Nmap Development mailing list archives
Re: [NSE] isakmp aggressive mode and version detection
From: David Fifield <david () bamsoftware com>
Date: Thu, 20 Dec 2012 20:39:05 -0800
On Mon, Dec 17, 2012 at 09:17:39PM +0100, Jesper Kückelhahn wrote:
> Hmmm, it seems I have some issues attaching files. I'll try attaching them once again.
This looks nice. In a version script, you should set product, vendor,
version, etc. separately, and not put all the information in the product
field. Check the XML output to see how it breaks down.
The structure of the fingerprints file seems funny to me. Here is a
sample entry:
table.insert(fingerprints, {
  category = 'fingerprint',
  vendor = 'Checkpoint',
  version = 'Firewall-1',
  vids = {
    ['4.1 Base'] =
      '^f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000000020000000000000000........',
    ['4.1 SP1'] =
      '^f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000000030000000000000000........',
    ['4.1 SP2-SP6'] =
      '^f4ed19e0c114eb516faaac0ee37daf2807b4381f0000000100000fa20000000000000000........',
    ['NG Base'] =
      '^f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000013880000000000000000........',
    ['NG FP1'] =
      '^f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000013890000000000000000........',
    ['NG FP2'] =
      '^f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138a0000000000000000........',
    ['NG FP3'] =
      '^f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138b0000000000000000........',
    ['NG AI R54'] =
      '^f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138c0000000000000000........',
    ['NG AI R55'] =
      '^f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d0000000000000000........',
  }
});
The way I think of such a database is as a list of byte patterns, each
one having an associated set of data like product, vendor, and version.
This format seems to use a common vendor and "version" (I guess this
"version" is what Nmap usually calls the "product") for a list of actual
version numbers. Maybe it makes sense to use a common block of data for
multiple fingerprints, but this format is confusing. Suppose a certain
fingerprint matches two different vendors; how do you represent that?
For each fingerprint, you should store all the information that you can
potentially set about a port. In other words, these fields:
http://nmap.org/book/nse-api.html#scripting-tbl-port-version-values
In particular, it should be possible to set "cpe" in the fingerprints
file.
What's the difference between category='fingerprint' and
category='attribute'?
David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
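A database laid out the way David describes, as an added illustration (not code from the thread or from Jesper's script): each byte pattern carries its own vendor, product, version and cpe fields, the matcher returns every entry that matches so a VID shared by two vendors is representable, and the port.version fields are set separately as the NSE API expects. The tohex/fromhex helpers stand in for stdnse.tohex so it runs under plain Lua; the CPE names, the VendorA/VendorB entries and the sample VID bytes are constructed assumptions.

```lua
-- Hypothetical restructured VID database (added illustration, not the
-- script's own code): one entry per byte pattern, each carrying the
-- port.version fields it sets. Patterns are Lua patterns over the
-- lowercase hex encoding of the VID; CPE names are assumed, not verified.
local fingerprints = {
  { pattern = "^f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000000020000000000000000........",
    vendor = "Checkpoint", product = "Firewall-1", version = "4.1 Base",
    cpe = "cpe:/a:checkpoint:firewall-1:4.1" },
  { pattern = "^f4ed19e0c114eb516faaac0ee37daf2807b4381f00000001000013880000000000000000........",
    vendor = "Checkpoint", product = "Firewall-1", version = "NG Base",
    cpe = "cpe:/a:checkpoint:firewall-1:ng" },
  -- Constructed pair sharing one pattern: the matcher must report both.
  { pattern = "^0123456789abcdef", vendor = "VendorA", product = "IKE-A", version = "1.0" },
  { pattern = "^0123456789abcdef", vendor = "VendorB", product = "IKE-B", version = "2.0" },
}
local function tohex(s)  -- stdnse.tohex does this inside Nmap
  local t = {}
  for i = 1, #s do t[i] = string.format("%02x", s:byte(i)) end
  return table.concat(t)
end
local function fromhex(h)  -- builds constructed VID bytes from hex text
  return (h:gsub("%x%x", function(b) return string.char(tonumber(b, 16)) end))
end
-- Return every matching entry, so a VID shared by several products yields all of them.
local function match_vid(vid)
  local hex, hits = tohex(vid), {}
  for _, fp in ipairs(fingerprints) do
    if hex:find(fp.pattern) then hits[#hits + 1] = fp end
  end
  return hits
end
-- Fill the separate port.version fields the NSE API expects; an ambiguous
-- match records the alternatives in extrainfo instead of guessing.
local function set_version(port, hits)
  if #hits == 0 then return false end
  port.version.name = "isakmp"
  if #hits == 1 then
    port.version.product, port.version.version = hits[1].product, hits[1].version
    port.version.cpe = hits[1].cpe and { hits[1].cpe } or nil
  else
    local alts = {}
    for i, fp in ipairs(hits) do alts[i] = fp.vendor .. " " .. fp.product .. " " .. fp.version end
    port.version.extrainfo = "ambiguous VID: " .. table.concat(alts, " or ")
  end
  return true
end
-- Constructed VIDs: the "4.1 Base" bytes (plus 4 bytes for "........") and the shared one.
local p1, p2 = { version = {} }, { version = {} }
set_version(p1, match_vid(fromhex("f4ed19e0c114eb516faaac0ee37daf2807b4381f0000000100000002000000000000000000000000")))
set_version(p2, match_vid(fromhex("0123456789abcdef")))
print(p1.version.product, p1.version.version, p2.version.extrainfo)
```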