+------------------------------------------------------------------+ | Linux Security: Tips, Tricks, and Hackery | | Published by Onsight, Inc. | | | | 06-October-2003 | | http://www.hackinglinuxexposed.com/articles/20031006.html | +------------------------------------------------------------------+ This issue sponsored by Onsight, Inc, your source for open-source solutions. Onsight offers on-site training on Linux software development, Linux, Unix, and Network Security, Basic/Advanced Perl programming, CGIs and Dynamic Web Content, Tcl/Tk, and XML. All courses are hands-on, designed by real-world consultants and fully customizable. Every Onsight instructor is a seasoned consultant able to provide back-end web programming, network security, system administration and other support services. For more information, visit http://www.onsight.com -------------------------------------------------------------------- Nmap Version Detection Rocks By Brian Hatch Summary: The newest version of Nmap can fingerprint the protocol and software versions that it discovers, giving you a more accurate picture of your network. ------ Most people have heard of Nmap, the ubiquitous portscanner and more. Recently, a new version of Nmap was released with a new and frequently requested feature - version scanning. Nmap-3.45 and later have the ability to test out open ports and discover what version of software is running. The older versions could only tell you what port was open, and what that port is traditionally used for. While this is a good start, it is common for people to run services on non-standard ports for a variety of reasons: Obscurity If your computer has port 22 open, it's probably an ssh server. However if you ran your ssh server on a port normally skipped by nmap, such as 27011, then it may be overlooked. As always, remember my mantra -- "Security with obscurity is good, relying on security through obscurity is bad." (http:// www.hackinglinuxexposed.com/articles/20020312.wml) Fooling firewalls Many firewalls will restrict to which ports it will allow you to connect. For example a Squid proxy may only allow the CONNECT method to the official HTTPS port, 443. If you have a server on the Internet to which you want to SSH through that proxy, then it would deny you access to the real SSH port, port 22. If you ran an SSH server on port 443, however, it will allow you through, no questions asked. Another example may be a dialup ISP, which doesn't allow you to connect directly outbound to port 25, the SMTP port. If you wanted to not relay through your ISP, but connect to your company mail server directly, you may want to run your mail server on an additional port, such as port 80. These non-standard setups are more common than you might think, but old Nmap results would only tell you that port 80 was likely HTTP, and wouldn't let you know if something else were listening on that port. Other tools, such as Nmap+v, or amap, were typically used to enumerate what service was actually listening on that port. The new Nmap has the ability to test out the service directly. It has an extensive service fingerprint database, and a very fast parallel scanner. It has an efficient and effective methodology, minimising the number of tests that are required to fingerprint a service. For example if it sees a SMTP-like banner, it will first try SMTP-related tests, and only continue on to HTTP tests if those first tests fail. It even has SSL support[1] so if a test determines that the port is SSL wrapped, it will restart the tests with full blown SSL encryption. This allows it to determine a port is POP3 inside SSL, for example. Version detection will tell you as much as it can, including * The protocol in use, for example HTTP * The software product, for example Apache * The version of the software, for example Apache 1.3.27 * Any other subversion information, such as contains PHP 4.3.2 To get version detection, you need to include the -sV flag to nmap. Alternatively, if you want the whole kitchen sink of options, you can use the -V argument, which will enable OS detection and everything else you could possibly want. One important thing to note -- version detection will end up creating full blown TCP connections, three-way handshake and all. This means that you will not be operating in a stealthy mode! Here's a snippet of the new output: # nmap -A -p 1-65535 www.NoSuchHostExistsIPromise.com [2] Starting nmap 3.45 Interesting ports PORT STATE SERVICE VERSION 21/tcp open ftp? 22/tcp open ssh OpenSSH 3.7.1p1 (Protocol 1.99) 25/tcp open smtp 80/tcp open http Apache httpd 1.3.27 ((Unix) mod_gzip/1.3.26.1a FrontPage/5.0.2.2510 PHP/4.3.2 mod_ssl/2.8.13 OpenSSL/0.9.7a) 443/tcp open ssl/http Apache httpd 1.3.27 ((Unix) mod_gzip/ ...) 993/tcp open ssl/imap UW Imapd 2001.315 995/tcp open ssl/pop3 Openwall popa3d 8888/tcp open ssl/unknown 1 service unrecognised despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi SF-Port25-TCP:V=3.40PVT17%D=9/29%Time=3F78B3E0%r(NULL,27,"220\x20host\. SF:example.com\x20ESMTP\x20XahriaMail\r\n")%r(Help,27,"220\x20host\.exa SF:mple.com\x20ESMTP\x20XahriaMail\r\n"); Nmap run completed -- 1 IP address (1 host up) scanned in 10.339 seconds Let's look at that output a line at a time: PORT STATE SERVICE VERSION 21/tcp open ftp? Nmap was unable to determine what was running on port 21. It lists the port as 'ftp?' to tell you what's traditionally on this port, but no guarantees that it's FTP at all. 22/tcp open ssh OpenSSH 3.7.1p1 (Protocol 1.99) Here's an example of a successful version string. Nmap was able to determine that it's definitively running OpenSSH version 3.7.1p1[3], and accepts both SSH protocol 1 and 2, which you can glean from the Protocol 1.99 section. 25/tcp open smtp Port 25 is an SMTP server, as noted by the fact that the service name stmp does not have a question mark at the end. However Nmap was unable to determine exactly which SMTP server software was running, so the version field is empty. 80/tcp open http Apache httpd 1.3.27 ((Unix) mod_gzip/1.3.26.1a PHP/4.3.2 mod_ssl/2.8.13 OpenSSL/0.9.7a) 443/tcp open ssl/http Apache httpd 1.3.27 ((Unix) mod_gzip/1.3.26.1a PHP/4.3.2 mod_ssl/2.8.13 OpenSSL/0.9.7a) 993/tcp open ssl/imap UW Imapd 2001.315 995/tcp open ssl/pop3 Openwall popa3d Here we see a machine that is giving out lots of unnecessary information. Port 80 and 443 is running an HTTP server, in this case Apache 1.3.27, and tells us a lot about the modules currently in use -- mod_gzip, mod_ssl PHP and it uses OpenSSL version 0.9.7a. Note that port 80 is cleartext HTTP, as noted by the service name http, while port 443 is SSL-encrypted HTTP, aka HTTPS, as noted by the service name ssl/http. Similarly, we have both an SSLified[4] imap and pop3 server running. 8888/tcp open ssl/unknown Lastly, we have here some port that is running an SSL server, but the service being protected is not known.[5] 1 service unrecognised despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi SF-Port25-TCP:V=3.40PVT17%D=9/29%Time=3F78B3E0%r(NULL,27,"220\x20host\. SF:example.com\x20ESMTP\x20XahriaMail\r\n")%r(Help,27,"220\x20host\.exa SF:mple.com\x20ESMTP\x20XahriaMail\r\n"); This last part should be somewhat familiar to anyone who has used Nmap OS detection. Although the version scanning tests did not determine what was running on port 25 for sure, it did get enough information that you could submit back to insecure.org to let future versions recognise the service. If you know what's running on this port[6], then you can submit this fingerprint at the URL that's listed. I'm very excited about the new version of Nmap. If you haven't checked it out yet, do so, and submit back any fingerprints you can! For more information about the internals of Nmap's version scanning, you might want to check out Fyodor's version scanning article at http://www.insecure.org/nmap/versionscan.html. NOTES: [1] I helped implement the SSL support, so you'll excuse me if I pat myself on the back for this one. While there are many Open Source projects out there where my code appears, this is by far the most cool one. [2] Hello, Verisign! [3] Whoops - someone should upgrade this to 3.7.1p2, since the p1 had some bad PAM code built in that is vulnerable... [4] You'll note that I said they are SSL enabled, I did not call them secure. While one, the Openwall popa3d server, is a superb and secure product, UW Imapd doesn't instill confidence in me. [5] The service was the following, if you're curious: $ stunnel -d localhost:8888 -l /bin/echo -- echo Hello Fyodor [6] In this case, it's Postfix with a custom ESMTP banner, which I use at every occasion. ------------- Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. Is it too late for the Wachowski brothers to include SSLified Nmap in Matrix Revolutions? Brian can be reached at brian@private -------------------------------------------------------------------- This newsletter is distributed by Onsight, Inc. The list is managed with MailMan (http://www.list.org). You can subscribe, unsubscribe, or change your password by visiting http://lists.onsight.com/ or by sending email to linux_security-request@private Archives of this and previous newsletters are available at http://www.hackinglinuxexposed.com/articles/ -------------------------------------------------------------------- Copyright 2003, Brian Hatch. - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Oct 08 2003 - 11:43:52 PDT