Service probes question

[Eric Buggenhout <eric.buggenhout () gmail com>]

Hi list,


I'm running the following scan : "nmap -p80 -sV XXX.XXX.XXX.XXX" and
analysing the nmap traffic with wireshark.
I see some GET and OPTION requests but after that there are some probes
that generate "HTTP/1.1 400 Bad Request" so I checked out which probes were
sent out.

For example this data :


00:5a:00:00:01:00:00:00:01:36:01:2c:00:00:08:00:7f:ff:7f:08:00:00:00:01:00:20:00:3a:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:34:e6:00:00:00:01:00:00:00:00:00:00:00:00:28:43:4f:4e:4e:45:43:54:5f:44:41:54:41:3d:28:43:4f:4d:4d:41:4e:44:3d:76:65:72:73:69:6f:6e:29:29


Which maps to this in nmap-service-probes :

Probe TCP oracle-tns
q|\0Z\0\0\x01\0\0\0\x016\x01,\0\0\x08\0\x7F\xFF\x7F\x08\0\0\0\x01\0
\0:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\04\xE6\0\0\0\x01\0\0\0\0\0\0\0\0(CONNECT_DATA=(COMMAND=version))|
rarity 7
ports 1035,1521,1522,1525,1526,1574,1748,1754,14238,20000




Why is nmap using this probe when I'm scanning on port 80?



Thanks in advance!

Eric
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/