Nmap Gets Version Detection

Anonymous Coward writes "Up until now, everyone's favorite port scanner, nmap has had decent OS detection (through TCP fingerprinting) and service identification based on the open port, but the latest version, 3.45 released today, has version detection for each service! This means not only can nmap tell you that httpd is running on port 80, but that it is `apache httpd version 2.0.39`! While this is a little bit worrisome because of what malicious purposes people might use nmap's version detection for, this should make the jobs of admins everywhere easier and keep us all more on our toes when it comes to security. Fyodor has also published a paper on how the version detection works."

Worrysome?

[mrtroy]

If you plan your network security through obscurity...thats asking for trouble.

If you hope nobody can hack you or cause any problems with your servers because you assume they dont know what you are running...that is a problem.

How about being accountable, upgrading and securing your system, instead of being alarmed that "suddenly" (like they couldnt before) people can see specifically what you are running.

Hats off to nmap...first matrix reloaded, now a drastic improvement! Who knows, matrix revolutions may be sporting a new nmap!

Re:Worrysome?

[notsewmit]

You'd be surprised at how many companies operate that way. A company I used to work for blocked SSH but allowed Telnet access to the outside world. Seems kind of backwards to me.

Re:Worrysome?

[Karamchand]

While of course it is not good practice to rely on a single method to secure one's network and then dream about it beeing "unhackable", security by obscurity might be part of a good security concept.

Jay Beale (from Bastille Linux) wrote a nice article about security through obscurity a while ago.

Re:Worrysome?

[cygnusx]

Perhaps they didn't want traffic they couldn't sniff through their network?

Re:Worrysome?

[mrtroy]

Ya, it could have to do with data security and not network security. Although I could think of better ways to solve this!

Re:Worrysome?

[TheGreenLantern]

It's not worrisome because this information is suddenly available. A real hacker can get this information any number of other ways. It's worrisome because suddenly a million script kiddies can now get this information as well, and will now have a better chance of choosing the correct point-and-click tool to exploit the identified box.

Re:Worrysome?

[hendridm]

I'm not worried about your systems, I worried about the careless admins with unpatched boxes. It seems like this makes it so easy to:

1. Pick an exploit on your favorite security site.
2. Write a script that scans the Internet for boxes running the service and version that match the exploit.
3. Initiate exploit when match is found.

At least with anonymous versions, the attacker wasn't necessarily sure what he was up against (or had to work a little harder for it).

Re:Worrysome?

[cygnusx]

I think it has something to do with the fact that telnet can be used for a lot of things. I mean you can telnet to an HTTP server, SMTP server, etc

You're confusing telnet-the-app and telnet-the-protocol. When companies block telnet, they usually block telnet-the-protocol. You can still use the app to connect to arbitary port 80s. If you can't, it means http has been blocked as well.

Re:Worrysome?

[ryanr]

What I usually tell people is don't rely on obscurity, but go ahead and take advantage of it.

Re:Worrysome?

[duffbeer703]

Thanks for the insight, oh great one.

Now let's assume that your lines of business are humming (or struggling) along with the incompetently designed apps written by stupid programmers. The designers and programmers have moved along and you, the reasonably competent and intelligent replacement has to make the spaghetti junk work.

If your "solution" is to shut down the company for a few months and rebuild perfectly designed SOAP/XML web services with LDAP and relational database backends written in whatever sexy programming language strikes your fancy, you'll be the one searching the want ads.

Plenty of large and important applications are doing nasty things like combining the output of jobs written 30 years ago on some mainframe in some nasty proprietary programming language with some Windows batch file routine and the output of SQL queries to get it into a new accounting system. ...And sometimes the glue code is written in something nasty like C-shell scripts from an old Digital Unix box. ...Oh, yeah, the "documentation" of the new system was written by some H1-B project manager based on IM conversations with a code monkey in Banglarore.

The world looks alot prettier in CSI 101, doesn't it?

Tool convergence?

[Maradine]

In the past, my kit contained THC's Amap, Ofir Arkin's Xprobe, and of course, Fyodor's nmap. Its good to see all of these toys (or at least the functionality) coming into one wrapper. I really like Xprobe's probabilistic model for O/S detection. Its a shame that what's good for the hacker is good for the cracker . . .

Oh, and by the way, is anyone watching the global 593 spike?

slashdotted

While Nmap does many things (remote OS detection via TCP/IP fingerprinting, ping sweeps, uptime calculation, protocol scans, etc.), its raison d'etre has always been port scanning. Point Nmap at a remote machine, and it might tell you that ports 25/tcp, 80/tcp, and 53/udp are open. Using its nmap-services database of more than 2,200 "well-known" services, Nmap would explain that those ports probably correspond to a mail server (SMTP), web server (HTTP), and name server (DNS) respectively. This lookup is usually accurate -- the vast majority of daemons listening on port 25 are, in fact, mail servers. But you shouldn't bet your security on this! People can and do run services on strange ports. Perhaps their main web server was already on port 80, so they picked a different port for a staging/test server. Maybe they think hiding a vulnerable service on some obscure port will prevent "evil hackers" from finding it. Even more common lately is that people are choosing ports based not on the service they want to run but based on what will get through the firewall. When ISPs blocked port 80 after major Microsoft IIS worms CodeRed and Nimda, hordes of users responded by moving their personal web servers to different ports. When companies block telnet access due to its horrific security risks, I have seen users simply run telnetd on the secure shell (SSH) port instead.
Even if Nmap is right, and the hypothetical server above is running SMTP, HTTP, and DNS servers, that is not a lot of information. When doing vulnerability assessments of your companies or clients, you really what to know which mail and DNS servers are running, as well as the version number if possible. Having an accurate version number helps dramatically in determining which exploits a server is vulnerable to.

Yet another good reason for determining service/version numbers is that many services share the same port number - making a guess based on the nmap-services table even less accurate. Anyone who has done much scanning knows that you often find services listening on unregistered ports - these are a complete mystery without version detection. In addition, filtered UDP ports often look the same to a simple port scanner as open ports. But if they respond to the service-specific probes sent by Nmap version detection, you know for sure that they are open (and in many cases exactly what is running).

The new Nmap version scanning subsystem tries to answer all these questions by connecting to open ports and interrogating them for this information using probes that the specific services understand. This allows Nmap to give a much more details assessment of what is really running, rather than just what port numbers are open. Here is a real example:

# nmap -A -T4 -F www.insecure.org

Starting nmap 3.40PVT16 ( http://www.insecure.org/nmap/ ) at 2003-09-06 19:49 PDT
Interesting ports on www.insecure.org (205.217.153.53):
(The 1206 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.1p1 (protocol 1.99)
25/tcp open smtp Qmail smtpd
53/tcp open domain ISC Bind 9.2.1
80/tcp open http Apache httpd 2.0.39 ((Unix) mod_perl/1.99_07-dev Perl/v5.6.1)
113/tcp closed auth
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 108.307 days (since Wed May 21 12:27:44 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 34.962 seconds

Now I don't claim that Nmap is the first program to ever implement this sort of port interrogation. Jay Freeman (AKA Saurik) posted an Nmap patch he calls Nmap+V more than three years ago. Even if Nmap+V was rather slow and cryptic at the time, it demonstrated the value of advanced port interrogation. It has improved substantially since then. There is also the excellent THC Amap, and Nessus even has a (very) rudimentary service detection framework. While we could have saved months of work by simply integrating one of these open source implementations

not worried

[stonebeat.org]

While this is a little bit worrisome because of what malicious purposes people might use nmap's version detection for

hmmm I think NMAP will only report the version that service will respond. I can make my Apache instance respond with anything, for e.g. "saqib webserver ver. 9.0"

Version detection can also be very helpful
It is good to know that NMAP support version detection. There have been mny instance in the past, especially during the recent virus outbreaks, where I wished I could find the Service version.

Re:not worried

[Rich]

I can make my Apache instance respond with anything, for e.g. "saqib webserver ver. 9.0"

Unfortunately I can then come along and run hmap to detect what it really is using finger printing techniques. Concealing server names and versions gives only a very small increase in security and can make management of multiple servers harder (as it's more difficult to check you patched everything). Rich.

nmap malicious?

[Improv]

Gosh, who could possibly imagine that, with the
addition of version detection, the most 'white hat'
tool out there that could never possibly be used for
anything bad suddenly becomes a 'black hat' tool..
It's a complete 180!

Re:nmap malicious?

[CausticWindow]

Stupid troll

Nmap is a superb tool for scanning large networks. Could that be abused? Yes, but so what? Should we banish cars, since they can be used in bank heists? Should LSD be illegal, just because a large percentage of the population is retarded?

Want a list of machines that's infected with msblast? Nmap your network.

Want a list of machine that are vulnerable to the latest rdp hole in Windows? Nmap your network.

Want a list of servers running an exploitable ssh version? Nmap your network.

Any good administrator of any reasonably sized network, should know and use nmap.

Re:nmap malicious?

[Improv]

Sheesh, no need to get all self-righteous on me.
I know that nmap is useful for more than
black hat purposes, I use it myself, blah blah.
If you look through my post, you'll find nowhere
that I'm suggesting banning it, making it illegal,
or anything like that. Instead, what my post,
intending to be humorous, was about, was simply
stating that it IS used for blackhat things too,
and version detection doesn't change things that
much with regards to that.

It's great that you're a crusader against people
who would take useful things away from us through
laws, but, as in any such thing, be careful where
you're aiming -- friendly fire isn't a good thing,
and you'll just make yourself and others in the
cause look like jerks who can't stop posturing
on who's the bigger crusader. Not useful.

Good second check.

[Bridog]

This will be great to see if people have wonkyed their port numbers to try to obfuscate what they're doing, like running smtp on 10025 or something silly. You'll be able to check that there is an MTA on 25 and SSH on 22.

Re:Good second check.

[caluml]

It's trivial to see that anyway. telnet host.that.youre.unsure.of 10025
Trying 2001:618:15:226::237...
Connected to gk.
Escape character is '^]'.
220 gk.umtstrial.co.uk ESMTP Postfix
quit
221 Bye
Connection closed by foreign host.

Great

[essdodson]

This, on top of it being in the matrix will have every pimply 13 year old trying to haxor the gibson.

No use for worms, only for (h|cr)acking

[lougarou]

Security through obscurity never worked that much, will work much worse now. However, I do not see worms using such tools to propagate better. Worms just try to infect everyone and do not care about being glued in honeypots.

Worrisome? No.

[sonicattack]

While this is a little bit worrisome because of what malicious purposes people might use nmap's version detection for [...]

By the same logic, one might consider it "worrisome" that there even exists software packages like "Nessus" and "Saint".

Adding features such as version detection to a tool that can be used for both good and bad purposed shouldn't be considered "worrisome". It is just something that makes the tool better, for good and for bad. And unless we are talking about software which by design always causes destructive damage when used, I will always consider it a good thing that there are such excellent security auditing tools available to the public. With all respect, sorry to hear that someone finds this "worrisome".

Re:Worrisome? No.

[Kurt+Gray]

I agree. It's not like there aren't already sniffers out there that already do version detection. This is useful to me as an admin because I want to know everything about how my ports appear to the outside world.

But version detection doesn't seem to matter to the average skr1pt kiddie. After looking at many system logs and firewall logs it seems that many hax0r-type kids don't bother running a version detector and hand-picking an exploit based on server version but rather they use battering-ram style try-all-known-exploits scripts regardless of what the target system is. Just look at your own httpd logs and you'll occasionally find a single IP address attempting to call up a whole series of URLs for known CGI, Frontpage, and IIS exploits ... version be damned they'll try all exploits anyway and see what happens, and my guess is these kids get into more systems than the version detecting cat burglar types.

Just out of curiousity...

[Gandhian_Rage]

Does this make it easier for fyodor to listen for an open X11 server?

Speaking of versions

[ChiefArcher]

Speaking of bad versions.

0 Day SSH EXPLOIT out today..
CVS DIFF patch Here

Details are sketchy here

Redhat and others haven't released patches yet.

ChiefArcher

Re:Speaking of versions

[DeadMeat+(TM)]

Still, that makes it two remote root holes in the default install now I believe...

The Internet Storm Center says it "may not be exploitable on . . . OpenBSD". ('course, you should probably patch anyway.)

So it just does banner detection?

That's good and all, but the thing is that most vendors don't increment version numbers. Take the sendmail header overflows from earlier this year: Sun, RedHat, SuSE, HPUX all had patches for the bundled apache server, but those just fixed the binaries - they did not update the banner info. This is of dubious value because of that.

Unfortunately, there is no easy answer to this dilemna for security professionals - do you trust the banner info and get a bunch of false positives? Do you attempt an exploit and possibly crash the machine (not as likely with this sendmail header overflow, but moreso in the case of the apache chunked encoding overflow)? Or do you log onto each host (or use an agent based check system, like NetworkShell)?

Perhaps Fyodor should tackle these questions and not hack pranksters in his spare time.

leet

[grub]

Cool! That version detection works!

Starting nmap V. 3.45 ( www.insecure.org/nmap/ )
Interesting ports on test.grub.net (10.0.1.24):

Port State Service Version
22/tcp open ssh (c) SCO
80/tcp open http (c) SCO
443/tcp open https (c) SCO

UH OH

Slashdot Trolls better hunker down, Fyodor has new weaponry! And we all know what happened last time he went blackhat.

worrisome? nah!

[EvilOpie]

Being a system admin for a college, having this updated tool out for the world really doesn't bother me. Honestly, I'd rather have it in my hands to know what's running on my server, than to be ignorant and hope everything is ok. It also is a good tool to for testing things like if your firewall is configured properly. After all... all the script k1dd13z are going to have these programs too, so it's best to know what you've got exposed to the internet. Besides, in a lot of the programs out there, you can turn off the server identification so that when you connect, you don't know what the host is running for programs. Apache does this (I know because I turned it off myself). And you could probably even hack the source code to them if you really wanted. My FTP server at home just says "Go away!" when you connect so you don't even even see which program is running, much less what version.

Now for a *real* tool for making sure your sytems are up to date, try Nessus. It not only scans your system for what programs are running (using nmap no less), but it finds out what versions they are if they can, and it tries to run common exploits on them too! I use it perodically just to make sure that all the bases are covered so that none of the holes for common exploits on the internet are left open.

Catch it the same way as the rest

[quinkin]

I always assume that the remote servers will send the most malicious data possible.

Spoil sport... :)

I put a timed block on all ips that port scan me persistantly, I doubt the heuristics will even change. Once it's a distributed scan I'm screwed...

Certainly be useful for the internal audits though.

Q.

Re:Catch it the same way as the rest

[Torne]

So you just scan reeeealllly slowly. nmap has options to do this. I spent a while tuning nmap's parameters until it no longer alerts my university's administrators when I port scan.

Re:worrisome? nah!

[EvilOpie]

When you have to keep track of many different servers of different OSes, sometimes you forget things, or stuff that you thought you turned off you find out you didn't. It happens to the best of us.

It's the first thing I always do when I put a new server on the network. It never hurts to do a double-check to make sure that your servers are behaving the way that you think they are. Just like it doesn't hurt to reboot a linux box perodically to make sure that all your startup scrips work as expected in case of a power outage or whatever.

Re:Why OS detection?

[vadim_t]

Duh, it's for finding the OS other machines are running. If you're troubleshooting something, and have a network with 500 computers to check, then being able to automatically see what OS is running where can be very useful.

To put a simple example, you might scan a network for Linux hosts running Samba to then verify that they aren't running a vulnerable version.

HTTP "detection"

[msgmonkey]

Unless you tell specify otherwise dont all httpd servers report their version in the "server" response header?

Yin and Yang

[Esion+Modnar]

It's the duality inherent in most things. nmap can be used for good/bad. Any tool which is remotely useful is like this. The tools of a locksmith can be used to make your house more secure, or to break into it. A gun may be used by cop or crook. You get the idea...

SO?

[semanticgap]

There is nothing special about detecting the version of Apache, since Apache reports it in every response.

Take make sure noone can tell what you're running, put this in your config:

ServerTokens Prod
ServerSignature Off

Here is the documentation for ServerTokens and ServerSignature.

Re:Turn off version announment in apache.conf

[Neophytus]

HTTP/1.1 200 OK
Date: Tue, 16 Sep 2003 14:30:29 GMT
Server: Apache/1.3.26 (Unix) mod_gzip/1.3.19.1a mod_perl/1.27 mod_ssl/2.8.10 OpenSSL/0.9.7a
SLASH_LOG_DATA: shtml
X-Powered-By: Slash 2.003000
X-Bender: Shooting DNA at each other to make babies. I find it offensive!
Cache-Control: private
Pragma: private
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

Re:oops, they did it again....

[molarmass192]

When you support 10,000 servers and 30,000 desktops

There's no way to support this many machines alone. It's simply an impossible workload. As for making the lives of SKs easier, yep, it'll help em target machines, no doubt about it. There's a positive though, at least this tool is public and we're all aware of it now. It's the tools I don't know about that worry me.

Re:hardly useful for 'admin's but for others...

[drunk_as_in_beer]

"hrm, i wonder what version of apache i'm running at the moment... should i look in apache..? no.. i know, i'll scan myself"

you're obviously not an admin, and obviously don't do any serious work with computers at all.

who cares anymore ?

[TTL0]

the kids just run scripts. no one cares about what OS you are running much less what versions.

how many lines in your apache logs look like this ?

"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir
HTTP/1.0" 404 323
24.91.103.152 "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 323
24.91.103.152 "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c 1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
24.91.103.152 "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305 ??

hats off to fyodor....

[ziggy_zero]

....did you know he drives a bimmer? I saw him on the road in Sunnyvale a few weeks ago - his license plate is ROOOOT. hahahaha

(seriously, i'm not making this up. i e-mailed him because he also had an insecure.org license plate holder so that kind of tipped me off. lo and behold, it was him.)