Re: nse unusual-port ident bug
From: David Fifield <david () bamsoftware com>
Date: Sun, 27 Nov 2011 09:35:40 -0800
On Sat, Nov 26, 2011 at 07:07:11PM +0100, Patrik Karlsson wrote:
> Hmm, the script design seemed like a good idea at the time of the writing
> but now maybe not so much.
> What happens is that the script loads the nmap-services file in order to
> avoid duplicating service info into a static table.
> It then runs as a portrule for each open port and attempts to match the
> name of the service, as discovered by the service scan, against the entry
> for that port number in the nmap-services file.
> In this case, the entry in nmap-services says "auth" while the
> service/version scan recognizes the port as "ident".
> While, to the best of my knowledge, this is essentially the same service,
> there's a discrepancy between the entries in the file nmap-services and
> I see two different solutions:
> 1. Make sure that the service names in the two different files are properly
> 2. Create an alternative smaller table in the unusual-port script that
> contains a subset of the services
> Not sure how to proceed here, ideas and feedback are welcome.
The script can't rely solely on nmap-services. It needs its own
whitelist of acceptable services for different ports. Another example I
can think of is "http" on port 443, where nmap-services has "https".
There may be multiple acceptable service names for a given port number.
Factor out a function that takes a port number and a service name and
returns whether it's acceptable or not. "http" needs to be acceptable
for any port number for which shortport.http returns true. Here are some
22/tcp ssh no output
25/tcp smtp no output
25/tcp ssh ssh unexpected
80/tcp http no output
100/tcp http http unexpected
113/tcp ident no output
113/tcp auth no output
443/tcp ssl/http no output
587/tcp smtp no output
8080/tcp http no output
9970/tcp http http unexpected
Maybe a later version of the script could also warn about the presence
or lack of SSL tunnelling.
80/tcp open ssl/http unexpected ssl tunnel on port 80
443/tcp open http expected ssl tunnel on port 443
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
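The check David describes above (a function taking a port number and a service name and returning whether the pairing is acceptable, with "http" accepted wherever an HTTP port is expected, plus the later idea of flagging a present or missing SSL tunnel), written out as an added standalone example. This is not code from the thread or from Nmap's unusual-port script: it runs in plain Lua without the NSE libraries, the whitelist table and the SSL-expected port list are assumed sample data, and the http_ports table stands in for shortport.http, whose real port list lives in Nmap's shortport library.

```lua
-- Added example, not the Nmap project's code. Whitelist contents are assumptions.

-- Stand-in for shortport.http (assumption: a small subset of the ports the
-- real shortport library treats as HTTP).
local http_ports = {
  [80] = true, [280] = true, [443] = true, [591] = true,
  [593] = true, [8000] = true, [8008] = true, [8080] = true, [8443] = true,
}

-- Per-port whitelist of acceptable service names. A port may list several
-- names, which is what nmap-services alone cannot express (auth vs ident).
local acceptable = {
  [22]  = { ssh = true },
  [25]  = { smtp = true },
  [113] = { ident = true, auth = true },
  [443] = { http = true, https = true },
  [587] = { smtp = true },
}

-- Ports on which an SSL/TLS tunnel is expected (assumption: minimal list).
local ssl_expected = { [443] = true, [465] = true, [993] = true, [995] = true }

-- The factored-out check: is this service name acceptable on this port?
local function is_acceptable(port, service)
  local names = acceptable[port]
  if names and names[service] then return true end
  -- "http" is acceptable on any port the HTTP port list covers.
  if service == "http" and http_ports[port] then return true end
  return false
end

-- Returns nil when nothing should be reported (the script's "no output"
-- case), otherwise the message the script would print for the port.
local function check(port, service)
  -- Version detection reports tunneled services as "ssl/<name>".
  local tunneled, base = false, service
  if service:sub(1, 4) == "ssl/" then
    tunneled, base = true, service:sub(5)
  end
  if not is_acceptable(port, base) then
    return service .. " unexpected"
  end
  if tunneled and not ssl_expected[port] then
    return string.format("unexpected ssl tunnel on port %d", port)
  end
  if not tunneled and ssl_expected[port] and base ~= "https" then
    return string.format("expected ssl tunnel on port %d", port)
  end
  return nil
end

-- Constructed sample of (port, detected service) pairs, mirroring the
-- examples in the message above.
local samples = {
  { 22, "ssh" }, { 25, "smtp" }, { 25, "ssh" }, { 80, "http" },
  { 100, "http" }, { 113, "ident" }, { 113, "auth" }, { 443, "ssl/http" },
  { 587, "smtp" }, { 8080, "http" }, { 9970, "http" },
  { 80, "ssl/http" }, { 443, "http" },
}

for _, s in ipairs(samples) do
  local port, service = s[1], s[2]
  print(string.format("%d/tcp %-9s %s", port, service,
                      check(port, service) or "no output"))
end
```

Keeping is_acceptable separate from check means the whitelist can be consulted by other scripts (or unit-tested) without the reporting logic, and the SSL warning stays an independent rule layered on top rather than another entry in the service table.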