Nmap Development mailing list archives
Re: match lines and serialnumberd probe
From: Patrik Karlsson <patrik () cqure net>
Date: Mon, 24 May 2010 22:30:21 +0200
On 24 May 2010, at 21.28, David Fifield wrote:

> On Sun, May 23, 2010 at 07:56:19PM +0200, Patrik Karlsson wrote:
>
>> On 18 May 2010, at 17.10, David Fifield wrote:
>>
>>>> Probe UDP serialnumberd q|\x53\x4e\x51\x55\x45\x52\x59\x3a \x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x3a\x57\x38\x58\x4c\x63\x50\x3a\x78\x73\x76\x72|
>>>> rarity 8
>>>> ports 626
>>>
>>> That looked mysterious until I saw it was all ASCII; it's the same as
>>>
>>> Probe UDP serialnumberd q|SNQUERY: 127.0.0.1:W8XLcP:xsvr|
>>>
>>> So the only part that looks strange is the W8XLcP: that might be your
>>> own serial number or something. I can't test this because I don't have
>>> OS X Server. So I want to add this probe, and maybe add it as a UDP
>>> payload, once we can determine if that field varies and how. Perhaps we
>>> can replace it with a dummy value like AAAAAA.
>>
>> I've replaced the probe with the following, and it still works:
>>
>> q|SNQUERY: 127.0.0.1:AAAAAA:xsvr|
>>
>> I'm sending you the complete response off-list just in case.
>
> Okay, thanks. I added the probe, and had it print out the (rather long)
> numbers that are in the response. My hope is that by displaying them,
> someone will be inspired to find out what they all mean. I like to make
> the first match line as specific as possible, so that any deviations
> (that might disclose version differences) will be reported as new
> fingerprints.
>
> I also made a UDP payload from the probe. I'd appreciate if you would
> test
>
> nmap -sV -p 626 -sU <target>
>
> nmap -sn -PU636 <target>

The probe works well but not the payload. I changed 636 to 626 but I don't see any packets coming in to the target. Probably has something to do with my virtualization again... Anyone with access to a real OS X server that could give it a go?

> David Fifield
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/

//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
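
The equivalence of the hex-escaped and ASCII probe forms quoted above can be checked mechanically. The following is an added example, not part of the original message and not Nmap's own code: it decodes the `q|...|` string of a `Probe` line into wire bytes and re-escapes it readably. The function names are hypothetical, and treating the payload as colon-separated fields is an assumption taken from how the thread swaps in `AAAAAA`.

```python
import re

# Escapes accepted inside a q|...| probe string in nmap-service-probes.
SIMPLE = {"\\": 0x5C, "0": 0, "a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11}
PROBE_RE = re.compile(r"^Probe\s+(TCP|UDP)\s+(\S+)\s+q(.)(.*)$", re.S)

# The two probe forms quoted in the thread, embedded here as sample input.
HEX_LINE = r"Probe UDP serialnumberd q|\x53\x4e\x51\x55\x45\x52\x59\x3a \x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x3a\x57\x38\x58\x4c\x63\x50\x3a\x78\x73\x76\x72|"
ASCII_LINE = r"Probe UDP serialnumberd q|SNQUERY: 127.0.0.1:W8XLcP:xsvr|"

def decode_probe_string(escaped):
    """Return the bytes the escaped probe text puts on the wire."""
    out, i = bytearray(), 0
    while i < len(escaped):
        nxt = escaped[i + 1:i + 2]          # "" when the backslash is the last char
        if escaped[i] != "\\":
            out.append(ord(escaped[i]))     # raises ValueError on non-byte characters
            i += 1
        elif nxt == "x":
            pair = escaped[i + 2:i + 4]
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                raise ValueError(f"bad \\x escape at offset {i}")
            out.append(int(pair, 16))
            i += 4
        elif nxt in SIMPLE:
            out.append(SIMPLE[nxt])
            i += 2
        else:
            raise ValueError(f"unknown or dangling escape at offset {i}")
    return bytes(out)

def encode_probe_string(payload, delim="|"):
    """Re-escape bytes, keeping printable ASCII literal so the probe stays readable."""
    return "".join(
        "\\\\" if b == 0x5C else
        chr(b) if 0x20 <= b < 0x7F and chr(b) != delim else f"\\x{b:02x}"
        for b in payload)

def parse_probe_line(line):
    """Split a Probe directive into (protocol, name, payload bytes)."""
    m = PROBE_RE.match(line.strip())
    if not m or m.group(3) not in m.group(4):
        raise ValueError("not a well-formed Probe line")
    proto, name, delim, rest = m.groups()
    return proto, name, decode_probe_string(rest[:rest.index(delim)])

def with_dummy_field(payload, dummy=b"AAAAAA"):
    """Swap the third colon-separated field (its meaning is unknown in the thread)."""
    first, second, _, last = payload.split(b":", 3)   # ValueError if fields are missing
    return b":".join([first, second, dummy, last])
```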