Re: [patch] SecurID Administration daemon match

[David Fifield <david () bamsoftware com>]

On Mon, Nov 30, 2009 at 06:22:52PM -0500, Matt Selsky wrote:
> Add match for RSA SecurID Administration Daemon.  This is based on the
> contents of the SSL certificate returned by the daemon.
>
> diff --git a/nmap-service-probes b/nmap-service-probes
> index 7e6d9e0..808f263 100644
> --- a/nmap-service-probes
> +++ b/nmap-service-probes
> @@ -6550,6 +6550,8 @@ match tor m|^\x16\x03\0\0\*\x02\0\0&\x03\0.*T[oO][rR]1.*[\x00-\x20]([-\w_.]+) <i
>  match ssl/sophos m|^\x16\x03\0.*Router\$([a-zA-Z0-9_-]+).*Sophos EM Certification Manager|s p/Sophos Message Router/ 
> h/$1/
>  match ssl/sophos m|^\x16\x03\0.*Sophos EM Certification Manager|s p/Sophos Message Router/
>  
> +match sdadmind m|Security Dynamics Technologies, Inc. Primary CA Root 
> 10\x1e\x17\r011002154405Z\x17\r210927154405Z041200\x06\x03U\x04\x03\x13\)Security Dynamics Technologies ACE/Server| 
> p/SecurID Administration Daemon/
> +
>  # Generic: TLSv1 Handshake error
>  match ssl m|^\x15\x03\0\0\x02\x02\($| p/TLSv1/

Does version detection return a result or a fingerprint for this service
after reconnecting with SSL? Is it really an SSL-wrapped service, or
does it just happen to respond to the SSLSessionReq probe?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/