Re: nmap-dev Digest, Vol 70, Issue 43

[viswanath emani <viswanath.emani () gmail com>]

Thanks for the information Rob.

On Thu, Jan 20, 2011 at 1:30 AM, <nmap-dev-request () insecure org> wrote:

> Send nmap-dev mailing list submissions to
>        nmap-dev () insecure org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        http://cgi.insecure.org/mailman/listinfo/nmap-dev
> or, via email, send a message with subject or body 'help' to
>        nmap-dev-request () insecure org
>
> You can reach the person managing the list at
>        nmap-dev-owner () insecure org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of nmap-dev digest..."
>
>
> Today's Topics:
>
>   1. Probe for Windows 2008 R2 (viswanath emani)
>   2. Re: Probe for Windows 2008 R2 (Rob Nicholls)
>   3. New VA Modules: OpenVAS: 2, Nessus: 9
>      (New VA Module Alert Service)
>   4. Re: Zenmap Crashing and CPU Utilisation hangs at 50%
>      (David Fifield)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 19 Jan 2011 18:44:37 +0530
> From: viswanath emani <viswanath.emani () gmail com>
> Subject: Probe for Windows 2008 R2
> To: nmap-dev () insecure org, nmap-dev-owner () insecure org
> Message-ID:
>        <AANLkTik8Lj+GRWNYRdWPqd7FRbhddxmQBk0n_HEO+D6O () mail gmail 
> com<AANLkTik8Lj%2BGRWNYRdWPqd7FRbhddxmQBk0n_HEO%2BD6O () mail gmail com>
> >
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi,
>
> Could you please let me know if there is a match available to identify
> Windows 2008 R2.
>
> Regards,
> Viswanath.
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 19 Jan 2011 14:53:28 +0000
> From: Rob Nicholls <robert () robnicholls co uk>
> Subject: Re: Probe for Windows 2008 R2
> To: viswanath emani <viswanath.emani () gmail com>
> Cc: nmap-dev () insecure org
> Message-ID: <3d63e8c6902418ea890d93ccd6f63f41 () robnicholls co uk>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
>  Hi,
>
>  I can see two matches in the latest nmap-os-db file that are specific
>  to 2008 R2:
>
>  # Windows Server 2008 R2 Standard 7600
>  Fingerprint Microsoft Windows Server 2008 R2
>  Class Microsoft | Windows | 2008 | general purpose
>  SEQ(SP=EC-10A%GCD=1-6%ISR=104-110%TI=I%TS=7)
>
>  OPS(O1=M564NW8ST11%O2=M564NW8ST11%O3=M564NW8NNT11%O4=M564NW8ST11%O5=M564NW8ST11%O6=M564ST11)
>  WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
>  ECN(R=Y%DF=Y%T=7B-85%TG=80%W=2000%O=M564NW8NNS%CC=N%Q=)
>  T1(R=Y%DF=Y%T=7B-85%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
>  T2(R=N)
>  T3(R=N)
>  T4(R=N)
>  T5(R=Y%DF=Y%T=7B-85%TG=80%W=0%S=O%A=S+%F=AR%O=%RD=0%Q=)
>  T6(R=N)
>  T7(R=N)
>  U1(DF=N%T=7B-85%TG=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
>  IE(R=N)
>
>  # Windows Server 2008 R2 Enterprise 7600
>  Fingerprint Microsoft Windows Server 2008 R2
>  Class Microsoft | Windows | 2008 | general purpose
>  SEQ(SP=100-10A%GCD=1-6%ISR=106-110%TI=I%CI=I%II=I%SS=S%TS=7)
>
>  OPS(O1=M5B4NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT11%O4=M5B4NW8ST11%O5=M5B4NW8ST11%O6=M5B4ST11)
>  WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
>  ECN(R=N)
>  T1(R=Y%DF=Y%T=7B-85%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
>  T2(R=Y%DF=Y%T=7B-85%TG=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
>  T3(R=Y%DF=Y%T=7B-85%TG=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)
>  T4(R=Y%DF=Y%T=7B-85%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
>  T5(R=Y%DF=Y%T=7B-85%TG=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
>  T6(R=Y%DF=Y%T=7B-85%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
>  T7(R=Y%DF=Y%T=7B-85%TG=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
>  U1(DF=N%T=7B-85%TG=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
>  IE(DFI=N%T=7B-85%TG=80%CD=Z)
>
>  But because of the strong similarities in the network stack between
>  Vista, 2008, 2008 R2 and Windows 7, it's not typically possible for Nmap
>  to distinguish between 2008 R2 and the other Windows variants (Windows 7
>  x64 and 2008 R2 share the same codebase, so have an identical network
>  stack):
>
>  For example, a scan I've just completed of a 2008 R2 host has
>  identified it as:
>
>  Running: Microsoft Windows 2008|7|Vista
>  OS details: Microsoft Windows Server 2008, Microsoft Windows 7
>  Professional, Microsoft Windows Vista SP0 or SP1, Server 2008 SP1, or
>  Windows 7
>
>  The only way I could tell that this is running 2008 R2 would be to look
>  at the services (e.g. SMB, DNS, IIS) to identify version numbers. For
>  example, Nmap will identify a 2008 host as running Microsoft DNS
>  6.0.6002 and a 2008 R2 host as running Microsoft DNS 6.1.7600.
>
>  Rob
>
>  On Wed, 19 Jan 2011 18:44:37 +0530, viswanath emani wrote:
> > Hi,
> >
> > Could you please let me know if there is a match available to
> > identify
> > Windows 2008 R2.
> >
> > Regards,
> > Viswanath.
> > _______________________________________________
> > Sent through the nmap-dev mailing list
> > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > Archived at http://seclists.org/nmap-dev/
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 19 Jan 2011 10:00:42 -0800 (PST)
> From: New VA Module Alert Service <postmaster () insecure org>
> Subject: New VA Modules: OpenVAS: 2, Nessus: 9
> To: nmap-dev () insecure org
> Message-ID: <20110119180042.54366B2047 () web insecure org>
> Content-Type: text/plain; charset="utf-8"
>
> This report describes any new scripts/modules/exploits added to Nmap,
> OpenVAS, Metasploit, and Nessus since yesterday.
>
> == OpenVAS plugins (2) ==
>
> r10020 103034 gb_joostina_45732.nasl
>
> http://wald.intevation.org/plugins/scmsvn/viewcvs.php/trunk/openvas-plugins/scripts/gb_joostina_45732.nasl?root=openvas&view=markup
> Joostina 'index.php' Cross Site Scripting Vulnerability
>
> r10020 103033 gb_ccms_45819.nasl
>
> http://wald.intevation.org/plugins/scmsvn/viewcvs.php/trunk/openvas-plugins/scripts/gb_ccms_45819.nasl?root=openvas&view=markup
> CompactCMS Multiple Cross Site Scripting Vulnerabilities
>
> == Nessus plugins (9) ==
>
> 51572 ubuntu_USN-1044-1.nasl
> http://nessus.org/plugins/index.php?view=single&id=51572
> USN1044-1 : dbus vulnerability
>
> 51571 redhat-RHSA-2011-0164.nasl
> http://nessus.org/plugins/index.php?view=single&id=51571
> RHSA-2011-0164: mysql
>
> 51570 redhat-RHSA-2011-0163.nasl
> http://nessus.org/plugins/index.php?view=single&id=51570
> RHSA-2011-0163: kernel
>
> 51569 redhat-RHSA-2011-0162.nasl
> http://nessus.org/plugins/index.php?view=single&id=51569
> RHSA-2011-0162: kernel
>
> 51568 freebsd_pkg_4c0173451d8911e0bbee0014a5e3cda6.nasl
> http://nessus.org/plugins/index.php?view=single&id=51568
> FreeBSD : MoinMoin -- cross-site scripting vulnerabilities (5373)
>
> 51567 freebsd_pkg_2c2d4e83237011e0a91b00e0815b8da8.nasl
> http://nessus.org/plugins/index.php?view=single&id=51567
> FreeBSD : tarsnap -- cryptographic nonce reuse (5372)
>
> 51566 fedora_2011-0470.nasl
> http://nessus.org/plugins/index.php?view=single&id=51566
> Fedora 14 2011-0470
>
> 51565 fedora_2011-0099.nasl
> http://nessus.org/plugins/index.php?view=single&id=51565
> Fedora 14 2011-0099
>
> 51564 blogengine_getfile_accessible.nasl
> http://nessus.org/plugins/index.php?view=single&id=51564
> BlogEngine.NET api/BlogImporter.asmx GetFile Function Unauthorized
> Access
>
> ------------------------------
>
> Message: 4
> Date: Wed, 19 Jan 2011 10:39:05 -0800
> From: David Fifield <david () bamsoftware com>
> Subject: Re: Zenmap Crashing and CPU Utilisation hangs at 50%
> To: Rob Nicholls <robert () robnicholls co uk>
> Cc: Ray Middleton <ray.middleton () gmail com>, nmap-dev () insecure org
> Message-ID: <20110119183904.GA19700 () gusto bamsoftware com>
> Content-Type: text/plain; charset=us-ascii
>
> On Wed, Jan 19, 2011 at 10:23:01AM +0000, Rob Nicholls wrote:
> > On Tue, 18 Jan 2011 22:22:59 -0800, David Fifield wrote:
> > > Guys, I think this is greatly ameliorated in r21861. Please give it a
> > > try. I made it update the text field incrementally, and also apply
> > > new
> > > highlighting incrementally. I can "nmap --packet-trace -p- localhost"
> > > without much delay, with highlighting on.
> >
> > I'm guessing you might not have tested the new incremental update
> > code on Windows (it works as before/expected on Linux), as I don't
> > get to see any scan results until the entire scan has completed. The
> > highlighting seems to work fine though (from memory it looks
> > identical to before), and it didn't freeze/crash.
>
> You're right, I didn't test it on Windows. It didn't work for me either
> when I tried it. I did something different in r21875, please try it.
>
> David Fifield
>
>
> ------------------------------
>
> _______________________________________________
> nmap-dev mailing list
> nmap-dev () insecure org
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
>
>
> End of nmap-dev Digest, Vol 70, Issue 43
> ****************************************
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/