Sometimes nmap just won't give you good results with -sV; a good example of this is trying to get versions of domain name servers.
SegFault:~/fpdns-0.9.1 cg$ nmap -sV 24.93.41.125 -p 53
Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-04 13:54 MST
Interesting ports on dns-cac-lb-01.texas.rr.com (24.93.41.125):
PORT STATE SERVICE VERSION
53/tcp open domain
SegFault:~/fpdns-0.9.1 cg$ nmap -sV 24.93.41.126 -p 53
Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-04 13:55 MST
Interesting ports on dns-cac-lb-02.texas.rr.com (24.93.41.126):
PORT STATE SERVICE VERSION
53/tcp filtered domain
That's no good :-(
Let's see if we can get better results using "fpdns" http://www.rfc.se/fpdns
SegFault:~/fpdns-0.9.1 cg$ ./fpdns.pl 24.93.41.125
fingerprint (24.93.41.125, 24.93.41.125): BIND 9.2.3rc1 -- 9.4.0a0 [recursion enabled]
SegFault:~/fpdns-0.9.1 cg$ ./fpdns.pl 24.93.41.126
fingerprint (24.93.41.126, 24.93.41.126): BIND 9.2.3rc1 -- 9.4.0a0 [recursion enabled]
SegFault:~/fpdns-0.9.1 cg$ ./fpdns.pl www.learnsecurityonline.com
fingerprint (www.learnsecurityonline.com, 216.83.24.173): BIND 9.2.3rc1 -- 9.4.0a0 [recursion enabled]
SegFault:~/fpdns-0.9.1 cg$ ./fpdns.pl 192.168.0.109
fingerprint (192.168.0.109, 192.168.0.109): Microsoft Windows 2003
SegFault:~/fpdns-0.9.1 cg$ ./fpdns.pl 192.168.0.104
fingerprint (192.168.0.104, 192.168.0.104): Microsoft Windows 2000
I have mixed feelings on how accurate this is; I think it hasn't been updated in a while and perhaps BIND 9.2.3rc1 -- 9.4.0a0 is the last fingerprint they had for BIND. The current version is 9.4.1.
I was a bit disheartened by it, then I found this survey from 2004 that said that BIND has 70% of the DNS market. That's quite a bit, so my limited testing of about 50 sites that all came up as BIND 9.2.3rc1 -- 9.4.0a0 is probably right.
**I checked the file: BIND 9.2.3rc1 -- 9.4.0a0 is the latest fingerprint and there are several ways you can get that as a result, so that probably explains why I kept getting that answer. The jury is still out on the effectiveness and I'm not sure I am motivated enough to install some of these crazy DNS servers just to check. If someone knows of some sites running some obscure DNS, let me know so I can scan it and check.
-CG
$ dig @learnsecurityonline.com version.bind chaos txt | grep vers
; <<>> DiG 9.3.0 <<>> @learnsecurityonline.com version.bind chaos txt
;version.bind. CH TXT
version.bind. 0 CH TXT "9.3.1"
version.bind. 0 CH NS version.bind.
Cool, thanks for the comment.
This is what I get when I run that:
SegFault:~/sqlninja-0.1.2 cg$ dig @learnsecurityonline.com version.bind chaos txt | grep vers
; <<>> DiG 9.3.4 <<>> @learnsecurityonline.com version.bind chaos txt
;version.bind. CH TXT
version.bind. 0 CH TXT "Surely, you jest..."
version.bind. 0 CH NS version.bind.
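As an added example (not part of the original post or either comment), here is a small Python script that builds the same version.bind CHAOS TXT query that dig sends, parses the reply, and exercises the parser against constructed sample packets: one answering with a real-looking version, one answering with an operator-chosen string like the "Surely, you jest..." above, and one refusing the query. The sample packets are built in the script, not captured from any real server; only query_version() touches the network, and it is not run by default.

```python
import random
import socket
import struct

TYPE_TXT, TYPE_NS, CLASS_CH = 16, 2, 3


def _encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_version_query(txid=0x1234):
    """The query `dig version.bind chaos txt` sends: 12-byte header with one
    question, name version.bind, type TXT (16), class CHAOS (3), no flags set."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + _encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CH)


def _read_name(buf, off):
    """Read a (possibly compressed) name; return (name, offset after the name
    as it appears in the packet). Pointer loops are rejected."""
    labels, end, jumps = [], None, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            jumps += 1
            if jumps > 10:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_version_response(buf, expected_txid=None):
    """Return {'rcode': int, 'txt': [strings]} from a DNS reply; only TXT/CH
    answers are collected, so a REFUSED reply yields an empty list."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch (reply not for our query)")
    off = 12
    for _ in range(qd):                     # skip echoed question(s)
        _, off = _read_name(buf, off)
        off += 4
    strings = []
    for _ in range(an):
        _, off = _read_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata, off = buf[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            i = 0
            while i < len(rdata):           # TXT rdata: <len><chars>...
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return {"rcode": flags & 0x000F, "txt": strings}


def build_sample_response(txid, version_string, rcode=0):
    """Constructed reply (not a capture): echoes the question, then, if rcode is
    0, one TXT/CH answer and an NS/CH authority record, both using a pointer
    (0xC00C) back to the question name at offset 12, as real servers do."""
    flags = 0x8400 | rcode                  # QR=1, AA=1
    question = _encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CH)
    if rcode != 0:
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    rdata = bytes([len(version_string)]) + version_string.encode()
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    authority = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_NS, CLASS_CH, 0, 2) + b"\xc0\x0c"
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 1, 0) + question + answer + authority


def query_version(server, port=53, timeout=3.0):
    """Live equivalent of `dig @server version.bind chaos txt` over UDP.
    Returns the parsed dict, or None if the server does not answer."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(txid), (server, port))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_version_response(data, expected_txid=txid)


if __name__ == "__main__":
    import sys
    # Usage: python version_bind.py <your-resolver-ip>
    print(query_version(sys.argv[1]) if len(sys.argv) > 1 else
          parse_version_response(build_sample_response(1, "Surely, you jest...")))
```

The third sample (rcode 5, REFUSED, no answer section) is the shape you get from a server that declines CHAOS queries outright; the parser reports the rcode and an empty list instead of failing. In BIND the returned string is set with `version "...";` inside `options { }` in named.conf, which is how the "Surely, you jest..." reply above was produced; running this query against your own resolvers is the quick way to confirm the setting actually took.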
dig versions???