Nmap Development mailing list archives

Re: Service Check


From: John Bond <john.r.bond () gmail com>
Date: Wed, 4 Dec 2013 20:36:27 +0100

Hi Dan,

I checked all the root servers, which gives pretty good cover, and I
get the same bind results in both [2].

Thanks, John

[1] http://pastebin.com/Y3rc13Tu

On 4 December 2013 13:56, Daniel Miller <bonsaiviking () gmail com> wrote:
John,

A combination of -d and --version-trace flags showed which line was
being matched:

Service scan sending probe DNSVersionBindReq to 199.7.83.42:53 (tcp)
NSOCK INFO [6.5500s] nsock_read(): Read request from IOD #1
[199.7.83.42:53] (timeout: 5000ms) EID 34
NSOCK INFO [6.5500s] nsock_trace_handler_callback(): Callback: WRITE
SUCCESS for EID 27 [199.7.83.42:53]
NSOCK INFO [6.5830s] nsock_trace_handler_callback(): Callback: READ
SUCCESS for EID 34 [199.7.83.42:53] (55 bytes):
.5.............version.bind..................NSD 3.2.15
Service scan match (Probe DNSVersionBindReq matched with
DNSVersionBindReq line 9619): 199.7.83.42:53 is domain.  Version: |ISC
BIND|NSD 3.2.15||

Would you mind trying this patch? It works for me, but if you could
make sure it doesn't break existing ISC BIND matches, that would be
great, too. Some of the lines looked like they were out of order, with
more generic matches preceding specific ones:

diff --git a/nmap-service-probes b/nmap-service-probes
index 38cf1a7..3f2f326 100644
--- a/nmap-service-probes
+++ b/nmap-service-probes
@@ -9616,8 +9616,9 @@ match domain
m|^....\x85\x80\0\x01\0\x01\0\0\0\0\x07version\x04bind\0\0\x10\0\x0
 # Has to come before BIND matches.
 match domain 
m|^..\0\x06\x81\x80\0\x01\0\x01\0\0\0\0\x07version\x04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x0e.unbound
([\w._-]+)$| p/Unbound/ v/$1/

-match domain m|\x07version\x04bind.*[\x03-\x14]([-\w._ ]{3,20})|s
p/ISC BIND/ v/$1/ cpe:/a:isc:bind:$1/
 match domain m|\x07version\x04bind.*[\x03-\x14]BIND ([-\w._]{3,20})|s
p/ISC BIND/ v/$1/ cpe:/a:isc:bind:$1/
+match domain m|\x07version\x04bind.*[\x03-\x14]NSD ([-\w._]{3,20})|s
p/NLnet Labs NSD/ v/$1/ cpe:/a:nlnet:nsd:$1/
+match domain m|\x07version\x04bind.*[\x03-\x14]([-\w._ ]{3,20})|s
p/ISC BIND/ v/$1/ cpe:/a:isc:bind:$1/
 # ISC Bind 9.1.3
 match domain m|\x07version\x04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x01\0|
p/ISC BIND/ v/9.X/ cpe:/a:isc:bind:9/
 match domain 
m|^..\0\x06\x85\0\0\x01\0\x01\0\x01\0\0\x07version\x04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0...[\w._-]+-RedHat-([\w._-]+\.el5_[\w._-]+)\xc0\x0c\0\x02\0\x03\0\0\0\0\0\x02\xc0\x0c|s
p/ISC BIND/ v/$1/ o/Red Hat Enterprise Linux/ cpe:/a:isc:bind:$1/
cpe:/o:redhat:enterprise_linux/
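Review bot: the reorder, not the new NSD line by itself, is what corrects the report: the unanchored generic line `m|\x07version\x04bind.*[\x03-\x14]([-\w._ ]{3,20})|s` used to sit above `BIND ([-\w._]{3,20})`, so it swallowed the whole TXT string "NSD 3.2.15" as a BIND version, which is exactly the "ISC BIND NSD 3.2.15" in the trace. Moved to the bottom it behaves as a fallback, but it still labels every version.bind string it does not recognise as ISC BIND, so the `p/ISC BIND/` on that line is a guess rather than a match; a comment beside it, in the style of the existing "# Has to come before BIND matches." above the Unbound line, would record that it must stay last so a later edit does not move it back up. Also worth a check before commit: the new `cpe:/a:nlnet:nsd:$1/` uses the vendor `nlnet`, while the original report names the developer as nlnetlabs; confirm which vendor string the CPE dictionary uses.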

Regarding -i vs -iL, from the changelog for Nmap 2.3BETA12 [2000-01-01]:

o The -i (input from list) option has been deprecated.  From now on
  you should use -iL [filename] to read from a list or -iR to have
  Nmap generate random IPs to scan.  This -iR option is new.

Dan

On Wed, Dec 4, 2013 at 5:57 AM, John Bond <john.r.bond () gmail com> wrote:
Hello All,

I just noticed that there seems to be an incorrect service check. For NSD:

sudo nmap/bin/nmap -sV -PE -p53 l.root-servers.net.

Starting Nmap 6.41SVN ( http://nmap.org ) at 2013-12-04 11:50 UTC
Nmap scan report for l.root-servers.net. (199.7.83.42)
Host is up (0.00092s latency).
rDNS record for 199.7.83.42: l.root-servers.net
PORT   STATE SERVICE VERSION
53/tcp open  domain  ISC BIND NSD 3.2.15

I think it's probably just a typo.  The server is running NSD, which is
developed by nlnetlabs and is not related to ISC or BIND.  It looks
like you get the same results regardless of which version of NSD is
scanned.  Couldn't see anything obvious in nmap/nmap-service-probes,
but I'm not too familiar with the format.

On a different note, is the -i flag an alias to -iL?  I couldn't see a
reference to -i in the man page.

John
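The first-match-wins ordering that Dan's patch above depends on, as an added example that is not part of this thread or of nmap's own code: a small Python re-implementation of how the three `match domain` lines from the patch are tried in order against a version.bind reply, run over constructed TCP responses rather than captures. The regexes and the p/ and v/ templates are copied from the patch; the response builder, the sample version strings, and the function names (`build_version_bind_response`, `fingerprint`, `version_column`, `report`) are assumptions of mine. Python's re handles these particular patterns the way nmap's PCRE does, with nmap's trailing `s` flag mapped to `re.DOTALL`. The constructed NSD reply comes out at 55 bytes, the same size the trace above reports for l.root-servers.net.

```python
import re

# The three "match domain" lines from the patch, reduced to
# (regex, product template, version template). The regexes are
# the patch's own; Python's re handles them like nmap's PCRE for
# these patterns, with nmap's trailing 's' flag mapped to re.DOTALL.
GENERIC_BIND = (rb"\x07version\x04bind.*[\x03-\x14]([-\w._ ]{3,20})",
                "ISC BIND", "$1")
EXPLICIT_BIND = (rb"\x07version\x04bind.*[\x03-\x14]BIND ([-\w._]{3,20})",
                 "ISC BIND", "$1")
NSD = (rb"\x07version\x04bind.*[\x03-\x14]NSD ([-\w._]{3,20})",
       "NLnet Labs NSD", "$1")

# Order of the lines before the patch (generic line first) and after it
# (generic line last). nmap stops at the first line that matches.
BEFORE_PATCH = [GENERIC_BIND, EXPLICIT_BIND]
AFTER_PATCH = [EXPLICIT_BIND, NSD, GENERIC_BIND]


def build_version_bind_response(version_text):
    """Constructed (not captured) TCP reply to a 'version.bind CH TXT' query.

    Layout: 2-byte TCP length, 12-byte DNS header, the question, and one
    TXT answer whose rdata is a length-prefixed string. The regexes key on
    that length byte, which is what '[\\x03-\\x14]' matches.
    """
    txt = version_text.encode("ascii")
    if not 1 <= len(txt) <= 255:
        raise ValueError("TXT string must fit in one length-prefixed chunk")
    header = (b"\x00\x05"        # transaction ID (arbitrary)
              + b"\x85\x80"      # response, authoritative, RD/RA set
              + b"\x00\x01"      # 1 question
              + b"\x00\x01"      # 1 answer
              + b"\x00\x00"      # 0 authority
              + b"\x00\x00")     # 0 additional
    question = b"\x07version\x04bind\x00" + b"\x00\x10" + b"\x00\x03"  # TXT, CH
    rdata = bytes([len(txt)]) + txt
    answer = (b"\xc0\x0c"                    # pointer back to the question name
              + b"\x00\x10" + b"\x00\x03"    # TXT, CH
              + b"\x00\x00\x00\x00"          # TTL 0
              + len(rdata).to_bytes(2, "big")
              + rdata)
    message = header + question + answer
    return len(message).to_bytes(2, "big") + message


def expand(template, match):
    """Substitute $1, $2, ... in a p/ or v/ template with the capture groups."""
    return re.sub(r"\$(\d+)",
                  lambda m: match.group(int(m.group(1))).decode("ascii"),
                  template)


def fingerprint(response, match_lines):
    """First matching line wins, as in nmap-service-probes; None if none match."""
    for pattern, product, version in match_lines:
        m = re.search(pattern, response, re.DOTALL)
        if m:
            return expand(product, m), expand(version, m)
    return None


def version_column(response, match_lines):
    """What nmap would print in the VERSION column for this response."""
    result = fingerprint(response, match_lines)
    return "unknown" if result is None else " ".join(result)


# Constructed version.bind strings: the NSD one from the thread, a plain
# BIND one, and a third product to show that the generic line still
# claims anything it does not recognise as ISC BIND.
SAMPLES = {"nsd": "NSD 3.2.15", "bind": "9.9.4", "other": "dnsmasq-2.72"}


def report(match_lines):
    """VERSION column for every sample under the given line order."""
    return {name: version_column(build_version_bind_response(text), match_lines)
            for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for label, order in (("before patch", BEFORE_PATCH), ("after patch", AFTER_PATCH)):
        print(label)
        for name, column in report(order).items():
            print(f"  {name:6} -> {column}")
```

Running it shows the NSD reply reported as "ISC BIND NSD 3.2.15" under the old order and "NLnet Labs NSD 3.2.15" under the patched order, while the dnsmasq-style string is reported as ISC BIND under both, which is the remaining breadth of the generic fallback line.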
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/