Nmap Development mailing list archives

Re: Question on --version-intensity and -sR interaction
From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 4 Mar 2011 18:12:40 -0600

On Fri, Mar 4, 2011 at 4:55 PM, Fyodor <fyodor () insecure org> wrote:

> When service detection is enabled, RPC scan (-sR) only runs against
> ports which were determined (by service detection) to be "rpcbind".
> This can only happen in response to three probes: tcp "RPCCheck", tcp
> "NotesRPC", or udp "RPCCheck".

Maybe this is just a documentation issue, then. The man page says:

    It takes all the TCP/UDP ports found open and floods them with SunRPC
    program NULL commands in an attempt to determine whether they are RPC
    ports, and if so, what program and version number they serve up. Thus
    you can effectively obtain the same info as rpcinfo -p even if the
    target's portmapper is behind a firewall (or protected by TCP

which seems to contradict what you said about only if they are
detected as "rpcbind."

> In addition to the RPC scan, version detection can enable the version
> detection category of NSE scripts.

If someone wanted to prevent this step, could they not use --script "not all"?

> Does the "rpcbind" limitation resolve your issue, or is RPC scan still
> likely to present a problem?

This probably solves it. I'll have to do some testing to be sure. If
that is the case, then the man page

> Have you also limited the probes in the file, or are you using the
> file as is?

I'm using the file as-is. The services I've crashed before have IIRC
been running on ports without specific probes assigned.

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
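The question in this thread is which probes -sV sends to a port at a given --version-intensity, and therefore on which ports a version scan can ever produce the "rpcbind" match that triggers the RPC follow-up. What follows is an added example for this archive page, not code from the thread or from Nmap itself: a small Python model of the probe-selection rule documented for -sV (the TCP NULL probe is always sent; any other probe is sent only when its rarity is at or below the intensity, or when the target port is listed in the probe's ports directive), run over a constructed nmap-service-probes snippet whose probe strings, rarity values and port lists are placeholders. All function and variable names are this example's own, and a missing rarity line is treated as rarity 1 by assumption.

```python
"""Model of -sV probe selection by --version-intensity (added example).

Not Nmap code. Documented rule modelled here: the TCP NULL probe is always
sent; every other probe is sent only if rarity <= intensity, or if the
scanned port appears in that probe's 'ports' directive. From that we can
ask whether any probe able to match "rpcbind" (and so trigger -sR) is
ever sent to a given port.
"""
from dataclasses import dataclass, field

# Constructed snippet in nmap-service-probes syntax. Probe strings, rarity
# values and port lists are placeholders, not copied from the real file.
SAMPLE_PROBES = r"""
Probe TCP NULL q||
rarity 1
match ftp m|^220 .*FTP| p/Generic FTP/

Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
rarity 1
ports 80,443,8080

Probe TCP RPCCheck q|RPCCHECK-PLACEHOLDER|
rarity 7
ports 111,32771-32779

Probe UDP RPCCheck q|RPCCHECK-PLACEHOLDER|
rarity 7
ports 111,32771-32779

Probe TCP NotesRPC q|NOTESRPC-PLACEHOLDER|
rarity 9
ports 1352
"""

# The three probes the thread names as the only ones that can yield "rpcbind".
RPC_DETECTING = {("TCP", "RPCCheck"), ("TCP", "NotesRPC"), ("UDP", "RPCCheck")}


@dataclass
class Probe:
    proto: str
    name: str
    rarity: int = 1  # assumption: a probe with no rarity line counts as 1
    ports: set = field(default_factory=set)


def parse_port_spec(spec):
    """'111,32771-32779' -> set of ints, with ranges expanded."""
    out = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            out.update(range(int(lo), int(hi) + 1))
        else:
            out.add(int(part))
    return out


def parse_probes(text):
    """Parse only the directives this model needs: Probe, rarity, ports."""
    probes, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        key = fields[0]
        if key == "Probe":  # "Probe <proto> <name> q|...|"
            cur = Probe(proto=fields[1], name=fields[2].split()[0])
            probes.append(cur)
        elif cur is None:
            continue  # directives before the first Probe are ignored
        elif key == "rarity":
            cur.rarity = int(fields[1])
        elif key == "ports":
            cur.ports = parse_port_spec(fields[1])
        # match/softmatch/totalwaitms etc. do not affect probe selection
    return probes


def select_probes(probes, proto, port, intensity=7):
    """Names, in file order, of probes that would be sent to proto/port."""
    chosen = []
    for p in probes:
        if p.proto != proto:
            continue
        always = proto == "TCP" and p.name == "NULL"
        if always or port in p.ports or p.rarity <= intensity:
            chosen.append(p.name)
    return chosen


def rpc_followup_possible(probes, proto, port, intensity=7):
    """True if a probe that can match "rpcbind" is among those sent, i.e.
    whether -sR could still be triggered for this port under -sV."""
    return any((proto, name) in RPC_DETECTING
               for name in select_probes(probes, proto, port, intensity))


DB = parse_probes(SAMPLE_PROBES)

if __name__ == "__main__":
    for proto, port in [("TCP", 80), ("TCP", 111), ("TCP", 2049), ("UDP", 2049)]:
        for intensity in (0, 7, 9):
            print(proto, port, "intensity", intensity,
                  select_probes(DB, proto, port, intensity),
                  "rpc follow-up:", rpc_followup_possible(DB, proto, port, intensity))
```

With this snippet, port 111 gets RPCCheck even at intensity 0 because it is listed in the probe's ports directive, while an unlisted port such as 2049 only sees RPCCheck once the intensity reaches the probe's rarity. The real nmap-service-probes file is far larger and has its own rarity and ports values, so run the same logic over that file before drawing conclusions about a production target; the model also ignores softmatch fallbacks and SSL handling, which can cause additional probes to be sent.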
