Nmap Development mailing list archives

[NSE] New script for PPTP version detection


From: "Thomas Buchanan" <TBuchanan () thecompassgrp net>
Date: Wed, 14 Nov 2007 10:29:30 -0600

Hello,

The Point-to-Point Tunneling Protocol (PPTP) RFC [1] defines fields in
the connection control setup packets for system hostname, vendor name,
and firmware version.  These seem like interesting things to try and
gather, so here's an NSE script that does just that.

Example output:

PORT     STATE SERVICE VERSION
1723/tcp open  pptp    YAMAHA Corporation (Firmware: 32838)
Service Info: Host: RT57i

PORT     STATE SERVICE VERSION
1723/tcp open  pptp    DrayTek (Firmware: 1)
Service Info: Host: Vigor

PORT     STATE SERVICE VERSION
1723/tcp open  pptp    Cisco Systems (Firmware: 4608)
Service Info: Host: main


The script doesn't have any heuristics, which could be useful.  For
example, Microsoft reports the operating system build number in the
firmware field, which could be compared to known values to identify what
generation of Windows a particular host is running.  If there's interest
in such heuristics, I'd be happy to add them as time allows.

Comments, questions, and feedback are very much appreciated!

Thanks,

Thomas

[1] http://www.ietf.org/rfc/rfc2637.txt

Attachment: PPTPversion.nse
Description: PPTPversion.nse
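For readers who want to see what the script's probe and parse step look like on the wire, here is an added example in plain Python (not the attached PPTPversion.nse, and not Nmap or NSE code): it builds the Start-Control-Connection-Request that RFC 2637 section 2.2 describes, and parses the Reply to pull out the Firmware Revision, Host Name and Vendor String fields that the sample output above reports. The probe strings "nmap"/"nmap" and the sample reply bytes are constructed for the example, with the reply's values chosen to match the first output block in the post; they were not captured from a device. The `probe()` helper does the live exchange and is only an assumption about how such a script would use a socket.

```python
"""Build a PPTP SCCRQ and parse the matching SCCRP (RFC 2637 section 2.2).

Added example, independent of the NSE script in the post.  No Nmap
libraries are used; the SAMPLE_SCCRP bytes below are constructed.
"""
import socket
import struct

PPTP_MAGIC = 0x1A2B3C4D     # Magic Cookie present in every PPTP control message
CTRL_MESSAGE = 1            # PPTP Message Type: control message
SCCRQ, SCCRP = 1, 2         # Control Message Types: request and reply
PROTOCOL_VERSION = 0x0100   # Protocol Version field value from the RFC
SCC_LEN = 156               # Fixed length of both SCCRQ and SCCRP
PPTP_PORT = 1723


def _pad_field(text, size=64):
    """Encode text into a NUL-padded fixed-width field as RFC 2637 requires."""
    raw = text.encode("ascii", "replace")[:size]
    return raw + b"\x00" * (size - len(raw))


def _read_field(raw):
    """Decode a fixed-width field, stopping at the first NUL byte."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def build_sccrq(hostname="nmap", vendor="nmap"):
    """Return a 156-byte Start-Control-Connection-Request.

    Header fields: Length, PPTP Message Type, Magic Cookie, Control Message
    Type, Reserved0, Protocol Version, Reserved1, Framing Capabilities,
    Bearer Capabilities, Maximum Channels, Firmware Revision, then the two
    64-octet strings.  Framing/Bearer 3 = both async/sync and analog/digital.
    The hostname and vendor values are assumptions for this example.
    """
    header = struct.pack("!HHIHHHHIIHH",
                         SCC_LEN, CTRL_MESSAGE, PPTP_MAGIC, SCCRQ, 0,
                         PROTOCOL_VERSION, 0,   # Protocol Version, Reserved1
                         3, 3,                  # Framing, Bearer capabilities
                         1, 0)                  # Maximum Channels, Firmware Rev
    return header + _pad_field(hostname) + _pad_field(vendor)


def parse_sccrp(data):
    """Parse a Start-Control-Connection-Reply into a dict.

    Raises ValueError on a short packet, a bad magic cookie, or a control
    message of the wrong type, so a caller never reports garbage as a version.
    """
    if len(data) < SCC_LEN:
        raise ValueError("short packet: %d bytes" % len(data))
    (length, msg_type, magic, ctrl_type, _res0, version,
     result, error, framing, bearer, max_chan, firmware) = \
        struct.unpack("!HHIHHHBBIIHH", data[:28])
    if magic != PPTP_MAGIC or msg_type != CTRL_MESSAGE:
        raise ValueError("not a PPTP control message")
    if ctrl_type != SCCRP:
        raise ValueError("unexpected control message type %d" % ctrl_type)
    return {
        "result_code": result,      # 1 = successful channel establishment
        "error_code": error,
        "version": version,
        "firmware": firmware,       # Firmware Revision, reported verbatim
        "hostname": _read_field(data[28:92]),
        "vendor": _read_field(data[92:156]),
    }


def summarize(info):
    """Render the fields the way the posted script's sample output shows them."""
    return ("%s (Firmware: %d)" % (info["vendor"], info["firmware"]),
            "Host: %s" % info["hostname"])


def probe(host, port=PPTP_PORT, timeout=5.0):
    """Live exchange (assumed usage): send an SCCRQ and parse the SCCRP."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sccrq())
        data = b""
        while len(data) < SCC_LEN:
            chunk = sock.recv(SCC_LEN - len(data))
            if not chunk:
                break
            data += chunk
    return parse_sccrp(data)


# Constructed SCCRP: result 1 (success), firmware 32838, host "RT57i",
# vendor "YAMAHA Corporation", mirroring the first sample output in the post.
SAMPLE_SCCRP = struct.pack("!HHIHHHBBIIHH",
                           SCC_LEN, CTRL_MESSAGE, PPTP_MAGIC, SCCRP, 0,
                           PROTOCOL_VERSION, 1, 0, 3, 3, 1, 32838) \
    + _pad_field("RT57i") + _pad_field("YAMAHA Corporation")

if __name__ == "__main__":
    for line in summarize(parse_sccrp(SAMPLE_SCCRP)):
        print(line)
```

Running the module as a script prints the two lines for the constructed reply; `probe("192.0.2.1")` would do the same exchange against a live listener. The firmware value is passed through untouched, which is exactly where the heuristics the post mentions (mapping a vendor's firmware number to a product generation) would hook in.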


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
