Nmap Development mailing list archives
Re: [NSE] new scripts and libraries: service probes
From: Patrik Karlsson <patrik () cqure net>
Date: Sat, 14 Aug 2010 14:44:01 +0200
On 12 aug 2010, at 03.13, David Fifield wrote:
On Sun, Aug 08, 2010 at 05:31:36PM +0200, Patrik Karlsson wrote:

In addition I've added a few new probes to the nmap-service-probes. They detect the following:
- Lotus Domino Console running on tcp/2050 (shows OS and hostname)
- IBM Informix Dynamic Server running native protocol (shows hostname, and file path)
- Database servers running the DRDA protocol
- IBM Websphere MQ (shows name of queue-manager and channel)

Do you have the original fingerprints for these? I have committed them but some changes might be necessary. We keep all the submitted signatures in a big file, which can come in handy when we get more submissions in the future. Sometimes matches can be loosened or tightened based on observed changes in the fingerprints.
I'm sending you the signatures off-list.
I only have the latest submitted fingerprints up to August 5, so if you submitted them later, just let me know. Here are the specific questions I have.

match dominoconsole m|^([^:]*):([^:]*):[^:]+:.*$| p/Lotus Domino Console/ o/$2/ i/Server name: $1/

What is the format of the $2 field? If it's not the same as in our other matches ("windows" lowercase, for example), then it's better to have multiple match lines to put it in the correct format. Is the $1 field the host name? If so, put it in h/$1/.
This is what a match looks like:

PORT     STATE SERVICE           VERSION
2050/tcp open  ssl/dominoconsole Lotus Domino Console (Server name: server1/labb1)
Service Info: OS: Windows/2003 5.2 Intel Pentium

So the format isn't correct. The server name is prefixed with the Domino domain, so I guess we would need to strip that off first. Maybe the domain could be kept as extra information? Let me know what you think.
match informix m|^.{2}\x03<\x10\0\0d\0e\0\0\0=\0\x6IEEEI\0\0lsrvinfx\0\0\0\0\0\0\x05V1.0\0\0\x04SER\0\0\x08asfecho\0{19}o[ln]\0{9}=soctcp\0{5}\x01\0\x66\0{6}\xfcI..\0\0\0\x01\0\0\0.nmap@[.\d\w]+\0k\0\0\0\0\0\0..\0\0\0\0\0.(.*)\0\0.(.*)\0\0.([A-Z]\:[^/]*)\0\0t\0\x08\x01Y\0\x06\x01Y\0\0\0\x7f$| p/Informix Dynamic Server/ v/11.50/ o/Windows/ i/Hostname: $1, Path: $3/

The same thing applies here with the host name.
I've moved the hostname to the hostname field, it's committed as r19749.
Does the part that matches nmap@[.\d\w]+ contain any useful information?
It contains the name of the client.
David Fifield
//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
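The field-placement question discussed above (host name in h/, and using separate match lines to split the Domino domain off the server name and normalise the OS string) as an added Python example; this is not code from the thread or from Nmap itself. It tries candidate match lines in order and expands nmap-style $N templates against constructed banners, assuming the console banner is ':'-separated as the submitted match implies and that the part of the server name before the slash is the host and the part after it the Domino domain.

```python
import re
from typing import Optional

# Constructed sample banners in the ':'-separated shape the dominoconsole
# match line expects; they are not real captures from the thread.
SAMPLE_WINDOWS = "server1/labb1:Windows/2003 5.2 Intel Pentium:12345:more"
SAMPLE_OTHER = "mailhost:Linux 2.6:99:more"

# Candidate match lines, tried in order as nmap-service-probes does: the
# tight one first (splits "host/domain", emits a normalised o/Windows/),
# the loosened one last as a fallback. Templates use nmap's $N references.
MATCH_LINES = [
    (re.compile(r"^([^:/]*)/([^:]*):Windows/(\S+)[^:]*:[^:]+:.*$"),
     {"p": "Lotus Domino Console", "h": "$1", "o": "Windows",
      "i": "Domino domain: $2, Windows $3"}),
    (re.compile(r"^([^:/]*)(?:/([^:]*))?:([^:]*):[^:]+:.*$"),
     {"p": "Lotus Domino Console", "h": "$1", "o": "$3",
      "i": "Domino domain: $2"}),
]


def expand(template: str, m: re.Match) -> Optional[str]:
    """Substitute $N with capture groups; None if a referenced group is empty."""
    missing = False

    def sub(ref: re.Match) -> str:
        nonlocal missing
        val = m.group(int(ref.group(1)))
        if not val:
            missing = True
        return val or ""

    out = re.sub(r"\$(\d+)", sub, template)
    return None if missing else out


def fill_fields(banner: str) -> Optional[dict]:
    """Return the version fields for the first match line that hits, dropping
    fields whose template referenced a group that did not capture anything."""
    for regex, template in MATCH_LINES:
        m = regex.match(banner)
        if m:
            fields = {k: expand(t, m) for k, t in template.items()}
            return {k: v for k, v in fields.items() if v is not None}
    return None


if __name__ == "__main__":
    for banner in (SAMPLE_WINDOWS, SAMPLE_OTHER):
        print(banner, "->", fill_fields(banner))
```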