Nmap Development mailing list archives

PATCH: Option to skip NULL probe


From: doug () hcsw org
Date: Thu, 28 Feb 2008 13:12:29 -0800

Hi nmap-dev,

I'm attaching a simple but useful patch to Nmap that does nothing
except scratch my own itch of impatience. As you might be aware,
against TCP ports version detection will first apply a "NULL probe"
to the service. This actually isn't a real probe. Nmap just connects
to the service and waits for data to be sent to it. For most protocols
like SSH, FTP, SMTP, etc, etc, this works fine because the server will
send a banner or whatever and we will get our data back immediately.
However, for services like HTTP (and I can't think of many others),
correctly written daemons [1] will wait for the client to issue a
request first. So against such services Nmap will wait for 6s [2]
before applying a real probe.  The patch I'm attaching adds an option:
--version-skip-null. This option skips the NULL probe and immediately
jumps to the first real probe applicable to the service. [3]

Normal:

doug@eclipse:~/nmap/svn/nmap$ ./nmap -sV -p 80 -P0 hcsw.org

Starting Nmap 4.53 ( http://nmap.org ) at 2008-02-28 12:48 PST
Interesting ports on hcsw.org (65.98.116.106):
PORT   STATE SERVICE VERSION
80/tcp open  http    Anti-Web httpd 3.0.7 (Best httpd out there!)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.540 seconds

That took just over 6 seconds.

With the new option:

doug@eclipse:~/nmap/svn/nmap$ ./nmap -sV -p 80 -P0 --version-skip-null hcsw.org

Starting Nmap 4.53 ( http://nmap.org ) at 2008-02-28 12:48 PST
Interesting ports on hcsw.org (65.98.116.106):
PORT   STATE SERVICE VERSION
80/tcp open  http    Anti-Web httpd 3.0.7 (Best httpd out there!)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.626 seconds

That took just over 0 seconds.

Best,

Doug

[1] Though there are dozens of httpds matched in nmap-service-probes that
just blurt out data without seeing any request, completely in disregard of
HTTP RFCs. We will still match these OK thanks to the "NULL probe cheat".
See the version detection docs.

[2] This amount of time depends on the totalwaitms line for the probe
in question. Without this line, it defaults to 5s. The NULL probe has
it set at 6s because it works better for certain smtpd configurations.

[3] Maybe it would be worthwhile "special-casing" HTTP so that we always
skip the NULL probe against port 80?

Attachment: nmap-4.53-skip-null.patch

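As an added illustration (not Doug's patch and not Nmap's own code), the following Python script models the flow the mail describes: a NULL probe that connects and waits the probe's totalwaitms for the service to volunteer data, followed by the first real probe, run against two constructed local daemons (one banner-first like SMTP, one request-first like RFC-compliant HTTP). The wait is scaled down from 6 s to 0.5 s, and the daemon banners and probe names are constructed for the demo.

```python
import socket
import threading
import time

def serve_fake_daemon(banner, wait_for_request):
    """Constructed stand-in for a service on 127.0.0.1 (not a real daemon).
    wait_for_request=False: SMTP/SSH-style, the banner is sent on connect.
    wait_for_request=True: RFC-style HTTP, nothing is sent until a request arrives."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))           # kernel picks a free port
    srv.listen(5)
    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                if wait_for_request:
                    conn.settimeout(5)
                    try:
                        if not conn.recv(1024):   # b"" means the client gave up
                            continue
                    except OSError:
                        continue
                try:
                    conn.sendall(banner)
                except OSError:
                    pass
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def detect(port, skip_null=False, null_wait=0.5, probe_wait=0.5):
    """Simplified -sV flow: NULL probe first unless skipped, then a real probe.
    null_wait stands in for the NULL probe's totalwaitms (6 s in Nmap, scaled down).
    Returns (bytes_received, probe_name, seconds_elapsed)."""
    start = time.monotonic()
    if not skip_null:
        with socket.create_connection(("127.0.0.1", port)) as s:
            s.settimeout(null_wait)
            try:
                data = s.recv(4096)      # banner-first services answer here
            except OSError:
                data = b""               # silence: the service wants a request
        if data:
            return data, "NULL", time.monotonic() - start
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.settimeout(probe_wait)
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")   # first real probe applicable to HTTP
        data = s.recv(4096)
    return data, "GetRequest", time.monotonic() - start

if __name__ == "__main__":
    http = serve_fake_daemon(b"HTTP/1.0 200 OK\r\nServer: ExampleHTTPd/1.0\r\n\r\n", True)
    for skip in (False, True):
        data, probe, took = detect(http, skip_null=skip)
        print(f"skip_null={skip}: matched via {probe} in {took:.2f}s: {data[:30]!r}")
```

Against the request-first daemon the run without skip_null spends the whole null_wait before the GetRequest probe succeeds, while the run with skip_null returns in a few milliseconds, which is the difference between the 6.5 s and 0.6 s scans above.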

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org