Nmap Development mailing list archives

Re: [NSE] new scripts and libraries: service probes


From: David Fifield <david () bamsoftware com>
Date: Wed, 11 Aug 2010 19:13:24 -0600

On Sun, Aug 08, 2010 at 05:31:36PM +0200, Patrik Karlsson wrote:
In addition I've added a few new probes to the nmap-service-probes. They detect the following:
- Lotus Domino Console running on tcp/2050 (shows OS and hostname)
- IBM Informix Dynamic Server running native protocol (shows hostname, and file path)
- Database servers running the DRDA protocol
- IBM Websphere MQ (shows name of queue-manager and channel)

Do you have the original fingerprints for these? I have committed them
but some changes might be necessary. We keep all the submitted
signatures in a big file, which can come in handy when we get more
submissions in the future. Sometimes matches can be loosened or
tightened based on observed changes in the fingerprints.

I only have the latest submitted fingerprints up to August 5, so if you
submitted them later, just let me know.

Here are the specific questions I have.

match dominoconsole m|^([^:]*):([^:]*):[^:]+:.*$| p/Lotus Domino Console/ o/$2/ i/Server name: $1/

What is the format of the $2 field? If it's not the same as in our other
matches ("windows" lowercase, for example), then it's better to have
multiple match lines to put it in the correct format. Is the $1 field
the host name? If so, put it in h/$1/.

match informix m|^.{2}\x03<\x10\0\0d\0e\0\0\0=\0\x6IEEEI\0\0lsrvinfx\0\0\0\0\0\0\x05V1.0\0\0\x04SER\0\0\x08asfecho\0{19}o[ln]\0{9}=soctcp\0{5}\x01\0\x66\0{6}\xfcI..\0\0\0\x01\0\0\0.nmap@[.\d\w]+\0k\0\0\0\0\0\0..\0\0\0\0\0.(.*)\0\0.(.*)\0\0.([A-Z]\:[^/]*)\0\0t\0\x08\x01Y\0\x06\x01Y\0\0\0\x7f$| p/Informix Dynamic Server/ v/11.50/ o/Windows/ i/Hostname: $1, Path: $3/

The same thing applies here with the host name. Does the part that
matches nmap@[.\d\w]+ contain any useful information?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
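
Added example, not part of the original message and not Nmap's own code: a small Python model of how the dominoconsole match line fills its version fields, run against two constructed banners to show why the reply asks about the $2 format and about tightening matches. The banners, the literal "windows" in the rewritten line, and the helper names parse_match and apply_match are assumptions; the real Domino Console field layout is not given in the thread.

```python
import re

# Match line exactly as quoted in the message above.
ORIGINAL = (r"match dominoconsole m|^([^:]*):([^:]*):[^:]+:.*$|"
            r" p/Lotus Domino Console/ o/$2/ i/Server name: $1/")
# Hypothetical rewrite following the reply's suggestions: one line per OS value
# (the literal "windows" in the banner is an assumption) and the name in h//.
SUGGESTED = (r"match dominoconsole m|^([^:]*):windows:[^:]+:.*$|"
             r" p/Lotus Domino Console/ o/Windows/ h/$1/")

# Constructed banners; the real Domino Console field layout is not on the page.
DOMINO_LIKE = "domino01:windows:console:ready"
UNRELATED = "12:34:56: clock service"


def parse_match(line):
    """Split a match directive into (service, compiled regex, field templates).

    Simplified: only the m|...| delimiter and p/v/i/o/h fields without
    embedded slashes are handled, which covers the line discussed here.
    """
    m = re.match(r"match (\S+) m\|(.*)\|([is]*)((?: [pvioh]/[^/]*/)+)$", line)
    if m is None:
        raise ValueError("unsupported match line")
    service, pattern, _flags, tail = m.groups()
    return service, re.compile(pattern), dict(re.findall(r" ([pvioh])/([^/]*)/", tail))


def apply_match(line, banner):
    """Return the filled-in version fields, or None if the banner does not match."""
    service, regex, templates = parse_match(line)
    hit = regex.search(banner)
    if hit is None:
        return None
    fill = lambda t: re.sub(r"\$(\d)", lambda g: hit.group(int(g.group(1))), t)
    return {"service": service, **{k: fill(v) for k, v in templates.items()}}


if __name__ == "__main__":
    for name, line in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        for banner in (DOMINO_LIKE, UNRELATED):
            print(name, repr(banner), "->", apply_match(line, banner))
```

With the original line, any response containing three colons is reported as Lotus Domino Console and the raw $2 text lands in the OS field; the rewritten line reports a fixed OS string and rejects the unrelated banner.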