Nmap Gets Version Detection
Anonymous Coward writes "Up until now, everyone's favorite port scanner, nmap has had decent OS detection (through TCP fingerprinting) and service identification based on the open port, but the latest version, 3.45 released today, has version detection for each service! This means not only can nmap tell you that httpd is running on port 80, but that it is `apache httpd version 2.0.39`! While this is a little bit worrisome because of what malicious purposes people might use nmap's version detection for, this should make the jobs of admins everywhere easier and keep us all more on our toes when it comes to security. Fyodor has also published a paper on how the version detection works."
If you plan your network security through obscurity...that's asking for trouble.
If you hope nobody can hack you or cause any problems with your servers because you assume they don't know what you are running...that is a problem.
How about being accountable, upgrading and securing your system, instead of being alarmed that "suddenly" (like they couldn't before) people can see specifically what you are running.
Hats off to nmap...first matrix reloaded, now a drastic improvement! Who knows, matrix revolutions may be sporting a new nmap!
[I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]
I, for one, welcome our new version detecting port scanning overlords.
In the past, my kit contained THC's Amap, Ofir Arkin's Xprobe, and of course, Fyodor's nmap. It's good to see all of these toys (or at least the functionality) coming into one wrapper. I really like Xprobe's probabilistic model for O/S detection. It's a shame that what's good for the hacker is good for the cracker . . .
Oh, and by the way, is anyone watching the global 593 spike?
trustedworlds.net - gaming, security, and the gunk that lives in between
While Nmap does many things (remote OS detection via TCP/IP fingerprinting, ping sweeps, uptime calculation, protocol scans, etc.), its raison d'etre has always been port scanning. Point Nmap at a remote machine, and it might tell you that ports 25/tcp, 80/tcp, and 53/udp are open. Using its nmap-services database of more than 2,200 "well-known" services, Nmap would explain that those ports probably correspond to a mail server (SMTP), web server (HTTP), and name server (DNS) respectively. This lookup is usually accurate -- the vast majority of daemons listening on port 25 are, in fact, mail servers. But you shouldn't bet your security on this! People can and do run services on strange ports. Perhaps their main web server was already on port 80, so they picked a different port for a staging/test server. Maybe they think hiding a vulnerable service on some obscure port will prevent "evil hackers" from finding it. Even more common lately is that people are choosing ports based not on the service they want to run but based on what will get through the firewall. When ISPs blocked port 80 after major Microsoft IIS worms CodeRed and Nimda, hordes of users responded by moving their personal web servers to different ports. When companies block telnet access due to its horrific security risks, I have seen users simply run telnetd on the secure shell (SSH) port instead.
Even if Nmap is right, and the hypothetical server above is running SMTP, HTTP, and DNS servers, that is not a lot of information. When doing vulnerability assessments of your companies or clients, you really want to know which mail and DNS servers are running, as well as the version number if possible. Having an accurate version number helps dramatically in determining which exploits a server is vulnerable to.
Yet another good reason for determining service/version numbers is that many services share the same port number - making a guess based on the nmap-services table even less accurate. Anyone who has done much scanning knows that you often find services listening on unregistered ports - these are a complete mystery without version detection. In addition, filtered UDP ports often look the same to a simple port scanner as open ports. But if they respond to the service-specific probes sent by Nmap version detection, you know for sure that they are open (and in many cases exactly what is running).
The new Nmap version scanning subsystem tries to answer all these questions by connecting to open ports and interrogating them for this information using probes that the specific services understand. This allows Nmap to give a much more detailed assessment of what is really running, rather than just what port numbers are open. Here is a real example:
# nmap -A -T4 -F www.insecure.org
Starting nmap 3.40PVT16 ( http://www.insecure.org/nmap/ ) at 2003-09-06 19:49 PDT
Interesting ports on www.insecure.org (205.217.153.53):
(The 1206 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.1p1 (protocol 1.99)
25/tcp open smtp Qmail smtpd
53/tcp open domain ISC Bind 9.2.1
80/tcp open http Apache httpd 2.0.39 ((Unix) mod_perl/1.99_07-dev Perl/v5.6.1)
113/tcp closed auth
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 108.307 days (since Wed May 21 12:27:44 2003)
Nmap run completed -- 1 IP address (1 host up) scanned in 34.962 seconds
Now I don't claim that Nmap is the first program to ever implement this sort of port interrogation. Jay Freeman (AKA Saurik) posted an Nmap patch he calls Nmap+V more than three years ago. Even if Nmap+V was rather slow and cryptic at the time, it demonstrated the value of advanced port interrogation. It has improved substantially since then. There is also the excellent THC Amap, and Nessus even has a (very) rudimentary service detection framework. While we could have saved months of work by simply integrating one of these open source implementations
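The probe-and-match loop the excerpt describes, as an added example that is not Nmap's own code and not its nmap-service-probes database: a simplified matcher that runs probe rules over the bytes a port answered with, producing the SERVICE / VERSION columns of the scan output above (including the trailing "?" for data nobody recognised, and the bare "Apache httpd" you get once ServerTokens Prod strips the version). The NULL and GetRequest probes, the regexes, the version templates and the sample responses are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Added example, not Nmap's own code: a small model of how version detection
# turns probe responses into a service/version string. Like nmap-service-probes,
# a probe carries a payload (NULL sends nothing and just listens) plus match
# rules: a regex over the response and a version template with $1/$2 groups.
# The probes, regexes and templates here are simplified assumptions.

@dataclass
class Match:
    service: str
    regex: re.Pattern
    template: str

@dataclass
class Probe:
    name: str
    payload: bytes
    matches: list = field(default_factory=list)

PROBES = [
    Probe("NULL", b"", [
        Match("ssh", re.compile(rb"^SSH-([\d.]+)-OpenSSH[_-](\S+)"),
              "OpenSSH $2 (protocol $1)"),
        # Assumes qmail's greeting "220 <host> ESMTP"; real rules are stricter.
        Match("smtp", re.compile(rb"^220 \S+ ESMTP\r\n"), "Qmail smtpd"),
    ]),
    Probe("GetRequest", b"GET / HTTP/1.0\r\n\r\n", [
        Match("http", re.compile(rb"^HTTP/1\.[01] \d{3} .*?\r\nServer: Apache/"
                                 rb"([\d.]+)(?: ([^\r\n]*))?\r\n", re.S),
              "Apache httpd $1 ($2)"),
        # With ServerTokens Prod only the product name is left in the header.
        Match("http", re.compile(rb"^HTTP/1\.[01] \d{3} .*?\r\nServer: Apache\r\n",
                                 re.S), "Apache httpd"),
    ]),
]

def expand(template: str, m: re.Match) -> str:
    """Fill $N placeholders from regex groups and drop empty parentheses."""
    out = re.sub(r"\$(\d+)",
                 lambda g: (m.group(int(g.group(1))) or b"").decode("latin-1"),
                 template)
    return out.replace(" ()", "").strip()

def identify(port_guess: str, responses: dict) -> tuple:
    """Return (service, version) for one open port. port_guess is the
    nmap-services lookup for the port number; responses maps probe name ->
    bytes the port answered with, so this runs on captured data offline."""
    got_data = False
    for probe in PROBES:
        data = responses.get(probe.name, b"")
        if not data:
            continue  # e.g. HTTP servers stay silent until GetRequest is sent
        got_data = True
        for rule in probe.matches:
            m = rule.regex.search(data)
            if m:
                return rule.service, expand(rule.template, m)
    # Data came back but no rule fired: report the table guess with a trailing
    # '?', like "http?" and "unrecognized despite returning data" in the output.
    return (port_guess + "?" if got_data else port_guess), ""

# Constructed sample responses standing in for what each port sent back.
SAMPLE_PORTS = {
    22: ("ssh", {"NULL": b"SSH-1.99-OpenSSH_3.1p1\r\n"}),
    25: ("smtp", {"NULL": b"220 mail.example.test ESMTP\r\n"}),
    80: ("http", {"GetRequest": b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.39 "
                                b"(Unix) mod_perl/1.99_07-dev Perl/v5.6.1\r\n\r\n"}),
    8080: ("http-proxy", {"GetRequest": b"HTTP/1.0 200 OK\r\nServer: Apache\r\n\r\n"}),
    8081: ("http", {"GetRequest": b"HTTP/1.0 200 OK\r\nServer: saqib webserver ver. 9.0\r\n\r\n"}),
}

def report(ports=SAMPLE_PORTS) -> list:
    """Rows in the PORT / SERVICE / VERSION shape of the scan output above."""
    return [(port, *identify(guess, resp)) for port, (guess, resp) in ports.items()]

if __name__ == "__main__":
    for port, service, version in report():
        print(f"{port}/tcp open {service:<12}{version}")
```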
While this is a little bit worrisome because of what malicious purposes people might use nmap's version detection for
hmmm I think NMAP will only report the version that service will respond. I can make my Apache instance respond with anything, e.g. "saqib webserver ver. 9.0"
Version detection can also be very helpful
It is good to know that NMAP supports version detection. There have been many instances in the past, especially during the recent virus outbreaks, where I wished I could find the service version.
Consensus is good, but informed dictatorship is better
Gosh, who could possibly imagine that, with the addition of version detection, the most 'white hat' tool out there that could never possibly be used for anything bad suddenly becomes a 'black hat' tool.. It's a complete 180!
For every problem, there is at least one solution that is simple, neat, and wrong.
This will be great to see if people have wonkyed their port numbers to try to obfuscate what they're doing, like running smtp on 10025 or something silly. You'll be able to check that there is an MTA on 25 and SSH on 22.
Most likely the #1 Unfunny Meta/Moderator on
This, on top of it being in the matrix will have every pimply 13 year old trying to haxor the gibson.
scott
Security through obscurity never worked that much, will work much worse now. However, I do not see worms using such tools to propagate better. Worms just try to infect everyone and do not care about being glued in honeypots.
- Ok... Why OS detection? Don't you know what OS you run? ;-)
Warning: This sig contains a small bug. ==> *
While this is a little bit worrisome because of what malicious purposes people might use nmap's version detection for [...]
By the same logic, one might consider it "worrisome" that there even exists software packages like "Nessus" and "Saint".
Adding features such as version detection to a tool that can be used for both good and bad purposes shouldn't be considered "worrisome". It is just something that makes the tool better, for good and for bad. And unless we are talking about software which by design always causes destructive damage when used, I will always consider it a good thing that there are such excellent security auditing tools available to the public. With all respect, sorry to hear that someone finds this "worrisome".
Does this make it easier for fyodor to listen for an open X11 server?
Speaking of bad versions.
0 Day SSH EXPLOIT out today..
CVS DIFF patch Here
Details are sketchy here
Redhat and others haven't released patches yet.
ChiefArcher
That's good and all, but the thing is that most vendors don't increment version numbers. Take the sendmail header overflows from earlier this year: Sun, RedHat, SuSE, HPUX all had patches for the bundled apache server, but those just fixed the binaries - they did not update the banner info. This is of dubious value because of that.
Unfortunately, there is no easy answer to this dilemma for security professionals - do you trust the banner info and get a bunch of false positives? Do you attempt an exploit and possibly crash the machine (not as likely with this sendmail header overflow, but more so in the case of the apache chunked encoding overflow)? Or do you log onto each host (or use an agent based check system, like NetworkShell)?
Perhaps Fyodor should tackle these questions and not hack pranksters in his spare time.
Trolling is a art,
"hrm, i wonder what version of apache i'm running at the moment... should i look in apache..? no.. i know, i'll scan myself"
Comment: Yes I realise the username 'fuckfuck101' makes me sound intelligent, no you cannot buy it from me.
NMap suggestions are all from these malicious users, I guarantee this add-on was suggested by 'blackhat'
Comment: Yes I realise the username 'fuckfuck101' makes me sound intelligent, no you cannot buy it from me.
Slashdot Trolls better hunker down, Fyodor has new weaponry! And we all know what happened last time he went blackhat.
Being a system admin for a college, having this updated tool out for the world really doesn't bother me. Honestly, I'd rather have it in my hands to know what's running on my server, than to be ignorant and hope everything is ok. It also is a good tool for testing things like if your firewall is configured properly. After all... all the script k1dd13z are going to have these programs too, so it's best to know what you've got exposed to the internet. Besides, in a lot of the programs out there, you can turn off the server identification so that when you connect, you don't know what the host is running for programs. Apache does this (I know because I turned it off myself). And you could probably even hack the source code to them if you really wanted. My FTP server at home just says "Go away!" when you connect so you don't even see which program is running, much less what version.
Now for a *real* tool for making sure your systems are up to date, try Nessus. It not only scans your system for what programs are running (using nmap no less), but it finds out what versions they are if they can, and it tries to run common exploits on them too! I use it periodically just to make sure that all the bases are covered so that none of the holes for common exploits on the internet are left open.
-Through the server, over the router, off the firewall... Nothing but 'Net!
How can this new feature of nmap be used to haxxxor kids personal computers and post personal information about them far and wide, since that is Fyodor's MO.
Um, I think we all know exactly what he has up his sleeve.
Spoil sport... :)
I put a timed block on all IPs that port scan me persistently, I doubt the heuristics will even change. Once it's a distributed scan I'm screwed...
Certainly be useful for the internal audits though.
Q.
Insert Signature Here
Being a system admin for a college, having this updated tool out for the world really doesn't bother me. Honestly, I'd rather have it in my hands to know what's running on my server, than to be ignorant and hope everything is ok.
So... you're the sysadmin and you need nmap to tell you what you're running on your server?
I'm against picketing, but I don't know how to show it.
if this works into the script kiddies stock toolbox, then maybe they'll stop pounding my damn web server looking for backdoors that are 2 major OS versions old.
or maybe i should finally break down and write that script to fire off an auto-email to the administration contact each time some zombie comes knocking.
// "Can't clowns and pirates just -try- to get along?"
When you have to keep track of many different servers of different OSes, sometimes you forget things, or stuff that you thought you turned off you find out you didn't. It happens to the best of us.
It's the first thing I always do when I put a new server on the network. It never hurts to do a double-check to make sure that your servers are behaving the way that you think they are. Just like it doesn't hurt to reboot a linux box periodically to make sure that all your startup scripts work as expected in case of a power outage or whatever.
-Through the server, over the router, off the firewall... Nothing but 'Net!
Maybe you should install something secure such as Linux instead of MS crapware?
Unless you specify otherwise, don't all httpd servers report their version in the "Server" response header?
I always turn off the version announcement on Apache, you know, when you hit a 404 page, it tells you the version number in the footer. I *assume* this will thwart Nmap's attempts at reading this, yes? I can't think of anywhere else Apache tells this. It's a simple edit of Apache.conf to turn it off.
CB
free ipod and free gmail!
couldn't one of these people that write these security scanners use the same principles to generate a samba.conf, just by sniffing the network, this'd make life about 6000% easier!
You forgot one of the general purpose tools. NetCat! I quite frequently use it as a basic port scanner, or service detector, especially when I don't have access to the other tools you mention. Cough. Windows platform. Cough.
It's the duality inherent in most things. nmap can be used for good/bad. Any tool which is remotely useful is like this. The tools of a locksmith can be used to make your house more secure, or to break into it. A gun may be used by cop or crook. You get the idea...
They say the first thing to go is your penis. Well, it's either that or your brain. I forget which...
This sounds like the perfect tool for you to keep track of all those machines...
There is nothing special about detecting the version of Apache, since Apache reports it in every response.
To make sure no one can tell what you're running, put this in your config:
ServerTokens Prod
ServerSignature Off
Here is the documentation for ServerTokens and ServerSignature.
grisha.org
If the server is used to host student shell accounts, then absolutely. Students do some wacky things... I know I did.
] D
# nmap -A -T4 -F 192.168.1.109
Interesting ports on tiger (192.168.1.109):
(The 1191 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
7/tcp open echo
9/tcp open discard?
19/tcp open chargen?
21/tcp open ftp
22/tcp open ssh?
23/tcp open telnet?
25/tcp open smtp
53/tcp open domain?
80/tcp open http?
110/tcp open pop-3?
113/tcp open auth?
143/tcp open imap
513/tcp open login?
565/tcp open whoami?
567/tcp open banyan-rpc?
993/tcp open imaps?
995/tcp open pop3s?
7070/tcp open realserver?
8080/tcp open http-proxy?
17007/tcp open isode-dua?
9 services unrecognized despite returning data.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Slashdot has an interview with security legend Fyodor, admin of the famed insecure.org and author of the world's most affordable port scanner, nmap.
The best part of this interview is that Slashdot does not often interview criminals. Many Slashdot readers know that Fyodor used his tool to illegally attack a college student in 2002, for his personal amusement but also to the benefit of Slashdot's admins. For those that don't know the story, I will present a brief summary.
*Those individuals interested in independently verifying the facts presented in this article should skip to the "Verification" section near the end.
Sdem had created a hoax account entitled electricmonk, and used it to post this comment pronouncing that we was actually a cute Linux booth babe. "electricmonk" left an email at Yahoo and encouraged Slashdot readers to get in touch.
Fyodor proceeded to do so, boasting of his previous exploits with women he'd met online. He was even helpful enough to attach a picture.
This is where the story turns ugly. Sdem responded with a truthful email, in which he advised Fyodor that the whole thing was a hoax. After that, sdem posted a log of his exploits to sid=20721 (trolltalk), mentioning that he had tricked Fyodor and referring to many of the biters as "wankers". This apparently really set Fyodor off, and he began to plot criminal revenge.
First, Fyodor dug through insecure.org's referrer logs to find what IP address had requested the picture of Fyodor & his paramour. Using this information (and the logged User-Agent), Fyodor knew from the get-go Sdem's IP address and O/S. From this point, he launched nmap against Sdem's box and was greeted with the holy grail of sorts for BlackHats: an open X windows server on port 6000.
Sdem had been running an X-windows server for Windows on his Win2k box. Fyodor was able to bypass the authentication on the X-windows server and used the X-windows server to take complete screen captures of Sdem's machine whilst sniffing and recording keystrokes.
Fyodor proceeded to take hours worth of screen captures, including information on a "secret troll irc server" that sdem was using. Fyodor wrote a detailed writeup of what he observed, including an irc robot used on the server to detect new Slashdot stories for the purpose of early posting. Fyodor also mined and posted as much information about Sdem as he could find, including his real name and contact information. Jamie McCarthy used this illegally obtained information shortly after it was posted to log on to the irc server, monitor the bot, and modify Slashdot in order to break the story monitor.
Fyodor even submitted his "troll hunting" story to Slashdot, though it was rejected.
After he was done hacking Sdem's computer, Fyodor posted his screen captures and a log of his breakin to www.insecure.org/tmp/trolls. The content was removed 24 hours later. He went on to boast in sid=20721 about his "troll hunting finale". While sid 20721 is regularly cleaned, a cache of Fyodor's boasting about his illegal break-in is available here. Very interesting reading.
So, while Fyodor's interview is no doubt very interesting, I think that, as an accomplished (and due to the lack of prosecution very successful) criminal, the nature of questions given to Fyodor in the interview don't do justice to the type of expertise this man has in illegally penetrating computers across state lines and getting away with it. I'm sure that many companies would like to have a man of this caliber at their disposal in order to infiltrate and destroy their competitor's IT infrastructure.
Of course, no sane person would use this man's software without compiling it from inspected source, given his history. Fortunately the folks at Redhat pore over his code with a fine toothed comb before including it in their distribution, so if you've ever wanted to peer into the mind of a madman, I encourage you to take a look at Redhat's copy of nmap.
Also if anyone has a cached copy o
When you support 10,000 servers and 30,000 desktops
There's no way to support this many machines alone. It's simply an impossible workload. As for making the lives of SKs easier, yep, it'll help em target machines, no doubt about it. There's a positive though, at least this tool is public and we're all aware of it now. It's the tools I don't know about that worry me.
Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
When doing vulnerability assessments of your companies or clients...
A.k.a your intended victims.
I always wondered how netcraft and nmap could determine how many days a server has been up. Does Apache give out this info?
emerge sync && emerge -u nmap
what kind of dreamland has portage stocking ebuilds the day of release? be thankful if it gets in there by next week ^_^
Because there can be differences in what you think is on the machine, and what it actually doing. The very definition of being hacked.
www.Nessus.org
This film was so informative!!!!
I mean, now I know that the three most used passwords are God, Sex and.....uuuuuuh *scratching head*, Sex??? No, wait....uuuuh.Damn, I should review it once again.....
Anyway, with all this knowledge I'm sure there isn't a single Gibson in the whole world(no punt;oPPP) that I'll be unable to h4x0r.....
1. No sig. 2. ???? 3. Profit!!!
If you need NMAP to tell you what your web servers are running I can't imagine you haven't already been 0|/\||\|3d.
I would love to be able to fake this stuff. I mean if I could make my linux/apache/proftpd servers look like they were running OS/2 with IIS6.0 on wine on cygwin and wsftpserve 16-bit, I think that would be cool. It would have to be able to stand up to a certain level of scrutiny to be usable but it would confuse the hell outa attackers.
... if the college is providing network access in student housing, there really is no way to tell what's going on unless the network is scanned regularly.
"Obviously, I'm not an IBM computer any more than I'm an ashtray" (Bob Dylan)
[I can picture a world without war, without hate. I can picture us attacking that world because they'd never expect it.]
/. censors, worrisome.
-
when i set up my internet cafe, i "nmap"-ed it from the other shop to see what ports were open on my router.
/join some.net /list -min 100
if you want a portscanning progi for windows check out this guys web site:
www.bluebitter.de
there you can find a command-line portscanner and a GUI version.
have fun. and if you want to know why worms are spreading so quickly despite all this 5 years of security blah-blah on the internet, its mainly because of two:
1) scare people so they buy hardware firewalls
2) IRC (Internet Relay Chat) with real/valid email addresses + portscan the chatters' IP.
1. MIRC:
2.
3. get all ip addresses of users > port.list.
4. portscan for 137 138 ports open * port.list
5. ?
6. exploit open ports. easy.
3)?
"money is becoming a language and all languages are a game. do you talk money?"
p.s. slashdot just ate the smaller-than sign where the * is.
the kids just run scripts. no one cares about what OS you are running much less what versions.
how many lines in your apache logs look like this ?
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
24.91.103.152 "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
24.91.103.152 "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
24.91.103.152 "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
Sanity is the trademark of a weak mind. -- Mark Harrold
hmmmmm... what could it mean?
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp open http Microsoft IIS webserver 6.0
Device type: general purpose
Running: Linux 1.X
OS details: Linux 1.3.20 (X86)
I'm sorry if SOME of you guys work in tiny IT shops and don't know what it's like to support a huge corporation with global network and a follow-the-sun support model. You come do my job for a while, then maybe you'll see what a pain in the ass constant patching can be.
....did you know he drives a bimmer? I saw him on the road in Sunnyvale a few weeks ago - his license plate is ROOOOT. hahahaha
(seriously, i'm not making this up. i e-mailed him because he also had an insecure.org license plate holder so that kind of tipped me off. lo and behold, it was him.)
I belong to the ______ generation.
And if you believe this journal by sllort is true, read his username backward. Sllort and Sdem have a long history of pretending they have been hacked. Sdem is also the one impersonating security expert Theo de Raadt here
A patch to provide this functionality has been around for the last three years. While it may be 'worrisome' for people to have the versions of their software exposed, it's even more worrisome for people to run versions of software that haven't been patched.
Woe be to those who are still running old versions of SSH.
Hey, you can use nmap to make sure all your services have been patched (and you can see what unauthorized service that Bob in accounting out in Fresno is running on his desktop).
I realize that the "Powers that Be" (layoffs, etc) are making your job next to impossible, but it's tools like nmap (and other "hacker" tools) that take up the slack when the vendor fails to supply a reasonable toolkit.
If something like this can help you stay one step ahead of the script kiddies, you should be thankful for it.
Read, L
Starting nmap 3.45 ( http://www.insecure.org/nmap ) at 2003-09-16 14:13 Central Daylight Time
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on 216.250.128.12:
(The 1209 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd
443/tcp open ssl OpenSSL
Device type: general purpose
Running (JUST GUESSING) : Microsoft Windows NT/2K/XP (86%)
Aggressive OS guesses: Microsoft Windows 2000 Advanced Server SP3 (86%)
No exact OS matches for host (test conditions non-ideal).
Nmap run completed -- 1 IP address (1 host up) scanned in 63.906 seconds
Can this kind of detection see through the fake stylings of a honeypot to appear vulnerable?
I can see the beginnings of an arms race here... NMAP developers racing to accurately identify ports and services, and honeypot developers racing to obscure their "honeypotness" while maintaining believable outputs. Seems like two security methods working at cross-purposes.
Just a thought.
GMFTatsujin
Here's an amusing item about vulnerability scanners and version strings. A reminder how silly it is to focus on trivia like this.
When you support 10,000 servers and 30,000 desktops for UNIX alone..
Suck down a spoonful of warm, creamy poop.
Initial post to nmap-hackers way back then: http://lists.insecure.org/lists/nmap-hackers/2000/Apr-Jun/0076.html
Also to note is that it is a hell of a lot more powerful than Fyodor's implementation: http://lists.insecure.org/lists/nmap-dev/2003/Jul-Sep/0104.html
Latest version announcement: http://lists.insecure.org/lists/nmap-dev/2003/Jul-Sep/0117.html
*sigh* weird spaces got added to those links:
http://lists.insecure.org/lists/nmap-hackers/2000/Apr-Jun/0076.html
http://lists.insecure.org/lists/nmap-dev/2003/Jul-Sep/0104.html
http://lists.insecure.org/lists/nmap-dev/2003/Jul-Sep/0117.html
The spaces are STILL there in the link captions, but not in the links themselves... I think slash is doing something weird...
Sadly, Slashdot featuring CSS is a similar concept to Hell featuring snowmen.
Hi Fyodor. Congratulations on the improvements to nmap.
i'm sick and tired of reading all these ad hominem attacks against fyodor. the fact is that nmap is a brilliant tool regardless of its author's actions. if fyodor robbed a liquor store, nmap would still be brilliant. if jeffery dahmer wrote it, nmap would still be brilliant.
talk about the software, not the man.
This is all fine and dandy, but if you have a penetration testing defense device, it still makes no difference. I know only of the one from Melior (www.ddos.com), and the nmap scan with v3.54 does nothing differently.