Nmap Development mailing list archives
Re: match lines and serialnumberd probe
From: David Fifield <david () bamsoftware com>
Date: Tue, 25 May 2010 13:11:12 -0600
On Tue, May 25, 2010 at 12:00:27AM -0500, Samuel Benson wrote:
> On May 24, 2010, at 3:30 PM, Patrik Karlsson wrote:
> > The probe works well but not the payload. I changed 636 to 626 but I don't see any packets coming in to the target. Probably has something to do with my virtualization again..... Anyone with access to a real OS X server that could give it a go?
>
> Host OS: 10.6.3 x86_64
> Target: 10.5.8 PPC
>
> As far as I can tell, the payload does work. I see the payload packet being sent from the laptop to the server, and the server is replying. The problem I think nmap would run into in parsing the reply is that serialnumberd isn't sending a response packet to the originating host. According to tcpdump, the response packet is being sent to a multicast address, in this case 224.0.0.1:626, which if you think about it would be the best way to detect duplicate serial numbers on a network, especially if the servers are unconfigured, or using a self-assigned IP.
So when you say the payload works, does that mean that the port is "open" in the scan nmap -sU -p 626 <target>? If Nmap doesn't receive the response properly, it will be "open|filtered".
> If running several scans with a fair amount of time differential between them, the response payload does change: :ivI7BE:xsvr, :BE5BO9:xsvr, and :bGPXii:xsvr are responses garnered from the same host.
I don't see that type of data in the responses--the six alphanumeric bytes look more like the request we send. Your example response,

SNRESPS:ldap.digitalescape.info:0xA87896E21BF70D3AECB9120C54A1D8B52E2B8932:xsvr:0xC5CF122CD26B2A2C39BF90D8E7D895B60166366A:0x4bca7500:0xB0013005AD4FA83E433D450B87D684DE55D7B273:ldap.digitalescape.info

doesn't match that either.
> Also of note, when the response packet hits the network my secondary server also replies, as is expected, and answers to the SNQUERY with a SNRESPS packet shaped much differently,
Thanks, I've added another match line that gets the host name from a response like the one you have given.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
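Added example, not code from the thread or from Nmap: a small Python model of how an nmap-service-probes match line is applied to a response, so the effect of the new match line can be reproduced on the SNRESPS reply Samuel quoted above. The match line itself (its regex and the p/.../ product string) is an assumption constructed for this example, not the line David committed.

```python
import re

# Constructed nmap-service-probes match line, NOT the one David committed:
# the regex and the p/.../ product string are assumptions for this example.
# Syntax: match <service> m<d>regex<d>[flags] p/product/ h/hostname/ ...
MATCH_LINE = (
    "match serialnumberd "
    "m|^SNRESPS:([^:]+):0x[0-9a-fA-F]+:xsvr:0x[0-9a-fA-F]+:0x[0-9a-fA-F]+:"
    "0x[0-9a-fA-F]+:([^:\\s]+)| p/Apple serialnumberd/ h/$1/"
)

# Data quoted in the thread: the full SNRESPS reply, and one of the short
# six-character strings that David says look like the request, not a reply.
SNRESPS_SAMPLE = (
    "SNRESPS:ldap.digitalescape.info:0xA87896E21BF70D3AECB9120C54A1D8B52E2B8932"
    ":xsvr:0xC5CF122CD26B2A2C39BF90D8E7D895B60166366A:0x4bca7500"
    ":0xB0013005AD4FA83E433D450B87D684DE55D7B273:ldap.digitalescape.info"
)
SHORT_SAMPLE = ":ivI7BE:xsvr"

def parse_match_line(line):
    """Split a match line into service, compiled regex and version fields."""
    head = re.match(r"(?:soft)?match\s+(\S+)\s+m(.)", line)
    if not head:
        raise ValueError("not a match line")
    service, delim = head.group(1), head.group(2)
    pat_end = line.index(delim, head.end())          # closing regex delimiter
    pattern, rest = line[head.end():pat_end], line[pat_end + 1:]
    flag_m = re.match(r"[is]*", rest)                 # only 'i' and 's' handled
    flags = (re.IGNORECASE if "i" in flag_m.group() else 0) | (
        re.DOTALL if "s" in flag_m.group() else 0)
    # p/v/i/h/o/d fields may use any delimiter character; cpe: fields ignored.
    fields = {}
    for fm in re.finditer(r"\b([pvihod])(\S)(.*?)\2", rest[flag_m.end():]):
        fields[fm.group(1)] = fm.group(3)
    return {"service": service, "regex": re.compile(pattern, flags), "fields": fields}

def apply_match(parsed, response):
    """Version-detection result for a response, or None when it does not match."""
    m = parsed["regex"].search(response)
    if not m:
        return None
    result = {"service": parsed["service"]}
    # $1..$9 in a field are replaced by the capture groups, which is how the
    # match line pulls the host name out of the SNRESPS reply.
    for key, template in parsed["fields"].items():
        result[key] = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", template)
    return result
```

Running apply_match on SNRESPS_SAMPLE yields the host name in the h field, while the short :ivI7BE:xsvr string produces no match, consistent with David's observation that it does not look like a response.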
Current thread:
- match lines and serialnumberd probe Patrik Karlsson (May 09)
- Re: match lines and serialnumberd probe David Fifield (May 18)
- Re: match lines and serialnumberd probe Patrik Karlsson (May 23)
- Re: match lines and serialnumberd probe David Fifield (May 24)
- Re: match lines and serialnumberd probe Patrik Karlsson (May 24)
- Re: match lines and serialnumberd probe Samuel Benson (May 24)
- Re: match lines and serialnumberd probe David Fifield (May 25)
- Re: match lines and serialnumberd probe Samuel Benson (May 25)
- Re: match lines and serialnumberd probe Patrik Karlsson (May 25)