Nmap Development mailing list archives

Regarding "Windows XP identd" in nmap-service-probes (r2839)


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 30 Jan 2009 23:14:07 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We often get compromised Windows machines running some IRC bot that
also run some fake identd.  Sometimes this fake ident matches "Windows
XP identd" with the match-line:

match ident m|^ : USERID : UNIX : [a-z]{4,8}\r\n$| p/Windows XP identd/ o/Windows/

It seems the only unique requirement here is a username in the 4-8 char
range followed by a \r\n instead of just a \n.

Here is an example of a fake identd in action:

$ telnet !$ 113
telnet x.y.230.221 113
Trying x.y.230.221...
Connected to x.y.230.221.
Escape character is '^]'.
1, 1
 : USERID : UNIX : ckilzyfc
^]
telnet> Connection closed.

$ telnet x.y.230.221 113
Trying x.y.230.221...
Connected to x.y.230.221.
Escape character is '^]'.
1, 1
 : USERID : UNIX : ekedvig
^]
telnet> Connection closed.


So my gripe is that the match line isn't really all that specific and
as far as I know, there is no "Windows XP identd" anyway.  Just about
any fake identd running on Windows has a good chance of matching.

I'm torn though -- I want to either remove the match line or add a
i/**BACKDOOR**/ to the match.  The problem with the first option is
that it appears to be removing functionality, even if the functionality
isn't always accurate.  The problem with the second is that
**BACKDOOR** may not always be accurate either.

Ideas?

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkmDicAACgkQqaGPzAsl94KYQwCfetnsSxgQLqqPVpiZM7w6cjTS
NO4AnRnTmrSoh66R5BTej9Zg9v306h5c
=uhS8
-----END PGP SIGNATURE-----
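To make the looseness of the match line concrete, the following is an added example (not part of the original post and not code from the Nmap project): the quoted match pattern transcribed into a Python regex and run against replies constructed to resemble the ones in the telnet session, plus replies that differ only in line ending, username length, case, or the leading port pair. Nmap match patterns are Perl-compatible, so the expression is carried over unchanged; the sample replies and the random-username generator standing in for a bot's fake identd are constructed for illustration.

```python
import random
import re
import string

# The match line from nmap-service-probes quoted in the post, as a Python regex.
# Anchored at both ends, it requires: a leading space, the literal
# " : USERID : UNIX : ", a 4-8 character lowercase username, then CRLF.
WINDOWS_XP_IDENTD = re.compile(rb"^ : USERID : UNIX : [a-z]{4,8}\r\n$")

# Constructed ident replies, not captured traffic. The first two reproduce the
# usernames seen in the post's telnet session, with the CRLF the match needs.
SAMPLES = {
    "bot_ckilzyfc": b" : USERID : UNIX : ckilzyfc\r\n",
    "bot_ekedvig":  b" : USERID : UNIX : ekedvig\r\n",
    "lf_only":      b" : USERID : UNIX : ekedvig\n",        # same name, bare LF
    "too_long":     b" : USERID : UNIX : longusername\r\n",  # 12 chars
    "too_short":    b" : USERID : UNIX : bob\r\n",           # 3 chars
    "uppercase":    b" : USERID : UNIX : Admin\r\n",
    # RFC 1413 replies start with the port pair; the anchored leading space
    # in the pattern rejects a reply that actually echoes "1, 1".
    "with_ports":   b"1, 1 : USERID : UNIX : ekedvig\r\n",
}


def matches_windows_xp_identd(reply: bytes) -> bool:
    """True if the reply would hit the 'Windows XP identd' match line."""
    return WINDOWS_XP_IDENTD.match(reply) is not None


def classify(samples: dict) -> dict:
    """Run every sample reply through the match and report the verdicts."""
    return {name: matches_windows_xp_identd(reply) for name, reply in samples.items()}


def fake_bot_replies(count: int, seed: int = 0) -> list:
    """Stand-in for a bot's fake identd (assumption: it picks a random 4-8
    letter lowercase username each time, as the two captured names suggest)."""
    rng = random.Random(seed)
    replies = []
    for _ in range(count):
        length = rng.randint(4, 8)
        name = "".join(rng.choice(string.ascii_lowercase) for _ in range(length))
        replies.append(b" : USERID : UNIX : " + name.encode() + b"\r\n")
    return replies


def fake_identd_hit_rate(count: int = 100, seed: int = 0) -> float:
    """Fraction of generated fake-identd replies that the match line accepts."""
    replies = fake_bot_replies(count, seed)
    return sum(matches_windows_xp_identd(r) for r in replies) / len(replies)


if __name__ == "__main__":
    for name, hit in classify(SAMPLES).items():
        print(f"{name:13s} -> {'MATCH' if hit else 'no match'}")
    print(f"random fake identd hit rate: {fake_identd_hit_rate():.0%}")
```

Every reply the constructed bot produces matches, while a real daemon that echoes the RFC 1413 port pair does not, which is the mismatch the post describes: the pattern keys on a formatting quirk rather than on anything specific to a Windows identd.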

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org