Re: bizarre false positive (?) in service detection

["DePriest, Jason R." <jrdepriest () gmail com>]

With the skype line commented out of the service-probe file, nmap is
unable to determine what is running on the port.
Which is sort of strange since
----
jrdepriest@ebizsrvb:/usr/local/share/nmap$ telnet <SCANNERTARGET> 25
Trying <SCANNERTARGET>...
Connected to <SCANNERTARGET>.
Escape character is '^]'.
220  DP-6020
EHLO
250-Hello
250-DSN
250 CONNEG
MAIL TO:
501 Syntax error in parameters
RCPT FROM:
503 Need MAIL before RCPT

554 command not support

554 command not support
Connection closed by foreign host.
----
See attached for nmap's fingerprint of the port.  I'll do some packet
captures if I get time to find a pattern.

Thanks for the suggestions.

-Jason

On 4/12/07, Brandon Enright  wrote:
> On Thu, 12 Apr 2007 18:06:50 -0500
> "DePriest, Jason R."  wrote:
>
> > I'm attaching the debug output as explained on
> > http://insecure.org/nmap/vscan/vscan-community.html#vscan-submit-corrections
> >
> > I don't see in the information where it determines what is running on
> > the port, but then again, I don't know how to read the nitty gritty
> > details of the capture information either.
> >
> > IP addresses have been sanitized and replaced with <BIGWORDSINBRACES>
> >
> > -Jason
>
> From the service probes file:
>
> # Skype - Protocol seems to spew out 14 random characters upon
> # connection. Luckily, this shouldn't conflict any other X11 services.
> match skype m|^.{14}$|s p/Skype VoIP data channel/
>
> Either the service you are scanning really is Skype (not Skype v2) or you
> have a service that returns exactly 14 bytes.
>
> I haven't looked very closely at Skype v1 but if the data being returned
> really is random enough that a regular language can't match it without
> overmatching there is little that can be done to improve the check.
>
> One idea would be to use a NSE script like what we did with Skype v2.  The
> logic would be something like "if we receive exactly 14 bytes and it looks
> fairly random" say it is Skype.
>
> The "if it looks fairly random" was done in the v2 script with this line:
>
> if string.match(result, "[^%s!-~].*[^%s!-~].*[^%s!-~].*[^%s!-~]") then
>
> Basically this regex requires at least 4 non-typeable bytes.
>
> This would improve the Skype v1 match some but certainly wouldn't eliminate
> false-positives (and would add rare false negatives).
>
> Real knowledge of the Skype v1 protocol would be needed to improve the
> check much further.
>
> If you comment out the out the match skype line in your nmap-service-probes
> file you should start getting a fingerprint.  Run Nmap against the service
> several times.  If you can discern a pattern in the output (or if it is the
> same every time) or if you can illicit different (interesting) response for
> different probes we can write a pattern match for your service that will
> take precedence over the Skype match.
>
> Brandon
>
>
> --
> Brandon Enright
> Network Security Analyst
> UCSD ACS/Network Operations
> bmenrigh () ucsd edu

Attachment: port-fancy01.txt
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org