Re: Detection of CORBA (GIOP protocol)

["qhardyfr () gmail com" <qhardyfr () gmail com>]

Hello,

I agree with you: the match line is too much general.

Here is an example of reply:
47494f5001000101400000000000000001000000020000002700000049444c3a6f6d672e6f72672f434f5242412f4f424a4543545f4e4f545f45584953543a312e30003b0000000001000000

SF:iop,4C,"GIOP\x01\0\x01\x01@\0\0\0\0\0\0\0\x01\0\0\0\x02\0\0\0'\0\0\0IDL
SF::omg\.org/CORBA/OBJECT_NOT_EXIST:1\.0\0\0\0\0\0\0\x01\0\0\0");

Information about this packet (Reply):
GIOP Header:
- Magic: GIOP
- Version: 1.0 (\x01\x00)
- Msge type: Reply (\x01)
- Msg size: 64 (\x40\x00\x00\x00)
Reply Data:
- ServiceContextList (\x00\x00\x00\x00)
- Reply Id: 1 (\x01\x00\x00\x00)
- Reply status: System Exception (\x02\x00\x00\x00)
- Exception Length: 39 (\x27\x00\x00\x00)
- Exception ID: IDL:omg.org/CORBA/OBJECT_NOT_EXIST:1.0
(49444c3a6f6d672e6f72672f434f5242412f4f424a4543545f4e4f545f45584953543a312e3000)
- Minnor code value: 0 (\x00\x00\x00\x00)
- Completion Status: 1 (\x01\x00\x00\x00)

Here is the *new match line*:

match giop m|^GIOP\x01\x00\x01\x01........\x01\x00\x00\x00.+\x00$| p/CORBA
naming service/

I match this following information:
- Magic header
- Version
- Msge type
- Reply Id
- the end of packet (the end of Completion Status)

I don't want to catch the error string because I am not sure this string
will be the same for all products and versions.

--
Quentin HARDY


2015-12-17 21:00 GMT+01:00 Daniel Miller <bonsaiviking () gmail com>:

> Quentin,
>
> Thanks for the recommendation. This looks like a good probe in that you
> have fully explained its dissection. But the match line is much too
> general: any service which echoes the first 4 bytes of the probe will
> match, which is not what we want. Would you be comfortable sharing the
> entire packet that is returned? Simply comment out the "match" line and add
> "ports 9876" just below the "Probe" line to force it to be sent early, then
> send us the fingerprint that results. If you do this multiple times and get
> slightly different results, we can use that to determine which portions of
> the response are static and will result in a good match.
>
> Dan
>
> On Wed, Dec 16, 2015 at 9:21 AM, qhardyfr () gmail com <qhardyfr () gmail com>
> wrote:
>
> > I have a *CORBA GIOP* (General Inter-ORB Protocol) listener running on
> > the port 9876 of a server.
> > Nmap, with option -A -sV --version-all, does not detect this service
> > (GIOP protocol):
> >
> > PORT STATE SERVICE
> > 9876/tcp open *unknown*
> >
> > There is a "service probe" for GIOP in the version 7 of nmap (line 1310,
> > filename nmap-service-probes) but it *doesn't detect* this service -:(
> >
> > The following "service probe" detects this service type:
> >
> > Probe TCP giop
> > q|GIOP\x01\x00\x01\x00$\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00abcdef\x00\x00\x04\x00\x00\x00get\x00\x00\x00\x00\x00|
> > match giop m|^GIOP| p/CORBA naming service/
> >
> > Information about the packet:
> > GIOP Header:
> > - Magic: GIOP
> > - Version: 1.0 (\x01\x00)
> > - Msge type: Request (\x00)
> > - Msg size: 36 ($\x00\x00\x00 i.e \x24\x00\x00\x00)
> > Request Data:
> > - ServiceContextList (\x00\x00\x00\x00)
> > - Request Id: 1 (\x01\x00\x00\x00)
> > - Response expected: 1 (\x01)
> > - Object key Length: 6 (\x06x\00\x00\x00)
> > - Object Key: 616263646566
> > - Operation length : 4 (\x04\x00\x00\x00)
> > - Req Operation: get (i.e \x67\x65\x74\x00)
> > - Requesting Principal Length: 0 (\x00\x00\x00\x00)
> >
> > When you use this "service probe", the server will respond with a "System
> > Exception".
> >
> > This "service probe" could be put in a future version of
> > nmap-service-probes ?
> >
> > --
> > Quentin HARDY
> >
> > _______________________________________________
> > Sent through the dev mailing list
> > https://nmap.org/mailman/listinfo/dev
> > Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/