Re: nse unusual-port ident bug
From: Patrik Karlsson <patrik () cqure net>
Date: Tue, 29 Nov 2011 01:56:04 +0100
On Sun, Nov 27, 2011 at 6:35 PM, David Fifield <david () bamsoftware com> wrote:
> On Sat, Nov 26, 2011 at 07:07:11PM +0100, Patrik Karlsson wrote:
> > Hmm, the script design seemed like a good idea at the time of the writing
> > but now maybe not so much.
> > What happens is that the script loads the nmap-services file in order to
> > avoid duplicating service info into a static table.
> > It then runs as a portrule for each open port and attempts to match the
> > name of the service, as discovered by the service scan, against the entry
> > for that port number in the nmap-services file.
> > In this case, the entry in nmap-services says "auth" while the
> > service/version scan recognizes the port as "ident".
> > While, to the best of my knowledge, this is essentially the same service
> > there's a discrepancy between the entries in the file nmap-services and
> > I see two different solutions:
> > 1. Make sure that the service names in the two different files are
> > 2. Create an alternative smaller table in the unusual-port script that
> > contains a subset of the services
> > Not sure how to proceed here, ideas and feedback are welcome.
> The script can't rely solely on nmap-services. It needs its own
> whitelist of acceptable services for different ports. Another example I
> can think of is "http" on port 443, where nmap-services has "https".
> There may be multiple acceptable service names for a given port number.
> Factor out a function that takes a port number and a service name and
> returns whether it's acceptable or not. "http" needs to be acceptable
> for any port number for which shortport.http returns true. Here are some
> 22/tcp ssh no output
> 25/tcp smtp no output
> 25/tcp ssh ssh unexpected
> 80/tcp http no output
> 100/tcp http http unexpected
> 113/tcp ident no output
> 113/tcp auth no output
> 443/tcp ssl/http no output
> 587/tcp smtp no output
> 8080/tcp http no output
> 9970/tcp http http unexpected
> Maybe a later version of the script could also warn about the presence
> or lack of SSL tunnelling.
> 80/tcp open ssl/http unexpected ssl tunnel on port 80
> 443/tcp open http expected ssl tunnel on port 443

I just committed (r27260) an update to this script that allows whitelisting
by port number or service.
What it essentially means is that there is a table for tcp and udp ports
that each have a function that determines whether the port is unusual or
not. The same applies to the service name table. This allows us to make
corrections such as ident and also checking against ranges or specific
known ports for a particular service, e.g. shortport.http.
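The whitelist check David describes and the per-port, per-service function tables from Patrik's r27260 update, as an added stand-alone example in Lua (not the unusual-port script's own code). It needs no Nmap modules, so shortport.http's port list and the set of ports on which an SSL tunnel is expected are reproduced by hand here as assumptions; the cases at the end are the examples from the thread.

```lua
-- shortport.http's port list, copied by hand (assumption: may differ per Nmap release).
local HTTP_PORTS = {}
for _, p in ipairs({80, 443, 631, 7080, 8080, 8443, 8088, 5800, 3872, 8180, 8000}) do
  HTTP_PORTS[p] = true
end
-- Service-name table: each entry is a function of the port, so a service can be
-- accepted on a set or range of ports rather than on one nmap-services line.
local SERVICE_RULES = {
  http  = function(port) return HTTP_PORTS[port.number] == true end,
  ssh   = function(port) return port.number == 22 end,
  smtp  = function(port) return port.number == 25 or port.number == 587 end,
  -- "ident" (version scan) and "auth" (nmap-services) name the same service.
  ident = function(port) return port.number == 113 end,
  auth  = function(port) return port.number == 113 end,
}
-- Ports on which an SSL tunnel is expected (assumption: only 443 in this sketch).
local SSL_EXPECTED = { [443] = true }
-- Split "ssl/http" into service "http" and tunnel "ssl"; plain names have no tunnel.
local function split_tunnel(name)
  local tunnel, svc = name:match("^(ssl)/(.+)$")
  if tunnel then return svc, tunnel end
  return name, nil
end
-- Returns nil when the service is acceptable on the port, otherwise the
-- message the script would print for that port.
local function unusual(port, service_name)
  local svc, tunnel = split_tunnel(service_name)
  local rule = SERVICE_RULES[svc]
  if not (rule and rule(port)) then return svc .. " unexpected" end
  if tunnel and not SSL_EXPECTED[port.number] then
    return "unexpected ssl tunnel on port " .. port.number
  elseif not tunnel and SSL_EXPECTED[port.number] then
    return "expected ssl tunnel on port " .. port.number
  end
  return nil
end
-- Constructed cases, taken from the examples given in the thread.
local cases = {
  {22, "ssh", nil}, {25, "smtp", nil}, {25, "ssh", "ssh unexpected"},
  {80, "http", nil}, {100, "http", "http unexpected"}, {113, "ident", nil},
  {113, "auth", nil}, {443, "ssl/http", nil}, {587, "smtp", nil},
  {8080, "http", nil}, {9970, "http", "http unexpected"},
  {80, "ssl/http", "unexpected ssl tunnel on port 80"},
  {443, "http", "expected ssl tunnel on port 443"},
}
for _, c in ipairs(cases) do
  local got = unusual({ number = c[1], protocol = "tcp" }, c[2])
  assert(got == c[3], string.format("%d/tcp %s: got %s", c[1], c[2], tostring(got)))
end
```

Running it with a plain `lua` interpreter exits silently when every case matches the thread's expected output; a failing assertion names the port and service that diverged.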
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/