Nmap Gets Version Detection

Anonymous Coward writes "Up until now, everyone's favorite port scanner, nmap has had decent OS detection (through TCP fingerprinting) and service identification based on the open port, but the latest version, 3.45 released today, has version detection for each service! This means not only can nmap tell you that httpd is running on port 80, but that it is `apache httpd version 2.0.39`! While this is a little bit worrisome because of what malicious purposes people might use nmap's version detection for, this should make the jobs of admins everywhere easier and keep us all more on our toes when it comes to security. Fyodor has also published a paper on how the version detection works."

Tool convergence?

[Maradine]

In the past, my kit contained THC's Amap, Ofir Arkin's Xprobe, and of course, Fyodor's nmap. Its good to see all of these toys (or at least the functionality) coming into one wrapper. I really like Xprobe's probabilistic model for O/S detection. Its a shame that what's good for the hacker is good for the cracker . . .

Oh, and by the way, is anyone watching the global 593 spike?

not worried

[stonebeat.org]

While this is a little bit worrisome because of what malicious purposes people might use nmap's version detection for

hmmm I think NMAP will only report the version that service will respond. I can make my Apache instance respond with anything, for e.g. "saqib webserver ver. 9.0"

Version detection can also be very helpful
It is good to know that NMAP support version detection. There have been mny instance in the past, especially during the recent virus outbreaks, where I wished I could find the Service version.

Good second check.

[Bridog]

This will be great to see if people have wonkyed their port numbers to try to obfuscate what they're doing, like running smtp on 10025 or something silly. You'll be able to check that there is an MTA on 25 and SSH on 22.

Re:Worrysome?

[notsewmit]

You'd be surprised at how many companies operate that way. A company I used to work for blocked SSH but allowed Telnet access to the outside world. Seems kind of backwards to me.

Re:nmap malicious?

[CausticWindow]

Stupid troll

Nmap is a superb tool for scanning large networks. Could that be abused? Yes, but so what? Should we banish cars, since they can be used in bank heists? Should LSD be illegal, just because a large percentage of the population is retarded?

Want a list of machines that's infected with msblast? Nmap your network.

Want a list of machine that are vulnerable to the latest rdp hole in Windows? Nmap your network.

Want a list of servers running an exploitable ssh version? Nmap your network.

Any good administrator of any reasonably sized network, should know and use nmap.

UH OH

Slashdot Trolls better hunker down, Fyodor has new weaponry! And we all know what happened last time he went blackhat.

worrisome? nah!

[EvilOpie]

Being a system admin for a college, having this updated tool out for the world really doesn't bother me. Honestly, I'd rather have it in my hands to know what's running on my server, than to be ignorant and hope everything is ok. It also is a good tool to for testing things like if your firewall is configured properly. After all... all the script k1dd13z are going to have these programs too, so it's best to know what you've got exposed to the internet. Besides, in a lot of the programs out there, you can turn off the server identification so that when you connect, you don't know what the host is running for programs. Apache does this (I know because I turned it off myself). And you could probably even hack the source code to them if you really wanted. My FTP server at home just says "Go away!" when you connect so you don't even even see which program is running, much less what version.

Now for a *real* tool for making sure your sytems are up to date, try Nessus. It not only scans your system for what programs are running (using nmap no less), but it finds out what versions they are if they can, and it tries to run common exploits on them too! I use it perodically just to make sure that all the bases are covered so that none of the holes for common exploits on the internet are left open.

Catch it the same way as the rest

[quinkin]

I always assume that the remote servers will send the most malicious data possible.

Spoil sport... :)

I put a timed block on all ips that port scan me persistantly, I doubt the heuristics will even change. Once it's a distributed scan I'm screwed...

Certainly be useful for the internal audits though.

Q.

Re:Catch it the same way as the rest

[Torne]

So you just scan reeeealllly slowly. nmap has options to do this. I spent a while tuning nmap's parameters until it no longer alerts my university's administrators when I port scan.

Re:Worrysome?

[mrtroy]

Ya, it could have to do with data security and not network security. Although I could think of better ways to solve this!

Re:Worrysome?

[hendridm]

I'm not worried about your systems, I worried about the careless admins with unpatched boxes. It seems like this makes it so easy to:

1. Pick an exploit on your favorite security site.
2. Write a script that scans the Internet for boxes running the service and version that match the exploit.
3. Initiate exploit when match is found.

At least with anonymous versions, the attacker wasn't necessarily sure what he was up against (or had to work a little harder for it).