Re: [NSE][PATCH] OpenSSL bindings for NSE

[Sven Klemm <sven () c3d2 de>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi v4lkyrius,

> I first noticed this in auth.log when I got port scanned by a friend a
> while back. My firewall rules have reflected this observation ever
> since.
> Defeats the purpose of nmap, does it not?
>
> For example:
>
>   pluto: # nmap -A -p 22 localhost
>
>   Starting Nmap 4.60 ( http://nmap.org ) at 2008-11-26 06:05 EST
>   Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
>   Interesting ports on localhost (127.0.0.1):
>   PORT   STATE SERVICE VERSION
>   22/tcp open  ssh     OpenSSH 5.0 (protocol 2.0)
>   Warning: OSScan results may be unreliable because we could not find
> at least 1 open and 1 closed port
>   Device type: general purpose
>   Running: Linux 2.6.X
>   OS details: Linux 2.6.17 - 2.6.24
>   Uptime: 0.217 days (since Wed Nov 26 00:52:52 2008)
>   Network Distance: 0 hops
>
>   OS and Service detection performed. Please report any incorrect
> results at http://nmap.org/submit/ .
>   Nmap done: 1 IP address (1 host up) scanned in 1.360 seconds
>
>   pluto:/var/log # tail messages | grep sshd
>   Nov 26 06:05:29 pluto sshd[7947]: Did not receive identification
> string from 127.0.0.1
>   Nov 26 06:05:30 pluto sshd[7951]: Protocol major versions differ for
> 127.0.0.1: SSH-2.0-OpenSSH_5.0 vs. SSH-1.5-NmapNSE_1.0
>   pluto:/ # iptables -I INPUT -p tcp -m string --string "NmapNSE"
> --algo bm -j DROP
>   pluto:/ # iptables -I INPUT -p tcp -m string --string "NmapNSE"
> --algo bm -j LOG --log-prefix "n00b nmap scan: "
>   pluto:/ # nmap -A -p22 localhost
>
>   Starting Nmap 4.60 ( http://nmap.org ) at 2008-11-26 06:08 EST
>   Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
>   ^C
>   pluto:/var/log # grep n00b firewall | tail -1
>   Nov 26 06:08:35 pluto kernel: n00b nmap scan: IN=lo OUT=
> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1
> DST=127.0.0.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=6129 DF PROTO=TCP
> SPT=27995 DPT=22 WINDOW=257 RES=0x00 ACK PSH URGP=0
>
>
> Frankly, I'm surprised no one has so much as mentioned this before (at
> least publicly, according to Google). They say discretion is the
> polite word for hypocrisy. ;-)

the fact that nmap advertises itself has been discussed, here:
http://seclists.org/nmap-dev/2008/q2/0505.html . There are a few place
were nmap does this advertising, e.g. the NSE http, ssh1 and ssh2
libraries do it.
Your solution to drop TCP connections based on arbitrary strings
doesn't seem like a good idea to me.

Cheers,
Sven

- --
Sven Klemm
http://cthulhu.c3d2.de/~sven/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkvvrcACgkQevlgTHEIT4alagCfZCu+O9HG4jsiPebHZvvi0XGy
fOwAn2NOkPkFl7szY2GGxiAAJlQJ8Xzx
=Sr1B
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org