Nmap Development mailing list archives
Re: More Service Detection Notes (Skype)
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 26 Jul 2006 05:56:46 +0000
On Tue, 2006-07-25 at 22:19 -0700, doug () hcsw org wrote:
> Hi nmap-dev!
>
> Thanks to Google's Summer of Code I was again able to spend the last week integrating your service detection submissions! Thank you to everybody who submitted.
>
> As usual, I've added a blog entry with an edited selection of my notes:
>
> http://www.hcsw.org/blog.pl?a=19&b=19
>
> I discuss Skype 2.0, Cisco ACNS, protocols that consider remote source ports, outbound filtered tcp/25, and more.
>
> Enjoy,
> Doug
While discussing Skype v2 you wrote:

"If we could bend version detection to have match lines depending on the results of 2 or more different probes then we could probably nail skype down quite easily."

This is an excellent idea and shouldn't be that difficult to implement. For a few weeks now I've been using

    match skype m|(.*[^\0-\x04\s!-~]){10}|s p/Skype v2 random data/

to match Skype v2.

For false positive checking I did a little empirical scanning -- 192k random hosts (not all up) on the Internet on ports 80, 443, 497, 1550, 5302, 6000-6020, 7000, 7100, 7101, 8000 turned up a single false positive. Another scan of 50k (all up) hosts at work on all 64k ports turned up 2 false positives (both telnet services on Cisco routers that don't exactly match the Cisco router telnet line for some reason).

For false negative checking I scanned 10 hosts running Skype v2 on ports 80 and 443 500 times for each of {10}, {11}, and {12}. The pattern matched 100% of the time as long as {10} was used.

These may or may not be acceptable numbers depending on what and how a user uses the scans. All by itself it probably isn't something that should be included in the main distribution. As you've noted though, Skype isn't going to be the last protocol to be obfuscated or otherwise match this line. Being able to require two different probes to match would get us within acceptable margins. Together with the above match *and* "HTTP/1\.0 404 Not Found\r\n\r\n" we'd be able to match Skype very reliably.

Brandon

--
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh () ucsd edu

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
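The two-probe rule Brandon proposes, written out as an added illustration (not code from the thread or from Nmap): the "random data" match line is translated into a Python bytes regex and only counts as Skype when the bare 404 reply also matches. Assigning the random-data match to the NULL probe and the 404 to the GetRequest probe is an assumption, and all sample responses are constructed.

```python
import re

# Brandon's match line, converted from nmap-service-probes m|...|s syntax to a
# Python bytes regex. The negated class excludes NUL..EOT, ASCII whitespace and
# printable ASCII, so the pattern needs at least ten "junk" bytes in the reply.
SKYPE_RANDOM_RE = re.compile(rb"(.*[^\x00-\x04\s!-~]){10}", re.DOTALL)

# The second response the mail wants to require before reporting Skype.
SKYPE_HTTP_RE = re.compile(rb"HTTP/1\.0 404 Not Found\r\n\r\n")


def junk_byte_count(data: bytes) -> int:
    """Number of bytes the match line's character class accepts (why {10} fires)."""
    return sum(
        1 for b in data
        if not (b <= 0x04 or b in b" \t\n\r\x0b\x0c" or 0x21 <= b <= 0x7E)
    )


def classify(responses: dict) -> str:
    """Combine per-probe responses (probe name -> bytes, assumed names).

    The random-data match alone is only a hint; "skype" is reported only when the
    NULL-probe reply looks random AND the GetRequest reply is the bare 404.
    """
    random_hit = SKYPE_RANDOM_RE.search(responses.get("NULL", b"")) is not None
    http_hit = SKYPE_HTTP_RE.search(responses.get("GetRequest", b"")) is not None
    if random_hit and http_hit:
        return "skype"
    if random_hit:
        return "random-data (unconfirmed)"
    return "unknown"


# Constructed sample replies (not captures from the thread).
SKYPE_NULL = b"\x17\x03\x01\x00\x2a" + bytes(range(0x80, 0xA0))  # 33 junk bytes
SKYPE_GET = b"HTTP/1.0 404 Not Found\r\n\r\n"
# Telnet option negotiation: IAC (0xff) and some option bytes count as junk, which
# is the kind of banner behind the Cisco telnet false positives in the mail.
TELNET_NULL = b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x18\xff\xfd\x22"
TELNET_GET = b"\r\nUser Access Verification\r\n\r\nPassword: "

if __name__ == "__main__":
    print(classify({"NULL": SKYPE_NULL, "GetRequest": SKYPE_GET}))
    print(classify({"NULL": TELNET_NULL, "GetRequest": TELNET_GET}))
```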