Nmap Development
mailing list archives
RE: Nmap Service Detection Proposal
From: "Jay Freeman \(saurik\)" <saurik () saurik com>
Date: Tue, 29 Aug 2000 10:30:24 -0500
The finger protocol is trivial to the point where it is almost impossible to
correctly detect :(. You connect to it, give it a string of
space-delineated usernames (possibly with an "@hostname"), and end with a
line feed. The server then returns either information for each of these
users in a non-standardized format, or returns a non-standardized error
message. Searching for the formats given by each finger daemon is the most
powerful way to do it.
I connected to a few finger servers, and queried for "hello () [something I
expect it to return results for]". Here were the results (blotted out some
hostnames with "xXxXx"):
++++++
Welcome to Linux version 2.0.30 at xXxXx !
5:54am up 6 days, 20:23, 0 users, load average: 1.43, 1.51, 1.48
finger: hello: no such user.
++++++
++++++
finger: hello: no such user.
++++++
++++++
[xXxXx]
Login Name TTY Idle When Where
hello ???
++++++
++++++
This is xXxXx finger server.
Sorry, user hello not found
++++++
The RFC verifies this:
<quote>
2.5. Expected RUIP response
For the most part, the output of an RUIP doesn't follow a strict
specification, since it is designed to be read by people instead of
programs. It should mainly strive to be informative.
Output of ANY query is subject to the discussion in the security
section.
</quote>
"finger.c", as you suggest, is just a simple program that connects to the
host at port 79, then sends its query, and bricks back its result. You
could point it at an FTP server and it would return the FTP banner. To
prove it, I redirected port 79 to port 21.
[root(3)@ironclad rfc]# finger hello () saurik com
[saurik.com]
220 ironclad.saurik.com FTP server (Version wu-2.6.0(1) Fri Feb 4 23:37:48
EST 2000) ready.
530 Please login with USER and PASS.
From this point finger is just sitting there waiting for the server to
disconnect it.
Sincerely,
Jay Freeman (saurik)
saurik () saurik com
-----Original Message-----
From: Paul Tod Rieger [mailto:prie () abl com]
Sent: Tuesday, August 29, 2000 1:50 AM
To: nmap-dev () insecure org
Subject: Re: Nmap Service Detection Proposal
Fyodor <fyodor () insecure org> wrote:
I suspect that the vast majority of protocols
could be detected via a sufficiently clever probe
string and regex match. Can anyone think of any
protocols that could not be detected by method
but could with a more powerful (think "C") syntax?
http://www.attrition.org/tools/other/binfo.c may help with 53/domain.
Can 79/finger be probed with string/regex? (Or maybe finger.c would be
needed?)
Tod
abl.com
---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
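The probe-and-regex approach the thread discusses, applied to the four finger replies and the FTP-on-port-79 case shown above, as an added Python example (not part of the original post or of nmap; the 5-second timeout, the 4 KB read limit and the signature labels are assumptions):

```python
import re
import socket

def build_finger_query(users):
    # RFC 1288 query: space-separated user names, terminated by CRLF.
    return (" ".join(users) + "\r\n").encode("ascii")

# Response signatures, most specific first. The first four come from the replies
# quoted above; the last catches a non-finger service answering on 79 (the FTP case).
SIGNATURES = [
    ("finger: Linux welcome banner with uptime", re.compile(r"^Welcome to Linux version .* at .*!$", re.M)),
    ("finger: 'Login Name TTY Idle When Where' table", re.compile(r"^Login\s+Name\s+TTY\s+Idle\s+When\s+Where", re.M)),
    ("finger: 'Sorry, user ... not found' style", re.compile(r"^Sorry, user \S+ not found", re.M)),
    ("finger: terse 'no such user' style", re.compile(r"^finger: \S+: no such user\.", re.M)),
    ("NOT finger: FTP greeting on port 79", re.compile(r"^220 .* FTP server", re.M)),
]

def classify_finger_response(text):
    """Label of the first matching signature, or None when nothing matched."""
    for label, pattern in SIGNATURES:
        if pattern.search(text):
            return label
    return None

def finger_probe(host, users=("hello",), port=79, timeout=5.0, limit=4096):
    """Send one query; read until EOF, the byte limit, or the timeout (a peer like FTP never hangs up)."""
    chunks, total = [], 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_finger_query(users))
        try:
            while total < limit:
                data = s.recv(1024)
                if not data:
                    break
                chunks.append(data)
                total += len(data)
        except socket.timeout:
            pass  # classify whatever arrived before the peer went quiet
    return b"".join(chunks).decode("latin-1")
# Constructed sample replies, transcribed from the message above.
SAMPLE_RESPONSES = {
    "linux_banner": "Welcome to Linux version 2.0.30 at xXxXx !\n 5:54am up 6 days, 20:23, 0 users, load average: 1.43, 1.51, 1.48\nfinger: hello: no such user.\n",
    "terse": "finger: hello: no such user.\n",
    "table": "[xXxXx]\nLogin Name TTY Idle When Where\nhello ???\n",
    "sorry": "This is xXxXx finger server.\nSorry, user hello not found\n",
    "ftp_on_79": "[saurik.com]\n220 ironclad.saurik.com FTP server (Version wu-2.6.0(1)) ready.\n530 Please login with USER and PASS.\n",
}

def classify_samples():
    return {name: classify_finger_response(text) for name, text in SAMPLE_RESPONSES.items()}
```

Because the banner sample also contains the terse "no such user" line, signature order decides the label; keep the more specific pattern first, as nmap's match ordering does for the same reason.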