Nmap Development mailing list archives

RE: Nmap Service Detection Proposal


From: "Jay Freeman (saurik)" <saurik () saurik com>
Date: Mon, 28 Aug 2000 03:36:17 -0500

Fyodor:

I've been rethinking it over, and I am starting to see an advantage to
having a scan that just looks for service, as you are mentioning.  This
would allow further scans that look for product and version to work on all
of the ports that we already know the base protocol for....  I think I am
going to move nmap+V in that direction for the next version.  The file
formats for the two files should end up being much easier to deal with at
that point.

The biggest obstacle I see actually comes from the aforementioned "220".
SMTP servers also return codes starting with 220.  You definitely have to do
extended queries to make sure of that.  You _could_ get the first line, see
if it had 220 in it, then check for SMTP, and if it didn't have it assume it
was an FTP site... then you get into looking for error codes as well....
I'm going to try a single file format that solves all the problems at once
before I start splitting it into a second file, as if I can do that it is
definitely going to require less redundancy in protocol checks (even if the
file feels more cluttered).

Sincerely,
Jay Freeman (saurik)
saurik () saurik com

-----Original Message-----
From: Jay Freeman (saurik) [mailto:saurik () saurik com]
Sent: Sunday, August 27, 2000 10:57 AM
To: Fyodor
Cc: Nmap-Dev
Subject: RE: Nmap Service Detection Proposal

Fyodor:

<.../>

Jumping:  What if I connect to a port, send GET /, and then WHAM, I realize
it is some server I know about.  Instead of trying a bunch of different
scans, I can now immediately skip to detecting that server.  BUT, I might
have just totally lost the ability to get the version by sending a GET /, as
the server might go into an error or quit state after getting undefined
information.  I would then want to disconnect and reconnect to the server to

Sincerely,
Jay Freeman (saurik)
saurik () saurik com

-----Original Message-----
From: Fyodor [mailto:fyodor () insecure org]
Sent: Sunday, August 27, 2000 5:09 AM
To: Jay Freeman (saurik)
Cc: Nmap-Dev
Subject: RE: Nmap Service Detection Proposal

On Sun, 27 Aug 2000, Jay Freeman (saurik) wrote:

<.../>

I'm going to sit down sometime tomorrow (assuming I have some time, I think
I do... have to work on a document with my partner, but that shouldn't take
_that_ long) think of different ways to handle the jumping issues (if we
think it's HTTP, and fail, but now know it is some other protocol, but have
to start over again, we know what kind of connection to jump to), and ways
of using the ports for sorting help without being locked in by them at the
same time.

I'm not sure I understand the need to jump.  With my latest proposal, the
idea is:

1) find port XX open
2) execute the probe(s) which registered that port (possibly in parallel)
3) If the registered probes fail, execute the other tests (possibly in
   parallel) until one succeeds.

Could you give examples of cases where you think jumping would be a big
help?


A few issues that need to be dealt with, however, are stuff like timeouts.
Some services are just slower than others.  I noticed this while building
[ ... ]
4 seconds I am going to get a reply, an example (I think, was a while ago)
was sending a HELP command to a mail server to get more accurate/further
version information

Well, this particular case wouldn't be necessary if you were only looking
for service type (and not version info).  But you are probably right that
some services may take particularly long even for the initial response we
need for service-detection.  If we need it, adding an optional timeout
attribute to the probe line should not be a problem.

<.../>

Cheers,
-F


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
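The three-step scheme Fyodor sketches (find the open port, run the probes registered for it, then fall back to the rest) and the FTP/SMTP "220" ambiguity saurik raises, worked through as an added example. This is not code from nmap or from either poster: the host names, banners, probe table, port registrations and follow-up commands are all constructed for illustration, and the fake services stand in for real sockets so it runs offline. Each follow-up command is sent on a fresh connection, which is the simplest way around saurik's worry that a server which has already seen an unexpected command may be sitting in an error state.

```python
"""Toy model of the probe scheme discussed in the thread.  Constructed for
this example: the fake services, banners, probe table, port registrations and
follow-up commands are assumptions, not nmap's real nmap-service-probes."""
import re
from dataclasses import dataclass


class FakeService:
    """Canned server: a greeting banner (b"" if the server speaks second, like
    HTTP) plus fixed replies keyed by command verb.  Each connect() models a
    fresh TCP connection, so an earlier unexpected command cannot leave the
    server in an error state for the next probe."""

    def __init__(self, banner, replies, default=b"500 Unknown command\r\n"):
        self.banner, self.replies, self.default = banner, replies, default

    def connect(self):
        return self.banner

    def send(self, data):
        verb = data.split(b"\r\n", 1)[0].split(b" ", 1)[0]
        return self.replies.get(verb, self.default)


# Constructed hosts (names, banners and version strings are made up).
HOSTS = {
    "ftp-box": {21: FakeService(b"220 ProFTPD Server ready.\r\n",
                               {b"SYST": b"215 UNIX Type: L8\r\n"})},
    "mail-box": {25: FakeService(b"220 relay.example ready\r\n",
                                {b"EHLO": b"250-relay.example\r\n250 8BITMIME\r\n"})},
    "esmtp-box": {25: FakeService(b"220 mx.example ESMTP ready\r\n",
                                 {b"EHLO": b"250 mx.example\r\n"})},
    "odd-box": {8000: FakeService(b"", {b"GET": b"HTTP/1.0 200 OK\r\n\r\n"})},
    "imap-box": {143: FakeService(b"* OK IMAP4rev1 ready\r\n", {})},
}


@dataclass
class Probe:
    name: str
    ports: frozenset      # ports that register this probe (tried first)
    send: bytes           # b"" is the NULL probe: just read the greeting
    matches: tuple        # (regex, service name or candidate tuple), first hit wins


PROBES = [
    Probe("NULL", frozenset({21, 25}), b"", (
        (rb"^220 .*E?SMTP", "smtp"),       # banner names the protocol: decided
        (rb"^220 ", ("ftp", "smtp")),      # bare 220: FTP or SMTP, ask again
    )),
    Probe("GetRequest", frozenset({80, 8080}), b"GET / HTTP/1.0\r\n\r\n", (
        (rb"^HTTP/1\.[01] \d{3}", "http"),
    )),
]

# Follow-up probes that split a candidate set, each sent on a fresh connection.
DISAMBIGUATORS = {
    frozenset({"ftp", "smtp"}): [
        (b"EHLO probe.example\r\n", rb"^250", "smtp"),
        (b"SYST\r\n", rb"^215", "ftp"),
    ],
}


def probe_order(port):
    """Fyodor's steps 2 and 3: registered probes first, then all the others."""
    registered = [p for p in PROBES if port in p.ports]
    return registered + [p for p in PROBES if port not in p.ports]


def run(service, data):
    """Fresh connection: read the greeting, then, if data is given, send it
    and return the server's answer to it (the NULL probe returns the greeting)."""
    greeting = service.connect()
    return service.send(data) if data else greeting


def detect(host, port):
    """Return the detected service name for HOSTS[host][port]."""
    service = HOSTS[host][port]
    for probe in probe_order(port):
        reply = run(service, probe.send)
        for pattern, result in probe.matches:
            if not re.match(pattern, reply):
                continue
            if isinstance(result, str):
                return result
            for send, pattern2, name in DISAMBIGUATORS.get(frozenset(result), []):
                if re.match(pattern2, run(service, send)):
                    return name
            return "ambiguous:" + "|".join(sorted(result))
        # no rule matched this probe's reply; fall through to the next probe
    return "unknown"


if __name__ == "__main__":
    for host, ports in HOSTS.items():
        for port in ports:
            print(host, port, detect(host, port))
```

Port 8000 has no registered probe, so the NULL probe runs first and reads nothing (HTTP speaks second); the GetRequest probe then identifies it, which is the "sort by port without being locked in" behaviour. The IMAP host matches no rule in either probe and stays "unknown" rather than being guessed, and the bare-"220" banner on the FTP host is only decided after EHLO fails and SYST answers 215.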