Nmap Development mailing list archives
PATCH: Option to skip NULL probe
From: doug () hcsw org
Date: Thu, 28 Feb 2008 13:12:29 -0800
Hi nmap-dev,

I'm attaching a simple but useful patch to Nmap that does nothing except scratch my own itch of impatience.

As you might be aware, against TCP ports version detection will first apply a "NULL probe" to the service. This actually isn't a real probe. Nmap just connects to the service and waits for data to be sent to it. For most protocols like SSH, FTP, SMTP, etc, etc, this works fine because the server will send a banner or whatever and we will get our data back immediately. However, for services like HTTP (and I can't think of many others), correctly written daemons [1] will wait for the client to issue a request first. So against such services Nmap will wait for 6s [2] before applying a real probe.

The patch I'm attaching adds an option: --version-skip-null. This option skips the NULL probe and immediately jumps to the first real probe applicable to the service. [3]

Normal:

    doug@eclipse:~/nmap/svn/nmap$ ./nmap -sV -p 80 -P0 hcsw.org

    Starting Nmap 4.53 ( http://nmap.org ) at 2008-02-28 12:48 PST
    Interesting ports on hcsw.org (65.98.116.106):
    PORT   STATE SERVICE VERSION
    80/tcp open  http    Anti-Web httpd 3.0.7 (Best httpd out there!)

    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 6.540 seconds

That took just over 6 seconds. With the new option:

    doug@eclipse:~/nmap/svn/nmap$ ./nmap -sV -p 80 -P0 --version-skip-null hcsw.org

    Starting Nmap 4.53 ( http://nmap.org ) at 2008-02-28 12:48 PST
    Interesting ports on hcsw.org (65.98.116.106):
    PORT   STATE SERVICE VERSION
    80/tcp open  http    Anti-Web httpd 3.0.7 (Best httpd out there!)

    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 0.626 seconds

That took just over 0 seconds.
Best,

Doug

[1] Though there are dozens of httpds matched in nmap-service-probes that just blurt out data without seeing any request, completely in disregard of HTTP RFCs. We will still match these OK thanks to the "NULL probe cheat". See the version detection docs.

[2] This amount of time depends on the totalwaitms line for the probe in question. Without this line, it defaults to 5s. The NULL probe has it set at 6s because it works better for certain smtpd configurations.

[3] Maybe it would be worthwhile "special-casing" HTTP so that we always skip the NULL probe against port 80?
Attachment:
nmap-4.53-skip-null.patch
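To make the timing behaviour Doug describes concrete, here is an added Python sketch (not Nmap's code and not the attached patch) of a NULL probe followed by the first real probe, with a skip_null switch in the spirit of --version-skip-null; the local test service, the 4096-byte reads and the "GET / HTTP/1.0" request body are assumptions constructed for the example.

```python
import socket
import threading
import time

NULL_PROBE_WAIT_S = 6.0  # totalwaitms of the NULL probe in nmap-service-probes

def null_probe(host, port, wait_s=NULL_PROBE_WAIT_S):
    """NULL probe: connect, send nothing, and wait for the service to speak first."""
    with socket.create_connection((host, port), timeout=wait_s) as s:
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""  # a well-behaved httpd stays silent; the whole wait was spent

def get_request_probe(host, port, wait_s=5.0):
    """First real probe after NULL: send a request and read until the server closes."""
    with socket.create_connection((host, port), timeout=wait_s) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")  # constructed probe string
        reply = b""
        try:
            while chunk := s.recv(4096):
                reply += chunk
        except socket.timeout:
            pass
    return reply

def detect(host, port, skip_null=False, null_wait_s=NULL_PROBE_WAIT_S):
    """Return (probe that got an answer, response bytes, seconds spent)."""
    start = time.monotonic()
    if not skip_null:  # --version-skip-null jumps straight to the real probe
        banner = null_probe(host, port, null_wait_s)
        if banner:
            return "NULL", banner, time.monotonic() - start
    return "GetRequest", get_request_probe(host, port), time.monotonic() - start

def start_test_service(banner=None):
    """Constructed local service: banner-first daemon if banner given, else an httpd that waits for a request."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                if banner:
                    conn.sendall(banner)  # SSH/FTP/SMTP style: talk immediately
                elif conn.recv(4096):  # correct httpd: answer only once asked
                    conn.sendall(b"HTTP/1.0 200 OK\r\nServer: demo\r\n\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against the banner-first service the NULL probe answers at once; against the silent httpd the full null_wait_s is burned before GetRequest runs, and skip_null=True removes that wait entirely.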
Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org