Nmap Development mailing list archives

nmap improvements suggestion: portmapped services discovery


From: "Konstantin V. Gavrilenko" <mlists () arhont com>
Date: Fri, 27 Mar 2009 15:11:36 +0000

Hello list,

I guess many of you have come across situations when you scan an IP,
find some open ports, and notice that the discovered services should be
running on different machines, or even a different OS.

The most likely cause for this is that the ports are actually being portmapped
on the firewall to several different machines running on the internal
network behind the firewall.
The other potential cause is that the firewall tampers with the TCP/IP
options of the packets, or the service has non-standard, misleading banners.

Although we have correct information about the open ports and services
visible on that specific IP from the external side, it is misleading, to
say the least, about the results of the actual tests performed later during -A
or -O, which are in most cases incorrect, due to the fact that the open and
closed ports chosen for IPID, TCP SN, uptime, TTL etc. can belong to
different hosts.


I couldn't find functionality in nmap that would help users
identify such situations during runtime, which is a pity, since it would be
a great addition to the scanner to look one step further.

One way to overcome this problem is to either revert to hping2
and test each port found by nmap individually and compare the results, or
scan each individual port with nmap separately and compare the results :)



So what I want to propose as an improvement is that for each individual port
responding with SA or RA, we should probe and generate:
- TCP Sequence index and class
- IPID Sequence class
- TCP timestamp (uptime value)
- TTL value returned (already included in the XML output as <reason_ttl>)

I suggest including this information within the individual <port> section
in the XML output.

<port protocol="tcp" portid="179"><state state="open" reason="syn-ack"
reason_ttl="56"/><service name="tcpwrapped" method="probed" conf="8" /></port>

Based on the obtained values, it would be possible to make decisions about
whether the open services belong to the same host or not.
In the ideal situation, the values TCPsequence_class and
IPIDsequence_class should be similar, while the values TTL and uptime should
be equal amongst all the services running on the host.

By comparing those values for individual services we can make a sound
decision whether the services are running on the same machine or not.

In my non-coder opinion, it shouldn't be too difficult to implement, since
all the necessary functions are already there in the code. So it's just a
matter of extending their applicability and adding some decision logic based
on the obtained values.


What do you think?




-- 
Yours sincerely,
Konstantin V. Gavrilenko

Arhont Information Security Ltd

web:    http://www.arhont.com
        http://www.wi-foo.com
e-mail: k.gavrilenko () arhont com

tel: +44 (0) 870 44 31337
fax: +44 (0) 208 429 3111

PGP: Key ID - 0xE81824F4
PGP: Server - keyserver.pgp.com

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
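As an added illustration of the comparison the post proposes (not code from the post or from the nmap project), the script below parses a constructed nmap-style XML fragment in which each <port> carries the suggested per-port values under hypothetical attribute names (tcp_seq_class, ipid_seq_class and uptime on a <fingerprint> child element), and groups open ports by TTL, sequence classes and uptime so that ports likely served by different backend hosts fall into separate groups. A small uptime tolerance is assumed, since probes to different ports are sent at different moments.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of nmap's XML port output, extended with a
# hypothetical <fingerprint> element carrying the per-port values the post
# proposes. nmap itself does not emit these attributes per port.
SAMPLE_XML = """<nmaprun><host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="56"/>
<service name="ssh"/><fingerprint tcp_seq_class="random positive increments"
ipid_seq_class="All zeros" uptime="86400"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="56"/>
<service name="http"/><fingerprint tcp_seq_class="random positive increments"
ipid_seq_class="All zeros" uptime="86412"/></port>
<port protocol="tcp" portid="179"><state state="open" reason="syn-ack" reason_ttl="120"/>
<service name="tcpwrapped"/><fingerprint tcp_seq_class="truly random"
ipid_seq_class="Incremental" uptime="3600"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="56"/>
<service name="https"/><fingerprint tcp_seq_class="random positive increments"
ipid_seq_class="All zeros" uptime="86420"/></port>
</ports></host></nmaprun>"""


def port_fingerprints(xml_text):
    """Collect TTL, sequence classes and uptime for every open port."""
    out = []
    for port in ET.fromstring(xml_text).iter("port"):
        state, fp = port.find("state"), port.find("fingerprint")
        if state is None or fp is None or state.get("state") != "open":
            continue
        out.append({"port": int(port.get("portid")),
                    "ttl": int(state.get("reason_ttl")),
                    "tcp_seq": fp.get("tcp_seq_class"),
                    "ipid_seq": fp.get("ipid_seq_class"),
                    "uptime": int(fp.get("uptime"))})
    return out


def group_by_host(fps, uptime_slack=60):
    """Cluster ports whose TTL and sequence classes match and whose uptime
    agrees within uptime_slack seconds (assumed tolerance for probe timing).
    Each returned group is a sorted list of port numbers; more than one
    group suggests the IP fronts several backend hosts."""
    groups = []
    for fp in sorted(fps, key=lambda f: f["uptime"]):
        for g in groups:
            ref = g[0]
            if (fp["ttl"] == ref["ttl"] and fp["tcp_seq"] == ref["tcp_seq"]
                    and fp["ipid_seq"] == ref["ipid_seq"]
                    and abs(fp["uptime"] - ref["uptime"]) <= uptime_slack):
                g.append(fp)
                break
        else:
            groups.append([fp])
    return [sorted(f["port"] for f in g) for g in groups]
```

On the sample, port 179 (different TTL, sequence classes and uptime) lands in its own group, while 22, 80 and 443 cluster together.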

