Re: Version detection of Ldap Service using nmap

[MadHat <madhat () unspecific com>]

On Dec 4, 2003, at 11:18 PM, Anil Kumar D.K wrote:
> Hi all,
>
> I am trying to find version of ldap service using nmap.
>
> nmap 10.10.40.223 -p389 -A
>
> For Microsoft Active directory, I am getting the right information.  
> (As the match string already exists in nmap-service-probes file)
>
> I would like to find version of ldap service of the following vendors
> Critical Path Directory Service 4.2
> Siemens Directory DirX 6.0
>
> For Critical Path Directory Service 4.2, I got the service finger  
> print as below
>
> D:\nmap-3.48>nmap 10.10.40.223 -p1702 -A
> Starting nmap 3.48 ( http://www.insecure.org/nmap ) at 2003-12-05  
> 10:35 India Standard Time
> Warning:  OS detection will be MUCH less reliable because we did not  
> find at least 1 open and 1 closed TCP port
> Interesting ports on EWSMC280 (10.10.40.223):
> PORT     STATE SERVICE VERSION
> 1702/tcp open  unknown
> 1 service unrecognized despite returning data. If you know the  
> service/version,please submit the following fingerprint at  
> http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
> SF-Port1702-TCP:V=3.48%D=12/ 
> 5%Time=3FD01237%r(LDAPBindReq,E,"0\x0c\x02\x01
> SF:\x01a\x07\n\x01\0\x04\0\x04\0");
> Device type: general purpose
> Running: Microsoft Windows 95/98/ME|NT/2K/XP
> OS details: Microsoft Windows Millennium Edition (Me), Windows 2000  
> Professional
>  or Advanced Server, or Windows XP
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 13.570  
> seconds
>
> I have submitted the fingerprint to  
> http://www.insecure.org/cgi-bin/servicefp-submit.cgi
> I tried to use the match string  
> "0\x0c\x02\x01\x01a\x07\n\x01\0\x04\0\x04\0" in the  
> nmap-service-probes for Ldap service
> But this string matches even for openLDAP 1.4.x
>
> Is there any way to get a unique string for each ldap product?
> Any help will be really appreciated.

If they return the exact same thing, it is not going to be possible.   
The only other option is to try and figure out a different probe to  
send to get a different response from each lpad server.  The problem  
then comes in on wether it works with the most ldap servers.  You don't  
want 3 or 4 probes for a single service, then it takes a lot longer if  
the service is not known or even when it is.  You want one probe that  
elicits the most data to be able to fingerprint the most number of  
unique servers accurately.


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org