Nmap Development mailing list archives

Re: nse unusual-port ident bug
From: Patrik Karlsson <patrik () cqure net>
Date: Tue, 29 Nov 2011 01:56:04 +0100

On Sun, Nov 27, 2011 at 6:35 PM, David Fifield <david () bamsoftware com> wrote:

On Sat, Nov 26, 2011 at 07:07:11PM +0100, Patrik Karlsson wrote:
Hmm, the script design seemed like a good idea at the time of the writing
but now maybe not so much.
What happens is that the script loads the nmap-services file in order to
avoid duplicating service info into a static table.
It then runs as a portrule for each open port and attempts to match the
name of the service, as discovered by the service scan, against the entry
for that port number in the nmap-services file.
In this case, the entry in nmap-services says "auth" while the
service/version scan recognizes the port as "ident".
While, to the best of my knowledge, this is essentially the same service
there's a discrepancy between the entries in the file nmap-services and
nmap-service-probes.

I see two different solutions:
1. Make sure that the service names in the two different files are
properly aligned
2. Create an alternative smaller table in the unusual-port script that
contains a subset of the services

Not sure how to proceed here, ideas and feedback are welcome.

The script can't rely solely on nmap-services. It needs its own
whitelist of acceptable services for different ports. Another example I
can think of is "http" on port 443, where nmap-services has "https".
There may be multiple acceptable service names for a given port number.

Factor out a function that takes a port number and a service name and
returns whether it's acceptable or not. "http" needs to be acceptable
for any port number for which shortport.http returns true. Here are some
test cases.

22/tcp          ssh             no output
25/tcp          smtp            no output
25/tcp          ssh             ssh unexpected
80/tcp          http            no output
100/tcp         http            http unexpected
113/tcp         ident           no output
113/tcp         auth            no output
443/tcp         ssl/http        no output
587/tcp         smtp            no output
8080/tcp        http            no output
9970/tcp        http            http unexpected

Maybe a later version of the script could also warn about the presence
or lack of SSL tunnelling.

80/tcp  open    ssl/http        unexpected ssl tunnel on port 80
443/tcp open    http            expected ssl tunnel on port 443

David Fifield


I just committed (r27260) an update to this script that allows whitelisting
by port number or service.
What it essentially means is that there is a table for tcp and udp ports
that each have a function that determines whether the port is unusual or
not. The same applies to the service name table. This allows us to make
corrections such as ident and also to check against ranges or specific
known ports for a particular service, e.g. shortport.http.

Cheers,
Patrik

-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
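A standalone sketch of the whitelist Patrik describes, checked against David's cases above (added example, not the committed r27260 script or any Nmap code; the http port list standing in for shortport.http and the ssl_ports table are assumptions):

```lua
-- Added example, not the nmap unusual-port script: the port table and the
-- service table each hold a predicate function, so a single entry can cover
-- aliases (auth/ident) or whole ranges. Assumptions: http_ports stands in
-- for shortport.http, and ssl_ports marks where an SSL tunnel is expected.
local http_ports = { [80]=true, [443]=true, [631]=true, [8000]=true, [8080]=true }
local ssl_ports  = { [443]=true }
local function is_http_port(port) return http_ports[port] == true end

-- tcp port -> function(service) -> true when that service is usual on the port
local tcp_ports = {
  [22]  = function(s) return s == "ssh" end,
  [25]  = function(s) return s == "smtp" end,
  [587] = function(s) return s == "smtp" end,
  [113] = function(s) return s == "ident" or s == "auth" end,  -- same service
}
-- service name -> function(port) -> true when that port is usual for the service
local services = {
  http = is_http_port,
}

-- Returns nil when nothing is unusual, otherwise the message the script
-- would print. An "ssl/" prefix from the version scan is checked separately.
local function check(port, service)
  local tunnel, name = service:match("^(ssl)/(.+)$")
  name = name or service
  local by_port, by_service = tcp_ports[port], services[name]
  local usual = (by_port and by_port(name)) or (by_service and by_service(port))
  if not usual then return name .. " unexpected" end
  if tunnel and not ssl_ports[port] then
    return "unexpected ssl tunnel on port " .. port
  elseif not tunnel and ssl_ports[port] then
    return "expected ssl tunnel on port " .. port
  end
  return nil
end

-- David's cases from the thread, plus his two SSL tunnel examples.
local cases = {
  {22, "ssh"}, {25, "smtp"}, {25, "ssh", "ssh unexpected"}, {80, "http"},
  {100, "http", "http unexpected"}, {113, "ident"}, {113, "auth"},
  {443, "ssl/http"}, {587, "smtp"}, {8080, "http"},
  {9970, "http", "http unexpected"},
  {80, "ssl/http", "unexpected ssl tunnel on port 80"},
  {443, "http", "expected ssl tunnel on port 443"},
}
for _, c in ipairs(cases) do
  assert(check(c[1], c[2]) == c[3], ("%d/tcp %s failed"):format(c[1], c[2]))
end
print("all " .. #cases .. " cases pass")
```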