
Nmap Development mailing list archives
named probes
From: Patrik Karlsson <patrik () cqure net>
Date: Tue, 22 Feb 2011 14:47:53 +0100
Hi all,

I recently mentioned an idea, in one of many mssql mails, about implementing named probes. I'm starting a new thread regarding this idea in case someone missed it in between all the mssql stuff.

What I would like to achieve is to address the problem that the "force patch" attempts to solve, but in a slightly different way. By adding support for running one or more probes by name, one could target a number of ports and only run the probes specified on the command line in order to do a very quick fingerprint. Instead of forcing scripts to run against each open port, the scripts would only run if the services were properly detected as the targeted ones.

The following example attempts to detect ms-sql or oracle servers running in the following port spans: 1433-1500 and 1521-1600. Once detected, the correct brute script will be launched against the service.

    nmap -sV -p 1433-1500,1521-1600 1.2.3.4 --probes ms-sql-s,oracle-tns --script oracle-brute,ms-sql-brute

The following example attempts to fingerprint any http-servers running on the ports 80,443 or 8080, 8443. For each detected http-server the http-title script is executed.

    nmap -sV -p 80,443,8080,8433 --probes GetRequest --script http-title

//Patrik

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
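The selection logic proposed in the message above, sketched as an added example; it is not part of the original post and is not Nmap code. It assumes the nmap-service-probes line syntax (Probe / match / softmatch); the sample entries are constructed placeholders and the script-to-service table is a hypothetical simplification of how scripts decide when to run.

```python
import re

# Constructed excerpt in nmap-service-probes syntax; payloads and patterns are
# placeholders, not the entries shipped with Nmap.
SAMPLE = r"""
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
match http m|^HTTP/1\.[01] \d\d\d| p/constructed http/
Probe TCP ms-sql-s q|\x12\x01|
match ms-sql-s m|^\x04\x01| p/constructed mssql/
Probe TCP oracle-tns q|\x00\x5a|
softmatch oracle-tns m|^\x00.\x00\x00|
"""

PROBE_RE = re.compile(r"^Probe (TCP|UDP) (\S+) q\|")
MATCH_RE = re.compile(r"^(?:soft)?match (\S+) m")

def parse_probes(text):
    """Map each probe name to the service names its match lines can report."""
    probes, current = {}, None
    for line in text.splitlines():
        if m := PROBE_RE.match(line):
            current = probes.setdefault(m.group(2), set())
        elif (m := MATCH_RE.match(line)) and current is not None:
            current.add(m.group(1))
    return probes

def select_probes(probes, names_csv):
    """Keep only the named probes; a misspelled name fails loudly instead of
    silently producing a scan that can detect nothing."""
    wanted = [n.strip() for n in names_csv.split(",") if n.strip()]
    unknown = [n for n in wanted if n not in probes]
    if unknown:
        raise ValueError(f"unknown probe name(s): {', '.join(unknown)}")
    return {n: probes[n] for n in wanted}

# Hypothetical script-to-service table (assumption for this sketch only).
SCRIPT_SERVICE = {"http-title": "http", "ms-sql-brute": "ms-sql-s",
                  "oracle-brute": "oracle-tns"}

def runnable_scripts(selected, scripts_csv):
    """Scripts whose target service at least one selected probe can identify."""
    detectable = set().union(*selected.values())
    return [s for s in scripts_csv.split(",")
            if SCRIPT_SERVICE.get(s.strip()) in detectable]
```

With only GetRequest selected, a requested ms-sql-brute would never fire because no selected probe can report ms-sql-s, which is the gating behaviour the message describes.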