Nmap Development mailing list archives

Re: Regarding "Windows XP identd" in nmap-service-probes (r2839)


From: Fyodor <fyodor () insecure org>
Date: Fri, 30 Jan 2009 15:21:30 -0800

On Fri, Jan 30, 2009 at 11:14:07PM +0000, Brandon Enright wrote:
> We often get compromised Windows machines running some IRC bot that
> also run some fake identd.  Sometimes this fake ident matches "Windows
> XP identd" with the match-line:
> 
> match ident m|^ : USERID : UNIX : [a-z]{4,8}\r\n$| p/Windows XP identd/ o/Windows/
> 
> It seems the only unique requirement here is a username in the 4-8 char
> range followed by a \r\n instead of just a \n.

Thanks for the report.  I've removed the p/Windows XP identd/ part.
It is probably worth keeping the o/Windows/, since the \r\n makes that
platform more likely and we haven't heard reports of this matching
other systems.

BTW (to everyone), we could fix more of these sorts of things if we
received more OS detection and service detection corrections.  We get
tons of new signature submissions for both, but very few people seem
to bother reporting errors.  But we're happy to hear about them, even
if they are slight!  As of right now, we have 1,717 new service
detection signatures in the queue to integrate, but only 15(!)
corrections from the same period.  And, umm, we should probably
integrate soon, so I've added it to the Nmap TODO.

So please do submit corrections when Nmap gives you a wrong OS
detection or version detection result!  Even if it seems minor, such
as a slightly wrong model number of the right printer, or the right
application but the wrong platform, we'd love to hear about it at
http://nmap.org/submit/.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
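As an added illustration of the match-line syntax discussed in this thread (example code written for this archive page, not code from the Nmap project), the following Python parses a `match` directive in the nmap-service-probes format, compiles its regex, and runs the quoted r2839 line both as it stood and with the p/.../ field dropped (the change described in the reply) against a few constructed identd responses. The responses and both match lines are constructed for the example; only the subset of the directive syntax that this line uses is handled, and `$1`-style substitutions and cpe:/ fields are not expanded.

```python
import re

# Constructed sample match lines for this example. The first is the r2839 line
# quoted in the thread; the second is the same line with the p/.../ field
# dropped, as described in the reply (o/Windows/ retained).
MATCH_BEFORE = r'match ident m|^ : USERID : UNIX : [a-z]{4,8}\r\n$| p/Windows XP identd/ o/Windows/'
MATCH_AFTER = r'match ident m|^ : USERID : UNIX : [a-z]{4,8}\r\n$| o/Windows/'

# Constructed identd responses (not captured traffic).
FAKE_BOT_IDENT = ' : USERID : UNIX : qwerty\r\n'   # 6 lowercase letters, CRLF
UNIX_IDENT = ' : USERID : UNIX : frank\n'           # 5 letters, bare LF
IDENT_ERROR = ' : ERROR : NO-USER\r\n'

# Single-letter version-field keys used by nmap-service-probes.
FIELD_NAMES = {'p': 'product', 'v': 'version', 'i': 'info',
               'h': 'hostname', 'o': 'ostype', 'd': 'devicetype'}


def parse_match_line(line):
    """Parse a match/softmatch directive.

    Returns (service, compiled_regex, fields). Handles the subset of the
    nmap-service-probes syntax used by the line in the thread: an arbitrary
    delimiter after 'm', optional i/s flags, and single-letter version fields
    each with their own delimiter. $1-style substitutions and cpe:/ fields
    are not expanded here.
    """
    head = re.match(r'(?:soft)?match\s+(\S+)\s+m(.)', line)
    if head is None:
        raise ValueError('not a match line: %r' % line)
    service, delim = head.group(1), head.group(2)
    start = head.end()
    end = line.index(delim, start)
    pattern = line[start:end]
    rest = line[end + 1:]

    # Optional flags sit directly after the closing regex delimiter.
    flag_m = re.match(r'[is]*', rest)
    reflags = 0
    if 'i' in flag_m.group(0):
        reflags |= re.IGNORECASE
    if 's' in flag_m.group(0):
        reflags |= re.DOTALL
    rest = rest[flag_m.end():]

    # Version fields: whitespace, one key letter, a delimiter, text, delimiter.
    fields = {}
    field_re = re.compile(r'\s*([pvihod])(.)')
    pos = 0
    while pos < len(rest):
        fm = field_re.match(rest, pos)
        if fm is None:
            break
        key, fdelim = fm.group(1), fm.group(2)
        close = rest.index(fdelim, fm.end())
        fields[FIELD_NAMES[key]] = rest[fm.end():close]
        pos = close + 1
    return service, re.compile(pattern, reflags), fields


def classify(match_line, response):
    """Apply one match line to a response; return the detection dict or None."""
    service, regex, fields = parse_match_line(match_line)
    if regex.search(response) is None:
        return None
    result = {'service': service}
    result.update(fields)
    return result


if __name__ == '__main__':
    for label, line in (('before', MATCH_BEFORE), ('after', MATCH_AFTER)):
        for name, resp in (('fake bot ident', FAKE_BOT_IDENT),
                           ('unix ident', UNIX_IDENT),
                           ('ident error', IDENT_ERROR)):
            print('%-6s %-15s -> %s' % (label, name, classify(line, resp)))
```

Running it shows the point of the thread: the bot's response still matches after the edit, but the result now carries only the service name and o/Windows/, no product claim, while a bare-LF Unix response and an ERROR reply match neither version of the line. The same parser can be pointed at any other single-line `match` entry to check what a signature actually asserts before reporting a correction at http://nmap.org/submit/.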

