3.2. Adding Service Signatures to Nmap

Recent versions of the popular port scanner Nmap can detect the type and version of services running on a network, as illustrated in Example 3-2.

Example 3-2. Example Nmap version scan

>nmap -sV 127.0.0.1
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2003-07-05 17:12 EDT
Interesting ports on localhost (127.0.0.1):
(The 1658 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 3.8.1p1 (protocol 2.0)

Nmap run completed -- 1 IP address (1 host up) scanned in 1.104 seconds

This scan is implemented as a series of probes and responses in the file nmap-service-probes. This file defines the probes that will be sent to the service to elicit some response, as well as a series of regular expressions against which to match responses to determine which services are running and, where possible, their versions. At a high level, the version-scanning methodology follows this process:
If the port is a TCP port, connect to it and listen. This is called the NULL probe. Many services will return a banner on connection. If a match is made, processing stops.
If no match is given, or if the protocol is UDP, probes defined in the nmap-service-probes file will be attempted if the protocol and the port ranges in the file match. If a response matching a probe is found, processing stops. If a soft match occurs (whereby a service is recognized, but not its type or version), follow-on probes will be limited to relevant ones.
If no match is found, each probe in the nmap-service-probes file will be tried, regardless of the ports on which the service usually runs. This will be limited where a soft match has already occurred.
If SSL was found, Nmap will connect using SSL (if available) to run the version-detection process again.
If a service responds to a probe sent during this process, but Nmap does not recognize the response, Nmap prints a fingerprint for the service that you can use to report the signature to the Nmap developers, as shown in Example 3-3. You can use this, together with the version and service information, to include a signature that recognizes this service in the nmap-service-probes file in the future.

Example 3-3. Nmap unrecognized service

>nmap -sV -p 4738 127.0.0.1
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2003-07-05 17:39 EDT
Interesting ports on localhost (127.0.0.1):
PORT     STATE SERVICE VERSION
4738/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port4738-TCP:V=3.50%D=7/5%Time=40E9CA80%P=i686-pc-linux-gnu%r(NULL,59,"
SF:Login\x20with\x20USER\x20<name>\x20followed\x20by\x20PASS\x20<password>
SF:\x20or\x20ANON\r\nCheck\x20privileges\x20with\x20PRIVS\r\n")%r(GenericL
SF:ines,59,"Login\x20with\x20USER\x20<name>\x20followed\x20by\x20PASS\x20<
SF:password>\x20or\x20ANON\r\nCheck\x20privileges\x20with\x20PRIVS\r\n")%r
SF:(GetRequest,59,"Login\x20with\x20USER\x20<name>\x20followed\x20by\x20PA
SF:SS\x20<password>\x20or\x20ANON\r\nCheck\x20privileges\x20with\x20PRIVS\
SF:r\n")%r(HTTPOptions,59,"Login\x20with\x20USER\x20<name>\x20followed\x20
SF:by\x20PASS\x20<password>\x20or\x20ANON\r\nCheck\x20privileges\x20with\x
<cut>

Nmap run completed -- 1 IP address (1 host up) scanned in 75.504 seconds

At this point we have several options:
Submit the signature to the URL provided and wait for the next version of Nmap. If responses were received from the probes sent, and the service is something that could be expected to be running on someone else's environment, this might be the best choice.
Create a working match and/or probe statement, and submit that to Fyodor at

3.2.1. The nmap-service-probes File

The keywords contained in the nmap-service-probes file are listed in Table 3-5.
3.2.1.1 Probes

A probe entry consists of the values shown in Table 3-6.
Here are some example probe strings:

Probe TCP NULL q||
    Send nothing, waiting the amount of time specified in totalwaitms.

Probe TCP GenericLines q|\r\n\r\n|
    Send carriage return, newline, carriage return, newline.

Probe UDP DNSStatusRequest q|\0\0\x10\0\0\0\0\0\0\0\0\0|
    Send the binary string 0x00 0x00 0x10 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00.

3.2.1.2 Matches

A match entry consists of the values defined in Table 3-7.
Nmap uses the Perl Compatible Regular Expressions (libpcre) library for evaluating regular expressions. Perl regular expressions are documented at http://www.perldoc.com/perl5.8.0/pod/perlrel. Here are some example match strings:
match ssh m/^SSH-([.\d]+)-OpenSSH[_-](\S+)/ v/OpenSSH/$2/protocol $1/
    Match strings such as SSH-1.5-OpenSSH-3.4p1, reading the version string (3.4p1) and protocol (1.5) into the $2 and $1 variables, respectively.

match ftp m/^220[- ].*FTP server \(Version (wu-[-.\w]+)/s v/WU-FTPD/$1//
    Match strings such as 220 FTP server (Version wu-2.6.0) and extract the version wu-2.6.0.

match mysql m/^.\0\0\0\n(4\.[-.\w]+)\0...\0/s v/MySQL/$1//
    Match the version of MySQL 4.x from the binary response.

3.2.1.3 Soft matches

A soft match occurs when a service can be identified, but no additional information can be derived. A soft-match entry consists of the values defined in Table 3-8.
Here are some example soft-match strings:
softmatch ftp m/^220[- ].*ftp server.*\r\n/i

softmatch imap m/^\* OK [-.\w,:+ ]+imap[-.\w,:+ ]+\r\n$/i

3.2.1.4 ports

ports is a comma-separated list of ports, as well as port ranges (e.g., 35067-35090), on which the service will commonly run. This is used to ensure that probing is done efficiently, and therefore the ports entry should follow the Probe entry in nmap-service-probes.

3.2.1.5 sslports

sslports is a comma-separated list of ports, as well as port ranges (e.g., 55522-55525), on which the service will commonly run over SSL. This is used to ensure that probing is done efficiently, and therefore the sslports entry should follow the Probe and ports entries in nmap-service-probes.

3.2.1.6 totalwaitms

totalwaitms is used to specify the timeout for a Probe. It is not needed unless the service you are probing does not respond immediately. If it is used, it should follow the Probe entry.
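Before submitting a new match or softmatch line, it helps to check it against a captured banner. The following Python script is an added example, not Nmap's own parser: it reads match/softmatch entries in the syntax shown above (assuming the "/" delimiter and the v/vendor/version/info/ fields used in this section's examples), applies them in file order as Nmap does, and expands $1, $2 references from the capture groups. The rules and banners are constructed samples.

```python
import re

# Constructed nmap-service-probes-style entries (not copied from Nmap's file).
SAMPLE_RULES = r"""
Probe TCP NULL q||
ports 21,22,143
match ssh m/^SSH-([.\d]+)-OpenSSH[_-](\S+)/ v/OpenSSH/$2/protocol $1/
match ftp m/^220[- ].*FTP server \(Version (wu-[-.\w]+)/s v/WU-FTPD/$1//
softmatch ftp m/^220[- ].*ftp server.*\r\n/i
softmatch imap m/^\* OK [-.\w,:+ ]+imap[-.\w,:+ ]+\r\n$/i
"""

# match|softmatch <service> m/<regex>/<flags> [v/<vendor>/<version>/<info>/]
RULE_RE = re.compile(
    r"^(match|softmatch)\s+(\S+)\s+m/((?:\\.|[^/\\])*)/([is]*)"
    r"(?:\s+v/([^/]*)/([^/]*)/([^/]*)/)?\s*$")
FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL}  # the two flags used on this page

def parse_rules(text):
    """Return match/softmatch rules in file order; other keywords are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Probe, ports, sslports, totalwaitms, blanks
        kind, service, regex, flags, vendor, version, info = m.groups()
        flag_bits = 0
        for f in flags:
            flag_bits |= FLAGS[f]
        rules.append({"kind": kind, "service": service,
                      "re": re.compile(regex, flag_bits),
                      "v": (vendor or "", version or "", info or "")})
    return rules

def expand(template, m):
    """Substitute $1, $2, ... in a v/ field with the regex's capture groups."""
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", template)

def identify(banner, rules):
    """First rule whose regex matches wins, as in Nmap; None if nothing matches."""
    for rule in rules:
        m = rule["re"].search(banner)
        if m:
            vendor, version, info = (expand(t, m) for t in rule["v"])
            return {"kind": rule["kind"], "service": rule["service"],
                    "vendor": vendor, "version": version, "info": info}
    return None

RULES = parse_rules(SAMPLE_RULES)
```

Because match lines precede softmatch lines in the file, a banner such as "220 example ftp server ready" only reaches the softmatch when the stricter WU-FTPD match fails, which mirrors the soft-match behaviour described above.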