Nmap Development mailing list archives

Re: match lines and serialnumberd probe


From: Patrik Karlsson <patrik () cqure net>
Date: Mon, 24 May 2010 22:30:21 +0200


On 24 maj 2010, at 21.28, David Fifield wrote:

On Sun, May 23, 2010 at 07:56:19PM +0200, Patrik Karlsson wrote:

On 18 maj 2010, at 17.10, David Fifield wrote:

Probe UDP serialnumberd q|\x53\x4e\x51\x55\x45\x52\x59\x3a \x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x3a\x57\x38\x58\x4c\x63\x50\x3a\x78\x73\x76\x72|
rarity 8
ports 626

That looked mysterious until I saw it was all ASCII; it's the same as

Probe UDP serialnumberd q|SNQUERY: 127.0.0.1:W8XLcP:xsvr|

So the only part that looks strange is the W8XLcP: that might be your
own serial number or something. I can't test this because I don't have
OS X Server. So I want to add this probe, and maybe add it as a UDP
payload, once we can determine if that field varies and how. Perhaps we
can replace it with a dummy value like AAAAAA.

I've replaced the probe with the following, and it still works:
q|SNQUERY: 127.0.0.1:AAAAAA:xsvr|

I'm sending you the complete response off-list just in case.

Okay, thanks. I added the probe, and had it print out the (rather long)
numbers that are in the response. My hope is that by displaying them,
someone will be inspired to find out what they all mean. I like to make
the first match line as specific as possible, so that any deviations
(that might disclose version differences) will be reported as new
fingerprints.

I also made a UDP payload from the probe. I'd appreciate if you would test

nmap -sV -p 626 -sU <target>
nmap -sn -PU636 <target>


The probe works well but not the payload.
I changed 636 to 626 but I don't see any packets coming in to the target.
Probably has something to do with my virtualization again...
Anyone with access to a real OS X server that could give it a go?


David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
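As an added example (not from the thread and not Nmap's own code), a small Python parser for a Probe entry in nmap-service-probes syntax. It decodes the q|...| escapes, which is what shows that the hex-encoded serialnumberd probe and the plain-ASCII spelling are the same bytes, and it swaps the apparent serial-number field for the AAAAAA dummy value that was tested in the thread. The entry text is the one from the thread with the wrapped lines rejoined; the helper names, the three-field split of the payload and the sample directives are my assumptions, and the response is not modelled because its format is not given here.

```python
import re

# Escape sequences Nmap documents for q<delim>...<delim> strings:
# \\, \0, \a, \b, \f, \n, \r, \t, \v and \xHH.
_SIMPLE_ESCAPES = {
    "\\": b"\\", "0": b"\x00", "a": b"\x07", "b": b"\x08", "f": b"\x0c",
    "n": b"\n", "r": b"\r", "t": b"\t", "v": b"\x0b",
}

# Constructed from the probe posted in the thread, wrapped lines rejoined.
SERIALNUMBERD_ENTRY = r"""
Probe UDP serialnumberd q|\x53\x4e\x51\x55\x45\x52\x59\x3a \x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x3a\x57\x38\x58\x4c\x63\x50\x3a\x78\x73\x76\x72|
rarity 8
ports 626
"""


def decode_probe_string(quoted):
    """Decode a q<delim>...<delim> probe string (any delimiter) into raw bytes."""
    if len(quoted) < 3 or quoted[0] != "q" or quoted[-1] != quoted[1]:
        raise ValueError("expected a q<delim>...<delim> probe string")
    body = quoted[2:-1]
    out = bytearray()
    i = 0
    while i < len(body):
        c = body[i]
        if c != "\\":
            out += c.encode("latin-1")
            i += 1
            continue
        if i + 1 >= len(body):
            raise ValueError("dangling backslash at end of probe string")
        e = body[i + 1]
        if e == "x":
            hexpart = body[i + 2:i + 4]
            if not re.fullmatch(r"[0-9a-fA-F]{2}", hexpart):
                raise ValueError("bad \\x escape at offset %d" % i)
            out.append(int(hexpart, 16))
            i += 4
        elif e in _SIMPLE_ESCAPES:
            out += _SIMPLE_ESCAPES[e]
            i += 2
        else:
            raise ValueError("unknown escape \\%s" % e)
    return bytes(out)


def encode_probe_string(data, delim="|"):
    """Render bytes as q<delim>...<delim>, hex-escaping non-printables and the delimiter."""
    parts = []
    for b in data:
        ch = chr(b)
        if ch == "\\":
            parts.append("\\\\")
        elif 0x20 <= b < 0x7F and ch != delim:
            parts.append(ch)
        else:
            parts.append("\\x%02x" % b)
    return "q" + delim + "".join(parts) + delim


def parse_probe_entry(text):
    """Parse the Probe/rarity/ports/sslports directives of one entry into a dict.

    match/softmatch lines are out of scope for this helper (assumption).
    """
    entry = {"ports": [], "sslports": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"Probe\s+(TCP|UDP)\s+(\S+)\s+(q\S.*)$", line)
        if m:
            entry["protocol"], entry["name"] = m.group(1), m.group(2)
            entry["probe"] = decode_probe_string(m.group(3).rstrip())
            continue
        m = re.match(r"rarity\s+(\d)$", line)
        if m:
            entry["rarity"] = int(m.group(1))
            continue
        m = re.match(r"(ports|sslports)\s+(\S+)$", line)
        if m:
            for part in m.group(2).split(","):
                lo, _, hi = part.partition("-")
                entry[m.group(1)].extend(range(int(lo), int(hi or lo) + 1))
            continue
        raise ValueError("unrecognised directive: " + line)
    return entry


def neutralise_serial_field(probe, dummy=b"AAAAAA"):
    """Replace the middle colon-separated field (the apparent serial number) with a dummy.

    The 'SNQUERY: <addr>:<serial>:<tag>' layout is an assumption drawn from the thread.
    """
    head, sep, tail = probe.partition(b": ")
    fields = tail.split(b":")
    if not sep or len(fields) != 3:
        raise ValueError("unexpected field layout in probe")
    fields[1] = dummy
    return head + sep + b":".join(fields)


if __name__ == "__main__":
    entry = parse_probe_entry(SERIALNUMBERD_ENTRY)
    print(entry["protocol"], entry["name"], entry["ports"], "rarity", entry["rarity"])
    print(entry["probe"])                                   # the all-ASCII form
    print(encode_probe_string(neutralise_serial_field(entry["probe"])))
```

The decoder accepts only the escapes Nmap documents and rejects anything else, so a hand-edited probe line with a typo fails loudly instead of silently sending different bytes; round-tripping through `encode_probe_string` gives the short spelling that is easier to review than the hex one.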
