Re: bizarre false positive (?) in service detection

["DePriest, Jason R." <jrdepriest () gmail com>]

On 4/13/07, Brandon Enright <> wrote:
> On Fri, 13 Apr 2007 10:39:51 -0500
> "DePriest, Jason R." <> wrote:
>
> > With the skype line commented out of the service-probe file, nmap is
> > unable to determine what is running on the port.
>
> Nmap should provide you with a service fingerprint for submission.
> This service looks pretty easy to match so go ahead and submit it.

submitted

> > Which is sort of strange since
> > ----
> > jrdepriest@ebizsrvb:/usr/local/share/nmap$ telnet <SCANNERTARGET> 25
> > Trying <SCANNERTARGET>...
> > Connected to <SCANNERTARGET>.
> > Escape character is '^]'.
> > 220  DP-6020
> > EHLO
> > 250-Hello
> > 250-DSN
> > 250 CONNEG
> > MAIL TO:
> > 501 Syntax error in parameters
> > RCPT FROM:
> > 503 Need MAIL before RCPT
> >
> > 554 command not support
> >
> > 554 command not support
> > Connection closed by foreign host.
> > ----
> > See attached for nmap's fingerprint of the port.  I'll do some packet
> > captures if I get time to find a pattern.
> >
> > Thanks for the suggestions.
> >
> > -Jason
>
> If you don't get a fingerprint it may be because we don't have a probe for
> "EHLO".  Go ahead and try adding it to your service probes file like so:
>
> Probe TCP Hello q|EHLO\r\n|
> rarity 5
> ports 25,587
> sslports 465
> totalwaitms 7500

This didn't make a difference.  With the Skype line active, it found
Skype; with the Skype line commented out, it was stumped.

But the signature for the service did have this bit added to it that
was missing without the EHLO probe:
(hello,2E,"220\x20\x20DP-6020\r\n250-Hello\r\n250-DSN\r\n250\x20CONNEG\r\n")

> If you are still having trouble getting a fingerprint let us know and we'll
> try to figure it out.
>
> Brandon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org