Nmap Development mailing list archives

Re: salt in version probes
From: David Fifield <david () bamsoftware com>
Date: Wed, 27 Apr 2011 19:33:47 -0700

On Sun, Jan 16, 2011 at 11:17:25AM +0200, Toni Ruottu wrote:
> Here are two version probes I have created for NAT traversal services
> STUN and Teredo. I am not sure what would be good rarity values. The
> ports are standardized so I assume it is very common to have the
> services on those ports. I have not written any match lines yet, and I
> am not sure how to write really good ones.
>
> Could we include these in the release, recommend people to try
> scanning STUN and Teredo services, and get some match data posted to
> the database? How does the database work? Who has access to it? Does
> it have some automatic support for creating regular expressions?
>
> Please try running something like...
> nmap -sU -sV -p 3544,3478 teredo-debian.remlab.net
> teredo.ipv6.microsoft.com stun.xten.com stun1.noc.ams-ix.net
> stun.fwd.org stun.voipbuster.com stun01.sipphone.com
> stun.voxgratia.org -PN
> ...after including the probes to check that they work. Preferably,
> check with Wireshark that the sent probes seem sensible.
>
> The STUN specification mentions TCP based STUN servers, but I am not
> aware of any. Also I am not sure about the ssl ports thing. STUN
> specification discusses them. Does ssl work over udp?

I tried these probes with the example scan you gave. All the servers
answered to one of the probes except stun.fwd.org and
stun01.sipphone.com. Do you get the same?

These probes are probably fine, but I don't want to add them without any
matchlines. It's kind of a minimum barrier to entry to try a new probe
against a known server and add a match for it. (And ideally, try it
against two different servers, and get distinguishable responses.) I
notice that some of the stun-br responses contain the string
"Vovida\.org\x200\.96\", which looks like a nice server name and version
number for http://www.voip-info.org/wiki/view/Vovida.org+STUN+server. So
if you can test that, we'll add the probe.

David Fifield
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
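
An added example, not part of the original message and not Nmap's own code: a Python sketch of the check a match line built on the Vovida string would perform, extracting a product name and version from a STUN Binding Response. The response bytes are constructed, and both the placement of the string in the SOFTWARE/SERVER attribute (type 0x8022) and the regular expression are assumptions.

```python
import re
import struct

SOFTWARE_ATTR = 0x8022  # assumption: string is carried in SOFTWARE/SERVER (RFC 5389)

def build_sample_response(server: bytes) -> bytes:
    """Constructed Binding Response with one SOFTWARE attribute (sample data)."""
    padded = server + b"\x00" * (-len(server) % 4)  # values are 4-byte aligned
    attr = struct.pack("!HH", SOFTWARE_ATTR, len(server)) + padded
    txid = bytes(range(16))  # constructed 16-byte cookie/transaction ID field
    return struct.pack("!HH", 0x0101, len(attr)) + txid + attr

def stun_attributes(msg: bytes):
    """Yield (type, value) pairs; reject truncated or inconsistent messages."""
    if len(msg) < 20:
        raise ValueError("shorter than the 20-byte STUN header")
    _mtype, mlen = struct.unpack("!HH", msg[:4])
    body = msg[20:20 + mlen]
    if len(body) != mlen:
        raise ValueError("length field exceeds datagram")
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("attribute overruns message")
        yield atype, value
        off += 4 + alen + (-alen % 4)  # skip value plus padding

# Hypothetical pattern modelled on the string quoted in the message above.
VERSION_RE = re.compile(rb"(Vovida\.org) (\d+(?:\.\d+)*)")

def fingerprint(msg: bytes):
    """Return (product, version) when the SOFTWARE attribute matches, else None."""
    for atype, value in stun_attributes(msg):
        if atype == SOFTWARE_ATTR:
            m = VERSION_RE.search(value)
            if m:
                return m.group(1).decode(), m.group(2).decode()
    return None

if __name__ == "__main__":
    print(fingerprint(build_sample_response(b"Vovida.org 0.96")))
```

Running the same function over responses from two different server implementations shows whether the pattern distinguishes them, which is the test asked for in the message.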
