Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

nmap-dev logo Nmap Development mailing list archives

Re: [RFC] Output file option for capturing service and os fingerprints
From: Tom Sellers <nmap () fadedcode net>
Date: Thu, 19 Jun 2008 20:16:50 -0500
Michael Pattrick wrote:

Hey tom,

I just noticed that Brandon already posted a script for this, but I
wrote one too! lol

It lists all unidentified OS fingerprints(or all fingerprints if the
scan was -v or -d) and all unidentified services.
It requires the latest Nmap::Parser[1] and the output is like this:


perl getOS.pl scan.xml

IP: 10.0.0.2
SCAN(V=4.65%D=6/19%OT=14334%CT=%CU=42336%PV=Y%DS=1%G=N%M=0016D3%TM=485AFC95%P=x86_64-unknown-linux-gnu)
SEQ(SP=FA%GCD=1%ISR=103%TI=I%II=I%SS=S%TS=0)
OPS(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4NW0NNT00%O4=M5B4NW0NNT00NNS%O5=M5B4NW0NNT00NNS%O6=M5B4NNT00NNS)
...snip...
IE(R=Y%DFI=S%T=80%TOSI=Z%CD=Z%SI=S%DLI=S)

Unidentified service, TCP port 14334:
SF-Port14334-TCP:V=4.65%I=7%D=6/19%Time=485AFC82%P=x86_64-unknown-linux-gnu%r(GetRequest,20,"\xbf\x13\xde
...snip...
SF:r\x88\x97a\x0c")%r(SIPOptions,20,"\xfc\xac\|\xf8\xa9\x04\x07\xa5\x20\x1
SF:c\x88\xbc7k\]\xd1\xf3\xa7\xa8\x90\xb3qE\?\x8d\xa4\

I hope this is what you were thinking of.

Cheers,
Michael

[1] http://nmapparser.wordpress.com/


  multiple large network segments

and then check the files for unidentified services and devices.

I have some very basic c skills and looking at the code this change
looks like something I might be able to do. For the service portion
I think most of the changes would be in the program argument handling
section in nmap.cc, the output header file, some changes around
822 in output.cc, and then making sure the file is closed properly.

Any thoughts on this?  Oh, if there is already a simple way to do
this please break out the clue stick and fill me in.

Thanks,




Thanks to both of you for the info.  That should cover my needs nicely.

Tom

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]