Status: Open
Labels: enhancement (New feature or request)
Description
Summary
Go beyond basic banner grabbing by implementing response fingerprinting to accurately identify service names and versions running on open ports.
Motivation
- Banner grabbing only works when services voluntarily disclose version info
- Many services suppress banners or return misleading information
- Accurate version detection is essential for vulnerability assessment
- Fingerprinting provides reliable identification even with non-standard configurations
Proposed Approach
- Probe database:
  - Build a probe-response signature database (inspired by Nmap's nmap-service-probes)
  - TCP and UDP protocol-specific probes
  - Regex-based response matching with confidence scores
  - Start with common protocols: HTTP, SSH, FTP, SMTP, MySQL, PostgreSQL, Redis
- Fingerprinting engine:
  - Send protocol-specific probe packets
  - Match responses against signature database
  - Confidence scoring (exact match, partial match, fuzzy match)
  - Fallback to banner grab when no probe matches
- Protocol-specific detection:
  - HTTP: Server header, response patterns, default pages
  - SSH: Protocol version string parsing (RFC 4253)
  - TLS: Certificate inspection and cipher suite analysis
  - DNS: Version query (version.bind)
- Output:
  - Service name, version, and confidence percentage
  - CPE (Common Platform Enumeration) identifiers where possible
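To make the proposed design concrete, here is an added example (not the project's code, and not tied to any existing module) of the probe database, the matching engine with exact/partial/fuzzy confidence tiers, the banner-grab fallback, and an RFC 4253 identification-string parser for the SSH case. The signature layout, probe names ("NULL", "GetRequest"), confidence values, CPE templates and all sample responses are assumptions constructed for the example; a real database would be much larger and loaded from a file rather than defined inline.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not the project's code: a minimal probe-response signature
# database plus a matching engine with confidence scoring and banner fallback.
# Signature layout, probe names ("NULL", "GetRequest"), confidence values, CPE
# templates and all sample responses below are assumptions constructed here.

CONFIDENCE = {"exact": 95, "partial": 70, "fuzzy": 40, "banner": 10, "none": 0}


@dataclass(frozen=True)
class Signature:
    probe: str            # probe that elicits this response ("NULL" = connect and read)
    service: str
    pattern: re.Pattern   # compiled over bytes; optional named group "version"
    cpe: Optional[str]    # CPE template, {version} filled from the match; None = protocol-only


@dataclass
class Result:
    service: Optional[str]
    version: Optional[str]
    confidence: int
    kind: str             # exact | partial | fuzzy | banner | none
    cpe: Optional[str] = None
    banner: Optional[str] = None


SIGNATURES = [
    # exact: product and version captured
    Signature("NULL", "ssh", re.compile(rb"^SSH-[\d.]+-OpenSSH_(?P<version>[\w.]+)"),
              "cpe:/a:openbsd:openssh:{version}"),
    Signature("NULL", "ftp", re.compile(rb"^220[ -].*?vsFTPd (?P<version>[\d.]+)", re.S),
              "cpe:/a:vsftpd_project:vsftpd:{version}"),
    Signature("GetRequest", "http",
              re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: nginx/(?P<version>[\d.]+)", re.S),
              "cpe:/a:f5:nginx:{version}"),
    # partial: product identified, version withheld by the service
    Signature("NULL", "smtp", re.compile(rb"^220[ -].*?ESMTP Postfix", re.S), "cpe:/a:postfix:postfix"),
    # fuzzy: protocol recognised, product unknown
    Signature("NULL", "ssh", re.compile(rb"^SSH-[\d.]+-"), None),
    Signature("GetRequest", "http", re.compile(rb"^HTTP/1\.[01] \d{3}"), None),
]


def parse_ssh_version_string(line: bytes) -> Optional[dict]:
    """Split an RFC 4253 identification string:
    SSH-protoversion-softwareversion SP comments CR LF (comments are optional)."""
    m = re.match(rb"^SSH-(?P<proto>[^-\r\n]+)-(?P<soft>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?\r?\n?$", line)
    if not m:
        return None

    def text(b: Optional[bytes]) -> Optional[str]:
        return b.decode("ascii", "replace") if b is not None else None

    return {"protoversion": text(m["proto"]), "softwareversion": text(m["soft"]),
            "comments": text(m["comments"])}


def fingerprint(probe: str, response: bytes) -> Result:
    """Match one probe's response against the database; the highest-confidence
    signature wins, and a plain banner grab is the fallback when nothing matches."""
    best: Optional[Result] = None
    for sig in SIGNATURES:
        if sig.probe != probe:
            continue
        m = sig.pattern.search(response)
        if not m:
            continue
        raw_version = m.groupdict().get("version")
        version = raw_version.decode("ascii", "replace") if raw_version else None
        if version:
            kind = "exact"
        elif sig.cpe is not None:
            kind = "partial"
        else:
            kind = "fuzzy"
        cpe = sig.cpe.format(version=version) if sig.cpe else None
        cand = Result(sig.service, version, CONFIDENCE[kind], kind, cpe)
        if best is None or cand.confidence > best.confidence:
            best = cand
    if best is not None:
        return best
    # Fallback: whatever the service volunteered on its first line, at low confidence.
    first_line = response.split(b"\n", 1)[0].strip()
    if not first_line:
        return Result(None, None, CONFIDENCE["none"], "none")
    return Result("unknown", None, CONFIDENCE["banner"], "banner",
                  banner=first_line.decode("ascii", "replace"))


if __name__ == "__main__":
    # Constructed sample responses, as a scanner would read them off the socket.
    samples = [
        ("NULL", b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"),
        ("NULL", b"SSH-2.0-dropbear_2020.81\r\n"),
        ("GetRequest", b"HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\nContent-Type: text/html\r\n\r\n"),
        ("GetRequest", b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"),
        ("NULL", b"220 (vsFTPd 3.0.5)\r\n"),
        ("NULL", b"220 mail.example.test ESMTP Postfix\r\n"),
        ("NULL", b"Hello from custom daemon 1.0\r\nready\r\n"),
    ]
    for probe, resp in samples:
        r = fingerprint(probe, resp)
        print(f"{probe:10} {r.service!s:8} {r.version!s:8} {r.confidence:3}% {r.kind:8} {r.cpe or r.banner or ''}")
```

Two design points carry over to a real implementation: signatures are keyed by the probe that produced the response, so a banner read after a NULL probe is never matched against HTTP signatures, and a protocol-only ("fuzzy") signature is kept in the database so that a service that suppresses its product string still gets a service name rather than dropping straight to the banner fallback.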
Acceptance Criteria
- Probe database with signatures for top 20 services
- Fingerprinting engine with confidence scoring
- Accurate detection for HTTP, SSH, FTP, SMTP, MySQL at minimum
- Integration with existing scan output formats