Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: salt in version probes
From: Toni Ruottu <toni.ruottu () iki fi>
Date: Tue, 3 May 2011 17:38:54 +0300

I tried these probes with the example scan you gave. All the server
answered to one of the probes except stun.fwd.org and
stun01.sipphone.com. Do you get the same?

Those seem to be unreachable. You can try with regular stun by commanding
stun stun01.sipphone.com
On Ubuntu I can install it with...
apt-get install stun

These probes are probably fine, but I don't want to add them without any
matchlines. It's kind of a minimum barrier to entry to try a new probe
against a known server and add a match for it. (And ideally, try it
against two different servers, and get distinguishable responses.) I
notice that some of the stun-br responses contain the string
"Vovida\.org\x200\.96\", which looks like a nice server name and version
number for http://www.voip-info.org/wiki/view/Vovida.org+STUN+server. So
if you can test that, we'll add the probe.

I think it is impossible to do a regexp that would match the fields
accurately because they have length prefixes, and the regexp would
need to take into account that the fields might be in different
orders, and skip fields. On the other hand we may just have the regexp
look for string "Vovida.org", but in theory this string might exist in
some field with wrong type. I suppose we are okay with that?
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]