Subject: Re: Service probe for Cross Match Verifier E fingerprint capture device (need help!) - msg#00067
List: security.nmap.devel
On Thu, Dec 23, 2004 at 01:09:18AM +0100, Tomás García-Merás wrote:
> http://www.crossmatch.com/products_singlescan_vE.html
> Probe TCP VerifierAdvanced q|Query\r\n|
> ports 1501
> match crossmatchverifier m|^Settings\r\nGain\x20(\d+)\r\nContrast\x20(\d+)\r\nTime\x20(\d+)\r\nIllumination\x20(\d+)\r\nProcessed\r\n$| v/Cross Match Technologies Verifier fingerprint capture advanced control port///
Seems OK to me (anyway, you could substitute "\x20" with " ") but you
are true that the version string is a bit too long. Regarding those
numbers in match ... could we get the version from it?
However, there are often some TCP ports that do not respond to any
"common" probes and every new specialized probe would slow down the
scan for another 5s which is probably unacceptable trade off
for now. It will probably make it to the end of nmap-service-probes in
a commented out form now (like WWWOFFLEctrlstat Probe) until some
port-related optimization kicks in (like "do not send rare probes to
non-default ports" or "send general probes only" or similar...)
That is just my comment, Fyodor has the final word on it.
> ***********************************************
>
> The procedure for an application is to open a TCP/IP socket to port 1500
> and send the following (ASCII Text):
>
> Subscribe
>
> followed by a LF character. This can optionally be followed by a
> "Liftquery" command if the application needs finger sensor notification
> events.
>
> From this point on the unit will send one of 3 messages: "Idle",
> "Notify" or, optionally, "Lift".
>
> ***********************************************
> ***********************************************
>
> If you don't have a fingerprint the device returns an "Idle"; if a new
> fingerprint image is available it returns "Notify"; and "Lift" if the
> finger sensor detects that finger has been removed from the platen (this
> is only sent by the device if the "Liftquery" command was previously sent).
>
> By now, I'm trying with the following probe:
>
> Probe TCP Verifier q|Subscribe\r\n|
Shouldn't it be "Subscribe\n" only?
> ports 1500
> match crossmatchverifier m|^Idle\r\n$| v/Cross Match Technologies Verifier fingerprint capture control port///
My incompetent guess - are you sure with "\r\n" after the Idle string?
Maybe the CR is redundant? Any other character (e.g. blank) there?
Anyway, shouldn't we expect "Notify" too? If so, use "(Idle|Notify)"
instead of "Idle" for that.
> But the device does not return any data. If I telnet the device to the
> port 1500 and type "Subscribe" the device answers normally with "Idle"...
OK, since you have tested it with telnet, you probably verified that
it acts upon CR+LF line endings too ... You should try
$ echo -en "Subscribe\n" | nc -vvv target 1500
to verify that LF is enough to get a response. Try also
$ echo -en "Subscribe\n" | nc -vvv target 1500 | xxd
to get all the bytes from the response. You could do the same with
adding this Probe to nmap-service-probes but without the match (and
running -sV).
Martin Mačok
IT Security Consultant
---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help@xxxxxxxxxxxx . List archive: http://seclists.org
Previous Message by Date:
Service probe for Cross Match Verifier E fingerprint capture device (need help!)
I'm trying to do the service probes for the two control ports found on
the Cross Match Verifier E fingerprint capture device (
http://www.crossmatch.com/products_singlescan_vE.html ).
I previously submitted a service fingerprint for the Advanced Control
Port (always the port 1501) (I assume that it's the fingerprint
currently on nmap), it works fine with the older Cross Match software
(Release R1.2.0), but with the newer version (tested with Release
R3.0.0) the device does not return data to the "Probe TCP GenericLines",
so I've made a new probe:
Probe TCP VerifierAdvanced q|Query\r\n|
ports 1501
match crossmatchverifier m|^Settings\r\nGain\x20(\d+)\r\nContrast\x20(\d+)\r\nTime\x20(\d+)\r\nIllumination\x20(\d+)\r\nProcessed\r\n$| v/Cross Match Technologies Verifier fingerprint capture advanced control port///
It now works fine (although the "Cross Match Technologies Verifier
fingerprint capture advanced control port" string is too long!). I can
not test it with the older software since I currently have not any old
device, and you can not downgrade nor upgrade the device's software.
What I need help is for doing a service probe for the second port (the
Standard Control Port: 1500); From the device's manual the protocol is:
***********************************************
***********************************************
The procedure for an application is to open a TCP/IP socket to port 1500
and send the following (ASCII Text):
Subscribe
followed by a LF character. This can optionally be followed by a
"Liftquery" command if the application needs finger sensor notification
events.
From this point on the unit will send one of 3 messages: "Idle",
"Notify" or, optionally, "Lift".
***********************************************
***********************************************
If you don't have a fingerprint the device returns an "Idle"; if a new
fingerprint image is available it returns "Notify"; and "Lift" if the
finger sensor detects that finger has been removed from the platen (this
is only sent by the device if the "Liftquery" command was previously sent).
By now, I'm trying with the following probe:
Probe TCP Verifier q|Subscribe\r\n|
ports 1500
match crossmatchverifier m|^Idle\r\n$| v/Cross Match Technologies Verifier fingerprint capture control port///
But the device does not return any data. If I telnet the device to the
port 1500 and type "Subscribe" the device answers normally with "Idle"...
Any ideas on what I am doing wrong? TIA.
Best Regards: Tomas Garcia-Meras
Next Message by Date:
Re: Service probe for Cross Match Verifier E fingerprint capture device (need help!)
> Seems OK to me (anyway, you could substitute "\x20" with " ")
> but you are true that the version string is a bit too long.
> Regarding those numbers in match ... could we get the version
> from it?
The numbers are just the fingerprint image quality settings, nothing
about the version.
Anyway, I've found the problem with the second port (the "standard"
control port: 1500), it needs a higher "totalwaitms". Now, the complete
probes + matches should be like that (using the service name you suggested):
# Cross Match Verifier E TCP/IP fingerprint reader
# http://www.crossmatch.com/products_singlescan_vE.html
# The device runs an embedded Linux
Probe TCP Verifier q|Subscribe\n|
ports 1500
totalwaitms 11000
match crossmatchverifier m/^(Idle|Notify)\r\n$/ v/Cross Match Verifier E fingerprint control///
Probe TCP VerifierAdvanced q|Query\n|
ports 1501
match crossmatchverifier m|^Settings\r\nGain\x20(\d+)\r\nContrast\x20(\d+)\r\nTime\x20(\d+)\r\nIllumination\x20(\d+)\r\nProcessed\r\n$| v/Cross Match Verifier E fingerprint advanced control///
With "totalwaitms 10000" it works most of the times, I've added another
second for security.
> However, there are often some TCP ports that do not respond
> to any "common" probes and every new specialized probe would
> slow down the scan for another 5s which is probably
> unacceptable trade off for now. It will probably make it to
> the end of nmap-service-probes in a commented out form now
> (like WWWOFFLEctrlstat Probe) until some port-related
> optimization kicks in (like "do not send rare probes to
> non-default ports" or "send general probes only" or
> similar...)
Now, having a probe with "totalwaitms 11000" I agree with you that it
will slow down the scan too much, but having it commented out would be
nice, for documentation purposes at least.
> Shouldn't it be "Subscribe\n" only?
Yesss
> Anyway, shouldn't we expect "Notify" too? If so, use
> "(Idle|Notify)" instead of "Idle" for that.
Again, yes, I was using just "Idle" for testing...
Since we've changed the service name we should change also the one
already on nmap-service-probes:
From:
match crossmatchverifier m|^Idle\r\n$| v/Cross Match Technologies Verifier fingerprint capture control port///
To:
match crossmatchverifier m|^Idle\r\n$| v/Cross Match Verifier E fingerprint control///
Do I need to post a diff file or this is enough?
That's all!! Thanks a lot for helping. Best regards: Tomas
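
Added example (not part of the original thread, and not Nmap or Cross Match code): a local stand-in for the port-1500 service that answers slowly, probed once with a short wait and once with a long one, to show why the probe saw no data until "totalwaitms" was raised. The mock's behaviour, the delays (scaled down to fractions of a second) and the names mock_verifier and probe are assumptions.

```python
import re
import socket
import threading
import time

# Final match pattern from the thread, as a bytes regex.
MATCH = rb"^(Idle|Notify)\r\n$"

def mock_verifier(delay_s):
    """Constructed stand-in for the port-1500 service: replies 'Idle\\r\\n'
    to 'Subscribe' delay_s seconds after receiving it. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            if conn.recv(64).strip() == b"Subscribe":
                time.sleep(delay_s)      # assumed slow first answer
                try:
                    conn.sendall(b"Idle\r\n")
                except OSError:
                    pass                 # the prober already gave up

    threading.Thread(target=serve, daemon=True).start()
    return port

def probe(port, payload, wait_ms, pattern=MATCH):
    """Send payload, read for at most wait_ms, return (raw bytes, match)."""
    deadline = time.monotonic() + wait_ms / 1000
    data = b""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        s.sendall(payload)
        while not re.search(pattern, data):
            left = deadline - time.monotonic()
            if left <= 0:
                break
            s.settimeout(left)
            try:
                chunk = s.recv(4096)
            except OSError:              # timed out or connection reset
                break
            if not chunk:
                break
            data += chunk
    return data, re.search(pattern, data)

if __name__ == "__main__":
    for wait_ms in (200, 2000):          # too short, then long enough
        raw, m = probe(mock_verifier(0.6), b"Subscribe\n", wait_ms)
        print(wait_ms, raw, "match" if m else "no match")
```

The raw bytes returned by probe() are the same information the "nc ... | xxd" check above gives, so an empty result with a short wait points at timing rather than at the match pattern.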