Re: Detection of CORBA (GIOP protocol)

[Daniel Miller <bonsaiviking () gmail com>]

Quentin,

This is much better. I'm going to add two match lines: one will be the one
you provided, but changed to a "softmatch". This is because there's not
enough info in that match to positively identify the product or version,
but it is certainly the giop service. The other match line will match more
specifically and identify the product. Then we can add more solid match
lines as users submit them. What product and version is it that generates
this particular exception? And is 9876 a common port for this service, or
is 2481 the only standard? Thanks!

Dan

### Example probe and match lines ###
Probe TCP giop
q|GIOP\x01\x00\x01\x00$\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00abcdef\x00\x00\x04\x00\x00\x00get\x00\x00\x00\x00\x00|
ports 2481,9876
sslports 2482

match giop 
m|GIOP\x01\0\x01\x01@\0\0\0\0\0\0\0\x01\0\0\0\x02\0\0\0'\0\0\0IDL:omg\.org/CORBA/OBJECT_NOT_EXIST:1\.0\0\0\0\0\0\0\x01\0\0\0|
p/omg.org CORBA naming service/
softmatch giop m|^GIOP\x01\x00\x01\x01........\x01\x00\x00\x00|



On Fri, Dec 18, 2015 at 4:03 AM, qhardyfr () gmail com <qhardyfr () gmail com>
wrote:

> Hello,
>
> I agree with you: the match line is too much general.
>
> Here is an example of reply:
>
> 47494f5001000101400000000000000001000000020000002700000049444c3a6f6d672e6f72672f434f5242412f4f424a4543545f4e4f545f45584953543a312e30003b0000000001000000
>
> SF:iop,4C,"GIOP\x01\0\x01\x01@\0\0\0\0\0\0\0\x01\0\0\0\x02\0\0\0'\0\0\0IDL
> SF::omg\.org/CORBA/OBJECT_NOT_EXIST:1\.0\0\0\0\0\0\0\x01\0\0\0");
>
> Information about this packet (Reply):
> GIOP Header:
> - Magic: GIOP
> - Version: 1.0 (\x01\x00)
> - Msge type: Reply (\x01)
> - Msg size: 64 (\x40\x00\x00\x00)
> Reply Data:
> - ServiceContextList (\x00\x00\x00\x00)
> - Reply Id: 1 (\x01\x00\x00\x00)
> - Reply status: System Exception (\x02\x00\x00\x00)
> - Exception Length: 39 (\x27\x00\x00\x00)
> - Exception ID: IDL:omg.org/CORBA/OBJECT_NOT_EXIST:1.0
> (49444c3a6f6d672e6f72672f434f5242412f4f424a4543545f4e4f545f45584953543a312e3000)
> - Minnor code value: 0 (\x00\x00\x00\x00)
> - Completion Status: 1 (\x01\x00\x00\x00)
>
> Here is the *new match line*:
>
> match giop m|^GIOP\x01\x00\x01\x01........\x01\x00\x00\x00.+\x00$| p/CORBA
> naming service/
>
> I match this following information:
> - Magic header
> - Version
> - Msge type
> - Reply Id
> - the end of packet (the end of Completion Status)
>
> I don't want to catch the error string because I am not sure this string
> will be the same for all products and versions.
>
> --
> Quentin HARDY
>
>
> 2015-12-17 21:00 GMT+01:00 Daniel Miller <bonsaiviking () gmail com>:
>
> > Quentin,
> >
> > Thanks for the recommendation. This looks like a good probe in that you
> > have fully explained its dissection. But the match line is much too
> > general: any service which echoes the first 4 bytes of the probe will
> > match, which is not what we want. Would you be comfortable sharing the
> > entire packet that is returned? Simply comment out the "match" line and add
> > "ports 9876" just below the "Probe" line to force it to be sent early, then
> > send us the fingerprint that results. If you do this multiple times and get
> > slightly different results, we can use that to determine which portions of
> > the response are static and will result in a good match.
> >
> > Dan
> >
> > On Wed, Dec 16, 2015 at 9:21 AM, qhardyfr () gmail com <qhardyfr () gmail com>
> > wrote:
> >
> > > I have a *CORBA GIOP* (General Inter-ORB Protocol) listener running on
> > > the port 9876 of a server.
> > > Nmap, with option -A -sV --version-all, does not detect this service
> > > (GIOP protocol):
> > >
> > > PORT STATE SERVICE
> > > 9876/tcp open *unknown*
> > >
> > > There is a "service probe" for GIOP in the version 7 of nmap (line 1310,
> > > filename nmap-service-probes) but it *doesn't detect* this service -:(
> > >
> > > The following "service probe" detects this service type:
> > >
> > > Probe TCP giop
> > > q|GIOP\x01\x00\x01\x00$\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00abcdef\x00\x00\x04\x00\x00\x00get\x00\x00\x00\x00\x00|
> > > match giop m|^GIOP| p/CORBA naming service/
> > >
> > > Information about the packet:
> > > GIOP Header:
> > > - Magic: GIOP
> > > - Version: 1.0 (\x01\x00)
> > > - Msge type: Request (\x00)
> > > - Msg size: 36 ($\x00\x00\x00 i.e \x24\x00\x00\x00)
> > > Request Data:
> > > - ServiceContextList (\x00\x00\x00\x00)
> > > - Request Id: 1 (\x01\x00\x00\x00)
> > > - Response expected: 1 (\x01)
> > > - Object key Length: 6 (\x06x\00\x00\x00)
> > > - Object Key: 616263646566
> > > - Operation length : 4 (\x04\x00\x00\x00)
> > > - Req Operation: get (i.e \x67\x65\x74\x00)
> > > - Requesting Principal Length: 0 (\x00\x00\x00\x00)
> > >
> > > When you use this "service probe", the server will respond with a
> > > "System Exception".
> > >
> > > This "service probe" could be put in a future version of
> > > nmap-service-probes ?
> > >
> > > --
> > > Quentin HARDY
> > >
> > > _______________________________________________
> > > Sent through the dev mailing list
> > > https://nmap.org/mailman/listinfo/dev
> > > Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/