Nmap Development mailing list archives

Re: Nmap Service Detection Proposal


From: Fyodor <fyodor () insecure org>
Date: Tue, 29 Aug 2000 10:34:47 -0700 (PDT)

On Tue, 29 Aug 2000, Paul Tod Rieger wrote:

> a) "an open port will first be tested" -- does this mean a port may
> be tested multiple times?

Yesh, although in most cases the actual service will correspond to the
registered port number, in which case only one connection will generally
be needed.

> Will this be stealthy?

Not really.  People who need stealth probably won't use it.  They can
assume all the open ports carry the expected service.  Also, you can
always use an anonymous dialup or bounce the service detection through a
series of open SOCKS proxies (note: nmap does not currently have code to
do that for you).

> Instead, if the service can't be identified from a single test,
> maybe it could just be flagged for closer inspection by the user.

Well, even a single test against each service may look pretty obvious in
target logs.  And I would like to have Nmap determine the service in
unexpected cases (this is the main purpose).  But perhaps there could be a
--servicescan_limit option that does what you are proposing.  I recently
added an undocumented --osscan_limit option which skips OS detection if it
is not likely to be useful (for example if no open ports are found).

Cheers,
-F



---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
