Nmap Development mailing list archives
Re: Regarding "Windows XP identd" in nmap-service-probes (r2839)
From: Kris Katterjohn <katterjohn () gmail com>
Date: Fri, 30 Jan 2009 20:03:50 -0600
Fyodor wrote:

> On Fri, Jan 30, 2009 at 11:14:07PM +0000, Brandon Enright wrote:
>
>> We often get compromised Windows machines running some IRC bot that also run some fake identd. Sometimes this fake ident matches "Windows XP identd" with the match-line:
>>
>>     match ident m|^ : USERID : UNIX : [a-z]{4,8}\r\n$| p/Windows XP identd/ o/Windows/
>>
>> It seems the only unique requirement here is a username in the 4-8 char range followed by a \r\n instead of just a \n.
>
> Thanks for the report. I've removed the p/Windows XP identd/ part. It is probably worth keeping the o/Windows/, since the \r\n makes that platform more likely and we haven't heard reports of this matching other systems.
Hmm.. many services have an official EOL of CRLF (which is why Ncat's -C comes in handy), so reading that keeping \r\n to specify Windows makes me a little uncomfortable. I just glanced over RFC 1413 and it in fact says that the EOL is CRLF (I searched for both "CR" and "LF" and didn't see any mention of an exception). So while many, many services don't follow RFCs to the letter (especially not with EOL sequences), I'm not positive that o/Windows/ is a great way to go about this. Although, the fact that it hasn't been reported wrong does help your side. Anyway, this is more me thinking out loud than saying "don't do that." I don't know the db all that well, so maybe this is a norm I'm not familiar with or something.
> Cheers,
> -F

Thanks,
Kris Katterjohn

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
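To make the CRLF point in the thread concrete, here is a small Python checker added to this archive page (it is not Nmap code and not part of the original message): it parses an identd reply loosely against the RFC 1413 reply grammar, reports whether the reply ends in CRLF, and tests whether the quoted match line would fire on it. All sample replies are constructed, not captured traffic.

```python
import re

# The match line quoted in the thread (nmap-service-probes r2839), as a Python regex.
# Everything it can key on is the missing port pair, a 4-8 letter lowercase user-id
# and the trailing \r\n; that \r\n is all the o/Windows/ inference rests on.
NMAP_MATCH = re.compile(r"^ : USERID : UNIX : [a-z]{4,8}\r\n$")

# Loose RFC 1413 reply grammar: optional "<server-port>, <client-port>", then
# "USERID : <opsys> : <user-id>" or "ERROR : <error-type>", then the line terminator.
# RFC 1413 specifies CRLF; a bare LF is accepted here so the terminator can be reported.
RFC1413_REPLY = re.compile(
    r"^(?:(?P<sport>\d+)\s*,\s*(?P<cport>\d+))?\s*:\s*"
    r"(?P<type>USERID|ERROR)\s*:\s*(?P<rest>[^\r\n]*)(?P<eol>\r\n|\n)$"
)


def analyse(reply: str) -> dict:
    """Describe one identd reply: RFC 1413 shape, CRLF use, and whether the
    thread's match line would fire on it. Nothing here identifies an OS."""
    m = RFC1413_REPLY.match(reply)
    info = {
        "rfc1413": m is not None,
        "crlf": reply.endswith("\r\n"),
        "nmap_match": NMAP_MATCH.match(reply) is not None,
        "opsys": None,
        "user": None,
    }
    if m and m.group("type") == "USERID":
        opsys, _, user = m.group("rest").partition(":")
        info["opsys"], info["user"] = opsys.strip(), user.strip()
    return info


# Constructed sample replies (not captured traffic).
SAMPLES = {
    "rfc-conformant, any OS": "2345, 113 : USERID : UNIX : alice\r\n",
    "bogus reply to empty query": " : USERID : UNIX : qwerty\r\n",
    "same, LF-only terminator": " : USERID : UNIX : qwerty\n",
    "error reply": "2345, 113 : ERROR : NO-USER\r\n",
}

if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(f"{label:28} {analyse(reply)}")
```

The CRLF reply from a conformant server on any platform satisfies the RFC grammar, and only the port-less reply to an empty query satisfies the match line, so the terminator alone separates nothing by OS.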