Fingerprinting: beyond nmap

nmap is an excellent open source network scanner tool that is used for gathering network information in the form of hosts and services enumeration.

Here's a snippet of nmap discovering the open ports on one of my servers:

# nmap 127.0.0.1

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2005-05-30 23:23 EDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1654 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http

But when nmap sees an open port it just names the standard service that usually runs on that (well-known) port, as listed for example in /etc/services.

Let's check this by changing the port the target web server listens on. In my case I'm running Apache2, so I edit the file /etc/apache2/ports.conf and replace "80" with "8888", for example. Then I restart the server: /etc/init.d/apache2 restart

Let's run nmap again:

# nmap 127.0.0.1

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2005-05-30 23:29 EDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1654 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
25/tcp open smtp
8888/tcp open sun-answerbook

So as we can see, nmap finds port 8888 open but declares the wrong service running on that port.

Amap to the rescue. (We'll leave aside more complex vulnerability assessment tools like Nessus etc.)

So I downloaded Amap, and installation is the standard "untar, configure and make" routine. Let's see what Amap has to say now:

./amap 127.0.0.1 8888
amap v5.0 (www.thc.org/thc-amap) started at 2005-05-30 23:34:14 - MAPPING mode

Protocol on 127.0.0.1:8888/tcp matches http
Protocol on 127.0.0.1:8888/tcp matches http-apache-2

Unidentified ports: none.

amap v5.0 finished at 2005-05-30 23:34:20

Amap is able to correctly identify the right service (and version!) running on the unconventional port. It uses signatures of the server responses to identify the right services. It's a fast scanning tool and complements nmap by using nmap's output as its input (see Amap's README).

Since I have this server (conveniently) running http and smtp, let's see how we can gain more information by telnetting into these services.

For the mail server:

# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 localhost.localdomain ESMTP Postfix (Ubuntu)

So right away the mail server tells me what application it is, and even the Linux distribution.

We can now pass SMTP commands to the server. For example, if we want to know whether there's a user called "fernando":

vrfy fernando
252 fernando

It said "yes". Finally we disconnect:

quit
221 Bye
Connection closed by foreign host.

For the web server:

We telnet into its port (80, or the one we changed it to):

# telnet 127.0.0.1 8888
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

and pass some garbage:

blah
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://localhost.localdomain/apache2-default/">here</a>.</p>
<hr />
<address>Apache/2.0.50 (Ubuntu) PHP/4.3.8 Server at localhost.localdomain Port 80</address>
</body></html>
Connection closed by foreign host.

The web server returns an error page with lots of information about itself.

Another service to which we can apply this technique of telnetting in and passing commands is an FTP server; in that case we can try the SYST command to get information about the system.
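To show what Amap-style matching on response signatures looks like, and to give a way to check what your own mail, web and FTP servers disclose, here is an added Python example (it is not part of the original post and not Amap's code): identify() matches a raw banner against a small signature table written from the responses shown above, and grab_banner() is a hypothetical helper that fetches such a banner from a host and port you run.

```python
import re
import socket

# Amap-style signature table: a regex over the raw bytes a service sends back, plus the
# label to report. Written from the banners above (FTP entry constructed); SMTP before FTP.
SIGNATURES = [
    ("smtp", re.compile(rb"^220 \S+ ESMTP (?P<product>\w+)(?: \((?P<os>[^)]+)\))?", re.M)),
    ("http", re.compile(rb"^Server: (?P<product>[\w./]+)(?: \((?P<os>[^)]+)\))?", re.M)),
    ("http", re.compile(rb"<address>(?P<product>[\w./]+)(?: \((?P<os>[^)]+)\))?", re.M)),
    ("ftp", re.compile(rb"^220[ -](?P<product>[^\r\n]*FTP[^\r\n]*)", re.M | re.I)),
]


def identify(banner):
    """Return {"service", "product", "os"} for the first matching signature, else None."""
    for service, pattern in SIGNATURES:
        m = pattern.search(banner)
        if m:
            os_name = m.groupdict().get("os")
            return {
                "service": service,
                "product": m.group("product").decode(errors="replace"),
                "os": os_name.decode(errors="replace") if os_name else None,
            }
    return None


def grab_banner(host, port, probe=b"", timeout=3.0):
    """Hypothetical helper for your own hosts: connect, optionally send a probe
    (b"blah\\r\\n\\r\\n" mimics the HTTP step above) and read up to 4 KiB back."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        try:
            while len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return data


if __name__ == "__main__":
    # Constructed samples: the SMTP greeting and the Apache error-page footer seen above.
    print(identify(b"220 localhost.localdomain ESMTP Postfix (Ubuntu)\r\n"))
    print(identify(b"<address>Apache/2.0.50 (Ubuntu) PHP/4.3.8 Server at localhost Port 80</address>"))
```

A banner that matches nothing returns None, which is what you want to see once a server has been configured to stop announcing its product and distribution.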