Re: Kerberos probes for nmap

[Patrik Karlsson <patrik () cqure net>]

On 13 dec 2009, at 01.25, David Fifield wrote:

> On Sat, Nov 28, 2009 at 09:20:53PM +0100, Patrik Karlsson wrote:
> > I noticed that Kerberos get's detected fine when running against Windows but my Heimdal hosts are not detected. 
> > Running over TCP the RPCCheck probe seems to trigger an answer. Here's the signature:
> >
> > SF-Port88-TCP:V=5.10BETA1%I=7%D=11/28%Time=4B1181BB%P=i386-apple-darwin10.2.0%r(RPCCheck,55,"\0\0\0Q~O0M\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e\xa4\
> > SF:x11\x18\x0f20091128200203Z\xa5\x05\x02\x03\x08i@\xa6\x03\x02\x01=\xa9\x
> > SF:15\x1b\x13<unspecified\x20realm>\xaa\x0b0\t\xa0\x03\x02\x01\0\xa1\x020\
> > SF:0");
>
> Thanks for checking this out. If the RPCCheck probe gets a response,
> then let's just add another match line instead of a whole new probe.
> Just follow the instructions at
> http://insecure.org/cgi-bin/submit.cgi?new-service
> Those submissions are due to be processed soon.
>
> It would be worth adding a new probe if the new probe could provide a
> lot more information, like a version number or server name. And then,
> it's best to make the match specific at first. Otherwise people will see
> "Kerberos" in the output and think, "good enough," and not submit
> fingerprints that might allow us to be more discriminating.
>
> David Fifield


Hi David,

I submitted the signature per your request. However, it's only valid for TCP which wasn't clear in my first post. 
Scanning port 88/UDP does currently not trigger any response at all, which was the main reason for submitting my 
previous patch.

--
Patrik Karlsson
http://www.cqure.net




_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/