Nmap Development mailing list archives

Re: bizarre false positive (?) in service detection


From: doug () hcsw org
Date: Fri, 13 Apr 2007 17:32:42 -0700

Hi nmap-dev, Jason, Brandon,

Thanks for the match line. Looks good to me! I will add it to the next
nmap-service-probes patch which I hope to make in the next week or so.

Best,

Doug


On Fri, Apr 13, 2007 at 06:23:36PM +0000 or thereabouts, Brandon Enright wrote:
On Fri, 13 Apr 2007 11:33:27 -0500
"DePriest, Jason R." <jrdepriest () gmail com> wrote:
... snip ...


But the signature for the service did have this bit added to it that
was missing without the EHLO probe:
(hello,2E,"220\x20\x20DP-6020\r\n250-Hello\r\n250-DSN\r\n250\x20CONNEG\r\n")


Okay I've attached a patch against the svn version of nmap-service-probes.

It produces output like this:

-----------------------------------------
$ sudo ./nmap -sV --datadir=. 127.0.0.1              

Starting Nmap 4.21ALPHA4 ( http://insecure.org ) at 2007-04-13 18:13 UTC
Interesting ports on localhost (127.0.0.1):
Not shown: 1701 closed ports
PORT    STATE SERVICE         VERSION
22/tcp  open  ssh             OpenSSH 4.5 (protocol 2.0)
25/tcp  open  smtp            Panasonic smtpd DP-6020 (Panasonic printer)
902/tcp open  ssl/vmware-auth VMware GSX Authentication Daemon 1.10 (Uses VNC)
Service Info: Device: printer

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 6.141 seconds
----------------------------------------

I don't know enough about Fyodor or Doug's philosophy on what is a
reasonable addition to the service probes file to comment on whether or not
this patch will make it into any release.  It should work for you though.

Brandon


--- nmap/nmap-service-probes  2007-04-13 17:11:38.000000000 +0000
+++ nmap-working/nmap-service-probes  2007-04-13 18:20:20.000000000 +0000
@@ -4653,6 +4653,15 @@
 match nameserver m|^\0\x06\x01\0\0\x01\0\0\x03\x03\x02$| p/Solaris Internet Name Server/ i/IEN 116/ o/Solaris/
 
 ##############################NEXT PROBE##############################
+Probe TCP Hello q|EHLO\r\n|
+rarity 5
+ports 25,587
+sslports 465
+totalwaitms 7500
+
+match smtp m|^220\s+(DP-\d+)\r\n250-Hello\r\n250-DSN\r\n| p/Panasonic smtpd/ v/$1/ i/Panasonic printer/ d/printer/
+
+##############################NEXT PROBE##############################
 Probe TCP Help q|HELP\r\n|
 rarity 3
 ports 1,7,21,25,79,113,515,587,12345,2401,2627,3000,3493,6666-6670,22490
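
Review bot: in the added match line, v/$1/ stores the captured DP-\d+ string as the version, but in the fingerprint quoted above (220\x20\x20DP-6020) that string reads as the device model rather than a software version, so it would fit better in p/ or i/ with v/ left out. The pattern is also generalized from a single sample: \s+ accepts any whitespace where the fingerprint shows two spaces (\x20+ would be tighter), and the trailing "250\x20CONNEG" line is not matched, which is fine if intentional but worth stating. The new "Probe TCP Hello" block exists for this one match line and sends EHLO with no domain argument; a comment above it noting that this part of the response was missing without the EHLO probe would record why a separate probe with totalwaitms 7500 is justified.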





_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Attachment: signature.asc
Description: Digital signature

