Nmap Development mailing list archives

Re: More Service Detection notes: HTTP, FTP, DNS, etc


From: Fyodor <fyodor () insecure org>
Date: Mon, 8 May 2006 23:14:08 -0700

On Mon, May 08, 2006 at 11:12:52PM -0700, doug () hcsw org wrote:
> Here are some more notes on this last batch of fingerprints:
>
> http://hcsw.org/blog.pl?a=13&b=16

From your May 4 entry:

> In order to exploit this even further, I am considering a new probe
> that would attempt to always generate a 404 error from the server by
> requesting a URL that certainly shouldn't exist. Something like
>
> Probe TCP FourOhFourRequest q|GET /0wned/by/Nmap.txt HTTP/1.0\r\n\r\n|
>
> The trick will be in figuring out the ordering and probable ports
> that will cause the least (hopefully 0) impact on the existing match
> line database.

That sounds like a good idea to me.  What do you recommend in terms of
the ordering and probable ports?  I kinda have mixed feelings about
the way we have 3 web-server-type probes in a row in the file.  So
maybe we should put this a bit further down, but with a bunch of
common web server ports (like those we have for HTTPOptions)?

The next question is what the text string should be.
/0wned/by/Nmap.txt would be amusing for a few hours until I get
flooded by hate mail from admins who don't know what is going on and
think I hacked their server :).  A short non-threatening message like
"/nice/ports" or "/Trinity/was/here" might be OK :).  Though I suppose
a more practical string might be something hard to Google yet unlikely
to exist ("/pear") or inconspicuous (/robot.txt or /robots.text
instead of the real /robots.txt).

Cheers,
-F


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
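The exchange above proposes a probe whose only job is to force a 404 so that the error page, not just the Server header, can be matched. The following is an added example, not Nmap's own code and not part of the thread: a minimal reader for the nmap-service-probes "Probe" and "match" line syntax (only the subset used here: q|...| payloads with backslash escapes, m<delim>regex<delim> patterns with the s/i flags, and p/ v/ i/ h/ o/ d/ fields with $N back-references), applied to constructed sample responses. The probe line is the one quoted in the message; the three match lines and the sample responses are hypothetical and are not taken from the real database.

```python
import re
import socket

# Added example (not Nmap's code).  Models just enough of the
# nmap-service-probes format to show what a forced-404 probe buys you.

# The probe proposed in the thread (name and path as quoted there).
PROBE_LINE = r"Probe TCP FourOhFourRequest q|GET /0wned/by/Nmap.txt HTTP/1.0\r\n\r\n|"

# Hypothetical match lines in nmap-service-probes style (illustrative only).
# The first two rely on the Server header; the third recovers the version from
# Apache's default 404 page when the header has been trimmed to a bare "Apache".
# The pattern delimiter must not occur inside the regex itself.
MATCH_LINES = [
    r"match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache/([\w._-]+)|s p/Apache httpd/ v/$1/",
    r"match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Microsoft-IIS/([\d.]+)|s p/Microsoft IIS httpd/ v/$1/",
    r"match http m|^HTTP/1\.[01] 404 .*<address>Apache/([\w._-]+) |s p/Apache httpd/ v/$1/ i/version leaked by 404 page/",
]

FIELD_NAMES = {"p": "product", "v": "version", "i": "info",
               "h": "hostname", "o": "os", "d": "device"}
FLAGS = {"s": re.DOTALL, "i": re.IGNORECASE}


def probe_bytes(probe_line):
    """Return the raw bytes a Probe line sends, with \\r\\n-style escapes decoded."""
    m = re.match(r"^Probe\s+(TCP|UDP)\s+(\S+)\s+q(\W)(.*)\3$", probe_line)
    if not m:
        raise ValueError("not a Probe line: %r" % probe_line)
    payload = m.group(4)
    # nmap's escapes (\r, \n, \t, \0, \xHH, \\) are the ones Python's
    # unicode_escape codec understands; round-trip via latin-1 to keep bytes.
    return payload.encode("latin-1").decode("unicode_escape").encode("latin-1")


def parse_match_line(line):
    """Split a match line into (service, compiled regex, {field letter: template})."""
    m = re.match(r"^match\s+(\S+)\s+m(\W)(.*?)\2([a-z]*)(?:\s+(.*))?$", line)
    if not m:
        raise ValueError("not a match line: %r" % line)
    service, _, pattern, flags, versioninfo = m.groups()
    flagbits = 0
    for f in flags:
        flagbits |= FLAGS[f]
    # Only the "/" delimiter is supported for version fields in this example.
    fields = dict(re.findall(r"\b([pvihod])/([^/]*)/", versioninfo or ""))
    return service, re.compile(pattern, flagbits), fields


def fingerprint(response, match_lines=MATCH_LINES):
    """Apply match lines in order; the first hit wins, as in Nmap. None if nothing matches."""
    text = response.decode("latin-1")
    for line in match_lines:
        service, regex, fields = parse_match_line(line)
        hit = regex.search(text)
        if hit is None:
            continue

        def expand(template):
            # Replace $1, $2, ... with the corresponding capture groups.
            return re.sub(r"\$(\d+)", lambda g: hit.group(int(g.group(1))) or "", template)

        result = {"service": service}
        for key, template in fields.items():
            result[FIELD_NAMES[key]] = expand(template)
        return result
    return None


def send_probe(host, port=80, timeout=5.0):
    """Send the probe to a host you are authorised to test; returns the raw response."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(probe_bytes(PROBE_LINE))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed sample responses (not captured from any real host).
APACHE_HIDDEN_HEADER = (
    b"HTTP/1.1 404 Not Found\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
    b"<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>"
    b"<address>Apache/2.0.55 (Unix) Server at www.example.org Port 80</address></body></html>"
)
IIS_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\nServer: Microsoft-IIS/6.0\r\nContent-Type: text/html\r\n\r\n"
    b"<h1>The page cannot be found</h1>"
)
SILENT_RESPONSE = b"HTTP/1.0 404 Not Found\r\nContent-Type: text/plain\r\n\r\nNot found\n"

if __name__ == "__main__":
    print(probe_bytes(PROBE_LINE))
    for sample in (APACHE_HIDDEN_HEADER, IIS_RESPONSE, SILENT_RESPONSE):
        print(fingerprint(sample))
```

Run with only the two header-based match lines and the "Server: Apache" host comes back unidentified; with the 404-page line added it yields the version, which is the gain the thread is after. Ports, rarity, softmatch lines and the real probe ordering are not modelled here; those are exactly the parts the thread says still need deciding.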

