Re: Question on --version-intensity and -sR interaction

[Daniel Miller <bonsaiviking () gmail com>]

On Fri, Mar 4, 2011 at 4:55 PM, Fyodor <fyodor () insecure org> wrote:
> When service detection is enabled, RPC scan (-sR) only runs against
> ports which were determined (by service detection) to be "rpcbind".
> This can only happen in response to three probes: tcp "RPCCheck", tcp
> "NotesRPC", or udp "RPCCheck".

Maybe this is just a documentation issue, then. The man page says
"""
It takes all the TCP/UDP ports found open and floods them with SunRPC
program NULL commands in an attempt to determine whether they are RPC
ports, and if so, what program and version number they serve up. Thus
you can effectively obtain the same info as rpcinfo -p even if the
target's portmapper is behind a firewall (or protected by TCP
wrappers)
"""
which seems to contradict what you said about only if they are
detected as "rpcbind."

> In addition to the RPC scan, version detection can enable the version
> detection category of NSE scripts.

If someone wanted to prevent this step, could they not use --script "not all"?

> Does the "rpcbind" limitation resolve your issue, or is RPC scan still
> likely to present a problem?

This probably solves it. I'll have to do some testing to be sure. If
that is the case, then the man page

> Have you also limited the probes in the file, or are you using the
> file as is?

I'm using the file as-is. The services I've crashed before have IIRC
been running on ports without specific probes assigned.

Dan
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/