Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: salt in version probes
From: Toni Ruottu <toni.ruottu () iki fi>
Date: Wed, 4 May 2011 16:38:09 +0300

These probes are probably fine, but I don't want to add them without any
matchlines. It's kind of a minimum barrier to entry to try a new probe
against a known server and add a match for it. (And ideally, try it
against two different servers, and get distinguishable responses.) I
notice that some of the stun-br responses contain the string
"Vovida\.org\x200\.96\", which looks like a nice server name and version
number for http://www.voip-info.org/wiki/view/Vovida.org+STUN+server. So
if you can test that, we'll add the probe.

I tested the stun probe with Vovida.org, and Jstun. Vovida.org is
recognizable while Jstun seems too generic to be distinguished. I also
tested Cornell stunt server, but turned out to be too different to
generate any kind of response. I could not get the server to compile,
so I only tested that against a hosted version, however.

I have attached a file with the probe, and three match lines. One
matches servers like Vovida that provide version information
explicitly, one matches servers that are too generic to be
distinguished from each other, and the last softmatch matches any
valid binding success response, which would indicate that we have
found a stun service, even if we do not know the product name or
version.

You can try the probes with
nmap -sU -sV -p 3478 stun.xten.com stun1.noc.ams-ix.net
stun.voipbuster.com stun.voxgratia.org jstun.javawi.de -PN

The version information is a free form text field, and I am a bit
worried that the product name and version number might be in different
order some times or have multiple white spaces, but I have not seen
such. Should we address that later when it becomes a problem?

This email only contains the stun probe and match lines. I will take a
look at teredo separately.

  cheers, --Toni

Attachment: stun-version.txt
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]