
Nmap Development mailing list archives

Re: Service Check
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 4 Dec 2013 06:56:12 -0600


A combination of -d and --version-trace flags showed which line was
being matched:

Service scan sending probe DNSVersionBindReq to (tcp)
NSOCK INFO [6.5500s] nsock_read(): Read request from IOD #1 [] (timeout: 5000ms) EID 34
NSOCK INFO [6.5500s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 []
NSOCK INFO [6.5830s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 34 [] (55 bytes):
.5.............version.bind..................NSD 3.2.15
Service scan match (Probe DNSVersionBindReq matched with DNSVersionBindReq line 9619): is domain.  Version: |ISC BIND|NSD 3.2.15||

Would you mind trying this patch? It works for me, but if you could
make sure it doesn't break existing ISC BIND matches, that would be
great, too. Some of the lines looked like they were out of order, with
more generic matches preceding specific ones:

diff --git a/nmap-service-probes b/nmap-service-probes
index 38cf1a7..3f2f326 100644
--- a/nmap-service-probes
+++ b/nmap-service-probes
@@ -9616,8 +9616,9 @@ match domain
 # Has to come before BIND matches.
 match domain 
([\w._-]+)$| p/Unbound/ v/$1/

-match domain m|\x07version\x04bind.*[\x03-\x14]([-\w._ ]{3,20})|s
p/ISC BIND/ v/$1/ cpe:/a:isc:bind:$1/
 match domain m|\x07version\x04bind.*[\x03-\x14]BIND ([-\w._]{3,20})|s
p/ISC BIND/ v/$1/ cpe:/a:isc:bind:$1/
+match domain m|\x07version\x04bind.*[\x03-\x14]NSD ([-\w._]{3,20})|s
p/NLnet Labs NSD/ v/$1/ cpe:/a:nlnet:nsd:$1/
+match domain m|\x07version\x04bind.*[\x03-\x14]([-\w._ ]{3,20})|s
p/ISC BIND/ v/$1/ cpe:/a:isc:bind:$1/
 # ISC Bind 9.1.3
 match domain m|\x07version\x04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x01\0|
p/ISC BIND/ v/9.X/ cpe:/a:isc:bind:9/
 match domain 
p/ISC BIND/ v/$1/ o/Red Hat Enterprise Linux/ cpe:/a:isc:bind:$1/
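Review bot: the catch-all line moved to the end of the reorder, `match domain m|\x07version\x04bind.*[\x03-\x14]([-\w._ ]{3,20})|s p/ISC BIND/ v/$1/ cpe:/a:isc:bind:$1/`, still labels every remaining version.bind reply as ISC BIND and stamps it with a BIND CPE, so a server that is neither BIND, NSD nor Unbound but answers version.bind gets exactly the wrong vendor this thread reports for NSD; consider dropping the CPE from that fallback or at least adding a comment above it saying it is the generic fallback and must stay last, since the reorder is the only thing that makes the NSD line win. Also, the new NSD line uses vendor token `nlnet` in `cpe:/a:nlnet:nsd:$1/` while its product string says NLnet Labs; please check that vendor token against the CPE dictionary before this goes in.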

Regarding -i vs -iL, from the changelog for Nmap 2.3BETA12 [2000-01-01]:

o The -i (input from list) option has been deprecated.  From now on
  you should use -iL [filename] to read from a list or -iR to have
  Nmap generate random IPs to scan.  This -iR option is new.


On Wed, Dec 4, 2013 at 5:57 AM, John Bond <john.r.bond () gmail com> wrote:
Hello All,

I just noticed that there seems to be an incorrect service check.  For NSD

sudo nmap/bin/nmap -sV -PE -p53 l.root-servers.net.

Starting Nmap 6.41SVN ( http://nmap.org ) at 2013-12-04 11:50 UTC
Nmap scan report for l.root-servers.net. (
Host is up (0.00092s latency).
rDNS record for l.root-servers.net
53/tcp open  domain  ISC BIND NSD 3.2.15

I think it's probably just a typo.  The server is running NSD, which is
developed by nlnetlabs and is not related to ISC or BIND.  It looks
like you get the same results regardless of which version of NSD is
scanned.  Couldn't see anything obvious in nmap/nmap-service-probes
but I'm not too familiar with the format.

On a different note, is the -i flag an alias to -iL?  I couldn't see a
reference to -i in the man page.

Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/
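The first-match-wins ordering that the patch above relies on, as an added example that is not part of the original thread or of Nmap's own code: a small Python model of how the match lines from the hunk are applied to the 55-byte version.bind reply shown in the trace. The reply is reconstructed here from the bytes in the trace (the leading `.5` is the TCP length prefix 0x0035 = 53, followed by a 53-byte DNS message), the three regexes are copied from the diff, and the Unbound line is left out because its regex is cut off in the quoted patch. `version_bind_reply`, `first_match`, `BEFORE_PATCH` and `AFTER_PATCH` are names made up for this example, and the sample version strings other than "NSD 3.2.15" are constructed.

```python
import re

# Rebuild the 55-byte TCP reply from the trace: a 2-byte length prefix
# (".5" = 0x0035 = 53) followed by a DNS message answering version.bind
# CH TXT. Constructed for this example, not captured from l.root-servers.net.
def version_bind_reply(txt: bytes) -> bytes:
    """Return a TCP DNS reply whose version.bind CH TXT answer is `txt`."""
    header = (b"\x00\x00"              # transaction ID (value irrelevant here)
              b"\x84\x00"              # flags: response, authoritative answer
              b"\x00\x01\x00\x01"      # 1 question, 1 answer
              b"\x00\x00\x00\x00")     # 0 authority, 0 additional
    question = b"\x07version\x04bind\x00" + b"\x00\x10" + b"\x00\x03"  # TXT, CH
    rdata = bytes([len(txt)]) + txt    # TXT RDATA: one length-prefixed string
    answer = (b"\xc0\x0c"              # name: compression pointer to the question
              b"\x00\x10\x00\x03"      # TXT, CH
              b"\x00\x00\x00\x00"      # TTL 0
              + len(rdata).to_bytes(2, "big") + rdata)
    message = header + question + answer
    return len(message).to_bytes(2, "big") + message

# Match lines from the hunk as (regex, product, version template). Nmap
# evaluates these with the /s flag, hence re.S below. The Unbound line is
# omitted because its regex is truncated in the quoted diff.
BIND_SPECIFIC = (rb"\x07version\x04bind.*[\x03-\x14]BIND ([-\w._]{3,20})",
                 "ISC BIND", "$1")
NSD = (rb"\x07version\x04bind.*[\x03-\x14]NSD ([-\w._]{3,20})",
       "NLnet Labs NSD", "$1")
GENERIC = (rb"\x07version\x04bind.*[\x03-\x14]([-\w._ ]{3,20})",
           "ISC BIND", "$1")

BEFORE_PATCH = [GENERIC, BIND_SPECIFIC]        # order of the '-' side of the hunk
AFTER_PATCH = [BIND_SPECIFIC, NSD, GENERIC]    # order of the '+' side of the hunk

def first_match(lines, reply):
    """Apply match lines in order and return (product, version) for the first
    hit, mirroring Nmap's first-match-wins walk through nmap-service-probes."""
    for pattern, product, template in lines:
        m = re.search(pattern, reply, re.S)
        if m:
            return product, template.replace("$1", m.group(1).decode("ascii"))
    return None

if __name__ == "__main__":
    # "NSD 3.2.15" is the string from the trace; the other two are constructed.
    for txt in (b"NSD 3.2.15", b"BIND 9.9.4", b"9.8.2rc1"):
        reply = version_bind_reply(txt)
        print(f"{txt.decode():<12} before: {first_match(BEFORE_PATCH, reply)}  "
              f"after: {first_match(AFTER_PATCH, reply)}")
```

With the original order the generic line swallows both the NSD reply and a "BIND 9.9.4" reply, reporting the whole TXT string as the BIND version; with the reordered lines the NSD reply is attributed to NLnet Labs NSD and the "BIND " prefix is stripped, while a bare "9.8.2rc1" still falls through to the generic ISC BIND line in both orders.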
