Nmap Development mailing list archives
Re: match lines and serialnumberd probe
From: Samuel Benson <nmap_ml () digitalescape info>
Date: Tue, 25 May 2010 00:00:27 -0500
On May 24, 2010, at 3:30 PM, Patrik Karlsson wrote:
> On 24 May 2010, at 21.28, David Fifield wrote:
>
>> On Sun, May 23, 2010 at 07:56:19PM +0200, Patrik Karlsson wrote:
>>
>>> On 18 May 2010, at 17.10, David Fifield wrote:
>>>
>>>> Probe UDP serialnumberd q|\x53\x4e\x51\x55\x45\x52\x59\x3a \x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x3a\x57\x38\x58\x4c\x63\x50\x3a\x78\x73\x76\x72|
>>>> rarity 8
>>>> ports 626
>>>>
>>>> That looked mysterious until I saw it was all ASCII; it's the same as
>>>>
>>>> Probe UDP serialnumberd q|SNQUERY: 127.0.0.1:W8XLcP:xsvr|
>>>>
>>>> So the only part that looks strange is the W8XLcP: that might be your own serial number or something. I can't test this because I don't have OS X Server. So I want to add this probe, and maybe add it as a UDP payload, once we can determine if that field varies and how. Perhaps we can replace it with a dummy value like AAAAAA.
>>>
>>> I've replaced the probe with the following, and it still works:
>>>
>>> q|SNQUERY: 127.0.0.1:AAAAAA:xsvr|
>>>
>>> I'm sending you the complete response off-list just in case.
>>
>> Okay, thanks. I added the probe, and had it print out the (rather long) numbers that are in the response. My hope is that by displaying them, someone will be inspired to find out what they all mean. I like to make the first match line as specific as possible, so that any deviations (that might disclose version differences) will be reported as new fingerprints.
>>
>> I also made a UDP payload from the probe. I'd appreciate if you would test
>>
>> nmap -sV -p 626 -sU <target>
>> nmap -sn -PU636 <target>
>
> The probe works good but not the payload. I changed 636 to 626 but I don't see any packets coming in to the target. Probably has something to do with my virtualization again..... Anyone with access to a real OS X server that could give it a go?
Host OS: 10.6.3 x86_64
Target: 10.5.8 PPC

As far as I can tell, the payload does work. I see the payload packet being sent from laptop to the server, and the server is replying. The problem I think nmap would run into in parsing the reply is that serialnumberd isn't sending a response packet to the originating host. According to tcpdump, the response packet is being sent to a multicast address, in this case 224.0.0.1:626, which if you think about it would be the best way to detect duplicate serial numbers on a network, especially if the servers are unconfigured, or using a self-assigned IP.

Of note: if scanning the secondary NIC of the server, the primary NIC would be the one transmitting the reply to 224.0.0.1:626.

If running several scans with a fair amount of time differential between them, the response payload does change: :ivI7BE:xsvr, :BE5BO9:xsvr, and :bGPXii:xsvr are responses garnered from the same host.

Also of note, when the response packet hits the network my secondary server also replies, as is expected, and answers to the SNQUERY with a SNRESPS packet shaped much differently, SNRESPS:ldap.digitalescape.info:0xA87896E21BF70D3AECB9120C54A1D8B52E2B8932:xsvr:0xC5CF122CD26B2A2C39BF90D8E7D895B60166366A:0x4bca7500:0xB0013005AD4FA83E433D450B87D684DE55D7B273:ldap.digitalescape.info but interestingly enough, directly to the primary server which issues the SNQUERY request, not to the multicast address.

Hope this was helpful.

-Sam
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
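As an added example (not code from the thread, from Nmap, or from serialnumberd), a small Python helper that decodes the q|...| escape syntax of the probe quoted above, splits SNQUERY/SNRESPS datagrams into their colon-separated fields, and checks whether a reply destination is one the scanner would ever see. Function names are my own, the sample messages are the ones quoted in the thread, and IPv4 addresses are assumed.

```python
import ipaddress
import re

# Escapes handled when decoding an nmap-service-probes q|...| body:
# \xHH plus a few C-style ones. Any other character passes through as-is.
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "0": "\0", "\\": "\\"}

def decode_probe(q: str) -> str:
    """Turn the escaped probe body into the text actually sent on the wire."""
    def sub(m):
        esc = m.group(1)
        return chr(int(esc[1:], 16)) if esc.startswith("x") else _SIMPLE[esc]
    return re.sub(r"\\(x[0-9A-Fa-f]{2}|[nrt0\\])", sub, q)

# Hex-escaped probe exactly as quoted in the thread; the bare space inside it
# is carried through unchanged, like any other literal character.
THREAD_PROBE = (r"\x53\x4e\x51\x55\x45\x52\x59\x3a \x31\x32\x37\x2e\x30\x2e\x30"
                r"\x2e\x31\x3a\x57\x38\x58\x4c\x63\x50\x3a\x78\x73\x76\x72")

# SNRESPS datagram as reported by the second server in the thread.
SAMPLE_RESPS = ("SNRESPS:ldap.digitalescape.info:"
                "0xA87896E21BF70D3AECB9120C54A1D8B52E2B8932:xsvr:"
                "0xC5CF122CD26B2A2C39BF90D8E7D895B60166366A:0x4bca7500:"
                "0xB0013005AD4FA83E433D450B87D684DE55D7B273:ldap.digitalescape.info")

def parse_serialnumberd(msg: str) -> dict:
    """Split an SNQUERY or SNRESPS message into fields. The meaning of the
    0x... values is not established in the thread, so they are only
    collected in order, not interpreted."""
    if msg.startswith("SNQUERY:"):
        ip, token, tag = msg.split(":", 1)[1].strip().split(":")
        return {"type": "SNQUERY", "ip": ip, "token": token, "tag": tag}
    if msg.startswith("SNRESPS:"):
        parts = msg.split(":")
        return {"type": "SNRESPS", "host": parts[1], "tag": parts[3],
                "hexvals": [p for p in parts if p.startswith("0x")],
                "trailer": parts[-1]}
    raise ValueError("not a serialnumberd message")

def reply_visible_to_scanner(dst_ip: str) -> bool:
    """Nmap can only match a reply addressed back to the scanning host; a
    reply sent to a multicast group such as 224.0.0.1 (as observed in the
    thread with tcpdump) never reaches its matching logic."""
    return not ipaddress.ip_address(dst_ip).is_multicast

if __name__ == "__main__":
    print(decode_probe(THREAD_PROBE))
    print(parse_serialnumberd(SAMPLE_RESPS))
    print(reply_visible_to_scanner("224.0.0.1"))
```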