From: Jay Freeman (saurik) [saurik@saurik.com]
Sent: Wednesday, September 06, 2000 4:06 AM
To: Nmap-Hackers
Cc: Fyodor
Subject: Announce: nmap-2.54b4+V-2.3 - Now with FULL Protocol Auto-Detection!

All right, all sorts of new functionality. The big ones are support for '\0' inside of regular expressions and string matches (required messing with the supplied regex.c) and a new 'f' command that lets nmap+V use multiple connections to attempt to gather data on ports that only respond to certain requests. It still doesn't prioritize certain prompts depending on what port it is looking at (in order to expedite a valid response), but that is pretty far beyond the scope of my file format... that will need to wait until I have fleshed out the next one I am working on; although I don't see this as being that important of a feature anyway....

I used these new features to start scanning for protocols such as SSL, RPC, Telnet, and NETBIOS. I also added Linuxconf, not sure why I didn't have that one there before.

BTW, when the SSL scan finds an SSL server it cuts off rather abruptly, and (if you are using modssl anyway) the server prints this to its log:

    [05/Sep/2000 13:06:58 09686] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]

That should happen any time someone's connection is flaky, so it is unlikely to be noticed or be considered a big problem by the administrator (and it goes to a log that I, at least, never check anyway).

If you don't want to go all out and keep reconnecting to the server, you can continue scanning using the existing methods by using -sV. To activate the fork command and start doing extended testing, you need to specify -sVV. I moved -sVV's old purpose (extraneous information) to -sVVV.
The idea is that the more "intrusive" you want your scan to be, the more V's you add at the command line; although I am not sure if I made the right decision that gathering extra information is really more "intrusive" than using multiple connections. I kind of assume that if you care to get things such as the tag of a web page, you likely are going to want to have the most accurate protocol information possible.

As always, if you are using the connect() scan nmap+V will reuse the socket (and internally deals with the organization issues of when to close what sockets that are brought up by -sVV at the same time). So as to take best benefit of the new features, I recommend you use -sVV while doing version scans (personally, I hardly ever care about the few bits of information that -sVVV returns, and it normally just gets in my way and annoys me, but there are some times when I am interested).

I haven't tested this patch on FreeBSD or Solaris yet. Oh, and if you switch the compiler to g++ you will get a few warnings on regex.c... I just didn't have it in me today to squeeze out the last few signed/unsigned issues (made enough modifications to that poor file for one day). Will have to wait for the next version.
As before the patch can be found at:

    ftp://ftp.saurik.com/pub/nmap/nmap+V

An already patched copy of nmap-2.54b4 is at:

    ftp://ftp.saurik.com/pub/nmap/nmap+V.tgz

Now for some example output :-) :

    (The 1047 ports scanned but not shown below are in state: closed)
    Port       State   Service          Protocol     Version
    21/tcp     open    ftp              FTP          wu-2.6.0(1)
    22/tcp     open    ssh              SSH          1.99-2.0.13 (non-commercial)
    25/tcp     open    smtp             SMTP         Sendmail 8.10.0/8.10.0
    37/tcp     open    time             Time         Wed Sep 6 02:22:36 2000
    53/tcp     open    domain
    80/tcp     open    http             HTTP         Apache/1.3.12 (Unix) <Title>: Horde System
    88/tcp     open    kerberos-sec
    98/tcp     open    linuxconf        Linuxconf
    109/tcp    open    pop-2            POP2         v4.55
    110/tcp    open    pop-3            POP3         v7.64
    111/tcp    open    sunrpc           RPC
    113/tcp    open    auth             AUTH
    119/tcp    open    nntp             NNTP         INN 2.2.2
    139/tcp    open    netbios-ssn      NETBIOS
    143/tcp    open    imap2            IMAP         WU IMAP4rev1 v12.264
    443/tcp    open    https            SSL
    465/tcp    open    smtps            SSL
    587/tcp    open    submission       SMTP         Sendmail 8.10.0/8.10.0
    993/tcp    open    imaps            SSL
    995/tcp    open    pop3s            SSL
    2401/tcp   open    cvspserver       CVS
    5432/tcp   open    postgres         PostgreSQL
    6667/tcp   open    irc              IRC          2.8/hybrid-5.3+TS4-rel1.0 Network: Internet Relay
    8007/tcp   open    jserv
    8009/tcp   open    ajp13            Ajp13
    8888/tcp   open    sun-answerbook   NetStreamer  NrServer 0.17

    Nmap run completed -- 1 IP address (1 host up) scanned in 132 seconds

Here are the relevant CHANGELOG entries:

** Version 2.54b4+V-2.3

-- Added the 'f' command: "fork". Using this will disconnect from the remote host, clear the receive buffer, optionally skip sections, and reestablish the connection.
-- Replaced -sVV with -sVVV. -sVV is now for "intrusive" version scans. The idea is that the more V's you have, the more "intrusive" you are being. One V will create one TCP connection and attempt to get as much protocol and version information as it can from that. Two V's will use as many connections as necessary to maximize accuracy. Three V's will return extraneous information (a la -sVV before).
-- Used 'f' to reorganize and enhance the nmap-versions rules.
   Nmap+V can now detect non-responsive protocols on non-standard ports!
-- Messed with the '?' command to support branching based on the level of "intrusiveness". This is used to decide whether to simply go through protocol detection tests in order, or do a global branch based on port number (which greatly limits the scan's power).
-- Trimmed out a bunch of garbage from the shipped regex.c, and ported it most of the way to C++ (still has a few signed/unsigned issues).
-- Messed with regex.c until it supported the ability to have '\0' in the middle of both expressions and strings. Apparently the POSIX people defined a regular expression to end with '\0'. In and of itself, this would be solvable. I got a suggestion from Andy Lutomirski <luto at mailandnews.com> to use "[^\001-\xff]", which worked fine... except that the POSIX people also decided that regexec() wouldn't take a length argument either, so even if the regular expression can match the string correctly, it can't be given the string to match against anyway.
-- Changed the configure scripts to use the supplied regex.c for all compiles regardless of whether the POSIX compliant ones were found or not.
-- Added a few nmap-versions rules using the new binary abilities: SSL, RPC, Telnet, NETBIOS, and a small addition to Ajp13.
-- Running the version scan as port scans were generating the lists was causing timing problems. SYN scan was getting all confused and scanning the same ports over and over again. Then the extra packets were making SYN scan do extra work to decide what data it was actually supposed to be waiting for, and what wasn't garbage. When the scan would complete the data was always accurate, and the version scan would normally complete for each port fast enough not to cause many issues. When I started scanning using multiple connections and different prompts that changed.
   When run with any scan other than the vanilla TCP connect() scan, nmap+V will now wait until all port processing is done before running its scans. This sped things up considerably.

** Version 2.54v3+V-2.21

-- Added textual note that Jay Freeman (saurik) <saurik at saurik.com> wrote the +V patch, so if you want to complain to someone about it, you might want to talk to him and not Fyodor :).
-- Hopefully fixed a buffer overflow demonstrated in an exploit found at: http://inferno.tusculum.edu/~typo/banfuq.c .

** Version 2.54b3+V-2.2

-- Ported nmap+V to 2.54b3.
-- Added binary support to nmap-versions parsing.
-- A few new nmap-versions entries (including Ajp13, which uses the new binary support for the protocol detection).

** Version 2.53+V-2.1

-- Added a 'd' command to the nmap-versions parser which regex's out four bytes in network order, converts it to host order, uses it as an unsigned long, subtracts the number of seconds between 1900 and 1970, and runs it through ctime() for generating the version string.
-- If -sV is specified more than once new extended information is given, currently the network of an IRC server, and the <title> of a web page.

Sincerely,
Jay Freeman (saurik)
saurik@saurik.com <mailto:saurik@saurik.com>
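The following is an added illustration, not code from nmap+V or its nmap-versions file. It models in Python the three mechanisms this announcement describes: binary probes and patterns that may contain NUL bytes (Python's re module matches on bytes, so the regexec() length problem discussed in the 2.3 changelog does not arise here), the 'f' command that drops the connection, clears the receive buffer and reconnects with a different probe when -sVV allows it, and the 'd' command from the 2.1 changelog that turns four network-order bytes into a ctime() string. The "services" and their replies are constructed in-memory stand-ins, the rule table is a hypothetical one written for this example, and the sample Time value is chosen to reproduce the "Wed Sep 6 02:22:36 2000" line from the output above.

```python
"""Toy version-detection loop in the spirit of nmap+V's nmap-versions rules.
Added example; not part of nmap+V.  Everything below is constructed."""
import re
import struct
from datetime import datetime, timezone

# Seconds between the RFC 868 Time epoch (1900) and the Unix epoch (1970),
# the offset the 'd' command subtracts.
TIME_1900_TO_1970 = 2208988800

# Constructed fake services: port -> {probe bytes: reply bytes}.  A probe the
# service does not recognise gets no reply at all, which is exactly the case
# the 'f' command exists for (e.g. an SSL port that says nothing until it sees
# a client hello).  The TLS-like bytes here are invented, not a real handshake.
FAKE_SERVICES = {
    21: {b"": b"220 example FTP server (Version wu-2.6.0(1)) ready\r\n"},
    37: {b"": struct.pack("!I", 3177195756)},   # RFC 868: 4 bytes, network order
    443: {b"\x16\x03\x00HELLO": b"\x16\x03\x00\x00\x2aSSL\x00fake\x00handshake"},
}

# Hypothetical rule table: (probe to send, regex on bytes, label, post-processor).
# Rules are tried in order, as the announcement says happens at -sVV; "d" marks
# the 'd' command.  Note the NUL bytes inside the SSL pattern.
RULES = [
    (b"",                  rb"^220 .*\(Version ([^)]+\))", "FTP",  None),
    (b"",                  rb"^(.{4})$",                  "Time", "d"),
    (b"\x16\x03\x00HELLO", rb"^\x16\x03\x00..SSL\x00",    "SSL",  None),
]


def decode_time(raw4):
    """'d' command: 4 bytes network order -> unsigned -> minus 1900..1970 -> ctime()."""
    secs_since_1900 = struct.unpack("!I", raw4)[0]       # host order, unsigned
    unix_secs = secs_since_1900 - TIME_1900_TO_1970
    return datetime.fromtimestamp(unix_secs, tz=timezone.utc).ctime()


class FakeConnection:
    """Stand-in for one TCP connection: a fresh object means a fresh receive buffer."""
    def __init__(self, port):
        self.port = port
        self.buf = b""

    def send(self, probe):
        self.buf += FAKE_SERVICES.get(self.port, {}).get(probe, b"")

    def recv(self):
        return self.buf


def detect(port, intrusiveness=1):
    """Return (label, detail).  intrusiveness=1 behaves like -sV: one connection,
    one probe, every rule matched against that single buffer.  intrusiveness>=2
    behaves like -sVV: a rule whose probe differs from the one already sent
    triggers 'f' (disconnect, clear buffer, reconnect, send the new probe)."""
    conn = FakeConnection(port)
    sent = None
    for probe, pattern, label, post in RULES:
        if sent is None:
            conn.send(probe)
            sent = probe
        elif probe != sent:
            if intrusiveness < 2:
                continue                     # -sV may not open another connection
            conn = FakeConnection(port)      # 'f': fork to a clean connection
            conn.send(probe)
            sent = probe
        m = re.match(pattern, conn.recv(), re.DOTALL)
        if m is None:
            continue
        if post == "d":
            return label, decode_time(m.group(1))
        return label, (m.group(1).decode("latin-1") if m.groups() else "")
    return None, ""


if __name__ == "__main__":
    for port in sorted(FAKE_SERVICES):
        for level in (1, 2):
            print(port, "-s" + "V" * level, detect(port, level))
```

Run as a script it shows the behaviour the announcement describes: the FTP and Time ports are identified with a single connection at either level, while the silent SSL port is only recognised at level 2, when the loop is allowed to fork to a new connection and send the hello probe.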