-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
For our usage we are going to enhance Nessus’s service discovery
capabilities and provide this work back to the Nessus community.
We need Nessus to extracted, determine, or guesstimate information
about running remote services like service type, service version,
protocol version, and vendor if possible.
Below are my findings on Nessus’s service detection capabilities,
requests, and question.
Current FindServices capabilities:
This group of services appear to have header based detection built
into Nessus. Is this list complete?
chargen
echo
http-rpc-epmap
vnc
nntp
vqServer-admin
www
gopher
gnutella
realserver
smtp
ftp
ssh
http_proxy
pop1
pop2
pop3
imap
auth
postgresql
mysql
cvspserver
wild_shell
telnet
netbus
linuxconf
finger
gnuserv
The below 3 appears to have detection based code but only a note is
provided (Not registered in Nessus as a service)
vtun
time
socks_proxy
Normal service detection based on ports only (Non-ssl ports)
Port 4: Echo
Port 19: Chargen
Port 21: FTP
Port 22: SSH
Port 23: Telnet
Port 25: SMTP
Port 37: Time
Port 70: Gopher
Port 79: Finger
Port 80: HTTP
Port 98: Linuxconf
Port 109: POP2
Port 110: POP3
Port 113: AUTH
Port 119: NNTP
Port 143: IMAP
Port 220: IMAP3
Port 443: HTTPS
Port 465: SMTPS
Port 563: NNTPS
Port 593: Http-Rpc-Epmap
Port 901: SWAT
Port 993: IMAPS
Port 995: POP3S
Port 1080: SOCKS
Port 1109: KPOP
Port 2401: CVSpserver
Port 3128: Squid
Port 3306: MySQL
Port 5000: VTUN
Port 5432: Postgres
Port 8080: HTTP-Alt
SSL service detection based ports only
Port 261: Nsiiops = IIOP name service over tls/ssl
Port 443: HTTPS
Port 448: ddm-ssl
Port 465: SMTPS
Port 563: NNTPS
Port 585: imap4-ssl
Port 614: SSLshell
Port 636: LDAPS
Port 684: Corba IIOP SSL
Port 989: FTPS data
Port 990: FTPS control
Port 992: telnets
Port 993: IMAPS
Port 994: IRCS
Port 995: POP3S
Port 1241: Nessus
Port 2478: SecurSight Authentication Server
Port 2479: SecurSight Event Logging Server
Port 2482: Oracle GIOP SSL
Port 2484: Oracle TTC SSL
Port 2679: Sync Server SSL
Port 3077: Orbix 2000 Locator SSL
Port 3078: Orbix 2000 Locator SSL
Port 3269: Microsoft Global Catalog w/ LDAP/SSL
Port 3471: jt400 SSL
Port 5007: WSM Server SSL
Port 7135: IBM Tivoli Access Manager runtime environment - SSL
Server Port 8443: Tomcat
Port 9443: Websphere internal secure server
Port 19201: SilkPerformer agent (secure connection)
First questions:
1) What is the sequence of events Nessus goes through from when NMAP
returns an open port to the final XML/Text report output?
2) Do all open ports goes through a detection sequence?
3) If NMAP returns a standard non-ssl port what does Nessus do to
verify that generic port to service mapping?
4) If NMAP finds an oddball off-port running, what detection/connect
sequences does Nessus run through to try and map back that open port
to a known service? Does it try and pull a header or send data
requests to the port to map that data back to a known service?
5) Does Nessus try and detect if ports are normal or SSL?
Below is a starter list of things we need.
1) Run all standard services through sequences to get/guess service
versions.
2) Run all standard services through sequences to try and get vendor
information.
3) Run all oddball ports through a query/response sequence to try and
determine if it is a normal or SSL port.
4) Run all oddball ports through a query/response sequence to try and
determine if this is a standard service running on a custom port.
5) If no other information is available for an oddball port try and
determine the communications delivery methods (XML, ODL, HTTP).
I see many times something to the effect:
if (get_port_state(1433))
{
soctcp1433 = open_sock_tcp(1433);
if (soctcp1433)
{
data = "It is possible that Microsoft's SQL Server is installed on
the remote computer.";
security_warning(port:1433, data:data);
}
}
Is this adequate? Should items like this be improved upon? There
should definitely be detection sequences to determine things like
MSSQL Server, Oracle, Sybase, etc... running on off ports.
Request for comments:
I will be enhancing the FindService features to accomplish the above.
We will be giving these enhancements back to the Nessus community.
First we would like to see responses to the below questions:
1) What should be done to improve the existing features?
2) What new features should be added to improve the feature set?
3) What would people like to see as far as service detection
capabilities go?
4) How much of this information should be reported back in the Nessus
report? (FYI: We need all information the server gleamed returned
back to the client to be provided in the Nessus XML report)
Please provide feedback/recommendations so I can develop a list of
requirements to provide management and get to the real coding work.
ThanX in advance
Erik
*********************
Erik Anderson
Carmichael Security
Work: eanders@carmichaelsecurity.com
W/H/O: eanders@pobox.com
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Security 7.0.3
iQA/AwUBPjXC4GBNrGASwj07EQLh9QCg51/L7dBaCAy8xcvwVWNc9gQW82wAnRCL
X8vzV73rwT1LUxCuV7nxwjvR
=pQiv
-----END PGP SIGNATURE-----
Hash: SHA1
For our usage we are going to enhance Nessus’s service discovery
capabilities and provide this work back to the Nessus community.
We need Nessus to extracted, determine, or guesstimate information
about running remote services like service type, service version,
protocol version, and vendor if possible.
Below are my findings on Nessus’s service detection capabilities,
requests, and question.
Current FindServices capabilities:
This group of services appear to have header based detection built
into Nessus. Is this list complete?
chargen
echo
http-rpc-epmap
vnc
nntp
vqServer-admin
www
gopher
gnutella
realserver
smtp
ftp
ssh
http_proxy
pop1
pop2
pop3
imap
auth
postgresql
mysql
cvspserver
wild_shell
telnet
netbus
linuxconf
finger
gnuserv
The below 3 appears to have detection based code but only a note is
provided (Not registered in Nessus as a service)
vtun
time
socks_proxy
Normal service detection based on ports only (Non-ssl ports)
Port 4: Echo
Port 19: Chargen
Port 21: FTP
Port 22: SSH
Port 23: Telnet
Port 25: SMTP
Port 37: Time
Port 70: Gopher
Port 79: Finger
Port 80: HTTP
Port 98: Linuxconf
Port 109: POP2
Port 110: POP3
Port 113: AUTH
Port 119: NNTP
Port 143: IMAP
Port 220: IMAP3
Port 443: HTTPS
Port 465: SMTPS
Port 563: NNTPS
Port 593: Http-Rpc-Epmap
Port 901: SWAT
Port 993: IMAPS
Port 995: POP3S
Port 1080: SOCKS
Port 1109: KPOP
Port 2401: CVSpserver
Port 3128: Squid
Port 3306: MySQL
Port 5000: VTUN
Port 5432: Postgres
Port 8080: HTTP-Alt
SSL service detection based ports only
Port 261: Nsiiops = IIOP name service over tls/ssl
Port 443: HTTPS
Port 448: ddm-ssl
Port 465: SMTPS
Port 563: NNTPS
Port 585: imap4-ssl
Port 614: SSLshell
Port 636: LDAPS
Port 684: Corba IIOP SSL
Port 989: FTPS data
Port 990: FTPS control
Port 992: telnets
Port 993: IMAPS
Port 994: IRCS
Port 995: POP3S
Port 1241: Nessus
Port 2478: SecurSight Authentication Server
Port 2479: SecurSight Event Logging Server
Port 2482: Oracle GIOP SSL
Port 2484: Oracle TTC SSL
Port 2679: Sync Server SSL
Port 3077: Orbix 2000 Locator SSL
Port 3078: Orbix 2000 Locator SSL
Port 3269: Microsoft Global Catalog w/ LDAP/SSL
Port 3471: jt400 SSL
Port 5007: WSM Server SSL
Port 7135: IBM Tivoli Access Manager runtime environment - SSL
Server Port 8443: Tomcat
Port 9443: Websphere internal secure server
Port 19201: SilkPerformer agent (secure connection)
First questions:
1) What is the sequence of events Nessus goes through from when NMAP
returns an open port to the final XML/Text report output?
2) Do all open ports goes through a detection sequence?
3) If NMAP returns a standard non-ssl port what does Nessus do to
verify that generic port to service mapping?
4) If NMAP finds an oddball off-port running, what detection/connect
sequences does Nessus run through to try and map back that open port
to a known service? Does it try and pull a header or send data
requests to the port to map that data back to a known service?
5) Does Nessus try and detect if ports are normal or SSL?
Below is a starter list of things we need.
1) Run all standard services through sequences to get/guess service
versions.
2) Run all standard services through sequences to try and get vendor
information.
3) Run all oddball ports through a query/response sequence to try and
determine if it is a normal or SSL port.
4) Run all oddball ports through a query/response sequence to try and
determine if this is a standard service running on a custom port.
5) If no other information is available for an oddball port try and
determine the communications delivery methods (XML, ODL, HTTP).
I see many times something to the effect:
if (get_port_state(1433))
{
soctcp1433 = open_sock_tcp(1433);
if (soctcp1433)
{
data = "It is possible that Microsoft's SQL Server is installed on
the remote computer.";
security_warning(port:1433, data:data);
}
}
Is this adequate? Should items like this be improved upon? There
should definitely be detection sequences to determine things like
MSSQL Server, Oracle, Sybase, etc... running on off ports.
Request for comments:
I will be enhancing the FindService features to accomplish the above.
We will be giving these enhancements back to the Nessus community.
First we would like to see responses to the below questions:
1) What should be done to improve the existing features?
2) What new features should be added to improve the feature set?
3) What would people like to see as far as service detection
capabilities go?
4) How much of this information should be reported back in the Nessus
report? (FYI: We need all information the server gleamed returned
back to the client to be provided in the Nessus XML report)
Please provide feedback/recommendations so I can develop a list of
requirements to provide management and get to the real coding work.
ThanX in advance
Erik
*********************
Erik Anderson
Carmichael Security
Work: eanders@carmichaelsecurity.com
W/H/O: eanders@pobox.com
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Security 7.0.3
iQA/AwUBPjXC4GBNrGASwj07EQLh9QCg51/L7dBaCAy8xcvwVWNc9gQW82wAnRCL
X8vzV73rwT1LUxCuV7nxwjvR
=pQiv
-----END PGP SIGNATURE-----