Home page logo

Nmap Announce mailing list archives

Announce: nmap-2.54b4+V-2.3 - Now with FULL Protocol Auto-Detection!
From: "Jay Freeman \(saurik\)" <saurik () saurik com>
Date: Wed, 6 Sep 2000 03:05:47 -0500

All right, all sorts of new functionality.  The big ones are support for
'\0' inside of regular expressions and string matches (required messing with
the supplied regex.c) and a new 'f' command that let's nmap+V use multiple
connections to attempt to gather data on ports that only respond to certain
requests.  It still doesn't prioritize certain prompts depending on what
port it is looking at (in order to expedite a valid response), but that is
pretty far beyond the scope of my file format... will need to wait until I
have flushed out the next one I am working on; although I don't see this as
being that important of a feature anyway....

I used these new features to start scanning for protocols such as SSL, RPC,
Telnet, and NETBIOS.  I also added Linuxconf, not sure why I didn't have
that one there before.  BTW, when the SSL scan finds an SSL server it cuts
off rather abruptly, and (if you are using modssl anyway) the server prints
this to its log:

[05/Sep/2000 13:06:58 09686] [info]  Spurious SSL handshake interrupt[Hint:
Usually just one of those OpenSSL confusions!?]

That should happen any time someone's connection is flaky, so it is unlikely
to be noticed or be considered a big problem by the administrator (and it
goes to a log that I, at least, never check anyway).

If you don't want to go all out and keep reconnecting to the server, you can
continue scanning using the existing methods by using -sV.  To activate the
fork command and start doing extended testing, you need to specify -sVV.  I
moved -sVV's old purpose (extraneous information) to -sVVV.  The idea is
that the more "intrusive" you want your scan to be, the more V's you add at
the command line; although I am not sure if I made the right decision that
gathering extra information is really more "intrusive" than using multiple
connections.  I kind of assume that if you care to get things such as the
<title/> tag of a web page, you likely are going to want to have the most
accurate protocol information possible.

As always, if you are using the connect() scan nmap+V will reuse the socket
(and internally deals with the organization issues of when to close what
sockets that are brought up by -sVV at the same time).

So as to take best benefit of the new features, I recommend you use -sVV
while doing version scans (personally, I hardly ever care about the few bits
of information that -sVVV returns, and it normally just gets in my way and
annoys me, but there are some times when I am interested).

I haven't tested this patch on FreeBSD or Solaris yet.  Oh, and if you
switch the compiler to g++ you will get a few warnings on regex.c... I just
didn't have it in me today to squeeze out the last few signed/unsigned
issues (made enough modifications to that poor file for one day).  Will have
to wait for the next version.

As before the patch can be found at:

An already patched copy of nmap-2.54b4 is at:

Now for some example output :-) :

(The 1047 ports scanned but not shown below are in state: closed)
Port       State       Service             Protocol     Version
21/tcp     open        ftp                 FTP          wu-2.6.0(1)
22/tcp     open        ssh                 SSH          1.99-2.0.13
25/tcp     open        smtp                SMTP         Sendmail
37/tcp     open        time                Time         Wed Sep  6 02:22:36
53/tcp     open        domain
80/tcp     open        http                HTTP         Apache/1.3.12 (Unix)
  <Title>: Horde System
88/tcp     open        kerberos-sec
98/tcp     open        linuxconf           Linuxconf
109/tcp    open        pop-2               POP2         v4.55
110/tcp    open        pop-3               POP3         v7.64
111/tcp    open        sunrpc              RPC
113/tcp    open        auth                AUTH
119/tcp    open        nntp                NNTP         INN 2.2.2
139/tcp    open        netbios-ssn         NETBIOS
143/tcp    open        imap2               IMAP         WU IMAP4rev1 v12.264
443/tcp    open        https               SSL
465/tcp    open        smtps               SSL
587/tcp    open        submission          SMTP         Sendmail
993/tcp    open        imaps               SSL
995/tcp    open        pop3s               SSL
2401/tcp   open        cvspserver          CVS
5432/tcp   open        postgres            PostgreSQL
6667/tcp   open        irc                 IRC
  Network: Internet Relay
8007/tcp   open        jserv
8009/tcp   open        ajp13               Ajp13
8888/tcp   open        sun-answerbook      NetStreamer  NrServer 0.17

Nmap run completed -- 1 IP address (1 host up) scanned in 132 seconds

Here are the relevant CHANGELOG entries:

** Version 2.54b4+V-2.3

-- Added the 'f' command: "fork".  Using this will disconnect from the
   remote host, clear the receieve buffer, optionally skip sections,
   and reestablish the connection.

-- Replaced -sVV with -sVVV.  -sVV is now for "intrusive" version scans.
   The idea is that the more V's you have, the more "intrusive" you
   are being.  One V will create one TCP connection and attempt to get
   as much protocol and version information as it can from that.  Two
   V's will use as many connections as neccessary to maximize accuracy.
   Three V's will return extraneous information (a la -sVV before).

-- Used 'f' to reorganize and enhance the nmap-versions rules.  Nmap+V
   can now detect non-responsive protocols on non-standard ports!

-- Messed with the '?' command to support branching based on the level
   of "intrusiveness".  This is used to decide whether to simply go
   through protocol detection tests in order, or do a global branch
   based on port number (which greatly limits the scan's power).

-- Trimmed out a bunch of garbage from the shipped regex.c, and ported
   it most of the way to C++ (still has a few signed/unsigned issues).

-- Messed with regex.c until it supported the ability to have '\0' in
   the middle of both expressions and strings.  Apparently the POSIX
   people defined a regular expression to end with '\0'.  In and of
   itself, this would be solvable.  I got a suggestion from Andy
   Lutomirski <luto at mailandnews.com> to use "[^\001-\xff]", which
   worked fine... except for that the POSIX people also decided that
   regexec() wouldn't take a length argument either, so even if the
   regular expression can match the string correctly, it can't be
   given the string to match against anyway.

-- Changed the configure scripts to use the supplied regex.c for all
   compiles regardless of whether the POSIX compliant ones were found
   or not.

-- Added a few of nmap-versions rules using the new binary abilities:
   SSL, RPC, Telnet, NETBIOS, and a small addition to Ajp13.

-- Running the version scan as port scans were generating the lists
   was causing timing problems.  SYN scan was getting all confused
   and scanning the same ports over and over again.  Then the extra
   packets were making SYN scan do extra work to decide what data it
   was actually supposed to be waiting for, and wasn't garbage.  When
   the scan would complete the data was always accurate, and the
   version scan would normally complete for each port fast enough not
   to cause many issues.  When I started scanning using multiple
   connections and different prompts that changed.  When run with any
   scan other than the vanilla TCP connect() scan, nmap+V will now
   wait until all port processing is done before running its scans.
   This sped things up considerably.

** Version 2.54v3+V-2.21

-- Added textual note that Jay Freeman (saurik) <saurik at saurik.com>
   wrote the +V patch, so if you want to complain to someone about it,
   you might want to talk to him and not Fyoder :).

-- Hopefully fixed a buffer overflow demonstrated in an exploit found
   at: http://inferno.tusculum.edu/~typo/banfuq.c .

** Version 2.54b3+V-2.2

-- Ported nmap+V to 2.54b3.

-- Added binary support to nmap-versions parsing.

-- A few new nmap-versions entries (including Ajp13, which uses the
   new binary support for the protocol detection).

** Version 2.53+V-2.1

-- Added a 'd' command to the nmap-versions parser which regex's out
   four bytes in network order, converts it to host order, uses it as
   an unsigned long, subtracts the number of seconds between 1900 and
   1970, and runs it through ctime() for generating the version string.

-- If -sV is specified more than once new extended information is given,
   currently the network of an IRC server, and the <title> of a web page.

Jay Freeman (saurik)
saurik () saurik com <mailto:saurik () saurik com>

For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).

  By Date           By Thread  

Current thread:
  • Announce: nmap-2.54b4+V-2.3 - Now with FULL Protocol Auto-Detection! Jay Freeman \(saurik\) (Sep 06)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]