[ISN] Nmap Version Detection Rocks

From: InfoSec News (isn@private)
Date: Wed Oct 08 2003 - 07:47:38 PDT

    +------------------------------------------------------------------+
    |  Linux Security: Tips, Tricks, and Hackery                       |
    |  Published by Onsight, Inc.                                      |
    |                                                                  |
    |  06-October-2003                                                 |
    |  http://www.hackinglinuxexposed.com/articles/20031006.html       |
    +------------------------------------------------------------------+
    
    This issue sponsored by Onsight, Inc, your source for open-source
    solutions.
    
    Onsight offers on-site training on Linux software development, Linux,
    Unix, and Network Security, Basic/Advanced Perl programming, CGIs and
    Dynamic Web Content, Tcl/Tk, and XML. All courses are hands-on,
    designed by real-world consultants and fully customizable. Every
    Onsight instructor is a seasoned consultant able to provide back-end
    web programming, network security, system administration and other
    support services.
    
    For more information, visit http://www.onsight.com
    
    --------------------------------------------------------------------
    
    Nmap Version Detection Rocks
    By Brian Hatch
    
    Summary: The newest version of Nmap can fingerprint the protocol and
    software versions that it discovers, giving you a more accurate
    picture of your network.
                                   ------                                
    
    Most people have heard of Nmap, the ubiquitous portscanner and more.
    Recently, a new version of Nmap was released with a new and
    frequently requested feature - version scanning.
    
    Nmap-3.45 and later have the ability to test out open ports and
    discover what version of software is running. The older versions
    could only tell you what port was open, and what that port is
    traditionally used for. While this is a good start, it is common for
    people to run services on non-standard ports for a variety of
    reasons:
    
    Obscurity
        If your computer has port 22 open, it's probably an ssh server.
        However if you ran your ssh server on a port normally skipped by
        nmap, such as 27011, then it may be overlooked. As always,
        remember my mantra -- "Security with obscurity is good, relying
        on security through obscurity is bad." (http://
        www.hackinglinuxexposed.com/articles/20020312.wml)
       
    Fooling firewalls
        Many firewalls restrict which ports they will allow you to
        connect to. For example, a Squid proxy may only allow the CONNECT
        method to the official HTTPS port, 443. If you have a server on
        the Internet to which you want to SSH through that proxy, then it
        would deny you access to the real SSH port, port 22. If you ran
        an SSH server on port 443, however, it will allow you through, no
        questions asked.
       
        Another example may be a dialup ISP, which doesn't allow you to
        connect directly outbound to port 25, the SMTP port. If you
        wanted to not relay through your ISP, but connect to your company
        mail server directly, you may want to run your mail server on an
        additional port, such as port 80.
    
    These non-standard setups are more common than you might think, but
    old Nmap results would only tell you that port 80 was likely HTTP,
    and wouldn't let you know if something else were listening on that
    port. Other tools, such as Nmap+v, or amap, were typically used to
    enumerate what service was actually listening on that port.
    
    The new Nmap has the ability to test out the service directly. It has
    an extensive service fingerprint database, and a very fast parallel
    scanner. It has an efficient and effective methodology, minimising
    the number of tests that are required to fingerprint a service. For
    example if it sees a SMTP-like banner, it will first try SMTP-related
    tests, and only continue on to HTTP tests if those first tests fail.
    
    It even has SSL support[1] so if a test determines that the port is
    SSL wrapped, it will restart the tests with full blown SSL
    encryption. This allows it to determine a port is POP3 inside SSL,
    for example.
    
    Version detection will tell you as much as it can, including
    
      * The protocol in use, for example HTTP
      * The software product, for example Apache
      * The version of the software, for example Apache 1.3.27
      * Any other subversion information, such as contains PHP 4.3.2
    
    To get version detection, you need to include the -sV flag to nmap.
    Alternatively, if you want the whole kitchen sink of options, you can
    use the -A argument (as in the sample command below), which will
    enable OS detection, version detection and everything else you could
    possibly want.
    
    One important thing to note -- version detection will end up creating
    full blown TCP connections, three-way handshake and all. This means
    that you will not be operating in a stealthy mode!
    
    Here's a snippet of the new output:
    
      # nmap -A -p 1-65535 www.NoSuchHostExistsIPromise.com [2]
      
      Starting nmap 3.45
      Interesting ports
      PORT    STATE SERVICE  VERSION
       21/tcp  open  ftp?
       22/tcp  open  ssh      OpenSSH 3.7.1p1 (Protocol 1.99)
       25/tcp  open  smtp
       80/tcp  open  http     Apache httpd 1.3.27 ((Unix) mod_gzip/1.3.26.1a
                                FrontPage/5.0.2.2510 PHP/4.3.2
                                mod_ssl/2.8.13 OpenSSL/0.9.7a)
       443/tcp open  ssl/http Apache httpd 1.3.27 ((Unix) mod_gzip/ ...)
       993/tcp open  ssl/imap UW Imapd 2001.315
       995/tcp open  ssl/pop3 Openwall popa3d
      8888/tcp open  ssl/unknown
      1 service unrecognised despite returning data. If you know the
      service/version, please submit the following fingerprint at
      http://www.insecure.org/cgi-bin/servicefp-submit.cgi
      
      SF-Port25-TCP:V=3.40PVT17%D=9/29%Time=3F78B3E0%r(NULL,27,"220\x20host\.
      SF:example.com\x20ESMTP\x20XahriaMail\r\n")%r(Help,27,"220\x20host\.exa
      SF:mple.com\x20ESMTP\x20XahriaMail\r\n");
    
      Nmap run completed -- 1 IP address (1 host up) scanned in 10.339 seconds
    
    Let's look at that output a line at a time:
    
    
      PORT    STATE SERVICE  VERSION
      21/tcp  open  ftp?
    
    Nmap was unable to determine what was running on port 21. It lists
    the port as 'ftp?' to tell you what's traditionally on this port, but
    no guarantees that it's FTP at all.
    
      22/tcp  open  ssh      OpenSSH 3.7.1p1 (Protocol 1.99)
    
    Here's an example of a successful version string. Nmap was able to
    determine that it's definitively running OpenSSH version 3.7.1p1[3],
    and accepts both SSH protocol 1 and 2, which you can glean from the
    Protocol 1.99 section.
    
      25/tcp  open  smtp
    
    Port 25 is an SMTP server, as noted by the fact that the service name
    smtp does not have a question mark at the end. However, Nmap was
    unable to determine exactly which SMTP server software was running,
    so the version field is empty.
    
      80/tcp  open  http     Apache httpd 1.3.27 ((Unix) mod_gzip/1.3.26.1a
                               PHP/4.3.2 mod_ssl/2.8.13 OpenSSL/0.9.7a)
      443/tcp open  ssl/http Apache httpd 1.3.27 ((Unix) mod_gzip/1.3.26.1a
                               PHP/4.3.2 mod_ssl/2.8.13 OpenSSL/0.9.7a)
      993/tcp open  ssl/imap UW Imapd 2001.315
      995/tcp open  ssl/pop3 Openwall popa3d
    
    Here we see a machine that is giving out lots of unnecessary
    information. Ports 80 and 443 are running an HTTP server, in this
    case Apache 1.3.27, and it tells us a lot about the modules currently
    in use -- mod_gzip, mod_ssl, PHP -- and that it uses OpenSSL version
    0.9.7a. Note that port 80 is cleartext HTTP, as noted by the service
    name http, while port 443 is SSL-encrypted HTTP, aka HTTPS, as noted
    by the service name ssl/http.
    
    Similarly, we have both an SSLified[4] imap and pop3 server running.
    
      8888/tcp open  ssl/unknown
    
    Lastly, we have here some port that is running an SSL server, but the
    service being protected is not known.[5]
    
      1 service unrecognised despite returning data. If you know the
      service/version, please submit the following fingerprint at
      http://www.insecure.org/cgi-bin/servicefp-submit.cgi
      
      SF-Port25-TCP:V=3.40PVT17%D=9/29%Time=3F78B3E0%r(NULL,27,"220\x20host\.
      SF:example.com\x20ESMTP\x20XahriaMail\r\n")%r(Help,27,"220\x20host\.exa
      SF:mple.com\x20ESMTP\x20XahriaMail\r\n");
    
    This last part should be somewhat familiar to anyone who has used
    Nmap OS detection. Although the version scanning tests did not
    determine what was running on port 25 for sure, it did get enough
    information that you could submit back to insecure.org to let future
    versions recognise the service. If you know what's running on this
    port[6], then you can submit this fingerprint at the URL that's
    listed.
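    As an added illustration (my own example, not part of Brian's article
    or of Nmap itself), here is a small Python parser for the two pieces
    of output walked through above: the port table, decoding the ssl/
    prefix and the trailing '?' that marks a guessed service name, and
    the wrapped SF fingerprint block, whose r() length fields are
    hexadecimal and are checked against the decoded response. The sample
    lines are constructed from the output quoted in the article.

```python
import re

# Constructed sample, modelled on the nmap 3.45 output quoted in the article.
SCAN = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp?
22/tcp   open  ssh         OpenSSH 3.7.1p1 (Protocol 1.99)
443/tcp  open  ssl/http    Apache httpd 1.3.27 ((Unix) PHP/4.3.2)
8888/tcp open  ssl/unknown
"""
FINGERPRINT = [  # the SF lines, wrapped the way nmap prints them for submission
    'SF-Port25-TCP:V=3.40PVT17%D=9/29%Time=3F78B3E0%r(NULL,27,"220\\x20host\\.',
    'SF:example.com\\x20ESMTP\\x20XahriaMail\\r\\n")%r(Help,27,"220\\x20host\\.exa',
    'SF:mple.com\\x20ESMTP\\x20XahriaMail\\r\\n");',
]
PORT_RE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
SF_ESC = re.compile(r"\\x([0-9a-fA-F]{2})|\\(.)")

def parse_ports(text):
    """One dict per port line of -sV output; 'ssl/' and a trailing '?' are decoded."""
    rows = []
    for m in filter(None, map(PORT_RE.match, text.splitlines())):
        port, proto, state, svc, ver = m.groups()
        rows.append({"port": int(port), "proto": proto, "state": state,
                     "ssl": svc.startswith("ssl/"),        # probed inside SSL
                     "guessed": svc.endswith("?"),         # name from port table only
                     "service": svc.split("/", 1)[-1].rstrip("?"),
                     "version": (ver or "").strip()})      # empty = software unknown
    return rows

def unescape_sf(s):
    """Undo SF escaping: \\xHH bytes, \\r \\n \\t, and \\. \\\\ etc. for literals."""
    simple = {"r": "\r", "n": "\n", "t": "\t"}
    return SF_ESC.sub(lambda m: chr(int(m.group(1), 16)) if m.group(1)
                      else simple.get(m.group(2), m.group(2)), s)

def parse_fingerprint(lines):
    """Join SF-/SF: lines; return (port, [(probe_name, decoded_response)])."""
    joined = "".join(l.strip()[3:] if l.strip().startswith("SF:") else l.strip()
                     for l in lines)
    head, _, rest = joined.partition("%")
    port = int(re.search(r"Port(\d+)", head).group(1))
    probes = []
    for name, hexlen, resp in re.findall(
            r'%r\((\w+),([0-9a-f]+),"((?:[^"\\]|\\.)*)"\)', rest, re.I):
        data = unescape_sf(resp)
        assert len(data) == int(hexlen, 16), "length field is hex and must match"
        probes.append((name, data))
    return port, probes
```

    Rows with "guessed" set or an empty "version" are the ones that still
    need a manual look, which is exactly the gap the fingerprint
    submission is meant to close.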
    
    I'm very excited about the new version of Nmap. If you haven't
    checked it out yet, do so, and submit back any fingerprints you can!
    
    For more information about the internals of Nmap's version scanning,
    you might want to check out Fyodor's version scanning article at
    http://www.insecure.org/nmap/versionscan.html.
    
    NOTES:
    
    [1] I helped implement the SSL support, so you'll excuse me if I pat
    myself on the back for this one. While there are many Open Source
    projects out there where my code appears, this is by far the most
    cool one.
    
    [2] Hello, Verisign!
    
    [3] Whoops - someone should upgrade this to 3.7.1p2, since the p1 had
    some bad PAM code built in that is vulnerable...
    
    [4] You'll note that I said they are SSL enabled, I did not call them
    secure. While one, the Openwall popa3d server, is a superb and secure
    product, UW Imapd doesn't instill confidence in me.
    
    [5] The service was the following, if you're curious:
    $ stunnel -d localhost:8888 -l /bin/echo -- echo Hello Fyodor
    
    [6] In this case, it's Postfix with a custom ESMTP banner, which I
    use at every occasion.
    
                                -------------                            
    Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking
    Linux Exposed and Building Linux VPNs. Is it too late for the
    Wachowski brothers to include SSLified Nmap in Matrix Revolutions?
    Brian can be reached at brian@private
    
    --------------------------------------------------------------------
    This newsletter is distributed by Onsight, Inc.
    
    The list is managed with MailMan (http://www.list.org). You can
    subscribe, unsubscribe, or change your password by visiting
    http://lists.onsight.com/ or by sending email to
    linux_security-request@private
    
    Archives of this and previous newsletters are available at
    http://www.hackinglinuxexposed.com/articles/
    
    --------------------------------------------------------------------
    
    Copyright 2003, Brian Hatch.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    