Nmap Development mailing list archives
Re: Service probes question
From: David Fifield <david () bamsoftware com>
Date: Tue, 21 Feb 2012 08:43:18 -0800
On Tue, Feb 21, 2012 at 11:03:59AM +0100, Eric Buggenhout wrote:
> Hi list,
>
> I'm running the following scan: "nmap -p80 -sV XXX.XXX.XXX.XXX" and analysing the nmap traffic with wireshark. I see some GET and OPTION requests but after that there are some probes that generate "HTTP/1.1 400 Bad Request" so I checked out which probes were sent out.
>
> For example this data:
>
> 00:5a:00:00:01:00:00:00:01:36:01:2c:00:00:08:00:7f:ff:7f:08:00:00:00:01:00:20:00:3a:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:34:e6:00:00:00:01:00:00:00:00:00:00:00:00:28:43:4f:4e:4e:45:43:54:5f:44:41:54:41:3d:28:43:4f:4d:4d:41:4e:44:3d:76:65:72:73:69:6f:6e:29:29
>
> Which maps to this in nmap-service-probes:
>
> Probe TCP oracle-tns q|\0Z\0\0\x01\0\0\0\x016\x01,\0\0\x08\0\x7F\xFF\x7F\x08\0\0\0\x01\0 \0:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\04\xE6\0\0\0\x01\0\0\0\0\0\0\0\0(CONNECT_DATA=(COMMAND=version))|
> rarity 7
> ports 1035,1521,1522,1525,1526,1574,1748,1754,14238,20000
>
> Why is nmap using this probe when I'm scanning on port 80?
It's because it has rarity 7. Nmap tries all probes with rarity 7 or lower by default. Use the --version-intensity option to change it.

http://nmap.org/book/vscan-technique.html#vscan-selection-and-rarity

You would be surprised how often weird services run on port 80, or how often useful classification results come from non-HTTP probes to HTTP services. There is even an example of an HTTP service matched by the oracle-tns probe in the file.

David Fifield
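The selection rule discussed in this thread, as an added example that is not part of either message and is not Nmap's own code. It is a simplified model: the probe list is a constructed, abbreviated sample (payloads elided, `hypothetical-rare` is invented), and it assumes the ordering described in the Nmap book, where probes registered to the port are tried first regardless of intensity, followed by the remaining probes whose rarity is at or below the intensity.

```python
# Simplified model of version-scan probe selection by rarity and ports.
# SAMPLE_PROBES is constructed for illustration; payloads are elided and
# "hypothetical-rare" does not exist in the real nmap-service-probes file.
SAMPLE_PROBES = """\
Probe TCP NULL q||
Probe TCP GetRequest q|...|
rarity 1
ports 80-85,8080
Probe TCP oracle-tns q|...|
rarity 7
ports 1035,1521,1522,1525,1526,1574,1748,1754,14238,20000
Probe TCP hypothetical-rare q|...|
rarity 9
ports 9999
"""

def parse_ports(spec):
    """Expand a ports directive such as '80-85,8080' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_probes(text):
    """Collect the Probe, rarity and ports directives; other lines are ignored."""
    probes = []
    for line in text.splitlines():
        fields = line.split(None, 3)
        if not fields:
            continue
        if fields[0] == "Probe":
            probes.append({"proto": fields[1], "name": fields[2],
                           "rarity": None, "ports": set()})
        elif fields[0] == "rarity" and probes:
            probes[-1]["rarity"] = int(fields[1])
        elif fields[0] == "ports" and probes:
            probes[-1]["ports"] = parse_ports(fields[1])
    return probes

def probes_for(probes, port, intensity=7, proto="TCP"):
    """Names of the probes tried against `port`, in order, at this intensity."""
    cands = [p for p in probes if p["proto"] == proto]
    null = [p["name"] for p in cands if p["name"] == "NULL"]
    rest = [p for p in cands if p["name"] != "NULL"]
    registered = [p["name"] for p in rest if port in p["ports"]]
    by_rarity = [p["name"] for p in rest if port not in p["ports"]
                 and p["rarity"] is not None and p["rarity"] <= intensity]
    return null + registered + by_rarity
```

At the default intensity of 7 the model sends oracle-tns to port 80 even though 80 is not in its ports list; lowering the intensity to 2 drops it.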