Nmap Development mailing list archives

Re: salt in version probes


From: Toni Ruottu <toni.ruottu () iki fi>
Date: Thu, 5 May 2011 16:48:34 +0300

After pondering Teredo probing for a while, my feeling is that we
probably cannot distinguish between different Teredo implementations
very easily. Would it still make sense to send the Teredo probe just
to match the protocol, even if we cannot match the product or
version?

On Wed, May 4, 2011 at 4:38 PM, Toni Ruottu <toni.ruottu () iki fi> wrote:
These probes are probably fine, but I don't want to add them without any
matchlines. It's kind of a minimum barrier to entry to try a new probe
against a known server and add a match for it. (And ideally, try it
against two different servers, and get distinguishable responses.) I
notice that some of the stun-br responses contain the string
"Vovida\.org\x200\.96\", which looks like a nice server name and version
number for http://www.voip-info.org/wiki/view/Vovida.org+STUN+server. So
if you can test that, we'll add the probe.

I tested the stun probe with Vovida.org and Jstun. Vovida.org is
recognizable, while Jstun seems too generic to be distinguished. I also
tested the Cornell stunt server, but it turned out to be too different to
generate any kind of response. I could not get the server to compile,
so I only tested that against a hosted version, however.

I have attached a file with the probe, and three match lines. One
matches servers like Vovida that provide version information
explicitly, one matches servers that are too generic to be
distinguished from each other, and the last softmatch matches any
valid binding success response, which would indicate that we have
found a stun service, even if we do not know the product name or
version.

You can try the probes with
nmap -sU -sV -p 3478 stun.xten.com stun1.noc.ams-ix.net
stun.voipbuster.com stun.voxgratia.org jstun.javawi.de -PN

The version information is a free-form text field, and I am a bit
worried that the product name and version number might sometimes be in
a different order or be separated by multiple spaces, but I have not
seen that. Should we address that later when it becomes a problem?

This email only contains the stun probe and match lines. I will take a
look at teredo separately.

cheers, --Toni
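As an added illustration (not code from this post or from Nmap), the three-way match described above, applied to constructed STUN binding responses. The SERVER attribute type 0x8022 and the 20-byte header layout come from RFC 3489; treating a missing SERVER attribute as the "generic" case and an unparsable one as the bare softmatch is this example's assumption, not the post's actual match lines.

```python
import re
import struct

# Constants from RFC 3489; the SERVER attribute (0x8022) is renamed SOFTWARE in RFC 5389.
STUN_BINDING_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_SERVER = 0x8022
# Product name, then a version starting with a digit; tolerant of multiple spaces between them.
VERSION_RE = re.compile(r"^(?P<product>\S+)\s+(?P<version>\d[\w.]*)$")

def parse_stun(data):
    """Return (message type, {attribute type: value}) or None if the message is malformed."""
    if len(data) < 20:
        return None
    msg_type, msg_len = struct.unpack("!HH", data[:4])
    if msg_len != len(data) - 20:  # header length must match what was received
        return None
    attrs, pos = {}, 20
    while pos + 4 <= len(data):
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if len(value) != alen:  # truncated attribute
            return None
        attrs[atype] = value
        pos += 4 + alen + (-alen % 4)  # attribute values are padded to 4 bytes
    return msg_type, attrs

def classify(data):
    """Mirror the three match lines: explicit version, generic server, or bare softmatch."""
    parsed = parse_stun(data)
    if parsed is None or parsed[0] != STUN_BINDING_RESPONSE or ATTR_MAPPED_ADDRESS not in parsed[1]:
        return None  # not a binding success response: nothing matches
    server = parsed[1].get(ATTR_SERVER)
    if server is None:
        return ("generic",)  # only mandatory attributes: indistinguishable servers (assumption)
    m = VERSION_RE.match(server.decode("ascii", "replace").strip())
    if m:
        return ("version", m.group("product"), m.group("version"))
    return ("softmatch",)  # valid response, but free-form text we cannot parse

def build_response(attrs):
    """Build a constructed binding success response (all-zero transaction ID) for testing."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v + bytes(-len(v) % 4) for t, v in attrs)
    return struct.pack("!HH", STUN_BINDING_RESPONSE, len(body)) + bytes(16) + body

# Constructed samples: MAPPED-ADDRESS for 192.0.2.1:3478, SERVER text as seen from Vovida.
MAPPED = b"\x00\x01" + struct.pack("!H", 3478) + bytes([192, 0, 2, 1])
VOVIDA = build_response([(ATTR_MAPPED_ADDRESS, MAPPED), (ATTR_SERVER, b"Vovida.org 0.96")])
GENERIC = build_response([(ATTR_MAPPED_ADDRESS, MAPPED)])
```

The regex also accepts the multiple-space case raised later in the post; a reversed product/version order would still fall through to the softmatch.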

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

