mailing list archives
Announce: nmap-2.54b4+V-2.3 - Now with FULL Protocol Auto-Detection!
From: "Jay Freeman \(saurik\)" <saurik () saurik com>
Date: Wed, 6 Sep 2000 03:05:47 -0500
All right, all sorts of new functionality. The big ones are support for
'\0' inside of regular expressions and string matches (required messing with
the supplied regex.c) and a new 'f' command that let's nmap+V use multiple
connections to attempt to gather data on ports that only respond to certain
requests. It still doesn't prioritize certain prompts depending on what
port it is looking at (in order to expedite a valid response), but that is
pretty far beyond the scope of my file format... will need to wait until I
have flushed out the next one I am working on; although I don't see this as
being that important of a feature anyway....
I used these new features to start scanning for protocols such as SSL, RPC,
Telnet, and NETBIOS. I also added Linuxconf, not sure why I didn't have
that one there before. BTW, when the SSL scan finds an SSL server it cuts
off rather abruptly, and (if you are using modssl anyway) the server prints
this to its log:
[05/Sep/2000 13:06:58 09686] [info] Spurious SSL handshake interrupt[Hint:
Usually just one of those OpenSSL confusions!?]
That should happen any time someone's connection is flaky, so it is unlikely
to be noticed or be considered a big problem by the administrator (and it
goes to a log that I, at least, never check anyway).
If you don't want to go all out and keep reconnecting to the server, you can
continue scanning using the existing methods by using -sV. To activate the
fork command and start doing extended testing, you need to specify -sVV. I
moved -sVV's old purpose (extraneous information) to -sVVV. The idea is
that the more "intrusive" you want your scan to be, the more V's you add at
the command line; although I am not sure if I made the right decision that
gathering extra information is really more "intrusive" than using multiple
connections. I kind of assume that if you care to get things such as the
<title/> tag of a web page, you likely are going to want to have the most
accurate protocol information possible.
As always, if you are using the connect() scan nmap+V will reuse the socket
(and internally deals with the organization issues of when to close what
sockets that are brought up by -sVV at the same time).
So as to take best benefit of the new features, I recommend you use -sVV
while doing version scans (personally, I hardly ever care about the few bits
of information that -sVVV returns, and it normally just gets in my way and
annoys me, but there are some times when I am interested).
I haven't tested this patch on FreeBSD or Solaris yet. Oh, and if you
switch the compiler to g++ you will get a few warnings on regex.c... I just
didn't have it in me today to squeeze out the last few signed/unsigned
issues (made enough modifications to that poor file for one day). Will have
to wait for the next version.
As before the patch can be found at:
An already patched copy of nmap-2.54b4 is at:
Now for some example output :-) :
(The 1047 ports scanned but not shown below are in state: closed)
Port State Service Protocol Version
21/tcp open ftp FTP wu-2.6.0(1)
22/tcp open ssh SSH 1.99-2.0.13
25/tcp open smtp SMTP Sendmail
37/tcp open time Time Wed Sep 6 02:22:36
53/tcp open domain
80/tcp open http HTTP Apache/1.3.12 (Unix)
<Title>: Horde System
88/tcp open kerberos-sec
98/tcp open linuxconf Linuxconf
109/tcp open pop-2 POP2 v4.55
110/tcp open pop-3 POP3 v7.64
111/tcp open sunrpc RPC
113/tcp open auth AUTH
119/tcp open nntp NNTP INN 2.2.2
139/tcp open netbios-ssn NETBIOS
143/tcp open imap2 IMAP WU IMAP4rev1 v12.264
443/tcp open https SSL
465/tcp open smtps SSL
587/tcp open submission SMTP Sendmail
993/tcp open imaps SSL
995/tcp open pop3s SSL
2401/tcp open cvspserver CVS
5432/tcp open postgres PostgreSQL
6667/tcp open irc IRC
Network: Internet Relay
8007/tcp open jserv
8009/tcp open ajp13 Ajp13
8888/tcp open sun-answerbook NetStreamer NrServer 0.17
Nmap run completed -- 1 IP address (1 host up) scanned in 132 seconds
Here are the relevant CHANGELOG entries:
** Version 2.54b4+V-2.3
-- Added the 'f' command: "fork". Using this will disconnect from the
remote host, clear the receieve buffer, optionally skip sections,
and reestablish the connection.
-- Replaced -sVV with -sVVV. -sVV is now for "intrusive" version scans.
The idea is that the more V's you have, the more "intrusive" you
are being. One V will create one TCP connection and attempt to get
as much protocol and version information as it can from that. Two
V's will use as many connections as neccessary to maximize accuracy.
Three V's will return extraneous information (a la -sVV before).
-- Used 'f' to reorganize and enhance the nmap-versions rules. Nmap+V
can now detect non-responsive protocols on non-standard ports!
-- Messed with the '?' command to support branching based on the level
of "intrusiveness". This is used to decide whether to simply go
through protocol detection tests in order, or do a global branch
based on port number (which greatly limits the scan's power).
-- Trimmed out a bunch of garbage from the shipped regex.c, and ported
it most of the way to C++ (still has a few signed/unsigned issues).
-- Messed with regex.c until it supported the ability to have '\0' in
the middle of both expressions and strings. Apparently the POSIX
people defined a regular expression to end with '\0'. In and of
itself, this would be solvable. I got a suggestion from Andy
Lutomirski <luto at mailandnews.com> to use "[^\001-\xff]", which
worked fine... except for that the POSIX people also decided that
regexec() wouldn't take a length argument either, so even if the
regular expression can match the string correctly, it can't be
given the string to match against anyway.
-- Changed the configure scripts to use the supplied regex.c for all
compiles regardless of whether the POSIX compliant ones were found
-- Added a few of nmap-versions rules using the new binary abilities:
SSL, RPC, Telnet, NETBIOS, and a small addition to Ajp13.
-- Running the version scan as port scans were generating the lists
was causing timing problems. SYN scan was getting all confused
and scanning the same ports over and over again. Then the extra
packets were making SYN scan do extra work to decide what data it
was actually supposed to be waiting for, and wasn't garbage. When
the scan would complete the data was always accurate, and the
version scan would normally complete for each port fast enough not
to cause many issues. When I started scanning using multiple
connections and different prompts that changed. When run with any
scan other than the vanilla TCP connect() scan, nmap+V will now
wait until all port processing is done before running its scans.
This sped things up considerably.
** Version 2.54v3+V-2.21
-- Added textual note that Jay Freeman (saurik) <saurik at saurik.com>
wrote the +V patch, so if you want to complain to someone about it,
you might want to talk to him and not Fyoder :).
-- Hopefully fixed a buffer overflow demonstrated in an exploit found
at: http://inferno.tusculum.edu/~typo/banfuq.c .
** Version 2.54b3+V-2.2
-- Ported nmap+V to 2.54b3.
-- Added binary support to nmap-versions parsing.
-- A few new nmap-versions entries (including Ajp13, which uses the
new binary support for the protocol detection).
** Version 2.53+V-2.1
-- Added a 'd' command to the nmap-versions parser which regex's out
four bytes in network order, converts it to host order, uses it as
an unsigned long, subtracts the number of seconds between 1900 and
1970, and runs it through ctime() for generating the version string.
-- If -sV is specified more than once new extended information is given,
currently the network of an IRC server, and the <title> of a web page.
Jay Freeman (saurik)
saurik () saurik com <mailto:saurik () saurik com>
For help using this (nmap-hackers) mailing list, send a blank email to
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
- Announce: nmap-2.54b4+V-2.3 - Now with FULL Protocol Auto-Detection! Jay Freeman \(saurik\) (Sep 06)