Nmap Development mailing list archives
Re: bizarre false positive (?) in service detection
From: "DePriest, Jason R." <jrdepriest () gmail com>
Date: Fri, 13 Apr 2007 11:33:27 -0500
On 4/13/07, Brandon Enright <> wrote:
On Fri, 13 Apr 2007 10:39:51 -0500 "DePriest, Jason R." <> wrote:With the skype line commented out of the service-probe file, nmap is unable to determine what is running on the port.Nmap should provide you with a service fingerprint for submission. This service looks pretty easy to match so go ahead and submit it.
submitted
Which is sort of strange since ---- jrdepriest@ebizsrvb:/usr/local/share/nmap$ telnet <SCANNERTARGET> 25 Trying <SCANNERTARGET>... Connected to <SCANNERTARGET>. Escape character is '^]'. 220 DP-6020 EHLO 250-Hello 250-DSN 250 CONNEG MAIL TO: 501 Syntax error in parameters RCPT FROM: 503 Need MAIL before RCPT 554 command not support 554 command not support Connection closed by foreign host. ---- See attached for nmap's fingerprint of the port. I'll do some packet captures if I get time to find a pattern. Thanks for the suggestions. -JasonIf you don't get a fingerprint it may be because we don't have a probe for "EHLO". Go ahead and try adding it to your service probes file like so: Probe TCP Hello q|EHLO\r\n| rarity 5 ports 25,587 sslports 465 totalwaitms 7500
This didn't make a difference. With the Skype line active, it found Skype; with the Skype line commented out, it was stumped. But the signature for the service did have this bit added to it that was missing without the EHLO probe: (hello,2E,"220\x20\x20DP-6020\r\n250-Hello\r\n250-DSN\r\n250\x20CONNEG\r\n")
If you are still having trouble getting a fingerprint let us know and we'll try to figure it out. Brandon
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- bizarre false positive (?) in service detection DePriest, Jason R. (Apr 12)
- Re: bizarre false positive (?) in service detection DePriest, Jason R. (Apr 12)
- Re: bizarre false positive (?) in service detection Brandon Enright (Apr 12)
- Re: bizarre false positive (?) in service detection DePriest, Jason R. (Apr 12)
- Re: bizarre false positive (?) in service detection DePriest, Jason R. (Apr 13)
- Re: bizarre false positive (?) in service detection Brandon Enright (Apr 13)
- Re: bizarre false positive (?) in service detection DePriest, Jason R. (Apr 13)
- Re: bizarre false positive (?) in service detection Brandon Enright (Apr 13)
- Re: bizarre false positive (?) in service detection doug (Apr 13)
- Re: bizarre false positive (?) in service detection Brandon Enright (Apr 12)
- Re: bizarre false positive (?) in service detection DePriest, Jason R. (Apr 12)