Nmap Development mailing list archives
Re: Determining UDP 161 port (SNMP) status using SNMPv3
From: Tom Sellers <nmap () fadedcode net>
Date: Wed, 18 Jun 2008 05:24:59 -0500
Fyodor wrote:
On Tue, Jun 17, 2008 at 11:04:37PM -0500, Tom Sellers wrote:I have attached a patch to nmap-service-probes that includes the probe/match combination that I spoke of earlier. It sends a SNMPv3 connection request that with the username sent to "public". The rarity has been set to 4, the same as the SNMPv1public probe.Hi Tom. That is great, but the match line may be too generic. It says:+match snmp m|^..\x02\x01\x030.\x02\x02\x20\x97\x02.{32,38}\x04\x06public\x04\0\x04\x00|s p/SNMPv3 server/For version detection purposes, it would be best if we could at least try to match individual SMTPv3 servers where possible. So if you know what is running on the remote host, maybe try to include as much context as you can with the match (this may be enough) and then include the details in the match line. Then, if you have another SMTPv3 server, maybe you will be able to match that separately. This way we know more than just that it is some snmpv3 server. Now it may turn out that SNMPv3 responses are so generic that we can't glean any more details. But it is best to start specific and then we can generalize it if needed when we receive correction reports at http://nmap.org/submit/ .
From what I can tell the packet is pretty generic, but there are two places where the packet has host specific information. One includes an encoded version of the MAC address, the other contains the first 4 bytes of the IANA SNMP private enterprise number for the manufacturer. The enterprise number is not in a format where the number is easy to put into i// strings but should be able to give us enough information to generate a variety of match lines over time. The problem with this is that I think that this field can be editted on the device itself. I will dig into this some more tonight and see if I can improve the submission. Thanks much, Tom _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Determining UDP 161 port (SNMP) status using SNMPv3 Tom Sellers (Jun 17)
- Re: Determining UDP 161 port (SNMP) status using SNMPv3 Fyodor (Jun 17)
- Re: Determining UDP 161 port (SNMP) status using SNMPv3 Tom Sellers (Jun 17)
- Re: Determining UDP 161 port (SNMP) status using SNMPv3 Fyodor (Jun 18)
- Re: Determining UDP 161 port (SNMP) status using SNMPv3 Tom Sellers (Jun 18)
- Re: Determining UDP 161 port (SNMP) status using SNMPv3 - Update patch Tom Sellers (Jun 21)
- Re: Determining UDP 161 port (SNMP) status using SNMPv3 - Update patch Fyodor (Jun 28)
- Re: Determining UDP 161 port (SNMP) status using SNMPv3 Tom Sellers (Jun 17)
- Re: Determining UDP 161 port (SNMP) status using SNMPv3 Fyodor (Jun 17)