nmap PR #977: Version detection: version.bind / fallbacks
The goal of this PR is to use data from a Project Sonar Internet-wide survey of DNS responses to a version.bind query on both TCP and UDP to improve Nmap's version detection coverage. As part of this effort a couple of quality and consistency issues were addressed. Full disclosure: I work on the Rapid7 team that runs Project Sonar.
Note: Core version detection fallback logic was changed.
The DNS query response packets over TCP and UDP differ by only one field: the TCP version contains a two-byte length field at the start of the response data. This means that we can use the same match lines for both probes if the regex is constructed with this in mind, and fingerprint fallbacks work cross-protocol. This PR implements cross-protocol fallbacks by making changes to AllProbes::getProbeByName, which is only used in the fallback process. This should not break any existing functionality since fallbacks are currently only used to fall back to
Prior to the above, match lines were implemented separately in the TCP and UDP DNSVersionBindReq probe sections. Given the organic growth of these sections over time, they were inconsistent in coverage and had many match quality issues. Many of the fingerprints could never have fired due to over-broad fingerprints that occurred earlier in the match process. Additionally, there were many fingerprints that generically matched a DNS query response but had no service-specific data in the regex.
To address this I have:
- version.bind match lines to the UDP DNSVersionBindReq probe section
- TCP DNSVersionBindReqTCP and configured it to fall back to UDP DNSVersionBindReq
Match lines for this response should now only occur in one section, simplifying maintenance. I have made similar but very limited changes to the UDP and TCP
version.bind query on both TCP and UDP. The new match lines have been grouped by product/OS where possible and roughly ordered by occurrence on the public Internet. We will be publishing some of the metrics in the near future.
I've tossed some notes on cloning the repo and PR, as well as building Nmap, here:
Example output - No match
Custom version.bind response of
A "not implemented" response, which has been softmatched in order to give other probes/match lines the opportunity to determine more information about the service. There are similar ones for Format Error, Server Fail, etc. responses.
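The three mechanics the PR description relies on (one regex covering both the UDP reply and its TCP form with the two-byte length prefix, first-match-wins ordering that lets an over-broad line shadow a specific one, and softmatching a "not implemented" reply) are shown below in an added example. This is not code from the nmap project or from the PR: it uses Python's re module in place of nmap-service-probes match lines, constructs its own sample responses, and assumes a probe transaction ID of 0x0006 and product strings (ISC BIND, dnsmasq) chosen here for illustration.

```python
"""Cross-transport matching of DNS version.bind responses (added example).

Not code from nmap or the PR: it rebuilds the situation described there with
Python's re module instead of nmap-service-probes match lines. All sample
responses below are constructed in this file.
"""
import re
import struct

TXID = 0x0006  # assumed: transaction ID sent in the probe and echoed by the server


def build_version_bind_response(version, rcode=0, txid=TXID):
    """Constructed sample of a server's reply to a CH TXT version.bind query.

    rcode 0 carries one TXT answer; any other rcode (4 = NOTIMP, 5 = REFUSED)
    carries only the echoed question, as servers that decline the query do.
    """
    flags = 0x8180 | (rcode & 0x0F)                       # QR, RD, RA, rcode
    question = b"\x07version\x04bind\x00" + struct.pack("!HH", 16, 3)  # TXT, CH
    if rcode != 0:
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    txt = bytes([len(version)]) + version.encode()
    # name is a pointer to the question name (0xc00c); TTL 0; RDATA = one TXT string
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 3, 0, len(txt)) + txt
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer


def tcp_frame(msg):
    """The same message as carried over TCP: a two-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


# Bytes every successful reply to this probe shares. The optional leading pair
# absorbs the TCP length prefix, so one pattern serves both transports.
_TXT_ANSWER = (
    rb"^(?:..)?\x00\x06\x81\x80"                  # txid, flags: QR|RD|RA, rcode 0
    rb"\x00\x01\x00\x01\x00\x00\x00\x00"          # 1 question, 1 answer
    rb"\x07version\x04bind\x00\x00\x10\x00\x03"   # question: version.bind TXT CH
    rb"\xc0\x0c\x00\x10\x00\x03"                  # answer: name ptr, TXT, CH
    rb"....\x00.."                                # any TTL, rdlength < 256, TXT length
)

# Ordered like match lines in a probe section: the first pattern that matches
# wins, so product-specific lines must precede the generic catch-all. Product
# strings are constructed here, not copied from nmap-service-probes.
MATCH_LINES = [
    ("domain", "ISC BIND", re.compile(_TXT_ANSWER + rb"(9\.[^\x00]+)$", re.DOTALL)),
    ("domain", "dnsmasq", re.compile(_TXT_ANSWER + rb"dnsmasq-([\d.]+)$", re.DOTALL)),
    ("domain", None, re.compile(_TXT_ANSWER + rb"(.+)$", re.DOTALL)),  # no product data
]

# NOTIMP/REFUSED with no answer section identifies a DNS server but nothing
# more, so it is only a softmatch and later probes may still refine it.
SOFTMATCH_LINE = re.compile(
    rb"^(?:..)?\x00\x06\x81[\x84\x85]\x00\x01\x00\x00\x00\x00\x00\x00"
    rb"\x07version\x04bind\x00\x00\x10\x00\x03$", re.DOTALL)


def classify(msg, lines=MATCH_LINES):
    """Return ("match", service, product, version) for the first matching line,
    ("softmatch", "domain", None, None) for a declined query, or None."""
    for service, product, pattern in lines:
        m = pattern.match(msg)
        if m:
            return ("match", service, product, m.group(1).decode("latin-1"))
    if SOFTMATCH_LINE.match(msg):
        return ("softmatch", "domain", None, None)
    return None


if __name__ == "__main__":
    reply = build_version_bind_response("9.16.1-Ubuntu")
    print(classify(reply))              # UDP form
    print(classify(tcp_frame(reply)))   # TCP form, matched by the same pattern
    print(classify(build_version_bind_response("", rcode=4)))  # softmatch only
    # Putting the generic line first hides the product-specific ones:
    print(classify(reply, lines=list(reversed(MATCH_LINES))))
```

Running classify on the same reply with MATCH_LINES reversed returns the generic entry with product None, which is the shadowing problem the description attributes to over-broad fingerprints placed early in a section. One caveat of the `(?:..)?` prefix: it accepts any two leading bytes, not only a length field equal to the remaining size, so a regex alone cannot tell the transports apart; the cross-protocol check here rests on the fixed transaction ID and header bytes that follow.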