Nmap Version Detection Rocks
By Bri Hatch.

Summary: The newest version of Nmap can fingerprint the protocol and software versions that it discovers, giving you a more accurate picture of your network.

Most people have heard of Nmap, the ubiquitous portscanner and more, available at http://www.insecure.org/nmap/. Recently, a new version of Nmap was released with a new and frequently requested feature - version scanning.

Nmap 3.45 and later can probe open ports and discover what version of software is running on them. Older versions could only tell you which port was open and what that port is traditionally used for. While this is a good start, it is common for people to run services on non-standard ports for a variety of reasons:

Obscurity
If your computer has port 22 open, it's probably an ssh server. However, if you ran your ssh server on a port normally skipped by nmap, such as 27011, then it may be overlooked. As always, remember my mantra -- security with obscurity is good, relying on security through obscurity is bad.

Fooling firewalls
Many firewalls restrict which ports they will allow you to connect to. For example, a Squid proxy may only allow the CONNECT method to the official HTTPS port, 443. If you have a server on the Internet to which you want to SSH through that proxy, the proxy would deny you access to the real SSH port, port 22. If you ran an SSH server on port 443, however, it would let you through, no questions asked.

Another example is a dialup ISP that doesn't allow you to connect directly outbound to port 25, the SMTP port. If you wanted to connect to your company mail server directly rather than relaying through your ISP, you might run your mail server on an additional port, such as port 80.

These non-standard setups are more common than you might think, but old Nmap results would only tell you that port 80 was likely HTTP, and wouldn't let you know if something else were listening on that port. Other tools, such as Nmap+v or amap, were typically used to enumerate what service was actually listening on that port.

The new Nmap can test the service directly. It has an extensive service fingerprint database and a very fast parallel scanner. Its methodology is efficient and effective, minimising the number of tests required to fingerprint a service. For example, if it sees an SMTP-like banner, it will first try SMTP-related tests, and only continue on to HTTP tests if those first tests fail.

It even has SSL support[1], so if a test determines that the port is SSL wrapped, it will restart the tests with full-blown SSL encryption. This allows it to determine that a port is POP3 inside SSL, for example.

Version detection will tell you as much as it can, including:

  • The protocol in use, for example HTTP
  • The software product, for example Apache
  • The version of the software, for example Apache 1.3.27
  • Any other sub-version information, such as "contains PHP 4.3.2"

To get version detection, you need to include the -sV flag to nmap. Alternatively, if you want the whole kitchen sink of options, you can use the -A argument, which will enable OS detection and everything else you could possibly want.

One important thing to note -- version detection will end up creating full-blown TCP connections, three-way handshake and all. This means that you will not be operating in a stealthy mode!

Here's a snippet of the new output:

  # nmap -A -p 1-65535 www.NoSuchHostExistsIPromise.com[2]

  Starting nmap 3.45
  Interesting ports
  PORT     STATE SERVICE     VERSION
  21/tcp   open  ftp?
  22/tcp   open  ssh         OpenSSH 3.7.1p1 (Protocol 1.99)
  25/tcp   open  smtp
  80/tcp   open  http        Apache httpd 1.3.27 ((Unix) mod_gzip/1.3.26.1a
                             FrontPage/5.0.2.2510 PHP/4.3.2
                             mod_ssl/2.8.13 OpenSSL/0.9.7a)
  443/tcp  open  ssl/http    Apache httpd 1.3.27 ((Unix) mod_gzip/ ...)
  993/tcp  open  ssl/imap    UW Imapd 2001.315
  995/tcp  open  ssl/pop3    Openwall popa3d
  8888/tcp open  ssl/unknown

  1 service unrecognised despite returning data. If you know the
  service/version, please submit the following fingerprint at
  http://www.insecure.org/cgi-bin/servicefp-submit.cgi
  SF-Port25-TCP:V=3.40PVT17%D=9/29%Time=3F78B3E0%r(NULL,27,"220\x20host\.
  SF:example.com\x20ESMTP\x20XahriaMail\r\n")%r(Help,27,"220\x20host\.exa
  SF:mple.com\x20ESMTP\x20XahriaMail\r\n");

  Nmap run completed -- 1 IP address (1 host up) scanned in 10.339 seconds

Let's look at that output a line at a time:

  PORT     STATE SERVICE     VERSION
  21/tcp   open  ftp?

Nmap was unable to determine what was running on port 21. It lists the port as 'ftp?' to tell you what's traditionally on this port, but with no guarantee that it's FTP at all.

  22/tcp  open  ssh      OpenSSH 3.7.1p1 (Protocol 1.99)

Here's an example of a successful version string. Nmap was able to determine that it's definitively running OpenSSH version 3.7.1p1[3], and accepts both SSH protocol 1 and 2, which you can glean from the Protocol 1.99 section.

  25/tcp  open  smtp

Port 25 is an SMTP server, as noted by the fact that the service name smtp does not have a question mark at the end. However, Nmap was unable to determine exactly which SMTP server software was running, so the version field is empty.

  80/tcp   open  http        Apache httpd 1.3.27 ((Unix) mod_gzip/1.3.26.1a
                             PHP/4.3.2 mod_ssl/2.8.13 OpenSSL/0.9.7a)
  443/tcp  open  ssl/http    Apache httpd 1.3.27 ((Unix) mod_gzip/1.3.26.1a
                             PHP/4.3.2 mod_ssl/2.8.13 OpenSSL/0.9.7a)
  993/tcp  open  ssl/imap    UW Imapd 2001.315
  995/tcp  open  ssl/pop3    Openwall popa3d

Here we see a machine that is giving out lots of unnecessary information. Ports 80 and 443 are running an HTTP server, in this case Apache 1.3.27, and the banner tells us a lot about the modules currently in use -- mod_gzip, mod_ssl and PHP -- and that it uses OpenSSL version 0.9.7a. Note that port 80 is cleartext HTTP, as noted by the service name http, while port 443 is SSL-encrypted HTTP, aka HTTPS, as noted by the service name ssl/http.

Similarly, we have both an SSLified[4] imap and pop3 server running.

  8888/tcp open  ssl/unknown

Lastly, we have here some port that is running an SSL server, but the service being protected is not known.[5]

  1 service unrecognised despite returning data. If you know the
  service/version, please submit the following fingerprint at
  http://www.insecure.org/cgi-bin/servicefp-submit.cgi
  SF-Port25-TCP:V=3.40PVT17%D=9/29%Time=3F78B3E0%r(NULL,27,"220\x20host\.
  SF:example.com\x20ESMTP\x20XahriaMail\r\n")%r(Help,27,"220\x20host\.exa
  SF:mple.com\x20ESMTP\x20XahriaMail\r\n");

This last part should be somewhat familiar to anyone who has used Nmap OS detection. Although the version scanning tests did not determine what was running on port 25 for sure, they did get enough information that you could submit back to insecure.org to let future versions recognise the service. If you know what's running on this port[6], then you can submit this fingerprint at the URL that's listed.

I'm very excited about the new version of Nmap. If you haven't checked it out yet, do so, and submit back any fingerprints you can!

For more information about the internals of Nmap's version scanning, you might want to check out Fyodor's version scanning article at http://www.insecure.org/nmap/versionscan.html.

NOTES:

[1] I helped implement the SSL support, so you'll excuse me if I pat myself on the back for this one. While there are many Open Source projects out there where my code appears, this is by far the most cool one.

[2] Hello, Verisign!

[3] Whoops - someone should upgrade this to 3.7.1p2, since the p1 had some bad PAM code built in that is vulnerable...

[4] You'll note that I said they are SSL enabled; I did not call them secure. While one, the Openwall popa3d server, is a superb and secure product, UW Imapd doesn't instill confidence in me.

[5] The service was the following, if you're curious:

  $ stunnel -d localhost:8888 -l /bin/echo -- echo Hello Fyodor

[6] In this case, it's Postfix with a custom ESMTP banner, which I use at every occasion.


Bri Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. Is it too late for the Wachowski brothers to include SSLified Nmap in Matrix Revolutions? Bri can be reached at bri@hackinglinuxexposed.com.


Copyright Bri Hatch, 2003


This is the October 06, 2003 issue of the Linux Security: Tips, Tricks, and Hackery newsletter. If you wish to subscribe, visit http://lists.onsight.com/ or send email to Linux_Security-request@lists.onsight.com.
