Nmap Development mailing list archives

Re: Why port 22 has been removed from Probe TCP GenericLines?


From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 23 Sep 2015 10:33:47 -0500

Ryan,

I'm not sure which version you're comparing with. I looked back as far as
April 2005 and port 22 has not been listed in the ports for GenericLines.
That is not to say that the GenericLines probe will not be sent, though!
Here's the rundown of how Nmap will try to get a version for port 22:

1. NULL probe. Nmap connects and waits totalwaitms (currently 6 seconds)
for a banner. This banner is matched against the (currently 593) match
lines for that probe.

2. Port-specific probes. If any probes have port 22 listed in the "ports"
directive, they will be tried first. This is usually reserved for
protocol-specific stuff like GetRequest to port 80 or a Docker probe to
port 2375. There are no probes that list port 22 because the standard
protocol for that port (SSH) begins with a server banner.

3. Remaining probes by rarity. Probes which are likely to get a response
from many common services are sent first, and probes that are specifically
targeted to individual services are sent last or not at all. GenericLines
has a rarity of 1, meaning that it will be the first one sent (since it is
also at the top of the file).

4. If the service was matched as "ssl", then reconnect with an SSL/TLS
tunnel and start over at 1.

At any point, if a match is found, then the process stops and no further
probes are sent.

I wrote a little Perl script to check the order of probes sent to any
particular port, which I'm attaching for anyone who is interested. The
output for port 22/tcp is:

TCP
  1: GenericLines GetRequest SSLSessionReq
  3: DNSVersionBindReq Help
  4: HTTPOptions RPCCheck SMBProgNeg X11Probe
  5: RTSPRequest Kerberos SIPOptions
  6: FourOhFourRequest LPDString LDAPBindReq LANDesk-RC TerminalServer NCP
NotesRPC WMSRequest afp
  7: DNSStatusRequest TLSSessionReq oracle-tns
  8: Hello SSLv23SessionReq DistCCD JavaRMI Radmin NessusTPv10 Verifier
VerifierAdvanced Socks5 Socks4 ms-sql-s HELP4STOMP Memcache firebird
ibm-db2-das ibm-db2 pervasive-relational pervasive-btrieve ajp
SqueezeCenter_CLI Arucer dominoconsole informix drda ibm-mqseries
apple-iphoto mongodb redis-server memcached riak-pbc tarantool
couchbase-data epmd vp3 minecraft-ping docker tor-versions
  9: NessusTPv12 NessusTPv11 mydoom WWWOFFLEctrlstat OfficeScan beast2
hp-pjl ZendJavaBridge gkrellm vmware-esx metasploit-xmlrpc
metasploit-msgrpc hazelcast-http erlang-node teamspeak-tcpquery-ver xmlsysd

Note that with the default settings (--version-intensity 7), the large
number of probes at rarity 8 and 9 will not be sent.

Dan
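The four-step ordering above, worked as an added Python example (not Nmap's own code and not the attached Perl script): it parses a small constructed excerpt in nmap-service-probes syntax and returns the send order for a given TCP port. Assumptions: a probe with no rarity line is treated as rarity 1, and probes that list the port are assumed to be sent regardless of --version-intensity.

```python
"""Send order of Nmap version-detection probes for one TCP port, following the
post's rundown. Added Python example; not Nmap's code nor the attached Perl script."""
PROBES_TEXT = r"""
# Constructed excerpt in nmap-service-probes syntax; port lists are invented.
Probe TCP NULL q||
Probe TCP GenericLines q|\r\n\r\n|
rarity 1
ports 21,23,110,1000-1010
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
rarity 1
ports 80,8080
sslports 443
Probe TCP HTTPOptions q|OPTIONS / HTTP/1.0\r\n\r\n|
rarity 4
ports 80
Probe TCP docker q|GET /version HTTP/1.1\r\n\r\n|
rarity 8
ports 2375,2376
"""

def parse_ports(spec):
    """Expand a ports directive such as '21,23,1000-1010' into a set of ints."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_probes(text):
    """Keep only the directives that affect send order: name, rarity, port lists."""
    probes = []
    for line in text.splitlines():
        key, _, rest = line.strip().partition(" ")
        if key == "Probe":  # Probe <proto> <name> <probestring>
            probes.append({"name": rest.split(" ", 2)[1], "rarity": 1,
                           "ports": set(), "sslports": set()})  # rarity 1 assumed when absent
        elif key == "rarity":
            probes[-1]["rarity"] = int(rest)
        elif key in ("ports", "sslports"):
            probes[-1][key] = parse_ports(rest)
    return probes

def probe_order(probes, port, intensity=7, ssl=False):
    """Probe names in send order for TCP `port`; 7 is Nmap's default intensity."""
    listed = lambda p: port in p["ports"] or (ssl and port in p["sslports"])
    cands = [p for p in probes if p["name"] != "NULL"]
    specific = [p for p in cands if listed(p)]  # step 2: port-listed probes go first (assumed to ignore intensity)
    rest = sorted((p for p in cands if not listed(p) and p["rarity"] <= intensity),
                  key=lambda p: p["rarity"])  # step 3: stable sort keeps file order within a rarity
    return ["NULL"] + [p["name"] for p in specific + rest]  # step 1: NULL probe first
```

With `ssl=True` the `sslports` directive counts as a port listing, which is the reconnect case in step 4.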

On Wed, Sep 23, 2015 at 1:19 AM, ryan chou <jkryanchou () gmail com> wrote:

Hi

    I downloaded the latest version of nmap-service-probes to compare with the old
version, and found that port 22 has been removed from the Probe TCP GenericLines
ports list. So could anyone tell me the reason for this modification?

    According to this modification, the fingerprint of port 22 could only be
obtained with the TCP NULL probe, which only sets up a connection to the target.
Why not keep both Probe NULL and Probe GenericLines? As far as I thought, they
both could get the fingerprint from port 22.

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

Attachment: probe-order.pl