Nmap Development mailing list archives

Re: PATCH: Oracle related matchline cleanup


From: Verde Denim <tdldev () gmail com>
Date: Wed, 13 May 2009 21:39:42 -0400

On Wed, May 13, 2009 at 8:29 PM, Tom Sellers <nmap () fadedcode net> wrote:

A problem that I had with Oracle detection last year [1] cropped back up again recently.  After digging around for a bit I finally settled on a proposed solution and implemented and tested it.

In short, the service response was 2 packets.  The first packet contained no version info, but happened to have a generic matchline so the service was detected and the match process completed, but yielded little information.  The resulting output looked like this:

1521/tcp open  oracle-tns Oracle TNS Listener

Changing this generic matchline to a softmatch allowed the process to continue.  The second packet contains detailed version and platform information and is actually detected by a matchline PRIOR to the generic, now soft-matchline.  The results now look like this:

1521/tcp  open  oracle-tns Oracle TNS Listener 10.2.0.1.0 (for Linux)

Much better!

I have tested this patch against the 8, 9 and 10 families of Oracle on Linux and Windows.

There was also an Oracle-related matchline that was triggered by the DNSVersionBindReq probe.  I have removed this in favor of the more precise Oracle probe and matchlines.  Any versions that were previously detected by this old one, but not by the new (shouldn't be any!!), will likely be picked up by the dedicated Oracle probe and either not match anything or trigger on the softmatch.

Additionally, there is now a new matchline for an Oracle service that is not the TNS listener, but that was triggering on the old, generic TNS matchline.  I have tried to locate the official name or function for the service, but I have been unsuccessful.  It also does not help that the new service lives on a dynamic port, usually low on 9.x and high on 10.x versions of Oracle.


In summary, the attached patch:
1.  Adds specific detection for the database service.
2.  Changes a former incomplete match line to a softmatch line.
3.  Adds an additional ports line entry for 1526 to the oracle-tns probe.
4.  Cleans up some old Oracle-related matchlines that were triggered by the DNSVersionBindReq probe and removes 1521 from the DNS probe.

Tom



1.  http://seclists.org/nmap-dev/2008/q3/0030.html

Well done, Tom!


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
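As an added illustration (not part of this thread and not Nmap's own matcher), a small Python simulation of the match-versus-softmatch behaviour Tom describes: the two packets, the regexes and the `MatchLine`/`detect` helpers are constructed assumptions, modelled on the thread's description rather than on real Oracle TNS traffic.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed two-packet response: a header-only first packet, then version text.
PACKET_1 = b"\x00\x08\x00\x00\x04\x00\x00\x00"                      # constructed header
PACKET_2 = b"(DESCRIPTION=(ERR=1189))TNSLSNR for Linux: Version 10.2.0.1.0"  # constructed

@dataclass
class MatchLine:
    service: str
    regex: bytes
    soft: bool = False
    render: Optional[Callable[[re.Match], str]] = None  # builds the product/version string

def detect(lines, packets):
    """Re-run the ordered match lines on the growing response buffer as each
    packet arrives. A hard match ends detection at once; a softmatch records
    the service, limits later lines to that service, and keeps reading."""
    buf = b""
    soft_service = None
    for n, pkt in enumerate(packets, 1):
        buf += pkt
        for line in lines:
            if soft_service and line.service != soft_service:
                continue
            m = re.search(line.regex, buf, re.DOTALL)
            if not m:
                continue
            if line.soft:
                soft_service = line.service
                break  # wait for the next packet and try the lines again
            info = line.render(m) if line.render else ""
            return {"service": line.service, "info": info, "packets": n}
    return {"service": soft_service, "info": "", "packets": len(packets)}

# The version-bearing line sits before the generic one, as in the thread.
SPECIFIC = MatchLine(
    "oracle-tns", rb"TNSLSNR for (\w+): Version ([\d.]+)",
    render=lambda m: f"Oracle TNS Listener {m.group(2).decode()} (for {m.group(1).decode()})")
GENERIC_HARD = MatchLine("oracle-tns", rb"^\x00.\x00\x00\x04\x00\x00\x00",
                         render=lambda m: "Oracle TNS Listener")
GENERIC_SOFT = MatchLine("oracle-tns", rb"^\x00.\x00\x00\x04\x00\x00\x00", soft=True)

def before_patch():  # generic hard match: detection stops on packet 1, no version
    return detect([SPECIFIC, GENERIC_HARD], [PACKET_1, PACKET_2])

def after_patch():   # generic softmatch: packet 2 is read and the specific line fires
    return detect([SPECIFIC, GENERIC_SOFT], [PACKET_1, PACKET_2])
```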

