Re: Problems writing a nmap-service-probe for jdwp (Java debug wire protocol)

[David Fifield <david () bamsoftware com>]

On Wed, Mar 17, 2010 at 08:04:55PM +0100, Michael Schierl wrote:
> Am 17.03.2010 05:32, schrieb David Fifield:
> > On Tue, Mar 16, 2010 at 10:22:56PM +0100, Michael Schierl wrote:
> > > [Please Cc: me as I am not subscribed to the list. Thanks.]
> >
> > > description = [[
> > > Detects the Java Debug Wire Protocol. This protocol is used by Java programs
> > > to be debugged via the network. It should not be open to the public internet,
> > > as it does not provide any security against malicious attackers who can inject
> > > their own bytecode into the debugged process.
> > > ]]
> >
> > This is nice! I don't think there will be a problem including it. Can
> > you post a sample of its output? 
>
> D:\Progs\Nmap>nmap -sT -p 9999 localhost -sV
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2010-03-17 19:54
> Westeuropäische Normalzeit
> Interesting ports on localhost (127.0.0.1):
> PORT     STATE SERVICE VERSION
> 9999/tcp open  jdwp    Java Debug Wire Protocol (Reference
> Implementation) version 1.6 1.6.0_17
>
> Service detection performed. Please report any incorrect results at
> http://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 3.38 seconds
>
> > I think a comment explaining why you're
> > looking for "tcpwrapped" in the portrule would be good.
>
> -- JDWP will close the port if there is no valid handshake within 2 seconds,
> -- therefore the null probe will detect it as tcpwrapped.
>
> > Also, if there
> > is a link to online protocol documentation, please include it in the
> > script documentation.
>
> Added it. Updated script is attached.
>
> > Can you elaborate more on this comment? Is it because the first 14 bytes
> > of the response echo the request?
> >
> > >         -- make sure we get at least one more packet after the JDWP-Handshake response even if there is some delay;
> > >         -- the handshake resonse has 14 bytes, so wait for 18 bytes here.
>
> It is more of a timing issue. As soon as the server receives the
> JDWP-Handshake string, it will respond with JDWP-Handshake. Then it will
> parse the next command (a JDWP version request) and respond to it a few
> milliseconds later. When I did not set the number of bytes, I usually
> ended up with only the JDWP-Handshake string in the response (as the
> script seems to stop responding as soon as reading would block). But I
> really want to have the answer to the version response as well, so I
> just wait for a few more bytes (18 as every possible response will be at
> least 4 bytes long).

I just committed your script in r17015. Thanks for contributing it.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/