Nmap Development mailing list archives

Re: [NSE] isakmp aggressive mode and version detection


From: Jesper Kückelhahn <dev.kyckel () gmail com>
Date: Sun, 27 Jan 2013 22:22:36 +0100

Hi David,

Thanks for testing, it's nice to see it's working. In order for the version detection to work, the service needs to 
send at least one known Vendor ID, which it doesn't in this case. In a successful scenario it will produce the
following (debugging) output:

NSE: IKE: Found IKE Header: 01: SA
NSE: IKE: Found IKE Header: 0D: VID - 1e2b516905991c7d7c96fcbfb587e46100000002
NSE: IKE: Found IKE Header: 0D: VID - 4048b7d56ebce88525e7de7f00d6c2d3
NSE: IKE: Found IKE Header: 0D: VID - 90cb80913ebb696e086381b5ec427b1f
Fetchfile found /usr/local/bin/../share/nmap/nselib/data/ike-fingerprints.lua
NSE: ike: Loading fingerprints: /usr/local/bin/../share/nmap/nselib/data/ike-fingerprints.lua
NSE: IKE: Fingerprint: 1e2b516905991c7d7c96fcbfb587e46100000002 matches Microsoft Windows 2000
NSE: IKE: Attribute: 1e2b516905991c7d7c96fcbfb587e46100000002 matches MS NT5 ISAKMPOAKLEY
NSE: IKE: Attribute: 4048b7d56ebce88525e7de7f00d6c2d3 matches IKE FRAGMENTATION
NSE: IKE: Attribute: 90cb80913ebb696e086381b5ec427b1f matches draft-ietf-ipsec-nat-t-ike-02\n
NSE: Version: Microsoft
…
PORT    STATE SERVICE REASON       VERSION
500/udp open  isakmp  udp-response Microsoft Windows 2000
Service Info: OS: Windows 2000; CPE: cpe:/o:microsoft:windows:2000

There are additional methods that can be used for fingerprinting, such as analysing the backoff pattern, but this would 
take a couple of minutes to complete, so I haven't prioritised this approach.


- Jesper

On Jan 27, 2013, at 8:00 PM, David Fifield <david () bamsoftware com> wrote:

NSE: IKE: Found IKE Header: 01: SA
NSE: IKE: Found IKE Header: 04: Key Exchange
NSE: IKE: Found IKE Header: 0A: Nonce
NSE: IKE: Found IKE Header: 05: ID
NSE: IKE: Found IKE Header: 08: Hash
NSE: Version: nil

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
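Added example, not part of the thread and not the Lua code of the ike script or its ike-fingerprints.lua table that Jesper describes: a small Python model of the behaviour the two debug traces above illustrate. It walks the ISAKMP payload chain of a response (RFC 2408 generic payload headers), emits the same "Found IKE Header" lines, collects Vendor ID payloads and looks them up in a fingerprint table. The table holds only the three VIDs quoted in the thread, and both sample responses are constructed here from the payload sequences shown (the Windows 2000 trace with VIDs, and David's trace with SA, KE, Nonce, ID and Hash but no VID); cookies, SA bodies and the exchange type are made-up filler.

```python
import struct
from typing import Dict, List, Optional, Tuple

# ISAKMP payload type numbers (RFC 2408, section 3.1).
PAYLOAD_NAMES = {
    1: "SA", 2: "Proposal", 3: "Transform", 4: "Key Exchange", 5: "ID",
    6: "Certificate", 7: "Certificate Request", 8: "Hash", 9: "Signature",
    10: "Nonce", 11: "Notification", 12: "Delete", 13: "VID",
}
VID = 13
ISAKMP_HEADER_LEN = 28  # fixed header: 2 cookies, next payload, version, exchange, flags, msg id, length

# Fingerprint table constructed from the Vendor IDs in the thread's debug output.
# The real table (nselib/data/ike-fingerprints.lua) is much larger; this is illustration only.
FINGERPRINTS: Dict[str, Dict[str, str]] = {
    "1e2b516905991c7d7c96fcbfb587e46100000002": {"version": "Microsoft Windows 2000",
                                                 "attribute": "MS NT5 ISAKMPOAKLEY"},
    "4048b7d56ebce88525e7de7f00d6c2d3": {"attribute": "IKE FRAGMENTATION"},
    "90cb80913ebb696e086381b5ec427b1f": {"attribute": "draft-ietf-ipsec-nat-t-ike-02"},
}


def parse_payloads(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the payload chain and return (payload type, payload data) pairs.

    Every length is checked against the datagram before it is used, because
    the bytes come from an arbitrary UDP peer; a bad packet raises ValueError.
    """
    if len(packet) < ISAKMP_HEADER_LEN:
        raise ValueError("short ISAKMP header")
    next_payload = packet[16]
    total_len = struct.unpack("!I", packet[24:28])[0]
    if total_len > len(packet):
        raise ValueError("header length exceeds datagram")
    offset = ISAKMP_HEADER_LEN
    payloads = []
    while next_payload != 0:
        if offset + 4 > total_len:
            raise ValueError("truncated payload header")
        ptype = next_payload
        next_payload, _reserved, plen = struct.unpack("!BBH", packet[offset:offset + 4])
        if plen < 4 or offset + plen > total_len:
            raise ValueError("bad payload length")
        payloads.append((ptype, packet[offset + 4:offset + plen]))
        offset += plen
    return payloads


def is_well_formed(packet: bytes) -> bool:
    try:
        parse_payloads(packet)
        return True
    except ValueError:
        return False


def debug_lines(packet: bytes) -> List[str]:
    """Reproduce the 'Found IKE Header' trace lines from the thread."""
    lines = []
    for ptype, data in parse_payloads(packet):
        name = PAYLOAD_NAMES.get(ptype, "Unknown")
        suffix = f" - {data.hex()}" if ptype == VID else ""
        lines.append(f"Found IKE Header: {ptype:02X}: {name}{suffix}")
    return lines


def detect_version(packet: bytes) -> Tuple[Optional[str], List[str]]:
    """Return (version or None, matched attributes); None mirrors 'NSE: Version: nil'."""
    version = None
    attributes = []
    for ptype, data in parse_payloads(packet):
        entry = FINGERPRINTS.get(data.hex()) if ptype == VID else None
        if entry is None:
            continue
        if "version" in entry and version is None:
            version = entry["version"]
        if "attribute" in entry:
            attributes.append(entry["attribute"])
    return version, attributes


def build_response(payloads: List[Tuple[int, bytes]]) -> bytes:
    """Serialise a constructed ISAKMP response (exchange type 4 = Aggressive)."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8,  # constructed cookies
                         first, 0x10, 4, 0, 0, ISAKMP_HEADER_LEN + len(body))
    return header + body


# Constructed sample responses matching the two traces in the thread.
WINDOWS_2000_RESPONSE = build_response([
    (1, b"\x00" * 8),  # SA body is filler
    (VID, bytes.fromhex("1e2b516905991c7d7c96fcbfb587e46100000002")),
    (VID, bytes.fromhex("4048b7d56ebce88525e7de7f00d6c2d3")),
    (VID, bytes.fromhex("90cb80913ebb696e086381b5ec427b1f")),
])
NO_VID_RESPONSE = build_response([
    (1, b"\x00" * 8), (4, b"\x01" * 16), (10, b"\x02" * 8), (5, b"\x03" * 4), (8, b"\x04" * 16),
])

if __name__ == "__main__":
    for pkt in (WINDOWS_2000_RESPONSE, NO_VID_RESPONSE):
        print("\n".join(debug_lines(pkt)))
        print("Version:", detect_version(pkt))
```

The second sample returns no version for exactly the reason Jesper gives: nothing in the payload chain is a Vendor ID, so there is nothing to look up. Rejecting inconsistent lengths before indexing is the part worth keeping in any real parser of this traffic.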

