Nmap Development mailing list archives

Re: pgsql-brute and PostgreSQL match lines


From: Tom Sellers <nmap () fadedcode net>
Date: Sat, 22 May 2010 13:43:02 -0500

On 2/6/10 4:51 PM, Patrik Karlsson wrote:
Hi all,

I just finished pgsql-brute.nse, a script that allows password guessing against PostgreSQL servers and the supporting 
pgsql.lua library used for both version 2 and 3 of the protocol.

While developing the script I also noticed that the fingerprinting of PostgreSQL running version 3 of the protocol could be improved a lot 
as error messages contain the file in which the error occurred and the line number. Currently, the SMBProgNeg probe triggers the error 
"Unsupported frontend protocol" with this information, but a too generic match always returns "PostgreSQL DB". Yesterday 
I therefore started installing quite a few virtual machines in order to pull the error messages from a number of different PostgreSQL DB 
versions. Halfway through it, HD Moore announced this on Twitter: http://blog.metasploit.com/2010/02/postgres-fingerprinting.html

Well, what are the odds? Anyway, I've looked at the code and that plugin is basing its matching on the error message 
returned by an incorrect login. I suppose this is possible now with the new library, and could benefit from the fingerprinting already 
done, but it's more intrusive and requires a version script (as more than one packet is sent) rather than the use of the 
existing SMBProgNeg probe.

I've collected fingerprints from the following versions and so far they've all returned a different line number for the 
same error message:
- PostgreSQL 8.0.21 - FreeBSD
- PostgreSQL 8.1.17 - FreeBSD
- PostgreSQL 8.2.13 - FreeBSD
- PostgreSQL 8.3.7 - FreeBSD
- PostgreSQL 8.4.0 - FreeBSD
- PostgreSQL 8.4.2 - Linux
- PostgreSQL 8.4.2 - Windows

The attached patch adds those fingerprints and kills the generic wide match that prevents this detailed matching from 
being done. The matches currently match the whole server response rather than the file name and line number, but the 
error packet is static enough I believe. Have a look under ErrorResponse here for more details: 
http://developer.postgresql.org/pgdocs/postgres/protocol-message-formats.html

//Patrik


Anyone have any objections to me adding a softmatch to the nmap-service-probes file that
would identify the service as PostgreSQL while still printing the fingerprint block?

The line I had in mind was

softmatch postgresql m|E\0\0\0\x84SFATAL\0C0A000\0Munsupported frontend protocol 65363| p/PostgreSQL DB/

This would help me with my service queries against the XML files while still providing
the fingerprint block so that we can continue to refine the detection.

Thanks much,

Tom

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
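The two-level matching discussed in this thread (a softmatch that names the service, then a fine match on the file name and line number inside the ErrorResponse) can be illustrated with a small decoder for the v3 ErrorResponse message format. This is an added example, not code from the thread or from Nmap; the file name, line numbers and routine name in the sample messages are constructed placeholders, not real fingerprints collected from any PostgreSQL version.

```python
import struct

# Field type bytes defined for ErrorResponse in the v3 protocol.
FIELD_NAMES = {
    b"S": "severity",
    b"C": "sqlstate",
    b"M": "message",
    b"F": "file",
    b"L": "line",
    b"R": "routine",
}


def build_error_response(fields):
    """Encode a v3 ErrorResponse: 'E', a self-inclusive big-endian int32
    length, then one type byte plus NUL-terminated string per field,
    closed by a single zero byte. Used here only to construct samples."""
    body = b"".join(code + value.encode() + b"\x00" for code, value in fields)
    body += b"\x00"
    return b"E" + struct.pack(">I", len(body) + 4) + body


def is_error_response(data):
    """True when data is a complete, well-formed ErrorResponse."""
    if len(data) < 5 or data[0:1] != b"E":
        return False
    (length,) = struct.unpack(">I", data[1:5])
    return length >= 4 and len(data) >= 1 + length


def parse_error_response(data):
    """Return the ErrorResponse fields as a dict keyed by field name."""
    if not is_error_response(data):
        raise ValueError("not a complete ErrorResponse")
    (length,) = struct.unpack(">I", data[1:5])
    body = data[5:1 + length]          # length counts its own four bytes
    fields = {}
    pos = 0
    while pos < len(body):
        code = body[pos:pos + 1]
        if code == b"\x00":             # terminator of the field list
            break
        end = body.find(b"\x00", pos + 1)
        if end < 0:
            raise ValueError("unterminated field")
        value = body[pos + 1:end].decode("utf-8", "replace")
        fields[FIELD_NAMES.get(code, code.decode("latin-1"))] = value
        pos = end + 1
    return fields


def softmatch_service(data):
    """Coarse match: the FATAL/0A000 'unsupported frontend protocol' error
    identifies the service as PostgreSQL regardless of version."""
    f = parse_error_response(data)
    if (f.get("severity") == "FATAL" and f.get("sqlstate") == "0A000"
            and f.get("message", "").startswith("unsupported frontend protocol")):
        return "postgresql"
    return None


def fingerprint(data):
    """Fine match key: the source file and line number reported in the
    error, which is what varies between server versions."""
    f = parse_error_response(data)
    return (f.get("file"), f.get("line"))


# Constructed samples: same error text, different (placeholder) line numbers.
SAMPLE_A = build_error_response([
    (b"S", "FATAL"), (b"C", "0A000"),
    (b"M", "unsupported frontend protocol 65363.19778: server supports 1.0 to 3.0"),
    (b"F", "postmaster.c"), (b"L", "1234"), (b"R", "ProcessStartupPacket"),
])
SAMPLE_B = build_error_response([
    (b"S", "FATAL"), (b"C", "0A000"),
    (b"M", "unsupported frontend protocol 65363.19778: server supports 1.0 to 3.0"),
    (b"F", "postmaster.c"), (b"L", "5678"), (b"R", "ProcessStartupPacket"),
])

if __name__ == "__main__":
    for sample in (SAMPLE_A, SAMPLE_B):
        print(softmatch_service(sample), fingerprint(sample))
```

Both samples softmatch to the same service name, while the fingerprint tuple differs only in the line field, which is why a match keyed on the F and L fields carries the version information that a generic whole-response match throws away.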
