Nmap Development mailing list archives
Re: RPC over HTTP
From: Martin Mačok <martin.macok () underground cz>
Date: Fri, 4 Mar 2005 22:35:42 +0100
On Fri, Mar 04, 2005 at 01:52:00PM -0500, Jon-Erik wrote:
> Here's the behind-the-firewall output from a -sV scan from version 3.81 on FreeBSD3.81
> 3389/tcp open microsoft-rdp Microsoft Terminal Service (Windows 2000 Server)

Could you run '$ grep "Microsoft Terminal Service" /usr/share/nmap/nmap-service-probes'? It seems to me that you have a different copy of that file than the one from the nmap-3.81 distribution (I can't explain the "(Windows 2000 Server)" string otherwise).

> 6001/tcp open X11:1?
> 6002/tcp open X11:2?
> 6004/tcp open X11:4?

When the version scan fails to identify the service then it can't do much more than display the name of the well-known port service, which is X11 for the 600x/tcp case (and not RPC). Take it as a *blind* guess, or a hint if you want.

Could you post the SF: lines from the end of the output? Is it an ncacn_* service? If so, the attached patch should make the output a bit more useful.

Writing and contributing specialized DCE/RPC probes for better identification would be nice too (hint!) ;-)

Martin Mačok
ICT Security Consultant
Attachment: nmap-3.81-sf_ncacn_tmp.patch
---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List archive: http://seclists.org
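Added example, not part of the original message or of Nmap's own code: a small parser for the SF: fingerprint lines requested above, which reassembles the wrapped block, decodes each probe's recorded response, and checks for an ncacn_http banner. The sample fingerprint is constructed, the function names are hypothetical, and the `ncacn_http/1.0` banner test is an assumption about what an RPC-over-HTTP endpoint returns.

```python
import re

# Constructed sample (not from the thread): the fingerprint block a -sV scan
# prints for an unrecognized service, wrapped onto an SF: continuation line.
SAMPLE = r'''
SF-Port6001-TCP:V=3.81%D=3/4%Time=4228A1B2%P=i386-unknown-freebsd%r(NULL,E,"nc
SF:acn_http/1\.0")%r(GetRequest,E,"ncacn_http/1\.0");
'''

_ESC = re.compile(r'\\(x[0-9A-Fa-f]{2}|.)')
_SIMPLE = {"r": "\r", "n": "\n", "t": "\t", "0": "\0"}
_RESP = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:\\.|[^"\\])*)"\)')


def join_fingerprint(text):
    """Drop each line's SF-/SF: prefix and concatenate the wrapped pieces."""
    parts = [ln.strip()[3:] for ln in text.splitlines()
             if ln.strip().startswith(("SF-", "SF:"))]
    return "".join(parts).rstrip(";")


def unescape(s):
    """Turn \\xNN, \\r, \\n, \\t, \\0 and backslash-quoted characters into bytes."""
    def rep(m):
        tok = m.group(1)
        return chr(int(tok[1:], 16)) if len(tok) == 3 else _SIMPLE.get(tok, tok)
    return _ESC.sub(rep, s).encode("latin-1")


def probe_responses(text):
    """Map probe name -> (response length from the hex field, recorded bytes)."""
    fp = join_fingerprint(text)
    return {name: (int(n, 16), unescape(data))
            for name, n, data in _RESP.findall(fp)}


def port_of(text):
    """Return (port, protocol) from the fingerprint header, or None."""
    m = re.match(r'Port(\d+)-(TCP|UDP):', join_fingerprint(text))
    return (int(m.group(1)), m.group(2)) if m else None


def looks_like_ncacn_http(text):
    """Assumption: an RPC-over-HTTP endpoint answers with 'ncacn_http/1.0'."""
    return any(data.startswith(b"ncacn_http/1.0")
               for _, data in probe_responses(text).values())


if __name__ == "__main__":
    print(port_of(SAMPLE), probe_responses(SAMPLE), looks_like_ncacn_http(SAMPLE))
```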