Nmap Development mailing list archives
Re: Service probes ambiguity
From: doug () hcsw org
Date: Wed, 10 Oct 2007 10:19:17 -0700
Hi Richard,

On Wed, Oct 10, 2007 at 03:00:00PM +0200 or thereabouts, Richard van den Berg wrote:
> From: http://insecure.org/nmap/data/nmap-service-probes
>
> match http m|^HTTP/1\.0 302 Document Follows\r\nLocation: http:///private/welcome\.ssi\r\nConnection: close\r\n\r\n$| p/BladeCenter Management Module/ d/remote management/
> match http m|^HTTP/1\.0 302 Document Follows\r\nLocation: https:///private/welcome\.ssi\r\nConnection: close\r\n\r\n$| p/IBM RAS2 http config/ d/remote management/
>
> So if the 302 is to HTTP, it's a BladeCenter Management Module, but if it
> redirects to HTTPS, it's an IBM RAS2? I doubt that is actually the case.
> Can anyone comment on which one of these results is correct?

I'm actually integrating service submissions right now so I was able to check into this really quick:

Sometimes devices are re-branded by new companies and only changed in very, very slight ways. Perhaps IBM re-branded this and changed it to only allow SSL? Another possibility is that there is a configuration option on this device and some instances turned SSL on and others left it off. It's very difficult to tell with the information at hand and often we can only make educated guesses.

I checked the source of these match lines and there were two distinct fingerprints for the IBM device, both of which redirect to SSL, and only one for the BladeCenter device (which didn't redirect to SSL).

I agree these devices are probably not substantially different enough to have their own match lines so I'm taking your advice and merging them into one:

match http m|^HTTP/1\.0 302 Document Follows\r\nLocation: https?:///private/welcome\.ssi\r\nConnection: close\r\n\r\n$| p|BladeCenter/IBM RSA2 http config| d/remote management/

Sound good?

Also, it's lucky you pointed these lines out because the name of the IBM device was actually typoed in the match line (should be RSA2 instead of RAS2):

IBM Remote Supervisor Adaptor 2

Thanks for your correction! There should be an update to the probes file available within the next week containing this update and the results of the Q3-2007 submissions.

Best,

Doug

PS Although using the nmap-dev mailing list for these types of corrections is perfectly OK, you might also find the new web interface convenient:

http://insecure.org/cgi-bin/submit.cgi?corr-service
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
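Added example, not part of the original message and not Nmap's own code: a small Python parser for the match lines quoted above, run against constructed responses, showing that the two original lines split the same device page by redirect scheme while the merged `https?` line reports one product for both. Assumptions: Python's `re` stands in for Nmap's PCRE, only single-letter version fields are handled, and the names `parse_match`, `identify` and `banner` are hypothetical.

```python
import re

# Match lines exactly as quoted in the message: the two originals, then the merged line.
ORIGINAL = [
    r"match http m|^HTTP/1\.0 302 Document Follows\r\nLocation: http:///private/welcome\.ssi\r\nConnection: close\r\n\r\n$| p/BladeCenter Management Module/ d/remote management/",
    r"match http m|^HTTP/1\.0 302 Document Follows\r\nLocation: https:///private/welcome\.ssi\r\nConnection: close\r\n\r\n$| p/IBM RAS2 http config/ d/remote management/",
]
MERGED = [
    r"match http m|^HTTP/1\.0 302 Document Follows\r\nLocation: https?:///private/welcome\.ssi\r\nConnection: close\r\n\r\n$| p|BladeCenter/IBM RSA2 http config| d/remote management/",
]

def parse_match(line):
    """Split a 'match' directive into (service, compiled regex, {field: value})."""
    directive, service, rest = line.split(" ", 2)
    if directive != "match" or not rest.startswith("m"):
        raise ValueError("not a match directive")
    delim = rest[1]                      # the regex delimiter is chosen per line
    end = rest.index(delim, 2)
    pattern, rest = rest[2:end], rest[end + 1:]
    flags = 0
    while rest[:1] in ("i", "s"):        # optional regex flags after the delimiter
        flags |= re.IGNORECASE if rest[0] == "i" else re.DOTALL
        rest = rest[1:]
    info, rest = {}, rest.lstrip()
    while rest:                          # version fields, e.g. p/.../ or p|...|
        key, d = rest[0], rest[1]
        end = rest.index(d, 2)
        info[key] = rest[2:end]
        rest = rest[end + 1:].lstrip()
    return service, re.compile(pattern.encode("latin-1"), flags), info

def identify(lines, response):
    """Return the p (product) field of the first line whose regex matches."""
    for line in lines:
        _, rx, info = parse_match(line)
        if rx.search(response):
            return info.get("p")
    return None

def banner(scheme):
    # Constructed response, shaped to the Location value as it appears in the lines above.
    return ("HTTP/1.0 302 Document Follows\r\nLocation: %s:///private/welcome.ssi\r\n"
            "Connection: close\r\n\r\n" % scheme).encode("latin-1")

if __name__ == "__main__":
    for scheme in ("http", "https"):
        print(scheme, identify(ORIGINAL, banner(scheme)), "->", identify(MERGED, banner(scheme)))
```

The merged line uses `|` as the delimiter for the p field because the product name itself contains a `/`.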