Re: [ISN] Nmap Version Detection Rocks

From: InfoSec News (isn@private)
Date: Wed Oct 15 2003 - 23:23:46 PDT


    Forwarded from: Brian Hatch <bri@private>
    
    [Mr. Hatch PGP signs all his posts, but it appears that this message
    has a detached signature, and it didn't carry over.  - WK]
    
    
    > Just a nit, but the -sV scan was first available in nmap 2.53 not
    > 3.45. Up until 3.45 it was a secondary patch that needed to be
    > applied.
    
    It is that fact - that it wasn't part of the default distribution -
    that meant it wasn't available in most distributions/rpms/etc.  While
    most of us are more than happy to go compiling our software manually
    (for all of the, what, 1 minute of interactive work it requires) the
    majority of the world doesn't, and that was the target audience of
    this article.
    
    Ironically (or perhaps not) I got a lot of email from 'full time unix
    penetration testers' that were excited because they'd never had such a
    tool.  Sure, they've searched extensively, even written things
    themselves, but none that were very good.  I hope these pen testers
    weren't getting paid very much.  However it shows that Nmap+V wasn't
    known by the average Joe/Poser.
    
    
    > Not to denigrate all the incredibly cool work/improvements Fyodor
    > has made on fingerprints in the latest versions, but... Jay (saurik)
    > Freeman's nmap+V banner grab patch has been around since April 2000,
    > a.k.a. Nmap 2.53.  -sV scans have been a staple for some security
    > people for quite a while.
    
    Nmap+V was great, and I also frequently used amap.  However neither of
    these was built in.  Fyodor has a knack (one might almost call it an
    obsession) for building extremely modular, extremely fast
    parallelized code, and his Nmap version scanning is better than
    anything out there.
    
    Also, Fyodor was able to look at the existing tools and see what
    worked and what didn't.  Even though it came in later than others,
    it's the fastest and most extensible, because it was able to take a
    look at the past implementations.
    
    > It has just been finally recoded into c from c++ and put in the main
    > distribution. It has been improved a little and yes it is still
    > cool.
    
    Actually, Fyodor's stuff is completely written from scratch, I
    believe.
    
    > Thank you, Fyodor for all the improvements, and Jay for the original
    > prototype.
    
    Jay was also on the 'nmap council' and offered lots of ideas and
    suggestions during the development - he's certainly to be commended.
    
    
    
    --
    Brian Hatch                  Hard work has a
       Systems and                future payoff, but
       Security Engineer          laziness pays off now.
    http://www.onsight.com/
    
    Every message PGP signed
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Oct 16 2003 - 02:32:54 PDT