Nmap Development: Re: Service probes ambiguity

Re: Service probes ambiguity

From: <doug_at_hcsw.org>
Date: Wed, 10 Oct 2007 10:19:17 -0700

Hi Richard,

On Wed, Oct 10, 2007 at 03:00:00PM +0200 or thereabouts, Richard van den Berg wrote:
> From: http://insecure.org/nmap/data/nmap-service-probes
>
> match http m|^HTTP/1\.0 302 Document Follows\r\nLocation: http:///private/welcome\.ssi\r\nConnection: close\r\n\r\n$| p/BladeCenter Management Module/ d/remote management/
> match http m|^HTTP/1\.0 302 Document Follows\r\nLocation: https:///private/welcome\.ssi\r\nConnection: close\r\n\r\n$| p/IBM RAS2 http config/ d/remote management/
>
> So if the 302 is to HTTP, it's a BladeCenter Management Module, but if
> it redirects to HTTPS, it's an IBM RAS2? I doubt that is actually the
> case. Can anyone comment on which one of these results is correct?

I'm actually integrating service submissions right now so I was able
to check into this really quickly:

Sometimes devices are re-branded by new companies and only changed
in very, very slight ways. Perhaps IBM re-branded this and changed
it to only allow SSL? Another possibility is that there is a
configuration option on this device and some instances turned SSL
on and others left it off. It's very difficult to tell with the
information at hand and often we can only make educated guesses.

I checked the source of these match lines and there were two distinct
fingerprints for the IBM device, both of which redirect to SSL, and
only one for the BladeCenter device (which didn't redirect to SSL).

I agree these devices are probably not substantially different enough
to have their own match lines so I'm taking your advice and merging them
into one:

match http m|^HTTP/1\.0 302 Document Follows\r\nLocation: https?:///private/welcome\.ssi\r\nConnection: close\r\n\r\n$| p|BladeCenter/IBM RSA2 http config| d/remote management/

Sound good? Also, it's lucky you pointed these lines out because the
name of the IBM device was actually typoed in the match line (should
be RSA2 instead of RAS2): IBM Remote Supervisor Adaptor 2

Thanks for your correction! There should be an update to the probes
file available within the next week containing this update and the
results of the Q3-2007 submissions.

Best,

Doug

PS Although using the nmap-dev mailing list for these types of
corrections is perfectly OK, you might also find the new web
interface convenient:

http://insecure.org/cgi-bin/submit.cgi?corr-service

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Received on Oct 10 2007
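The point of Doug's merge is that Nmap's version detection reports the first match line (in file order) whose regex fires, so two near-identical lines differing only in http vs https silently assign two different products to what is probably one device. The following is an added example, not Nmap's own code and not from the thread: a small parser for `match` lines in the nmap-service-probes format (arbitrary delimiter for the regex and for each versioninfo field, which the merged line relies on with `p|...|`), applied to two constructed responses. It uses Python's `re` in place of the PCRE Nmap links against, which is an assumption that holds for these patterns; `$1`-style substitutions in version fields are not implemented, and the first-match rule is the simplified semantics (no softmatch handling).

```python
import re
from dataclasses import dataclass, field

# The match lines discussed in the thread, copied from the e-mail (not read from
# a live nmap-service-probes file): the two original entries in file order, and
# Doug's merged line.
ORIGINAL_MATCH_LINES = [
    r"match http m|^HTTP/1\.0 302 Document Follows\r\nLocation: http:///private/welcome\.ssi\r\nConnection: close\r\n\r\n$| p/BladeCenter Management Module/ d/remote management/",
    r"match http m|^HTTP/1\.0 302 Document Follows\r\nLocation: https:///private/welcome\.ssi\r\nConnection: close\r\n\r\n$| p/IBM RAS2 http config/ d/remote management/",
]
MERGED_MATCH_LINE = (
    r"match http m|^HTTP/1\.0 302 Document Follows\r\nLocation: https?:///private/welcome\.ssi\r\nConnection: close\r\n\r\n$| "
    r"p|BladeCenter/IBM RSA2 http config| d/remote management/"
)

# Constructed sample responses, as the two devices would answer a GET probe.
HTTP_REDIRECT = (b"HTTP/1.0 302 Document Follows\r\nLocation: http:///private/welcome.ssi\r\n"
                 b"Connection: close\r\n\r\n")
HTTPS_REDIRECT = HTTP_REDIRECT.replace(b"http:///", b"https:///")

# Single-letter versioninfo fields that may follow the regex on a match line.
VERSION_FIELDS = {"p": "product", "v": "version", "i": "info",
                  "h": "hostname", "o": "ostype", "d": "devicetype"}


@dataclass
class MatchLine:
    kind: str            # "match" or "softmatch"
    service: str         # e.g. "http"
    regex: re.Pattern    # compiled bytes pattern
    fields: dict = field(default_factory=dict)


def _delimited(text, pos):
    """Read one field whose delimiter is text[pos] (any character, e.g. '/' or '|');
    return (body, index just past the closing delimiter)."""
    delim = text[pos]
    end = text.find(delim, pos + 1)
    if end == -1:
        raise ValueError("unterminated field: %r" % text[pos:])
    return text[pos + 1:end], end + 1


def parse_match_line(line):
    """Parse 'match <service> m<d>regex<d>[is] [p/../ v/../ ... cpe:/../]'.
    Simplified: $1-style back-references in the fields are kept verbatim."""
    parts = line.split(None, 2)
    if len(parts) != 3 or parts[0] not in ("match", "softmatch"):
        raise ValueError("not a match line: %r" % line)
    kind, service, rest = parts
    if not rest.startswith("m"):
        raise ValueError("missing m<delim>regex<delim>: %r" % rest)
    pattern, pos = _delimited(rest, 1)
    flags = 0
    while pos < len(rest) and rest[pos] in "is":      # the two PCRE flags Nmap accepts
        flags |= re.IGNORECASE if rest[pos] == "i" else re.DOTALL
        pos += 1
    fields = {}
    while pos < len(rest):
        if rest[pos].isspace():
            pos += 1
        elif rest.startswith("cpe:", pos):
            body, pos = _delimited(rest, pos + 4)
            if pos < len(rest) and rest[pos] == "a":  # optional flag, not interpreted here
                pos += 1
            fields.setdefault("cpe", []).append(body)
        elif rest[pos] in VERSION_FIELDS:
            key = VERSION_FIELDS[rest[pos]]
            body, pos = _delimited(rest, pos + 1)
            fields[key] = body
        else:
            raise ValueError("unexpected text at %d: %r" % (pos, rest[pos:]))
    return MatchLine(kind, service, re.compile(pattern.encode("latin-1"), flags), fields)


def identify(response, match_lines):
    """Simplified Nmap semantics: the first match line whose regex matches the
    response wins, so file order decides ambiguous cases."""
    for m in match_lines:
        if m.regex.search(response):
            return m
    return None


def product_for(response, match_lines):
    """Product string of the winning match line, or None when nothing matches."""
    m = identify(response, match_lines)
    return None if m is None else m.fields.get("product")


if __name__ == "__main__":
    originals = [parse_match_line(l) for l in ORIGINAL_MATCH_LINES]
    merged = [parse_match_line(MERGED_MATCH_LINE)]
    for label, resp in (("http redirect", HTTP_REDIRECT), ("https redirect", HTTPS_REDIRECT)):
        print("%-15s original lines -> %r" % (label, product_for(resp, originals)))
        print("%-15s merged line    -> %r" % (label, product_for(resp, merged)))
```

Against the two original lines the http and https responses resolve to different products; against the merged line both resolve to the single combined product, and an unrelated 302 matches nothing. To see which line actually fires on a live host, `nmap -sV --version-trace` prints the probe and match activity.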