Nmap Development mailing list archives

Re: Microsoft SQL Server fingerprint question
From: Fyodor <fyodor () insecure org>
Date: Fri, 4 Jan 2008 23:09:26 -0800

On Thu, Jan 03, 2008 at 07:31:05PM -0600, Tom Sellers wrote:
> NMap does not fingerprint Microsoft SQL running on TCP 1433 in my
> test environment.  It also does not generate a fingerprint for
> submission.
>
> I have a reliable probe, based on a packet capture and some google-fu,
> that will elicit a response from MS SQL 2000 and 2005. (It might also

Thanks for your efforts to improve the version detection system!

> 2.  Have 3 match lines to detect the major versions of MS SQL,
>      for example MS SQL 2000, MS SQL 2005, etc. Perhaps add a
>      softmatch line before these to provide generic MS SQL detection
>      for future proofing.

This seems like the way to go, IMHO.

> 3.  Use a match line with pattern matching to extract the version
>      number in hex, convert it to decimal and present it.  Can this
>      be done?  (I saw a mention of helper functions in the docs but
>      could not find anything else about them.  The comment toward
>      the bottom of the match section:

Doug posted a useful helper function for doing this in Nmap.  But new
helper functions shouldn't be added lightly.  So before integrating
that, we should think about things like:

o Are there other signatures which would likely benefit from this sort
  of function?

o Are there good alternatives to adding and documenting a new helper
  function?  Ideas might be using 3 hardcoded match lines as you
  suggested, or presenting the version number as 0x7F or whatever.  If
  the "version number" presented in hex is different than the
  marketing version number (e.g. mssql 7, ms sql 2005), then we might
  prefer the multiple-match-line approach anyway.

> 4.  Have multiple match lines and/or lua scripts that detect the
>      version and other details.

If it can be done with -sV, that is much more efficient than creating
a Lua script for the purpose.

Cheers,
-F
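The two approaches weighed above (one hardcoded match line per major version, versus a single match line that extracts the hex version and converts it, with a softmatch in front for generic detection) can be tried out without touching Nmap. The following is an added example, not code from the thread or from Nmap: a small Python evaluator for a simplified, constructed rule set written in the spirit of nmap-service-probes. The regexes, the sample responses and the `$D(n)` hex-to-decimal helper are all assumptions made for the illustration; in particular the byte strings are not the real MS SQL (TDS) wire format and `$D()` is not an Nmap helper.

```python
import re
from typing import Dict, List, Optional

# Constructed, simplified rule set in the spirit of nmap-service-probes
# (softmatch/match lines, m|regex|, p/product/ v/version/ i/info/ fields).
# The regexes are made up for this example and are NOT the real MS SQL
# (TDS) format.  $D(n) is a hypothetical helper (not an Nmap feature) that
# converts capture group n from hex to decimal; $n inserts the raw capture.
PROBES = r"""
# generic detection first, for future proofing (service name only)
softmatch ms-sql-s m|^\x04\x01.*MSSQL VER=|
# one hardcoded match line per major version (approach 2 in the thread)
match ms-sql-s m|^\x04\x01.*MSSQL VER=08\b| p/Microsoft SQL Server 2000/ v/8/
match ms-sql-s m|^\x04\x01.*MSSQL VER=09\b| p/Microsoft SQL Server 2005/ v/9/
# fallback that extracts and converts the hex version (approach 3)
match ms-sql-s m|^\x04\x01.*MSSQL VER=([0-9a-f]{2})\b| p/Microsoft SQL Server/ v/$D(1)/ i/raw 0x$1/
"""

# Constructed sample responses (not real TDS packets): a fixed 8-byte
# header followed by an ASCII version tag the rules above can match on.
SAMPLES = {
    "sql2000": b"\x04\x01\x00\x25\x00\x00\x01\x00MSSQL VER=08 BUILD=0194",
    "sql2005": b"\x04\x01\x00\x25\x00\x00\x01\x00MSSQL VER=09 BUILD=05a1",
    "newer":   b"\x04\x01\x00\x25\x00\x00\x01\x00MSSQL VER=0b BUILD=1000",
    "unknown": b"\x04\x01\x00\x25\x00\x00\x01\x00MSSQL VER=?? BUILD=0000",
}

LINE_RE = re.compile(r'^(softmatch|match)\s+(\S+)\s+m\|(.*?)\|\s*(.*)$')
FIELD_RE = re.compile(r'\b([pvi])/(.*?)/')
SUBST_RE = re.compile(r'\$D\((\d+)\)|\$(\d+)')


def parse_probes(text: str) -> List[dict]:
    """Parse the simplified rule lines into compiled byte regexes plus fields."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        kind, service, regex, rest = m.groups()
        rules.append({
            'kind': kind,
            'service': service,
            # responses are bytes, so the pattern is compiled as a bytes regex
            'regex': re.compile(regex.encode('latin-1'), re.DOTALL),
            'fields': dict(FIELD_RE.findall(rest)),
        })
    return rules


def expand(template: str, m: re.Match) -> str:
    """Substitute $n (raw capture) and $D(n) (hex capture -> decimal) into a field."""
    def repl(s: re.Match) -> str:
        if s.group(1) is not None:
            return str(int(m.group(int(s.group(1))).decode('latin-1'), 16))
        return m.group(int(s.group(2))).decode('latin-1')
    return SUBST_RE.sub(repl, template)


def identify(rules: List[dict], response: bytes) -> Dict[str, Optional[object]]:
    """Walk the rules in order against one response; first hard match wins."""
    result: Dict[str, Optional[object]] = {
        'service': None, 'product': None, 'version': None, 'info': None, 'soft': False}
    for rule in rules:
        if result['service'] is not None and rule['service'] != result['service']:
            continue  # after a softmatch only lines for that service are considered
        m = rule['regex'].search(response)
        if m is None:
            continue
        result['service'] = rule['service']
        if rule['kind'] == 'softmatch':
            result['soft'] = True  # service known, version not: keep looking
            continue
        result['soft'] = False
        for key, name in (('p', 'product'), ('v', 'version'), ('i', 'info')):
            if key in rule['fields']:
                result[name] = expand(rule['fields'][key], m)
        return result
    return result  # softmatch only (or nothing): version stays unknown


RULES = parse_probes(PROBES)

if __name__ == '__main__':
    for name, resp in SAMPLES.items():
        print(f"{name:8s} {identify(RULES, resp)}")
```

The "unknown" sample shows what the softmatch buys: a response the hardcoded lines were never written for still comes back as ms-sql-s with an empty version, rather than as an unidentified service. The "newer" sample shows the trade-off raised above: the helper yields a decimal "11" from the hex capture, which is only useful if that number is what users recognise; where the marketing name (2000, 2005) differs from the wire version, the per-version match lines present the friendlier result.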

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org