Nmap Development mailing list archives
Re: Service Check
From: John Bond <john.r.bond () gmail com>
Date: Wed, 4 Dec 2013 20:36:27 +0100
Hi Dan,

I checked all the root servers which gives a pretty good cover and I get the same bind results for in both[2].

Thanks
John

[1] http://pastebin.com/Y3rc13Tu

On 4 December 2013 13:56, Daniel Miller <bonsaiviking () gmail com> wrote:
John,

A combination of -d and --version-trace flags showed which line was being matched:

Service scan sending probe DNSVersionBindReq to 199.7.83.42:53 (tcp)
NSOCK INFO [6.5500s] nsock_read(): Read request from IOD #1 [199.7.83.42:53] (timeout: 5000ms) EID 34
NSOCK INFO [6.5500s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [199.7.83.42:53]
NSOCK INFO [6.5830s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 34 [199.7.83.42:53] (55 bytes): .5.............version.bind..................NSD 3.2.15
Service scan match (Probe DNSVersionBindReq matched with DNSVersionBindReq line 9619): 199.7.83.42:53 is domain. Version: |ISC BIND|NSD 3.2.15||

Would you mind trying this patch? It works for me, but if you could make sure it doesn't break existing ISC BIND matches, that would be great, too. Some of the lines looked like they were out of order, with more generic matches preceding specific ones:

diff --git a/nmap-service-probes b/nmap-service-probes index 38cf1a7..3f2f326 100644 --- a/nmap-service-probes +++ b/nmap-service-probes 
@@ -9616,8 +9616,9 @@ match domain m|^....\x85\x80\0\x01\0\x01\0\0\0\0\x07version\x04bind\0\0\x10\0\x0 # Has to come before BIND matches. match domain m|^..\0\x06\x81\x80\0\x01\0\x01\0\0\0\0\x07version\x04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x0e.unbound ([\w._-]+)$| p/Unbound/ v/$1/ -match domain m|\x07version\x04bind.*[\x03-\x14]([-\w._ ]{3,20})|s p/ISC BIND/ v/$1/ cpe:/a:isc:bind:$1/ match domain m|\x07version\x04bind.*[\x03-\x14]BIND ([-\w._]{3,20})|s p/ISC BIND/ v/$1/ cpe:/a:isc:bind:$1/ +match domain m|\x07version\x04bind.*[\x03-\x14]NSD ([-\w._]{3,20})|s p/NLnet Labs NSD/ v/$1/ cpe:/a:nlnet:nsd:$1/ +match domain m|\x07version\x04bind.*[\x03-\x14]([-\w._ ]{3,20})|s p/ISC BIND/ v/$1/ cpe:/a:isc:bind:$1/ # ISC Bind 9.1.3 match domain m|\x07version\x04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x01\0| p/ISC BIND/ v/9.X/ cpe:/a:isc:bind:9/ match domain m|^..\0\x06\x85\0\0\x01\0\x01\0\x01\0\0\x07version\x04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0...[\w._-]+-RedHat-([\w._-]+\.el5_[\w._-]+)\xc0\x0c\0\x02\0\x03\0\0\0\0\0\x02\xc0\x0c|s p/ISC BIND/ v/$1/ o/Red Hat Enterprise Linux/ cpe:/a:isc:bind:$1/ cpe:/o:redhat:enterprise_linux/

Regarding -i vs -iL, from the changelog for Nmap 2.3BETA12 [2000-01-01]:

o The -i (input from list) option has been deprecated. From now on you should use -iL [filename] to read from a list or -iR to have Nmap generate random IPs to scan. This -iR option is new.

Dan

On Wed, Dec 4, 2013 at 5:57 AM, John Bond <john.r.bond () gmail com> wrote:

Hello All,

I just noticed that there seems to be an incorrect service check. For NSD

sudo nmap/bin/nmap -sV -PE -p53 l.root-servers.net.

Starting Nmap 6.41SVN ( http://nmap.org ) at 2013-12-04 11:50 UTC
Nmap scan report for l.root-servers.net. (199.7.83.42)
Host is up (0.00092s latency).
rDNS record for 199.7.83.42: l.root-servers.net
PORT   STATE SERVICE VERSION
53/tcp open  domain  ISC BIND NSD 3.2.15

I think it's probably just a typo.
The server is running NSD, which is developed by nlnetlabs and is not related to ISC or BIND. It looks like you get the same results regardless of which version of NSD is scanned. Couldn't see anything obvious in nmap/nmap-service-probes but I'm not too familiar with the format.

On a different note, is the -i flag an alias to -iL? I couldn't see reference to -i in the man page.

John

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
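Review bot: The relocated catch-all (the second "+" line in the patch above) still reports p/ISC BIND/ with cpe:/a:isc:bind:$1/ for every version.bind string that does not start with "BIND " or "NSD ", so the next non-BIND server with an unlisted banner will be misreported the same way NSD was, and its banner text will end up inside an ISC BIND CPE. It also still sits ahead of the anchored RedHat line in the trailing context, which is more specific than it. Consider moving the catch-all to the end of the version.bind matches and dropping the cpe from it, so that only the lines that actually identify the product emit one.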
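The effect of match-line order that Daniel describes, as an added example that is not part of the original thread or of Nmap's code: the three regexes are copied from the patch, Python's re module stands in for the regex engine Nmap uses, and the reply bytes and the function names (version_bind_reply, first_match) are constructed for illustration.

```python
import re
import struct

def version_bind_reply(txt: bytes) -> bytes:
    """Build a constructed DNS-over-TCP reply to a CHAOS TXT version.bind query."""
    header = struct.pack(">HHHHHH", 0x0006, 0x8580, 1, 1, 0, 0)
    question = b"\x07version\x04bind\x00" + struct.pack(">HH", 16, 3)  # TXT, CH
    rdata = bytes([len(txt)]) + txt                                    # one TXT string
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 16, 3, 0, len(rdata)) + rdata
    msg = header + question + answer
    return struct.pack(">H", len(msg)) + msg                           # TCP length prefix

# Regexes from the three match lines in the patch; the "s" flag maps to re.DOTALL.
GENERIC = (rb"\x07version\x04bind.*[\x03-\x14]([-\w._ ]{3,20})", "ISC BIND")
BIND = (rb"\x07version\x04bind.*[\x03-\x14]BIND ([-\w._]{3,20})", "ISC BIND")
NSD = (rb"\x07version\x04bind.*[\x03-\x14]NSD ([-\w._]{3,20})", "NLnet Labs NSD")

BEFORE = [GENERIC, BIND]        # file order before the patch
AFTER = [BIND, NSD, GENERIC]    # file order after the patch

def first_match(rules, data: bytes):
    """Return (product, version) from the first rule that matches, in list order."""
    for pattern, product in rules:
        m = re.search(pattern, data, re.DOTALL)
        if m:
            return product, m.group(1).decode("ascii")
    return None

if __name__ == "__main__":
    # Constructed banners: the NSD string from the thread plus two BIND-style strings.
    for banner in (b"NSD 3.2.15", b"BIND 9.9.4", b"9.9.4-P1"):
        reply = version_bind_reply(banner)
        print(banner.decode(), "| before:", first_match(BEFORE, reply),
              "| after:", first_match(AFTER, reply))
```

With the catch-all first, the BIND-specific line is never reached for a "BIND x.y" banner either, so the reorder changes the extracted version there as well as the NSD product name.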