mailing list archives
Re: regarding set_port_version probestates
From: David Fifield <david () bamsoftware com>
Date: Sat, 8 Jan 2011 20:53:36 -0800
On Sat, Jan 01, 2011 at 03:47:13PM +0200, Toni Ruottu wrote:
On Sat, Jan 1, 2011 at 2:40 PM, Toni Ruottu <toni.ruottu () iki fi> wrote:
I am trying to find a way to express protocol/version assumptions from
NSE scripts. Sometimes exploring host A reveals information about host
B. For example host A could be running Gnutella and it might tell me
it is connected to host B's port 12345. This information justifies
running any gnutella protocol scripts against B:12345, but it does not
justify reporting B:12345 as being open nor does it justify reporting
that B:12345 is a gnutella server. A could be evil or broken.
Ofcourse, if we get to run gnutella scripts against B:12345 we may be
able to identify it as open or gnutella. On the other hand reporting
these assumptions to user may be useful as long as it is made clear
that they might be wrong. Can I use one of the probestates for this?
Also, can I state such assumptions from when I am running nmap from
the command-line. If I am looking for a gnutella server I might want
to assume that all open ports are gnutella servers, or maybe my friend
told me to scan his gnutella server on some funny port.
I'm afraid there's no easy way to do that. What I would do is make a
copy of nmap-services, edit the relevant service name to be "gnutella"
or whatever, and then run Nmap again with --servicedb. If there was a
version probe I wanted to use, I would edit it to use ports 1-65535 and
then use --versiondb.
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/