Nmap Development mailing list archives
RE: Nmap Service Detection Proposal
From: "Jay Freeman \(saurik\)" <saurik () saurik com>
Date: Tue, 29 Aug 2000 10:18:39 -0500
The finger protocol is trivial to the point where it is almost impossible to correctly detect :(. You connect to it, give it a string of space-delineated usernames (possibly with an "@hostname"), and end with a line feed. The server then returns either information for each of these users in a non-standardized format, or returns a non-standardized error message. Searching for the formats given by each finger daemon is the most powerful way to do it.

I connected to a few finger servers, and queried for "hello@[something I expect it to return results for]". Here were the results (blotted out some hostnames with "xXxXx"):

++++++
Welcome to Linux version 2.0.30 at xXxXx !
 5:54am up 6 days, 20:23, 0 users, load average: 1.43, 1.51, 1.48
finger: hello: no such user.
++++++

++++++
finger: hello: no such user.
++++++

++++++
[xXxXx]
Login Name TTY Idle When Where
hello ???
++++++

++++++
This is xXxXx finger server.
Sorry, user hello not found
++++++

The RFC verifies this:

<quote>
2.5. Expected RUIP response

For the most part, the output of an RUIP doesn't follow a strict specification, since it is designed to be read by people instead of programs. It should mainly strive to be informative. Output of ANY query is subject to the discussion in the security section.
</quote>

"finger.c", as you suggest, is just a simple program that connects to the host at port 79, then sends its query, and brings back its result. You could point it at an FTP server and it would return the FTP banner. To prove it, I redirected port 79 to port 21.

[root(3)@ironclad rfc]# finger hello () saurik com
[saurik.com]
220 ironclad.saurik.com FTP server (Version wu-2.6.0(1) Fri Feb 4 23:37:48 EST 2000) ready.
530 Please login with USER and PASS.
From this point finger is just sitting there waiting for the server to disconnect it.

Sincerely,
Jay Freeman (saurik)
saurik () saurik com

-----Original Message-----
From: Paul Tod Rieger [mailto:prie () abl com]
Sent: Tuesday, August 29, 2000 1:50 AM
To: nmap-dev () insecure org
Subject: Re: Nmap Service Detection Proposal

Fyodor <fyodor () insecure org> wrote:
I suspect that the vast majority of protocols could be detected via a sufficiently clever probe string and regex match. Can anyone think of any protocols that could not be detected by this method but could with a more powerful (think "C") syntax?
http://www.attrition.org/tools/other/binfo.c may help with 53/domain.

Can 79/finger be probed with string/regex? (Or maybe finger.c would be needed?)

Tod
abl.com
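An added example, not code from this thread or from Nmap, of the probe-string-plus-regex approach the message discusses: it builds the query the finger protocol expects and runs an ordered set of regexes over the four finger responses and the FTP banner quoted above, re-typed here as constructed sample input. The signature labels and the CRLF terminator (per RFC 1288) are my assumptions, not something the thread specifies.

```python
import re

# The responses quoted in the thread (hostnames blotted as xXxXx), re-typed
# as constructed sample input for the matcher below.
SAMPLE_RESPONSES = {
    "linux-uptime": ("Welcome to Linux version 2.0.30 at xXxXx !\n"
                     " 5:54am up 6 days, 20:23, 0 users, load average: 1.43, 1.51, 1.48\n"
                     "finger: hello: no such user.\n"),
    "bsd-style": "finger: hello: no such user.\n",
    "table": "[xXxXx]\nLogin Name TTY Idle When Where\nhello ???\n",
    "custom": "This is xXxXx finger server.\nSorry, user hello not found\n",
    # What a naive finger client sees when port 79 is really an FTP server.
    "ftp": ("220 ironclad.saurik.com FTP server (Version wu-2.6.0(1) "
            "Fri Feb 4 23:37:48 EST 2000) ready.\n"
            "530 Please login with USER and PASS.\n"),
}

# Ordered (label, regex) pairs; the first hit wins, so the specific banner
# formats must precede the generic "finger: X: no such user." line, which the
# Linux-style daemon also emits after its uptime banner.
SIGNATURES = [
    ("not-finger (FTP banner)", re.compile(r"^220 .*FTP server", re.M)),
    ("finger: Linux-style uptime banner", re.compile(r"^Welcome to Linux version [\d.]+ at \S+ !", re.M)),
    ("finger: tabular Login/Name/TTY header", re.compile(r"^\[\S+\]\s*\n\s*Login\s+Name\s+TTY\s+Idle\s+When\s+Where", re.M)),
    ("finger: custom 'This is ... finger server'", re.compile(r"^This is \S+ finger server\.", re.M)),
    ("finger: generic 'no such user' error", re.compile(r"^finger: \S+: no such user\.", re.M)),
]


def build_finger_query(users):
    """Space-delimited users (each may carry @hostname), CRLF-terminated (RFC 1288)."""
    for u in users:
        # A username containing whitespace or a line break would alter the query.
        if re.search(r"\s", u):
            raise ValueError("username must not contain whitespace: %r" % u)
    return (" ".join(users) + "\r\n").encode("ascii")


def classify_finger_response(text):
    """Return the label of the first signature that matches, or 'unknown'."""
    for label, pattern in SIGNATURES:
        if pattern.search(text):
            return label
    return "unknown"


def classify_samples():
    """Classify every constructed sample; useful as a regression check on SIGNATURES."""
    return {name: classify_finger_response(body) for name, body in SAMPLE_RESPONSES.items()}
```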