Nmap Development mailing list archives

Re: bizarre false positive (?) in service detection


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 13 Apr 2007 15:54:28 +0000

On Fri, 13 Apr 2007 10:39:51 -0500
"DePriest, Jason R." <jrdepriest () gmail com> wrote:

> With the skype line commented out of the service-probe file, nmap is
> unable to determine what is running on the port.

Nmap should provide you with a service fingerprint for submission.
This service looks pretty easy to match so go ahead and submit it.


> Which is sort of strange since
> ----
> jrdepriest@ebizsrvb:/usr/local/share/nmap$ telnet <SCANNERTARGET> 25
> Trying <SCANNERTARGET>...
> Connected to <SCANNERTARGET>.
> Escape character is '^]'.
> 220  DP-6020
> EHLO
> 250-Hello
> 250-DSN
> 250 CONNEG
> MAIL TO:
> 501 Syntax error in parameters
> RCPT FROM:
> 503 Need MAIL before RCPT
>
> 554 command not support
>
> 554 command not support
> Connection closed by foreign host.
> ----
> See attached for nmap's fingerprint of the port.  I'll do some packet
> captures if I get time to find a pattern.
>
> Thanks for the suggestions.
>
> -Jason


If you don't get a fingerprint it may be because we don't have a probe for
"EHLO".  Go ahead and try adding it to your service probes file like so:

Probe TCP Hello q|EHLO\r\n|
rarity 5
ports 25,587
sslports 465
totalwaitms 7500

If you are still having trouble getting a fingerprint let us know and we'll
try to figure it out.

Brandon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
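
An added example, not part of the original message and not Nmap's own code: a small Python checker for a probe block like the one suggested above, which decodes the q|...| string into the bytes that would be sent and validates the accompanying directives before the block goes into a service probes file. The function names and the handled directive subset (ports, sslports, rarity, totalwaitms) are assumptions of this example, and the sample input is constructed from the block in the message.

```python
import re

# Constructed sample input: the probe block quoted in the message above.
SAMPLE = r"""Probe TCP Hello q|EHLO\r\n|
rarity 5
ports 25,587
sslports 465
totalwaitms 7500"""

_ESC = {"0": 0, "a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11, "\\": 92}

def decode_probe_string(s):
    """Decode the text between the q delimiters into the bytes to be sent."""
    if not re.fullmatch(r"(?s)(?:\\x[0-9a-fA-F]{2}|\\[0abfnrtv\\]|[^\\])*", s):
        raise ValueError("bad backslash escape in probe string")
    tokens = re.findall(r"(?s)\\x(..)|\\(.)|(.)", s)
    return bytes(int(h, 16) if h else _ESC[e] if e else ord(c) for h, e, c in tokens)

def _int(value, lo, hi):
    n = int(value)  # raises ValueError on non-numeric input
    if not lo <= n <= hi:
        raise ValueError(f"{value!r} is outside {lo}..{hi}")
    return n

def parse_ports(spec):
    """Expand '25,587' or '32750-32810' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo = _int(lo, 0, 65535)
        ports.update(range(lo, _int(hi or lo, lo, 65535) + 1))
    return ports

PARSERS = {"ports": parse_ports, "sslports": parse_ports,
           "rarity": lambda v: _int(v, 1, 9), "totalwaitms": lambda v: _int(v, 1, float("inf"))}

def parse_probe(text):
    """Parse one Probe block (hypothetical helper; only the directives in SAMPLE)."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")]
    m = re.fullmatch(r"Probe (TCP|UDP) (\S+) q(.)(.*)\3", lines[0]) if lines else None
    if not m or m[3] in m[4]:
        raise ValueError("malformed Probe line")
    probe = {"protocol": m[1], "name": m[2], "payload": decode_probe_string(m[4])}
    for line in lines[1:]:
        key, _, value = line.partition(" ")
        if key not in PARSERS:
            raise ValueError(f"unsupported directive: {line!r}")
        probe[key] = PARSERS[key](value)
    return probe
```

Calling parse_probe(SAMPLE) returns a dict whose "payload" entry is the exact byte string the probe would put on the wire, which makes a mistyped escape or an out-of-range rarity visible before a scan is run.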

