thu, 24 Aug 2000 00:55:49 -0700 (PDT)
Paul Tod Rieger mentioned that Nessus saves service info in Service/* keys so I grepped Nessus source for Service/www to find out where detection occurs. It is done by one of the plugins (find_service.c). Looking at the code, all it does is send an HTTP "GET" request to the server and detects the service based on the response/error code. This seems pretty crude and certainly won't handle all services, but one has to admit that he can detect an impressive # of common services with this one test. Here is what he does with the "GET" results:

    if(!strncmp(line, "http/1.", 7))
        mark_http_server(desc, port, buffer);

    if(((u_char)buffer[0]==255) && ((u_char)buffer[1]==253))
        mark_telnet_server(desc, port, line);
    else if(strstr(line, "smtp"))
        mark_smtp_server(desc, port, buffer);
    else if(strstr(buffer, "rmserver")||strstr(buffer, "realserver"))
        mark_rmserver(desc, port, line);
    else if(strstr(line, "ftp") && !strncmp(line, "220", 3))
        mark_ftp_server(desc, port, line);
    else if(strstr(line, "ssh-"))
        mark_ssh_server(desc, port, line);
    else if(strstr(line, "+ok"))
        mark_pop_server(desc, port, line);
    else if(strstr(line, "* ok imap4"))
        mark_imap_server(desc, port, line);
    else if(strstr(line, "inn ")||strstr(line, "posting OK"))
        mark_nntp_server(desc, port, line);
    else if(strstr(buffer, "networking/linuxconf"))
        mark_linuxconf(desc, port, line);
    else if(strstr(buffer, "www-authenticate: basic realm=\"swat\""))
        mark_swat_server(desc, port, line);
    else if(strstr(buffer, "vqServer") && strstr(buffer, "www-authenticate: basic realm=/"))
        mark_vqserver(desc,port, line);
    else if(strstr(buffer, "get: command not found"))
        mark_wild_shell(desc, port, line);
    else if(strstr(buffer, "netbus"))
        mark_netbus_server(desc, port, line);
    else if(strstr(line, "0 , 0 : error : unknown-error"))
        mark_auth_server(desc, port, line);
    else if(strstr(line, "http")&&strstr(buffer, "cache")&& strstr(line, "bad request"))
        mark_http_proxy(desc, port, line);
    else
        unknown[num_unknown++] = port;

This approach is worth considering, but I really worry that such a thing would become unmaintainable when you expand it to many dozens of services covering hundreds or thousands of daemons that implement them. But it is a simple solution that might be able to handle a large fraction of the popular TCP ports. Still, I really liked the way Saurik isolated his Nmap+V detection in a config file.

Cheers,
Fyodor

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
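As an added illustration of the maintainability point (this is not Nessus or Nmap code), here is the same "GET"-reply matching rewritten as an ordered rule table, which is the shape a config-file approach would take. It assumes that "line" is the first line of the reply and that both it and the whole reply are compared case-insensitively, as the lowercase needles ("* ok imap4", "http/1.") suggest; the sample replies are constructed.

```python
# Added example (not Nessus or Nmap code): a table-driven rewrite of the
# "GET"-reply matching quoted above. Rules are tried in the original order
# and the first match wins. Assumption: "line" is the reply's first line and
# both it and the whole reply ("buf") are compared case-insensitively.
RULES = [
    ("smtp",       lambda line, buf: "smtp" in line),
    ("rmserver",   lambda line, buf: "rmserver" in buf or "realserver" in buf),
    ("ftp",        lambda line, buf: "ftp" in line and line.startswith("220")),
    ("ssh",        lambda line, buf: "ssh-" in line),
    ("pop",        lambda line, buf: "+ok" in line),
    ("imap",       lambda line, buf: "* ok imap4" in line),
    ("nntp",       lambda line, buf: "inn " in line or "posting ok" in line),
    ("linuxconf",  lambda line, buf: "networking/linuxconf" in buf),
    ("swat",       lambda line, buf: 'www-authenticate: basic realm="swat"' in buf),
    ("vqserver",   lambda line, buf: "vqserver" in buf
                                     and "www-authenticate: basic realm=/" in buf),
    ("wild_shell", lambda line, buf: "get: command not found" in buf),
    ("netbus",     lambda line, buf: "netbus" in buf),
    ("auth",       lambda line, buf: "0 , 0 : error : unknown-error" in line),
    ("http_proxy", lambda line, buf: "http" in line and "cache" in buf
                                     and "bad request" in line),
]

def classify(reply: bytes) -> list:
    """Return the service labels find_service.c's tests would assign."""
    buf = reply.decode("latin-1").lower()
    line = buf.split("\n", 1)[0].rstrip("\r")
    labels = []
    # The HTTP test is a stand-alone `if` in the original, not part of the
    # else-chain, so one reply can earn both "http" and "http_proxy".
    if line.startswith("http/1."):
        labels.append("http")
    if reply[:2] == b"\xff\xfd":      # telnet IAC DO negotiation heads the chain
        labels.append("telnet")
    else:
        for label, pred in RULES:
            if pred(line, buf):
                labels.append(label)
                break
    return labels or ["unknown"]

# Constructed sample replies, not captured from real hosts.
SAMPLES = {
    "apache": b"HTTP/1.0 200 OK\r\nServer: Apache/1.3.12\r\n\r\n",
    "proxy":  b"HTTP/1.0 400 Bad Request\r\nX-Cache: MISS from proxy\r\n\r\n",
    "telnet": b"\xff\xfd\x18\xff\xfd\x20",
    "ftp":    b"220 ftp.example.test FTP server ready\r\n",
    "shell":  b"sh: GET: command not found\n",
}
```

Adding a service then means appending one row rather than another branch in the if/else chain, and the table can be loaded from a file, which is the separation Saurik's config-file approach provides.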
Current thread:
- Nessus Service Detection Fyodor (Aug 24)
- <Possible follow-ups>
- Re: Nessus Service Detection Alek O. Komarnitsky (N-CSC) (Aug 24)