Nmap Development mailing list archives
Re: addition to -sV service detection switch
From: MadHat <madhat () unspecific com>
Date: Sat, 27 Mar 2004 11:45:07 -0600
On Mar 27, 2004, at 8:45 AM, Cemil Degirmenci wrote:
> MadHat wrote:
> > What would be the difference from the existing probes? I know on the
> > http probes I discussed other request methods and the reason GET was
> > used first is that more servers respond to it than any other web server
> > "verb".
>
> As far as I know the version.bind txt chaos record is not asked by nmap.
> Some people change this record or deactivate it, but this like symantec:
as far as I can tell, that is what it is sending...

nmap -sUV -PS53 -T4 -p53 ns1.symantec.com
Password:
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-03-27 09:34 CST
Interesting ports on ns1.symantec.com (198.6.49.5):
PORT   STATE SERVICE VERSION
53/tcp open  domain?
53/udp open  domain?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port53-UDP:V=3.50%D=3/27%Time=40659EFA%P=powerpc-apple-darwin7.2.0%r(DN
SF:SVersionBindReq,5E,"\0\x06\x85\0\0\x01\0\x01\0\0\0\0\x07version\x04bind
SF:\0\0\x10\0\x03\x07VERSION\x04BIND\0\0\x10\0\x03\0\0\0\0\0\('Symantec's\
SF:x20DNS\x20version\x20of\x20course!\x20\x20Doh!");

It doesn't match because Fyodor has it looking for specific version info and not free form entries like this, but you can see the response in the fingerprint. Also if you look at the nmap-service-probes file, you can see what is being sent for testing DNS.
Probe UDP DNSVersionBindReq q|\0\x06\x01\0\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03|
If you sniff what you are sending with what you send, it should be very similar, if not exactly the same.
> cemil@fusie:~/nmap-3.50$ host -c chaos -t txt version.bind ns1.symantec.com.
> VERSION.BIND text "Symantec's DNS version of course! Doh!"
> but this is the exception... and if someone has changed this record there are some funny things to see :)
---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List archive: http://seclists.org
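To make the exchange above concrete, here is an added example (not code from the thread or from nmap) that builds the same CHAOS/TXT version.bind query that the DNSVersionBindReq probe sends, then parses a response and pulls out the free-form TXT string that the match lines cannot anticipate. The response bytes are reconstructed from the SF: fingerprint above; the REFUSED reply is a constructed sample standing in for a server whose operator has disabled the record.

```python
import struct

# Query exactly as the nmap-service-probes line encodes it: ID 6, flags 0x0100
# (RD only), one question for version.bind, QTYPE TXT (16), QCLASS CHAOS (3).
def build_version_bind_query(txid=6):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + b"\x07version\x04bind\x00" + struct.pack("!HH", 16, 3)

# Response decoded from the SF: fingerprint in the post (0x5E = 94 bytes).
SYMANTEC_RESPONSE = (
    b"\x00\x06\x85\x00\x00\x01\x00\x01\x00\x00\x00\x00"   # header, AA set
    b"\x07version\x04bind\x00\x00\x10\x00\x03"            # echoed question
    b"\x07VERSION\x04BIND\x00\x00\x10\x00\x03"            # answer name/type/class
    b"\x00\x00\x00\x00\x00("                              # TTL 0, RDLENGTH 40
    b"'Symantec's DNS version of course!  Doh!"           # TXT length 39 + text
)
# Constructed sample: same question, RCODE 5 (REFUSED), no answers.
REFUSED_RESPONSE = (
    b"\x00\x06\x81\x05\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x07version\x04bind\x00\x00\x10\x00\x03"
)

def _read_name(msg, off):
    """Decode a DNS name at msg[off]; handles RFC 1035 compression pointers."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n

def parse_version_bind_txt(msg):
    """Return every CHAOS TXT string in the answer section ([] if none/refused)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:          # non-zero RCODE: record disabled or query refused
        return []
    off = 12
    for _ in range(qd):         # skip the echoed question(s)
        off = _read_name(msg, off)[1] + 4
    texts = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 16 and rclass == 3:
            i = 0
            while i < len(rdata):  # TXT RDATA is a sequence of <len><chars>
                texts.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
                i += 1 + rdata[i]
    return texts
```

Because the parser returns whatever string the operator put in the record, it recovers a joke banner like the one above just as readily as a real "9.2.3" string, which is exactly why a version-matching regex alone misses it.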
Current thread:
- addition to -sV service detection switch Cemil Degirmenci (Mar 26)
- Re: addition to -sV service detection switch MadHat (Mar 26)
- Re: addition to -sV service detection switch Cemil Degirmenci (Mar 27)
- Message not available
- Re: addition to -sV service detection switch MadHat (Mar 27)
- Re: addition to -sV service detection switch MadHat (Mar 26)