Nmap Development mailing list archives

Re: salt in version probes


From: David Fifield <david () bamsoftware com>
Date: Wed, 27 Apr 2011 19:33:47 -0700

On Sun, Jan 16, 2011 at 11:17:25AM +0200, Toni Ruottu wrote:
> Here are two version probes I have created for NAT traversal services
> STUN and Teredo. I am not sure what would be good rarity values. The
> ports are standardized so I assume it is very common to have the
> services on those ports. I have not written any match lines yet, and I
> am not sure how to write really good ones.
>
> Could we include these in the release, recommend that people try
> scanning STUN and Teredo services, and get some match data posted to
> the database? How does the database work? Who has access to it? Does
> it have some automatic support for creating regular expressions?
>
> Please try running something like...
> nmap -sU -sV -p 3544,3478 teredo-debian.remlab.net
> teredo.ipv6.microsoft.com stun.xten.com stun1.noc.ams-ix.net
> stun.fwd.org stun.voipbuster.com stun01.sipphone.com
> stun.voxgratia.org -PN
> ...after including the probes, to check that they work. Preferably,
> check with Wireshark that the sent probes seem sensible.
>
> The STUN specification mentions TCP-based STUN servers, but I am not
> aware of any. Also I am not sure about the SSL ports thing. The STUN
> specification discusses them. Does SSL work over UDP?

I tried these probes with the example scan you gave. All the servers
answered one of the probes except stun.fwd.org and
stun01.sipphone.com. Do you get the same?

These probes are probably fine, but I don't want to add them without any
match lines. It's kind of a minimum barrier to entry to try a new probe
against a known server and add a match for it. (And ideally, try it
against two different servers, and get distinguishable responses.) I
notice that some of the stun-br responses contain the string
"Vovida\.org\x200\.96\", which looks like a nice server name and version
number for http://www.voip-info.org/wiki/view/Vovida.org+STUN+server. So
if you can test that, we'll add the probe.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
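As an added worked example, not code from this thread, from Toni's probes or from Nmap itself: what a STUN Binding Request probe sends on the wire, a parser for the Binding Response that comes back, and how a server string like "Vovida.org 0.96" in that response maps onto an Nmap match line with a product and version. The nmap-service-probes entry (the probe name STUNBindingRequest, the rarity, the match regex) and the Binding Response are constructed here for illustration; the response is not a capture from any of the hosts listed above, and the real nmap-service-probes file may carry a different entry.

```python
"""STUN Binding Request / Response handling and an Nmap-style match line.

Added example for the nmap-dev thread above; not Nmap's own code.
The response bytes and the nmap-service-probes entry are constructed.
"""
import os
import re
import struct
from typing import Optional

STUN_MAGIC_COOKIE = 0x2112A442   # RFC 5389; RFC 3489 servers treat it as part of the txid
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_SOFTWARE = 0x8022           # SERVER in RFC 3489, renamed SOFTWARE in RFC 5389


def build_binding_request(transaction_id: Optional[bytes] = None) -> bytes:
    """Binding Request with no attributes: the 20-byte STUN header only."""
    if transaction_id is None:
        transaction_id = os.urandom(12)
    if len(transaction_id) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + transaction_id


def parse_stun_message(data: bytes) -> dict:
    """Parse the header and TLV attributes; reject anything not STUN-shaped."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    if msg_type & 0xC000:
        raise ValueError("top two bits of the STUN type must be zero")
    if len(data) != 20 + msg_len:   # length field counts attributes incl. padding
        raise ValueError("length field does not match datagram size")
    attrs, pos = {}, 20
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute value")
        attrs[atype] = value
        pos += 4 + ((alen + 3) & ~3)   # attribute values are padded to 4 bytes
    return {"type": msg_type, "cookie": cookie,
            "transaction_id": data[8:20], "attrs": attrs}


def software_string(msg: dict) -> Optional[str]:
    raw = msg["attrs"].get(ATTR_SOFTWARE)
    return raw.decode("utf-8", "replace") if raw is not None else None


def mapped_address(msg: dict):
    """IPv4 MAPPED-ADDRESS as (ip, port); None if absent or not IPv4."""
    raw = msg["attrs"].get(ATTR_MAPPED_ADDRESS)
    if raw is None or len(raw) < 8 or raw[1] != 0x01:
        return None
    port = struct.unpack("!H", raw[2:4])[0]
    return ".".join(str(b) for b in raw[4:8]), port


def build_sample_response(transaction_id: bytes) -> bytes:
    """Constructed Binding Response carrying a Vovida-style server string (not a capture)."""
    software = b"Vovida.org 0.96"
    padded = software + b"\x00" * ((4 - len(software) % 4) % 4)
    attrs = (struct.pack("!HHBBH4B", ATTR_MAPPED_ADDRESS, 8, 0, 1, 40000, 203, 0, 113, 7)
             + struct.pack("!HH", ATTR_SOFTWARE, len(software)) + padded)
    return struct.pack("!HHI", BINDING_RESPONSE, len(attrs), STUN_MAGIC_COOKIE) + transaction_id + attrs


# Illustrative nmap-service-probes entry (assumed shape, not the real file's text).
# The probe string is the 20-byte Binding Request above with an all-zero txid.
NMAP_PROBE_ENTRY = r"""
Probe UDP STUNBindingRequest q|\0\x01\0\0\x21\x12\xa4\x42\0\0\0\0\0\0\0\0\0\0\0\0|
rarity 5
ports 3478
match stun m|^\x01\x01.*\x80\x22..Vovida\.org\x20([\d.]+)|s p/Vovida.org STUN server/ v/$1/
"""
MATCH_LINE_RE = re.compile(r"^match (\S+) m\|(.+?)\|([is]*) p/([^/]*)/ v/([^/]*)/", re.M)


def apply_match_line(entry: str, response: bytes) -> Optional[dict]:
    """Run the entry's match regex over a response the way Nmap would; None if no match."""
    m = MATCH_LINE_RE.search(entry)
    if not m:
        raise ValueError("no match line in entry")
    service, pattern, opts, product, version = m.groups()
    flags = (re.S if "s" in opts else 0) | (re.I if "i" in opts else 0)
    hit = re.compile(pattern.encode("latin-1"), flags).search(response)
    if not hit:
        return None

    def fill(template: str) -> str:   # expand $1, $2 ... from capture groups
        return re.sub(r"\$(\d)", lambda g: hit.group(int(g.group(1))).decode("latin-1"), template)

    return {"service": service, "product": fill(product), "version": fill(version)}


if __name__ == "__main__":
    txid = os.urandom(12)
    resp = build_sample_response(txid)
    msg = parse_stun_message(resp)
    assert msg["transaction_id"] == txid    # Wireshark check: txid echoed back
    print("software:", software_string(msg))
    print("mapped:", mapped_address(msg))
    print("match:", apply_match_line(NMAP_PROBE_ENTRY, resp))
```

Two things to check before submitting a probe like this: parse the request you send with parse_stun_message (a sane probe is exactly 20 bytes, type 0x0001, no attributes), and anchor the match regex on the response type bytes rather than only on the server string, so a Binding Error Response or an unrelated UDP service that happens to echo "Vovida" cannot satisfy it.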

