Nmap Development mailing list archives
Re: [NSE] isakmp aggressive mode and version detection
From: David Fifield <david () bamsoftware com>
Date: Thu, 20 Dec 2012 20:39:05 -0800
On Mon, Dec 17, 2012 at 09:17:39PM +0100, Jesper Kückelhahn wrote:
> Hmmm, it seems I have some issues attaching files. I'll try attaching them once again.
This looks nice. In a version script, you should set product, vendor, version, etc. separately, and not put all the information in the product field. Check the XML output to see how it breaks down.

The structure of the fingerprints file seems funny to me. Here is a sample entry:

    table.insert(fingerprints, {
      category = 'fingerprint',
      vendor = 'Checkpoint',
      version = 'Firewall-1',
      vids = {
        ['4.1 Base']    = '^f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000000020000000000000000........',
        ['4.1 SP1']     = '^f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000000030000000000000000........',
        ['4.1 SP2-SP6'] = '^f4ed19e0c114eb516faaac0ee37daf2807b4381f0000000100000fa20000000000000000........',
        ['NG Base']     = '^f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000013880000000000000000........',
        ['NG FP1']      = '^f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000013890000000000000000........',
        ['NG FP2']      = '^f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138a0000000000000000........',
        ['NG FP3']      = '^f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138b0000000000000000........',
        ['NG AI R54']   = '^f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138c0000000000000000........',
        ['NG AI R55']   = '^f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d0000000000000000........',
      }
    });

The way I think of such a database is as a list of byte patterns, each one having an associated set of data like product, vendor, and version. This format seems to use a common vendor and "version" (I guess this "version" is what Nmap usually calls the "product") for a list of actual version numbers. Maybe it makes sense to use a common block of data for multiple fingerprints, but this format is confusing. Suppose a certain fingerprint matches two different vendors, how do you represent that?

For each fingerprint, you should store all the information that you can potentially set about a port. In other words, these fields:
http://nmap.org/book/nse-api.html#scripting-tbl-port-version-values

In particular, it should be possible to set "cpe" in the fingerprints file.

What's the difference between category='fingerprint' and category='attribute'?

David Fifield

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
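The layout the reply argues for, as an added illustration that is neither the thread's code nor the script under review: one entry per byte pattern, each carrying every port.version field it can set, with a matcher that returns all hits so that a pattern shared by two vendors is represented as two entries rather than lost. The Check Point patterns are the ones quoted above; the cpe strings, the entry marked as constructed, the sample Vendor ID and the function names are assumptions made here for illustration.

```lua
-- Added example, not from the thread or from the isakmp script under review.
-- Fingerprint list in the per-pattern layout the reply suggests. The two
-- Check Point patterns are the ones quoted in the thread; the cpe strings
-- are assumed values and the third entry is a constructed placeholder.
local fingerprints = {
  {
    pattern = "^f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000000020000000000000000........",
    vendor  = "Checkpoint",
    product = "Firewall-1",
    version = "4.1 Base",
    cpe     = { "cpe:/a:checkpoint:firewall-1:4.1" },   -- assumed cpe
  },
  {
    pattern = "^f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000013880000000000000000........",
    vendor  = "Checkpoint",
    product = "Firewall-1",
    version = "NG Base",
    cpe     = { "cpe:/a:checkpoint:firewall-1:ng" },    -- assumed cpe
  },
  {
    -- Constructed placeholder sharing the NG Base pattern. It exists only to
    -- show how a pattern that maps to two vendors is represented: as two
    -- entries, both of which match_vid returns.
    pattern = "^f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000013880000000000000000........",
    vendor  = "ExampleVendor",
    product = "ExampleProduct",
    version = "1.0",
    cpe     = {},
  },
}

-- vid_hex is the Vendor ID payload as a lowercase hex string (in the script
-- that would be stdnse.tohex(payload)). Every matching entry is returned,
-- not just the first, so ambiguous patterns are reported rather than lost.
local function match_vid(vid_hex)
  local hits = {}
  for _, fp in ipairs(fingerprints) do
    if vid_hex:match(fp.pattern) then
      hits[#hits + 1] = fp
    end
  end
  return hits
end

-- Copy one hit into the separate fields of a port.version-style table
-- instead of concatenating everything into product. port.version has no
-- vendor field, so vendor is folded into product; version and cpe stay
-- separate so they appear as their own attributes in the XML output.
-- In a real script the argument is port.version and the call is followed
-- by nmap.set_port_version(host, port).
local function apply_version(version, fp)
  version.name    = "isakmp"
  version.product = fp.vendor .. " " .. fp.product
  version.version = fp.version
  version.cpe     = fp.cpe
  return version
end

-- Constructed sample: the NG Base VID followed by eight arbitrary hex digits
-- standing in for the trailing "........" part of the pattern.
local sample = "f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000013880000000000000000deadbeef"

local hits = match_vid(sample)
print(("%d fingerprint(s) matched"):format(#hits))
for _, fp in ipairs(hits) do
  local v = apply_version({}, fp)
  print(("  product=%q version=%q cpe=%s"):format(
    v.product, v.version, table.concat(v.cpe, ",")))
end
```

Run with a stand-alone Lua interpreter; the sample VID matches both the NG Base entry and the constructed placeholder, so two hits are printed. Dropping the placeholder entry gives the single Check Point match a real scan would produce. A script that only ever took the first hit would silently hide the second vendor, which is the ambiguity the reply asks how the file format represents.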
Current thread:
- [NSE] isakmp aggressive mode and version detection Jesper Kückelhahn (Dec 08)
- Re: [NSE] isakmp aggressive mode and version detection Fyodor (Dec 10)
- Re: [NSE] isakmp aggressive mode and version detection Jesper Kückelhahn (Dec 11)
- Re: [NSE] isakmp aggressive mode and version detection Jesper Kückelhahn (Dec 14)
- Re: [NSE] isakmp aggressive mode and version detection Jesper Kückelhahn (Dec 14)
- Re: [NSE] isakmp aggressive mode and version detection Jesper Kückelhahn (Dec 17)
- Re: [NSE] isakmp aggressive mode and version detection David Fifield (Dec 20)
- Re: [NSE] isakmp aggressive mode and version detection Jesper Kückelhahn (Dec 21)
- Re: [NSE] isakmp aggressive mode and version detection David Fifield (Dec 21)
- Re: [NSE] isakmp aggressive mode and version detection Jesper Kückelhahn (Dec 23)
- Re: [NSE] isakmp aggressive mode and version detection David Fifield (Dec 23)
- Re: [NSE] isakmp aggressive mode and version detection Jesper Kückelhahn (Dec 31)
- Re: [NSE] isakmp aggressive mode and version detection Jesper Kückelhahn (Dec 11)
- Re: [NSE] isakmp aggressive mode and version detection Fyodor (Dec 10)