Nmap Development mailing list archives

Re: does nmap already do this?


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 16 Aug 2008 00:57:44 +0000


Hey Mike, your email came in somewhat mangled for me but I've tried to
reply below.

On Sat, 16 Aug 2008 00:46:26 +0000
mike <dmciscobgp () hotmail com> wrote:

> Hello
> I was scanning with nmap today and noticed something that could
> possibly be added (unless it already is somewhere and I don't see it).
> Why not include in the output after a scan, in the nmap-services
> output section, the name of the actual EXE/application that created
> the socket? I was scanning the machine my roommate has upstairs and I
> found these items:
>
> 1025/tcp open  unknown                syn-ack
> 6646/tcp open  Mcafee-Network-Agent   syn-ack
> 9485/tcp open  DISCover-Stream-Hub    syn-ack
>
> Now I already realize the tcp port 1025 is an RPC based service that
> needs querying which nmap does not support for windows at the moment.
> The other services are what I want you to look at. It is a
> Hewlett-Packard machine. I actually went upstairs and did a
> verification of what applications actually created these sockets by
> doing a simple taskmgr dump. I simply added those service names to the
> file "nmap-services". What I wanted to show you was an application
> path example. Here is the one for DISCover Stream Hub:
>
> Application: C:\Program Files\DISC\DiscStreamHub.exe
> Parent: C:\Program Files\DISC\DISCover.exe
> Protocol: TCP In
> Destination: 0.0.0.0::9485
>
> Now I don't want nmap to clutter the output after a scan with
> EVERYTHING! I simply feel it would be quite nice to have the name of
> the application or path that created the listening socket. Anyone
> agree? I am not the coder here, so I am simply throwing out the idea
> to you guys. Think about it. If you had the exact name of the path and
> what opened the socket, you could go right into trying to run your
> exploits or whatever else you care to use. It takes the guesswork out
> of a lot of things. As far as how these application paths would be
> added to nmap, I simply recommend we add them to a database just like
> any other way we submit things here. OK, I did my part. The idea is
> out there, so embrace it or shoot it down. Thank you, Mike

If I understand what you're saying, you weren't using -sV or -A.  It
sounds like you did a scan and Nmap mapped the port numbers to service
names via the nmap-services file.

Nmap has a "version scan" option that you can enable by using -sV.  In
this mode, Nmap connects to each open port, sends a series of probes,
and tries to determine what application has that port open.

In your case you might get matches, you might get unknown service
fingerprints (submit those!) or you might not get any output (unknown
service).  We always want to improve service fingerprinting by adding
more probes and matches so any help there will be much appreciated.

As for including the actual executable name... for the most part that
is a dangerous thing to do.  Vendors often change names, paths, get
bought by other companies, etc.  The underlying protocol and port
though rarely changes.  Suppose we saw port 6881 open.  Should we say
bittorrent.exe?  Azureus.exe?  java.exe?  Often there is no way to
determine the "correct" executable name and assuming that it will stay
static from version to version is a mistake.

If I'm completely off-base with this email or didn't understand what
you're suggesting feel free to reply to the list and say so.  I'd like
to fully flesh out your idea.

Brandon


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
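The distinction Brandon draws above (a name looked up from the nmap-services table versus one confirmed by -sV probes) is recorded explicitly in Nmap's XML output (-oX), where each `<service>` element carries method="table" or method="probed". The script below is an added example, not code from this thread or from the Nmap project; it parses a constructed -oX fragment (the host address and the port entries are made up, modelled on Mike's listing) and separates ports whose service name is only a table guess from those a probe actually confirmed.

```python
"""Separate Nmap service names taken from the nmap-services table from
names confirmed by -sV probes, using Nmap's XML (-oX) output."""
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not a real scan): three ports named
# only by port-number lookup, one confirmed by a version probe.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="1025"><state state="open" reason="syn-ack"/>
        <service name="unknown" method="table" conf="3"/></port>
      <port protocol="tcp" portid="6646"><state state="open" reason="syn-ack"/>
        <service name="Mcafee-Network-Agent" method="table" conf="3"/></port>
      <port protocol="tcp" portid="9485"><state state="open" reason="syn-ack"/>
        <service name="DISCover-Stream-Hub" method="table" conf="3"/></port>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4"
                 method="probed" conf="10"/></port>
    </ports>
  </host>
</nmaprun>
"""


def classify_services(xml_text):
    """Return {"probed": [...], "table": [...]}; each entry is
    (port, name, product) for an open port.  "table" means the name is only
    a guess from nmap-services and should be treated as unverified."""
    root = ET.fromstring(xml_text)
    result = {"probed": [], "table": []}
    for port in root.iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue
        portid = int(port.get("portid"))
        svc = port.find("service")
        if svc is None:  # open port with no service element at all
            result["table"].append((portid, "unknown", None))
            continue
        key = "probed" if svc.get("method") == "probed" else "table"
        result[key].append((portid, svc.get("name", "unknown"), svc.get("product")))
    return result


if __name__ == "__main__":
    r = classify_services(SAMPLE_XML)
    for p, n, _ in r["table"]:
        print(f"{p}/tcp {n:<22} name from nmap-services only; verify with -sV")
    for p, n, prod in r["probed"]:
        print(f"{p}/tcp {n:<22} confirmed by probe ({prod})")
```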