Nmap Development mailing list archives

Re: RPC over HTTP


From: Martin Mačok <martin.macok () underground cz>
Date: Fri, 4 Mar 2005 22:35:42 +0100

On Fri, Mar 04, 2005 at 01:52:00PM -0500, Jon-Erik wrote:

Here's the behind-the-firewall output from a -sV scan from version
3.81 on FreeBSD3.81

3389/tcp open     microsoft-rdp   Microsoft Terminal Service (Windows 2000 Server)

Could you run
$ grep "Microsoft Terminal Service" /usr/share/nmap/nmap-service-probes
?

It seems to me that you have a different copy of that file than the one
from the nmap-3.81 distribution (I can't explain the "(Windows 2000
Server)" string otherwise).

6001/tcp open     X11:1?
6002/tcp open     X11:2?
6004/tcp open     X11:4?

When the version scan fails to identify the service, it can't do
much more than display the name of the well-known port service, which
is X11 for the 600x/tcp case (and not RPC). Take it as a *blind*
guess, or a hint if you want.

Could you post the SF: lines from the end of the output? Is it ncacn_*
service? If so, the attached patch should make the output a bit more
useful. Writing and contributing specialized DCE/RPC probes
for better identification would be nice too (hint!) ;-)

Martin Mačok
ICT Security Consultant

Attachment: nmap-3.81-sf_ncacn_tmp.patch
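As an added example (not code from this thread, from the attached patch, or from nmap itself), here is a small Python model of the two behaviours Martin describes: a -sV match line from nmap-service-probes firing on a captured banner, and the fallback when nothing fires, where the well-known port name from nmap-services is printed with a trailing "?" and the raw responses are emitted as an SF: fingerprint for submission. The probes excerpt, the port table, the banners and the probe names in the responses dict are constructed for the example, and the SF line format is simplified (real fingerprints carry more fields and stricter escaping).

```python
import re

# Constructed excerpt in nmap-service-probes syntax (the real file is far larger).
# A "match" line is: match <service> m<delim>regex<delim>[flags] [p/product/] [v/version/] [i/info/]
PROBES_EXCERPT = r"""
Probe TCP NULL q||
ports 1-65535
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: ([^\r\n]+)|s p/$1/
match ncacn_http m|^ncacn_http/1\.0| p/Microsoft Windows RPC over HTTP/ v/1.0/
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
ports 80,443
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: ([^\r\n]+)|s p/$1/
"""

# Constructed stand-in for the nmap-services port table used for the blind guess.
SERVICES_EXCERPT = {3389: "ms-term-serv", 6001: "X11:1", 6002: "X11:2", 6004: "X11:4"}


def parse_ports(spec):
    """Expand a 'ports' directive such as '80,443' or '1-65535' into a set."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_match(line):
    """Split a match line into (service, compiled regex, {p/v/i templates})."""
    _, service, rest = line.split(None, 2)
    delim = rest[1]                      # character after the leading 'm'
    end = rest.index(delim, 2)
    pattern = rest[2:end]
    tail = rest[end + 1:]
    flag_str = re.match(r"[is]*", tail).group(0)
    flags = (re.I if "i" in flag_str else 0) | (re.S if "s" in flag_str else 0)
    fields = dict(re.findall(r"\b([pvio])/([^/]*)/", tail[len(flag_str):]))
    return service, re.compile(pattern.encode(), flags), fields


def parse_probes(text):
    """Group 'match' lines under the 'Probe' that precedes them."""
    probes = []
    for line in text.splitlines():
        if line.startswith("Probe "):
            _, _proto, name, _query = line.split(None, 3)
            probes.append({"name": name, "ports": set(), "matches": []})
        elif line.startswith("ports "):
            probes[-1]["ports"] = parse_ports(line[6:])
        elif line.startswith("match "):
            probes[-1]["matches"].append(parse_match(line))
    return probes


def expand(template, m):
    """Substitute $1, $2, ... in a p/v/i template with regex capture groups."""
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))).decode(errors="replace"), template)


def identify(port, responses, probes, services):
    """responses maps probe name -> bytes the target sent back (constructed here).
    Returns a line in the style of nmap's -sV output."""
    for probe in probes:
        if port not in probe["ports"] or probe["name"] not in responses:
            continue
        banner = responses[probe["name"]]
        for service, regex, fields in probe["matches"]:
            m = regex.search(banner)
            if m:
                parts = [expand(fields[k], m) for k in ("p", "v") if k in fields]
                if "i" in fields:
                    parts.append("(" + expand(fields["i"], m) + ")")
                return f"{port}/tcp open  {service}  {' '.join(parts)}".rstrip()
    # Nothing matched: fall back to the well-known port name, flagged with "?"
    # because it is only a guess based on the port number, not on any response.
    return f"{port}/tcp open  {services.get(port, 'unknown')}?"


def fingerprint(port, responses, version="3.81"):
    """Simplified SF line: the raw responses nmap prints for an unidentified
    service so that a match line can be written and submitted."""
    parts = ""
    for name, data in responses.items():
        escaped = data.decode("latin-1").encode("unicode_escape").decode()
        parts += f'%r({name},{len(data):X},"{escaped}")'
    return f"SF-Port{port}-TCP:V={version}{parts}"


PROBES = parse_probes(PROBES_EXCERPT)

if __name__ == "__main__":
    print(identify(6001, {"NULL": b"ncacn_http/1.0\r\n"}, PROBES, SERVICES_EXCERPT))
    print(identify(6002, {"NULL": b""}, PROBES, SERVICES_EXCERPT))
    print(fingerprint(6002, {"NULL": b"", "GetRequest": b"\x05\x00\x0d\x03"}))
```

The first call shows a banner that a match line recognises; the second shows the case from the thread, where the 600x/tcp port gets only the "X11:n?" guess, and the SF line is what you would paste back to the list so someone can write the missing DCE/RPC match.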