Nmap Development mailing list archives
Re: AFP probe
From: David Fifield <david () bamsoftware com>
Date: Wed, 6 Jan 2010 13:27:09 -0700
On Wed, Jan 06, 2010 at 09:21:51PM +0100, Patrik Karlsson wrote:
> On 6 jan 2010, at 20.38, Matt Selsky wrote:
>> On Jan 4, 2010, at 4:51 AM, Patrik Karlsson wrote:
>>> The SSLSessionReq probe fails to detect AFP on my Linux boxes (Netatalk) and on Snow Leopard. I'm submitting a patch containing new probe and match lines that detect AFP on these systems.
>>
>> I tried this against a netatalk 1.6.4 server with the following response:
>>
>> SF-Port548-TCP:V=5.10BETA2%I=7%D=1/6%Time=4B44E471%P=i386-apple-darwin10.2.0%r(afp,188,"\x01\x03\0\x01\0\0\0\0\0\0\x01x\0\0\0\0\0\x1c\0!\0V\0a\x80}\x
>> SF:08manchego\0\x01a\x01q\0\0\0\0\x04unix\x04\x0eAFPVersion\x201\.1\x0eAFP
>> SF:Version\x202\.0\x0eAFPVersion\x202\.1\x06AFP2\.2\x01\tDHCAST1280\0\x8f\
>> SF:xf8\xcc\x01H\x0c\xb32\(\n\x8c\xcc\|\x0f\x83\x02\xff\x01\x80\xc3\xc3\x81
>> SF:\x803\xe3\xc1\x80\x0b\xd3\xc1\x80\x0b\xb1a\x80\x0b\xe0\xe1\x80\x0b\xe1\
>> SF:xe1\x80\x0b\xd1\xe1\xc0\n\xc0\xe1p\x0bx\xc1\x1c\x0by\xc1\x17\x0b3\xff!\
>> SF:xcb\xff\xc4@\x7f\xff\x02\x80\x1e\0\x01\xff\xff\xff\xff\x80\0\0\x01\xff\
>> SF:xff\xff\xff\0\x02\x80\0\0\x02\x80\0\0\x07\xc0\0\0\x04@\0\0\x04@\0\0\x07
>> SF:\xc0\0\0\x05@\0\x0f\xf9\?\xfc\0\x02\x80\0\x0f\xfc\x7f\xfc0\0\x8f\xf8\xf
>> SF:c\x01\xcf\xfc\xff3\xef\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\
>> SF:xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff
>> SF:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x7f\xff\xff\xff\x1f\xff\xf
>> SF:f\xff\x1f\xff\xff\xff\?\xff\xff\xfc\x7f\xff\xff\xfe\xff\xff\xff\xff\xff
>> SF:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\0\x03\x80\0\0\x03\x80\0\0\
>> SF:x07\xc0\0\0\x07\xc0\0\0\x07\xc0\0\0\x07\xc0\0\0\x07\xc0\0\xff\xff\xff\x
>> SF:ff\?\xfe\xff\xff\xff\xfc\x7f\xff\x83\xc74\x11\x83\xc74\x11\x83\xc74\x11
>> SF:\x83\xc74\x11\x01\x06\x01\x80;;7");
>>
>> The nodename is manchego.
>>
>> Protocol versions supported (according to wireshark)
>> AFPVersion 1.1
>> AFPVersion 2.0
>> AFPVersion 2.1
>> AFP2.2
>>
>> Seems like we should push the nodename and the most recent version supported in the info line.
>>
>> -- Matt
>
> Yes, that's what previous matches do and what I was hoping to achieve with my match line.
> However, it seems as if my Netatalk has a higher AFP version (3.1) than yours. (I'm running Netatalk 2.0.3) My initial thought was to write a less strict match line which would match a larger signature base and would get the most recent version into the info line (assuming versions are listed in descending order). I ended up doing it the same way previous AFP matches were done. While this will require more match lines in the end it comes with the possibility of better being able to fingerprint the OS and service versions.

I've been doing it like you said, Patrik, adding separate match lines as long as we can get more information. It's a balancing act between matching lots of services with few signatures and getting lots of information with many signatures. It's best to start out being specific, because then people will (hopefully) submit corrections and grow the database, whereas if you have one signature that says "Apple Filing Protocol," people will be satisfied with that and never make submissions that could help us be more specific.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
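
Added example, not part of the original thread and not Nmap code: the fields the thread wants in the info line (node name, newest AFP version) can be read straight out of the response quoted above by decoding the fingerprint escapes and following the offsets at the start of the server information block. The function names are hypothetical, the sample is the beginning of the quoted fingerprint cut after the UAM list, and the version ranking does not assume any list order.

```python
import re
import struct

# Start of the response quoted in the thread (Nmap escaping), cut after the
# UAM list; the volume icon bytes that follow are not needed here.
SAMPLE = (r'\x01\x03\0\x01\0\0\0\0\0\0\x01x\0\0\0\0\0\x1c\0!\0V\0a\x80}\x08manchego'
          r'\0\x01a\x01q\0\0\0\0\x04unix\x04\x0eAFPVersion\x201\.1'
          r'\x0eAFPVersion\x202\.0\x0eAFPVersion\x202\.1\x06AFP2\.2\x01\tDHCAST128')

def unescape(fp):
    """Turn Nmap fingerprint escapes (\\xHH, \\0, \\t, \\. ...) into bytes."""
    simple = {"0": 0, "t": 9, "n": 10, "r": 13}
    def repl(m):
        tok = m.group(1)
        return chr(int(tok[1:], 16) if len(tok) == 3 else simple.get(tok, ord(tok)))
    return re.sub(r"\\(x[0-9a-fA-F]{2}|.)", repl, fp).encode("latin-1")

def pstrings(buf, off):
    """Read a count byte, then that many length-prefixed strings."""
    count, off, out = buf[off], off + 1, []
    for _ in range(count):
        end = off + 1 + buf[off]
        if end > len(buf):
            raise ValueError("truncated string list")
        out.append(buf[off + 1:end].decode("latin-1"))
        off = end
    return out

def parse_status(resp):
    """Parse a DSI GetStatus reply carrying the AFP server information block."""
    if len(resp) < 27 or (resp[0], resp[1]) != (1, 3):  # 1 = reply, 3 = GetStatus
        raise ValueError("not a DSI GetStatus reply")
    body = resp[16:]  # skip the 16-byte DSI header
    machine_off, version_off, uam_off = struct.unpack(">HHH", body[:6])
    return {
        "name": body[11:11 + body[10]].decode("latin-1"),
        "machine": body[machine_off + 1:machine_off + 1 + body[machine_off]].decode("latin-1"),
        "versions": pstrings(body, version_off),
        "uams": pstrings(body, uam_off),
    }

def newest(versions):
    """Pick the highest AFP version, whatever order the server lists them in."""
    def rank(v):
        if v == "AFPX03":  # AFP 3.0 is advertised under this name
            return (3, 0)
        m = re.search(r"(\d+)\.(\d+)", v)
        return (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    return max(versions, key=rank)
```

Calling `parse_status(unescape(SAMPLE))` yields the node name and version list Matt read off in Wireshark, and `newest()` on that list gives the value a looser match line would have to capture.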