Re: [RFC] Detect certain Citrix application browsing services

[David Fifield <david () bamsoftware com>]

On Wed, Nov 25, 2009 at 01:56:05PM -0600, Thomas Buchanan wrote:
> David Fifield wrote:
> > Okay. We can document that the payload comes from a packet capture of
> > Program Neighborhood's broadcast. I committed the nmap-service-probes
> > patch. Please make an updated patch for payload.cc that has
> > documentation on where the packet comes from (packet capture of Program
> > Neighborhood) and what is expected in reply. Because we still don't know
> > much about the reply packet, I want you to include it in its entirety in
> > a comment, with Xs or something to mark the bytes that tend to differ.
> > Or if the replies are completely different after the first 14 bytes,
> > just include the first 14 bytes and say that everything else is
> > different.
>
> Here is an updated patch as requested.  As I was putting it together, I  
> noticed that a couple of the fields in the response packets are IP  
> addresses, one for the Citrix server the response comes from, and a  
> second field that appears to be the address of the primary system in a  
> cluster farm.  However, what this means that the match line I submitted  
> earlier isn't quite right.  It would match all Citrix servers that are  
> in 192.168.*.* address space, but nothing else.  So the match line in  
> nmap-service-probes should be shortened to the first 12 bytes, or else a  
> capture could be added to extract the IP address.  I'm not sure if  
> that's possible, my regex skills are very limited.

Thanks, Thomas, for following up on this. I applied your patch and also
removed that last two bytes from the service probe match line.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/