Nmap Development mailing list archives

Re: Detection of CORBA (GIOP protocol)


From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 17 Dec 2015 14:00:50 -0600

Quentin,

Thanks for the recommendation. This looks like a good probe in that you
have fully explained its dissection. But the match line is much too
general: any service which echoes the first 4 bytes of the probe will
match, which is not what we want. Would you be comfortable sharing the
entire packet that is returned? Simply comment out the "match" line and add
"ports 9876" just below the "Probe" line to force it to be sent early, then
send us the fingerprint that results. If you do this multiple times and get
slightly different results, we can use that to determine which portions of
the response are static and will result in a good match.

Dan

On Wed, Dec 16, 2015 at 9:21 AM, qhardyfr () gmail com <qhardyfr () gmail com>
wrote:

I have a *CORBA GIOP* (General Inter-ORB Protocol) listener running on
port 9876 of a server.
Nmap, with the options -A -sV --version-all, does not detect this service (GIOP
protocol):

PORT STATE SERVICE
9876/tcp open *unknown*

There is a "service probe" for GIOP in version 7 of nmap (line 1310,
filename nmap-service-probes) but it *doesn't detect* this service -:(

The following "service probe" detects this service type:

Probe TCP giop q|GIOP\x01\x00\x01\x00$\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00abcdef\x00\x00\x04\x00\x00\x00get\x00\x00\x00\x00\x00|
match giop m|^GIOP| p/CORBA naming service/

Information about the packet:
GIOP Header:
- Magic: GIOP
- Version: 1.0 (\x01\x00)
- Msg type: Request (\x00)
- Msg size: 36 ($\x00\x00\x00 i.e. \x24\x00\x00\x00)
Request Data:
- ServiceContextList (\x00\x00\x00\x00)
- Request Id: 1 (\x01\x00\x00\x00)
- Response expected: 1 (\x01)
- Object key Length: 6 (\x06\x00\x00\x00)
- Object Key: 616263646566
- Operation length: 4 (\x04\x00\x00\x00)
- Req Operation: get (i.e. \x67\x65\x74\x00)
- Requesting Principal Length: 0 (\x00\x00\x00\x00)

When you use this "service probe", the server will respond with a "System
Exception".

Could this "service probe" be put in a future version of
nmap-service-probes?

--
Quentin HARDY

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
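An added example (not Nmap's code and not code from either post) that encodes the Request Quentin dissected, builds a constructed sample of the "System Exception" reply he mentions, and then shows Dan's point in code: a service that merely echoes the probe and a genuine GIOP Reply both satisfy m|^GIOP|, so a robust match has to look at the Reply header and the exception that follows it. The message layout (GIOP 1.0 header, CDR 4-byte alignment, Reply body of ServiceContextList, request_id, reply_status, then the exception's repository id, minor code and completion status) is taken from the OMG GIOP specification; one caveat for readers of the dissection is that the byte right after the version pair is the GIOP byte_order flag (1 = little-endian), which is why the integers below are packed little-endian. The repository id "IDL:omg.org/CORBA/BAD_OPERATION:1.0", minor code and completion status in the sample reply are illustrative values, not captured from the server in the thread.

```python
"""Build the GIOP 1.0 Request from the thread's dissection and classify a response.

Added example (not Nmap code, not code from the thread). It follows the GIOP 1.0
message layout from the OMG specification; the sample reply below is constructed.
"""
import struct

GIOP_MAGIC = b"GIOP"
# GIOP message types (specification values)
MSG_TYPES = {0: "Request", 1: "Reply", 2: "CancelRequest", 3: "LocateRequest",
             4: "LocateReply", 5: "CloseConnection", 6: "MessageError"}
# reply_status of a GIOP Reply (specification values)
REPLY_STATUS = {0: "NO_EXCEPTION", 1: "USER_EXCEPTION",
                2: "SYSTEM_EXCEPTION", 3: "LOCATION_FORWARD"}


def _pad(buf, align=4):
    """CDR aligns each primitive on its natural boundary, counted from the body start."""
    return buf + b"\x00" * (-len(buf) % align)


def build_giop_request(request_id=1, object_key=b"abcdef", operation=b"get",
                       little_endian=True):
    """Encode a GIOP 1.0 Request with the fields Quentin listed (36-byte body)."""
    e = "<" if little_endian else ">"
    body = struct.pack(e + "I", 0)                       # ServiceContextList: 0 entries
    body += struct.pack(e + "I", request_id)             # request_id
    body = _pad(body + b"\x01")                          # response_expected = TRUE + 3 pad bytes
    body = _pad(body + struct.pack(e + "I", len(object_key)) + object_key)  # object_key
    op = operation + b"\x00"                             # CDR strings carry their NUL
    body = _pad(body + struct.pack(e + "I", len(op)) + op)                  # operation
    body += struct.pack(e + "I", 0)                      # requesting_principal: empty
    # Header: magic, major, minor, flags (bit 0 = little-endian), message_type, size
    header = GIOP_MAGIC + bytes([1, 0, int(little_endian), 0]) + struct.pack(e + "I", len(body))
    return header + body


def build_system_exception_reply(request_id=1,
                                 repo_id=b"IDL:omg.org/CORBA/BAD_OPERATION:1.0",
                                 minor=0, completed=1, little_endian=True):
    """Constructed sample of a GIOP 1.0 Reply carrying a system exception.

    Repository id, minor code and completion status (1 = COMPLETED_NO) are
    illustrative values, not captured from the server in the thread.
    """
    e = "<" if little_endian else ">"
    body = struct.pack(e + "III", 0, request_id, 2)      # no contexts, request_id, SYSTEM_EXCEPTION
    rid = repo_id + b"\x00"
    body = _pad(body + struct.pack(e + "I", len(rid)) + rid)  # exception repository id
    body += struct.pack(e + "II", minor, completed)      # minor code, completion status
    header = GIOP_MAGIC + bytes([1, 0, int(little_endian), 1]) + struct.pack(e + "I", len(body))
    return header + body


def parse_giop(data):
    """Decode the GIOP header and, for a Reply, the reply_status and any system exception."""
    if len(data) < 12 or data[:4] != GIOP_MAGIC:
        raise ValueError("no GIOP header")
    major, minor, flags, msg_type = data[4:8]
    e = "<" if flags & 1 else ">"
    (size,) = struct.unpack(e + "I", data[8:12])
    if len(data) - 12 < size:
        raise ValueError("truncated GIOP message")
    info = {"version": f"{major}.{minor}", "little_endian": bool(flags & 1),
            "message_type": MSG_TYPES.get(msg_type, f"unknown({msg_type})")}
    if msg_type != 1:
        return info
    body, off = data[12:12 + size], 0
    (n_ctx,) = struct.unpack_from(e + "I", body, off)
    off += 4
    for _ in range(n_ctx):                               # skip each ServiceContext entry
        (clen,) = struct.unpack_from(e + "I", body, off + 4)   # context_id, then data length
        off = off + 8 + clen
        off += -off % 4
    info["request_id"], status = struct.unpack_from(e + "II", body, off)
    off += 8
    info["reply_status"] = REPLY_STATUS.get(status, f"unknown({status})")
    if status == 2:                                      # string repo id, ulong minor, ulong completed
        (slen,) = struct.unpack_from(e + "I", body, off)
        off += 4
        info["exception"] = body[off:off + slen].rstrip(b"\x00").decode("ascii", "replace")
        off += slen + (-(off + slen) % 4)
        info["minor"], info["completed"] = struct.unpack_from(e + "II", body, off)
    return info


def classify_response(probe, response):
    """Tell a real GIOP Reply apart from a service that just echoes the probe.

    Both begin with b"GIOP", so a match line of m|^GIOP| accepts both; a useful
    match has to anchor on the Reply header and the exception that follows.
    """
    if response and probe.startswith(response):
        return "echo"                                    # bytes of our own probe came back
    try:
        info = parse_giop(response)
    except (ValueError, struct.error):
        return "not-giop"
    if info["message_type"] == "Reply" and info.get("reply_status") == "SYSTEM_EXCEPTION":
        return "giop-reply-system-exception:" + info["exception"]
    return "giop-" + info["message_type"].lower()


if __name__ == "__main__":
    probe = build_giop_request()
    print(probe.hex())
    for name, resp in [("echo", probe[:4]), ("reply", build_system_exception_reply())]:
        print(name, "->", classify_response(probe, resp))
```

Running the script prints the 48-byte probe and classifies the two constructed responses; the echo case is exactly the kind of false positive the m|^GIOP| match would accept, while a real reply parses as a GIOP Reply whose reply_status is SYSTEM_EXCEPTION and whose static bytes (header, reply_status, exception repository id) are what a tighter match line can anchor on.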
