Re: don't understand the output of nmap -sV

[Luther Blissett <lblissett () paranoici org>]

On Sat, 2013-12-14 at 01:50 +0100, Lentes, Bernd wrote:
> Hi,
>
> i try to check if a SNMP service is available. I did the following:
>
> pc59093:~ # nmap -sU -sV -p161,162 pc53200
>
> The response was:
>
> Starting Nmap 4.75 ( http://nmap.org ) at 2013-12-13 21:59 CET
> Interesting ports on pc53200.xxxxxxxxxxxxx:
> PORT    STATE SERVICE VERSION
> 161/udp open  snmp    SNMPv3 server
> 162/udp open  snmp    SNMPv3 server
> 2 services unrecognized despite returning data. If you know the service/version, please submit the following 
> fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
> ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
> SF-Port161-UDP:V=4.75%I=7%D=12/13%Time=52AB752E%P=x86_64-suse-linux-gnu%r(
> SF:SNMPv3GetRequest,73,"0q\x02\x01\x030\x0f\x02\x02Ji\x02\x03\0\xff\xe3\x0
> SF:4\x01\0\x02\x01\x03\x04\$0\"\x04\x11\x80\0\x1f\x88\x80\xc0d\xa6d7\xcb\x
> SF:89H\0\0\0\0\x02\x02\x03\x19\x02\x03\x01i\xf2\x04\0\x04\0\x04\x0005\x04\
> SF:x11\x80\0\x1f\x88\x80\xc0d\xa6d7\xcb\x89H\0\0\0\0\x04\0\xa8\x1e\x02\x02
> SF:7\xf0\x02\x01\0\x02\x01\x000\x120\x10\x06\n\+\x06\x01\x06\x03\x0f\x01\x
> SF:01\x04\0A\x02\x01\n");
> ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
> SF-Port162-UDP:V=4.75%I=7%D=12/13%Time=52AB7551%P=x86_64-suse-linux-gnu%r(
> SF:SNMPv3GetRequest,56,"0T\x02\x01\x030\x0e\x02\x02Ji\x02\x02\x05\xdc\x04\
> SF:x01\0\x02\x01\x03\x04\x1a0\x18\x04\x07initial\x02\x01\x01\x02\x04\0\xb2
> SF:\x1d\x06\x04\0\x04\0\x04\x000#\x04\0\x04\0\xa8\x1d\x02\x027\xf0\x02\x01
> SF:\0\x02\x01\x000\x110\x0f\x06\n\+\x06\x01\x06\x03\x0f\x01\x01\x04\0A\x01
> SF:\0");
>
> Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 46.56 seconds
>
>
> On one hand, the response said it's a SNMPv3 server. On the other hand nmap said it can't recognize the service.
> That does not make sense to me.
>
> Thanks for any help

I'd say nmap just gave you a probable guess on the service running on
those ports according to the "SNMPv3" string found on the fingerprint.
However, since this specific fingerprint does not match nmap's fp
database, it alerts you to confirm that the service is really this and
to feedback community by sending your results. Once you and others have
done this nmap can grow it's certainty of service version.

 



-- 
010
001
111

Attachment: signature.asc
Description: This is a digitally signed message part