Penetration Testing mailing list archives

Re: [PEN-TEST] Database of service output


From: Dave Cowen <dcowen () ENSTAR COM>
Date: Tue, 12 Dec 2000 14:56:44 -0600

We also looked through the nessus find-service plugin. The
nessus plugin, according to their code, is highly beta and contains about 10
or more entries. The major problem is that they are only doing a strstr upon
the retrieved banner to match the text at any point, see no regex. The other
issue is that they only attempt to retrieve whatever banner is sent, nmap+v
is better in this case. So we rewrote part of SARA to take nmap output,
probe each open port for banner with 6 possible input strings and then
perform a regex match in the backend to determine the service, if the
service does not give a banner then we default to the service name given by
IANA. So.. now we are trying to build a database of known banners for
reference since SARA is an open source project and we are submitting our
changes back to the author. We are going to be creating such a database on
our public website so people can view what we currently have and can submit
their own.

If you find any flaw with my reasoning or can think of a better way please
let me know.

Thanks,
Dave Cowen, CISSP
Security Services Manager
Enstar
http://www.enstar.com
Tel: 972-929-5267
Fax: 972-915-6969
Email: dcowen () enstar com
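The approach Dave describes above (probe each open port with a handful of inputs, regex-match the reply, fall back to the IANA name when the service stays silent) is small enough to show end to end. The following is an added example, not code from SARA, nessus or nmap; the probe strings, the signature regexes, the port table and the simulated services are all constructed for illustration. It also contrasts an anchored regex match with the "strstr anywhere in the banner" approach the message criticises, using a web page whose body happens to mention an SSH version string.

```python
"""Banner-based service identification: anchored regex signatures with an IANA fallback."""
import re
from typing import Callable, Optional, Tuple

# Constructed subset of the IANA port-to-service table; used only as a fallback.
IANA_PORTS = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 110: "pop3", 143: "imap"}

# Constructed probe inputs, tried in order until the service answers.
# The empty probe goes first: SSH, SMTP, FTP and POP3 greet without being asked.
PROBES = [
    b"",
    b"\r\n",
    b"GET / HTTP/1.0\r\n\r\n",
    b"HELP\r\n",
    b"QUIT\r\n",
]

# Signatures anchored at the start of the reply (\A), so text deeper in a
# response body cannot masquerade as a greeting. Order matters where two
# greetings share a prefix: the SMTP pattern is checked before the FTP one.
SIGNATURES = [
    ("ssh",  re.compile(rb"\ASSH-\d\.\d-")),
    ("http", re.compile(rb"\AHTTP/1\.[01] \d{3} ")),
    ("smtp", re.compile(rb"\A220[ -].*\bE?SMTP\b", re.I)),
    ("ftp",  re.compile(rb"\A220[ -].*\bFTP\b", re.I)),
    ("pop3", re.compile(rb"\A\+OK\b")),
    ("imap", re.compile(rb"\A\* OK\b.*\bIMAP", re.I)),
]

# strstr-style keywords, matched anywhere in the reply (the weak approach).
NAIVE_KEYWORDS = [("ssh", b"SSH-"), ("ftp", b"FTP"), ("smtp", b"SMTP"), ("http", b"HTTP/1.")]


def match_banner(banner: bytes) -> Optional[str]:
    """Return the first signature whose anchored regex matches, else None."""
    for name, pattern in SIGNATURES:
        if pattern.search(banner):
            return name
    return None


def naive_substring_match(banner: bytes) -> Optional[str]:
    """Keyword-anywhere matching, to show how unanchored matching misfires."""
    for name, keyword in NAIVE_KEYWORDS:
        if keyword in banner:
            return name
    return None


def grab_banner(exchange: Callable[[bytes], bytes]) -> bytes:
    """Send each probe in turn through `exchange` and return the first non-empty reply.

    `exchange` stands in for a socket round trip (assumption: it takes the probe
    bytes and returns whatever the service sent back, or b"" for silence).
    """
    for probe in PROBES:
        reply = exchange(probe)
        if reply:
            return reply
    return b""


def identify(port: int, exchange: Callable[[bytes], bytes]) -> Tuple[str, str]:
    """Return (service, evidence): evidence is 'banner' or 'iana' (port-number fallback)."""
    service = match_banner(grab_banner(exchange))
    if service is not None:
        return service, "banner"
    return IANA_PORTS.get(port, "unknown"), "iana"


# --- Constructed simulated services for offline demonstration ---------------

def simulated_ssh(probe: bytes) -> bytes:
    """An SSH daemon greets as soon as the connection opens."""
    return b"SSH-2.0-ExampleSSH_1.0\r\n"


def simulated_web_on_22(probe: bytes) -> bytes:
    """A web server listening on 22 (constructed): silent until it sees a request.

    The page body mentions an SSH version string, which fools substring matching.
    """
    if probe.startswith(b"GET "):
        return (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                b"<p>Download SSH-2.0 compatible clients here</p>")
    return b""


def simulated_silent(probe: bytes) -> bytes:
    """A service that never sends a banner, so only the port number is left."""
    return b""


if __name__ == "__main__":
    for port, svc in ((22, simulated_ssh), (22, simulated_web_on_22), (25, simulated_silent)):
        print(port, identify(port, svc))
    print("naive:", naive_substring_match(grab_banner(simulated_web_on_22)))
```

Running it reports port 22 as `ssh` from its greeting, the web server on 22 as `http` from its anchored status line, and the silent port 25 as `smtp` with evidence `iana`, which is the case worth flagging for manual verification in a report. The naive keyword check labels the same web server `ssh` because "SSH-" appears in the page body, which is exactly why the regexes above are anchored with `\A`.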


-----Original Message-----
From: Randall, Mark (ISSCalifornia) [mailto:MRandall () ISS NET]
Sent: Monday, December 11, 2000 1:57 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: Database of service output


I don't know about a database, but Nessus does exactly what you describe.
It doesn't report services simply because of a connection to a port that is
part of the IANA standards.  It actually probes the running services.  They
call it "Smart service recognition" and have used it as one of the selling
points for Nessus for quite some time.

http://www.nessus.org/features.html

Again, I don't know about an actual database...but nessus is open source, so
you can certainly see how they're doing it.




-----Original Message-----
From: Dave Cowen [mailto:dcowen () ENSTAR COM]
Sent: Thursday, December 07, 2000 11:59 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Database of service output


Hi,
    We are working on a project to modify popular scanners to detect
services by their service output <if available> rather than trusting their
port assignment.
Do any of you know of such a database or list that exists today or would be
willing to contribute to this project that will be given as an open source
resource, first through SARA and then nmap. We believe that this tool will
greatly reduce our time of having to check each port after a scan to verify
the service listed is the service running.

Thanks in advance,
Dave Cowen, CISSP
Security Services Manager
Enstar
http://www.enstar.com
Tel: 972-929-5267
Fax: 972-915-6969
Email: dcowen () enstar com


