Subject: Re: Nmap 2.30BETA20 Released
From: Andrew Brown (atatat atatdot.net)
Date: Fri Apr 21 2000 - 14:06:42 CDT
- In reply to: Justin: "Re: Nmap 2.30BETA20 Released"
>> i'd also like to suggest that you distribute the "massive" services
>> file that i've been maintaining for a year or so at
>>
>> http://www.graffiti.com/services
>>
>> as the nmap-services file.
>
>Not necessarily a good or desirable thing. Even with the not-so-complete
>nmap services file, I usually find it reporting on services that aren't
>really running, simply because they're above 1023, or because someone
>decided to run a non-"standard" service on a privileged port. In fact,
>I'd almost like to see all the services on non-privileged ports be removed
>from the services file nmap uses. At least all except 6660-6670, 8000,
>8080, 12345, and other such common or critically important high ports.

scanning only ports below 1024 makes a certain amount of sense.
scanning below 1024 and, "oh, just these few" is arrogant. maybe you
are, but *most* people aren't running a chat server or web server on
some non-standard ports.

nmap could easily be changed to accept "-p priv" so that it would only
scan privileged ports...

>Ideally nmap would have a module to verify each service it finds, so that
>(for example) an open port 443 wouldn't be reported as ssl / http if it
>isn't acting like a webserver.

verifying that port 25 is an smtp server is relatively easy, likewise
with 21 being ftp control, 22 being an ssh server, and 23 being a
telnet server. the daytime and time services are likewise very easy
to detect since they just spew; they don't accept.

verifying that port 443 is actually an https server is decidedly
non-trivial, not the least of which is because it waits for the client
to say something before dropping you. it would require at least a
minimal ssl stack, and some crypto tools, neither of which belong in
the world's best port scanner.

--
|-----< "CODE WARRIOR" >-----|
codewarriordaemon.org * "ah! i see you have the internet
twofsonet graffiti.com (Andrew Brown) that goes *ping*!"
andrew crossbar.com * "information is power -- share the wealth."

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to nmap-hackers-help insecure.org . List run by ezmlm-idx (www.ezmlm.org).
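
The distinction drawn in the message above, between services that speak first on connect and ones that wait for the client, as an added example that is not part of the original post and is not nmap code. It classifies the first bytes an open port sends; the function name verify, the result strings and the sample banners are constructed for illustration.

```python
import re
import struct

UNIX_EPOCH_IN_RFC868 = 2208988800  # seconds from 1900-01-01 to 1970-01-01

def _is_time(data):
    # RFC 868: exactly four bytes, big-endian seconds since 1900.
    return len(data) == 4 and struct.unpack("!I", data)[0] > UNIX_EPOCH_IN_RFC868

def _is_daytime(data):
    # RFC 867: one short line of printable ASCII, no fixed syntax.
    text = data.rstrip(b"\r\n")
    return 0 < len(text) < 128 and all(32 <= b < 127 for b in text)

def _is_220(data):
    # FTP and SMTP both greet with reply code 220, so this only shows the
    # greeting is consistent with the port, not which of the two it is.
    return re.match(rb"220[ -]", data) is not None

# port -> (service name, check applied to the first bytes the server sends)
CHECKS = {
    13: ("daytime", _is_daytime),
    21: ("ftp", _is_220),
    22: ("ssh", lambda d: re.match(rb"SSH-\d+\.\d+-", d) is not None),
    # Telnet servers usually open with IAC (0xFF) + WILL/WONT/DO/DONT + option.
    23: ("telnet", lambda d: len(d) >= 3 and d[0] == 0xFF and 0xFB <= d[1] <= 0xFE),
    25: ("smtp", _is_220),
    37: ("time", _is_time),
}

def verify(port, first_bytes):
    """Classify what an open port sent before the client said anything."""
    if not first_bytes:
        return "silent"      # server waits for the client, e.g. SSL on 443
    if port not in CHECKS:
        return "unchecked"   # no passive check defined for this port
    name, check = CHECKS[port]
    return "confirmed " + name if check(first_bytes) else "mismatch"

# Constructed sample captures: (port, bytes received right after connect).
SAMPLES = [
    (22, b"SSH-1.99-OpenSSH_2.1\r\n"),
    (25, b"220 mail.example.test ESMTP\r\n"),
    (22, b"220 ftp.example.test FTP ready\r\n"),  # FTP moved onto port 22
    (23, b"\xff\xfd\x18\xff\xfd\x20"),
    (37, struct.pack("!I", UNIX_EPOCH_IN_RFC868 + 956343602)),
    (443, b""),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, verify(port, data))
```

A "silent" result for 443 is the case the message calls non-trivial: nothing can be concluded without sending a client hello.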