Slashdot Mirror


Nmap Gets Version Detection

Anonymous Coward writes "Up until now, everyone's favorite port scanner, nmap, has had decent OS detection (through TCP fingerprinting) and service identification based on the open port, but the latest version, 3.45, released today, has version detection for each service! This means not only can nmap tell you that httpd is running on port 80, but that it is `apache httpd version 2.0.39`! While this is a little bit worrisome because of what malicious purposes people might use nmap's version detection for, this should make the jobs of admins everywhere easier and keep us all more on our toes when it comes to security. Fyodor has also published a paper on how the version detection works."


  1. Tool convergence? by Maradine · · Score: 5, Interesting

    In the past, my kit contained THC's Amap, Ofir Arkin's Xprobe, and of course, Fyodor's nmap. It's good to see all of these toys (or at least the functionality) coming into one wrapper. I really like Xprobe's probabilistic model for O/S detection. It's a shame that what's good for the hacker is good for the cracker . . .

    Oh, and by the way, is anyone watching the global 593 spike?

    --

    trustedworlds.net - gaming, security, and the gunk that lives in between

  2. not worried by stonebeat.org · · Score: 4, Interesting

    While this is a little bit worrisome because of what malicious purposes people might use nmap's version detection for

    Hmmm, I think NMAP will only report the version that the service responds with. I can make my Apache instance respond with anything, e.g. "saqib webserver ver. 9.0".

    Version detection can also be very helpful.
    It is good to know that NMAP supports version detection. There have been many instances in the past, especially during the recent virus outbreaks, where I wished I could find the service version.

  3. Good second check. by Bridog · · Score: 5, Interesting

    This will be great to see if people have wonkyed their port numbers to try to obfuscate what they're doing, like running smtp on 10025 or something silly. You'll be able to check that there is an MTA on 25 and SSH on 22.

    --
    Most likely the #1 Unfunny Meta/Moderator on /.!
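
    Added example (an editor's illustration, not code from nmap or from any poster above): a cut-down model of how -sV works, with a constructed probe table and a fake host standing in for the network. It covers the three points made so far. The Apache version string comes back from the GET probe (the story summary); an SMTP server on 10025 is identified as Sendmail because the match is made on the banner, not the port number (Bridog's point); and a server whose Server header has been replaced with "saqib webserver ver. 9.0" (stonebeat.org's point) is still reported as http but with no product, which is also what nmap does: it keeps the unmatched response as a fingerprint instead of guessing. The probe entries, hostnames, addresses and responses are all made up for this example.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed, cut-down probe table in the style of nmap-service-probes.
# These entries are hypothetical ones written for this example, not nmap's
# real file.  A probe is (name, payload); payload None is the NULL probe,
# which sends nothing and waits for the service to talk first.  Each match
# is (service, regex, product template); $1, $2 ... stand for regex groups.
PROBES: List[Tuple[str, Optional[bytes]]] = [
    ("NULL", None),
    ("GetRequest", b"GET / HTTP/1.0\r\n\r\n"),
]

MATCHES: Dict[str, List[Tuple[str, str, str]]] = {
    "NULL": [
        ("ssh", r"^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)", "OpenSSH $2 (protocol $1)"),
        ("smtp", r"^220 [\w.-]+ ESMTP Sendmail ([\w./]+)", "Sendmail $1"),
    ],
    "GetRequest": [
        ("http", r"^HTTP/1\.[01] \d{3}.*?\r\nServer: Apache/([\d.]+)", "Apache httpd $1"),
        # fallback: unmistakably HTTP, but not a product we have a match for
        ("http", r"^HTTP/1\.[01] \d{3}", ""),
    ],
}

Responder = Callable[[int, Optional[bytes]], bytes]


def fake_host(port: int, payload: Optional[bytes]) -> bytes:
    """Constructed stand-in for a TCP connection to one target host: returns
    what the listener on `port` would send back for `payload`."""
    talks_first = {  # services that send a banner as soon as you connect
        22: b"SSH-2.0-OpenSSH_3.6.1p2\r\n",
        25: b"220 mail.example.test ESMTP Sendmail 8.12.9/8.12.9; Tue, 16 Sep 2003\r\n",
        10025: b"220 relay.example.test ESMTP Sendmail 8.12.9/8.12.9; Tue, 16 Sep 2003\r\n",
    }
    waits_for_request = {  # services that only answer a request
        80: b"HTTP/1.1 200 OK\r\nDate: Tue, 16 Sep 2003 19:10:00 GMT\r\n"
            b"Server: Apache/2.0.39 (Unix)\r\nContent-Length: 0\r\n\r\n",
        8080: b"HTTP/1.1 200 OK\r\nServer: saqib webserver ver. 9.0\r\n\r\n",
    }
    return talks_first.get(port, b"") if payload is None else waits_for_request.get(port, b"")


def detect(port: int, responder: Responder = fake_host) -> dict:
    """Send the probes in order and return the first match, nmap -sV style.
    A response that matches nothing is kept as a fingerprint, which is what
    nmap prints (for submission) when it cannot name the service."""
    result = {"port": port, "service": None, "product": None, "fingerprint": None}
    for name, payload in PROBES:
        data = responder(port, payload)
        if not data:
            continue  # nothing came back for this probe; try the next one
        text = data.decode("latin-1")
        for service, pattern, template in MATCHES[name]:
            m = re.search(pattern, text, re.S)
            if m:
                product = template
                for i, group in enumerate(m.groups(), start=1):
                    product = product.replace(f"${i}", group)
                result.update(service=service, product=product or None)
                return result
        if result["fingerprint"] is None:
            result["fingerprint"] = text[:60]
    return result


def scan(ports: List[int], responder: Responder = fake_host) -> List[dict]:
    return [detect(p, responder) for p in ports]


if __name__ == "__main__":
    for r in scan([22, 25, 80, 8080, 10025, 9999]):
        print(r)
```

    Note that a real nmap match line is a regex over the whole probe response, not just the Server header, so hiding the version means changing everything the probe can see, and the result is an unidentified http service rather than a wrong one.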

  4. Re:Worrysome? by notsewmit · · Score: 3, Interesting

    You'd be surprised at how many companies operate that way. A company I used to work for blocked SSH but allowed Telnet access to the outside world. Seems kind of backwards to me.

  5. Re:nmap malicious? by CausticWindow · · Score: 3, Interesting

    Stupid troll

    Nmap is a superb tool for scanning large networks. Could that be abused? Yes, but so what? Should we banish cars, since they can be used in bank heists? Should LSD be illegal, just because a large percentage of the population is retarded?

    Want a list of machines that are infected with msblast? Nmap your network.

    Want a list of machines that are vulnerable to the latest rdp hole in Windows? Nmap your network.

    Want a list of servers running an exploitable ssh version? Nmap your network.

    Any good administrator of any reasonably sized network should know and use nmap.

    --
    How small a thought it takes to fill a whole life

  6. UH OH by Anonymous Coward · · Score: 5, Interesting

    Slashdot Trolls better hunker down, Fyodor has new weaponry! And we all know what happened last time he went blackhat.

  7. worrisome? nah! by EvilOpie · · Score: 5, Interesting

    Being a system admin for a college, having this updated tool out for the world really doesn't bother me. Honestly, I'd rather have it in my hands to know what's running on my server than be ignorant and hope everything is OK. It is also a good tool for testing things like whether your firewall is configured properly. After all... all the script k1dd13z are going to have these programs too, so it's best to know what you've got exposed to the internet. Besides, in a lot of the programs out there, you can turn off the server identification so that when you connect, you don't know what programs the host is running. Apache does this (I know because I turned it off myself). And you could probably even hack the source code to them if you really wanted. My FTP server at home just says "Go away!" when you connect so you don't even see which program is running, much less what version.

    Now for a *real* tool for making sure your systems are up to date, try Nessus. It not only scans your system for what programs are running (using nmap, no less), but it finds out what versions they are if it can, and it tries to run common exploits on them too! I use it periodically just to make sure that all the bases are covered so that none of the holes for common exploits on the internet are left open.

    --
    -Through the server, over the router, off the firewall... Nothing but 'Net!

  8. The real question is by Anonymous Coward · · Score: 1, Interesting

    How can this new feature of nmap be used to haxxxor kids personal computers and post personal information about them far and wide, since that is Fyodor's MO.

  9. Catch it the same way as the rest by quinkin · · Score: 3, Interesting

    I always assume that the remote servers will send the most malicious data possible.

    Spoil sport... :)

    I put a timed block on all IPs that port scan me persistently, I doubt the heuristics will even change. Once it's a distributed scan I'm screwed...

    Certainly be useful for the internal audits though.

    Q.

    --
    Insert Signature Here

    1. Re:Catch it the same way as the rest by Torne · · Score: 2, Interesting

      So you just scan reeeealllly slowly. nmap has options to do this. I spent a while tuning nmap's parameters until it no longer alerts my university's administrators when I port scan.
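
    Added example (an editor's illustration, not quinkin's or Torne's actual setup) of the timed-block heuristic under discussion and of why slowing the scan defeats it: a detector that reads constructed iptables-style LOG lines, counts distinct destination ports per source inside a sliding window, and blocks the source for a fixed time once a threshold is crossed. The window, threshold, block duration, addresses and log lines are all assumptions made up for this example. The fast scanner is blocked on its tenth port, a normal client hammering one port is left alone, and a scanner that spaces its probes 90 seconds apart never has more than one port inside a 60-second window, so it is only caught if the window is widened far enough to hold its probes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Pulls the three fields we need out of an iptables LOG line: syslog time, SRC, DPT.
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)


def parse(line: str) -> Optional[Tuple[datetime, str, int]]:
    m = LINE.search(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime fills in 1900, which is fine
    # because only differences between timestamps are used below
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["src"], int(m["dpt"])


class ScanDetector:
    """Block a source that hits at least `threshold` distinct ports within
    `window` seconds, for `block_for` seconds.  A per-source deque holds only
    the hits that are still inside the window."""

    def __init__(self, window: int = 60, threshold: int = 10, block_for: int = 600) -> None:
        self.window = timedelta(seconds=window)
        self.threshold = threshold
        self.block_for = timedelta(seconds=block_for)
        self.recent: Dict[str, Deque[Tuple[datetime, int]]] = defaultdict(deque)
        self.blocked_until: Dict[str, datetime] = {}

    def feed(self, line: str) -> Optional[str]:
        """Consume one log line; return the source address if it just got blocked."""
        parsed = parse(line)
        if parsed is None:
            return None
        ts, src, dpt = parsed
        if src in self.blocked_until:
            if ts < self.blocked_until[src]:
                return None  # still blocked: the firewall would be dropping this
            del self.blocked_until[src]  # timed block has expired
        hits = self.recent[src]
        hits.append((ts, dpt))
        while hits and ts - hits[0][0] > self.window:
            hits.popleft()  # drop hits that have aged out of the window
        if len({port for _, port in hits}) >= self.threshold:
            self.blocked_until[src] = ts + self.block_for
            hits.clear()
            return src
        return None

    def run(self, lines: List[str]) -> Dict[str, datetime]:
        """Feed every parseable line in timestamp order; return who is blocked."""
        timed = []
        for line in lines:
            p = parse(line)
            if p is not None:
                timed.append((p[0], line))
        for _, line in sorted(timed, key=lambda item: item[0]):
            self.feed(line)
        return dict(self.blocked_until)


def make_line(ts: datetime, src: str, dpt: int) -> str:
    """Build a constructed iptables-style LOG line (sample data, not real traffic)."""
    return (f"{ts.strftime('%b %d %H:%M:%S')} gw kernel: IN=eth0 OUT= "
            f"SRC={src} DST=192.0.2.10 PROTO=TCP SPT=40000 DPT={dpt} SYN")


def sample_log() -> List[str]:
    """Three constructed sources: a fast scanner, a slow scanner, a normal client."""
    t0 = datetime(2003, 9, 16, 19, 0, 0)
    ports = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 443, 445]
    lines = []
    for i, port in enumerate(ports):  # fast: one port per second
        lines.append(make_line(t0 + timedelta(seconds=i), "203.0.113.7", port))
    for i, port in enumerate(ports):  # slow: one port every 90 seconds
        lines.append(make_line(t0 + timedelta(seconds=90 * i), "198.51.100.9", port))
    for i in range(20):  # normal client: many hits on a single port
        lines.append(make_line(t0 + timedelta(seconds=i), "192.0.2.55", 80))
    return lines


if __name__ == "__main__":
    print(ScanDetector().run(sample_log()))
    print(ScanDetector(window=1200).run(sample_log()))
```

    Widening the window is the only knob this approach has against a slow scan, and it trades off directly against false positives, since a longer window also accumulates a legitimate client's ports; a scan spread over many source addresses gives it nothing to count at all.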

  10. Re:Speaking of versions by keesh · · Score: 1, Interesting

    I submitted a story, and it got rejected. Guess /. hasn't patched up yet, so they don't want us to know about it.

    Still, that makes it two remote root holes in the default install now I believe...

  11. Win + samba by Anonymous Coward · · Score: 1, Interesting

    Couldn't one of these people who write these security scanners use the same principles to generate a samba.conf, just by sniffing the network? This'd make life about 6000% easier!

  12. Re:Yin and Yang by Anonymous Coward · · Score: 1, Interesting

    It's the duality inherent in most things. nmap can be used for good/bad.

    What? I don't like what you are saying? Duality? That sounds like an unchristian idea. You are either with us or against us. You are either for terror or for freedom.

    How do you know good from bad? As GBW said: you just know.

  13. Re:Worrysome? by mrtroy · · Score: 2, Interesting

    Ya, it could have to do with data security and not network security. Although I could think of better ways to solve this!

    --
    [I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]

  14. Fyodor is no white hat by Anonymous Coward · · Score: 1, Interesting

    Slashdot has an interview with security legend Fyodor, admin of the famed insecure.org and author of the world's most affordable port scanner, nmap.

    The best part of this interview is that Slashdot does not often interview criminals. Many Slashdot readers know that Fyodor used his tool to illegally attack a college student in 2002, for his personal amusement but also to the benefit of Slashdot's admins. For those that don't know the story, I will present a brief summary.

    *Those individuals interested in independently verifying the facts presented in this article should skip to the "Verification" section near the end.

    Sdem had created a hoax account entitled electricmonk, and used it to post this comment pronouncing that he was actually a cute Linux booth babe. "electricmonk" left an email at Yahoo and encouraged Slashdot readers to get in touch.

    Fyodor proceeded to do so, boasting of his previous exploits with women he'd met online. He was even helpful enough to attach a picture.

    This is where the story turns ugly. Sdem responded with a truthful email, in which he advised Fyodor that the whole thing was a hoax. After that, sdem posted a log of his exploits to sid=20721 (trolltalk), mentioning that he had tricked Fyodor and referring to many of the biters as "wankers". This apparently really set Fyodor off, and he began to plot criminal revenge.

    First, Fyodor dug through insecure.org's referrer logs to find what IP address had requested the picture of Fyodor & his paramour. Using this information (and the logged User-Agent), Fyodor knew from the get-go Sdem's IP address and O/S. From this point, he launched nmap against Sdem's box and was greeted with the holy grail of sorts for BlackHats: an open X windows server on port 6000.

    Sdem had been running an X-windows server for Windows on his Win2k box. Fyodor was able to bypass the authentication on the X-windows server and used the X-windows server to take complete screen captures of Sdem's machine whilst sniffing and recording keystrokes.

    Fyodor proceeded to take hours worth of screen captures, including information on a "secret troll irc server" that sdem was using. Fyodor wrote a detailed writeup of what he observed, including an irc robot used on the server to detect new Slashdot stories for the purpose of early posting. Fyodor also mined and posted as much information about Sdem as he could find, including his real name and contact information. Jamie McCarthy used this illegally obtained information shortly after it was posted to log on to the irc server, monitor the bot, and modify Slashdot in order to break the story monitor.

    Fyodor even submitted his "troll hunting" story to Slashdot, though it was rejected.

    After he was done hacking Sdem's computer, Fyodor posted his screen captures and a log of his breakin to www.insecure.org/tmp/trolls. The content was removed 24 hours later. He went on to boast in sid=20721 about his "troll hunting finale". While sid 20721 is regularly cleaned, a cache of Fyodor's boasting about his illegal break-in is available here. Very interesting reading.

    So, while Fyodor's interview is no doubt very interesting, I think that, as an accomplished (and due to the lack of prosecution very successful) criminal, the nature of questions given to Fyodor in the interview don't do justice to the type of expertise this man has in illegally penetrating computers across state lines and getting away with it. I'm sure that many companies would like to have a man of this caliber at their disposal in order to infiltrate and destroy their competitor's IT infrastructure.

    Of course, no sane person would use this man's software without compiling it from inspected source, given his history. Fortunately the folks at Redhat pore over his code with a fine toothed comb before including it in their distribution, so if you've ever wanted to peer into the mind of a madman, I encourage you to take a look at Redhat's copy of nmap.

    Also if anyone has a cached copy o

    1. Re:Fyodor is no white hat by Minna+Kirai · · Score: 1, Interesting

      That post is a copy of a slashdot journal article posted months ago. The article has some problems, though, so I'll comment:

      The best part of this interview is that Slashdot does not often interview criminals.

      They do indeed! Kevin Mitnick is just one convicted criminal Slashdot has interviewed. If the alleged crime is relevant to computer technology, Slashdot will certainly do an interview. "Respectable journalists" interview criminals all the time.

      This is where the story turns ugly.

      Wrong. It was already ugly back when Sdem posted his false invitation.

      Let's review who did what:
      Sdem: Used deceit & misrepresentation to extract private information from a naive computer user who didn't understand social engineering.

      Fyodor: Used deceit & misrepresentation to extract private information from a naive computer user who didn't understand software engineering.

      What's different between them? Only the degree of publicity, and who started the fight.

      So, if you're a doubter, email the Slashdot editorial staff. Fyodor is a Black Hat, and the eds know it.

      Nothing done in full view of the public eye is "Black Hat". Black Hat means criminal, and criminal means some attempt is made to conceal the deed. If Fyodor had truly attempted to screw up Sdem's life, then by clever, long-term use of the compromised computer he could've easily done so. By immediately boasting of the intrusion, he gave up any chance to do real damage.

      Is hacking into someone's PC wrong? Yes. Is it any worse than scratching a key down his car-door? Depends. Does that mean that everyone who does it should be labelled a "criminal"? Well, if you ask the US DoJ, 36% of Americans are "criminals". So it's hardly a badge of shame.

  15. Re:Worrysome? by hendridm · · Score: 2, Interesting

    I'm not worried about your systems, I'm worried about the careless admins with unpatched boxes. It seems like this makes it so easy to:

    1. Pick an exploit on your favorite security site.
    2. Write a script that scans the Internet for boxes running the service and version that match the exploit.
    3. Initiate exploit when match is found.

    At least with anonymous versions, the attacker wasn't necessarily sure what he was up against (or had to work a little harder for it).