Nmap Development mailing list archives

[bug] weird false match during version scan


From: Martin Mačok <martin.macok () underground cz>
Date: Mon, 7 Feb 2005 12:18:32 +0100

I'm scanning Dell servers with Windows OS with Dell Openmanage on port
1311/tcp (https). I've written a match for this service (already in
3.80) but it keeps matching Tumbleweed SecureTransport Transaction
Manager Secure Port (securetransport) and I don't know why.

The strange thing is that when I tried to minimize the
nmap-service-probes file (deleting 'unused' probes/matches step by step) to
narrow down the problem and create a testcase, it suddenly starts to
match Dell Openmanage ...

I have simplified nmap-service-probes to a file that contains just
NULL, GetRequest, DNSVersionBindReq and SSLSessionReq probes and
relevant matches (http://Xtrmntr.org/ORBman/tmp/nmap-service-probes).

Using this file:
% NMAPDIR=. nmap -sSV -P0 -p1311 -vvv frmailbox --version_trace

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-02-07 12:09 CET
Initiating SYN Stealth Scan against TARGET (1.2.3.4) [1 port] at 12:09
Packet capture filter (device eth0): dst host 172.17.14.150 and (icmp or (tcp and (src host 1.2.3.4)))
Discovered open port 1311/tcp on 1.2.3.4
The SYN Stealth Scan took 0.00s to scan 1 total ports.
Initiating service scan against 1 service on TARGET (1.2.3.4) at 12:09
NSOCK (0.0050s) TCP connection requested to 1.2.3.4:1311 (IOD #1) EID 8
NSOCK (0.0050s) nsock_loop() started (no timeout). 1 events pending
NSOCK (0.0060s) Callback: CONNECT SUCCESS for EID 8 [1.2.3.4:1311]
NSOCK (0.0060s) Read request from IOD #1 [1.2.3.4:1311] (timeout: 5000ms) EID 18
NSOCK (5.0190s) Callback: READ TIMEOUT for EID 18 [1.2.3.4:1311]
NSOCK (5.0190s) Write request for 18 bytes to IOD #1 EID 27 [1.2.3.4:1311]: GET / HTTP/1.0....
NSOCK (5.0190s) Read request from IOD #1 [1.2.3.4:1311] (timeout: 5000ms) EID 34
NSOCK (5.0190s) Callback: WRITE SUCCESS for EID 27 [1.2.3.4:1311]
NSOCK (10.0230s) Callback: READ TIMEOUT for EID 34 [1.2.3.4:1311]
NSOCK (10.0230s) TCP connection requested to 1.2.3.4:1311 (IOD #2) EID 40
NSOCK (10.0240s) Callback: CONNECT SUCCESS for EID 40 [1.2.3.4:1311]
NSOCK (10.0240s) Write request for 32 bytes to IOD #2 EID 51 [1.2.3.4:1311]: ...............version.bind.....
NSOCK (10.0240s) Read request from IOD #2 [1.2.3.4:1311] (timeout: 5000ms) EID 58
NSOCK (10.0240s) Callback: WRITE SUCCESS for EID 51 [1.2.3.4:1311]
NSOCK (10.0280s) Callback: READ SUCCESS for EID 58 [1.2.3.4:1311] [EOF](7 bytes): .......
The service scan took 10.02s to scan 1 service on 1 host.
Starting RPC scan against TARGET (1.2.3.4)
Host TARGET (1.2.3.4) appears to be up ... good.
Interesting ports on TARGET (1.2.3.4):
PORT     STATE SERVICE         VERSION
1311/tcp open  securetransport Tumbleweed SecureTransport Transaction Manager Secure Port
Final times for host: srtt: 308 rttvar: 5000  to: 100000

Nmap finished: 1 IP address (1 host up) scanned in 10.031 seconds
               Raw packets sent: 1 (40B) | Rcvd: 1 (46B)


The strange thing is that 'securetransport' is a match for the NULL probe, but
Nmap finds it in the DNSVersionBindReq probe (which actually contains no
match) (?!)


Now I remove DNSVersionBindReq from the file and run again:
% NMAPDIR=. nmap -sSV -P0 -p1311 -vvv frmailbox --version_trace

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-02-07 12:13 CET
Initiating SYN Stealth Scan against TARGET (1.2.3.4) [1 port] at 12:13
Packet capture filter (device eth0): dst host 172.17.14.150 and (icmp or (tcp and (src host 1.2.3.4)))
Discovered open port 1311/tcp on 1.2.3.4
The SYN Stealth Scan took 0.00s to scan 1 total ports.
Initiating service scan against 1 service on TARGET (1.2.3.4) at 12:13
NSOCK (0.0050s) TCP connection requested to 1.2.3.4:1311 (IOD #1) EID 8
NSOCK (0.0050s) nsock_loop() started (no timeout). 1 events pending
NSOCK (0.0060s) Callback: CONNECT SUCCESS for EID 8 [1.2.3.4:1311]
NSOCK (0.0060s) Read request from IOD #1 [1.2.3.4:1311] (timeout: 5000ms) EID 18
NSOCK (5.0060s) Callback: READ TIMEOUT for EID 18 [1.2.3.4:1311]
NSOCK (5.0060s) Write request for 18 bytes to IOD #1 EID 27 [1.2.3.4:1311]: GET / HTTP/1.0....
NSOCK (5.0060s) Read request from IOD #1 [1.2.3.4:1311] (timeout: 5000ms) EID 34
NSOCK (5.0060s) Callback: WRITE SUCCESS for EID 27 [1.2.3.4:1311]
NSOCK (10.0060s) Callback: READ TIMEOUT for EID 34 [1.2.3.4:1311]
NSOCK (10.0060s) TCP connection requested to 1.2.3.4:1311 (IOD #2) EID 40
NSOCK (10.0070s) Callback: CONNECT SUCCESS for EID 40 [1.2.3.4:1311]
NSOCK (10.0070s) Write request for 88 bytes to IOD #2 EID 51 [1.2.3.4:1311]
NSOCK (10.0070s) Read request from IOD #2 [1.2.3.4:1311] (timeout: 5000ms) EID 58
NSOCK (10.0070s) Callback: WRITE SUCCESS for EID 51 [1.2.3.4:1311]
NSOCK (10.0080s) Callback: READ SUCCESS for EID 58 [1.2.3.4:1311] (717 bytes)
NSOCK (10.0090s) SSL/TCP connection requested to 1.2.3.4:1311 (IOD #3) EID 65
NSOCK (10.2760s) Callback: SSL-CONNECT SUCCESS for EID 65 [1.2.3.4:1311]
NSOCK (10.2760s) Read request from IOD #3 [1.2.3.4:1311] (timeout: 5000ms) EID 74
NSOCK (15.2760s) Callback: READ TIMEOUT for EID 74 [1.2.3.4:1311]
NSOCK (15.2760s) Write request for 18 bytes to IOD #3 EID 83 [1.2.3.4:1311]: GET / HTTP/1.0....
NSOCK (15.2760s) Read request from IOD #3 [1.2.3.4:1311] (timeout: 5000ms) EID 90
NSOCK (15.2760s) Callback: WRITE SUCCESS for EID 83 [1.2.3.4:1311]
NSOCK (15.3530s) Callback: READ SUCCESS for EID 90 [1.2.3.4:1311] (78 bytes): HTTP/1.1 200 OK..Connection: Close..Content-Type: text/html; charset=UTF-8....
NSOCK (15.3530s) Read request from IOD #3 [1.2.3.4:1311] (timeout: 4923ms) EID 98
NSOCK (15.3540s) Callback: READ SUCCESS for EID 98 [1.2.3.4:1311] [EOF](2370 bytes)
The service scan took 15.35s to scan 1 service on 1 host.
Starting RPC scan against TARGET (1.2.3.4)
Host TARGET (1.2.3.4) appears to be up ... good.
Interesting ports on TARGET (1.2.3.4):
PORT     STATE SERVICE  VERSION
1311/tcp open  ssl/http Dell Openmanage Server Administrator (PowerEdge)
Final times for host: srtt: 301 rttvar: 5000  to: 100000

Nmap finished: 1 IP address (1 host up) scanned in 15.357 seconds
               Raw packets sent: 1 (40B) | Rcvd: 1 (46B)

... and Nmap gets it right. Any clue?

Martin Mačok
ICT Security Consultant
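Added illustration, not part of Martin's post and not Nmap's own code: a toy model of the version-scan match loop that reproduces the symptom above under one assumption the message itself does not confirm, namely that a response to a probe which has no match lines of its own is also tested against the NULL probe's matches (a fallback). With that rule, the 7-byte reply to DNSVersionBindReq in the first trace is checked against the NULL probe's securetransport signature before the SSLSessionReq probe ever runs, so the scan stops there; deleting the DNSVersionBindReq probe lets the loop reach SSLSessionReq, switch to the TLS tunnel and hit the Dell match on GetRequest. The probe file below uses the real file's line syntax but its regexes are hypothetical stand-ins, the responses are constructed from the traces (the 7 unprintable bytes are assumed to be NULs), and the "ssl" rescan is a simplification of what Nmap does.

```python
"""Toy model of Nmap's version-scan match loop.  Added example: the probe
file, the signatures, the simulated responses and the NULL-fallback rule are
all constructed/assumed, none of it is taken from Nmap or from the post."""
import codecs
import re
from dataclasses import dataclass, field

# Constructed stand-in for the trimmed nmap-service-probes file (same line
# syntax as the real file; the regexes themselves are hypothetical).
PROBES_TEXT = r"""
Probe TCP NULL q||
match securetransport m|^\0\0\0\0\0\0\0$| p/Tumbleweed SecureTransport Transaction Manager Secure Port/
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
match http m|^HTTP/1\.[01] 200 OK.*Dell OpenManage Server Administrator|s p/Dell Openmanage Server Administrator/
Probe TCP DNSVersionBindReq q|\0\x1e\0\x06\x01\0\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03|
Probe TCP SSLSessionReq q|\x16\x03\0\0S\x01\0\0O\x03\0|
match ssl m|^\x16\x03[\0\x01]| p/SSL/
"""

# Constructed responses keyed by (tunnel, probe name); None models a read timeout.
RESPONSES = {
    ("tcp", "NULL"): None,
    ("tcp", "GetRequest"): None,
    ("tcp", "DNSVersionBindReq"): b"\0" * 7,          # ASSUMED: the 7 unprintable bytes are NULs
    ("tcp", "SSLSessionReq"): b"\x16\x03\x01\x02\xc9\x02" + b"\0" * 40,  # TLS ServerHello-ish
    ("ssl", "NULL"): None,
    ("ssl", "GetRequest"): (b"HTTP/1.1 200 OK\r\nConnection: Close\r\n"
                            b"Content-Type: text/html; charset=UTF-8\r\n\r\n"
                            b"<html><title>Dell OpenManage Server Administrator</title></html>"),
}

@dataclass
class Match:
    service: str
    regex: re.Pattern
    info: str

@dataclass
class Probe:
    name: str
    payload: bytes
    matches: list = field(default_factory=list)

@dataclass
class Result:
    tunnel: str          # "tcp" or "ssl"
    probe: str           # probe whose response produced the match
    via_null_fallback: bool
    service: str
    info: str

PROBE_RE = re.compile(r"^Probe (TCP|UDP) (\S+) q\|(.*)\|$")
MATCH_RE = re.compile(r"^match (\S+) m(.)(.*?)\2([is]*)\s*(.*)$")

def parse_probes(text):
    """Parse the Probe/match subset of the nmap-service-probes syntax."""
    probes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PROBE_RE.match(line)
        if m:
            payload = codecs.decode(m.group(3), "unicode_escape").encode("latin-1")
            probes.append(Probe(m.group(2), payload))
            continue
        m = MATCH_RE.match(line)
        if m:
            if not probes:
                raise ValueError("match line before any Probe line")
            flags = (re.I if "i" in m.group(4) else 0) | (re.S if "s" in m.group(4) else 0)
            info = re.search(r"p/([^/]*)/", m.group(5))
            probes[-1].matches.append(Match(m.group(1),
                                            re.compile(m.group(3).encode("latin-1"), flags),
                                            info.group(1) if info else ""))
            continue
        raise ValueError(f"unrecognised line: {line}")
    if not probes or probes[0].name != "NULL":
        raise ValueError("NULL probe must come first")
    return probes

def first_match(matches, data):
    return next((m for m in matches if m.regex.search(data)), None)

def version_scan(probes, responses):
    """Run the probes in file order; stop at the first match.  A match whose
    service is 'ssl' restarts the loop inside the TLS tunnel (simplified)."""
    null = probes[0]
    tunnel = "tcp"
    while True:
        for probe in probes:
            data = responses.get((tunnel, probe.name))
            if not data:
                continue                     # timeout: nothing to match
            hit, fallback = first_match(probe.matches, data), False
            if hit is None and probe is not null:
                # ASSUMED rule: a probe's response is also tried against NULL's matches.
                hit, fallback = first_match(null.matches, data), True
            if hit is None:
                continue
            if hit.service == "ssl" and tunnel == "tcp":
                tunnel = "ssl"
                break                        # rescan everything through TLS
            return Result(tunnel, probe.name, fallback, hit.service, hit.info)
        else:
            return None

def scan_with_full_file():
    return version_scan(parse_probes(PROBES_TEXT), RESPONSES)

def scan_without_dns_probe():
    probes = [p for p in parse_probes(PROBES_TEXT) if p.name != "DNSVersionBindReq"]
    return version_scan(probes, RESPONSES)

if __name__ == "__main__":
    for label, r in (("full file", scan_with_full_file()),
                     ("DNSVersionBindReq removed", scan_without_dns_probe())):
        if r is None:
            print(f"{label}: no match")
        else:
            print(f"{label}: {r.tunnel}/{r.service} {r.info!r} matched on probe "
                  f"{r.probe} (NULL fallback: {r.via_null_fallback})")
```

The model explains the "match found in a probe that has no match lines" oddity only if the fallback assumption holds; the practical check against a real Nmap build is to look at how it reports the matching probe in `--version_trace`, and the practical fix for the signature is to tighten the NULL-probe securetransport regex so that a short all-NUL reply to a DNS query cannot satisfy it.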
