Nmap Development mailing list archives

Re: Services matched by script--show a service fingerprint?


From: ambarisha b <b.ambarisha () gmail com>
Date: Sun, 3 Apr 2011 03:34:38 +0530

Hi,

I have looked into this, but as far as I could read, it should be
working as intended, i.e. if there is a match in the scripts, the
fingerprint doesn't get displayed. From the code, when we run a service
probe against a port, we're saving the results (if any) using
setServiceProbeResults(), whose last parameter is the fingerprint. If
the fingerprint wasn't properly matched we're passing it on to
setServiceProbeResults(); otherwise we just pass NULL, which means the
fingerprint wouldn't be displayed as it was matched. So, what is
currently happening, in this particular case, is that service_scan will
set the fingerprint for the port. But after that, when the
skypev2-version.nse script is run, it will try to set what it has
found for the port. If there is a match it will pass the fingerprint
argument as NULL, which will overwrite the previously set
fingerprint. Finally, we wouldn't be printing the fingerprint and there
shouldn't be a problem.

To verify this, I set up a skype2.1Beta on a local test bed and tried
to fingerprint the service. This was what I got (see port 6666):

$ nmap -sV localhost

Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-04-03 02:56 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00040s latency).
Other addresses for localhost (not scanned): 127.0.0.1
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 989 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     Pure-FTPd
22/tcp    open  ssh     OpenSSH 5.5p1 Debian 4ubuntu5 (protocol 2.0)
25/tcp    open  smtp    Sendmail 8.14.3/8.14.3/Debian-9.2ubuntu1
80/tcp    open  http    Apache httpd 2.2.16 ((Ubuntu))
443/tcp   open  https?
587/tcp   open  smtp    Sendmail 8.14.3/8.14.3/Debian-9.2ubuntu1
631/tcp   open  ipp     CUPS 1.4
3306/tcp  open  mysql   MySQL 5.1.49-1ubuntu8.1
6666/tcp  open  skype2  Skype
8000/tcp  open  socks5  (No authentication; connection failed)
49152/tcp open  upnp    Portable SDK for UPnP devices 1.6.6 (kernel
2.6.35-28-generic; UPnP 1.0)
Service Info: Host: localhost6.localdomain6; OSs: Linux, Unix

Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 156.36 seconds

(I couldn't make it run on 80 and 443 because a webserver was running
which was not to be disturbed. So, I modified my skypev2-version.nse's
port rule to run against 6666 also. This is with the SVN build and the
bug was on 5.50.)
The fingerprint was not printed. I could verify that service_scan is
generating a fingerprint to submit, but it isn't getting displayed
ultimately. It is being overridden by the skype script's "NULL"
fingerprint.

What do you say?

Cheers
Ambarish

On Fri, Apr 1, 2011 at 8:41 AM, David Fifield <david () bamsoftware com> wrote:
On Sun, Mar 27, 2011 at 02:39:03PM -0700, David Fifield wrote:
Dhruval Gandhi's screenshot at http://seclists.org/nmap-dev/2011/q1/1014
shows port 80 being matched as skype2 by the skypev2-version.nse script,
but a service fingerprint is being shown anyway.

We usually get a bunch of Skype service submissions in each batch, which
I have to ignore because service detection can't match it (that's what
skypev2-version.nse is for, after all). I thought that perhaps the
script was failing for some reason, but now I see that if a service
produces output, it can cause a fingerprint to be displayed even when a
script later matches the service.

Should it work this way? How about hiding the fingerprint (and request
to submit it) when a service is hardmatched by NSE?

Okay, we've had some agreement that the fingerprint shouldn't be shown
in this case. I'm going to suggest that this would make a good starter
task for a feature creeper / bug wrangler in the Summer of Code. So, you
applicants, this is a nice easy problem to analyze and solve. First, you
need to find where the service fingerprint is printed, then look at the
conditions that make it be printed or not, and modify the condition so
that it is false when there is a service match from a script.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

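The bookkeeping both messages describe, as an added toy model written for this archive page and not taken from nmap's source: a port first receives a fingerprint from service_scan because no signature matched, then an NSE version script hardmatches the port and passes NULL for the fingerprint, and the print condition David suggests hides the fingerprint whenever a script hardmatched the port. Every name in the block (the ProbeState values, PortResult, the parameter list of setServiceProbeResults, shouldPrintFingerprint, the sample fingerprint string) is an assumption chosen for the model, not nmap's actual declarations.

```cpp
#include <cstddef>
#include <string>

// Toy model of the thread's description; these are NOT nmap's declarations.
enum ProbeState {
    PROBE_UNMATCHED,    // service_scan finished without a signature match
    PROBE_HARDMATCHED   // a version probe, or an NSE version script, matched
};

struct PortResult {
    ProbeState state;
    std::string service;      // matched service name, e.g. "skype2"
    std::string fingerprint;  // fingerprint offered for submission, if any
    bool matchedByScript;     // true once an NSE script hardmatched the port
};

PortResult freshPort() {
    PortResult p;
    p.state = PROBE_UNMATCHED;
    p.matchedByScript = false;
    return p;
}

// Mirrors the call the thread describes: the last parameter is the
// fingerprint, and callers pass NULL when the service was matched. A NULL
// fingerprint overwrites whatever fingerprint was stored for the port.
void setServiceProbeResults(PortResult &p, ProbeState state, const char *sname,
                            const char *fingerprint, bool fromScript) {
    p.state = state;
    if (sname) p.service = sname;
    p.fingerprint = fingerprint ? fingerprint : "";
    if (fromScript && state == PROBE_HARDMATCHED) p.matchedByScript = true;
}

// The condition David proposes: print the fingerprint (and the request to
// submit it) only when one was recorded AND no script hardmatched the port.
bool shouldPrintFingerprint(const PortResult &p) {
    return !p.fingerprint.empty() && !p.matchedByScript;
}

// Scenario from the thread: service_scan cannot identify Skype and stores a
// fingerprint; afterwards skypev2-version.nse hardmatches the port as skype2.
bool fingerprintShownAfterScriptMatch() {
    PortResult p = freshPort();
    const char *fp = "SF-Port6666-TCP:constructed-sample-fingerprint";  // constructed, not a real capture
    setServiceProbeResults(p, PROBE_UNMATCHED, NULL, fp, false);
    // The script matched, so it passes NULL as the fingerprint argument.
    setServiceProbeResults(p, PROBE_HARDMATCHED, "skype2", NULL, true);
    return shouldPrintFingerprint(p);   // false: nothing to submit
}

// Control case: no script ever matched, so the stored fingerprint is shown.
bool fingerprintShownWithoutMatch() {
    PortResult p = freshPort();
    const char *fp = "SF-Port443-TCP:constructed-sample-fingerprint";  // constructed, not a real capture
    setServiceProbeResults(p, PROBE_UNMATCHED, NULL, fp, false);
    return shouldPrintFingerprint(p);   // true: unmatched, fingerprint printed
}
```

The model keeps both mechanisms from the thread on purpose: Ambarish's reading (the NULL overwrite empties the stored fingerprint) and David's suggested guard (a script hardmatch suppresses printing even if a fingerprint were still present), so the fingerprint disappears in the script-match case whichever of the two paths the real code takes.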