Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: addition to -sV service detection switch
From: MadHat <madhat () unspecific com>
Date: Sat, 27 Mar 2004 11:45:07 -0600

On Mar 27, 2004, at 8:45 AM, Cemil Degirmenci wrote:
MadHat wrote:

What would be the difference from the existing probes? I know on the http probes I discussed other requests methods and the reason GET was used first is that more servers respond to it than any other web server "verb".

As far as i know the version.bind txt chaos record is not asked by nmap . Some people change this record or deactivate it, but this like symantec:


as far as I can tell, that is what it is sending...
nmap -sUV -PS53 -T4 -p53  ns1.symantec.com
Password:

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-03-27 09:34 CST
Interesting ports on ns1.symantec.com (198.6.49.5):
PORT   STATE SERVICE VERSION
53/tcp open  domain?
53/udp open  domain?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi : SF-Port53-UDP:V=3.50%D=3/27%Time=40659EFA%P=powerpc-apple- darwin7.2.0%r(DN SF: SVersionBindReq,5E,"\0\x06\x85\0\0\x01\0\x01\0\0\0\0\x07version\x04bind SF: \0\0\x10\0\x03\x07VERSION\x04BIND\0\0\x10\0\x03\0\0\0\0\0\('Symantec's\
SF:x20DNS\x20version\x20of\x20course!\x20\x20Doh!");


It doesn't match because Fyodor has it looking for specific version info and not free form entries like this, but you can see the response in the fingerprint. Also if you look at the nmap-service-probes file, you can see what is being sent for testing DNS.

Probe UDP DNSVersionBindReq q|\0\x06\x01\0\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03|

If you sniff what you are sending with what you send, it should be very similar, if not exactly the same.


cemil () fusie:~/nmap-3.50$ host -c chaos -t txt version.bind ns1.symantec.com.
VERSION.BIND text "Symantec's DNS version of course!  Doh!"


but this is the exception... and if someone has changed this record there are some funny things to see :)


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List archive: http://seclists.org



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault