Nmap Development mailing list archives
Re: salt in version probes
From: David Fifield <david () bamsoftware com>
Date: Wed, 27 Apr 2011 19:33:47 -0700
On Sun, Jan 16, 2011 at 11:17:25AM +0200, Toni Ruottu wrote:
Here are two version probes I have created for NAT traversal services STUN and Teredo. I am not sure what would be good rarity values. The ports are standardized so I assume it is very common to have the services on those ports. I have not written any match lines yet, and I am not sure how to write really good ones. Could we include these in the release, recommend people to try scanning STUN and Teredo services, and get some match data posted to the database? How does the database work? Who has access to it? Does it have some automatic support for creating regular expressions? Please try running something like... nmap -sU -sV -p 3544,3478 teredo-debian.remlab.net teredo.ipv6.microsoft.com stun.xten.com stun1.noc.ams-ix.net stun.fwd.org stun.voipbuster.com stun01.sipphone.com stun.voxgratia.org -PN ...after including the probes to check that they work. Preferably, check with Wireshark that the sent probes seem sensible. The STUN specification mentions TCP based STUN servers, but I am not aware of any. Also I am not sure about the ssl ports thing. STUN specification discusses them. Does ssl work over udp?
I tried these probes with the example scan you gave. All the server answered to one of the probes except stun.fwd.org and stun01.sipphone.com. Do you get the same? These probes are probably fine, but I don't want to add them without any matchlines. It's kind of a minimum barrier to entry to try a new probe against a known server and add a match for it. (And ideally, try it against two different servers, and get distinguishable responses.) I notice that some of the stun-br responses contain the string "Vovida\.org\x200\.96\", which looks like a nice server name and version number for http://www.voip-info.org/wiki/view/Vovida.org+STUN+server. So if you can test that, we'll add the probe. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: salt in version probes David Fifield (Apr 27)
- Re: salt in version probes Toni Ruottu (May 03)
- Re: salt in version probes David Fifield (May 03)
- Re: salt in version probes Toni Ruottu (May 04)
- Re: salt in version probes Toni Ruottu (May 05)
- Re: salt in version probes David Fifield (May 03)
- Re: salt in version probes Toni Ruottu (May 03)