0

I'd like to elaborate a little bit on this question and, particularly, on this answer. Let's suppose I have a fixed list of services to check, say: ('ftp', 'ssh', 'http'). Opening a socket to port 22 of a remote server:

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
result = s.connect_ex(('my_remote_server', 22))

if(result == 0) :
    print s.recv(256)
s.close()

I get the following output:

'SSH-2.0-OpenSSH_6.1p1 Debian-4\r\n'

So I can guess there's a ssh service listening on that port. Therefore my question is: where or how can I find the welcome messages (or similar) for different kind of services? Are these regulated in some way? In the case of ssh, does it always start with SSH-?

Community
  • 1
  • 1
José Tomás Tocino
  • 9,873
  • 5
  • 44
  • 78

2 Answers2

1

The response you get from a server depens both on the exact protocol and server configuration.

HTTP has a Server header for example, but many server out on the internet lies about what server is responding, to throw off malicious hackers trying to exploit server-specific flaws. Moreover, the server remains silent until the client has sent a request; your code has to send something before there is any response.

The best you can do is try out different protocols and see if the other side responds sensibly. Trying to send an SSH handshake to a HTTP port is likely to result in a HTTP/1.0 400 Bad Request response, for example.

In other words, there is no ready-made solution for this, you'll have to create your own heuristics based on what protocols you are trying to detect.

Martijn Pieters
  • 1,048,767
  • 296
  • 4,058
  • 3,343
1

The best you can do is probably search for the string ssh(/ftp/http) and conclude based on that. Even that would be a guess, of course, as this can usually be changed(see here) with a config parameter and it is considered good security practice to change it so as to not expose the server program/version.

navjotk
  • 818
  • 1
  • 9
  • 15