Nmap Development mailing list archives
Re: pgsql-brute and PostgreSQL match lines
From: Tom Sellers <nmap () fadedcode net>
Date: Sat, 22 May 2010 13:43:02 -0500
On 2/6/10 4:51 PM, Patrik Karlsson wrote:
Hi all, I just finished pgsql-brute.nse, a script that allows password guessing against PostgreSQL servers, and the supporting pgsql.lua library used for both version 2 and 3 of the protocol. While developing the script I also noticed that the fingerprinting of PostgreSQL running version 3 of the protocol could be improved a lot, as error messages contain the file in which the error occurred and the line number. Currently, the SMBProgNeg probe triggers the error "Unsupported frontend protocol" with this information, but a too generic match always returns "PostgreSQL DB". Yesterday I therefore started installing quite a few virtual machines in order to pull the error messages from a number of different PostgreSQL DB versions. Half way through it, HD Moore announced this on Twitter: http://blog.metasploit.com/2010/02/postgres-fingerprinting.html Well, what are the odds? Anyway, I've looked at the code and that plugin is basing its matching on the error message returned by an incorrect login. I suppose this is possible now with the new library, and could benefit from the fingerprinting already done, but it's more intrusive and requires a version script (as more than one packet is sent) rather than the use of the existing SMBProgNeg probe.

I've collected fingerprints from the following versions and so far they've all returned a different line number for the same error message:
- PostgreSQL 8.0.21 - FreeBSD
- PostgreSQL 8.1.17 - FreeBSD
- PostgreSQL 8.2.13 - FreeBSD
- PostgreSQL 8.3.7 - FreeBSD
- PostgreSQL 8.4.0 - FreeBSD
- PostgreSQL 8.4.2 - Linux
- PostgreSQL 8.4.2 - Windows

The attached patch adds those fingerprints and kills the generic wide match that prevents this detailed matching from being done. The matches currently match the whole server response rather than the file name and line number, but the error packet is static enough, I believe.
Have a look under ErrorResponse here for more details: http://developer.postgresql.org/pgdocs/postgres/protocol-message-formats.html //Patrik
Anyone have any objections to me adding a softmatch to the nmap-service-probes file that would identify the service as PostgreSQL while still printing the fingerprint block? The line I had in mind was:

softmatch postgresql m|E\0\0\0\x84SFATAL\0C0A000\0Munsupported frontend protocol 65363| p/PostgreSQL DB/

This would help me with my service queries against the XML files while still providing the fingerprint block so that we can continue to refine the detection.

Thanks much,
Tom

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
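The two ideas in this thread, a coarse softmatch on the ErrorResponse prefix and a finer fingerprint keyed on the file name and line number carried in the same message, can be illustrated with a small decoder of the PostgreSQL v3 ErrorResponse format linked above. The following is an added example, not code from nmap, the pgsql.lua library or either poster. The sample message, the file/line pairs in the fingerprint table and the version labels attached to them are constructed placeholders, not real fingerprints collected from any server; the real values are the ones Patrik's patch adds to nmap-service-probes.

```python
import re
import struct

# ErrorResponse layout (PostgreSQL protocol v3): 'E', Int32 length (counts itself
# but not the 'E'), then a sequence of (1-byte field type, NUL-terminated string)
# pairs, closed by a single NUL. Field types of interest: S severity, C SQLSTATE,
# M message, F source file, L source line, R routine.

def build_error_response(fields):
    """Encode a v3 ErrorResponse from a list of (type letter, value) pairs."""
    body = b"".join(t.encode() + v.encode() + b"\x00" for t, v in fields) + b"\x00"
    return b"E" + struct.pack("!I", len(body) + 4) + body


def parse_error_response(data):
    """Decode one ErrorResponse into a dict keyed by field-type letter.
    Returns None for anything that is not a complete, well-formed ErrorResponse."""
    if len(data) < 5 or data[0:1] != b"E":
        return None
    (length,) = struct.unpack("!I", data[1:5])
    if length < 4 or len(data) < 1 + length:
        return None  # truncated on the wire or bogus length
    body = data[5:1 + length]
    fields = {}
    pos = 0
    while pos < len(body):
        ftype = body[pos:pos + 1]
        if ftype == b"\x00":
            break  # terminator reached
        end = body.find(b"\x00", pos + 1)
        if end == -1:
            return None  # unterminated string
        fields[ftype.decode()] = body[pos + 1:end].decode("utf-8", "replace")
        pos = end + 1
    return fields


# Equivalent of the proposed softmatch: only the fixed prefix of the response is
# checked, so any v3 server answering the SMBProgNeg probe is recognised as
# PostgreSQL without pinning a version. The 4th length byte is left as a wildcard.
SOFTMATCH = re.compile(
    rb"^E\x00\x00\x00.SFATAL\x00C0A000\x00Munsupported frontend protocol", re.DOTALL)

# Constructed fingerprint table (file, line) -> version label. Placeholder values only.
FINGERPRINTS = {
    ("postmaster.c", "1111"): "PostgreSQL placeholder-version-A",
    ("postmaster.c", "2222"): "PostgreSQL placeholder-version-B",
}


def classify(data):
    """Softmatch first; if it hits, refine on the F/L fields like the detailed
    match lines would. Unknown file/line pairs fall back to the generic label."""
    if not SOFTMATCH.match(data):
        return None
    fields = parse_error_response(data)
    if fields is None:
        return None
    key = (fields.get("F"), fields.get("L"))
    return FINGERPRINTS.get(key, "PostgreSQL DB (unfingerprinted %s:%s)" % key)


# Constructed sample, modelled on the error the SMBProgNeg probe triggers.
SAMPLE = build_error_response([
    ("S", "FATAL"),
    ("C", "0A000"),
    ("M", "unsupported frontend protocol 65363.19778: server supports 1.0 to 3.0"),
    ("F", "postmaster.c"),
    ("L", "1111"),
    ("R", "ProcessStartupPacket"),
])

if __name__ == "__main__":
    print(parse_error_response(SAMPLE))
    print(classify(SAMPLE))
```

Matching on the decoded F and L fields rather than on the whole raw response, as the mail notes is done for now, makes the fingerprint insensitive to the free-text part of the M field and to the length byte, which is why the softmatch above only anchors the static prefix.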
Current thread:
- Re: pgsql-brute and PostgreSQL match lines Tom Sellers (May 22)
- Re: pgsql-brute and PostgreSQL match lines David Fifield (May 24)