Nmap Development mailing list archives
Re: bizarre false positive (?) in service detection
From: doug () hcsw org
Date: Fri, 13 Apr 2007 17:32:42 -0700
Hi nmap-dev, Jason, Brandon,

Thanks for the match line. Looks good to me! I will add it to the next nmap-service-probes patch which I hope to make in the next week or so.

Best,

Doug

On Fri, Apr 13, 2007 at 06:23:36PM +0000 or thereabouts, Brandon Enright wrote:
On Fri, 13 Apr 2007 11:33:27 -0500 "DePriest, Jason R." <jrdepriest () gmail com> wrote:

... snip ...

But the signature for the service did have this bit added to it that was missing without the EHLO probe:

(hello,2E,"220\x20\x20DP-6020\r\n250-Hello\r\n250-DSN\r\n250\x20CONNEG\r\n")

Okay I've attached a patch against the svn version of nmap-service-probes. It produces output like this:

-----------------------------------------
$ sudo ./nmap -sV --datadir=. 127.0.0.1

Starting Nmap 4.21ALPHA4 ( http://insecure.org ) at 2007-04-13 18:13 UTC
Interesting ports on localhost (127.0.0.1):
Not shown: 1701 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.5 (protocol 2.0)
25/tcp open smtp Panasonic smtpd DP-6020 (Panasonic printer)
902/tcp open ssl/vmware-auth VMware GSX Authentication Daemon 1.10 (Uses VNC)
Service Info: Device: printer

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 6.141 seconds
----------------------------------------

I don't know enough about Fyodor or Doug's philosophy on what is a reasonable addition to the service probes file to comment on whether or not this patch will make it into any release. It should work for you though.

Brandon
--- nmap/nmap-service-probes 2007-04-13 17:11:38.000000000 +0000 +++ nmap-working/nmap-service-probes 2007-04-13 18:20:20.000000000 +0000 @@ -4653,6 +4653,15 @@ match nameserver m|^\0\x06\x01\0\0\x01\0\0\x03\x03\x02$| p/Solaris Internet Name Server/ i/IEN 116/ o/Solaris/ ##############################NEXT PROBE############################## +Probe TCP Hello q|EHLO\r\n| +rarity 5 +ports 25,587 +sslports 465 +totalwaitms 7500 + +match smtp m|^220\s+(DP-\d+)\r\n250-Hello\r\n250-DSN\r\n| p/Panasonic smtpd/ v/$1/ i/Panasonic printer/ d/printer/ + +##############################NEXT PROBE############################## Probe TCP Help q|HELP\r\n| rarity 3 ports 1,7,21,25,79,113,515,587,12345,2401,2627,3000,3493,6666-6670,22490
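Review bot: the added match line under the new Hello probe requires the EHLO reply lines in one exact order ("250-Hello\r\n250-DSN\r\n"), and the only sample behind it in this thread is a single DP-6020 fingerprint, so another DP- model or firmware that lists its extensions differently would fall through unmatched. The first line, "^220\s+(DP-\d+)\r\n", already captures the model, so consider ending the pattern after "250-Hello\r\n", weighing that against the false-positive concern that started the thread. A comment line above the new Probe block noting the sample device, and that the reply is elicited by a bare "EHLO\r\n" with no domain argument, would also help whoever maintains this entry later.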
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org