Nmap Development mailing list archives

One of the msdtc service fingerprints is too wide and matches SSL too


From: Martin Mačok <martin.macok () underground cz>
Date: Thu, 11 May 2006 10:46:49 +0200

I came across HTTPS server that gets misidentified as MSDTC:

% nmap -sSV -P0 -p443 --version-trace XXX

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-05-11 10:32 CEST
...
NSOCK (0.0750s) Read request from IOD #1 [XXX:443] (timeout: 6000ms) EID 18
NSOCK (6.0780s) Callback: READ TIMEOUT for EID 18 [XXX:443]
NSOCK (6.0780s) Write request for 22 bytes to IOD #1 EID 27 [XXX:443]: OPTIONS / HTTP/1.0....
NSOCK (6.0780s) Read request from IOD #1 [XXX:443] (timeout: 5000ms) EID 34
NSOCK (6.0790s) Callback: WRITE SUCCESS for EID 27 [XXX:443]
NSOCK (6.0810s) Callback: READ SUCCESS for EID 34 [XXX:443] (7 bytes): .......
...
PORT    STATE SERVICE VERSION
443/tcp open  msdtc   Microsoft Distributed Transaction Coordinator


% diff /usr/share/nmap/nmap-service-probes nmap-service-probes
3344c3344
< match msdtc m|^...\0..$|s p/Microsoft Distributed Transaction Coordinator/ o/Windows/
---
# match msdtc m|^...\0..$|s p/Microsoft Distributed Transaction Coordinator/ o/Windows/
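Review bot: commenting the msdtc line out at 3344c3344 drops MSDTC detection altogether for the test run instead of narrowing it, so the diff shows the misidentification is caused by that line but is not a fix to ship. The defect is in the pattern itself: `m|^...\0..$|s` accepts any seven-byte reply whose fourth byte is NUL, and a TLS alert record has exactly that shape (a five-byte record header whose fourth byte is the high byte of the two-byte length, followed by a two-byte alert), which is why the seven-byte reply to `OPTIONS / HTTP/1.0` on port 443 in the trace above matched. Suggest anchoring the pattern on bytes the MSDTC reply actually fixes, or rejecting replies that begin with a TLS record header, rather than deleting the match.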


% NMAPDIR=. nmap -sSV -P0 -p443 --version-trace XXX

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-05-11 10:32 CEST
NSOCK (0.0670s) TCP connection requested to XXX:443 (IOD #1) EID 8
NSOCK (0.0680s) nsock_loop() started (no timeout). 1 events pending
NSOCK (0.0770s) Callback: CONNECT SUCCESS for EID 8 [XXX:443]
NSOCK (0.0770s) Read request from IOD #1 [XXX:443] (timeout: 6000ms) EID 18
NSOCK (6.0770s) Callback: READ TIMEOUT for EID 18 [XXX:443]
NSOCK (6.0770s) Write request for 22 bytes to IOD #1 EID 27 [XXX:443]: OPTIONS / HTTP/1.0....
NSOCK (6.0770s) Read request from IOD #1 [XXX:443] (timeout: 5000ms) EID 34
NSOCK (6.0780s) Callback: WRITE SUCCESS for EID 27 [XXX:443]
NSOCK (6.0800s) Callback: READ SUCCESS for EID 34 [XXX:443] [EOF](7 bytes): .......
NSOCK (6.0800s) Read request from IOD #1 [XXX:443] (timeout: 4994ms) EID 42
NSOCK (6.0840s) Callback: READ EOF for EID 42 [XXX:443]
NSOCK (6.0840s) TCP connection requested to XXX:443 (IOD #2) EID 48
NSOCK (6.0870s) Callback: CONNECT SUCCESS for EID 48 [XXX:443]
NSOCK (6.0870s) Write request for 88 bytes to IOD #2 EID 59 [XXX:443]
NSOCK (6.0870s) Read request from IOD #2 [XXX:443] (timeout: 5000ms) EID 66
NSOCK (6.0870s) Callback: WRITE SUCCESS for EID 59 [XXX:443]
NSOCK (6.0980s) Callback: READ SUCCESS for EID 66 [XXX:443] (63 bytes): 
....:...6..Db..i.8T.....8;4..._......A....{.5K....r.w......_...
NSOCK (6.0980s) SSL/TCP connection requested to XXX:443 (IOD #3) EID 73
NSOCK (6.1200s) Callback: SSL-CONNECT SUCCESS for EID 73 [XXX:443]
NSOCK (6.1200s) Read request from IOD #3 [XXX:443] (timeout: 6000ms) EID 82
NSOCK (12.1270s) Callback: READ TIMEOUT for EID 82 [XXX:443]
NSOCK (12.1270s) Write request for 18 bytes to IOD #3 EID 91 [XXX:443]: GET / HTTP/1.0....
NSOCK (12.1270s) Read request from IOD #3 [XXX:443] (timeout: 5000ms) EID 98
NSOCK (12.1280s) Callback: WRITE SUCCESS for EID 91 [XXX:443]
NSOCK (12.1310s) Callback: READ SUCCESS for EID 98 [XXX:443] [EOF](3725 bytes)
...
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Oracle Application Server 10g httpd 10.1.2.0.2


I can provide the full service fingerprint, but it contains a hint
identifying my target and I can't talk about my pentests in public.
I can provide it off-list if you need it.

Martin Mačok
ICT Security Consultant


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev