Nmap Development mailing list archives
Re: NMAP OS Guessing Tweak
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 14 Jan 2009 22:40:07 +0000
On Wed, 14 Jan 2009 16:55:28 -0500 "Juengling, Kurt W" <juengling () att com> wrote:
Thanks - I won't promise anything as my coding skills are rusty (circa 10+ years ago) but perhaps I'll take a stab.

1.0 = NT 3.51 (just found a shrink-wrapped copy in the lab...scary)
2.0-4.0 = NT 4.0 (yeech, still some out there in production)
5.0 = Windows 2000 server
5.1 = XP Pro & 2000 Pro (definitely not 2003)
6.0 = Windows 2003 server
7.0 = Vista, Server 2008, supposedly also in Win 7 but haven't tested yet

Does NMAP determine webserver fingerprint by parsing the lexical variations of the return code? "Targets" should be following RFC 2068 and mask/obfuscate anyhow, but...

Cheers,
Kurt
Thanks for the information. As for coding skills, none are required. All that you need to change is sitting in the nmap-service-probes file. You won't even need to change any of the PCRE m|whatever| expressions, just the o/whatever/ expressions.

Also, when I did a grep through some of my scans for IIS info, I noticed that we need to canonicalize some names:

Microsoft IIS httpd 5.1
Microsoft IIS httpd 6.0
Microsoft IIS webserver 5.1
Microsoft IIS webserver 7.0
Microsoft IIS httpd
Microsoft IIS webserver 5.0
Microsoft IIS webserver 6.0

I haven't looked at the probes file but I think "webserver" needs to be changed to "httpd".

I also noticed while looking at the Apache matches that the version information stuffed into i// includes superfluous (). That is, anything in i// already appears in parentheses. I don't think any of these should include the (...) inside of i//:

...snip...
Apache httpd 1.3.34 (Ben-SSL/1.55 (Debian))
Apache httpd 1.3.34 (Ben-SSL/1.55 (Ubuntu))
Apache httpd 1.3.36 ((Unix))
Apache httpd 1.3.37 ((Unix))
Apache httpd 1.3.39 ((Unix))
Apache httpd 1.3.4 ((Unix))
Apache httpd 1.3.41 ((Darwin))
Apache httpd 1.3.41 ((Unix))
Apache httpd 1.3.9 ((Unix))
Apache httpd 2.0.39 ((Unix))
Apache httpd 2.0.40 ((Red Hat Linux))
Apache httpd 2.0.40 ((Win32))
Apache httpd 2.0.46 ((Red Hat))
Apache httpd 2.0.46 ((Scientific Linux))
...snip...

It should actually be just a few Apache httpd match lines that need to be changed -- I suspect we are using some rather generic regexes to do the matching.

Brandon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
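The two fixes Brandon describes, the "webserver" -> "httpd" canonicalization and the doubled parentheses around i//, are both mechanical edits to nmap-service-probes match lines. The script below is an added example written for this page; it is not from the thread and not part of Nmap. It parses match/softmatch lines using the documented versioninfo syntax (m<delim>regex<delim> followed by p/.../ v/.../ i/.../ o/.../ fields), rewrites the two problems, and additionally flags the case the thread only suspects: an i/$N/ field whose capture group in the regex itself includes the escaped parentheses, where the match line is fine and the regex is what needs editing. The sample lines and the alias table are constructed for the example.

```python
import re

# nmap-service-probes line syntax (Nmap version-detection docs):
#   match <service> m<delim>regex<delim>[flags] [p/product/ v/version/ i/info/ o/os/ ...]
# Nmap prints the i// field in parentheses, so an i// body that is already
# wrapped in "(...)" is rendered doubled, e.g. "Apache httpd 1.3.36 ((Unix))".
MATCH_RE = re.compile(r'^(match|softmatch)\s+(\S+)\s+m(\W)(.*?)\3([is]*)\s*(.*)$')
# versioninfo fields: a field letter, a one-char delimiter, the body, the same delimiter
FIELD_RE = re.compile(r'(?<!\S)([pvihod])(\W)(.*?)\2')

# Product-name canonicalization proposed in the thread (assumed mapping).
PRODUCT_ALIASES = {"Microsoft IIS webserver": "Microsoft IIS httpd"}

# Constructed sample lines, not copied from the real nmap-service-probes file.
SAMPLE_LINES = [
    # p// needs canonicalizing
    'match http m|^HTTP/1\\.[01] \\d\\d\\d .*\\r\\nServer: Microsoft-IIS/([\\d.]+)\\r\\n| '
    'p/Microsoft IIS webserver/ v/$1/ o/Windows/',
    # literal parentheses around the i// substitution
    'match http m|^HTTP/1\\.[01] \\d\\d\\d .*\\r\\nServer: Apache/([\\d.]+) \\((.*?)\\)\\r\\n| '
    'p/Apache httpd/ v/$1/ i/($2)/',
    # the regex group captures the parentheses; the versioninfo is fine, the m|| needs the edit
    'match http m|^HTTP/1\\.[01] \\d\\d\\d .*\\r\\nServer: Apache/([\\d.]+) (\\(.*?\\))\\r\\n| '
    'p/Apache httpd/ v/$1/ i/$2/',
    # clean line
    'softmatch ssh m|^SSH-2\\.0-OpenSSH_([\\w.]+)| p/OpenSSH/ v/$1/',
]


def wrapped_in_parens(s):
    """True only if the first '(' of s is matched by the very last ')' (so '($2) ($3)' is False)."""
    if len(s) < 2 or s[0] != '(' or s[-1] != ')':
        return False
    depth = 0
    for i, ch in enumerate(s):
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth == 0 and i != len(s) - 1:
                return False  # outer group closed before the end of the string
    return depth == 0


def capture_groups(pattern):
    """Source text of each numbered capture group, in PCRE numbering order.

    Handles backslash escapes and (?...) non-capturing groups; parentheses
    inside character classes are not special-cased (good enough for a lint).
    """
    groups, stack, i = [], [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == '\\':
            i += 2  # skip the escaped character
            continue
        if ch == '(':
            idx = None
            if not pattern.startswith('(?', i):
                groups.append(None)
                idx = len(groups) - 1
            stack.append((i, idx))
        elif ch == ')' and stack:
            start, idx = stack.pop()
            if idx is not None:
                groups[idx] = pattern[start + 1:i]
        i += 1
    return groups


def lint_line(line):
    """Return (fixed_line, issues) for a match/softmatch line; other lines pass through untouched."""
    m = MATCH_RE.match(line.rstrip('\n'))
    if not m:
        return line, []
    kind, service, delim, pattern, flags, rest = m.groups()
    groups = capture_groups(pattern)
    issues = []

    def fix_field(fm):
        letter, d, body = fm.groups()
        if letter == 'p' and body in PRODUCT_ALIASES:
            issues.append(f"p// '{body}' -> '{PRODUCT_ALIASES[body]}'")
            body = PRODUCT_ALIASES[body]
        elif letter == 'i':
            if wrapped_in_parens(body):
                issues.append(f"i// '{body}' has redundant outer parentheses")
                body = body[1:-1]
            ref = re.fullmatch(r'\$(\d+)', body)
            if ref and 0 < int(ref.group(1)) <= len(groups):
                src = groups[int(ref.group(1)) - 1]
                if src and src.startswith('\\(') and src.endswith('\\)'):
                    issues.append(f"i// {body}: capture group includes the parentheses; edit the m{delim}{delim} regex")
        return f"{letter}{d}{body}{d}"

    new_rest = FIELD_RE.sub(fix_field, rest)
    fixed = f"{kind} {service} m{delim}{pattern}{delim}{flags} {new_rest}".rstrip()
    return fixed, issues


def lint_lines(lines):
    """Return [(index, fixed_line, issues)] for every line with at least one finding."""
    out = []
    for n, line in enumerate(lines):
        fixed, issues = lint_line(line)
        if issues:
            out.append((n, fixed, issues))
    return out


if __name__ == "__main__":
    for n, fixed, issues in lint_lines(SAMPLE_LINES):
        print(f"line {n}: " + "; ".join(issues))
        print("  " + fixed)
```

Run it against the real file with `lint_lines(open('nmap-service-probes').readlines())`; the rewritten lines can be written back, while the third kind of finding is report-only because changing the regex group is a judgement call the script should not make for you.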
Current thread:
- NMAP OS Guessing Tweak Juengling, Kurt W (Jan 14)
- Re: NMAP OS Guessing Tweak Brandon Enright (Jan 14)
- RE: NMAP OS Guessing Tweak Juengling, Kurt W (Jan 14)
- Re: NMAP OS Guessing Tweak Brandon Enright (Jan 14)
- RE: NMAP OS Guessing Tweak Juengling, Kurt W (Jan 14)
- Re: NMAP OS Guessing Tweak Brandon Enright (Jan 14)
