Nmap Development mailing list archives

Re: Openssh version detect may be inaccurate


From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 22 Jun 2015 07:36:05 -0500

I do agree this version line could use some work, but I actually disagree
that "Ubuntu-2ubuntu2" should be in the version field. The reason is that
this is build information, not version information. When we build the CPE
identifier for OpenSSH, it should contain the version that was released by
the OpenSSH project. Build information from the Ubuntu package maintainers
should probably go into the "extra info" field.

I'm not going to take immediate action on this because it would require
changing a lot of other fingerprints to match the new schema, but I would
support someone else if they decided to undertake the task.

Dan

On Sun, Jun 21, 2015 at 10:16 PM, kid dragon <idragonkid () gmail com> wrote:

Dear all,

I found that a match string for OpenSSH may be inaccurate.

The original banner is
```SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2\r\n```

Nmap detects the version of this banner as `6.6.1p1 Ubuntu 2ubuntu2`. But
I think this version may be `6.6.1p1-2ubuntu2`, because I get the version
like this (although it is not definitive) from [1] rather than `6.6.1p1 Ubuntu
2ubuntu2`.

The nmap-service-probes match string is
```
match ssh m|^SSH-([\d.]+)-OpenSSH_([\w._-]+)[ -]{1,2}Ubuntu[ -_]([^\r\n]+)\r\n| p/OpenSSH/ v/$2 Ubuntu $3/ i/Ubuntu Linux; protocol $1/ o/Linux/ cpe:/a:openbsd:openssh:$2/ cpe:/o:canonical:ubuntu_linux/ cpe:/o:linux:linux_kernel/
```

But I think the match string above may be
```
match ssh m|^SSH-([\d.]+)-OpenSSH_([\w._-]+)[ -]{1,2}Ubuntu[ -_]([^\r\n]+)\r\n| p/OpenSSH/ v/$2-$3/ i/Ubuntu Linux; protocol $1/ o/Linux/ cpe:/a:openbsd:openssh:$2/ cpe:/o:canonical:ubuntu_linux/ cpe:/o:linux:linux_kernel/
```

Is it right?

[1]https://launchpad.net/ubuntu/+source/openssh/1:6.6p1-2ubuntu2


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

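To see concretely what each match line yields for the banner in the thread, here is an added example (not Nmap's code, and not from either poster) that decodes the archive's quoted-printable banner, applies the shared regex with Python's `re` as a stand-in for Nmap's PCRE engine, and expands the `v/`, `i/` and `cpe:` templates of the current line, the proposed line, and one assumed rendering of Daniel's "build info in extra info" suggestion.

```python
import quopri
import re
from typing import Optional

# Banner as the archive stored it, quoted-printable encoded
# (=5F is '_', =20 is a space, =0D=0A is CRLF); decode it back to the raw text.
RAW_BANNER_QP = b"SSH-2.0-OpenSSH=5F6.6.1p1=20Ubuntu-2ubuntu2=0D=0A"
BANNER = quopri.decodestring(RAW_BANNER_QP).decode("ascii")

# The regex both match lines share, with the m|...| delimiters stripped.
# Python's re is used here as a stand-in for the PCRE engine Nmap uses.
MATCH_RE = re.compile(
    r"^SSH-([\d.]+)-OpenSSH_([\w._-]+)[ -]{1,2}Ubuntu[ -_]([^\r\n]+)\r\n"
)

# Field templates for the variants under discussion. "current" and "proposed"
# are taken from the match lines quoted in the post; "build_in_extrainfo" is an
# assumed rendering of Daniel's suggestion, not a line from nmap-service-probes.
TEMPLATES = {
    "current": {"v": "$2 Ubuntu $3", "i": "Ubuntu Linux; protocol $1",
                "cpe": "cpe:/a:openbsd:openssh:$2"},
    "proposed": {"v": "$2-$3", "i": "Ubuntu Linux; protocol $1",
                 "cpe": "cpe:/a:openbsd:openssh:$2"},
    "build_in_extrainfo": {"v": "$2", "i": "Ubuntu Linux; protocol $1; build $3",
                           "cpe": "cpe:/a:openbsd:openssh:$2"},
}


def expand(template: str, m: "re.Match[str]") -> str:
    """Substitute $1, $2, ... in a template with the regex's capture groups."""
    return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))), template)


def apply_match(banner: str, variant: str) -> Optional[dict]:
    """Run the match line against a banner; None means the line does not fire."""
    m = MATCH_RE.match(banner)
    if m is None:
        return None
    return {field: expand(tpl, m) for field, tpl in TEMPLATES[variant].items()}


if __name__ == "__main__":
    print("decoded banner:", repr(BANNER))
    for variant in TEMPLATES:
        print(variant, apply_match(BANNER, variant))
```

Note that the CPE is built from `$2` alone in every variant, so the disagreement only affects the human-readable version and extra-info fields, not the CPE identifier.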
