Nmap Development mailing list archives

Harnessing Service Discovery


From: Toni Ruottu <toni.ruottu () iki fi>
Date: Mon, 24 Nov 2008 20:18:19 +0200


  hello


The question about similarities and differences between port scanning
and service discovery technologies has been bothering me for a while.
The trust relationships in these two cases seem different.

Port scanning is able to detect ports that the system administrator did
not want people to know about or did not care to advertise. Port
scanning also gives a real picture about how the system actually works.
System administrators can try to fool port scanners or detect their use.
Port scanning is usually active, i.e. port scanners send network packets
to the target. Passive port scanning is also possible, but isn't usually
equally effective, unless the scanning is done on a router that forwards
lots of traffic.

Service discovery technologies (like Bonjour [1]) are configured by
system administrators, or they may be automatically configured by
certain services. From an ethical point of view, connecting to a port
which is actively advertised is usually considered to be OK (at least
as long as one follows the protocol ;-). There is, however, no guarantee
that the advertised services are available. Also, the advertisements
could have been created by an evil administrator in hopes of getting
connections from innocent users with vulnerable client software.
Receiving service advertisements is passive, although some designs might
require the user to authenticate or send ACKs for received
advertisements. These techniques may be used to protect the computing
environment or to provide statistics about its use.

From a trust point of view, port scanning is safer for the user because
he doesn't have to trust the administrator to provide him with correct
information about the services. From the administrator's point of view,
service discovery technologies are better as they empower her to lead or
mislead the poor user as she wants.

When combining these technologies is discussed, one could think of a
discovery service based on port scanning. This is kind of a
sledgehammer approach, but it is certainly relevant for some use cases
and has received some attention from researchers recently [2].

The technologies can also be combined to improve port scanners. Port
scanners can use service discovery as a source of information regarding
open ports. In some cases a port scanner could avoid sending any
packets, if a discovery service already revealed enough information
regarding the interesting ports.

Service discovery can also be used to get a list of target hosts/ports
to scan. In a local network, port scanning the advertised hosts could be
used to verify that the services are actually running, while in a
foreign network, the advertisements might reveal interesting nodes to
scan (or honeypots used for port scan detection!).

[1] http://en.wikipedia.org/wiki/Bonjour_(software)
[2] http://gnunet.org/download/bootstrap.pdf

------------------------------------------------------------------------

To get my hands dirty on the subject, I wrote a simple script which uses
the Avahi Bonjour implementation to produce an Nmap-compatible XML file
that can be opened in Zenmap for inspection. I have attached the script
to this email for your convenience, but I also created a Bazaar
repository on Launchpad.net for those of you who'd prefer getting a
branch instead.

To try out the software on Ubuntu I'd do the following:

sudo apt-get install zenmap avahi-utils bzr
cd /tmp
bzr branch lp:bonmap
cd bonmap
./bonmap > mylan.xml
zenmap mylan.xml

I'd expect Bonmap to work on any Linux-based system that is able to
run Python and Avahi. I apologize for not supporting <your favorite
platform name here>. Check https://launchpad.net/bonmap/ if you wish.


  best regards  --Toni
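The conversion Bonmap performs, sketched as an added example (this is not the bonmap script from the post, and the sample records are constructed): parse the parsable output of `avahi-browse -p -r -t -a` and emit Nmap-style XML, with each advertised port marked `open` and a reason string of my own choosing, `mdns-advertisement`, recording that the port was claimed by an advertisement rather than observed by a probe. Calling `to_nmap_xml(parse_avahi(SAMPLE))` returns the XML document as a string.

```python
import re
import time
import xml.etree.ElementTree as ET

# Constructed sample of `avahi-browse -p -r -t -a` output; only '=' (resolved) records
# carry an address and port: event;iface;proto;name;type;domain;host;addr;port;txt
SAMPLE = r"""
+;eth0;IPv4;Toni\039s\032Laptop;_ssh._tcp;local
=;eth0;IPv4;Toni\039s\032Laptop;_ssh._tcp;local;laptop.local;192.168.1.10;22;
=;eth0;IPv4;Toni\039s\032Laptop;_afpovertcp._tcp;local;laptop.local;192.168.1.10;548;
=;eth0;IPv4;Office\032Printer;_ipp._tcp;local;printer.local;192.168.1.20;631;"txtvers=1"
=;eth0;IPv6;Office\032Printer;_ipp._tcp;local;printer.local;fe80::1;631;"txtvers=1"
"""

def unescape(field):
    return re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1))), field)  # \NNN decimal escapes

def parse_avahi(text):
    hosts = {}  # (address, addrtype) -> {"hostname": str, "ports": {(proto, port): (service, instance)}}
    for line in text.splitlines():
        fields = line.split(";", 9)  # keep any ';' inside the TXT field intact
        if len(fields) != 10 or fields[0] != "=":
            continue  # skip unresolved ('+'/'-') events and blank lines
        _, _iface, ipver, name, stype, _dom, hostname, addr, port, _txt = fields
        m = re.fullmatch(r"_(.+)\._(tcp|udp)", stype)  # e.g. _ssh._tcp -> ("ssh", "tcp")
        if not m:
            continue
        addrtype = "ipv6" if ipver == "IPv6" else "ipv4"
        host = hosts.setdefault((addr, addrtype), {"hostname": hostname, "ports": {}})
        host["ports"][(m.group(2), int(port))] = (m.group(1), unescape(name))
    return hosts

def to_nmap_xml(hosts, scanner="bonmap-example"):
    now = str(int(time.time()))
    run = ET.Element("nmaprun", scanner=scanner, args=scanner, start=now, version="0.1", xmloutputversion="1.02")
    for (addr, addrtype), info in sorted(hosts.items()):
        h = ET.SubElement(run, "host")
        ET.SubElement(h, "status", state="up", reason="mdns-advertisement")  # a claim, not an observation
        ET.SubElement(h, "address", addr=addr, addrtype=addrtype)
        ET.SubElement(ET.SubElement(h, "hostnames"), "hostname", name=info["hostname"], type="mdns")
        ports = ET.SubElement(h, "ports")
        for (proto, port), (svc, instance) in sorted(info["ports"].items()):
            p = ET.SubElement(ports, "port", protocol=proto, portid=str(port))
            ET.SubElement(p, "state", state="open", reason="mdns-advertisement")
            ET.SubElement(p, "service", name=svc, product=instance, method="table", conf="3")
    stats = ET.SubElement(run, "runstats")
    ET.SubElement(stats, "finished", time=now, elapsed="0")
    ET.SubElement(stats, "hosts", up=str(len(hosts)), down="0", total=str(len(hosts)))
    return ET.tostring(run, encoding="unicode")
```

Because every state carries the `mdns-advertisement` reason, a later real scan of the same hosts can be compared against this file to see which advertised ports are actually reachable.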


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
