Nmap Development mailing list archives

Re: Question on --version-intensity and -sR interaction


From: David Fifield <david () bamsoftware com>
Date: Sat, 12 Mar 2011 10:53:01 -0800

On Fri, Mar 04, 2011 at 05:51:11PM -0800, Fyodor wrote:
On Fri, Mar 04, 2011 at 06:12:40PM -0600, Daniel Miller wrote:

which seems to contradict what you said about only if they are
detected as "rpcbind."

Well, the "only if detected as rpcbind" behavior is only true if
version detection is requested.  With just -sR, Nmap does as the man
page suggests and sends a bunch of probes to every port.

My feeling is that we should probably remove the -sR option, but keep
RPC grinding as a part of version detection.  Even the Nmap man page
acknowledges that "As version detection includes this and is much more
comprehensive, -sR is rarely needed".  Even if all you need is RPC
grinding, -sV is generally more efficient since it does the "is this
service even RPC?" check first.

There were some bugs such that -sV didn't automatically specify all of
what -sR specified. Some examples from scanning NFS:

# nmap -sU 192.168.0.2 -p nfs -sV
PORT     STATE SERVICE VERSION
2049/udp open  nfs     2-4 (rpc #100003)
# nmap -sU 192.168.0.2 -p nfs -sR
PORT     STATE SERVICE        VERSION
2049/udp open  nfs (nfs V2-4) 2-4 (rpc #100003)
# nmap -sU 192.168.0.2 -p nfs -sVR
PORT     STATE SERVICE        VERSION
2049/udp open  nfs (nfs V2-4) 2-4 (rpc #100003)

Also XML output differed:
# nmap -sU 192.168.0.2 -p nfs -sV -oX -
<service name="nfs" version="2-4" extrainfo="rpc #100003" method="probed" conf="10"/>
# nmap -sU 192.168.0.2 -p nfs -sR -oX -
<service name="nfs" version="2-4" extrainfo="rpc #100003" method="probed" conf="10" rpcnum="100003" lowver="2" highver="4" proto="rpc"/>
# nmap -sU 192.168.0.2 -p nfs -sVR -oX -
<service name="nfs" version="2-4" extrainfo="rpc #100003" method="probed" conf="10" rpcnum="100003" lowver="2" highver="4" proto="rpc"/>

Does anyone here use -sR without version detection (-sV or -A)?
Removing command-line arguments is less popular than adding them, but
it's something we need to do to keep Nmap (and its documentation) from
getting too bloated and confusing.  So unless we hear from folks here
who really like having -sR by itself, I think we'll undocument it.
For compatibility, we'll probably make it an alias for -sV and print a
warning that it is deprecated.

I removed -sR as a separate option and made it an alias for -sV. This
warning gets printed when you use -sR:
        WARNING: -sR is now an alias for -sV and activates version detection as well as RPC scan.
The output of -sV is now the same as -sVR used to be.

# nmap -sU 192.168.0.2 -p nfs -sV
PORT     STATE SERVICE        VERSION
2049/udp open  nfs (nfs V2-4) 2-4 (rpc #100003)
# nmap -sU 192.168.0.2 -p nfs -sV -oX -
<service name="nfs" version="2-4" extrainfo="rpc #100003" method="probed" conf="10" rpcnum="100003" lowver="2" highver="4" proto="rpc"/>

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
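The XML difference discussed in this message matters to anyone who post-processes Nmap output: before the change, `-sV` recorded the RPC program only as free text in `extrainfo`, while `-sR`/`-sVR` (and now `-sV`) also emit the structured `rpcnum`, `lowver`, `highver` and `proto` attributes. The following is an added example, not code from this thread or from Nmap, that parses both forms of the `<service>` element shown above and flags output that lacks the structured attributes. The `nmaprun`/`host`/`port` framing around the `<service>` lines is constructed so the parser can run offline; only the two `<service>` lines are taken from the message.

```python
"""Extract RPC details from Nmap XML (-oX) output.

Added example; not code from the thread or from Nmap itself. The two
<service> elements below are the ones shown in the message; the
surrounding document structure is a constructed minimum.
"""
import xml.etree.ElementTree as ET


def wrap_service(service_line):
    """Build a minimal, constructed nmaprun document around one <service>
    element so the parser can run offline. The host/port framing here is
    an assumption about the surrounding XML, not output from the thread."""
    return f"""<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host>
  <address addr="192.168.0.2" addrtype="ipv4"/>
  <ports>
   <port protocol="udp" portid="2049">
    <state state="open" reason="udp-response"/>
    {service_line}
   </port>
  </ports>
 </host>
</nmaprun>
"""


# The two <service> lines as shown in the thread: old -sV output without
# the structured RPC attributes, and -sR/-sVR (now also -sV) output with them.
OLD_SV_XML = wrap_service(
    '<service name="nfs" version="2-4" extrainfo="rpc #100003" '
    'method="probed" conf="10"/>'
)
NEW_SV_XML = wrap_service(
    '<service name="nfs" version="2-4" extrainfo="rpc #100003" '
    'method="probed" conf="10" rpcnum="100003" lowver="2" highver="4" '
    'proto="rpc"/>'
)


def rpc_services(xml_text):
    """Return one dict per open port. 'rpc' holds the structured program
    number and version range when the <service> element carries the RPC
    attributes, and None when it does not."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            if svc is None:
                continue
            entry = {
                "host": addr,
                "port": int(port.get("portid")),
                "transport": port.get("protocol"),
                "name": svc.get("name"),
                "extrainfo": svc.get("extrainfo", ""),
                "rpc": None,
            }
            if svc.get("proto") == "rpc" and svc.get("rpcnum") is not None:
                entry["rpc"] = {
                    "program": int(svc.get("rpcnum")),
                    "lowver": int(svc.get("lowver")),
                    "highver": int(svc.get("highver")),
                }
            results.append(entry)
    return results


def unstructured_rpc(results):
    """Ports whose extrainfo names an RPC program but whose <service>
    element lacks the structured attributes, i.e. output from an Nmap
    whose -sV did not yet record everything -sR did."""
    return [r for r in results
            if r["rpc"] is None and r["extrainfo"].startswith("rpc #")]


if __name__ == "__main__":
    for label, doc in (("old -sV", OLD_SV_XML), ("new -sV", NEW_SV_XML)):
        for r in rpc_services(doc):
            print(label, r["port"], r["transport"], r["name"], r["rpc"])
    print("only free-text RPC info:", unstructured_rpc(rpc_services(OLD_SV_XML)))
```

Tools that key on `rpcnum`/`lowver`/`highver` rather than on `extrainfo` will silently see no RPC data from pre-change `-sV` runs; `unstructured_rpc` makes that gap visible instead of letting it pass as "not an RPC service".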