Nmap Development mailing list archives

Re: [bug] weird false match during version scan


From: Fyodor <fyodor () insecure org>
Date: Thu, 10 Feb 2005 01:47:18 -0800

On Mon, Feb 07, 2005 at 12:18:32PM +0100, Martin Mačok wrote:

Strange thing is that 'securetransport' is a match for NULL probe but
Nmap finds it in DNSVersionBindReq probe (which actually contains no
match) (?!)

This sounds like a bug, but it is actually a poorly documented
feature called the null probe cheat.  Here is the entry from the 3.48
changelog:

o If responses to a probe fail to match any of the registered match
  strings for that probe, Nmap will now try against the registered
  "null probe" match strings.  This helps in the case that the NULL
  probe initially times out (perhaps because of initial DNS lookup)
  but the banner appears in later responses.

Admittedly it is not having its desired effect in your case.  I think
the fundamental problem is that both services are using SSL and each
uses the same initial 7-byte string (\x15\x03\x01\0\x02\x01\0).  At
least I am assuming they are both SSL.

I think the best solution is to move this to the SSL probe section.  I
have attached a patch -- let me know if you try it and encounter any
problems.  I have neither Dell OpenManage nor Tumbleweed available to
me right now, but I did test it against submitted Tumbleweed
signatures.

Thanks,
Fyodor

Attachment: nmap.ssl.patch
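
Added example, not part of the original message or of Nmap's code: a simplified Python model of the fallback described in the 3.48 changelog entry, showing why a match registered under the NULL probe can be reported for a DNSVersionBindReq response, and how moving it to the SSL probe's section confines it. The table layout, the `SSL` section name and the target that stays silent on the NULL probe are constructed assumptions.

```python
import re

# The 7-byte reply quoted in the message: a TLS alert record
# (type 0x15, version 3.1, length 2, warning / close_notify).
SSL_ALERT = b"\x15\x03\x01\x00\x02\x01\x00"

def build_db(section):
    """Constructed mini signature table: probe name -> [(service, regex)].
    `section` is the probe whose match list holds the securetransport line."""
    db = {"NULL": [], "DNSVersionBindReq": [], "SSL": []}  # "SSL" = stand-in name
    db[section].append(("securetransport", re.compile(b"^" + re.escape(SSL_ALERT))))
    return db

def match_response(db, probe, response):
    """Try the probe's own matches, then fall back to the NULL probe's
    matches (the "null probe cheat"). Returns (service, section) or None."""
    sections = [probe] if probe == "NULL" else [probe, "NULL"]
    for section in sections:
        for service, rx in db[section]:
            if rx.search(response):
                return service, section
    return None

def scan(db, replies):
    """replies: constructed {probe: bytes or None}; None = probe timed out.
    Simplification: every probe is evaluated, with no stop at the first match."""
    results = {}
    for probe, data in replies.items():
        results[probe] = match_response(db, probe, data) if data else None
    return results

# Constructed target: silent on the NULL probe, answers other probes with the alert.
REPLIES = {"NULL": None, "DNSVersionBindReq": SSL_ALERT, "SSL": SSL_ALERT}

if __name__ == "__main__":
    for section in ("NULL", "SSL"):
        print(section, scan(build_db(section), REPLIES))
```

With the match under `NULL`, the DNSVersionBindReq reply is labelled securetransport through the fallback; with the match under `SSL`, only the reply to the SSL probe can produce that label.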
