Nmap Development mailing list archives
Nmap Service Detection Proposal
From: Fyodor <fyodor () insecure org>
Date: Sun, 27 Aug 2000 01:29:13 -0700 (PDT)
Hi guys,
Here is a proposed grammar for Nmap service detection. The main idea is
that the nmap-service-magic file contains a list of "probes". Each probe
contains the following information:
1) A list of common ports for the services detected by the probe (for
implementation optimization only -- an open port will first be tested
with probes that list that port number).
2) A string to be sent to the port right after connection establishment
(if TCP). The string can include escaped binary chars.
3) A list of (case insensitive) regular expressions to match against the
response and the protocol name the regexp relates to. The regexps. can
contain escaped binary chars as well.
What I like about this solution is that it leaves the probe definitions
very simple and easy to read, modify, maintain, add to, etc. I also
believe that it can be implemented efficiently.
The question is whether it is powerful enough. I suspect that the vast
majority of protocols could be detected via a sufficiently clever probe
string and regex match. Can anyone think of any protocols that could not
be detected by this method but could with a more powerful (think
"C") syntax? And RPC services don't count because we can get them with
the existing RPC grinder.
Let's look at a few examples of services that might be challenging:
Netbios-ssn // NetBIOS Session Service
netbios-ns // NetBIOS Name Service
x11
lpd
pcanywhere
orasrv // Oracle
Could anyone who knows one of these protocols well send to the list an
example of a probe that could be sent & regexp that would recognize the
response as belonging to the given service? Keep in mind that inducing
errors may be the easiest detection method. Of course, composing a binary
"wire" example and testing against the given service makes the best demo.
Or if you have an English suggestion (eg a certain X11 or Netbios-ns call
that should always elicit a distinct response), chime in!
Or if you want to suggest another protocol that could present a serious
challenge, let us know. Maybe someone can think of a way to ID it. It's
important that we identify any fatal problems before we spend a lot of
time implementing this and creating service-specific "probes".
As far as the actual nmap-service-magic file grammar, we could either do
something custom or use XML. Here is a custom example:
# The catch-all HTTP probe (which leads to distinctive error msgs from
# many services)
Probe TCP=21,22,23,25,80,110,118,1080,8080 SEND="GET / HTTP/1.0\r\n\r\n"
ftp 220.*ftp
pop3 \+OK
ssh ssh-
smtp smtp
nntp posting ok
http http/1
# Probe X11. I made up the hex values, presumably they would
# correspond to some sort of X request
PROBE TCP=6000-6010 SEND="\x32\x28\x14\x29\x71\xB4"
x11 \x31\x72\x98
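To show that the three pieces of information in a probe (port list, escaped send string, per-service regexps) are enough to drive a working matcher, here is a small parser and matcher for the custom grammar above. This is an added illustration written for this archive page, not code from Nmap or from the proposal; the probe file text and the server banners it is run against are constructed samples (the X11 bytes are the made-up ones from the post), and the function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample in the proposed nmap-service-magic grammar (not a real Nmap file).
# A raw string keeps the backslash escapes exactly as they would appear on disk.
SAMPLE_MAGIC = r'''
# The catch-all HTTP probe (many services answer it with a distinctive error)
Probe TCP=21,22,23,25,80,110,118,1080,8080 SEND="GET / HTTP/1.0\r\n\r\n"
ftp 220.*ftp
pop3 \+OK
ssh ssh-
smtp smtp
nntp posting ok
http http/1
# Hypothetical X11 probe; the byte values are made up, as in the proposal
PROBE TCP=6000-6010 SEND="\x32\x28\x14\x29\x71\xB4"
x11 \x31\x72\x98
'''


@dataclass
class Probe:
    ports: Set[int]                                   # item 1: common ports (ordering hint)
    send: bytes                                       # item 2: bytes sent right after connect
    matches: List[Tuple[str, "re.Pattern[bytes]"]] = field(default_factory=list)  # item 3


def parse_ports(spec: str) -> Set[int]:
    """'21,22,6000-6010' -> {21, 22, 6000, ..., 6010}; ranges are inclusive."""
    ports: Set[int] = set()
    for item in spec.split(","):
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


def decode_escapes(s: str) -> bytes:
    """Turn the escaped SEND string (\\r, \\n, \\xHH, ...) into the raw bytes to transmit."""
    return s.encode("latin-1").decode("unicode_escape").encode("latin-1")


# Header line: Probe TCP=<ports> SEND="<escaped string>"  (keyword case is ignored)
HEADER = re.compile(r'^probe\s+tcp=(\S+)\s+send="(.*)"\s*$', re.IGNORECASE)


def parse_magic(text: str) -> List[Probe]:
    """Parse the file: '#' comments are skipped, a header starts a probe,
    every other non-blank line is '<service> <regexp>' for the current probe."""
    probes: List[Probe] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER.match(line)
        if m:
            probes.append(Probe(parse_ports(m.group(1)), decode_escapes(m.group(2))))
            continue
        if not probes:
            raise ValueError(f"line {lineno}: match line before any Probe header")
        name, _, pattern = line.partition(" ")
        if not pattern:
            raise ValueError(f"line {lineno}: expected '<service> <regexp>'")
        # Regexps are matched case-insensitively against the raw response bytes;
        # \xHH escapes in the pattern are understood by the regex engine itself.
        probes[-1].matches.append((name, re.compile(pattern.encode("latin-1"), re.IGNORECASE)))
    return probes


def probes_for_port(probes: List[Probe], port: int) -> List[Probe]:
    """Item 1 of the proposal: try probes that list this port first, then the rest."""
    return sorted(probes, key=lambda p: port not in p.ports)   # stable sort keeps file order


def identify(probe: Probe, response: bytes) -> Optional[str]:
    """Return the first service whose regexp matches the response, or None."""
    for name, regex in probe.matches:
        if regex.search(response):
            return name
    return None


# Constructed banners standing in for what a server would send back.
SAMPLE_RESPONSES = {
    21: b"220 ProFTPD Server (ftp.example.test) ready\r\n",
    22: b"SSH-1.99-OpenSSH_2.1.1\r\n",
    110: b"+OK POP3 server ready\r\n",
    80: b"HTTP/1.0 400 Bad Request\r\n",
    6000: b"\x31\x72\x98\x00\x00",
}


def demo() -> dict:
    """For each sample port, pick the best-ordered probe and classify the canned response."""
    probes = parse_magic(SAMPLE_MAGIC)
    return {port: identify(probes_for_port(probes, port)[0], resp)
            for port, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for port, service in demo().items():
        print(f"port {port}: {service}")
```

The only parts that touch the wire in a real implementation are the send string and the response buffer; everything else is string handling, which is why the author expects the format to be cheap to implement. Note that a leading `+` (as in `+OK`) has to be escaped in the regexp, otherwise most engines reject the pattern.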
A possible XML alternative would be:
<SERVICEPROBE TCP="21,22,23,25,80,110,1080,8080" SEND="GET / HTTP/1.0\r\n\r\n">
<SERVICE NAME="ftp" REGEX="220.*ftp" />
<SERVICE NAME="pop3" REGEX="\+OK" />
...
</SERVICEPROBE>
<SERVICEPROBE TCP="6000-6010" SEND="\x32\x28\x14\x29\x71\xB4">
<SERVICE NAME="x11" REGEX="\x31\x72\x98" />
</SERVICEPROBE>
Of course if we did use XML we would need a high quality free XML parsing
library. Is libxml the way to go or are there better ones that any of you
recommend?
Cheers,
-F
---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).