Re: [RFC] Detect certain Citrix application browsing services

[David Fifield <david () bamsoftware com>]

On Mon, Nov 16, 2009 at 02:07:34AM -0800, Fyodor wrote:
> On Sun, Nov 15, 2009 at 08:13:55PM -0700, David Fifield wrote:
> > On Fri, Nov 13, 2009 at 04:54:35PM -0600, Thomas Buchanan wrote:
> >
> > > I'm looking for feedback on a couple of aspects of the patches.  First,  
> > > how should one determine the frequency values when adding entries to  
> > > nmap-services?  I used a value from the next closest port, but that  
> > > seems pretty arbitrary.
> >
> > We have a record for port 1604/udp in the master nmap-services-all file,
> > but because it has a frequency of 0 it is left out of the smaller
> > nmap-services file.
> >
> > unknown           1604/udp      0/3027
>
> If we have reason to believe the port is interesting, I think it is OK
> to just bump this up to 1/3027 and that should get it added to
> nmap-services.  Eventually we will get better UDP data (ours is pretty
> limited for ports like this which were unnamed), but for now a little
> manual adjustment or two is fine.  That can be useful not just for
> missed services, but for new ones which have become popular since the
> most recent port frequency survey.

For what it's worth, I tried

nmap -PU1604 -sP -iR 10000 -n --reason

using the Citrix payload and got

# Nmap done at Tue Nov 24 10:38:48 2009 -- 10000 IP addresses (189 hosts up) scanned in 151.77 seconds

But all the up hosts were because of destination unreachable replies,
none from udp-response. In this case the UDP payload didn't help.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/