Scan applications without default port

dgiorgio · November 8, 2023, 9:03pm

I have a server, with many postgres and oracle services, each service have your own port.
Below, part of the command result: nmap -p 1-65535 -T4 -A -v -sV --allports x.x.x.x

Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-08 17:15 -03
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:15
Completed NSE at 17:15, 0.00s elapsed
Initiating NSE at 17:15
Completed NSE at 17:15, 0.00s elapsed
Initiating NSE at 17:15
Completed NSE at 17:15, 0.00s elapsed
Initiating Ping Scan at 17:15
Scanning x.x.x.x (x.x.x.x) [2 ports]
Completed Ping Scan at 17:15, 1.64s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:15
Completed Parallel DNS resolution of 1 host. at 17:15, 0.06s elapsed
Initiating Connect Scan at 17:15
Scanning x.x.x.x (x.x.x.x) [65535 ports]
Discovered open port 80/tcp on x.x.x.x
Discovered open port 443/tcp on x.x.x.x
Discovered open port 22/tcp on x.x.x.x
Discovered open port 32769/tcp on x.x.x.x
Discovered open port 32782/tcp on x.x.x.x
Discovered open port 32792/tcp on x.x.x.x
Discovered open port 32777/tcp on x.x.x.x
Discovered open port 32785/tcp on x.x.x.x
Discovered open port 32778/tcp on x.x.x.x
Discovered open port 32788/tcp on x.x.x.x
Discovered open port 32770/tcp on x.x.x.x
Discovered open port 38000/tcp on x.x.x.x
Discovered open port 32771/tcp on x.x.x.x
Discovered open port 32774/tcp on x.x.x.x
Discovered open port 32791/tcp on x.x.x.x
Discovered open port 17005/tcp on x.x.x.x
Discovered open port 32768/tcp on x.x.x.x
Discovered open port 32776/tcp on x.x.x.x
Discovered open port 32789/tcp on x.x.x.x
Discovered open port 48702/tcp on x.x.x.x
Discovered open port 32772/tcp on x.x.x.x
Discovered open port 32775/tcp on x.x.x.x
Discovered open port 32783/tcp on x.x.x.x
Discovered open port 32869/tcp on x.x.x.x
Discovered open port 35500/tcp on x.x.x.x
Discovered open port 5555/tcp on x.x.x.x
Completed Connect Scan at 17:15, 12.07s elapsed (65535 total ports)
Initiating Service scan at 17:15
Overriding exclude ports option! Some undesirable ports may be version scanned!
Scanning 26 services on x.x.x.x (x.x.x.x)
Completed Service scan at 17:15, 28.82s elapsed (26 services on 1 host)
NSE: Script scanning x.x.x.x.
Initiating NSE at 17:15
Completed NSE at 17:15, 0.92s elapsed
Initiating NSE at 17:15
Completed NSE at 17:15, 1.70s elapsed
Initiating NSE at 17:15
Completed NSE at 17:15, 0.00s elapsed
....

5555/tcp  open  postgresql PostgreSQL DB 13.2 - 13.4
17005/tcp open  postgresql PostgreSQL DB 13.2 - 13.4
32768/tcp open  postgresql PostgreSQL DB 13.2 - 13.4
32769/tcp open  oracle-tns Oracle TNS listener 18.0.0.0.0 (unauthorized)
32770/tcp open  oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
32771/tcp open  oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
32772/tcp open  postgresql PostgreSQL DB 13.2 - 13.4
32774/tcp open  postgresql PostgreSQL DB 9.4.13 - 9.4.15 or 9.4.22 - 9.4.26
32775/tcp open  postgresql PostgreSQL DB 13.2 - 13.4
32776/tcp open  postgresql PostgreSQL DB 10.0 - 10.1 or 10.8 - 10.14
32777/tcp open  oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
32778/tcp open  postgresql PostgreSQL DB 9.4.13 - 9.4.15 or 9.4.22 - 9.4.26
32782/tcp open  oracle-tns Oracle TNS listener 18.0.0.0.0 (unauthorized)
32783/tcp open  oracle-tns Oracle TNS listener 18.0.0.0.0 (unauthorized)
32785/tcp open  oracle-tns Oracle TNS listener 18.0.0.0.0 (unauthorized)
32788/tcp open  postgresql PostgreSQL DB 13.2 - 13.4
32789/tcp open  oracle-tns Oracle TNS listener 18.0.0.0.0 (unauthorized)
32791/tcp open  oracle-tns Oracle TNS listener 18.0.0.0.0 (unauthorized)
32792/tcp open  oracle-tns Oracle TNS listener 18.0.0.0.0 (unauthorized)
32869/tcp open  oracle-tns Oracle TNS listener 18.0.0.0.0 (unauthorized)
35500/tcp open  postgresql PostgreSQL DB 13.2 - 13.4
38000/tcp open  postgresql PostgreSQL DB 11.3 - 11.9
48702/tcp open  postgresql PostgreSQL DB 13.2 - 13.4
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 17:15
Completed NSE at 17:15, 0.00s elapsed
Initiating NSE at 17:15
Completed NSE at 17:15, 0.00s elapsed
Initiating NSE at 17:15
Completed NSE at 17:15, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.49 seconds

However, GVM does not check these ports, only 5432.
I have already changed the PostgreSQL port in scan configs.

cfi · November 9, 2023, 9:25am

The mentioned PostgreSQL: Port configuration is completely irrelevant for any service detection and not used for these (AFAICT it is a configuration option for compliance tests).

If the services are running on non-standard ports make sure that the ports in question are included in the used port list:

https://docs.greenbone.net/GSM-Manual/gos-22.04/en/scanning.html#creating-and-managing-port-lists

dgiorgio · November 9, 2023, 1:09pm

I have already configured it to scan all TCP ports.
Maybe there is no vulnerability?
Many databases have deprecated version (Postgres 9.4 and 9.6) and weak authentication, for example: postgres:postgres
I’ll start a “weak postgres” on port 5432 and scan again, to confirm this.

dgiorgio · November 9, 2023, 6:34pm

My analysis is right, GVM is not analyzing other postgres ports, only if it is 5432.

dgiorgio · November 9, 2023, 6:35pm

GVM result

cfi · November 10, 2023, 7:25am

It could be possible that this here doesn’t work against newer PostgreSQL versions anymore:

github.com

greenbone/openvas-scanner/blob/v22.7.6/nasl/nasl_builtin_find_service.c#L1986-L1989


      
          else if (!strncmp (line, "efatal", 6)
                   || !strncmp (line, "einvalid packet length",
                                strlen ("einvalid packet length")))
            mark_postgresql (desc, port);

You could try to modify postgresql_detect.nasl to replace:

  script_require_ports("Services/postgresql", 5432);

by:

  script_require_ports("Services/postgresql", "Services/unknown", 5432);

and:

port = unknownservice_get_port(default:5432);

with the following below as a follow-up to see if this is working out for your case.

dgiorgio · November 10, 2023, 4:55pm

I have other services that use non-default ports, postgres is an example.
It would be interesting if GVM detected the service running on each port.
Or ignore the default port, even if the scanner runs slowly.

cfi · November 14, 2023, 4:09pm

The detection of services is a huge and quite complex topic so this question can’t be answered in a generic way.

In the case of PostgreSQL from the example above the service detection is basically checking:

Any port marked by the scanner as Services/postgresql in the internal knowledge base
- Including all non-default ports
- Prerequisite: The port(s) needs to be found open via a port scan
The default port 5432/tcp

But if the scanner had stopped to mark these ports as Services/postgresql for unknown reasons (e.g. only reporting these as Services/unknown) only the default port is getting checked. That’s why the previous code suggestions for the PostgreSQL service detection was posted.

Other service detections might behave differently depending on how they have been implemented in the past, e.g.:

Generally only using a single default port without relying on the scanner
Using the more generic Services/unknown
…