Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Version detection of Ldap Service using nmap
From: MadHat <madhat () unspecific com>
Date: Fri, 5 Dec 2003 15:55:19 -0600

On Dec 4, 2003, at 11:18 PM, Anil Kumar D.K wrote:
Hi all,

I am trying to find version of ldap service using nmap.

nmap -p389 -A

For Microsoft Active directory, I am getting the right information. (As the match string already exists in nmap-service-probes file)

I would like to find version of ldap service of the following vendors
Critical Path Directory Service 4.2
Siemens Directory DirX 6.0

For Critical Path Directory Service 4.2, I got the service finger print as below

D:\nmap-3.48>nmap -p1702 -A
Starting nmap 3.48 ( http://www.insecure.org/nmap ) at 2003-12-05 10:35 India Standard Time Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on EWSMC280 (
1702/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version,please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi : SF-Port1702-TCP:V=3.48%D=12/ 5%Time=3FD01237%r(LDAPBindReq,E,"0\x0c\x02\x01
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Professional
 or Advanced Server, or Windows XP

Nmap run completed -- 1 IP address (1 host up) scanned in 13.570 seconds

I have submitted the fingerprint to http://www.insecure.org/cgi-bin/servicefp-submit.cgi I tried to use the match string "0\x0c\x02\x01\x01a\x07\n\x01\0\x04\0\x04\0" in the nmap-service-probes for Ldap service
But this string matches even for openLDAP 1.4.x

Is there any way to get a unique string for each ldap product?
Any help will be really appreciated.

If they return the exact same thing, it is not going to be possible. The only other option is to try and figure out a different probe to send to get a different response from each lpad server. The problem then comes in on wether it works with the most ldap servers. You don't want 3 or 4 probes for a single service, then it takes a lot longer if the service is not known or even when it is. You want one probe that elicits the most data to be able to fingerprint the most number of unique servers accurately.

For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List archive: http://seclists.org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]