Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: nse unusual-port ident bug
From: Fyodor <fyodor () insecure org>
Date: Tue, 29 Nov 2011 18:55:00 -0800

On Sat, Nov 26, 2011 at 07:07:11PM +0100, Patrik Karlsson wrote:

In this case, the entry in nmap-services says "auth" while the
service/version scan recognizes the port as "ident".  While, to the
best of my knowledge, this is essentially the same service there's a
discrepancy between the entries in the file nmap-services and
nmap-service-probes.

One thing that might help is to search the whole nmap-services entry
(including comments) for the discovered service name.  Aliases and
alternatives for a given port number are often listed in the comment
section of each line.  For example, port 113 looked like:

auth    113/tcp 0.012370        # ident, tap, Authentication Service

So you would have found ident there if you had searched the whole
line.  Of course I've now changed the name to ident for consistency
with version detection results, so this particular example is moot.
But there are many other cases where alternatives are listed in the
comments.  And if you find cases where they aren't, you could add them
to the comments (remember to edit /nmap-private-dev/nmap-services-all
rather than /nmap/nmap-services directly).  This could possibly avoid
the need for a whitelist (though a whitelist isn't really a bad idea
either).

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault