Nmap Development mailing list archives

Re: NMAP OS Guessing Tweak
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 14 Jan 2009 22:40:07 +0000


On Wed, 14 Jan 2009 16:55:28 -0500
"Juengling, Kurt W" <juengling () att com> wrote:

> Thanks - I won't promise anything as my coding skills are rusty (circa
> 10+ years ago) but perhaps I'll take a stab.
>
> 1.0 = NT 3.51 (just found a shrink-wrapped copy in the lab...scary)
> 2.0-4.0 = NT 4.0 (yeech, still some out there in production)
> 5.0 = Windows 2000 server
> 5.1 = XP Pro & 2000 Pro (definitely not 2003)
> 6.0 = Windows 2003 server
> 7.0 = Vista, Server 2008, supposedly also in Win 7 but haven't tested
> yet
>
> Does NMAP determine webserver fingerprint by parsing the lexical
> variations of the return code?  "Targets" should be following RFC 2068
> and mask/obfuscate anyhow, but...
>
> Cheers,
> Kurt


Thanks for the information.  As for coding skills, none are required.
All that you need to change is sitting in the nmap-service-probes
file.  You won't even need to change any of the PCRE
m|whatever| expressions, just the o/whatever/ expressions.

Also, I did a grep through some of my scans for IIS info, and I noticed
that we need to canonicalize some names:

Microsoft IIS httpd 5.1
Microsoft IIS httpd 6.0
Microsoft IIS webserver 5.1
Microsoft IIS webserver 7.0
Microsoft IIS httpd
Microsoft IIS webserver 5.0
Microsoft IIS webserver 6.0

I haven't looked at the probes file but I think "webserver" needs to be
changed to "httpd".

I also noticed while looking at the Apache matches that the version
information stuffed into i// includes superfluous ().  That is,
anything in i// already appears in parenthesis.  I don't think any of
these should include the (...) inside of i//:

...snip...
Apache httpd 1.3.34 (Ben-SSL/1.55 (Debian))
Apache httpd 1.3.34 (Ben-SSL/1.55 (Ubuntu))
Apache httpd 1.3.36 ((Unix))
Apache httpd 1.3.37 ((Unix))
Apache httpd 1.3.39 ((Unix))
Apache httpd 1.3.4 ((Unix))
Apache httpd 1.3.41 ((Darwin))
Apache httpd 1.3.41 ((Unix))
Apache httpd 1.3.9 ((Unix))
Apache httpd 2.0.39 ((Unix))
Apache httpd 2.0.40 ((Red Hat Linux))
Apache httpd 2.0.40 ((Win32))
Apache httpd 2.0.46 ((Red Hat))
Apache httpd 2.0.46 ((Scientific Linux))
...snip...

It should actually be just a few Apache httpd match lines that need to
be changed -- I suspect we are using some rather generic regexes to do
the matching.

Brandon


Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
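The two cleanups Brandon describes (the "webserver" vs "httpd" product name, and the doubled parentheses around i//) can be checked mechanically. The following is an added example, not code from this thread or from Nmap itself: a small Python parser for single-line nmap-service-probes match entries, a helper that assembles the VERSION string the way Nmap prints it (product, version, then info inside parentheses), and a linter that flags both problems. The match lines and HTTP banners below are constructed for the example, not copied from the real probes file.

```python
import re
# Constructed match lines in nmap-service-probes syntax: line 1 uses the uncanonical
# "webserver" name, line 2 wraps $2 in () inside i//, line 3 is clean.
SAMPLE_LINES = [
    r"match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Microsoft-IIS/(\d\.\d)\r\n|s p/Microsoft IIS webserver/ v/$1/ o/Windows/",
    r"match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache/([\d.]+) \(([^)]+)\)\r\n|s p/Apache httpd/ v/$1/ i/($2)/",
    r"match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache/([\d.]+)\r\n|s p/Apache httpd/ v/$1/",
]
# match <service> m<delim>regex<delim>[flags], then versioninfo fields p/ v/ i/ h/ o/ d/ (any delimiter)
MATCH_RE = re.compile(r"^(?:soft)?match\s+(\S+)\s+m(?P<d>.)(?P<re>.*?)(?P=d)(?P<flags>[si]*)\s*(?P<rest>.*)$")
FIELD_RE = re.compile(r"(?:^|\s)([pvihod])(.)(.*?)\2")

def parse_match(line):
    """Return (service, regex, flags, {field: template}) for a match line, else None."""
    m = MATCH_RE.match(line)
    if not m:
        return None
    fields = {name: tmpl for name, _, tmpl in FIELD_RE.findall(m.group("rest"))}
    return m.group(1), m.group("re"), m.group("flags"), fields

def render_version(fields, subs):
    """Assemble the VERSION column as Nmap prints it: product, version, then info inside ()."""
    fill = lambda t: re.sub(r"\$(\d)", lambda g: subs.get(int(g.group(1)), ""), t)
    parts = [fill(fields.get("p", "")), fill(fields.get("v", ""))]
    if "i" in fields:
        parts.append("(" + fill(fields["i"]) + ")")
    return " ".join(p for p in parts if p)

def identify(line, banner):
    """Apply one match line to a banner; returns the rendered VERSION string or None."""
    if (parsed := parse_match(line)) is None:
        return None
    _, regex, flags, fields = parsed
    opts = (re.DOTALL if "s" in flags else 0) | (re.IGNORECASE if "i" in flags else 0)
    if not (m := re.search(regex, banner, opts)):
        return None
    return render_version(fields, {n + 1: g or "" for n, g in enumerate(m.groups())})

def lint(lines):
    """Report the two problems raised in the thread as (line number, message) pairs."""
    issues = []
    for n, line in enumerate(lines, 1):
        if (parsed := parse_match(line)) is None:
            continue
        fields = parsed[3]
        if "webserver" in fields.get("p", "").lower():
            issues.append((n, "canonicalize product name: use 'httpd', not 'webserver'"))
        if re.fullmatch(r"\(.*\)", fields.get("i", "")):
            issues.append((n, "i// is already printed inside (); drop the extra parentheses"))
    return issues
```

Running `identify(SAMPLE_LINES[1], banner)` on a constructed `Server: Apache/2.0.46 (Red Hat)` banner reproduces the doubled form `Apache httpd 2.0.46 ((Red Hat))` from Brandon's list, and `lint(SAMPLE_LINES)` flags lines 1 and 2.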