Nmap Development mailing list archives
one of msdtc service fingerprints is too wide and matches SSL too
From: Martin Mačok <martin.macok () underground cz>
Date: Thu, 11 May 2006 10:46:49 +0200
I came across an HTTPS server that gets misidentified as MSDTC:

% nmap -sSV -P0 -p443 --version-trace XXX
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-05-11 10:32 CEST
...
NSOCK (0.0750s) Read request from IOD #1 [XXX:443] (timeout: 6000ms) EID 18
NSOCK (6.0780s) Callback: READ TIMEOUT for EID 18 [XXX:443]
NSOCK (6.0780s) Write request for 22 bytes to IOD #1 EID 27 [XXX:443]: OPTIONS / HTTP/1.0....
NSOCK (6.0780s) Read request from IOD #1 [XXX:443] (timeout: 5000ms) EID 34
NSOCK (6.0790s) Callback: WRITE SUCCESS for EID 27 [XXX:443]
NSOCK (6.0810s) Callback: READ SUCCESS for EID 34 [XXX:443] (7 bytes): .......
...
PORT    STATE SERVICE VERSION
443/tcp open  msdtc   Microsoft Distributed Transaction Coordinator

% diff /usr/share/nmap/nmap-service-probes nmap-service-probes
3344c3344
< match msdtc m|^...\0..$|s p/Microsoft Distributed Transaction Coordinator/ o/Windows/
---
# match msdtc m|^...\0..$|s p/Microsoft Distributed Transaction Coordinator/ o/Windows/
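Review bot: commenting the line out removes MSDTC detection altogether, while the visible pattern shows why it misfires and how it could be narrowed instead. `^...\0..$` pins a single byte (a NUL at offset 3) inside six wildcards, and `$` in PCRE also matches before a final newline, so any 6-byte reply with a NUL at offset 3, optionally followed by one 0x0a byte, is accepted. A TLS alert record (type byte, 2-byte version, 2-byte length 0x0002, then level and description) has exactly that NUL at offset 3, and an alert with description 10 (unexpected_message, 0x0a) supplies the trailing newline, which fits the 7-byte reply the HTTPS server sent to the plaintext OPTIONS probe. Suggest replacing the leading wildcards with the fixed bytes a real MSDTC reply begins with, and anchoring the end with `\z` rather than `$`, so that a TLS alert can no longer satisfy the line.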
% NMAPDIR=. nmap -sSV -P0 -p443 --version-trace XXX
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-05-11 10:32 CEST
NSOCK (0.0670s) TCP connection requested to XXX:443 (IOD #1) EID 8
NSOCK (0.0680s) nsock_loop() started (no timeout). 1 events pending
NSOCK (0.0770s) Callback: CONNECT SUCCESS for EID 8 [XXX:443]
NSOCK (0.0770s) Read request from IOD #1 [XXX:443] (timeout: 6000ms) EID 18
NSOCK (6.0770s) Callback: READ TIMEOUT for EID 18 [XXX:443]
NSOCK (6.0770s) Write request for 22 bytes to IOD #1 EID 27 [XXX:443]: OPTIONS / HTTP/1.0....
NSOCK (6.0770s) Read request from IOD #1 [XXX:443] (timeout: 5000ms) EID 34
NSOCK (6.0780s) Callback: WRITE SUCCESS for EID 27 [XXX:443]
NSOCK (6.0800s) Callback: READ SUCCESS for EID 34 [XXX:443] [EOF](7 bytes): .......
NSOCK (6.0800s) Read request from IOD #1 [XXX:443] (timeout: 4994ms) EID 42
NSOCK (6.0840s) Callback: READ EOF for EID 42 [XXX:443]
NSOCK (6.0840s) TCP connection requested to XXX:443 (IOD #2) EID 48
NSOCK (6.0870s) Callback: CONNECT SUCCESS for EID 48 [XXX:443]
NSOCK (6.0870s) Write request for 88 bytes to IOD #2 EID 59 [XXX:443]
NSOCK (6.0870s) Read request from IOD #2 [XXX:443] (timeout: 5000ms) EID 66
NSOCK (6.0870s) Callback: WRITE SUCCESS for EID 59 [XXX:443]
NSOCK (6.0980s) Callback: READ SUCCESS for EID 66 [XXX:443] (63 bytes): ....:...6..Db..i.8T.....8;4..._......A....{.5K....r.w......_...
NSOCK (6.0980s) SSL/TCP connection requested to XXX:443 (IOD #3) EID 73
NSOCK (6.1200s) Callback: SSL-CONNECT SUCCESS for EID 73 [XXX:443]
NSOCK (6.1200s) Read request from IOD #3 [XXX:443] (timeout: 6000ms) EID 82
NSOCK (12.1270s) Callback: READ TIMEOUT for EID 82 [XXX:443]
NSOCK (12.1270s) Write request for 18 bytes to IOD #3 EID 91 [XXX:443]: GET / HTTP/1.0....
NSOCK (12.1270s) Read request from IOD #3 [XXX:443] (timeout: 5000ms) EID 98
NSOCK (12.1280s) Callback: WRITE SUCCESS for EID 91 [XXX:443]
NSOCK (12.1310s) Callback: READ SUCCESS for EID 98 [XXX:443] [EOF](3725 bytes) ...
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Oracle Application Server 10g httpd 10.1.2.0.2

I can provide the full service fingerprint but it contains a hint identifying my target and I can't talk about my pentests in public. I can provide it off-list if you need it.

Martin Mačok
ICT Security Consultant

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
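As an added illustration (not code from the post or from Nmap itself), the Python below parses the quoted match line the way the nmap-service-probes grammar reads it and runs it against constructed responses, scanning all 256 TLS alert descriptions rather than just one reply. It assumes the 7-byte reply in the trace was a TLS alert record, which the post does not show: the record layout (type 0x15, 2-byte version, 2-byte length 0x0002, level, description) places a NUL at offset 3, and because `$` also matches before a final newline, a fatal unexpected_message alert (description 10, 0x0a) satisfies `^...\0..$`.

```python
import re

# Parse the "m<delim>pattern<delim>[flags]" part of an nmap-service-probes
# match line into a compiled regex over bytes (nmap applies PCRE to the raw
# response). Returns None for anything else, including "# match ..." lines,
# so commenting the line out (the fix in the post) disables it here too.
MATCH_LINE = re.compile(r'^match\s+(\S+)\s+m(.)(.*?)\2([is]*)')

def parse_match_line(line):
    m = MATCH_LINE.match(line)
    if m is None:
        return None
    service, _delim, pattern, flags = m.groups()
    re_flags = re.DOTALL if 's' in flags else 0   # s flag: '.' also matches \n
    if 'i' in flags:
        re_flags |= re.IGNORECASE
    return service, re.compile(pattern.encode('latin-1'), re_flags)

def matched_service(line, response):
    """Return the service name if response satisfies the match line, else None."""
    parsed = parse_match_line(line)
    if parsed is None:
        return None
    service, rx = parsed
    return service if rx.search(response) else None

# The line quoted in the post (line 3344 of the Nmap 4.03 nmap-service-probes).
MSDTC_LINE = r'match msdtc m|^...\0..$|s p/Microsoft Distributed Transaction Coordinator/ o/Windows/'

def tls_alert_record(level, description, version=(3, 1)):
    """Build a 7-byte TLS alert record: type 0x15, version, length 0x0002, level, description."""
    return bytes([0x15, version[0], version[1], 0x00, 0x02, level, description])

def decode_tls_alert(data):
    """Decode a 7-byte TLS alert record, or return None if data is not one."""
    if len(data) != 7 or data[0] != 0x15 or int.from_bytes(data[3:5], 'big') != 2:
        return None
    return {'version': (data[1], data[2]), 'level': data[5], 'description': data[6]}

def alert_descriptions_matching_msdtc():
    """Alert descriptions for which a fatal alert record satisfies the msdtc line.
    The pattern wants 6 bytes with a NUL at offset 3, and '$' also matches just
    before a final newline, so only description 10 (unexpected_message, 0x0a) fits."""
    return [d for d in range(256) if matched_service(MSDTC_LINE, tls_alert_record(2, d))]

if __name__ == '__main__':
    # Constructed sample: a fatal unexpected_message alert, the kind of reply a
    # TLS server may send when it receives a plaintext "OPTIONS / HTTP/1.0".
    alert = tls_alert_record(2, 10)
    print(alert.hex(), decode_tls_alert(alert), '->', matched_service(MSDTC_LINE, alert))
    print('alert descriptions accepted by the msdtc line:', alert_descriptions_matching_msdtc())
    print(matched_service(MSDTC_LINE, b'HTTP/1.0 400 Bad Request\r\n'))
```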