Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Security

Nmap Gets Version Detection 172

Anonymous Coward writes "Up until now, everyone's favorite port scanner, nmap has had decent OS detection (through TCP fingerprinting) and service identification based on the open port, but the latest version, 3.45 released today, has version detection for each service! This means not only can nmap tell you that httpd is running on port 80, but that it is `apache httpd version 2.0.39`! While this is a little bit worrisome because of what malicious purposes people might use nmap's version detection for, this should make the jobs of admins everywhere easier and keep us all more on our toes when it comes to security. Fyodor has also published a paper on how the version detection works."
This discussion has been archived. No new comments can be posted.

Nmap Gets Version Detection

Comments Filter:
  • Worrysome? (Score:5, Insightful)

    by mrtroy ( 640746 ) on Tuesday September 16, 2003 @09:48AM (#6974680)
    If you plan your network security through obscurity...thats asking for trouble.

    If you hope nobody can hack you or cause any problems with your servers because you assume they dont know what you are running...that is a problem.

    How about being accountable, upgrading and securing your system, instead of being alarmed that "suddenly" (like they couldnt before) people can see specifically what you are running.

    Hats off to nmap...first matrix reloaded, now a drastic improvement! Who knows, matrix revolutions may be sporting a new nmap!
    • Re:Worrysome? (Score:3, Interesting)

      by notsewmit ( 655779 ) *
      You'd be surprised at how many companies operate that way. A company I used to work for blocked SSH but allowed Telnet access to the outside world. Seems kind of backwards to me.
      • Re:Worrysome? (Score:2, Insightful)

        by cygnusx ( 193092 )
        Perhaps they didn't want traffic they couldn't sniff through their network?

        • Re:Worrysome? (Score:3, Interesting)

          by mrtroy ( 640746 )
          Ya, it could have to do with data security and not network security. Although I could think of better ways to solve this!
      • by Anonymous Coward
        You'd be surprised at how many companies operate that way. A company I used to work for blocked SSH but allowed Telnet access to the outside world. Seems kind of backwards to me.

        I'm working for such a company. But when I told them to open SSH for me, they did. They were only blocking it because no one was using it.

        I think it has something to do with the fact that telnet can be used for a lot of things. I mean you can telnet to an HTTP server, SMTP server, etc. How would you block telnet specifically?
        • Telnet the protocol, sure. But there's also a standard telnet server port. This is how you login remotely and where the problems are.

          Too bad SSH wasn't invented sooner, everything would be using it instead of Telnet.
        • Re:Worrysome? (Score:3, Informative)

          by cygnusx ( 193092 )
          I think it has something to do with the fact that telnet can be used for a lot of things. I mean you can telnet to an HTTP server, SMTP server, etc

          You're confusing telnet-the-app and telnet-the-protocol. When companies block telnet, they usually block telnet-the-protocol. You can still use the app to connect to arbitary port 80s. If you can't, it means http has been blocked as well.
    • If you hope nobody can hack you or cause any problems with your servers because you assume they dont know what you are running...that is a problem.

      That is a problem indeed, but given the number of bad sys ads out there (without whom many networks would not have sys ads) it sure has to be a concern for someone.

    • Re:Worrysome? (Score:5, Informative)

      by Karamchand ( 607798 ) on Tuesday September 16, 2003 @10:09AM (#6974885)
      While of course it is not good practice to rely on a single method to secure one's network and then dream about it beeing "unhackable", security by obscurity might be part of a good security concept.

      Jay Beale (from Bastille Linux) wrote a nice article about security through obscurity [bastille-linux.org] a while ago.
      • Re:Worrysome? (Score:3, Insightful)

        by ryanr ( 30917 ) *
        What I usually tell people is don't rely on obscurity, but go ahead and take advantage of it.
      • I see obscurity as nothing but a bonus. There exist numerous utilities to not only portscan, but to determine what service is on a particular port, what OS you are running, et cetera. So obscurity is nothing but a free layer of annoyance to skript kiddie "crackers" who don't actually know anything. For anyone competent attacking your system, obscurity will make no difference whatsoever because they won't be making any assumptions.
    • Re:Worrysome? (Score:3, Insightful)

      It's not worrisome because this information is suddenly available. A real hacker can get this information any number of other ways. It's worrisome because suddenly a million script kiddies can now get this information as well, and will now have a better chance of choosing the correct point-and-click tool to exploit the identified box.
      • It's worrisome because suddenly a million script kiddies can now get this information as well, and will now have a better chance of choosing the correct point-and-click tool to exploit the identified box.

        There have to be point-and-click tools to tell what a server is running anyway, it's not like it's the hardest thing in the world to do. Look:

        1. Right-click on page.
        2. Select 'View Page Info'.
        3. Click the Headers tab.
        4. Look at the response headers.

        Dood! I just "hacked" Slashdot into telling me they ar

    • Re:Worrysome? (Score:2, Interesting)

      by hendridm ( 302246 )
      I'm not worried about your systems, I worried about the careless admins with unpatched boxes. It seems like this makes it so easy to:

      1. Pick an exploit on your favorite security site.
      2. Write a script that scans the Internet for boxes running the service and version that match the exploit.
      3. Initiate exploit when match is found.

      At least with anonymous versions, the attacker wasn't necessarily sure what he was up against (or had to work a little harder for it).
    • It is slightly worrysome to even good admins. Security comes in layers, so even if your security isn't breached with the loss of one layer, it does weaken the overall security picture. Even if you're pretty sure your setup is unhackable, there's no reason to make it any easier on an intruder by advertising exactly what configuration of hardware and software you use.
    • If you hope nobody can hack you or cause any problems with your servers because you assume they dont know what you are running...that is a problem.

      It's universally considered a bad idea to emit version strings. But you're right, it's also a bad idea to place to count on obscurity. Good security assumes that an intruder knows exactly what you're running, because inevitably one will come along who makes the right set of assumptions.

      Here's an amusing item [counterpane.com] about vulnerability scanners and version strings. A

  • by Anonymous Coward
    I, for one, welcome our new version detecting port scanning overlords.
  • Tool convergence? (Score:5, Interesting)

    by Maradine ( 194191 ) * on Tuesday September 16, 2003 @09:48AM (#6974683) Homepage
    In the past, my kit contained THC's Amap, Ofir Arkin's Xprobe, and of course, Fyodor's nmap. Its good to see all of these toys (or at least the functionality) coming into one wrapper. I really like Xprobe's probabilistic model for O/S detection. Its a shame that what's good for the hacker is good for the cracker . . .

    Oh, and by the way, is anyone watching the global 593 spike?
  • slashdotted (Score:5, Informative)

    by Anonymous Coward on Tuesday September 16, 2003 @09:48AM (#6974685)
    While Nmap does many things (remote OS detection via TCP/IP fingerprinting, ping sweeps, uptime calculation, protocol scans, etc.), its raison d'etre has always been port scanning. Point Nmap at a remote machine, and it might tell you that ports 25/tcp, 80/tcp, and 53/udp are open. Using its nmap-services database of more than 2,200 "well-known" services, Nmap would explain that those ports probably correspond to a mail server (SMTP), web server (HTTP), and name server (DNS) respectively. This lookup is usually accurate -- the vast majority of daemons listening on port 25 are, in fact, mail servers. But you shouldn't bet your security on this! People can and do run services on strange ports. Perhaps their main web server was already on port 80, so they picked a different port for a staging/test server. Maybe they think hiding a vulnerable service on some obscure port will prevent "evil hackers" from finding it. Even more common lately is that people are choosing ports based not on the service they want to run but based on what will get through the firewall. When ISPs blocked port 80 after major Microsoft IIS worms CodeRed and Nimda, hordes of users responded by moving their personal web servers to different ports. When companies block telnet access due to its horrific security risks, I have seen users simply run telnetd on the secure shell (SSH) port instead.
    Even if Nmap is right, and the hypothetical server above is running SMTP, HTTP, and DNS servers, that is not a lot of information. When doing vulnerability assessments of your companies or clients, you really what to know which mail and DNS servers are running, as well as the version number if possible. Having an accurate version number helps dramatically in determining which exploits a server is vulnerable to.

    Yet another good reason for determining service/version numbers is that many services share the same port number - making a guess based on the nmap-services table even less accurate. Anyone who has done much scanning knows that you often find services listening on unregistered ports - these are a complete mystery without version detection. In addition, filtered UDP ports often look the same to a simple port scanner as open ports. But if they respond to the service-specific probes sent by Nmap version detection, you know for sure that they are open (and in many cases exactly what is running).

    The new Nmap version scanning subsystem tries to answer all these questions by connecting to open ports and interrogating them for this information using probes that the specific services understand. This allows Nmap to give a much more details assessment of what is really running, rather than just what port numbers are open. Here is a real example:

    # nmap -A -T4 -F www.insecure.org

    Starting nmap 3.40PVT16 ( http://www.insecure.org/nmap/ ) at 2003-09-06 19:49 PDT
    Interesting ports on www.insecure.org (205.217.153.53):
    (The 1206 ports scanned but not shown below are in state: filtered)
    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 3.1p1 (protocol 1.99)
    25/tcp open smtp Qmail smtpd
    53/tcp open domain ISC Bind 9.2.1
    80/tcp open http Apache httpd 2.0.39 ((Unix) mod_perl/1.99_07-dev Perl/v5.6.1)
    113/tcp closed auth
    Device type: general purpose
    Running: Linux 2.4.X|2.5.X
    OS details: Linux Kernel 2.4.0 - 2.5.20
    Uptime 108.307 days (since Wed May 21 12:27:44 2003)

    Nmap run completed -- 1 IP address (1 host up) scanned in 34.962 seconds

    Now I don't claim that Nmap is the first program to ever implement this sort of port interrogation. Jay Freeman (AKA Saurik) posted an Nmap patch he calls Nmap+V more than three years ago. Even if Nmap+V was rather slow and cryptic at the time, it demonstrated the value of advanced port interrogation. It has improved substantially since then. There is also the excellent THC Amap, and Nessus even has a (very) rudimentary service detection framework. While we could have saved months of work by simply integrating one of these open source implementations
    • # nmap -A -T4 -F www.insecure.org

      Starting nmap 3.40PVT16 ( http://www.insecure.org/nmap/ ) at 2003-09-06 19:49 PDT
      Interesting ports on www.insecure.org (205.217.153.53):
      (The 1206 ports scanned but not shown below are in state: filtered)
      PORT STATE SERVICE VERSION
      22/tcp open ssh OpenSSH 3.1p1 (protocol 1.99)
      25/tcp open smtp Qmail smtpd
      53/tcp open domain ISC Bind 9.2.1
      80/tcp open http Apache httpd 2.0.39 ((Unix) mod_perl/1.99_07-dev Perl/v5.6.1)
      113/tcp closed auth
      Device type: gene

  • not worried (Score:5, Interesting)

    by stonebeat.org ( 562495 ) on Tuesday September 16, 2003 @09:49AM (#6974690) Homepage
    While this is a little bit worrisome because of what malicious purposes people might use nmap's version detection for

    hmmm I think NMAP will only report the version that service will respond. I can make my Apache instance respond with anything, for e.g. "saqib webserver ver. 9.0"

    Version detection can also be very helpful
    It is good to know that NMAP support version detection. There have been mny instance in the past, especially during the recent virus outbreaks, where I wished I could find the Service version.
    • Re:not worried (Score:3, Insightful)

      by Rich ( 9681 )
      I can make my Apache instance respond with anything, for e.g. "saqib webserver ver. 9.0"

      Unfortunately I can then come along and run hmap to detect what it really is using finger printing techniques. Concealing server names and versions gives only a very small increase in security and can make management of multiple servers harder (as it's more difficult to check you patched everything). Rich.

    • Yeah, I think the version detection is based on the service cooperating. I just scanned a test machine, and postfix wouldn't return a version.

      I remember playing with a tool (whose name escapes me) that tried to identify what version of SMTP server you were running. It would run through all the commands, note the responses, etc. and then tell you what you were running. Seemed to work fairly well.

      Maybe a more generic version could be incorperated into nmap, for all services (not just SMTP) when the ser

  • by Improv ( 2467 ) <pgunn01@gmail.com> on Tuesday September 16, 2003 @09:49AM (#6974700) Homepage Journal
    Gosh, who could possibly imagine that, with the
    addition of version detection, the most 'white hat'
    tool out there that could never possibly be used for
    anything bad suddenly becomes a 'black hat' tool..
    It's a complete 180!
    • Stupid troll

      Nmap is a superb tool for scanning large networks. Could that be abused? Yes, but so what? Should we banish cars, since they can be used in bank heists? Should LSD be illegal, just because a large percentage of the population is retarded?

      Want a list of machines that's infected with msblast? Nmap your network.

      Want a list of machine that are vulnerable to the latest rdp hole in Windows? Nmap your network.

      Want a list of servers running an exploitable ssh version? Nmap your network.

      Any good adm

      • Re:nmap malicious? (Score:3, Insightful)

        by Improv ( 2467 )
        Sheesh, no need to get all self-righteous on me.
        I know that nmap is useful for more than
        black hat purposes, I use it myself, blah blah.
        If you look through my post, you'll find nowhere
        that I'm suggesting banning it, making it illegal,
        or anything like that. Instead, what my post,
        intending to be humorous, was about, was simply
        stating that it IS used for blackhat things too,
        and version detection doesn't change things that
        much with regards to that.

        It's great that you're a crusader against people
        who would take u
      • Holy didn't-see-the-sarcasm, Batman!

        Sigh.
    • Yin and Yang (Score:3, Insightful)

      It's the duality inherent in most things. nmap can be used for good/bad. Any tool which is remotely useful is like this. The tools of a locksmith can be used to make your house more secure, or to break into it. A gun may be used by cop or crook. You get the idea...
      • Re:Yin and Yang (Score:1, Interesting)

        by Anonymous Coward
        It's the duality inherent in most things. nmap can be used for good/bad.

        What? I don't like what you are saying? Duality? That sounds like a unchristian idea. You are either with us or against us. You are either for terror or for freedom.

        How do you know good from bad? As GBW said: you just know.

    • by Anonymous Coward
      Um Fyodor is a BlackHat [slashdot.org]!
  • Good second check. (Score:5, Interesting)

    by Bridog ( 410044 ) <blb8@@@po...cwru...edu> on Tuesday September 16, 2003 @09:50AM (#6974703)
    This will be great to see if people have wonkyed their port numbers to try to obfuscate what they're doing, like running smtp on 10025 or something silly. You'll be able to check that there is an MTA on 25 and SSH on 22.
    • by caluml ( 551744 )
      It's trivial to see that anyway. telnet host.that.youre.unsure.of 10025
      Trying 2001:618:15:226::237...
      Connected to gk.
      Escape character is '^]'.
      220 gk.umtstrial.co.uk ESMTP Postfix
      quit
      221 Bye
      Connection closed by foreign host.
      • Yeah, being worried over nmap version detection is rather sad. What version of openSSH do you use? telnet to port 22 and look for yourself - Often tells you the OS too unless sshd is configured otherwise. Telnet is probably the biggest threat out there because it's available everywhere, and do we quake in fear over telnet? hardly. nmap is just a port scanning tool if your actually planning on doing something aside from casual. If I saw a strange port open I'd probably start messing with netcat before I
  • Great (Score:3, Funny)

    by essdodson ( 466448 ) on Tuesday September 16, 2003 @09:51AM (#6974718) Homepage
    This, on top of it being in the matrix will have every pimply 13 year old trying to haxor the gibson.
  • by lougarou ( 34028 ) on Tuesday September 16, 2003 @09:52AM (#6974722) Homepage
    Security through obscurity never worked that much, will work much worse now. However, I do not see worms using such tools to propagate better. Worms just try to infect everyone and do not care about being glued in honeypots.

  • - Ok... Why OS detection? Don't you know what OS you run? ;-)

    • by vadim_t ( 324782 )
      Duh, it's for finding the OS other machines are running. If you're troubleshooting something, and have a network with 500 computers to check, then being able to automatically see what OS is running where can be very useful.

      To put a simple example, you might scan a network for Linux hosts running Samba to then verify that they aren't running a vulnerable version.
    • I know what OS I'M running. But I don't know what one your're running. Yet.
  • Worrisome? No. (Score:5, Insightful)

    by sonicattack ( 554038 ) on Tuesday September 16, 2003 @09:52AM (#6974727) Homepage
    While this is a little bit worrisome because of what malicious purposes people might use nmap's version detection for [...]

    By the same logic, one might consider it "worrisome" that there even exists software packages like "Nessus" and "Saint".

    Adding features such as version detection to a tool that can be used for both good and bad purposed shouldn't be considered "worrisome". It is just something that makes the tool better, for good and for bad. And unless we are talking about software which by design always causes destructive damage when used, I will always consider it a good thing that there are such excellent security auditing tools available to the public. With all respect, sorry to hear that someone finds this "worrisome".
    • Re:Worrisome? No. (Score:3, Insightful)

      by Kurt Gray ( 935 )
      I agree. It's not like there aren't already sniffers out there that already do version detection. This is useful to me as an admin because I want to know everything about how my ports appear to the outside world.

      But version detection doesn't seem to matter to the average skr1pt kiddie. After looking at many system logs and firewall logs it seems that many hax0r-type kids don't bother running a version detector and hand-picking an exploit based on server version but rather they use battering-ram style try-a
  • Does this make it easier for fyodor to listen for an open X11 server?
  • Speaking of versions (Score:5, Informative)

    by ChiefArcher ( 1753 ) on Tuesday September 16, 2003 @09:53AM (#6974742) Homepage Journal
    Speaking of bad versions.

    0 Day SSH EXPLOIT out today..
    CVS DIFF patch Here [freebsd.org]

    Details are sketchy here [netsys.com]

    Redhat and others haven't released patches yet.

    ChiefArcher
    • by keesh ( 202812 ) *
      I submitted a story, and it got rejected. Guess /. hasn't patched up yet, so they don't want us to know about it.

      Still, that makes it two remote root holes in the default install now I believe...
    • The buffer->alloc field is not accessed in xrealloc() or in fatal() so I don't see how this patch fixes anything? Either this is not the correct fix or the bug is vapour. I still have to find evidence of an exploit or at least some reference to where the affected code could be... or maybe I'm just missing something - can somebody with more low-level ssh knowledge enlighten me?
  • by Anonymous Coward on Tuesday September 16, 2003 @09:54AM (#6974754)
    That's good and all, but the thing is that most vendors don't increment version numbers. Take the sendmail header overflows from earlier this year: Sun, RedHat, SuSE, HPUX all had patches for the bundled apache server, but those just fixed the binaries - they did not update the banner info. This is of dubious value because of that.

    Unfortunately, there is no easy answer to this dilemna for security professionals - do you trust the banner info and get a bunch of false positives? Do you attempt an exploit and possibly crash the machine (not as likely with this sendmail header overflow, but moreso in the case of the apache chunked encoding overflow)? Or do you log onto each host (or use an agent based check system, like NetworkShell)?

    Perhaps Fyodor should tackle these questions and not hack pranksters [slashdot.org] in his spare time.
    • Exactly! Actually, the rpm version number gets updated, but not the version of the software itself, i.e. (example) 1.2.3-23 is updated to 1.2.3-24. "1.2.3" is the version of the software (i.e. what you get e.g. from ftp.sendmail.org) and "-23, -24, etc. is the internal vendor (SuSE, RedHat) version number of the particular rpm package. The new "Enterprise" versions (SuSE Linux Enterprise Server, RedHat Advanced Server) explicitly have the purpose to NOT update any packages, but ONLY fix bugs in them. That i
  • leet (Score:4, Funny)

    by grub ( 11606 ) <slashdot@grub.net> on Tuesday September 16, 2003 @09:54AM (#6974756) Homepage Journal
    Cool! That version detection works!
    Starting nmap V. 3.45 ( www.insecure.org/nmap/ )
    Interesting ports on test.grub.net (10.0.1.24):

    Port State Service Version
    22/tcp open ssh (c) SCO
    80/tcp open http (c) SCO
    443/tcp open https (c) SCO
  • UH OH (Score:5, Interesting)

    by Anonymous Coward on Tuesday September 16, 2003 @09:59AM (#6974804)
    Slashdot Trolls better hunker down, Fyodor has new weaponry! And we all know what happened last time he went blackhat [slashdot.org].
  • worrisome? nah! (Score:5, Interesting)

    by EvilOpie ( 534946 ) * on Tuesday September 16, 2003 @09:59AM (#6974805) Homepage
    Being a system admin for a college, having this updated tool out for the world really doesn't bother me. Honestly, I'd rather have it in my hands to know what's running on my server, than to be ignorant and hope everything is ok. It also is a good tool to for testing things like if your firewall is configured properly. After all... all the script k1dd13z are going to have these programs too, so it's best to know what you've got exposed to the internet. Besides, in a lot of the programs out there, you can turn off the server identification so that when you connect, you don't know what the host is running for programs. Apache does this (I know because I turned it off myself). And you could probably even hack the source code to them if you really wanted. My FTP server at home just says "Go away!" when you connect so you don't even even see which program is running, much less what version.

    Now for a *real* tool for making sure your sytems are up to date, try Nessus [nessus.org]. It not only scans your system for what programs are running (using nmap no less), but it finds out what versions they are if they can, and it tries to run common exploits on them too! I use it perodically just to make sure that all the bases are covered so that none of the holes for common exploits on the internet are left open.
    • Being a system admin for a college, having this updated tool out for the world really doesn't bother me. Honestly, I'd rather have it in my hands to know what's running on my server, than to be ignorant and hope everything is ok.

      So... you're the sysadmin and you need nmap to tell you what you're running on your server?
      • Re:worrisome? nah! (Score:4, Insightful)

        by EvilOpie ( 534946 ) * on Tuesday September 16, 2003 @10:10AM (#6974899) Homepage
        When you have to keep track of many different servers of different OSes, sometimes you forget things, or stuff that you thought you turned off you find out you didn't. It happens to the best of us.

        It's the first thing I always do when I put a new server on the network. It never hurts to do a double-check to make sure that your servers are behaving the way that you think they are. Just like it doesn't hurt to reboot a linux box perodically to make sure that all your startup scrips work as expected in case of a power outage or whatever.
      • If the server is used to host student shell accounts, then absolutely. Students do some wacky things... I know I did.
        • ... if the college is providing network access in student housing, there really is no way to tell what's going on unless the network is scanned regularly.
      • Because there can be differences in what you think is on the machine, and what it actually doing. The very definition of being hacked.
  • The real question is (Score:1, Interesting)

    by Anonymous Coward
    How can this new feature of nmap be used to haxxxor kids personal computers and post personal information about them far and wide, since that is Fyodor's MO.
  • by quinkin ( 601839 ) on Tuesday September 16, 2003 @10:04AM (#6974845)
    I always assume that the remote servers will send the most malicious data possible.

    Spoil sport... :)

    I put a timed block on all ips that port scan me persistantly, I doubt the heuristics will even change. Once it's a distributed scan I'm screwed...

    Certainly be useful for the internal audits though.

    Q.

    • So you just scan reeeealllly slowly. nmap has options to do this. I spent a while tuning nmap's parameters until it no longer alerts my university's administrators when I port scan.
      • Thats why I modded my heuristics to be ip/port anomoly based and take days/weeks (he says vaguely) to time out unless under heavy load. So you need a botnet to scan me effectively.

        I update after almost every new nmap function, or at least when I manage to poke a hole.

        Keeps the kiddies out...

        Q.


  • if this works into the script kiddies stock toolbox, then maybe they'll stop pounding my damn web server looking for backdoors that are 2 major OS versions old.

    or maybe i should finally break down and write that script to fire off an auto-email to the administration contact each time some zombie comes knocking.
  • HTTP "detection" (Score:3, Informative)

    by msgmonkey ( 599753 ) on Tuesday September 16, 2003 @10:16AM (#6974940)
    Unless you tell specify otherwise dont all httpd servers report their version in the "server" response header?
  • I always turn off the version announcement on Apache, you know, when you hit a 404 page, it tells you the version number in the footer. I *assume* this will thwart Nmap's attempts at reading this, yes? I can't think of anywhere else Apache tells this. It's a simple edit of Apache.conf to turn it off.

    CB
    • HTTP/1.1 200 OK
      Date: Tue, 16 Sep 2003 14:30:29 GMT
      Server: Apache/1.3.26 (Unix) mod_gzip/1.3.19.1a mod_perl/1.27 mod_ssl/2.8.10 OpenSSL/0.9.7a
      SLASH_LOG_DATA: shtml
      X-Powered-By: Slash 2.003000
      X-Bender: Shooting DNA at each other to make babies. I find it offensive!
      Cache-Control: private
      Pragma: private
      Connection: close
      Transfer-Encoding: chunked
      Content-Type: text/html; charset=iso-8859-1
  • Win + samba (Score:1, Interesting)

    by Anonymous Coward
    couldn't one of these people that write these security scanners use the same principles to generate a samba.conf, just by sniffing the network, this'd make life about 6000% easier!
  • SO? (Score:3, Informative)

    by semanticgap ( 468158 ) on Tuesday September 16, 2003 @10:30AM (#6975077)
    There is nothing special about detecting the version of Apache, since Apache reports it in every response.

    Take make sure noone can tell what you're running, put this in your config:

    ServerTokens Prod
    ServerSignature Off

    Here is the documentation for ServerTokens [apache.org] and ServerSignature [apache.org].
  • # nmap -A -T4 -F 192.168.1.109
    Interesting ports on tiger (192.168.1.109):
    (The 1191 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE VERSION
    7/tcp open echo
    9/tcp open discard?
    19/tcp open chargen?
    21/tcp open ftp
    22/tcp open ssh?
    23/tcp open telnet?
    25/tcp open smtp
    53/tcp open domain?
    80/tcp open http?
    110/tcp open pop-3?
    113/tcp open auth?
    143/tcp open imap
    513/tcp open login?
    565/tcp open whoami?
    567/tcp open banyan-rpc?
    993/tcp
  • by Anonymous Coward
    Slashdot has an interview with security legend Fyodor, admin of the famed insecure.org and author of the world's most affordable port scanner, nmap.

    The best part of this interview is that Slashdot does not often interview criminals. Many Slashdot readers know that Fyodor used his tool to illegally attack a college student in 2002, for his personal amusement but also to the benefit of Slashdot's admins. For those that don't know the story, I will present a brief summary.

    *Those individuals interested in ind
    • That post is a copy of a slashdot journal article [slashdot.org] posted months ago. The article has some problems, though, so I'll comment:

      The best part of this interview is that Slashdot does not often interview criminals.

      They do indeed! Kevin Mitnick is just one convicted criminal Slashdot has interviewed. If the alleged crime is relevant to computer technology, Slashdot will certainly do an interview. "Respectable journalists" interview criminals all the time.

      This is where the story turns ugly.

      Wrong. It w
  • When doing vulnerability assessments of your companies or clients...


    A.k.a your intended victims.

  • I always wondered how netcraft and nmap could
    determine how many days a server has been up.
    Does Apache give out this info?
    • I always wondered how netcraft and nmap could determine how many days a server has been up.

      I think it's done through TCP options, but I don't know the details offhand.

  • www.Nessus.org
  • by TTL0 ( 546351 ) on Tuesday September 16, 2003 @11:38AM (#6975808)
    the kids just run scripts. no one cares about what OS you are running much less what versions.

    how many lines in your apache logs look like this ?

    "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
    "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
    "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
    "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
    "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir
    HTTP/1.0" 404 323
    24.91.103.152 "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 323
    24.91.103.152 "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c 1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 339
    24.91.103.152 "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305 ??
  • hmmmmm... what could it mean?

    PORT STATE SERVICE VERSION
    21/tcp closed ftp
    80/tcp open http Microsoft IIS webserver 6.0
    Device type: general purpose
    Running: Linux 1.X
    OS details: Linux 1.3.20 (X86)
  • by ziggy_zero ( 462010 ) on Tuesday September 16, 2003 @01:57PM (#6977536)
    ....did you know he drives a bimmer? I saw him on the road in Sunnyvale a few weeks ago - his license plate is ROOOOT. hahahaha

    (seriously, i'm not making this up. i e-mailed him because he also had an insecure.org license plate holder so that kind of tipped me off. lo and behold, it was him.)
  • A patch to provide this functionality has been around for the last three years. While it may be 'worrysome' for people to have the versions of their software exposed, it's even more worrysome for people to run versions of software that haven't been patched.

    Woe be to those who are still running old versions of SSH.
  • Can this kind of detection see through the fake stylings of a honeypot to appear vulnerable?

    I can see the beginnings of an arms race here... NMAP developers racing to accurately identify ports and services, and honeypot developers racing to obscure their "honeypotness" while maintaining believable outputs. Seems like two security methods working at cross-purposes.

    Just a thought.
    GMFTatsujin

Do you suffer painful illumination? -- Isaac Newton, "Optics"

Working...