Nmap Development mailing list archives
Kerberos probes for nmap
From: Patrik Karlsson <patrik () cqure net>
Date: Sat, 28 Nov 2009 21:20:53 +0100
I noticed that Kerberos get's detected fine when running against Windows but my Heimdal hosts are not detected. Running over TCP the RPCCheck probe seems to trigger an answer. Here's the signature: SF-Port88-TCP:V=5.10BETA1%I=7%D=11/28%Time=4B1181BB%P=i386-apple-darwin10.2.0%r(RPCCheck,55,"\0\0\0Q~O0M\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e\xa4\ SF:x11\x18\x0f20091128200203Z\xa5\x05\x02\x03\x08i@\xa6\x03\x02\x01=\xa9\x SF:15\x1b\x13<unspecified\x20realm>\xaa\x0b0\t\xa0\x03\x02\x01\0\xa1\x020\ SF:0"); I have put together a probe that works both against 88/tcp and 88/udp. The probe is a request for a TGT for the user NM in realm NM. Again, my matches might need some improvement. Attaching signatures for reference. SF-Port88-TCP:V=5.10BETA1%I=7%D=11/28%Time=4B1184BD%P=i386-apple-darwin10.2.0%r(kerberos,67,"\0\0\0c~a0_\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e\xa4\ SF:x11\x18\x0f20091128201453Z\xa5\x05\x02\x03\x0c\xd3O\xa6\x03\x02\x01\x06 SF:\xa7\x04\x1b\x02NM\xa8\x0f0\r\xa0\x03\x02\x01\x01\xa1\x060\x04\x1b\x02N SF:M\xa9\x04\x1b\x02NM\xaa\x170\x15\xa0\x03\x02\x01\0\xa1\x0e0\x0c\x1b\x06 SF:krbtgt\x1b\x02NM")%r(RPCCheck,55,"\0\0\0Q~O0M\xa0\x03\x02\x01\x05\xa1\x SF:03\x02\x01\x1e\xa4\x11\x18\x0f20091128201459Z\xa5\x05\x02\x03\x03\x80\x SF:ae\xa6\x03\x02\x01=\xa9\x15\x1b\x13<unspecified\x20realm>\xaa\x0b0\t\xa SF:0\x03\x02\x01\0\xa1\x020\0"); SF-Port88-UDP:V=5.10BETA1%I=7%D=11/28%Time=4B118543%P=i386-apple-darwin10.2.0%r(kerberos,63,"~a0_\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x1e\xa4\x11\x18 SF:\x0f20091128201702Z\xa5\x05\x02\x03\n\xf9m\xa6\x03\x02\x01\x06\xa7\x04\ SF:x1b\x02NM\xa8\x0f0\r\xa0\x03\x02\x01\x01\xa1\x060\x04\x1b\x02NM\xa9\x04 SF:\x1b\x02NM\xaa\x170\x15\xa0\x03\x02\x01\0\xa1\x0e0\x0c\x1b\x06krbtgt\x1 SF:b\x02NM"); //Patrik
Attachment:
kerberos.patch
Description:
-- Patrik Karlsson http://www.cqure.net
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Kerberos probes for nmap Patrik Karlsson (Nov 28)
- Re: Kerberos probes for nmap David Fifield (Dec 12)
- Re: Kerberos probes for nmap Patrik Karlsson (Dec 12)
- Re: Kerberos probes for nmap David Fifield (Dec 15)
- Re: Kerberos probes for nmap Patrik Karlsson (Dec 15)
- Re: Kerberos probes for nmap David Fifield (Dec 21)
- Re: Kerberos probes for nmap Patrik Karlsson (Dec 21)
- Re: Kerberos probes for nmap David Fifield (Dec 22)
- Re: Kerberos probes for nmap Patrik Karlsson (Dec 28)
- kerberos-get-realm.nse David Fifield (Dec 31)
- Re: Kerberos probes for nmap Patrik Karlsson (Dec 15)
- Re: Kerberos probes for nmap David Fifield (Dec 12)
- Re: Kerberos probes for nmap Patrik Karlsson (Dec 21)