Re: [BUG?] Setting host ( using h//) based on UDP matchlines

[David Fifield <david () bamsoftware com>]

On Thu, Dec 03, 2009 at 06:07:03AM -0600, tom () fadedcode net wrote:
> I had hoped to have this problem sorted out already but I have been  
> buried in work so I wanted to send
> this to the list before I forgot.
>
> While working on the UDP probe/match line that Patrik Karlsson sent in I  
> experienced some problems
> setting the Hostname value using  h/ / on a matchline.  The matchline  
> reliably captured the host name data
> from the service response. 
>
> I could set the information value using i/$4/  100% of the time, but I  
> could never set the Hostname value
> using  h/$4/.   I tested the same thing on TCP probes and never  
> experienced the problem.
>
> I had intended to replicate this with other UDP probes, build a test  
> case for it and, if it was actually a bug,
> fix the problem but have not had time.

I can't reproduce this with an Ncat server. First I added these lines to
the end of nmap-service-probes:

Probe UDP Test q|^xxx$|
ports 31337
match test m|^12345-(.*)$| p/Test server/ i/$1/ h/$1/

Then I ran this Ncat server:

ncat --udp --sh-exec "echo 12345-abc" --listen

Then I ran this scan:

nmap --datadir . localhost -sU -p 31337 -sV --version-light -d2

The output was

PORT      STATE SERVICE REASON       VERSION
31337/udp open  test    udp-response Test server (abc)
Service Info: Host: abc

What's the exact match line you're using? We can set up Ncat to emulate
the expected response and perhaps reproduce it.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/