Nmap Development mailing list archives
nmap improvements suggestion: portmapped services discovery
From: "Konstantin V. Gavrilenko" <mlists () arhont com>
Date: Fri, 27 Mar 2009 15:11:36 +0000
Hello list,

I guess many of you have come across situations when you scan an IP, find some open ports, and notice that the discovered services should be running on different machines, or even different OSes. The most likely cause for this is that the ports are actually being portmapped on the firewall to several different machines running on the internal network behind the firewall. The other potential cause is that the firewall tampers with the TCP/IP options of the packets, or the service has non-standard, misleading banners.

Although we have correct information about the open ports and services visible on that specific IP from the external side, it is misleading, to say the least, about the results of the actual tests performed later during -A or -O, which are in most cases incorrect, due to the fact that the open and closed ports chosen for IPID, TCP SN, uptime, TTL etc. can belong to different hosts.

I couldn't find functionality in nmap that would help users identify such situations during runtime, which is a pity, since it would be a great addition to the scanner to look one step further. One of the ways to overcome this problem is to either revert to hping2 and test each port found by nmap individually and compare the results, or scan each individual port with nmap separately and compare the results :)

So what I want to propose as an improvement is that for each individual port responding with SA or RA, we should probe and generate:

- TCP Sequence index and class
- IPID Sequence class
- TCP timestamp (uptime value)
- TTL value (the returned TTL is already included in the XML output as <reason_ttl>)

I suggest including this information within the individual <port> section in the XML output:

<port protocol="tcp" portid="179"><state state="open" reason="syn-ack" reason_ttl="56"/><service name="tcpwrapped" method="probed" conf="8" /></port>

Based on the obtained values, it would be possible to make decisions about whether the open services belong to the same host or not. In the ideal situation, the values (TCP sequence class and IPID sequence class) should be similar, while the values (TTL and uptime) should be equal amongst all the services running on the host. By comparing those values for individual services we can make a sound decision about whether the services are running on the same machine or not.

In my, non-coder, opinion, it shouldn't be too difficult to implement, since all the necessary functions are already there in the code. So it's just a matter of extending their applicability and some of the decision logic upon the obtained values.

What do you think?

-- 
Yours sincerely,
Konstantin V. Gavrilenko
Arhont Information Security Ltd
web: http://www.arhont.com http://www.wi-foo.com
e-mail: k.gavrilenko () arhont com
tel: +44 (0) 870 44 31337
fax: +44 (0) 208 429 3111
PGP: Key ID - 0xE81824F4
PGP: Server - keyserver.pgp.com

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
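The one per-port field the post notes is already present in Nmap's XML output is reason_ttl. The script below is an added example (not part of the post, and not Nmap project code) that does the comparison the post argues for using only that field: it parses Nmap -oX output, clusters the open TCP ports by the TTL of the SYN/ACK that came back, and flags the scan when more than one cluster appears. The XML it parses is constructed sample output, not a real scan; the candidate initial-TTL list (64, 128, 255) is the usual OS defaults and is an assumption of the example.

```python
"""Group open TCP ports in Nmap XML output by the per-port reason_ttl.

Added example: different reason_ttl values behind one IP are a hint that
the ports are forwarded to different hosts (or at least different paths).
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: a single-IP scan where three ports answer with TTL 56
# and two with TTL 120. Not real scan output.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX - 203.0.113.10">
  <host>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="56"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="56"/><service name="http"/></port>
      <port protocol="tcp" portid="179"><state state="open" reason="syn-ack" reason_ttl="56"/><service name="tcpwrapped"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="120"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack" reason_ttl="120"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="8080"><state state="closed" reason="reset" reason_ttl="56"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed common initial TTLs (Linux/BSD 64, Windows 128, some network gear 255).
INITIAL_TTLS = (64, 128, 255)


def open_port_ttls(xml_text):
    """Return {portid: reason_ttl} for the open TCP ports of the first host."""
    root = ET.fromstring(xml_text)
    result = {}
    for port in root.iterfind("./host/ports/port"):
        if port.get("protocol") != "tcp":
            continue
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue
        ttl = state.get("reason_ttl")
        if ttl is None:  # e.g. no-response states carry no TTL
            continue
        result[int(port.get("portid"))] = int(ttl)
    return result


def group_by_ttl(port_ttls):
    """Cluster ports by observed TTL; each cluster is a candidate distinct host."""
    groups = defaultdict(list)
    for port, ttl in sorted(port_ttls.items()):
        groups[ttl].append(port)
    return dict(groups)


def likely_initial_ttl(observed):
    """Smallest common initial TTL that is >= the observed value."""
    for initial in INITIAL_TTLS:
        if observed <= initial:
            return initial
    return None


def analyze(xml_text):
    """Return TTL clusters, their inferred hop counts, and a multi-host flag.

    Two clusters with the same hop count but different initial TTLs (e.g. 56
    and 120, both 8 hops away) point at different OSes behind the same IP
    rather than merely different path lengths.
    """
    groups = group_by_ttl(open_port_ttls(xml_text))
    hops = {}
    for ttl in groups:
        initial = likely_initial_ttl(ttl)
        hops[ttl] = None if initial is None else initial - ttl
    return {
        "groups": groups,
        "hops": hops,
        "multi_host_suspected": len(groups) > 1,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_XML)
    for ttl, ports in report["groups"].items():
        print(f"TTL {ttl:>3} (~{report['hops'][ttl]} hops): ports {ports}")
    if report["multi_host_suspected"]:
        print("Open ports split across TTL clusters: likely port-forwarded "
              "to more than one host; treat -O/-A results with suspicion.")
```

On real scans feed it the file written by `nmap -sS -oX out.xml <target>`. A TTL split alone is only a hint, since equal initial TTLs behind different internal hop counts would also produce different reason_ttl values; agreement on the other fields the post proposes (IPID class, TCP sequence class, uptime) is what would turn the hint into the "sound decision" the post asks for.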
Current thread:
- nmap improvements suggestion: portmapped services discovery Konstantin V. Gavrilenko (Mar 27)