Nmap Development mailing list archives

Re: nse unusual-port ident bug
From: David Fifield <david () bamsoftware com>
Date: Sun, 27 Nov 2011 09:35:40 -0800

On Sat, Nov 26, 2011 at 07:07:11PM +0100, Patrik Karlsson wrote:
> Hmm, the script design seemed like a good idea at the time of the writing
> but now maybe not so much.
> What happens is that the script loads the nmap-services file in order to
> avoid duplicating service info into a static table.
> It then runs as a portrule for each open port and attempts to match the
> name of the service, as discovered by the service scan, against the entry
> for that port number in the nmap-services file.
> In this case, the entry in nmap-services says "auth" while the
> service/version scan recognizes the port as "ident".
> While, to the best of my knowledge, this is essentially the same service
> there's a discrepancy between the entries in the file nmap-services and
>
> I see two different solutions:
> 1. Make sure that the service names in the two different files are properly
> 2. Create an alternative smaller table in the unusual-port script that
> contains a subset of the services
>
> Not sure how to proceed here, ideas and feedback are welcome.

The script can't rely solely on nmap-services. It needs its own
whitelist of acceptable services for different ports. Another example I
can think of is "http" on port 443, where nmap-services has "https".
There may be multiple acceptable service names for a given port number.

Factor out a function that takes a port number and a service name and
returns whether it's acceptable or not. "http" needs to be acceptable
for any port number for which shortport.http returns true. Here are some
test cases.

22/tcp          ssh             no output
25/tcp          smtp            no output
25/tcp          ssh             ssh unexpected
80/tcp          http            no output
100/tcp         http            http unexpected
113/tcp         ident           no output
113/tcp         auth            no output
443/tcp         ssl/http        no output
587/tcp         smtp            no output
8080/tcp        http            no output
9970/tcp        http            http unexpected

Maybe a later version of the script could also warn about the presence
or lack of SSL tunnelling.

80/tcp  open    ssl/http        unexpected ssl tunnel on port 80
443/tcp open    http            expected ssl tunnel on port 443

David Fifield
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
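
The factored-out check suggested in the message above, as an added example that is not part of the original post or of Nmap's own code. It is written in plain Lua (the language of NSE scripts) so it runs without Nmap; the `ACCEPTABLE` and `HTTP_PORTS` tables are constructed for illustration, and `HTTP_PORTS` is a hypothetical stand-in for whatever `shortport.http` accepts.

```lua
-- Added example: whitelist check for "service seen on unexpected port".
-- All table contents below are constructed, not taken from nmap-services.

-- Acceptable service names per port; a port may have several aliases.
local ACCEPTABLE = {
  [22]  = { ssh = true },
  [25]  = { smtp = true },
  [113] = { auth = true, ident = true },   -- two names, same service
  [443] = { https = true },
  [587] = { smtp = true, submission = true },
}

-- Hypothetical stand-in for shortport.http: ports where "http" is expected.
local HTTP_PORTS = { [80] = true, [443] = true, [8080] = true }

-- Drop a tunnel prefix so that "ssl/http" is compared as "http".
local function base_service(name)
  return (name:match("^[^/]+/(.+)$")) or name
end

-- Returns true when `service` is an expected name for `port`.
local function is_acceptable(port, service)
  local svc = base_service(service)
  if svc == "http" and HTTP_PORTS[port] then
    return true
  end
  local names = ACCEPTABLE[port]
  return names ~= nil and names[svc] == true
end

-- The test cases listed in the message: { port, service, acceptable? }
local cases = {
  { 22, "ssh", true },    { 25, "smtp", true },      { 25, "ssh", false },
  { 80, "http", true },   { 100, "http", false },    { 113, "ident", true },
  { 113, "auth", true },  { 443, "ssl/http", true }, { 587, "smtp", true },
  { 8080, "http", true }, { 9970, "http", false },
}

for _, c in ipairs(cases) do
  local port, service, expected = c[1], c[2], c[3]
  local ok = is_acceptable(port, service)
  assert(ok == expected, port .. "/tcp " .. service .. ": wrong verdict")
  if not ok then
    print(("%d/tcp\t%s\t%s unexpected"):format(port, service, base_service(service)))
  end
end
```

Run with a stock `lua` interpreter, it prints one line for each of the three "unexpected" cases and raises an error if any verdict differs from the list in the message.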