Nmap Development mailing list archives

RE: Nmap Service Detection Proposal


From: "Jay Freeman (saurik)" <saurik () saurik com>
Date: Tue, 29 Aug 2000 10:18:39 -0500

The finger protocol is trivial to the point where it is almost impossible to
correctly detect :(.  You connect to it, give it a string of
space-delineated usernames (possibly with an "@hostname"), and end with a
line feed.  The server then returns either information for each of these
users in a non-standardized format, or returns a non-standardized error
message.  Searching for the formats given by each finger daemon is the most
powerful way to do it.

I connected to a few finger servers, and queried for "hello@[something I
expect it to return results for]".  Here were the results (blotted out some
hostnames with "xXxXx"):

++++++

Welcome to Linux version 2.0.30 at xXxXx !

  5:54am  up 6 days, 20:23,  0 users,  load average: 1.43, 1.51, 1.48

finger: hello: no such user.
++++++

++++++
finger: hello: no such user.
++++++

++++++
[xXxXx]
Login       Name               TTY         Idle    When    Where
hello                 ???
++++++

++++++
This is xXxXx finger server.

Sorry, user hello not found
++++++

The RFC verifies this:

<quote>
2.5.  Expected RUIP response

   For the most part, the output of an RUIP doesn't follow a strict
   specification, since it is designed to be read by people instead of
   programs.  It should mainly strive to be informative.

   Output of ANY query is subject to the discussion in the security
   section.
</quote>

"finger.c", as you suggest, is just a simple program that connects to the
host at port 79, then sends its query, and brings back its result.  You
could point it at an FTP server and it would return the FTP banner.  To
prove it, I redirected port 79 to port 21.

[root(3)@ironclad rfc]# finger hello@saurik.com
[saurik.com]
220 ironclad.saurik.com FTP server (Version wu-2.6.0(1) Fri Feb 4 23:37:48
EST 2000) ready.
530 Please login with USER and PASS.

From this point finger is just sitting there waiting for the server to
disconnect it.

Sincerely,
Jay Freeman (saurik)
saurik () saurik com
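The probe-plus-regex approach the thread is discussing, as an added example that is not part of the original post or of Nmap: a minimal finger probe with a read timeout (so a server that keeps the connection open, as described above, does not hang the scanner), and a small ordered signature table written from the four finger replies and the wu-ftpd banner quoted in the post. The sample responses are re-typed here as constructed test data with the hostnames left as "xXxXx"; the regexes are illustrative guesses at each daemon's format, not Nmap's own match lines, and the live `probe()` function is not exercised by the offline samples.

```python
import re
import socket

# Constructed samples: the four finger replies quoted in the post, plus the
# wu-ftpd banner seen when port 79 was redirected to port 21.
SAMPLES = {
    "linux_fingerd": (
        "Welcome to Linux version 2.0.30 at xXxXx !\r\n\r\n"
        "  5:54am  up 6 days, 20:23,  0 users,  load average: 1.43, 1.51, 1.48\r\n\r\n"
        "finger: hello: no such user.\r\n"
    ),
    "bare_fingerd": "finger: hello: no such user.\r\n",
    "bsd_fingerd": (
        "[xXxXx]\r\n"
        "Login       Name               TTY         Idle    When    Where\r\n"
        "hello                 ???\r\n"
    ),
    "custom_fingerd": "This is xXxXx finger server.\r\n\r\nSorry, user hello not found\r\n",
    "wu_ftpd_on_79": (
        "220 ironclad.saurik.com FTP server (Version wu-2.6.0(1) Fri Feb 4 23:37:48 EST 2000) ready.\r\n"
        "530 Please login with USER and PASS.\r\n"
    ),
}

# Ordered (service, regex) list; first match wins. The FTP banner check comes
# first so a non-finger service answering on 79 is not mislabelled by the
# looser finger patterns below. Patterns are hypothetical, derived from the
# quoted outputs only.
SIGNATURES = [
    ("ftp",    re.compile(r"^220[ -].*FTP", re.M)),
    ("finger", re.compile(r"^finger: \S+: no such user\.", re.M)),
    ("finger", re.compile(r"^Login\s+Name\s+TTY\s+Idle\s+When\s+Where", re.M)),
    ("finger", re.compile(r"^Sorry, user \S+ not found", re.M)),
    ("finger", re.compile(r"finger server", re.I)),
]


def classify(response: str):
    """Return (service, matched_text) for the first signature that fires, else (None, None)."""
    for service, rx in SIGNATURES:
        m = rx.search(response)
        if m:
            return service, m.group(0)
    return None, None


def probe(host: str, port: int = 79, query: str = "hello",
          timeout: float = 5.0, max_bytes: int = 4096) -> str:
    """Send one finger query (username + CRLF, per RFC 1288) and collect the reply.

    Reads until the server closes the connection, the byte cap is hit, or the
    read timeout expires. The timeout is the important part: as the post notes,
    a plain finger client just sits there until the server disconnects it.
    """
    chunks = []
    total = 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        while total < max_bytes:
            try:
                data = s.recv(1024)
            except socket.timeout:
                break  # server is holding the connection open; stop waiting
            if not data:
                break  # server closed the connection
            chunks.append(data)
            total += len(data)
    return b"".join(chunks).decode("latin-1", errors="replace")


if __name__ == "__main__":
    # Offline run over the constructed samples; use probe(host) for a live target.
    for name, text in SAMPLES.items():
        service, hit = classify(text)
        print(f"{name:16s} -> {service!s:7s} ({hit!r})")
```

Each signature anchors on a line-start token or a distinctive phrase rather than on the whole reply, because the RFC makes no promise about the surrounding text; that is also why the table is ordered and why the FTP check is evaluated first.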

-----Original Message-----
From: Paul Tod Rieger [mailto:prie () abl com]
Sent: Tuesday, August 29, 2000 1:50 AM
To: nmap-dev () insecure org
Subject: Re: Nmap Service Detection Proposal

Fyodor <fyodor () insecure org> wrote:

I suspect that the vast majority of protocols
could be detected via a sufficiently clever probe
string and regex match.  Can anyone think of any
protocols that could not be detected by this method
but could with a more powerful (think "C") syntax?

http://www.attrition.org/tools/other/binfo.c may help with 53/domain.

Can 79/finger be probed with string/regex?  (Or maybe finger.c would be
needed?)

Tod
abl.com


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
