Nmap Development mailing list archives

Re: Kerberos probes for nmap


From: David Fifield <david () bamsoftware com>
Date: Sat, 12 Dec 2009 17:25:35 -0700

On Sat, Nov 28, 2009 at 09:20:53PM +0100, Patrik Karlsson wrote:
I noticed that Kerberos gets detected fine when running against Windows but my Heimdal hosts are not detected.
Running over TCP the RPCCheck probe seems to trigger an answer. Here's the signature:

SF-Port88-TCP:V=5.10BETA1%I=7%D=11/28%Time=4B1181BB%P=i386-apple-darwin10.2.0%r(RPCCheck,55,"\0\0\0Q~O0M\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e\xa4\
SF:x11\x18\x0f20091128200203Z\xa5\x05\x02\x03\x08i@\xa6\x03\x02\x01=\xa9\x
SF:15\x1b\x13<unspecified\x20realm>\xaa\x0b0\t\xa0\x03\x02\x01\0\xa1\x020\
SF:0");

Thanks for checking this out. If the RPCCheck probe gets a response,
then let's just add another match line instead of a whole new probe.
Just follow the instructions at
http://insecure.org/cgi-bin/submit.cgi?new-service
Those submissions are due to be processed soon.

It would be worth adding a new probe if the new probe could provide a
lot more information, like a version number or server name. And then,
it's best to make the match specific at first. Otherwise people will see
"Kerberos" in the output and think, "good enough," and not submit
fingerprints that might allow us to be more discriminating.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
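To see what the Heimdal host is actually sending back to the RPCCheck probe, here is an added example (not from this thread, and not nmap's own code) that converts the escaped response in Patrik's fingerprint into wire bytes and walks the DER of the Kerberos message with only the Python standard library. The field names and tag numbers follow RFC 4120; the result is a KRB-ERROR carrying error-code 61, KRB_ERR_FIELD_TOOLONG ("field is too long for this implementation"), which is presumably the KDC rejecting the probe's leading bytes as a TCP record length.

```python
import re

# Response payload from the r(RPCCheck,55,"...") field of the fingerprint above,
# still in nmap-service-probes escape syntax (the SF: continuation lines joined).
FINGERPRINT_RESPONSE = (
    rb"\0\0\0Q~O0M\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e"
    rb"\xa4\x11\x18\x0f20091128200203Z\xa5\x05\x02\x03\x08i@\xa6\x03\x02\x01="
    rb"\xa9\x15\x1b\x13<unspecified\x20realm>\xaa\x0b0\t\xa0\x03\x02\x01\0\xa1\x020\0"
)
KRB_ERROR_NAMES = {60: "KRB_ERR_GENERIC", 61: "KRB_ERR_FIELD_TOOLONG"}  # RFC 4120 7.5.9
_ESCAPE = re.compile(rb'\\x([0-9a-fA-F]{2})|\\([0ntr\\])')
_SIMPLE = {b"0": b"\x00", b"n": b"\n", b"t": b"\t", b"r": b"\r", b"\\": b"\\"}

def unescape_fingerprint(s: bytes) -> bytes:
    """Turn nmap fingerprint escapes (\\xNN, \\0, \\t, ...) back into the wire bytes."""
    return _ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]) if m.group(1)
                       else _SIMPLE[m.group(2)], s)

def der_tlv(buf: bytes, pos: int = 0):
    """One DER tag/length/value at pos -> (tag, value, next_pos); short-form lengths only."""
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def der_children(buf: bytes):
    """Yield (tag, value) for each TLV directly inside a SEQUENCE body."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = der_tlv(buf, pos)
        yield tag, val

_int = lambda b: int.from_bytes(b, "big", signed=True)
# KRB-ERROR context tags (RFC 4120 5.9.1) this example decodes, with a converter each.
_FIELDS = {0: ("pvno", _int), 1: ("msg-type", _int), 4: ("stime", bytes.decode),
           5: ("susec", _int), 6: ("error-code", _int), 9: ("realm", bytes.decode)}

def decode_krb_error(record: bytes) -> dict:
    """Parse a TCP Kerberos record: 4-byte big-endian length, then KRB-ERROR (APPLICATION 30)."""
    if int.from_bytes(record[:4], "big") != len(record) - 4:
        raise ValueError("TCP record length does not match payload")
    app_tag, body, _ = der_tlv(record, 4)
    if app_tag != 0x7E:                       # [APPLICATION 30] = 0x40 | 0x20 | 30
        raise ValueError("not a KRB-ERROR")
    out = {}
    for ctx, val in der_children(der_tlv(body)[1]):   # members of the inner SEQUENCE
        name, conv = _FIELDS.get(ctx & 0x1F, (None, None))
        if name:
            out[name] = conv(der_tlv(val)[1])         # strip the [n] EXPLICIT wrapper
    out["error-name"] = KRB_ERROR_NAMES.get(out.get("error-code"), "unknown")
    return out
```

Since stime and susec change with every reply, a match line should key on the fixed parts (the length and APPLICATION 30 header, pvno, msg-type, error-code and the `<unspecified realm>` string) rather than the whole payload, which also keeps the match specific in the way David asks for.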

