Home page logo

Nmap Announce mailing list archives

Re: Nmap 2.30BETA20 Released
From: "Alek O. Komarnitsky (N-CSC)" <alek () ast lmco com>
Date: Fri, 21 Apr 2000 21:59:03 -0600 (MDT)

From: Andrew Brown <atatat () atatdot net>
Subject: Re: Nmap 2.30BETA20 Released
To: Justin <jguyett () andrew cmu edu>
Cc: nmap-hackers () insecure org

Idealy nmap would have a module to verify each servce it finds, so that
(for example) an open port 443 wouldn't be reported as ssl / http if it
isn't acting like a websserver.

verifying that port 25 is an smtp server is relatively easy, likewise
with 21 being ftp control, 22 being an ssh server, and 23 being a
telnet server.  the daytime and time services are likewise very easy
to detect since they just spew; they don't accept.

verifying that port 443 is actually an https server is decidedly
non-trivial, not the least of which is because it waits for the client
to say something before dropping you.  it would require at least a
minimal ssl stack, and some crypto tools, neither of which belong in
the world's best port scanner.

FYI FWIW: nmap-web (URL listed below) has a checkbox that basically says:
   "try to tell me what is running on the port selected"
It does this by opening up a socket connection and snarfing what is
returned. Only a few well-defined services are setup (for instance,
it will send a "POST / HTTP/1.0" to port 80 to get the web server info),
but this could easily be expanded.

You can also define an EXPECTED string ... and if you do NOT get that;
then it will highlight it in red. This is useful for instance if you
have a 1,000+ machines and you want to know which ones are NOT running
sendmail8.9.3 ... useful to catch the "stranglers" so you know which
ones to fix.


P.S. nmap-web is linked to from the nmap home page and is at:
        http://www.komar.org/komar/alek/  ->  Misc. Tech Stuff  ->  nmap-web

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]