Nmap Development mailing list archives
Re: salt in version probes
From: Toni Ruottu <toni.ruottu () iki fi>
Date: Tue, 3 May 2011 17:38:54 +0300
I tried these probes with the example scan you gave. All the servers answered to one of the probes except stun.fwd.org and stun01.sipphone.com. Do you get the same?
Those seem to be unreachable. You can try with regular stun by commanding

    stun stun01.sipphone.com

On Ubuntu I can install it with...

    apt-get install stun
These probes are probably fine, but I don't want to add them without any matchlines. It's kind of a minimum barrier to entry to try a new probe against a known server and add a match for it. (And ideally, try it against two different servers, and get distinguishable responses.) I notice that some of the stun-br responses contain the string "Vovida\.org\x200\.96\", which looks like a nice server name and version number for http://www.voip-info.org/wiki/view/Vovida.org+STUN+server. So if you can test that, we'll add the probe.
I think it is impossible to do a regexp that would match the fields accurately because they have length prefixes, and the regexp would need to take into account that the fields might be in different orders, and skip fields. On the other hand we may just have the regexp look for the string "Vovida.org", but in theory this string might exist in some field with the wrong type. I suppose we are okay with that?
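The trade-off discussed in this message, as an added example that is not part of the original post or of Nmap: a type-length-value walk over a STUN response finds the server string regardless of attribute order, while a bare substring regexp also fires on a field of the wrong type. Assumptions: the string is carried in attribute 0x8022 (SOFTWARE in RFC 5389), the sample messages are constructed, and 0x7F01 is a made-up attribute type.

```python
import re
import struct

SOFTWARE = 0x8022  # assumed carrier of the server string (RFC 5389 SOFTWARE)
NAIVE = re.compile(rb"Vovida\.org")  # the simple substring match discussed above

def attributes(msg):
    """Yield (type, value) for each TLV attribute in a STUN message."""
    if len(msg) < 20:
        raise ValueError("shorter than the 20-byte STUN header")
    _msg_type, body_len = struct.unpack_from("!HH", msg, 0)
    end = 20 + body_len
    if end > len(msg):
        raise ValueError("header length exceeds the datagram")
    off = 20
    while off + 4 <= end:
        a_type, a_len = struct.unpack_from("!HH", msg, off)
        off += 4
        if off + a_len > end:
            raise ValueError("attribute overruns the message")
        yield a_type, msg[off:off + a_len]
        off += (a_len + 3) & ~3  # values are padded to a 4-byte boundary

def software(msg):
    """Return the SOFTWARE string, or None if the attribute is absent."""
    for a_type, value in attributes(msg):
        if a_type == SOFTWARE:
            return value.rstrip(b"\x00").decode("ascii", "replace")
    return None

def build(attrs):
    """Build a constructed Binding Response (type 0x0101) for the demo."""
    body = b"".join(
        struct.pack("!HH", t, len(v)) + v + b"\x00" * (-len(v) % 4)
        for t, v in attrs)
    return struct.pack("!HH", 0x0101, len(body)) + bytes(16) + body

# Constructed samples: same string, different attribute type and order.
MAPPED = (0x0001, bytes.fromhex("00010d96c0000201"))  # 192.0.2.1:3478
GENUINE = build([MAPPED, (SOFTWARE, b"Vovida.org 0.96\x00")])
REORDERED = build([(SOFTWARE, b"Vovida.org 0.96\x00"), MAPPED])
DECOY = build([(0x7F01, b"Vovida.org\x00\x00"), MAPPED])  # hypothetical type

if __name__ == "__main__":
    for name, msg in (("genuine", GENUINE), ("reordered", REORDERED),
                      ("decoy", DECOY)):
        print(name, "regexp:", bool(NAIVE.search(msg)),
              "parsed:", software(msg))
```

The regexp reports a hit on all three samples; the parser returns the version string for the first two and nothing for the decoy.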