Nmap Development mailing list archives

Re: addition to -sV service detection switch

From: MadHat <madhat () unspecific com>
Date: Sat, 27 Mar 2004 11:45:07 -0600

On Mar 27, 2004, at 8:45 AM, Cemil Degirmenci wrote:

MadHat wrote:
What would be the difference from the existing probes? I know on thehttp probes I discussed other requests methods and the reason GET wasused first is that more servers respond to it than any other webserver "verb".
As far as i know the version.bind txt chaos record is not asked bynmap . Some people change this record or deactivate it, but this likesymantec:


as far as I can tell, that is what it is sending...
nmap -sUV -PS53 -T4 -p53  ns1.symantec.com
Password:

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-03-2709:34 CST

Interesting ports on ns1.symantec.com (198.6.49.5):
PORT   STATE SERVICE VERSION
53/tcp open  domain?
53/udp open  domain?

1 service unrecognized despite returning data. If you know theservice/version, please submit the following fingerprint athttp://www.insecure.org/cgi-bin/servicefp-submit.cgi :SF-Port53-UDP:V=3.50%D=3/27%Time=40659EFA%P=powerpc-apple-darwin7.2.0%r(DNSF:SVersionBindReq,5E,"\0\x06\x85\0\0\x01\0\x01\0\0\0\0\x07version\x04bindSF:\0\0\x10\0\x03\x07VERSION\x04BIND\0\0\x10\0\x03\0\0\0\0\0\('Symantec's\

SF:x20DNS\x20version\x20of\x20course!\x20\x20Doh!");

It doesn't match because Fyodor has it looking for specific versioninfo and not free form entries like this, but you can see the responsein the fingerprint. Also if you look at the nmap-service-probes file,you can see what is being sent for testing DNS.

Probe UDP DNSVersionBindReqq|\0\x06\x01\0\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03|

If you sniff what you are sending with what you send, it should be verysimilar, if not exactly the same.

cemil@fusie:~/nmap-3.50$ host -c chaos -t txt version.bindns1.symantec.com.
VERSION.BIND text "Symantec's DNS version of course!  Doh!"
but this is the exception... and if someone has changed this recordthere are some funny things to see :)



---------------------------------------------------------------------

For help using this (nmap-dev) mailing list, send a blank email tonmap-dev-help () insecure org . List archive: http://seclists.org

Current thread:

addition to -sV service detection switch Cemil Degirmenci (Mar 26)
- Re: addition to -sV service detection switch MadHat (Mar 26)
  - Re: addition to -sV service detection switch Cemil Degirmenci (Mar 27)
  - Message not available
    - Re: addition to -sV service detection switch MadHat (Mar 27)