Version detection of Ldap Service using nmap
Anil Kumar D.K
2003-12-05 05:18:37 UTC
Hi all,

I am trying to find the version of an LDAP service using nmap.

nmap 10.10.40.223 -p389 -A

For Microsoft Active directory, I am getting the right information. (As the match string already exists in nmap-service-probes file)

I would like to find the version of the LDAP service of the following vendors:
Critical Path Directory Service 4.2
Siemens Directory DirX 6.0

For Critical Path Directory Service 4.2, I got the service fingerprint below.

D:\nmap-3.48>nmap 10.10.40.223 -p1702 -A
Starting nmap 3.48 ( http://www.insecure.org/nmap ) at 2003-12-05 10:35 India Standard Time
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on EWSMC280 (10.10.40.223):
PORT STATE SERVICE VERSION
1702/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version,please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port1702-TCP:V=3.48%D=12/5%Time=3FD01237%r(LDAPBindReq,E,"0\x0c\x02\x01
SF:\x01a\x07\n\x01\0\x04\0\x04\0");
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Professional
or Advanced Server, or Windows XP

Nmap run completed -- 1 IP address (1 host up) scanned in 13.570 seconds

I have submitted the fingerprint to http://www.insecure.org/cgi-bin/servicefp-submit.cgi
I tried to use the match string "0\x0c\x02\x01\x01a\x07\n\x01\0\x04\0\x04\0" in nmap-service-probes for the LDAP service,
but this string matches even for OpenLDAP 1.4.x.

Is there any way to get a unique string for each LDAP product?
Any help will be really appreciated.

Regards,
Anil
MadHat
2003-12-05 21:55:19 UTC
Post by Anil Kumar D.K
Hi all,
I am trying to find the version of an LDAP service using nmap.
nmap 10.10.40.223 -p389 -A
For Microsoft Active directory, I am getting the right information.
(As the match string already exists in nmap-service-probes file)
I would like to find the version of the LDAP service of the following vendors:
Critical Path Directory Service 4.2
Siemens Directory DirX 6.0
For Critical Path Directory Service 4.2, I got the service fingerprint below.
D:\nmap-3.48>nmap 10.10.40.223 -p1702 -A
Starting nmap 3.48 ( http://www.insecure.org/nmap ) at 2003-12-05 10:35 India Standard Time
Warning: OS detection will be MUCH less reliable because we did not
find at least 1 open and 1 closed TCP port
PORT STATE SERVICE VERSION
1702/tcp open unknown
1 service unrecognized despite returning data. If you know the
service/version,please submit the following fingerprint at
SF-Port1702-TCP:V=3.48%D=12/5%Time=3FD01237%r(LDAPBindReq,E,"0\x0c\x02\x01
SF:\x01a\x07\n\x01\0\x04\0\x04\0");
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Professional
or Advanced Server, or Windows XP
Nmap run completed -- 1 IP address (1 host up) scanned in 13.570 seconds
I have submitted the fingerprint to
http://www.insecure.org/cgi-bin/servicefp-submit.cgi
I tried to use the match string
"0\x0c\x02\x01\x01a\x07\n\x01\0\x04\0\x04\0" in
nmap-service-probes for the LDAP service,
but this string matches even for OpenLDAP 1.4.x.
Is there any way to get a unique string for each LDAP product?
Any help will be really appreciated.
If they return the exact same thing, it is not going to be possible.
The only other option is to try and figure out a different probe to
send to get a different response from each ldap server. The problem
then comes in on whether it works with the most ldap servers. You don't
want 3 or 4 probes for a single service; then it takes a lot longer if
the service is not known or even when it is. You want one probe that
elicits the most data to be able to fingerprint the most number of
unique servers accurately.


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-***@insecure.org . List archive: http://seclists.org
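The 14 bytes in Anil's fingerprint (nmap's `E` is the hex length) are the minimal BER-encoded LDAP BindResponse that any RFC 2251 server returns for a successful anonymous bind, which is exactly why the same match string also fires for OpenLDAP, as MadHat says. The decoder below is an added example, not code from the thread or from nmap; `FINGERPRINT` is re-typed from the post above.

```python
# Added example (not from the thread): decode the BER-encoded LDAP BindResponse
# that nmap 3.48 printed in the fingerprint above and show why it is generic.
from typing import Tuple

# The 14 bytes from the SF fingerprint, re-typed from the post (\0 written as \x00).
FINGERPRINT = b"0\x0c\x02\x01\x01a\x07\n\x01\x00\x04\x00\x04\x00"


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag/length/value (short-form length only, which is all
    this reply uses). Returns (tag, value, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER length not handled in this example")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def decode_bind_response(buf: bytes) -> dict:
    """Parse LDAPMessage { messageID, BindResponse { resultCode, matchedDN,
    diagnosticMessage } } from the raw bytes a server sent back."""
    tag, body, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE (0x30)")
    tag, msg_id, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID must be an INTEGER (0x02)")
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:  # [APPLICATION 1] = BindResponse
        raise ValueError("expected BindResponse (0x61), got 0x%02x" % tag)
    tag, code, pos = read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("resultCode must be an ENUMERATED (0x0a)")
    _, matched_dn, pos = read_tlv(op, pos)   # OCTET STRING, empty here
    _, diag, _ = read_tlv(op, pos)           # OCTET STRING, empty here
    return {
        "messageID": int.from_bytes(msg_id, "big"),
        "resultCode": int.from_bytes(code, "big"),
        "matchedDN": matched_dn.decode(),
        "diagnosticMessage": diag.decode(),
    }


def is_generic_bind_success(buf: bytes) -> bool:
    """True when the reply is the bare success (code 0, empty DN, empty
    diagnostic text), i.e. it carries nothing vendor-specific to match on."""
    r = decode_bind_response(buf)
    return r["resultCode"] == 0 and r["matchedDN"] == "" and r["diagnosticMessage"] == ""


if __name__ == "__main__":
    print(decode_bind_response(FINGERPRINT))
    print("vendor-neutral reply:", is_generic_bind_success(FINGERPRINT))
```

A server that fills in `diagnosticMessage` (some do, with product text) would fail `is_generic_bind_success` and give a match line something to anchor on; the Critical Path reply above does not.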
Bo Cato
2003-12-05 23:17:05 UTC
M> If they return the exact same thing, it is not going to be possible.
M> The only other option is to try and figure out a different probe to
M> send to get a different response from each ldap server. The problem
M> then comes in on whether it works with the most ldap servers. You don't
M> want 3 or 4 probes for a single service; then it takes a lot longer if
M> the service is not known or even when it is. You want one probe that
M> elicits the most data to be able to fingerprint the most number of
M> unique servers accurately.

I agree with Madhat completely on this point.

But I also would suggest that the service option be expanded to allow
for a Quick probe and an Extensive probe. The current probe could satisfy
the Quick option and check for the most the quickest. And if someone
was willing to give up this speed for the option of a more detailed
probe, they could select the Extensive option, which could provide 3 or 4
probes for each service.

-sV0 <- Fast probe (or Limited Probe, Quick Probe, etc)
-sV1 <- Slow probe (or Additional Probe, Extensive Probe, etc)

Normally 1 size does not fit all. Those that need "quick and general"
probe would not have to suffer for those that want a "slow and
granular" probe.

Am I going to code this? Hehehe. N o - W a y !

I guess this could be added to the very long "wish list" for nmap, eh?

The more people that feel this is an attractive addition the more
likely it will be looked into.

Honestly I'd rather see a proxy scan be added as a feature first. It
still amazes me that nmap can't use a proxy server after all this
time. I guess no one has asked for it. *shrug*

-b
