Nmap Development mailing list archives

Re: Service probe for Cross Match Verifier E fingerprint capture device (need help!)


From: Martin Mačok <martin.macok () underground cz>
Date: Thu, 23 Dec 2004 22:33:38 +0100

On Thu, Dec 23, 2004 at 01:09:18AM +0100, Tomás García-Merás wrote:

> http://www.crossmatch.com/products_singlescan_vE.html
>
> Probe TCP VerifierAdvanced q|Query\r\n|
> ports 1501
> match crossmatchverifier m|^Settings\r\nGain\x20(\d+)\r\nContrast\x20(\d+)\r\nTime\x20(\d+)\r\nIllumination\x20(\d+)\r\nProcessed\r\n$| v/Cross Match Technologies Verifier fingerprint capture advanced control port///

Seems OK to me (anyway, you could substitute "\x20" with " "), but you
are right that the version string is a bit too long. Regarding those
numbers in the match ... could we get the version from them?

However, there are often some TCP ports that do not respond to any
"common" probes, and every new specialized probe would slow down the
scan by another 5s, which is probably an unacceptable trade-off
for now. It will probably make it to the end of nmap-service-probes in
a commented-out form for now (like the WWWOFFLEctrlstat probe) until some
port-related optimization kicks in (like "do not send rare probes to
non-default ports" or "send general probes only" or similar...)

That is just my comment, Fyodor has the final word on it.

> ***********************************************
>
> The procedure for an application is to open a TCP/IP socket to port 1500
> and send the following (ASCII Text):
>
>    Subscribe
>
> followed by a LF character. This can optionally be followed by a
> "Liftquery" command if the application needs finger sensor notification
> events.
>
> From this point on the unit will send one of 3 messages: "Idle",
> "Notify" or, optionally, "Lift".
>
> ***********************************************
> ***********************************************
>
> If you don't have a fingerprint the device returns an "Idle"; if a new
> fingerprint image is available it returns "Notify"; and "Lift" if the
> finger sensor detects that the finger has been removed from the platen (this
> is only sent by the device if the "Liftquery" command was previously sent).

> By now, I'm trying with the following probe:
>
> Probe TCP Verifier q|Subscribe\r\n|

Shouldn't it be "Subscribe\n" only?

> ports 1500
> match crossmatchverifier m|^Idle\r\n$| v/Cross Match Technologies Verifier fingerprint capture control port///

My incompetent guess: are you sure about the "\r\n" after the Idle string?
Maybe the CR is redundant? Any other character (e.g. a blank) there?
Anyway, shouldn't we expect "Notify" too? If so, use "(Idle|Notify)"
instead of "Idle" for that.

> But the device does not return any data. If I telnet to the device on
> port 1500 and type "Subscribe", the device answers normally with "Idle"...

OK, since you have tested it with telnet, you probably verified that
it acts upon CR+LF line endings too ... You should try

$ echo -en "Subscribe\n" | nc -vvv target 1500

to verify that LF is enough to get a response. Try also

$ echo -en "Subscribe\n" | nc -vvv target 1500 | xxd

to get all the bytes from the response. You could do the same by
adding this Probe to nmap-service-probes without the match (and
running -sV).

Martin Mačok
IT Security Consultant

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org
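The exchange discussed in this thread, as an added example that is not code from the thread, from nmap, or from Cross Match: a simulated Verifier on loopback (port behaviour taken only from the vendor text quoted above: "Subscribe" on the control port answered by "Idle", "Query" on the advanced port answered by a "Settings ... Processed" block), a `probe` function that does what `echo -en "Subscribe\n" | nc target 1500` does, an `xxd`-style dump so the CR and LF bytes can be seen, and the thread's match regexes applied to the raw bytes. Everything about the simulator is an assumption: it deliberately accepts only bare-LF commands and ignores the CR+LF spelling, which is one hypothesis raised in the thread and not a known fact about the real unit; the Gain/Contrast/Time/Illumination values are made up; the control-port regex follows Martin's suggestion of `(Idle|Notify)` with an optional CR; and the ports are OS-chosen loopback ports rather than 1500/1501.

```python
"""Simulated Cross Match Verifier ports plus the probes from the thread (constructed example)."""
import re
import socket
import socketserver
import threading

# The thread's match lines in Python regex syntax. The control-port pattern takes
# Martin's suggestions (Notify as well as Idle, CR optional); the advanced one is as posted.
MATCH_CONTROL = re.compile(rb"^(Idle|Notify)\r?\n$")
MATCH_ADVANCED = re.compile(
    rb"^Settings\r\nGain (\d+)\r\nContrast (\d+)\r\nTime (\d+)\r\n"
    rb"Illumination (\d+)\r\nProcessed\r\n$"
)
# Constructed reply for the advanced port, shaped to match the posted regex (values made up).
SETTINGS_REPLY = (b"Settings\r\nGain 12\r\nContrast 34\r\nTime 56\r\n"
                  b"Illumination 78\r\nProcessed\r\n")


class ControlPort(socketserver.StreamRequestHandler):
    """Port-1500 behaviour from the vendor text quoted in the thread (ASSUMED LF-strict)."""
    def handle(self):
        for raw in self.rfile:               # one LF-terminated command per line
            if raw == b"Subscribe\n":        # "Subscribe\r\n" is an unknown command here (assumption)
                self.wfile.write(b"Idle\n")  # assumption: no finger on the platen, so "Idle"
            elif raw == b"Liftquery\n":
                pass                         # would enable "Lift" events; there is no sensor to simulate
            # anything else, including the CR+LF spelling, gets no reply at all


class AdvancedPort(socketserver.StreamRequestHandler):
    """Port-1501 behaviour: "Query" returns the settings block (ASSUMED LF-strict)."""
    def handle(self):
        for raw in self.rfile:
            if raw == b"Query\n":
                self.wfile.write(SETTINGS_REPLY)


def start_device():
    """Bind both simulated ports on 127.0.0.1 (OS-chosen ports) and serve them in daemon threads."""
    servers = []
    for handler in (ControlPort, AdvancedPort):
        srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
        srv.daemon_threads = True
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        servers.append(srv)
    return servers


def probe(port, payload, timeout=0.5):
    """Send one probe and collect everything that comes back until the peer closes or goes quiet.

    Socket equivalent of: echo -en "Subscribe\\n" | nc -vvv target 1500
    """
    chunks = []
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass                             # device is silent or has nothing more to say
    return b"".join(chunks)


def match_service(data):
    """Apply the thread's match lines to a raw response, the way nmap -sV would."""
    if MATCH_CONTROL.match(data) or MATCH_ADVANCED.match(data):
        return "crossmatchverifier"
    return None


def xxd(data):
    """Minimal xxd-style dump so CR (0d) and LF (0a) are visible, as in the `nc | xxd` check."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<40} {text}")
    return "\n".join(lines)


def run_demo():
    """Probe the control port with LF and CR+LF, and the advanced port with LF; returns {label: bytes}."""
    control, advanced = start_device()
    try:
        cases = (("control LF", control.server_address[1], b"Subscribe\n"),
                 ("control CRLF", control.server_address[1], b"Subscribe\r\n"),
                 ("advanced LF", advanced.server_address[1], b"Query\n"))
        return {label: probe(port, payload) for label, port, payload in cases}
    finally:
        for srv in (control, advanced):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for label, data in run_demo().items():
        print(f"{label}: match={match_service(data)}")
        print(xxd(data) or "(no response)")
```

Run stand-alone, the demo shows the point of Martin's two suggestions at once: against this (assumed) LF-strict device the `Subscribe\r\n` probe gets nothing back and never matches, while the bare-LF probe returns `49 64 6c 65 0a`, i.e. "Idle" with no CR, which a match line written as `^Idle\r\n$` would also fail to catch. Whether the real unit behaves this way is exactly what the `nc | xxd` check in the thread is meant to settle.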


