Re: Java RMI service finderprint?

[Gabriel Lawrence <gabriel.lawrence () gmail com>]

Its worth noting that there is a script:

rmi-dumpregistry

that has this as its portrule:

portrule = shortport.port_or_service({1098, 1099, 1090, 8901, 8902, 8903},
{"rmi"})

but the info in nmap-service-probes is calling the service jrmi so things
dont match up.

One or the other should really be changed to match.

cheers,
gabe

On Mon, Jun 13, 2011 at 10:38 AM, Gabriel Lawrence <
gabriel.lawrence () gmail com> wrote:

> Folks,
>
> I'm looking at finding different Java RMI servers on my network.
>
> With some help from Brandon we put together this fingerprint:
>
> ##############################NEXT PROBE##############################
> Probe TCP java-rmi q|\x4a\x52\x4d\x49\x00\x02\x4b|
> rarity 7
> ports 1024-65535
>
> match java-rmi m|^\x4e\0[\x00-\x0f]([0-9.]+)\0| p/Java Remote Method
> Invocation/ i/Client IP: $1/
>
> But, I noticed that these already existed:
>
> ##############################NEXT PROBE##############################
> Probe TCP JavaRMI q|\x4a\x52\x4d\x49\0\x02\x4b|
> rarity 8
> ports 706,1098,1099,1981
>
> match jrmi m|^\x4e..[0-9.]+\0\0..$|s p/Java RMI/
> match jrmi m|^\x4e..([\w._-]+)\0\0..$|s p/GNU Classpath grmiregistry/ h/$1/
>
> There really isnt a well known port for Java RMI. So... I'm wondering what
> history there is for the choice of ports and if its possible to open up the
> idea of expanding these to look at all the non-priv ports.
>
> Thanks,
> gabe
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/