Version detection: version.bind / fallbacks #977
With BIND as configured on some older OS X 10.6 systems I was unable to fingerprint the service/OS over TCP or UDP with or without this PR. Here is the base64 encoded version of the single-packet PCAP:
I've also submitted this as a new fingerprint.
With BIND as configured on an old Ubuntu 7.10 system I was unable to fingerprint the service/OS over TCP or UDP with or without this PR. Base64 encoded version of the single-packet PCAP:
Fingerprint submitted.
Perhaps off topic, but while testing this for @TomSellers I noticed that DNS instances configured to return non-default or non-standard responses for the
In cases like this, as currently written nmap will say the following about the endpoint:
It will also provide the missing fingerprint data to be submitted to nmap.org, but it seems to imply a bigger problem than there actually is. In reality we know that the endpoint is DNS/domain and we did get a version response, it just doesn't look like any version we've seen before. I'd argue that showing what we did get for the version response is more useful than masking it. In many cases this will be enough to inform the user that some sort of hardening or custom configuration may be in use on the DNS server in question and that perhaps the fingerprint isn't good enough for general distribution with nmap.
Thanks @jhart-r7 for the feedback. I've incorporated the matches as well as your feedback about echoing the banner when not matched.
🍩 !
The goal of this PR is to use data from a Project Sonar Internet-wide survey of DNS responses to a `version.bind` query on both TCP and UDP to improve Nmap's version detection coverage. As part of this effort a couple of quality and consistency issues were addressed. Full disclosure, I work on the Rapid7 team that runs Project Sonar.

Note: Core version detection fallback logic was changed.
Summary
The DNS query response packet over TCP and UDP only differs by one field. The TCP version contains a two byte length field at the start of the response data. This means that we can use the same match lines for both probes if the regex is constructed with this in mind and fingerprint fallbacks work cross protocol. This PR implements cross protocol fallbacks by making changes to `*AllProbes::getProbeByName`, which is only used in the fallback process. This should not break any existing functionality since fallbacks are only currently used to fall back to `GetRequest`.

Prior to the above, match lines were implemented separately in the TCP and UDP `DNSVersionBindReq` probe sections. Given the organic growth of these sections over time they were inconsistent in coverage and had many match quality issues. Many of the fingerprints could have never fired due to over-broad fingerprints that occurred earlier in the match process. Additionally there were many fingerprints that generically matched a DNS query response but that had no service-specific data in the regex.

To address this I have:

- `version.bind` match lines to the `UDP DNSVersionBindReq` probe section
- `TCP DNSVersionBindReq` to `TCP DNSVersionBindReqTCP` and configured it to fall back to `UDP DNSVersionBindReq`

Match lines for this response should now only occur in one section, simplifying maintenance. I have made similar but very limited changes to the UDP and TCP `DNSStatusRequest` probe.

- `version.bind` query on both TCP and UDP. The new match lines have been grouped by product/OS where possible and roughly ordered by occurrence on the public Internet. We will be publishing some of the metrics in the near future.

Building
I've tossed some notes on cloning the repo and pr as well as building Nmap here:
https://gist.github.com/TomSellers/9ad59588ca0436f2192a90437a660dcf
Example output
Example output - No match

Custom `version.bind` response of `get lost`.

A "not implemented" response which has been softmatched in order to give other probes/match lines the opportunity to determine more information about the service. There are similar responses for Format Error, Server Fail, etc.
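As an added illustration of the cross-protocol point in the summary (this is not code from the PR or from Nmap), the Python below builds a constructed `version.bind` TXT reply, frames it for UDP and for TCP, and matches both with a single pattern whose only transport-specific part is the optional two-byte length prefix; the banner is returned so it can be echoed when no product is recognised, and a bare RCODE reply (Not Implemented, Refused, ...) is soft-matched as DNS instead. The header layout follows RFC 1035; the regex, the sample txid and the `describe` output format are my own assumptions, not Nmap's match lines.

```python
import re
import struct

# Constructed sample reply to a "version.bind" CH TXT query; txid/TTL values are made up.
def build_version_bind_response(version: str, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR RD RA, RCODE 0
    question = b"\x07version\x04bind\x00" + struct.pack("!HH", 16, 3)  # TXT, CH
    txt = bytes([len(version)]) + version.encode()               # <len><text>
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 3, 0, len(txt)) + txt
    return header + question + answer

def build_rcode_response(rcode: int, txid: int = 0x1234) -> bytes:
    """A reply carrying only an error RCODE (4 = Not Implemented, 5 = Refused)."""
    return struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 0)

def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP prepends a two-byte big-endian length to the same message."""
    return struct.pack("!H", len(msg)) + msg

# One pattern for both probes: the optional two-byte prefix is the only difference.
VERSION_BIND_RE = re.compile(
    rb"^(?:..)?"                                   # TCP length prefix, absent on UDP
    rb"..\x81\x80"                                 # any txid; flags QR RD RA, RCODE 0
    rb"\x00\x01\x00\x01.{4}"                       # QDCOUNT 1, ANCOUNT 1, NS/AR ignored
    rb"\x07version\x04bind\x00\x00\x10\x00\x03"    # question: version.bind TXT CH
    rb"\xc0\x0c\x00\x10\x00\x03.{4}.."             # answer: ptr, TXT, CH, TTL, RDLENGTH
    rb"(.)(.*)$",                                  # TXT length byte, then the banner
    re.DOTALL,
)
# Any response whose flag bytes say "this is a DNS reply" (RCODE 0-15).
DNS_REPLY_RE = re.compile(rb"^(?:..)?..\x81[\x80-\x8f]", re.DOTALL)

def classify(data: bytes):
    """('domain', banner) for a version.bind TXT reply, ('domain', None) as a
    soft match for a bare RCODE reply, None if this is not a DNS response."""
    m = VERSION_BIND_RE.match(data)
    if m:
        n, txt = m.group(1)[0], m.group(2)
        return ("domain", txt[:n].decode("ascii", errors="replace"))
    if DNS_REPLY_RE.match(data):
        return ("domain", None)
    return None

def describe(data: bytes) -> str:
    """Echo the banner even when it matches no known product (jhart-r7's point)."""
    hit = classify(data)
    if hit is None:
        return "unknown"
    return "domain" if hit[1] is None else f"domain (version.bind: {hit[1]!r})"
```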