Re: Java RMI service finderprint?

[Patrik Karlsson <patrik () cqure net>]

> Folks,
>
> I'm looking at finding different Java RMI servers on my network.
>
> With some help from Brandon we put together this fingerprint:
>
> ##############################NEXT PROBE##############################
> Probe TCP java-rmi q|\x4a\x52\x4d\x49\x00\x02\x4b|
> rarity 7
> ports 1024-65535
>
> match java-rmi m|^\x4e\0[\x00-\x0f]([0-9.]+)\0| p/Java Remote Method
> Invocation/ i/Client IP: $1/
>
> But, I noticed that these already existed:
>
> ##############################NEXT PROBE##############################
> Probe TCP JavaRMI q|\x4a\x52\x4d\x49\0\x02\x4b|
> rarity 8
> ports 706,1098,1099,1981
>
> match jrmi m|^\x4e..[0-9.]+\0\0..$|s p/Java RMI/
> match jrmi m|^\x4e..([\w._-]+)\0\0..$|s p/GNU Classpath grmiregistry/
> h/$1/
>
> There really isnt a well known port for Java RMI. So... I'm wondering what
> history there is for the choice of ports and if its possible to open up
> the
> idea of expanding these to look at all the non-priv ports.

I skimmed through the nmap-service-probes file and couldn't find another
case where such a broad range was specified.
Wouldn't it have a considerable impact on overall scan times?
I think this is another case that would qualify for the force or "named
probe" approach where selected probes or scripts could be selected to run
against every open port.
I tried to look at implementing and estimating the effort for writing a
PoC for "named probes" but didn't get very far and I'm back working on
some more scripts instead.

> Thanks,
> gabe
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/

//Patrik

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77




_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/