Nmap Development mailing list archives
Re: salt in version probes
From: Toni Ruottu <toni.ruottu () iki fi>
Date: Wed, 4 May 2011 16:38:09 +0300
> These probes are probably fine, but I don't want to add them without any matchlines. It's kind of a minimum barrier to entry to try a new probe against a known server and add a match for it. (And ideally, try it against two different servers, and get distinguishable responses.) I notice that some of the stun-br responses contain the string "Vovida\.org\x200\.96\", which looks like a nice server name and version number for http://www.voip-info.org/wiki/view/Vovida.org+STUN+server. So if you can test that, we'll add the probe.
I tested the stun probe with Vovida.org, and Jstun. Vovida.org is recognizable while Jstun seems too generic to be distinguished. I also tested Cornell stunt server, but it turned out to be too different to generate any kind of response. I could not get the server to compile, so I only tested that against a hosted version, however.

I have attached a file with the probe, and three match lines. One matches servers like Vovida that provide version information explicitly, one matches servers that are too generic to be distinguished from each other, and the last softmatch matches any valid binding success response, which would indicate that we have found a stun service, even if we do not know the product name or version.

You can try the probes with

    nmap -sU -sV -p 3478 stun.xten.com stun1.noc.ams-ix.net stun.voipbuster.com stun.voxgratia.org jstun.javawi.de -PN

The version information is a free form text field, and I am a bit worried that the product name and version number might be in different order sometimes or have multiple white spaces, but I have not seen such. Should we address that later when it becomes a problem?

This email only contains the stun probe and match lines. I will take a look at teredo separately.

cheers,
--Toni
Attachment: stun-version.txt
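Added example, not part of the original message or of the attached stun-version.txt: the decision behind the explicit-version match and the final softmatch described above, written in Python so the handling of the free-form version field (either order, repeated whitespace) is visible. The function names are hypothetical, the message type 0x0101 and the SOFTWARE attribute 0x8022 are taken from RFC 5389, the assumption is that the server reports its name and version in that attribute, and the sample responses are constructed.

```python
import re
import struct

BINDING_SUCCESS = 0x0101   # STUN Binding Success Response message type
ATTR_SOFTWARE = 0x8022     # SOFTWARE attribute (RFC 5389), free-form text
VERSION_RE = re.compile(r"^v?\d+(\.\d+)+$")

def parse_binding_success(payload):
    """Return {attr_type: value} for a valid Binding Success Response, else None."""
    if len(payload) < 20:
        return None
    msg_type, msg_len = struct.unpack("!HH", payload[:4])
    if msg_type != BINDING_SUCCESS or msg_len % 4 or msg_len != len(payload) - 20:
        return None
    attrs, pos = {}, 20                      # attributes follow the 20-byte header
    while pos < len(payload):
        a_type, a_len = struct.unpack("!HH", payload[pos:pos + 4])
        end = pos + 4 + a_len
        if end > len(payload):
            return None                      # attribute overruns the datagram
        attrs.setdefault(a_type, payload[pos + 4:end])
        pos = end + (-a_len % 4)             # values are padded to 4 bytes
    return attrs

def classify(payload):
    """Return (kind, product, version): 'match', 'softmatch' or 'none'."""
    attrs = parse_binding_success(payload)
    if attrs is None:
        return ("none", None, None)
    text = attrs.get(ATTR_SOFTWARE, b"").rstrip(b"\x00").decode("utf-8", "replace")
    tokens = text.split()                    # collapses runs of whitespace
    versions = [t for t in tokens if VERSION_RE.match(t)]
    names = [t for t in tokens if not VERSION_RE.match(t)]
    if versions and names:                   # order of name and version is free
        return ("match", " ".join(names), versions[0].lstrip("v"))
    return ("softmatch", "stun", None)       # valid response, unknown product

def build_sample(software=None):
    """Constructed sample response with an all-zero transaction ID."""
    body = b""
    if software is not None:
        raw = software.encode()
        body = struct.pack("!HH", ATTR_SOFTWARE, len(raw)) + raw
        body += b"\x00" * (-len(raw) % 4)
    return struct.pack("!HH", BINDING_SUCCESS, len(body)) + b"\x00" * 16 + body
```

A regular-expression match line cannot reorder tokens this way, so in nmap-service-probes the same tolerance would need an extra match line per ordering.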