Slashdot Mirror


Nmap Gets Version Detection

Anonymous Coward writes "Up until now, everyone's favorite port scanner, nmap, has had decent OS detection (through TCP fingerprinting) and service identification based on the open port, but the latest version, 3.45, released today, has version detection for each service! This means not only can nmap tell you that httpd is running on port 80, but that it is `apache httpd version 2.0.39`! While this is a little bit worrisome because of what malicious purposes people might use nmap's version detection for, this should make the jobs of admins everywhere easier and keep us all more on our toes when it comes to security. Fyodor has also published a paper on how the version detection works."
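
The mechanism the summary describes (send a probe, match the reply against a table of regexes, pull the product and version out of the match) can be shown in miniature. The block below is an added example written for this page; it is not nmap's code and not taken from Fyodor's paper. It reads a constructed excerpt in the syntax of nmap's nmap-service-probes file (a simplified subset: only Probe and match lines, no ports/rarity/softmatch/fallback directives) and runs it against constructed replies that stand in for live sockets, so it runs offline.

```python
import re

# Constructed excerpt written in the syntax of nmap's nmap-service-probes file
# (a simplified subset: no ports/rarity/softmatch/fallback directives). A
# "Probe" line gives the bytes to send; the "match" lines under it pair a
# regex with version fields (p/ product, v/ version, i/ info) that may refer
# to regex groups as $1, $2. These lines were written for this example and
# are not copied from nmap.
PROBES_TEXT = r"""
Probe TCP NULL q||
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match ftp m|^220 ProFTPD ([\d.]+) Server| p/ProFTPD/ v/$1/

Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
match http m|^HTTP/1\.[01] \d\d\d .*?\r\nServer: Apache/([\d.]+)|s p/Apache httpd/ v/$1/
match http m|^HTTP/1\.[01] \d\d\d .*?\r\nServer: Microsoft-IIS/([\d.]+)|s p/Microsoft IIS httpd/ v/$1/
match http m|^HTTP/1\.[01] \d\d\d | p/Unknown httpd/
"""

FIELD_RE = re.compile(r"(?:^|\s)([pvi])([^\w\s])(.*?)\2")


def _unescape(text):
    # Probe data uses C-style escapes (\r, \n, \xHH); turn them into raw bytes.
    return text.encode("latin-1").decode("unicode_escape").encode("latin-1")


def parse_probes(text):
    """Return a list of {name, data, matches: [(service, compiled_regex, fields)]}."""
    probes = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Probe "):
            _, _proto, name, rest = line.split(" ", 3)
            delim = rest[1]                      # rest looks like q|...|
            data = rest[2:rest.index(delim, 2)]
            probes.append({"name": name, "data": _unescape(data), "matches": []})
        elif line.startswith("match "):
            _, service, rest = line.split(" ", 2)
            delim = rest[1]                      # rest looks like m|regex|flags fields
            end = rest.index(delim, 2)
            pattern, rest = rest[2:end], rest[end + 1:]
            flags = 0
            while rest and rest[0] in "is":      # nmap's i (ignore case) and s (dot matches newline)
                flags |= re.IGNORECASE if rest[0] == "i" else re.DOTALL
                rest = rest[1:]
            fields = {key: value for key, _d, value in FIELD_RE.findall(rest)}
            probes[-1]["matches"].append(
                (service, re.compile(pattern.encode("latin-1"), flags), fields))
    return probes


PROBES = parse_probes(PROBES_TEXT)


def detect(responses):
    """responses maps probe name -> bytes the target answered (b"" for silence).
    Probes are tried in file order; the first regex hit wins, as in nmap."""
    for probe in PROBES:
        reply = responses.get(probe["name"], b"")
        if not reply:
            continue                             # target did not answer this probe; try the next
        for service, regex, fields in probe["matches"]:
            m = regex.search(reply)
            if not m:
                continue

            def expand(template, m=m):           # replace $N with the Nth regex group
                return re.sub(r"\$(\d+)",
                              lambda g: (m.group(int(g.group(1))) or b"").decode("latin-1"),
                              template)

            result = {"service": service, "probe": probe["name"]}
            for key, label in (("p", "product"), ("v", "version"), ("i", "info")):
                if key in fields:
                    result[label] = expand(fields[key])
            return result
    return None


# Constructed answers standing in for live sockets, keyed by probe name. An
# HTTP server says nothing to the NULL probe (it waits for a request); an SSH
# daemon sends its banner as soon as the connection opens.
FAKE_TARGETS = {
    "apache": {
        "NULL": b"",
        "GetRequest": (b"HTTP/1.1 200 OK\r\nDate: Sat, 13 Sep 2003 10:00:00 GMT\r\n"
                       b"Server: Apache/2.0.39 (Unix)\r\nContent-Type: text/html\r\n\r\n<html>"),
    },
    "openssh": {"NULL": b"SSH-2.0-OpenSSH_3.6.1p2\r\n"},
    "iis": {"NULL": b"", "GetRequest": b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n"},
}

if __name__ == "__main__":
    for host, responses in FAKE_TARGETS.items():
        print(host, "->", detect(responses))
```

The ordering matters: the NULL probe (connect and listen) goes first because daemons such as sshd identify themselves unprompted, and only services that stay silent get the GET request. The same regex-plus-template idea is what lets the real tool report `Apache httpd 2.0.39` rather than just `http`.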

18 of 172 comments

  1. Worrysome? by mrtroy · Score: 4, Insightful

    If you plan your network security through obscurity...that's asking for trouble.

    If you hope nobody can hack you or cause any problems with your servers because you assume they don't know what you are running...that is a problem.

    How about being accountable, upgrading and securing your system, instead of being alarmed that "suddenly" (like they couldn't before) people can see specifically what you are running.

    Hats off to nmap...first matrix reloaded, now a drastic improvement! Who knows, matrix revolutions may be sporting a new nmap!

    --
    [I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]

    1. Re:Worrysome? by cygnusx · Score: 2, Insightful

      Perhaps they didn't want traffic they couldn't sniff through their network?

    2. Re:Worrysome? by TheGreenLantern · Score: 2, Insightful

      It's not worrisome because this information is suddenly available. A real hacker can get this information any number of other ways. It's worrisome because suddenly a million script kiddies can now get this information as well, and will now have a better chance of choosing the correct point-and-click tool to exploit the identified box.

      --
      It hurts when I pee.

    3. Re:Worrysome? by ryanr · Score: 2, Insightful

      What I usually tell people is don't rely on obscurity, but go ahead and take advantage of it.

    4. Re:Worrysome? by Anonymous Coward · Score: 1, Insightful

      Spoken with the absolute black-and-white certainty of someone who has never been responsible for an inherited legacy system.

    5. Re:Worrysome? by duffbeer703 · Score: 2, Insightful

      Thanks for the insight, oh great one.

      Now let's assume that your lines of business are humming (or struggling) along with the incompetently designed apps written by stupid programmers. The designers and programmers have moved along and you, the reasonably competent and intelligent replacement, have to make the spaghetti junk work.

      If your "solution" is to shut down the company for a few months and rebuild perfectly designed SOAP/XML web services with LDAP and relational database backends written in whatever sexy programming language strikes your fancy, you'll be the one searching the want ads.

      Plenty of large and important applications are doing nasty things like combining the output of jobs written 30 years ago on some mainframe in some nasty proprietary programming language with some Windows batch file routine and the output of SQL queries to get it into a new accounting system. ...And sometimes the glue code is written in something nasty like C-shell scripts from an old Digital Unix box. ...Oh, yeah, the "documentation" of the new system was written by some H1-B project manager based on IM conversations with a code monkey in Bangalore.

      The world looks a lot prettier in CSI 101, doesn't it?

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK

  2. No use for worms, only for (h|cr)acking by lougarou · Score: 3, Insightful

    Security through obscurity never worked that much, and will work much worse now. However, I do not see worms using such tools to propagate better. Worms just try to infect everyone and do not care about being glued in honeypots.

  3. Worrisome? No. by sonicattack · Score: 5, Insightful

    While this is a little bit worrisome because of what malicious purposes people might use nmap's version detection for [...]

    By the same logic, one might consider it "worrisome" that there even exist software packages like "Nessus" and "Saint".

    Adding features such as version detection to a tool that can be used for both good and bad purposes shouldn't be considered "worrisome". It is just something that makes the tool better, for good and for bad. And unless we are talking about software which by design always causes destructive damage when used, I will always consider it a good thing that there are such excellent security auditing tools available to the public. With all respect, sorry to hear that someone finds this "worrisome".

    1. Re:Worrisome? No. by Kurt Gray · Score: 2, Insightful

      I agree. It's not like there aren't already sniffers out there that already do version detection. This is useful to me as an admin because I want to know everything about how my ports appear to the outside world.

      But version detection doesn't seem to matter to the average skr1pt kiddie. After looking at many system logs and firewall logs it seems that many hax0r-type kids don't bother running a version detector and hand-picking an exploit based on server version but rather they use battering-ram style try-all-known-exploits scripts regardless of what the target system is. Just look at your own httpd logs and you'll occasionally find a single IP address attempting to call up a whole series of URLs for known CGI, Frontpage, and IIS exploits ... version be damned they'll try all exploits anyway and see what happens, and my guess is these kids get into more systems than the version detecting cat burglar types.

  4. Re:worrisome? nah! by EvilOpie · Score: 4, Insightful

    When you have to keep track of many different servers of different OSes, sometimes you forget things, or stuff that you thought you turned off you find out you didn't. It happens to the best of us.

    It's the first thing I always do when I put a new server on the network. It never hurts to do a double-check to make sure that your servers are behaving the way that you think they are. Just like it doesn't hurt to reboot a linux box periodically to make sure that all your startup scripts work as expected in case of a power outage or whatever.

    --
    -Through the server, over the router, off the firewall... Nothing but 'Net!

  5. Re:Why OS detection? by vadim_t · Score: 2, Insightful

    Duh, it's for finding the OS other machines are running. If you're troubleshooting something, and have a network with 500 computers to check, then being able to automatically see what OS is running where can be very useful.

    To put a simple example, you might scan a network for Linux hosts running Samba to then verify that they aren't running a vulnerable version.

  6. Re:nmap malicious? by Improv · Score: 2, Insightful

    Sheesh, no need to get all self-righteous on me. I know that nmap is useful for more than black hat purposes, I use it myself, blah blah. If you look through my post, you'll find nowhere that I'm suggesting banning it, making it illegal, or anything like that. Instead, what my post, intending to be humorous, was about, was simply stating that it IS used for blackhat things too, and version detection doesn't change things that much with regards to that.

    It's great that you're a crusader against people who would take useful things away from us through laws, but, as in any such thing, be careful where you're aiming -- friendly fire isn't a good thing, and you'll just make yourself and others in the cause look like jerks who can't stop posturing on who's the bigger crusader. Not useful.

    --
    For every problem, there is at least one solution that is simple, neat, and wrong.

  7. Yin and Yang by Esion Modnar · Score: 2, Insightful

    It's the duality inherent in most things. nmap can be used for good/bad. Any tool which is remotely useful is like this. The tools of a locksmith can be used to make your house more secure, or to break into it. A gun may be used by cop or crook. You get the idea...

    --

    They say the first thing to go is your penis. Well, it's either that or your brain. I forget which...

  8. Re:not worried by Rich · Score: 2, Insightful

    I can make my Apache instance respond with anything, e.g. "saqib webserver ver. 9.0"

    Unfortunately I can then come along and run hmap to detect what it really is using fingerprinting techniques. Concealing server names and versions gives only a very small increase in security and can make management of multiple servers harder (as it's more difficult to check you patched everything). Rich.
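
The point Rich makes (the Server banner is free text, but the way a server builds its responses is not) can be demonstrated with a small behavioural fingerprinter. This is an added example written for this page, not hmap's code or data: the signatures are assumed, illustrative header-order and error-page traits written for the example, and the three responses are constructed, not captured. The classifier ignores the Server header's value entirely and keeps only its position; the banner is then compared against the behavioural guess afterwards, which is how a spoofed banner shows up.

```python
import re


def parse_http_response(raw):
    """Split a raw response into (status line, header names in order, header values, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    names, values = [], {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        names.append(name)
        values[name.lower()] = value.strip()
    return lines[0], names, values, body


def behavioural_features(raw):
    """Traits that come from how the server is written, not from what it claims.
    The Server header's *position* is kept (a coding habit); its *value* is not."""
    status, names, values, body = parse_http_response(raw)
    title = re.search(rb"<title>(.*?)</title>", body, re.I | re.S)
    return {
        "http_version": status.split(" ", 1)[0],
        "header_order": tuple(names),
        "error_title": title.group(1).decode("latin-1").strip() if title else "",
    }


# Illustrative signatures for a 404 to an unknown path. They are assumptions
# written for this example (not hmap's database); a real one would carry many
# more traits, such as reactions to malformed requests.
SIGNATURES = {
    "Apache httpd 2.0": {
        "http_version": "HTTP/1.1",
        "header_order": ("Date", "Server", "Content-Length", "Connection", "Content-Type"),
        "error_title": "404 Not Found",
        "banner_keyword": "Apache",
    },
    "Microsoft IIS 5.0": {
        "http_version": "HTTP/1.1",
        "header_order": ("Server", "Date", "Connection", "Content-Length", "Content-Type"),
        "error_title": "The page cannot be found",
        "banner_keyword": "Microsoft-IIS",
    },
}


def check(raw):
    """Score each signature on behaviour only, then see whether the banner agrees."""
    feats = behavioural_features(raw)
    banner = parse_http_response(raw)[2].get("server", "")
    scores = {name: sum(feats[k] == sig[k] for k in feats) for name, sig in SIGNATURES.items()}
    guess = max(scores, key=scores.get)
    return {
        "banner": banner,
        "guess": guess,
        "score": scores[guess],
        "max_score": len(feats),
        "banner_consistent": SIGNATURES[guess]["banner_keyword"] in banner,
    }


# Constructed responses to a request for a path that does not exist. The first
# is Apache-shaped output with the banner changed to the made-up name from the
# post; the second is IIS-shaped; the third is IIS-shaped with an Apache banner.
SPOOFED_APACHE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Date: Sat, 13 Sep 2003 10:00:00 GMT\r\n"
    b"Server: saqib webserver ver. 9.0\r\n"
    b"Content-Length: 196\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n"
    b"<html><head>\n<title>404 Not Found</title>\n</head><body>\n"
    b"<h1>Not Found</h1>\n</body></html>\n"
)
IIS_HONEST = (
    b"HTTP/1.1 404 Object Not Found\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Sat, 13 Sep 2003 10:00:00 GMT\r\n"
    b"Connection: close\r\n"
    b"Content-Length: 111\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head><title>The page cannot be found</title></head>"
    b"<body>The page cannot be found</body></html>"
)
IIS_CLAIMING_APACHE = IIS_HONEST.replace(b"Server: Microsoft-IIS/5.0", b"Server: Apache/2.0.39 (Unix)")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_APACHE), ("iis", IIS_HONEST), ("lying iis", IIS_CLAIMING_APACHE)):
        print(label, check(raw))
```

A `banner_consistent` of False is the interesting output either way: a server that hides its identity, or one impersonating another product, both get reported by behaviour, which is also why the "just rename the banner" approach buys so little.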

  9. Re:Speaking of versions by DeadMeat (TM) · Score: 3, Insightful

    Still, that makes it two remote root holes in the default install now I believe...
    The Internet Storm Center says it "may not be exploitable on . . . OpenBSD". ('course, you should probably patch anyway.)
  10. Re:oops, they did it again.... by molarmass192 · Score: 3, Insightful

    "When you support 10,000 servers and 30,000 desktops"

    There's no way to support this many machines alone. It's simply an impossible workload. As for making the lives of SKs easier, yep, it'll help em target machines, no doubt about it. There's a positive though, at least this tool is public and we're all aware of it now. It's the tools I don't know about that worry me.

    --

    Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato

  11. Re:hardly useful for 'admin's but for others... by drunk_as_in_beer · Score: 2, Insightful

    "hrm, i wonder what version of apache i'm running at the moment... should i look in apache..? no.. i know, i'll scan myself"

    you're obviously not an admin, and obviously don't do any serious work with computers at all.

    --
    --Drunk as in Beer

  12. who cares anymore ? by TTL0 · Score: 3, Insightful

    the kids just run scripts. no one cares about what OS you are running much less what versions.

    how many lines in your apache logs look like this?

    "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
    "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
    "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
    "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
    "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
    24.91.103.152 "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
    24.91.103.152 "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
    24.91.103.152 "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305 ??

    --
    Sanity is the trademark of a weak mind. -- Mark Harrold
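
Both TTL0's post above and Kurt Gray's earlier one make the same observation: the traffic that actually hits a web server is canned exploit URLs sprayed regardless of what the target runs. The block below is an added example written for this page (not from either poster) that turns that observation into detection logic over constructed common-log-format lines: the request strings are the ones TTL0 pasted, all attributed to the one source address the post shows, plus one ordinary request from a documentation-range address for contrast. It decodes each path twice to expose `%255c`-style double encoding, flags `%c0`/`%c1` lead bytes (never valid UTF-8, so only ever an attempt at the IIS overlong-encoding traversal), and then counts, per source, how many distinct canned requests arrived.

```python
import re
from urllib.parse import unquote_to_bytes

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)')

# Constructed common-log-format lines: the request strings from the post,
# all given the one source address it shows, plus one benign request from
# the 192.0.2.0/24 documentation range. Timestamps are made up.
SAMPLE_LOG = """\
24.91.103.152 - - [13/Sep/2003:12:00:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
24.91.103.152 - - [13/Sep/2003:12:00:01 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
24.91.103.152 - - [13/Sep/2003:12:00:02 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
24.91.103.152 - - [13/Sep/2003:12:00:02 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
24.91.103.152 - - [13/Sep/2003:12:00:03 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
24.91.103.152 - - [13/Sep/2003:12:00:03 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
24.91.103.152 - - [13/Sep/2003:12:00:04 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
24.91.103.152 - - [13/Sep/2003:12:00:04 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
24.91.103.152 - - [13/Sep/2003:12:00:05 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
192.0.2.10 - - [13/Sep/2003:12:00:05 -0400] "GET /index.html HTTP/1.1" 200 1043
"""


def tags_for_path(path):
    """Label one request path with the tricks it contains (empty set = nothing seen)."""
    tags = set()
    once = unquote_to_bytes(path)          # first percent-decode, as the server would
    twice = unquote_to_bytes(once)         # a second decode exposes %25-encoded payloads
    if twice != once:
        tags.add("double-encoded")
    if b"\xc0" in once or b"\xc1" in once:
        tags.add("overlong-utf8")          # 0xC0/0xC1 lead bytes are never valid UTF-8
    lowered = twice.lower()
    if b"../" in lowered or b"..\\" in lowered:
        tags.add("traversal")
    if b"cmd.exe" in lowered or b"root.exe" in lowered:
        tags.add("shell-exec")
    return tags


def analyze(log_text):
    """Per source address: requests seen, how many were flagged, and the union of tags."""
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = report.setdefault(m["ip"], {"requests": 0, "flagged": 0, "tags": set()})
        entry["requests"] += 1
        tags = tags_for_path(m["path"])
        if tags:
            entry["flagged"] += 1
            entry["tags"] |= tags
    return report


def spray_sources(report, min_flagged=5):
    """Addresses that fired many canned exploit URLs in a row: the battering-ram
    pattern the posts describe, as opposed to one hand-picked request."""
    return sorted(ip for ip, entry in report.items() if entry["flagged"] >= min_flagged)


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    for ip, entry in rep.items():
        print(ip, entry["requests"], entry["flagged"], sorted(entry["tags"]))
    print("spraying:", spray_sources(rep))
```

Note that every one of the nine requests in the post returned 404 on a non-IIS host; the tags are still worth recording, because a source that sprays this set will also try whatever it carries for the software you actually run.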