Nmap Development mailing list archives

Re: DNS-SD probe issues


From: David Fifield <david () bamsoftware com>
Date: Mon, 1 Feb 2010 13:17:13 -0700

On Mon, Feb 01, 2010 at 09:11:17PM +0100, Patrik Karlsson wrote:
> Hi All,
>
> The DNS-SD probe in nmap-service-probes fails to discover one of my
> boxes running Avahi and incorrectly discovers the other one as "Apple
> mDNSResponder". The reason the first box isn't discovered is that it
> contains 10 entries which translates to \n and fails matching the ..
> (two dots) in the match line.
>
> The reason for the incorrect match is that the packet from Avahi is
> identical with the packet from the Apple mDNSResponder. There's really
> not much place for uniqueness in these packets and I'm guessing it may
> be difficult to distinguish products by sending legitimate/correct
> queries.
>
> -- Unmatched packet
> SF-Port5353-UDP:V=5.21%I=0%D=2/1%Time=4B66F6E7%P=i386-apple-darwin10.2.0%r
> SF:(DNS-SD,10F,"\0\0\x84\0\0\x01\0\n\0\0\0\0\t_services\x07_dns-sd\x04_udp
> SF:\x05local\0\0\x0c\0\x01\xc0\x0c\0\x0c\0\x01\0\0\0\n\0\x14\x0c_workstati
> SF:on\x04_tcp\xc0#\xc0\x0c\0\x0c\0\x01\0\0\0\n\0\x07\x04_ssh\xc0G\xc0\x0c\
> SF:0\x0c\0\x01\0\0\0\n\0\x0c\t_sftp-ssh\xc0G\xc0\x0c\0\x0c\0\x01\0\0\0\n\0
> SF:\x07\x04_smb\xc0G\xc0\x0c\0\x0c\0\x01\0\0\0\n\0\x07\x04_ftp\xc0G\xc0\x0
> SF:c\0\x0c\0\x01\0\0\0\n\0\x0f\x0c_device-info\xc0G\xc0\x0c\0\x0c\0\x01\0\
> SF:0\0\n\0\x0e\x0b_afpovertcp\xc0G\xc0\x0c\0\x0c\0\x01\0\0\0\n\0\x07\x04_r
> SF:sp\xc0G\xc0\x0c\0\x0c\0\x01\0\0\0\n\0\x08\x05_daap\xc0G\xc0\x0c\0\x0c\0
> SF:\x01\0\0\0\n\0\x08\x05_http\xc0G");
>
> -- Packet matched as Apple mDNSResponder
> SF-Port5353-UDP:V=5.21%I=0%D=2/1%Time=4B66FAA2%P=i386-apple-darwin10.2.0%r
> SF:(DNS-SD,4E,"\0\0\x84\0\0\x01\0\x01\0\0\0\0\t_services\x07_dns-sd\x04_ud
> SF:p\x05local\0\0\x0c\0\x01\xc0\x0c\0\x0c\0\x01\0\0\0\n\0\x14\x0c_workstat
> SF:ion\x04_tcp\xc0#");

Just send things like this to the service submission/correction page.
The DNS-SD matches are pretty new, and matches generally start out
specific and become looser as corrections are submitted.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
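
The newline problem reported in this thread, reproduced as an added example (not code from the thread or from Nmap). The packet bytes are copied from the two fingerprints above; `PATTERN` is a hypothetical stand-in for the real match line, which the thread does not quote, and the function names are this example's own.

```python
import re
import struct

# Bytes copied from the two fingerprints in the post; nmap's escapes
# (\0, \n, \t, \xNN) are also valid Python bytes escapes.
QUESTION = b"\t_services\x07_dns-sd\x04_udp\x05local\0\0\x0c\0\x01"
# Header and question (first 46 bytes) of the unmatched response.
UNMATCHED_PREFIX = b"\0\0\x84\0\0\x01\0\n\0\0\0\0" + QUESTION
# The complete 0x4E-byte response that did match.
MATCHED = (b"\0\0\x84\0\0\x01\0\x01\0\0\0\0" + QUESTION +
           b"\xc0\x0c\0\x0c\0\x01\0\0\0\n\0\x14\x0c_workstation\x04_tcp\xc0#")

# Hypothetical pattern (assumption, not the real match line): ".." stands
# in for the two bytes of the answer count.
PATTERN = (rb"^\0\0\x84\0\0\x01..\0\0\0\0"
           rb"\t_services\x07_dns-sd\x04_udp\x05local\0\0\x0c\0\x01")


def answer_count(packet):
    """Return ANCOUNT, the fourth 16-bit field of the DNS header."""
    return struct.unpack("!6H", packet[:12])[3]


def matches(packet, dotall=False):
    """Apply PATTERN; dotall=True lets '.' match the newline byte."""
    return re.search(PATTERN, packet, re.DOTALL if dotall else 0) is not None


def failing_counts():
    """Answer counts whose encoding breaks '..' because a byte is 0x0a."""
    def header(n):
        return b"\0\0\x84\0\0\x01" + struct.pack("!H", n) + b"\0\0\0\0" + QUESTION
    return [n for n in range(65536) if not matches(header(n))]


if __name__ == "__main__":
    for name, pkt in (("matched", MATCHED), ("unmatched", UNMATCHED_PREFIX)):
        print(name, "ANCOUNT =", answer_count(pkt),
              "| '.' excludes newline:", matches(pkt),
              "| '.' includes newline:", matches(pkt, dotall=True))
    print("answer counts that can never match:", len(failing_counts()))
```

In nmap-service-probes the counterpart of `re.DOTALL` is the `s` option placed after the closing delimiter of the match pattern, which makes `.` include newlines.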