Nmap Development mailing list archives

Re: More Service Detection Notes (Skype)


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 26 Jul 2006 05:56:46 +0000

On Tue, 2006-07-25 at 22:19 -0700, doug () hcsw org wrote:
> Hi nmap-dev!
> 
> Thanks to Google's Summer of Code I was again able to spend the last
> week integrating your service detection submissions! Thank you to
> everybody who submitted.
> 
> As usual, I've added a blog entry with an edited selection of my notes:
> 
> http://www.hcsw.org/blog.pl?a=19&b=19
> 
> I discuss Skype 2.0, Cisco ACNS, protocols that consider remote
> source ports, outbound filtered tcp/25, and more.
> 
> Enjoy,
> 
> Doug

While discussing Skype v2 you wrote:

"If we could bend version detection to have match lines depending on the
results of 2 or more different probes then we could probably nail skype
down quite easily."

This is an excellent idea and shouldn't be that difficult to implement.
For a few weeks now I've been using

match skype m|(.*[^\0-\x04\s!-~]){10}|s p/Skype v2 random data/

to match Skype v2.

For false positive checking I did a little empirical scanning -- 192k
random hosts (not all up) on the Internet on ports 80, 443, 497, 1550,
5302, 6000-6020, 7000, 7100, 7101, 8000 turned up a single false
positive.  Another scan of 50k (all up) hosts at work on all 64k ports
turned up 2 false positives (both telnet services on Cisco routers that
don't exactly match the Cisco router telnet line for some reason).

For false negative checking I scanned 10 hosts running Skype v2 on ports
80 and 443 500 times for each {10}, {11}, and {12}.  The pattern matched
100% of the time as long as {10} was used.

These may or may not be acceptable numbers depending on what and how a
user uses the scans.  All by itself it probably isn't something that
should be included in the main distribution.

As you've noted though, Skype isn't going to be the last protocol to be
obfuscated or otherwise match this line.  Being able to require two
different probes to match would get us within acceptable margins.
Together with the above match *and* "HTTP/1\.0 404 Not Found\r\n\r\n"
we'd be able to match Skype very reliably.

Brandon


-- 
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh () ucsd edu
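The single-probe match line and the two-probe refinement discussed above, transcribed into Python as an added example that is not part of the thread or of Nmap itself; the probe names NULL and GetRequest and all sample replies are assumptions constructed for the example.

```python
import re

# Brandon's match line as a Python bytes regex. The class [^\0-\x04\s!-~]
# excludes NUL..EOT, ASCII whitespace and printable ASCII, so a hit needs
# ten such "non-text" bytes anywhere in the reply; Nmap's /s flag is re.DOTALL.
SKYPE_RANDOM = re.compile(rb"(.*[^\0-\x04\s!-~]){10}", re.DOTALL)

# The second signal named in the reply: Skype answering an HTTP-style probe.
HTTP_404 = re.compile(rb"HTTP/1\.0 404 Not Found\r\n\r\n")

# Constructed sample replies (not captured traffic).
SKYPE_RANDOM_SAMPLE = bytes([0x8a, 0x19, 0xc3, 0xf0, 0x07, 0xe2, 0x9b, 0x1c,
                             0xd4, 0xa7, 0x66, 0x0d, 0xfe, 0x83, 0x2f, 0xb1])
SKYPE_404_SAMPLE = b"HTTP/1.0 404 Not Found\r\n\r\n"
# Telnet option negotiation (IAC WILL/DO ...): text-free and binary-heavy,
# the kind of reply that can trip the single-probe rule on its own.
TELNET_SAMPLE = b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f"


def nontext_bytes(response: bytes) -> int:
    """Count the bytes the match line's character class treats as non-text."""
    return sum(1 for b in response
               if not (b <= 0x04 or b in b" \t\n\r\x0b\x0c" or 0x21 <= b <= 0x7e))


def matches_random_data(response: bytes) -> bool:
    """The single-probe rule, exactly as the match line applies it."""
    return SKYPE_RANDOM.search(response) is not None


def classify(responses: dict) -> str:
    """Two-probe rule proposed in the reply. Probe names are assumed here:
    random data is taken from the NULL probe's reply and the 404 from the
    GetRequest probe's reply; only both together count as a confident match."""
    random_hit = matches_random_data(responses.get("NULL", b""))
    http_hit = HTTP_404.search(responses.get("GetRequest", b"")) is not None
    if random_hit and http_hit:
        return "Skype v2"
    if random_hit:
        return "Skype v2 random data (single probe, unconfirmed)"
    return "no match"
```

The telnet sample carries exactly ten non-text bytes, so it satisfies the random-data line alone but fails the two-probe rule because it never answers with the 404.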