Nmap Development mailing list archives
Re: AFP probe
From: Patrik Karlsson <patrik () labb1 com>
Date: Wed, 6 Jan 2010 21:21:51 +0100
On 6 jan 2010, at 20.38, Matt Selsky wrote:
> On Jan 4, 2010, at 4:51 AM, Patrik Karlsson wrote:
>
>> The SSLSessionReq probe fails to detect AFP on my Linux boxes (Netatalk) and on Snow Leopard. I'm submitting a patch containing new probe and match lines that detect AFP on these systems.
>
> I tried this against a netatalk 1.6.4 server with the following response:
>
> SF-Port548-TCP:V=5.10BETA2%I=7%D=1/6%Time=4B44E471%P=i386-apple-darwin10.2.0%r(afp,188,"\x01\x03\0\x01\0\0\0\0\0\0\x01x\0\0\0\0\0\x1c\0!\0V\0a\x80}\x
> SF:08manchego\0\x01a\x01q\0\0\0\0\x04unix\x04\x0eAFPVersion\x201\.1\x0eAFP
> SF:Version\x202\.0\x0eAFPVersion\x202\.1\x06AFP2\.2\x01\tDHCAST1280\0\x8f\
> SF:xf8\xcc\x01H\x0c\xb32\(\n\x8c\xcc\|\x0f\x83\x02\xff\x01\x80\xc3\xc3\x81
> SF:\x803\xe3\xc1\x80\x0b\xd3\xc1\x80\x0b\xb1a\x80\x0b\xe0\xe1\x80\x0b\xe1\
> SF:xe1\x80\x0b\xd1\xe1\xc0\n\xc0\xe1p\x0bx\xc1\x1c\x0by\xc1\x17\x0b3\xff!\
> SF:xcb\xff\xc4@\x7f\xff\x02\x80\x1e\0\x01\xff\xff\xff\xff\x80\0\0\x01\xff\
> SF:xff\xff\xff\0\x02\x80\0\0\x02\x80\0\0\x07\xc0\0\0\x04@\0\0\x04@\0\0\x07
> SF:\xc0\0\0\x05@\0\x0f\xf9\?\xfc\0\x02\x80\0\x0f\xfc\x7f\xfc0\0\x8f\xf8\xf
> SF:c\x01\xcf\xfc\xff3\xef\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\
> SF:xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff
> SF:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x7f\xff\xff\xff\x1f\xff\xf
> SF:f\xff\x1f\xff\xff\xff\?\xff\xff\xfc\x7f\xff\xff\xfe\xff\xff\xff\xff\xff
> SF:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\0\x03\x80\0\0\x03\x80\0\0\
> SF:x07\xc0\0\0\x07\xc0\0\0\x07\xc0\0\0\x07\xc0\0\0\x07\xc0\0\xff\xff\xff\x
> SF:ff\?\xfe\xff\xff\xff\xfc\x7f\xff\x83\xc74\x11\x83\xc74\x11\x83\xc74\x11
> SF:\x83\xc74\x11\x01\x06\x01\x80;;7");
>
> The nodename is manchego.
>
> Protocol versions supported (according to wireshark)
> AFPVersion 1.1
> AFPVersion 2.0
> AFPVersion 2.1
> AFP2.2
>
> Seems like we should push the nodename and the most recent version supported in the info line.
>
> --
> Matt

Yes, that's what previous matches do and what I was hoping to achieve with my match line. However, it seems as if my Netatalk has a higher AFP version (3.1) than yours. (I'm running Netatalk 2.0.3)

My initial thought was to write a less strict match line which would match a larger signature base and would get the most recent version into the info line (assuming versions are listed in descending order). I ended up doing it the same way previous AFP matches were done. While this will require more match lines in the end it comes with the possibility of better being able to fingerprint the OS and service versions.

What would be the "best/proper" way to proceed?

//Patrik

--
Patrik Karlsson
http://www.cqure.net
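
As an added illustration (not code from this thread or from Nmap): the reply captured in the quoted fingerprint is a DSI GetStatus response, and the Python below parses that layout to recover the server name and the highest advertised AFP version without relying on the order of the version list. The function names, the `info_line` output format and the sample bytes are assumptions made for this example; the sample reuses the name and version strings from the post in a simplified layout.

```python
import re
import struct

def _pstr(buf, off):
    # Pascal string: 1 length byte + data. Returns (text, offset after it).
    end = off + 1 + buf[off]
    if end > len(buf):
        raise ValueError("string runs past end of reply")
    return buf[off + 1:end].decode("mac_roman"), end

def _pstr_list(buf, off):
    items, pos = [], off + 1          # count byte, then that many strings
    for _ in range(buf[off]):
        text, pos = _pstr(buf, pos)
        items.append(text)
    return items

def parse_getstatus(reply):
    """Parse a DSI GetStatus reply: 16-byte DSI header + FPGetSrvrInfo block."""
    try:
        flags, cmd, _id, _err, length, _rsv = struct.unpack(">BBHIII", reply[:16])
        if (flags, cmd) != (1, 3):  # 1 = reply, 3 = DSIGetStatus
            raise ValueError("not a DSI GetStatus reply")
        body = reply[16:16 + length]
        mt_off, ver_off, uam_off = struct.unpack(">HHH", body[:6])
        return {"name": _pstr(body, 10)[0],  # name follows five 2-byte fields
                "machine": _pstr(body, mt_off)[0],
                "versions": _pstr_list(body, ver_off),
                "uams": _pstr_list(body, uam_off)}
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed reply") from exc

def newest_version(versions):
    """Highest AFP version as 'major.minor', whatever order the list is in."""
    def rank(v):
        if v == "AFPX03":  # AFP 3.0 is advertised under this name
            return (3, 0)
        m = re.search(r"(\d+)\.(\d+)$", v)
        return (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    return "%d.%d" % max(map(rank, versions))

def info_line(reply):
    info = parse_getstatus(reply)
    return "name: %s; protocol %s" % (info["name"], newest_version(info["versions"]))

# Constructed sample reply: strings taken from the post, layout simplified.
_body = (struct.pack(">HHHHH", 20, 25, 78, 0, 0x807D) + b"\x08manchego\x00"
         + b"\x04unix\x04\x0eAFPVersion 1.1\x0eAFPVersion 2.0"
         + b"\x0eAFPVersion 2.1\x06AFP2.2\x01\x09DHCAST128")
SAMPLE = struct.pack(">BBHIII", 1, 3, 1, 0, len(_body), 0) + _body
```

`info_line(SAMPLE)` yields the name and the newest version even though this server lists its versions in ascending order, which is the case the descending-order assumption would get wrong.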