Nmap Development mailing list archives
Regarding "Windows XP identd" in nmap-service-probes (r2839)
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 30 Jan 2009 23:14:07 +0000
We often get compromised Windows machines running some IRC bot that also run some fake identd. Sometimes this fake ident matches "Windows XP identd" with the match-line:

    match ident m|^ : USERID : UNIX : [a-z]{4,8}\r\n$| p/Windows XP identd/ o/Windows/

It seems the only unique requirement here is a username in the 4-8 char range followed by a \r\n instead of just a \n.

Here is an example of a fake identd in action:

    $ telnet !$ 113
    telnet x.y.230.221 113
    Trying x.y.230.221...
    Connected to x.y.230.221.
    Escape character is '^]'.
    1, 1 : USERID : UNIX : ckilzyfc
    ^]
    telnet> Connection closed.

    $ telnet x.y.230.221 113
    Trying x.y.230.221...
    Connected to x.y.230.221.
    Escape character is '^]'.
    1, 1 : USERID : UNIX : ekedvig
    ^]
    telnet> Connection closed.

So my gripe is that the match line isn't really all that specific and, as far as I know, there is no "Windows XP identd" anyway. Just about any fake identd running on Windows has a good chance of matching.

I'm torn though -- I want to either remove the match line or add a i/**BACKDOOR**/ to the match. The problem with the first option is that it appears to be removing functionality, even if the functionality isn't always accurate. The problem with the second is that **BACKDOOR** may not always be accurate either.

Ideas?

Brandon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
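A small checker, added here as an illustration of the point raised in the post (it is not Nmap's code and not part of the original message), parses the quoted match line and runs it over constructed identd replies to show how little the pattern actually requires. The parser covers only the subset of nmap-service-probes syntax visible in the thread: `match <service> m<delim>regex<delim>[is]` followed by single-letter version fields such as `p/.../`, `o/.../` and `i/.../` (no `cpe:` entries). The `describe()` rendering of product plus parenthesised info is an approximation of `-sV` output, not Nmap's formatter. Note that the regex begins with a literal ` : `, an empty port-pair field, so it only fires on replies that carry nothing before the first colon; a reply that echoes a port pair such as `1, 1` does not match, and neither does a `\n`-only line ending or a name outside 4-8 lowercase letters. The sample replies are constructed from the two usernames in the post plus a few variants.

```python
"""Evaluate an nmap-service-probes 'match' line against identd replies.

Added example for this thread, not Nmap's own code. Handles the match-line
subset used in the post: 'match <service> m<delim>regex<delim>[flags]' plus
single-letter version fields (p/.../ v/.../ i/.../ o/.../ ...).
"""
import re
from dataclasses import dataclass, field


@dataclass
class MatchLine:
    service: str
    regex: re.Pattern
    fields: dict = field(default_factory=dict)  # p=product, v=version, i=info, o=os

    def describe(self) -> str:
        """Approximation of how -sV prints a hit: product, version, (info)."""
        text = self.fields.get("p", self.service)
        if "v" in self.fields:
            text += " " + self.fields["v"]
        if "i" in self.fields:
            text += " (" + self.fields["i"] + ")"
        return text


def parse_match_line(line: str) -> MatchLine:
    keyword, service, rest = line.split(None, 2)
    if keyword not in ("match", "softmatch"):
        raise ValueError("not a match/softmatch directive: " + line)
    if not rest.startswith("m") or len(rest) < 3:
        raise ValueError("pattern must be written as m<delim>...<delim>")
    delim = rest[1]
    end = rest.index(delim, 2)  # the delimiter cannot be escaped inside the pattern
    pattern = rest[2:end]
    rest = rest[end + 1:]
    # PCRE flags Nmap accepts after the pattern: i (ignore case), s (dot matches \n)
    flag_chars = re.match(r"[is]*", rest).group(0)
    flags = 0
    if "i" in flag_chars:
        flags |= re.IGNORECASE
    if "s" in flag_chars:
        flags |= re.DOTALL
    rest = rest[len(flag_chars):]
    fields = {}
    pos = 0
    while pos < len(rest):  # version fields: <letter><delim>text<delim>
        if rest[pos].isspace():
            pos += 1
            continue
        key, fdelim = rest[pos], rest[pos + 1]
        fend = rest.index(fdelim, pos + 2)
        fields[key] = rest[pos + 2:fend]
        pos = fend + 1
    # Responses are byte buffers; the pattern's \r and \n escapes survive encoding.
    return MatchLine(service, re.compile(pattern.encode("latin-1"), flags), fields)


def matches(match: MatchLine, response: bytes) -> bool:
    """Nmap searches the whole response buffer; only '^' pins this pattern to the start."""
    return match.regex.search(response) is not None


# The match line quoted in the post, and the i/**BACKDOOR**/ variant it proposes.
WINXP_IDENTD = parse_match_line(
    r"match ident m|^ : USERID : UNIX : [a-z]{4,8}\r\n$| p/Windows XP identd/ o/Windows/")
WINXP_IDENTD_BACKDOOR = parse_match_line(
    r"match ident m|^ : USERID : UNIX : [a-z]{4,8}\r\n$| "
    r"p/Windows XP identd/ i/**BACKDOOR**/ o/Windows/")

# Constructed replies (usernames taken from the post's telnet sessions).
SAMPLES = {
    "bot name, 8 chars": b" : USERID : UNIX : ckilzyfc\r\n",
    "bot name, 7 chars": b" : USERID : UNIX : ekedvig\r\n",
    "port pair echoed before colon": b"1, 1 : USERID : UNIX : ckilzyfc\r\n",
    "LF-only line ending": b" : USERID : UNIX : ckilzyfc\n",
    "3-char name": b" : USERID : UNIX : bob\r\n",
    "ordinary 4-char name": b" : USERID : UNIX : root\r\n",
}


def classify(samples=SAMPLES, match=WINXP_IDENTD) -> dict:
    """Map each sample label to whether the match line fires on it."""
    return {label: matches(match, resp) for label, resp in samples.items()}


if __name__ == "__main__":
    for label, hit in classify().items():
        print(f"{'MATCH' if hit else '-----'}  {label}")
    print(WINXP_IDENTD.describe(), "->", WINXP_IDENTD_BACKDOOR.describe())
```

Running it shows both bot usernames matching, but so does any unremarkable 4-8 letter name such as `root`, which is the lack of specificity the post complains about; only a port-pair echo, a bare `\n` or a name of the wrong length escapes the pattern. The `i/**BACKDOOR**/` variant changes nothing about what matches, only what the hit is labelled.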
Current thread:
- Regarding "Windows XP identd" in nmap-service-probes (r2839) Brandon Enright (Jan 30)
- Re: Regarding "Windows XP identd" in nmap-service-probes (r2839) Fyodor (Jan 30)
- Re: Regarding "Windows XP identd" in nmap-service-probes (r2839) Kris Katterjohn (Jan 30)
- Re: Regarding "Windows XP identd" in nmap-service-probes (r2839) Fyodor (Jan 30)
- Re: Regarding "Windows XP identd" in nmap-service-probes (r2839) Kris Katterjohn (Jan 31)
- Re: Regarding "Windows XP identd" in nmap-service-probes (r2839) Kris Katterjohn (Jan 30)
- Re: Regarding "Windows XP identd" in nmap-service-probes (r2839) Fyodor (Jan 30)