mailing list archives
Re: addition to -sV service detection switch
From: MadHat <madhat () unspecific com>
Date: Sat, 27 Mar 2004 11:45:07 -0600
On Mar 27, 2004, at 8:45 AM, Cemil Degirmenci wrote:
What would be the difference from the existing probes? I know on the
http probes I discussed other requests methods and the reason GET was
used first is that more servers respond to it than any other web
As far as i know the version.bind txt chaos record is not asked by
nmap . Some people change this record or deactivate it, but this like
as far as I can tell, that is what it is sending...
nmap -sUV -PS53 -T4 -p53 ns1.symantec.com
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-03-27
Interesting ports on ns1.symantec.com (18.104.22.168):
PORT STATE SERVICE VERSION
53/tcp open domain?
53/udp open domain?
1 service unrecognized despite returning data. If you know the
service/version, please submit the following fingerprint at
It doesn't match because Fyodor has it looking for specific version
info and not free form entries like this, but you can see the response
in the fingerprint. Also if you look at the nmap-service-probes file,
you can see what is being sent for testing DNS.
Probe UDP DNSVersionBindReq
If you sniff what you are sending with what you send, it should be very
similar, if not exactly the same.
cemil () fusie:~/nmap-3.50$ host -c chaos -t txt version.bind
VERSION.BIND text "Symantec's DNS version of course! Doh!"
but this is the exception... and if someone has changed this record
there are some funny things to see :)
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List archive: http://seclists.org