Nmap Development mailing list archives

Re: Comments on OS detection 2nd generation (soft fingerprinting)


From: "Joshua D. Abraham" <jabra () ccs neu edu>
Date: Sat, 27 May 2006 00:40:23 -0400

On 26.May.2006 09:18PM -0700, Fyodor wrote:

On Fri, May 26, 2006 at 11:52:15PM -0400, Joshua D. Abraham
wrote:
Nmap actually does have that capability.  Doug added it
last year.  But the version detection signatures need to be
augmented.  Look at Josh's mail:
Are you referring to my banner patch?

I'm referring to the (relatively) new o// d// and h// fields
that Nmap can now use to determine the OS family, device type,
and host name during version detection if the app
(intentionally or accidentally) reveals that information and the
signature was carefully enough written to detect it.  These are
documented here:

http://www.insecure.org/nmap/vscan/vscan-fileformat.html#id248104

I think that if the user could have access to the banner that
they would be able to determine this information more easily.

If Nmap recognizes the service but misses useful information
from the banner, we should rewrite the signature to include
that information (in the i// extra information field if we
can't parse it more specifically).  If Nmap doesn't recognize
the service, you do get the banner (if the service gave one) in
the form of a version fingerprint in both normal and XML
output.


What I mean is that with my banner patch the user could extract
the banner from an nmap scan easily, and it would make submitting
to this type of survey easy for users. We would just need to write
up a quick Perl script to parse the XML file, simply extracting the
SSH banner.

Again, I'm sure there might be other services, say for Windows or
something, that might be of use as well.

You mean where the banner carries useful information that Nmap version
detection doesn't pick up on?  Then report those cases and we'll
update the relevant signatures to report the extra information.  To
just say "we'll just print out whatever data the service spews at us
and hope the user can figure it out" would be, I think, a copout.

What I was suggesting is that the user may want to verify the
version detection and sometimes the banner is a useful way of
doing so.

Therefore, if we had people able to run the scan with the banner
included in the XML, we could parse that in a survey or something.

We may very well do that.  We'll just erase the existing ssh
signatures from a copy of nmap-service-probes, run our scans, and then
collect the banner information from the version detection fingerprint
in the XML or normal output.

-- 
Joshua D. Abraham
Northeastern University
College of Computer and Information Science
www.ccs.neu.edu/home/jabra


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
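The thread talks about two ways the SSH banner surfaces in Nmap's XML output: when version detection matches a signature, the `<service>` element carries `product`/`version`/`extrainfo` plus the `ostype`, `devicetype` and `hostname` attributes that the o//, d// and h// signature fields populate; when it does not match, the raw banner survives only inside the `servicefp` (service fingerprint) attribute, escaped the way Nmap prints fingerprints. The script below is an added example in Python rather than the "quick perl script" mentioned above, and is not code from the Nmap project or from either poster. The XML document it parses is constructed sample data (two hosts, one recognized OpenSSH and one unrecognized Cisco SSH server), and the fingerprint escaping it undoes (`\xHH`, `\r`, `\n`, and backslash-escaped regex metacharacters such as `\.`) is what Nmap's fingerprint format uses.

```python
"""Extract SSH version-detection results and raw banners from Nmap XML.

Added example, not Nmap project code. SAMPLE_XML is constructed data
shaped like `nmap -sV -oX` output; it is not a real scan.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_XML = r"""<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/30">
  <host>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.3"
                 extrainfo="protocol 2.0" ostype="Linux"
                 method="probed" conf="10"/>
      </port>
    </ports>
  </host>
  <host>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" method="table" conf="3"
                 servicefp="SF-Port22-TCP:V=4.03%I=7%D=5/27%Time=4477F2A1%P=i686-pc-linux-gnu%r(NULL,14,&quot;SSH-1\.99-Cisco-1\.25\n&quot;);"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# One probe response inside a service fingerprint: %r(PROBE,HEXLEN,"ESCAPED")
_RESPONSE_RE = re.compile(r'%r\(([^,]+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
_SIMPLE_ESCAPES = {"r": "\r", "n": "\n", "t": "\t", "0": "\0"}


def unescape_fp(s):
    """Undo fingerprint escaping: \\xHH bytes, \\r \\n \\t \\0, and a
    backslash before any other character (regex metachars like \\. \\+)."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c != "\\" or i + 1 >= len(s):
            out.append(c)
            i += 1
            continue
        nxt = s[i + 1]
        if nxt == "x" and i + 3 < len(s):
            out.append(chr(int(s[i + 2:i + 4], 16)))
            i += 4
        else:
            out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
            i += 2
    return "".join(out)


def banner_from_servicefp(servicefp):
    """Decode the NULL-probe response (what the service sent unprompted).

    Returns (banner, length_ok); length_ok checks the decoded byte count
    against the hex length Nmap recorded, catching a mis-decoded string.
    """
    for probe, hexlen, escaped in _RESPONSE_RE.findall(servicefp):
        if probe == "NULL":
            banner = unescape_fp(escaped)
            return banner, len(banner.encode("latin-1")) == int(hexlen, 16)
    return None, False


def ssh_results(xml_text):
    """One dict per open 22/tcp port: matched signature fields if version
    detection succeeded (method == 'probed'), else the raw banner."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.get("protocol") != "tcp" or port.get("portid") != "22":
                continue
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            rec = {"addr": addr, "method": svc.get("method"),
                   "banner": None, "length_ok": None}
            for attr in ("product", "version", "extrainfo",
                         "ostype", "devicetype", "hostname"):
                rec[attr] = svc.get(attr)
            if svc.get("servicefp"):
                rec["banner"], rec["length_ok"] = banner_from_servicefp(
                    svc.get("servicefp"))
            results.append(rec)
    return results


if __name__ == "__main__":
    for r in ssh_results(SAMPLE_XML):
        if r["method"] == "probed":
            print(r["addr"], "matched:", r["product"], r["version"],
                  r["extrainfo"], "os=%s" % r["ostype"])
        else:
            print(r["addr"], "unmatched, banner:", repr(r["banner"]),
                  "length_ok=%s" % r["length_ok"])
```

Run it against real output with `ssh_results(open("scan.xml").read())`. The `method` attribute is what separates the two cases the thread distinguishes: `probed` means a signature matched and the o//, d// and h// attributes are authoritative, while `table` (port-number lookup only) means the only evidence is whatever the `servicefp` fingerprint captured, which is exactly the material a missing signature would be written from.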