Nmap Development mailing list archives

Re: match lines and serialnumberd probe


From: Patrik Karlsson <patrik () cqure net>
Date: Tue, 25 May 2010 21:24:22 +0200

Hi Samuel,

On 25 May 2010, at 07.00, Samuel Benson wrote:


On May 24, 2010, at 3:30 PM, Patrik Karlsson wrote:


On 24 May 2010, at 21.28, David Fifield wrote:

On Sun, May 23, 2010 at 07:56:19PM +0200, Patrik Karlsson wrote:

On 18 May 2010, at 17.10, David Fifield wrote:

Probe UDP serialnumberd q|\x53\x4e\x51\x55\x45\x52\x59\x3a \x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x3a\x57\x38\x58\x4c\x63\x50\x3a\x78\x73\x76\x72|
rarity 8
ports 626

That looked mysterious until I saw it was all ASCII; it's the same as

Probe UDP serialnumberd q|SNQUERY: 127.0.0.1:W8XLcP:xsvr|

So the only part that looks strange is the W8XLcP: that might be your
own serial number or something. I can't test this because I don't have
OS X Server. So I want to add this probe, and maybe add it as a UDP
payload, once we can determine if that field varies and how. Perhaps we
can replace it with a dummy value like AAAAAA.

I've replaced the probe with the following, and it still works:
q|SNQUERY: 127.0.0.1:AAAAAA:xsvr|

I'm sending you the complete response off-list just in case.

Okay, thanks. I added the probe, and had it print out the (rather long)
numbers that are in the response. My hope is that by displaying them,
someone will be inspired to find out what they all mean. I like to make
the first match line as specific as possible, so that any deviations
(that might disclose version differences) will be reported as new
fingerprints.

I also made a UDP payload from the probe. I'd appreciate if you would
test

nmap -sV -p 626 -sU <target>
nmap -sn -PU636 <target>


The probe works well but not the payload.
I changed 636 to 626 but I don't see any packets coming in to the target.
Probably has something to do with my virtualization again.....
Anyone with access to a real OS X server that could give it a go?


Host OS: 10.6.3 x86_64
Target: 10.5.8 PPC

As far as I can tell, the payload does work.
I see the payload packet being sent from laptop to the server, and the server is replying.
The problem I think nmap would run into in parsing the reply is that serialnumberd isn't sending
a response packet to the originating host. According to tcpdump, the response packet is being sent
to a multicast address, in this case 224.0.0.1:626, which if you think about it would be the best
way to detect duplicate serial numbers on a network, especially if the servers are unconfigured or
using a self-assigned IP.

I'm guessing these are actually requests, and not responses, being sent out on the multicast address.
My server keeps sending those periodically too.


Of note: if scanning the secondary NIC of the server, the primary NIC would be the one
transmitting the reply to 224.0.0.1:626.

If running several scans with a fair amount of time differential between them, the response payload
does change: :ivI7BE:xsvr, :BE5BO9:xsvr and :bGPXii:xsvr are responses garnered from the
same host.

Also of note, when the response packet hits the network my secondary server also replies, as is
expected, and answers the SNQUERY with an SNRESPS packet shaped much differently,

SNRESPS:ldap.digitalescape.info:0xA87896E21BF70D3AECB9120C54A1D8B52E2B8932:xsvr:0xC5CF122CD26B2A2C39BF90D8E7D895B60166366A:0x4bca7500:0xB0013005AD4FA83E433D450B87D684DE55D7B273:ldap.digitalescape.info

but interestingly enough, directly to the primary server which issues the SNQUERY request, not to
the multicast address.
This is what I expected to see from the server that you were scanning, at least that's what I'm seeing on 10.6.3.


Hope this was helpful.

It was, thanks!

//Patrik


      -Sam


David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
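The thread leaves two things a reader would want to check for themselves: that the escaped probe really is the ASCII string David reads it as, and what the two message shapes Sam captured (the periodic SNQUERY on 224.0.0.1:626 and the unicast SNRESPS) look like when pulled apart by field. The following is an added example, not code from nmap or from anyone in the thread. It decodes the probe escapes, rebuilds the probe with the dummy token, and classifies constructed UDP datagrams (destination address, port and payload) as serialnumberd queries or responses. The SNRESPS field names (name1, hex1, hex2, num, hex3, name2) are purely positional, since the thread does not say what the numbers mean; the six-alphanumeric shape of the token is taken from the captures quoted in the thread; the 192.0.2.x addresses and the unrelated port-53 datagram are constructed sample input.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The probe exactly as quoted in the thread (nmap-service-probes escape style),
# including the space that the mail client wrapped onto the line break.
PROBE_ESCAPED = (
    r"\x53\x4e\x51\x55\x45\x52\x59\x3a "
    r"\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x3a\x57\x38\x58\x4c\x63\x50\x3a\x78\x73\x76\x72"
)

def decode_escapes(s: str) -> bytes:
    """Decode \\xNN escapes into raw bytes; any other character passes through."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s.startswith("\\x", i) and i + 4 <= len(s):
            out.append(int(s[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(s[i]))
            i += 1
    return bytes(out)

def build_snquery(token: str = "AAAAAA", host: str = "127.0.0.1") -> bytes:
    """Assemble the probe with a dummy six-character token. Every token in the
    thread's captures is six alphanumerics, so that shape is enforced here
    (an assumption drawn from the captures, not a documented rule)."""
    if len(token) != 6 or not token.isalnum():
        raise ValueError("token must be six alphanumeric characters")
    return f"SNQUERY: {host}:{token}:xsvr".encode("ascii")

SNQUERY_RE = re.compile(rb"^SNQUERY: (?P<ip>[^:]+):(?P<token>[^:]+):xsvr$")
# Positional field names: the thread does not say what the hex values mean.
SNRESPS_RE = re.compile(
    rb"^SNRESPS:(?P<name1>[^:]+):0x(?P<hex1>[0-9A-Fa-f]{40}):xsvr:0x(?P<hex2>[0-9A-Fa-f]{40})"
    rb":0x(?P<num>[0-9A-Fa-f]{1,8}):0x(?P<hex3>[0-9A-Fa-f]{40}):(?P<name2>[^:]+)$"
)

SERIALNUMBERD_PORT = 626
MULTICAST_ALL_HOSTS = "224.0.0.1"   # the destination Sam saw the periodic SNQUERY go to

@dataclass
class SerialNumberdMsg:
    kind: str                      # "SNQUERY" or "SNRESPS"
    multicast: bool                # True when sent to 224.0.0.1 (the announcement case)
    fields: Dict[str, str] = field(default_factory=dict)

def classify_datagram(dst_ip: str, dst_port: int, payload: bytes) -> Optional[SerialNumberdMsg]:
    """Label one UDP datagram as a serialnumberd query, a response, or neither.
    Anything that is not on port 626 or does not match either shape returns None."""
    if dst_port != SERIALNUMBERD_PORT:
        return None
    multicast = dst_ip == MULTICAST_ALL_HOSTS
    for kind, pattern in (("SNQUERY", SNQUERY_RE), ("SNRESPS", SNRESPS_RE)):
        m = pattern.match(payload)
        if m:
            return SerialNumberdMsg(kind, multicast,
                                    {k: v.decode("ascii") for k, v in m.groupdict().items()})
    return None

# Constructed sample traffic modelled on the thread: the unicast probe nmap sends,
# a server's periodic multicast SNQUERY, the SNRESPS quoted in the thread (sent
# unicast to the querying host), and one unrelated datagram.
SAMPLE_DATAGRAMS: List[Tuple[str, int, bytes]] = [
    ("192.0.2.20", 626, build_snquery()),
    ("224.0.0.1", 626, b"SNQUERY: 127.0.0.1:ivI7BE:xsvr"),
    ("192.0.2.10", 626, b"SNRESPS:ldap.digitalescape.info:0xA87896E21BF70D3AECB9120C54A1D8B52E2B8932"
                        b":xsvr:0xC5CF122CD26B2A2C39BF90D8E7D895B60166366A:0x4bca7500"
                        b":0xB0013005AD4FA83E433D450B87D684DE55D7B273:ldap.digitalescape.info"),
    ("192.0.2.10", 53, b"not serialnumberd"),
]

def inventory(datagrams) -> List[Tuple[str, bool, str]]:
    """Reduce a capture to (kind, multicast?, name-or-token) rows: enough to see
    which hosts on a segment run serialnumberd and which announce on multicast."""
    rows = []
    for dst_ip, dst_port, payload in datagrams:
        msg = classify_datagram(dst_ip, dst_port, payload)
        if msg is not None:
            rows.append((msg.kind, msg.multicast,
                         msg.fields.get("name1", msg.fields.get("token", ""))))
    return rows

if __name__ == "__main__":
    print(decode_escapes(PROBE_ESCAPED))
    for row in inventory(SAMPLE_DATAGRAMS):
        print(row)
```

Fed a real capture, the multicast flag is what explains Sam's observation: nmap's service scan only sees datagrams addressed back to it, so a host whose only reply goes to 224.0.0.1 classifies as SNQUERY/multicast here and produces no match line at all, while a host that answers with a unicast SNRESPS is the one the probe can fingerprint.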