Nmap Development mailing list archives
Re: Problems writing a nmap-service-probe for jdwp (Java debug wire protocol)
From: David Fifield <david () bamsoftware com>
Date: Wed, 17 Mar 2010 18:12:10 -0600
On Wed, Mar 17, 2010 at 08:04:55PM +0100, Michael Schierl wrote:
> On 17.03.2010 05:32, David Fifield wrote:
> > On Tue, Mar 16, 2010 at 10:22:56PM +0100, Michael Schierl wrote:
> > > [Please Cc: me as I am not subscribed to the list. Thanks.]
> > >
> > > description = [[
> > > Detects the Java Debug Wire Protocol. This protocol is used by Java
> > > programs to be debugged via the network. It should not be open to the
> > > public internet, as it does not provide any security against malicious
> > > attackers who can inject their own bytecode into the debugged process.
> > > ]]
> >
> > This is nice! I don't think there will be a problem including it. Can
> > you post a sample of its output?
>
> D:\Progs\Nmap>nmap -sT -p 9999 localhost -sV
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2010-03-17 19:54 Westeuropäische Normalzeit
> Interesting ports on localhost (127.0.0.1):
> PORT     STATE SERVICE VERSION
> 9999/tcp open  jdwp    Java Debug Wire Protocol (Reference Implementation) version 1.6 1.6.0_17
>
> Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 3.38 seconds
>
> > I think a comment explaining why you're looking for "tcpwrapped" in
> > the portrule would be good.
>
> -- JDWP will close the port if there is no valid handshake within 2 seconds,
> -- therefore the null probe will detect it as tcpwrapped.
>
> > Also, if there is a link to online protocol documentation, please
> > include it in the script documentation.
>
> Added it. Updated script is attached.
>
> > Can you elaborate more on this comment? Is it because the first 14
> > bytes of the response echo the request?
> >
> > > -- make sure we get at least one more packet after the JDWP-Handshake response even if there is some delay;
> > > -- the handshake response has 14 bytes, so wait for 18 bytes here.
>
> It is more of a timing issue. As soon as the server receives the
> JDWP-Handshake string, it will respond with JDWP-Handshake. Then it will
> parse the next command (a JDWP version request) and respond to it a few
> milliseconds later.
>
> When I did not set the number of bytes, I usually ended up with only the
> JDWP-Handshake string in the response (as the script seems to stop
> responding as soon as reading would block). But I really want to have
> the answer to the version response as well, so I just wait for a few
> more bytes (18 as every possible response will be at least 4 bytes
> long).

I just committed your script in r17015. Thanks for contributing it.

David Fifield
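
The timing issue described in the quoted reply (the handshake echo arrives first, the version reply a little later), as an added Python example that is not from the thread or from the committed script. The fake server, the 0.2 s delay and the packet bytes are constructed for illustration; the version-request layout is an assumption taken from the JDWP specification, not from this post.

```python
import socket, threading, time
HANDSHAKE = b"JDWP-Handshake"            # 14 bytes; the server echoes it back
# Assumption (JDWP spec header, not from the post): length, id, flags, set=1, cmd=1
VERSION_REQ = bytes.fromhex("0000000b00000001000101")
# Constructed reply: bare 11-byte reply header (flags 0x80, error 0), no body
FAKE_REPLY = bytes.fromhex("0000000b00000001800000")

def fake_jdwp_server(listener, delay):
    """Constructed stand-in for a debuggee: echo, pause, then answer."""
    conn, _ = listener.accept()
    with conn:
        try:
            if conn.recv(64).startswith(HANDSHAKE):
                conn.sendall(HANDSHAKE)
                time.sleep(delay)        # the gap between echo and version reply
                conn.sendall(FAKE_REPLY)
        except OSError:
            pass                         # client already hung up

def recv_at_least(sock, want, timeout=2.0):
    """Read until `want` bytes arrived, the peer closed, or time ran out."""
    buf, deadline = b"", time.monotonic() + timeout
    while len(buf) < want:
        left = deadline - time.monotonic()
        if left <= 0:
            break
        sock.settimeout(left)
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:                    # connection closed by the server
            break
        buf += chunk
    return buf

def probe(min_bytes, delay=0.2):
    """Return what one probe sees when it insists on at least min_bytes."""
    listener = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=fake_jdwp_server, args=(listener, delay),
                     daemon=True).start()
    with socket.create_connection(listener.getsockname()) as s:
        s.sendall(HANDSHAKE + VERSION_REQ)
        data = recv_at_least(s, min_bytes)
    listener.close()
    return data

if __name__ == "__main__":
    for n in (1, 18):                    # 1 = stop at first data, 18 = wait for more
        d = probe(n); print(n, len(d), d[:14], d[14:].hex())
```

Asking for 1 byte returns only the 14-byte echo; asking for 18 keeps the read open long enough to capture the delayed reply as well.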