Nmap Development mailing list archives

Re: More Service Detection notes: HTTP, FTP, DNS, etc


From: doug () hcsw org
Date: Fri, 19 May 2006 17:36:03 -0700

On Fri, May 19, 2006 at 02:35:49PM -0700 or thereabouts, Fyodor wrote:
> Actually, we may want to include some escaped characters as the way
> the 404 page returns them may give more details as to the service.
>
> Maybe "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0\r\n\r\n"
>
> Cheers,
> -F

The more I think about it, that looks like a really good probe! The
stranger we can make a request the more diverse and identifiable the
responses should be. That probe should elicit some interesting responses.
It will be very interesting to see how different HTTP based systems will
deal with the escaped characters in their 404 replies. Mixing ASCII
cases in the escape sequence is a really neat idea (%2C vs. %2e).

I'm attaching a simple patch to the nmap-service-probes file. Here's the
probe:

Probe TCP FourOhFourRequest q|GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0\r\n\r\n|
rarity 6
ports 80-85,88,8000-8010,8080-8085,8880-8888
fallback GetRequest


I put the probe fairly far down in the file: immediately after the X11Probe.
I figure this is the best place for it, especially considering the skype v1.0
protocol that often runs on random ports - probes like this new FourOhFourRequest
won't slow down scans against this common service.

I also figured a GetRequest fallback is in order for the same reason HTTPOptions
and RTSPRequest have them.

We can also add more common HTTP ports if we ever need to.

Doug

Attachment: nmap-service-probes-fourohfourrequest.patch
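As an added illustration (not code from the post, the patch, or Nmap itself), the script below parses the Probe line quoted above with a deliberately simplified reader that only understands the `q|...|` form, percent-decodes the request path the way a strict HTTP server would (so you can see what a lenient server is being asked for, including the mixed-case %6E / %2e escapes), and then flags that exact request target in a few constructed Apache-style access-log lines. The log lines and the 203.0.113.x client addresses are made up for the example; the probe string is copied verbatim from the message.

```python
import re
from urllib.parse import unquote

# Probe line exactly as posted to nmap-dev (raw string: \r\n stay as escape text).
PROBE_LINE = r"Probe TCP FourOhFourRequest q|GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0\r\n\r\n|"

# Simplified reader: only 'Probe <proto> <name> q<delim>...<delim>' is handled here.
# The real nmap-service-probes grammar allows other delimiters and more directives.
_PROBE_RE = re.compile(r"^Probe\s+(TCP|UDP)\s+(\S+)\s+q(.)(.*)\3\s*$")


def parse_probe_line(line):
    """Return (proto, name, raw_bytes) for a Probe line; raw_bytes is what goes on the wire."""
    m = _PROBE_RE.match(line)
    if not m:
        raise ValueError("not a Probe line: %r" % line)
    proto, name, _delim, body = m.groups()
    # The q|...| body uses C-style escapes (\r, \n, \xNN); turn them into real bytes.
    raw = body.encode("latin-1").decode("unicode_escape").encode("latin-1")
    return proto, name, raw


def decode_request_path(raw):
    """Pull the request-target out of the request line and percent-decode it.

    Returns (as_sent, decoded). unquote() treats hex digits case-insensitively,
    so %6E and %2e both decode; servers that differ here produce different 404s."""
    request_line = raw.split(b"\r\n", 1)[0].decode("ascii")
    _method, target, _version = request_line.split(" ")
    return target, unquote(target)


# Constructed access-log sample (Common Log Format); addresses are TEST-NET-3 placeholders.
ACCESS_LOG = """\
203.0.113.5 - - [19/May/2006:17:40:01 -0700] "GET /index.html HTTP/1.1" 200 1532
203.0.113.9 - - [19/May/2006:17:40:07 -0700] "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0" 404 214
203.0.113.9 - - [19/May/2006:17:40:07 -0700] "OPTIONS / HTTP/1.0" 200 0
"""

_CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) (\S+)" (\d{3})')


def find_probe_hits(log_text, probe_target):
    """Return (client, status) for every log line whose request-target equals the probe's.

    The match is on the undecoded target: the probe's distinctive escaping is the
    fingerprint, so a server-side decode would only blur it."""
    hits = []
    for line in log_text.splitlines():
        m = _CLF_RE.match(line)
        if m and m.group(3) == probe_target:
            hits.append((m.group(1), int(m.group(5))))
    return hits


if __name__ == "__main__":
    proto, name, raw = parse_probe_line(PROBE_LINE)
    target, decoded = decode_request_path(raw)
    print(proto, name, raw)
    print(target, "->", decoded)
    print(find_probe_hits(ACCESS_LOG, target))
```

The detection half matches on the request-target as sent rather than on its decoded form: the decoded path ("/nice ports,/Trinity.txt.bak") could be produced by many requests, but the specific mixture of %20, %2C, %6E and %2e is what makes this probe recognisable in a web server's log.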
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev