Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Service probes ambiguity
From: doug () hcsw org
Date: Wed, 10 Oct 2007 10:19:17 -0700

Hi Richard,

On Wed, Oct 10, 2007 at 03:00:00PM +0200 or thereabouts, Richard van den Berg wrote:
From: http://insecure.org/nmap/data/nmap-service-probes

match http m|^HTTP/1\.0 302 Document Follows\r\nLocation:
http:///private/welcome\.ssi\r\nConnection: close\r\n\r\n$|
p/BladeCenter Management Module/ d/remote management/
match http m|^HTTP/1\.0 302 Document Follows\r\nLocation:
https:///private/welcome\.ssi\r\nConnection: close\r\n\r\n$| p/IBM RAS2
http config/ d/remote management/

So if the 302 is to HTTP, it's a BladeCenter Management Module, but if
it redirects to HTTPS, it's an IBM RAS2? I doubt that is actually the
case. Can anyone comment on which one of these results is correct?

I'm actually integrating service submissions right now so I was able
to check into this really quick:

Sometimes devices are re-branded by new companies and only changed
in very, very slight ways. Perhaps IBM re-branded this and changed
it to only allow SSL? Another possibility is that there is a
configuration option on this device and some instances turned SSL
on and others left it off. It's very difficult to tell with the
information at hand and often we can only make educated guesses.

I checked the source of these match lines and there were two distinct
fingerprints for the IBM device, both of which redirect to SSL, and
only one for the BladeCenter device (which didn't redirect to SSL).

I agree these devices are probably not substantially different enough
to have their own match lines so I'm taking your advice and merging them
into one:

match http m|^HTTP/1\.0 302 Document Follows\r\nLocation: https?:///private/welcome\.ssi\r\nConnection: close\r\n\r\n$| 
p|BladeCenter/IBM RSA2 http config| d/remote management/

Sound good? Also, it's lucky you pointed these lines out because the
name of the IBM device was actually typoed in the match line (should
be RSA2 instead of RAS2): IBM Remote Supervisor Adaptor 2

Thanks for your correction! There should be an update to the probes
file available within the next week containing this update and the
results of the Q3-2007 submissions.

Best,

Doug

PS Although using the nmap-dev mailing list for these types of
corrections is perfectly OK, you might also find the new web
interface convenient:

http://insecure.org/cgi-bin/submit.cgi?corr-service

Attachment: signature.asc
Description: Digital signature


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]