Anders Thulin wrote:
There's also the issue of knowing "what's listening in an open port". Sample: web servers in ports 41254 or ldap servers on port 46254.

Hi!

Fingerprinting a TCP stack seems a fairly well understood technique by now, and there are several tools, more or less developed, for the task: nmap, ring, ICMP-based techniques, etc. A recent glance over the output from a dozen different finger servers suggests that fingerprinting might be done fairly well on application level, too, although possibly not always as exactly as for TCP/IP-based techniques: applications are easier to move around than TCP stacks are.

Have there been any attempts to explore this area further? I've googled around, but not found anything obvious, except for observations of some fingerprints, such as responses to DNS SERVER_STATUS_REQUEST (a few respond with something else than 'not implemented'), and so on.
Amap can do this kind of fingerprinting (http://www.thehackerschoice.com/releases.php) and so does Nessus with the find_service plugin #10330 (http://cvs.nessus.org/cgi-bin/cvsweb.cgi/nessus-plugins/plugins/find_service/).
You might want to take a look at these too.
Javi
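The probe-and-match approach that Amap and find_service use, shown as an added example (not code from either project or from this thread): send a few generic probes to a port and match the replies against a small signature table, so a service on an odd port like the web server on 41254 above can be identified from what it answers rather than from its port number. The probe table, signature regexes and sample replies are all constructed for this illustration.

```python
import re
import socket

# Probes sent after connecting. The empty "null" probe just reads the banner.
PROBES = {
    "null": b"",
    "http_get": b"GET / HTTP/1.0\r\n\r\n",
}

# (service, probe that elicits the reply, regex over the reply). Constructed
# for this example; real tables (Amap, find_service, nmap -sV) are far larger.
SIGNATURES = [
    ("ssh",  "null",     rb"^SSH-\d\.\d-"),
    ("smtp", "null",     rb"^220 .*(SMTP|ESMTP)"),
    ("ftp",  "null",     rb"^220 .*FTP"),
    ("http", "http_get", rb"^HTTP/1\.[01] \d{3} "),
]

def classify(replies):
    """Match captured replies (probe name -> bytes) against SIGNATURES.
    Returns the first matching service name, or 'unknown'."""
    for service, probe, pattern in SIGNATURES:
        data = replies.get(probe, b"")
        if data and re.search(pattern, data):
            return service
    return "unknown"

def probe_port(host, port, timeout=3.0):
    """Collect one reply per probe from host:port (fresh connection each time,
    since a wrong first probe can make a server close the session).
    Network I/O; not exercised by the offline samples below."""
    replies = {}
    for name, payload in PROBES.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                if payload:
                    s.sendall(payload)
                replies[name] = s.recv(512)
        except OSError:  # refused, reset, or no banner before the timeout
            replies[name] = b""
    return replies

# Constructed sample replies: a web server answering on a high port, and an
# SSH server, which sends its banner before reading anything from us.
SAMPLE_WEB_ON_41254 = {"null": b"",
                       "http_get": b"HTTP/1.0 200 OK\r\nServer: Apache\r\n\r\n"}
SAMPLE_SSH = {"null": b"SSH-2.0-OpenSSH_8.9\r\n",
              "http_get": b"SSH-2.0-OpenSSH_8.9\r\n"}

if __name__ == "__main__":
    print(classify(SAMPLE_WEB_ON_41254))  # http
```

Running `classify(probe_port(host, port))` against an inventory of open ports flags services that do not match what the port number suggests.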
