Penetration Testing mailing list archives
Re: [PEN-TEST] Database of service output
From: Dave Cowen <dcowen () ENSTAR COM>
Date: Tue, 12 Dec 2000 14:56:44 -0600
We also looked through the nessus find-service plugin. The nessus plugin, according to their code, is highly beta and contains about 10 or more entries. The major problem is that they are only doing a strstr upon the retrieved banner to match the text at any point, see no regex. The other issue is that they only attempt to retrieve whatever banner is sent; nmap+v is better in this case.

So we rewrote part of SARA to take nmap output, probe each open port for banner with 6 possible input strings and then perform a regex match in the backend to determine the service. If the service does not give a banner then we default to the service name given by IANA.

So.. now we are trying to build a database of known banners for reference, since SARA is an open source project and we are submitting our changes back to the author. We are going to be creating such a database on our public website so people can view what we currently have and can submit their own.

If you find any flaw with my reasoning or can think of a better way please let me know.

Thanks,

Dave Cowen, CISSP
Security Services Manager
Enstar
http://www.enstar.com
Tel: 972-929-5267
Fax: 972-915-6969
Email: dcowen () enstar com

-----Original Message-----
From: Randall, Mark (ISSCalifornia) [mailto:MRandall () ISS NET]
Sent: Monday, December 11, 2000 1:57 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: Database of service output

I don't know about a database, but Nessus does exactly what you describe. It doesn't report services simply because of a connection to a port that is part of the IANA standards. It actually probes the running services. They call it "Smart service recognition" and have used it as one of the selling points for Nessus for quite some time.

http://www.nessus.org/features.html

Again, I don't know about an actual database...but nessus is open source, so you can certainly see how they're doing it.
-----Original Message-----
From: Dave Cowen [mailto:dcowen () ENSTAR COM]
Sent: Thursday, December 07, 2000 11:59 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Database of service output

Hi,

We are working on a project to modify popular scanners to detect services by their service output <if available> rather than trusting their port assignment. Do any of you know of such a database or list that exists today, or would be willing to contribute to this project that will be given as an open source resource, first through SARA and then nmap? We believe that this tool will greatly reduce our time in having to check each port after a scan to verify the service listed is the service running.

Thanks in advance,

Dave Cowen, CISSP
Security Services Manager
Enstar
http://www.enstar.com
Tel: 972-929-5267
Fax: 972-915-6969
Email: dcowen () enstar com
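
The matching approach discussed in this thread, as an added example that is not part of the original messages and is not SARA or Nessus code: already-captured banners are classified with anchored regexes, compared against a strstr-style substring match, and fall back to the port's IANA name when no banner is available. The signature list, port table, function names and sample banners are all constructed for illustration.

```python
import re

# Constructed signatures, anchored to where each protocol's greeting starts.
SIGNATURES = [
    ("ssh",  re.compile(r"^SSH-\d+\.\d+-")),
    ("smtp", re.compile(r"^220[ -].*\bE?SMTP\b", re.I)),
    ("ftp",  re.compile(r"^220[ -].*\bFTP\b", re.I)),
    ("pop3", re.compile(r"^\+OK\b")),
    ("http", re.compile(r"^HTTP/\d\.\d \d{3}")),
]
# The same services as bare substrings, matched anywhere (strstr-style).
SUBSTRINGS = [("ssh", "SSH"), ("smtp", "SMTP"), ("ftp", "FTP"),
              ("pop3", "+OK"), ("http", "HTTP")]
# Small subset of the IANA port assignments, used only as the fallback.
IANA = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 110: "pop3"}

def by_regex(port, banner):
    """Return (service, source) using anchored regex signatures."""
    for name, rx in SIGNATURES:
        if banner and rx.search(banner):
            return name, "banner"
    return IANA.get(port, "unknown"), "iana-default"

def by_substring(port, banner):
    """Return (service, source) using a substring match at any offset."""
    for name, needle in SUBSTRINGS:
        if banner and needle in banner:
            return name, "banner"
    return IANA.get(port, "unknown"), "iana-default"

# Constructed sample input: (port, banner text captured from that port).
TRICKY = "220 Welcome. SSH and HTTP access are disabled on this host; FTP only."
SAMPLES = [
    (2222, "SSH-2.0-OpenSSH_2.3.0p1"),            # ssh on a non-standard port
    (25,   "220 mail.example.com ESMTP Sendmail 8.11.1"),
    (8080, "HTTP/1.0 200 OK\r\nServer: Apache"),
    (21,   TRICKY),                               # free text names other services
    (110,  ""),                                   # no banner: IANA default
]

def disagreements(samples):
    """List the samples where the two matching strategies differ."""
    return [(p, by_regex(p, b)[0], by_substring(p, b)[0])
            for p, b in samples if by_regex(p, b) != by_substring(p, b)]

if __name__ == "__main__":
    for port, banner in SAMPLES:
        print(port, by_regex(port, banner), by_substring(port, banner))
    print("disagree:", disagreements(SAMPLES))
```
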