p-chan
September 17th, 2003, 00:48
Has anyone tried it yet? I tried the latest build for Windows and only managed to blue screen the machine. I was scanning through a VPN (Microsoft client and RAS server) via an Orinoco wireless card so I wasn't expecting it to work very well anyway. I haven't tried it with the FBSD laptop yet. Does anyone think it would cause a problem with Nessus?

andy

elmore
September 17th, 2003, 01:20
Don't think it will cause a problem with Nessus. I've got the latest, the version stuff works ok. I'm sure Fyodor and the crew will improve on this vastly once the appropriate identification DBs get built out fully.

v902
September 17th, 2003, 01:25
Any thoughts on the idea itself? I can understand doing OS id since it's more complex to do but isn't doing App id just kind of pointless? Wouldn't it be faster to telnet in to that port or whatever into the port and see the reply and you'd gain more about what's actually running? No digs against Fyodor, he's doing great work :) Hell there's an OS ID for my cable modem :D I don't see how Nessus and nmap would screw with each other, probably be better for ya since they probably depend on some common dependency

frisco
September 17th, 2003, 01:53
Any thoughts on the idea itself? I can understand doing OS id since it's more complex to do but isn't doing App id just kind of pointless?

Some protocols, like SMTP and SSH, are easily identifiable by sight - telnet to localhost port 22 or 25 and see what I mean. Others require a proper string first to respond correctly, or interpretation of some rather strange strings - telnet to https 443 or mysql 3306. Unless you've a photographic memory, you'll need to constantly refer to RFCs for lesser used protocols.

Independent of how easy it is to telnet in and figure out what a port is running, you'd still need to telnet in and be able to try every possible TCP/UDP protocol and interpret the proper version string. Doing this by hand for a /8 is infeasible, so you'd need to script it. That's a big script with a bigger database of proper responses and version interpretations. As it falls in line with what nmap already does, it makes sense that nmap incorporate this functionality.

In short, I think it's a great idea.

However, it still must be used properly. Just as OS detection reporting an MS Win98 computer doesn't mean that machine is vulnerable to anything, so too service detection reporting Apache 1.2.4 doesn't mean that web server is vulnerable to anything either.
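The three cases frisco describes (banners you can read by eye, responses that only arrive after a proper client string, and "rather strange strings" like the MySQL greeting) as an added Python example; this is not code from the thread or from nmap's own nmap-service-probes database. The signature table, the sample responses and the version strings in them are constructed for illustration, and the result is deliberately just a product/version label, since, as the post says, a version string is not a vulnerability finding.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Match:
    protocol: str
    product: str
    version: str


# Constructed text signatures: (protocol, server_speaks_first, regex).
# server_speaks_first=False means the service stays silent until the client
# sends a proper request (e.g. an HTTP request line), so the matcher only sees
# a response after a probe. This table is hypothetical, not nmap's database.
TEXT_SIGNATURES = [
    ("ssh", True, re.compile(
        r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)[_/]?(?P<version>[\w.]+)")),
    ("smtp", True, re.compile(
        r"^220 \S+ ESMTP (?P<product>[A-Za-z]+) (?P<version>[\w.]+)")),
    ("http", False, re.compile(
        r"^HTTP/1\.[01] \d{3}[^\r\n]*\r\n(?:[^\r\n]*\r\n)*?"
        r"Server: (?P<product>[A-Za-z-]+)/(?P<version>[\w.]+)")),
]

SERVER_SPEAKS_FIRST = {proto: first for proto, first, _ in TEXT_SIGNATURES}
SERVER_SPEAKS_FIRST["mysql"] = True


def identify_text(response: str) -> Optional[Match]:
    """Match a textual banner or reply against the signature table."""
    for protocol, _, pattern in TEXT_SIGNATURES:
        m = pattern.match(response)
        if m:
            return Match(protocol, m.group("product"), m.group("version"))
    return None


def identify_mysql(packet: bytes) -> Optional[Match]:
    """Parse the binary MySQL server greeting: 3-byte little-endian payload
    length, 1-byte sequence id (0 for the greeting), protocol version byte
    0x0a, then a NUL-terminated server version string."""
    if len(packet) < 6:
        return None
    length = int.from_bytes(packet[:3], "little")
    if packet[3] != 0 or packet[4] != 0x0A or len(packet) < 4 + length:
        return None
    end = packet.find(b"\x00", 5)
    if end == -1:
        return None
    version = packet[5:end].decode("ascii", errors="replace")
    return Match("mysql", "MySQL", version)


def identify(response: bytes) -> Optional[Match]:
    """Try the binary greeting first, then the text signatures; None if the
    response is not recognised (the honest answer, not a guess)."""
    found = identify_mysql(response)
    if found is not None:
        return found
    return identify_text(response.decode("latin-1"))


def needs_client_probe(protocol: str) -> bool:
    """True when the service will not identify itself until spoken to."""
    return not SERVER_SPEAKS_FIRST[protocol]


# Constructed sample responses (not captured from real hosts).
SAMPLE_SSH = b"SSH-1.99-OpenSSH_3.6.1p2\r\n"
SAMPLE_SMTP = (b"220 mail.example.test ESMTP Sendmail 8.12.9/8.12.9; "
               b"Wed, 17 Sep 2003 00:48:00 -0400\r\n")
SAMPLE_HTTP = (b"HTTP/1.1 200 OK\r\n"
               b"Date: Wed, 17 Sep 2003 04:48:00 GMT\r\n"
               b"Server: Apache/1.3.27 (Unix)\r\n"
               b"Content-Type: text/html\r\n\r\n")
_mysql_body = b"\x0a" + b"4.0.15-standard\x00" + b"\x07\x00\x00\x00" + b"abcdefgh\x00"
SAMPLE_MYSQL = len(_mysql_body).to_bytes(3, "little") + b"\x00" + _mysql_body
SAMPLE_UNKNOWN = b"* OK IMAP4rev1 ready\r\n"

if __name__ == "__main__":
    for name, sample in [("ssh", SAMPLE_SSH), ("smtp", SAMPLE_SMTP),
                         ("http", SAMPLE_HTTP), ("mysql", SAMPLE_MYSQL),
                         ("unknown", SAMPLE_UNKNOWN)]:
        print(name, "->", identify(sample))
```

The HTTP entry is the case that cannot be handled by "telnet and look": nothing is returned until a request line is sent, which is why a scanner needs a probe table alongside its response table. The MySQL parser shows the other half of frisco's point, a greeting that is readable only if you know the packet layout.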

Kernel_Killer
September 17th, 2003, 03:43
Still haven't upgraded, and not sure if I really want to yet. Nothing really new. Same as nmap 3.30+v2.35 with different commands. I did try it on the OpenBSD portion of my laptop, and had no problems whatsoever. I'm thinking the Windows port still has bugs to be worked out as usual. :P