Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Determining UDP 161 port (SNMP) status using SNMPv3
From: Tom Sellers <nmap () fadedcode net>
Date: Wed, 18 Jun 2008 05:24:59 -0500

Fyodor wrote:
On Tue, Jun 17, 2008 at 11:04:37PM -0500, Tom Sellers wrote:
I have attached a patch to nmap-service-probes that includes the probe/match
combination that I spoke of earlier.  It sends a SNMPv3 connection request
that with the username sent to "public".  The rarity has been set to 4, the
same as the SNMPv1public probe.

Hi Tom.  That is great, but the match line may be too generic.  It says:

+match snmp m|^..\x02\x01\x030.\x02\x02\x20\x97\x02.{32,38}\x04\x06public\x04\0\x04\x00|s p/SNMPv3 server/

For version detection purposes, it would be best if we could at least
try to match individual SMTPv3 servers where possible.  So if you know
what is running on the remote host, maybe try to include as much
context as you can with the match (this may be enough) and then
include the details in the match line.  Then, if you have another
SMTPv3 server, maybe you will be able to match that separately.  This
way we know more than just that it is some snmpv3 server.  Now it may
turn out that SNMPv3 responses are so generic that we can't glean any
more details.  But it is best to start specific and then we can
generalize it if needed when we receive correction reports at
http://nmap.org/submit/ .

 From what I can tell the packet is pretty generic, but there are two
places where the packet has host specific information.  One includes an
encoded version of the MAC address, the other contains the first 4
bytes of the IANA SNMP private enterprise number for the manufacturer.
The enterprise number is not in a format where the number is easy to
put into i// strings but should be able to give us enough information
to generate a variety of match lines over time.  The problem with this
is that I think that this field can be editted on the device itself.

I will dig into this some more tonight and see if I can improve the
submission.

Thanks much,

Tom


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault