Nmap Development mailing list archives

Re: [service-probes] Detect tibco RDV


From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 19 Jun 2014 17:35:40 -0500

Quentin,

Thanks for the submission. I think this needs a bit more improvement before
we would consider including it, since it doesn't give much information at
all. First, I would want to know that there are no existing probes that can
elicit a response. In this particular case, I would begin with the
following command:

nmap -p 7500 -sV --version-all $TARGET

If the service responds at all, Nmap will print a service fingerprint (
http://nmap.org/book/vscan-community.html#vscan-submit-prints), which you
can submit to http://insecure.org/cgi-bin/submit.cgi?new-service

If the service does not respond, then we need to add a new probe--likely
the one you have created. A good probe will:

1. Not cause changes on the target system (e.g. we would never use an SNMP
SET request as a probe)
2. Get responses from the widest range of versions of the target software
(e.g. our HTTP probes use HTTP/1.0, not HTTP/1.1, since more devices
support that)
3. Preferably get responses that contain version information, or that
change from version to version. This is not always possible.

It's possible that after all that, your probe and match line are the best
we can come up with. In that case, though, we would still want a better
product name than "unknown". I would guess that we would use "TIBCO
Rendezvous" instead.

Dan


On Mon, Jun 16, 2014 at 3:59 AM, qhardyfr () gmail com <qhardyfr () gmail com>
wrote:

Hello,

Nmap doesn't detect the tibco RDV yet (
http://www.tibco.com/products/automation/enterprise-messaging/rendezvous/default.jsp
).

Here is a service-probes entry that detects the tibco RDV protocol.

"""
##############################NEXT PROBE##############################
Probe TCP tibco-rdv q|\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00|
ports 7500

match tibco-rdv

m|\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00|s
p/unknown/
"""

What do you think of that?

Thank you in advance,

--
Quentin HARDY
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

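To check an entry like the one above before submitting it (the verification Dan's reply asks for), here is an added Python example, not code from the thread or from Nmap itself: it parses the Probe/ports/match lines in nmap-service-probes syntax (with the wrapped match line rejoined), decodes the q|...| payload, and runs the match regex against a constructed reply. It assumes versioninfo fields use `/` delimiters and that the ports line is a plain comma list.

```python
import re

# Quentin's entry from the post, with the wrapped match line rejoined
# (copied from the thread, not a file shipped with Nmap).
ENTRY = r"""
##############################NEXT PROBE##############################
Probe TCP tibco-rdv q|\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00|
ports 7500
match tibco-rdv m|\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00|s p/unknown/
"""
_ESC = {"n": "\n", "r": "\r", "t": "\t", "0": "\0", "\\": "\\", "|": "|"}
_PROBE = re.compile(r"^Probe\s+(TCP|UDP)\s+(\S+)\s+q(.)(.*?)\3\s*$")
_MATCH = re.compile(r"^(soft)?match\s+(\S+)\s+m(.)(.*?)\3([is]*)(?:\s+(.*))?$")
_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL}

# Decode a q|...| probe string (\xHH, \n, \r, \t, \0, \\, \|) into the raw bytes sent on the wire
def unescape(text):
    def one(m):
        return chr(int(m[1], 16)) if m[1] else _ESC.get(m[2], m[2])
    return re.sub(r"\\x([0-9a-fA-F]{2})|\\(.)", one, text).encode("latin-1")

def parse_entry(text):
    # One Probe block -> payload bytes, ports (comma list only, an assumption) and compiled match lines
    entry = {"ports": [], "matches": []}
    for line in text.splitlines():
        if m := _PROBE.match(line):
            entry.update(proto=m[1], name=m[2], payload=unescape(m[4]))
        elif line.startswith("ports "):
            entry["ports"] = [int(p) for p in line[6:].split(",")]
        elif m := _MATCH.match(line):
            info = dict(re.findall(r"([pvihod])/([^/]*)/", m[6] or ""))  # p/.../ v/.../ etc.
            regex = re.compile(m[4].encode("latin-1"), sum(_FLAGS[f] for f in m[5]))
            entry["matches"].append((m[2], regex, bool(m[1]), info))
    return entry

def classify(entry, response):
    # Like Nmap: softmatch lines accumulate, the first hard match ends the search
    hits = []
    for service, regex, soft, info in entry["matches"]:
        if regex.search(response):
            hits.append((service, info))
            if not soft:
                break
    return hits

# Constructed sample reply: the match regex is pure literal bytes, so the exact reply
# it expects is its own unescaped form (a live reply is what `nmap -sV` would capture).
RDV_ENTRY = parse_entry(ENTRY)
SAMPLE_REPLY = unescape(RDV_ENTRY["matches"][0][1].pattern.decode("latin-1"))
```

Changing `p/unknown/` to `p/TIBCO Rendezvous/` in the entry, as Dan suggests, is all that is needed for `classify` to report the product name instead of "unknown".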


Current thread: