Nmap Development mailing list archives

Re: service fingerprints && web service probe suggestion


From: Fyodor <fyodor () insecure org>
Date: Wed, 9 Dec 2009 21:46:02 -0800

On Tue, Dec 08, 2009 at 04:45:33PM +0100, Willem de Groot wrote:

> See below for my service fingerprint submit. I'd like to note that,
> for people only scanning for http services, it may be worthwhile to
> add this line to nmap-service-probes, just below the null probe:
>
> ports 1-79,81-8079,8081-65535
>
> Because http services generally do not advertise themselves upon
> connect, the null probe is of no use here.

Hi Willem.  Thanks for the match lines.  The HTTP probe will still run
by default even for non-standard ports.  It is just that the null
"probe" happens first.

> What's more, many
> routers/WAPs such as the Siemens Gigaset operate a default timeout < 5
> sec. These services will be reported as "tcpwrapped" by nmap, unless
> the nullprobe is skipped.

That is a good point, but seems like an extraordinarily short timeout.
They will close web connections after just 5 seconds idle?!

> PS. the jewel below is definitely the Kesseltronics Car Wash Tunnel ;-)

Haha, car wash signatures are awesome!

Thanks for the signatures, but the lines seem to have been wrapped.
Maybe if you send the diff as an attachment instead of inline that
won't happen.  Also, what would be even better, is if you could submit
them via Nmap's version detection submission form (see
http://nmap.org/submit/).  If you could include the fingerprint Nmap
gets you and also the match line you generated, that would be perfect.
The reason we prefer that is because it helps a lot when we have to go
back and change signatures if we can find the original fingerprint
submission.

Cheers,
-F
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
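
The interaction discussed in this message, as an added Python sketch that is not part of the original post or of Nmap: a constructed local server closes connections that stay idle longer than `idle_timeout`, and a hypothetical `probe()` either waits silently first (as the null probe does) or sends the HTTP request at once. All names and the scaled-down timeouts are assumptions for illustration.

```python
import socket
import threading

def idle_timeout_server(idle_timeout):
    """Constructed stand-in for a device web server that drops idle clients."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        conn.settimeout(idle_timeout)
        try:
            if conn.recv(1024):  # speaks only after the client sends a request
                conn.sendall(b"HTTP/1.0 200 OK\r\nServer: demo\r\n\r\n")
        except socket.timeout:
            pass  # client stayed silent too long: close without a banner
        finally:
            conn.close()

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

def probe(port, null_wait, skip_null=False):
    """Hypothetical scanner: optional silent wait, then an HTTP GET."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        if not skip_null:
            s.settimeout(null_wait)
            try:
                # Null probe: send nothing and wait for a greeting.
                return "banner" if s.recv(1024) else "closed-during-null-probe"
            except socket.timeout:
                pass  # no greeting and still open: move on to the next probe
        s.settimeout(2)
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        return "http" if s.recv(1024).startswith(b"HTTP/") else "unknown"

if __name__ == "__main__":
    port = idle_timeout_server(idle_timeout=0.2)
    print(probe(port, null_wait=1.0))                  # closed-during-null-probe
    print(probe(port, null_wait=1.0, skip_null=True))  # http
```

The first result is the case described above as being reported "tcpwrapped"; when the server's idle timeout is longer than the silent wait, the HTTP request still goes out after the null probe.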

