Nmap Development mailing list archives
[bug] weird false match during version scan
From: Martin Mačok <martin.macok () underground cz>
Date: Mon, 7 Feb 2005 12:18:32 +0100
I'm scanning Dell servers with Windows OS with Dell Openmanage on port 1311/tcp (https). I've written a match for this service (already in 3.80) but it keeps matching Tumbleweed SecureTransport Transaction Manager Secure Port (securetransport) and I don't know why.

The strange thing is that when I tried to minimize the nmap-service-probes file (deleting 'unused' probes/matches step by step) to narrow down the problem and create a testcase, it suddenly starts to match Dell Openmanage ...

I have simplified nmap-service-probes to a file that contains just NULL, GetRequest, DNSVersionBindReq and SSLSessionReq probes and relevant matches (http://Xtrmntr.org/ORBman/tmp/nmap-service-probes). Using this file:

% NMAPDIR=. nmap -sSV -P0 -p1311 -vvv frmailbox --version_trace

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-02-07 12:09 CET
Initiating SYN Stealth Scan against TARGET (1.2.3.4) [1 port] at 12:09
Packet capture filter (device eth0): dst host 172.17.14.150 and (icmp or (tcp and (src host 1.2.3.4)))
Discovered open port 1311/tcp on 1.2.3.4
The SYN Stealth Scan took 0.00s to scan 1 total ports.
Initiating service scan against 1 service on TARGET (1.2.3.4) at 12:09
NSOCK (0.0050s) TCP connection requested to 1.2.3.4:1311 (IOD #1) EID 8
NSOCK (0.0050s) nsock_loop() started (no timeout). 1 events pending
NSOCK (0.0060s) Callback: CONNECT SUCCESS for EID 8 [1.2.3.4:1311]
NSOCK (0.0060s) Read request from IOD #1 [1.2.3.4:1311] (timeout: 5000ms) EID 18
NSOCK (5.0190s) Callback: READ TIMEOUT for EID 18 [1.2.3.4:1311]
NSOCK (5.0190s) Write request for 18 bytes to IOD #1 EID 27 [1.2.3.4:1311]: GET / HTTP/1.0....
NSOCK (5.0190s) Read request from IOD #1 [1.2.3.4:1311] (timeout: 5000ms) EID 34
NSOCK (5.0190s) Callback: WRITE SUCCESS for EID 27 [1.2.3.4:1311]
NSOCK (10.0230s) Callback: READ TIMEOUT for EID 34 [1.2.3.4:1311]
NSOCK (10.0230s) TCP connection requested to 1.2.3.4:1311 (IOD #2) EID 40
NSOCK (10.0240s) Callback: CONNECT SUCCESS for EID 40 [1.2.3.4:1311]
NSOCK (10.0240s) Write request for 32 bytes to IOD #2 EID 51 [1.2.3.4:1311]: ...............version.bind.....
NSOCK (10.0240s) Read request from IOD #2 [1.2.3.4:1311] (timeout: 5000ms) EID 58
NSOCK (10.0240s) Callback: WRITE SUCCESS for EID 51 [1.2.3.4:1311]
NSOCK (10.0280s) Callback: READ SUCCESS for EID 58 [1.2.3.4:1311] [EOF](7 bytes): .......
The service scan took 10.02s to scan 1 service on 1 host.
Starting RPC scan against TARGET (1.2.3.4)
Host TARGET (1.2.3.4) appears to be up ... good.
Interesting ports on TARGET (1.2.3.4):
PORT     STATE SERVICE         VERSION
1311/tcp open  securetransport Tumbleweed SecureTransport Transaction Manager Secure Port
Final times for host: srtt: 308 rttvar: 5000 to: 100000
Nmap finished: 1 IP address (1 host up) scanned in 10.031 seconds
               Raw packets sent: 1 (40B) | Rcvd: 1 (46B)

Strange thing is that 'securetransport' is a match for NULL probe but Nmap finds it in DNSVersionBindReq probe (which actually contains no match) (?!)

Now I remove DNSVersionBindReq from the file and run again:

% NMAPDIR=. nmap -sSV -P0 -p1311 -vvv frmailbox --version_trace

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-02-07 12:13 CET
Initiating SYN Stealth Scan against TARGET (1.2.3.4) [1 port] at 12:13
Packet capture filter (device eth0): dst host 172.17.14.150 and (icmp or (tcp and (src host 1.2.3.4)))
Discovered open port 1311/tcp on 1.2.3.4
The SYN Stealth Scan took 0.00s to scan 1 total ports.
Initiating service scan against 1 service on TARGET (1.2.3.4) at 12:13
NSOCK (0.0050s) TCP connection requested to 1.2.3.4:1311 (IOD #1) EID 8
NSOCK (0.0050s) nsock_loop() started (no timeout). 1 events pending
NSOCK (0.0060s) Callback: CONNECT SUCCESS for EID 8 [1.2.3.4:1311]
NSOCK (0.0060s) Read request from IOD #1 [1.2.3.4:1311] (timeout: 5000ms) EID 18
NSOCK (5.0060s) Callback: READ TIMEOUT for EID 18 [1.2.3.4:1311]
NSOCK (5.0060s) Write request for 18 bytes to IOD #1 EID 27 [1.2.3.4:1311]: GET / HTTP/1.0....
NSOCK (5.0060s) Read request from IOD #1 [1.2.3.4:1311] (timeout: 5000ms) EID 34
NSOCK (5.0060s) Callback: WRITE SUCCESS for EID 27 [1.2.3.4:1311]
NSOCK (10.0060s) Callback: READ TIMEOUT for EID 34 [1.2.3.4:1311]
NSOCK (10.0060s) TCP connection requested to 1.2.3.4:1311 (IOD #2) EID 40
NSOCK (10.0070s) Callback: CONNECT SUCCESS for EID 40 [1.2.3.4:1311]
NSOCK (10.0070s) Write request for 88 bytes to IOD #2 EID 51 [1.2.3.4:1311]
NSOCK (10.0070s) Read request from IOD #2 [1.2.3.4:1311] (timeout: 5000ms) EID 58
NSOCK (10.0070s) Callback: WRITE SUCCESS for EID 51 [1.2.3.4:1311]
NSOCK (10.0080s) Callback: READ SUCCESS for EID 58 [1.2.3.4:1311] (717 bytes)
NSOCK (10.0090s) SSL/TCP connection requested to 1.2.3.4:1311 (IOD #3) EID 65
NSOCK (10.2760s) Callback: SSL-CONNECT SUCCESS for EID 65 [1.2.3.4:1311]
NSOCK (10.2760s) Read request from IOD #3 [1.2.3.4:1311] (timeout: 5000ms) EID 74
NSOCK (15.2760s) Callback: READ TIMEOUT for EID 74 [1.2.3.4:1311]
NSOCK (15.2760s) Write request for 18 bytes to IOD #3 EID 83 [1.2.3.4:1311]: GET / HTTP/1.0....
NSOCK (15.2760s) Read request from IOD #3 [1.2.3.4:1311] (timeout: 5000ms) EID 90
NSOCK (15.2760s) Callback: WRITE SUCCESS for EID 83 [1.2.3.4:1311]
NSOCK (15.3530s) Callback: READ SUCCESS for EID 90 [1.2.3.4:1311] (78 bytes): HTTP/1.1 200 OK..Connection: Close..Content-Type: text/html; charset=UTF-8....
NSOCK (15.3530s) Read request from IOD #3 [1.2.3.4:1311] (timeout: 4923ms) EID 98
NSOCK (15.3540s) Callback: READ SUCCESS for EID 98 [1.2.3.4:1311] [EOF](2370 bytes)
The service scan took 15.35s to scan 1 service on 1 host.
Starting RPC scan against TARGET (1.2.3.4)
Host TARGET (1.2.3.4) appears to be up ... good.
Interesting ports on TARGET (1.2.3.4):
PORT     STATE SERVICE  VERSION
1311/tcp open  ssl/http Dell Openmanage Server Administrator (PowerEdge)
Final times for host: srtt: 301 rttvar: 5000 to: 100000
Nmap finished: 1 IP address (1 host up) scanned in 15.357 seconds
               Raw packets sent: 1 (40B) | Rcvd: 1 (46B)

... and Nmap gets it right.

Any clue?

Martin Mačok
ICT Security Consultant

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List archive: http://seclists.org
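As an added illustration, not part of Martin's report and not Nmap's own code: a toy parser for nmap-service-probes match lines plus a lookup that follows the order the nmap-service-probes documentation describes for TCP probes (the eliciting probe's own match lines first, then an implicit fallback to the NULL probe's match lines). With a deliberately loose NULL match, a short reply to DNSVersionBindReq, a probe with no match lines of its own, is labelled securetransport just as in the first trace, and tightening the NULL match makes that false positive disappear; the match lines, probe payloads, banner and reply bytes are all constructed, not the real signatures or data.

```python
import re

# Constructed minimal nmap-service-probes fragment, not the real file shipped
# with Nmap; the securetransport match is a deliberately loose stand-in (any
# 7-byte reply starting \x00\x05) and probe payloads are elided.
PROBES_TEXT = r"""Probe TCP NULL q||
match securetransport m|^\x00\x05.{5}$|s p/Tumbleweed SecureTransport Transaction Manager Secure Port/
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
match http m|^HTTP/1\.[01] \d\d\d| p/Dell Openmanage Server Administrator/
Probe TCP DNSVersionBindReq q|...|
Probe TCP SSLSessionReq q|...|
"""
# Same fragment with the NULL match tightened to demand a (constructed)
# protocol-specific banner instead of a bare length prefix.
TIGHT_PROBES_TEXT = PROBES_TEXT.replace(r"m|^\x00\x05.{5}$|s", r"m|^\x00\x05STMv\d$|")

PROBE_RE = re.compile(r"^Probe (TCP|UDP) (\S+) q")
MATCH_RE = re.compile(r"^match (\S+) m(.)(.*?)\2([is]*)(?: p/([^/]*)/)?")

def parse_probes(text):
    """Return {probe_name: [(service, compiled_regex, product), ...]}.
    A match line belongs to the most recent Probe line, as in Nmap's format."""
    probes, current = {}, None
    for line in text.splitlines():
        p = PROBE_RE.match(line)
        if p:
            current = p.group(2)
            probes[current] = []
            continue
        m = MATCH_RE.match(line)
        if m and current is not None:
            flags = (re.I if "i" in m.group(4) else 0) | (re.S if "s" in m.group(4) else 0)
            # Compile as bytes so \x00-style escapes apply to raw wire replies.
            probes[current].append((m.group(1), re.compile(m.group(3).encode(), flags), m.group(5)))
    return probes

def identify(probes, probe_name, response):
    """Lookup order modelled on Nmap: the eliciting probe's own match lines
    first, then the NULL probe's match lines as the implicit fallback.
    Returns (service, product, probe whose match fired) or None."""
    order = [probe_name] + (["NULL"] if probe_name != "NULL" else [])
    for name in order:
        for service, regex, product in probes.get(name, []):
            if regex.search(response):
                return service, product, name
    return None

# Constructed 7-byte reply standing in for the "[EOF](7 bytes)" response in the
# first trace (the report does not show the real bytes).
SHORT_REPLY = b"\x00\x05\x00\x00\x00\x00\x00"
```

`identify(parse_probes(PROBES_TEXT), "DNSVersionBindReq", SHORT_REPLY)` reports securetransport with "NULL" as the probe whose match fired, while the tightened file returns None for the same reply.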
Current thread:
- [bug] weird false match during version scan Martin Mačok (Feb 07)
- Re: [bug] weird false match during version scan Fyodor (Feb 10)
- Re: [bug] weird false match during version scan Martin Mačok (Feb 10)
- Re: [bug] weird false match during version scan Fyodor (Feb 10)