Nmap Development mailing list archives
Re: Regarding "Windows XP identd" in nmap-service-probes (r2839)
From: Fyodor <fyodor () insecure org>
Date: Fri, 30 Jan 2009 15:21:30 -0800
On Fri, Jan 30, 2009 at 11:14:07PM +0000, Brandon Enright wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> We often get compromised Windows machines running some IRC bot that also run some fake identd. Sometimes this fake ident matches "Windows XP identd" with the match-line:
>
> match ident m|^ : USERID : UNIX : [a-z]{4,8}\r\n$| p/Windows XP identd/ o/Windows/
>
> It seems the only unique requirement here is a username in the 4-8 char range followed by a \r\n instead of just a \n.

Thanks for the report. I've removed the p/Windows XP identd/ part. It is probably worth keeping the o/Windows/, since the \r\n makes that platform more likely and we haven't heard reports of this matching other systems.

BTW (to everyone), we could fix more of these sorts of things if we received more OS detection and service detection corrections. We get tons of new signature submissions for both, but very few people seem to bother reporting errors. But we're happy to hear about them, even if they are slight! As of right now, we have 1,717 new service detection signatures in the queue to integrate, but only 15(!) corrections from the same period. And, umm, we should probably integrate soon, so I've added it to the Nmap TODO.

So please do submit corrections when Nmap gives you a wrong OS detection or version detection result! Even if it seems minor, such as a slightly wrong model number of the right printer, or the right application but the wrong platform, we'd love to hear about it at http://nmap.org/submit/.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
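
Added illustration (not part of the original messages and not Nmap's own code): a Python sketch that parses the match line quoted above and runs it against constructed ident replies, showing that any 4-8 letter lowercase username followed by \r\n satisfies it, and what is reported before and after the p/ field is dropped. The helper names `parse_match` and `classify`, the simplified parser (single-letter fields only) and the sample replies are assumptions made for this example.

```python
import re

# Match line quoted in the thread (BEFORE) and the same line with the p// field
# dropped, reconstructed here from the reply's description (AFTER).
BEFORE = r"match ident m|^ : USERID : UNIX : [a-z]{4,8}\r\n$| p/Windows XP identd/ o/Windows/"
AFTER = r"match ident m|^ : USERID : UNIX : [a-z]{4,8}\r\n$| o/Windows/"

# Constructed ident replies, for illustration only.
SAMPLES = {
    "crlf_8char": b" : USERID : UNIX : fakeuser\r\n",  # any bot-chosen name fits
    "crlf_4char": b" : USERID : UNIX : abcd\r\n",
    "lf_only": b" : USERID : UNIX : abcd\n",           # bare \n: no match
    "short_name": b" : USERID : UNIX : abc\r\n",       # 3 chars: no match
    "digits": b" : USERID : UNIX : user42\r\n",        # not [a-z] only: no match
}

def parse_match(line):
    """Simplified parser for one 'match' directive (hypothetical helper)."""
    directive, service, rest = line.split(" ", 2)
    if directive != "match" or not rest.startswith("m"):
        raise ValueError("not a match directive")
    delim = rest[1]                      # m|...| uses '|' as the delimiter
    end = rest.index(delim, 2)
    pattern, rest = rest[2:end], rest[end + 1:]
    flags = 0
    while rest and rest[0] in "is":      # optional regex flags after the delimiter
        flags |= re.IGNORECASE if rest[0] == "i" else re.DOTALL
        rest = rest[1:]
    fields, rest = {}, rest.strip()
    while rest:                          # fields such as p/.../ and o/.../
        key, d = rest[0], rest[1]
        end = rest.index(d, 2)
        fields[key] = rest[2:end]
        rest = rest[end + 1:].strip()
    return service, re.compile(pattern.encode(), flags), fields

def classify(line, response):
    """Return what the match line would report for a reply, or None if no match."""
    service, rx, fields = parse_match(line)
    if not rx.search(response):
        return None
    return {"service": service, "product": fields.get("p"), "os": fields.get("o")}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(name, classify(BEFORE, reply), classify(AFTER, reply))
```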