Nmap Development mailing list archives

Re: [NSE] new scripts and libraries: service probes


From: Patrik Karlsson <patrik () cqure net>
Date: Sat, 14 Aug 2010 14:44:01 +0200


On 12 aug 2010, at 03.13, David Fifield wrote:

On Sun, Aug 08, 2010 at 05:31:36PM +0200, Patrik Karlsson wrote:
In addition I've added a few new probes to the nmap-service-probes. They detect the following:
- Lotus Domino Console running on tcp/2050 (shows OS and hostname)
- IBM Informix Dynamic Server running native protocol (shows hostname, and file path)
- Database servers running the DRDA protocol
- IBM Websphere MQ (shows name of queue-manager and channel)

Do you have the original fingerprints for these? I have committed them
but some changes might be necessary. We keep all the submitted
signatures in a big file, which can come in handy when we get more
submissions in the future. Sometimes matches can be loosened or
tightened based on observed changes in the fingerprints.

I'm sending you the signatures off-list.


I only have the latest submitted fingerprints up to August 5, so if you
submitted them later, just let me know.

Here are the specific questions I have.

match dominoconsole m|^([^:]*):([^:]*):[^:]+:.*$| p/Lotus Domino Console/ o/$2/ i/Server name: $1/

What is the format of the $2 field? If it's not the same as in our other
matches ("windows" lowercase, for example), then it's better to have
multiple match lines to put it in the correct format. Is the $1 field
the host name? If so, put it in h/$1/.

This is what a match looks like:
PORT     STATE SERVICE           VERSION
2050/tcp open  ssl/dominoconsole Lotus Domino Console (Server name: server1/labb1)
Service Info: OS: Windows/2003 5.2 Intel Pentium

So the format isn't correct. The server name is prefixed with the Domino domain, so I guess we would need to strip that off first.
Maybe the domain could be kept as extra information? Let me know what you think.


match informix m|^.{2}\x03<\x10\0\0d\0e\0\0\0=\0\x6IEEEI\0\0lsrvinfx\0\0\0\0\0\0\x05V1.0\0\0\x04SER\0\0\x08asfecho\0{19}o[ln]\0{9}=soctcp\0{5}\x01\0\x66\0{6}\xfcI..\0\0\0\x01\0\0\0.nmap@[.\d\w]+\0k\0\0\0\0\0\0..\0\0\0\0\0.(.*)\0\0.(.*)\0\0.([A-Z]\:[^/]*)\0\0t\0\x08\x01Y\0\x06\x01Y\0\0\0\x7f$| p/Informix Dynamic Server/ v/11.50/ o/Windows/ i/Hostname: $1, Path: $3/

The same thing applies here with the host name.
I've moved the hostname to the hostname field, it's committed as r19749.

Does the part that matches nmap@[.\d\w]+ contain any useful information?
It contains the name of the client.


David Fifield


//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
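An added example, not code from this thread or from Nmap itself: a small Python reader for the nmap-service-probes match-line syntax discussed above, run over a constructed banner. It applies the original dominoconsole line (server name lands in i/) next to a variant that captures the two halves of "server1/labb1" separately so the host part can go in h/; which side of the "/" is the host is an assumption, as is the banner layout.

```python
import re

# Constructed sample banner in the shape the dominoconsole match implies
# (server name, OS string, then further colon-separated fields); not a real capture.
SAMPLE_BANNER = "server1/labb1:Windows/2003 5.2 Intel Pentium:1:ok"

# The match line from the thread, and a variant that splits the Domino server
# name on '/' (assumed order: host first, domain second) so h/ can be used.
ORIGINAL = ("match dominoconsole m|^([^:]*):([^:]*):[^:]+:.*$| "
            "p/Lotus Domino Console/ o/$2/ i/Server name: $1/")
SPLIT = ("match dominoconsole m|^([^/:]*)/([^:]*):([^:]*):[^:]+:.*$| "
         "p/Lotus Domino Console/ o/$3/ h/$1/ i/Domino domain: $2/")

# Version-info fields: p/ v/ i/ h/ o/ d/ with '\/' allowed as an escaped slash.
FIELD_RE = re.compile(r'(?:^|\s)([pvihod])/((?:[^/\\]|\\.)*)/')

def parse_match_line(line):
    """Split 'match <service> m<d>regex<d>[flags] fields...' into its parts."""
    m = re.match(r'match\s+(\S+)\s+m(.)(.*?)\2([a-z]*)\s*(.*)$', line)
    if not m:
        raise ValueError("not a match line: %r" % line)
    service, _delim, pattern, flags, rest = m.groups()
    return service, pattern, flags, dict(FIELD_RE.findall(rest))

def apply_match(line, banner):
    """Run the match regex over a banner; return expanded fields, or None on no match."""
    service, pattern, flags, fields = parse_match_line(line)
    re_flags = (re.IGNORECASE if 'i' in flags else 0) | (re.DOTALL if 's' in flags else 0)
    hit = re.search(pattern, banner, re_flags)
    if hit is None:
        return None

    def expand(value):
        # Substitute $1, $2, ... with the capture groups, as Nmap does for these fields.
        return re.sub(r'\$(\d+)', lambda g: hit.group(int(g.group(1))), value)

    result = {'service': service}
    result.update((k, expand(v)) for k, v in fields.items())
    return result

if __name__ == '__main__':
    for name, line in (('original', ORIGINAL), ('split', SPLIT)):
        print(name, apply_match(line, SAMPLE_BANNER))
```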
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/