Nmap Development mailing list archives

Re: Microsoft SQL Server fingerprints for SQL 2000 and 2005


From: Fyodor <fyodor () insecure org>
Date: Thu, 10 Jan 2008 16:47:23 -0800

On Tue, Jan 08, 2008 at 06:54:02PM -0600, Tom Sellers wrote:
> Based on the feedback from Doug and Fyodor I have generated a
> probe/match set for Microsoft SQL Server 2000 and 2005.  MS SQL
> Server's response to the probe includes the major and minor
> software revision in hex.

Thanks Tom.  These are looking pretty good!  One nit is that the
version information should be in v// and not the program name (p//)
field.  Maybe including the year in the product name is OK
(e.g. Microsoft SQL Server 2005), but the build number and SP should
probably be in v// or i// fields as appropriate.  See
http://insecure.org/nmap/vscan/vscan-fileformat.html#vscan-db-match .

> \x09\x00\x0b\xe2
>    ^    ^  ^^  ^^
>    |    |   Build number in hex - 0be2 = 3042
>    |    |
>    |    Spacer? (It's in every version)
>    Major Revision = 9.
>
> Software revision is 9.00.3042
>
> This is where the hex to decimal conversion would be handy
> as nmap could identify the base version, 2000 or 2005, and
> then toss the specific build into an info string.

I'm not opposed to having such a conversion.  Doug can decide what is
best, because he does most of the nmap-service-probes work.  My mail
on the topic was just intended to note some potential issues.  If we
add a new converter, we should make it reasonably general.  For
example, to do the above you need to be able to handle 1-byte and
2-byte long numbers.  And we should be able to do 4-byte numbers too.

> If it would be more efficient, the major version match lines
> can be added and I will look into creating a lua script that
> will query the port, extract the version and generate detailed
> information.

In general, anything that can be done in version detection is more
efficient than doing it in NSE.  But NSE is more powerful and so you
need to use it for more complex cases.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
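The reply above asks for a hex-to-decimal converter that is general over 1-, 2- and 4-byte fields, and for the build number to land in v// or i// rather than in the product name. The following is an added example, not nmap's code and not Tom's or Fyodor's, that decodes the four version bytes quoted in the thread along those lines. The mapping 8 = SQL Server 2000 / 9 = SQL Server 2005 and the second sample value are assumptions of the example.

```python
import struct

# Constructed samples: the four version bytes quoted in the thread for
# SQL Server 2005 (9.00.3042), plus a constructed SQL Server 2000-style value.
SAMPLE_2005 = b"\x09\x00\x0b\xe2"
SAMPLE_2000 = b"\x08\x00\x07\xf7"   # constructed; decodes to 8.00.2039

# Assumed mapping from major revision to product name (8 = 2000, 9 = 2005).
PRODUCT_BY_MAJOR = {8: "Microsoft SQL Server 2000", 9: "Microsoft SQL Server 2005"}
_WIDTH_FORMAT = {1: ">B", 2: ">H", 4: ">I"}


def be_uint(data: bytes, offset: int, width: int) -> int:
    """General big-endian converter for 1-, 2- and 4-byte fields, so one
    routine covers every width instead of special-casing each."""
    fmt = _WIDTH_FORMAT.get(width)
    if fmt is None:
        raise ValueError(f"unsupported field width {width}")
    if offset < 0 or offset + width > len(data):
        raise ValueError("field runs past the end of the response")
    return struct.unpack_from(fmt, data, offset)[0]


def parse_mssql_version(data: bytes) -> dict:
    """Byte 0 = major revision, byte 1 = the byte the mail calls a spacer
    (printed as the middle '00'), bytes 2-3 = build number (0x0be2 = 3042)."""
    if len(data) < 4:
        raise ValueError("need at least 4 bytes of version data")
    major = be_uint(data, 0, 1)
    middle = be_uint(data, 1, 1)
    build = be_uint(data, 2, 2)
    return {"major": major, "middle": middle, "build": build,
            "version": f"{major}.{middle:02d}.{build}"}


def match_fields(data: bytes) -> tuple:
    """Split the result the way the reply suggests: product name (p//) without
    the build, dotted revision in v//, build alone in i//."""
    parsed = parse_mssql_version(data)
    product = PRODUCT_BY_MAJOR.get(parsed["major"], "Microsoft SQL Server")
    return product, parsed["version"], f"build {parsed['build']}"


if __name__ == "__main__":
    for sample in (SAMPLE_2005, SAMPLE_2000):
        print(match_fields(sample))
```

A response shorter than four bytes, or a field width outside 1/2/4, raises ValueError instead of silently producing a bogus version.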