Nmap Development mailing list archives

April 2010 service detection highlights


From: David Fifield <david () bamsoftware com>
Date: Sat, 8 May 2010 07:41:22 -0600

Here are highlights from the latest round of service submissions and
corrections, from December 2009 to April 2010. There were 764
submissions and 7 corrections. Only 7 corrections is disconcerting. Make
sure you visit http://insecure.org/cgi-bin/submit.cgi?corr-service when
you know that Nmap is wrong.

match bitcoin m|^\xf9\xbe\xb4\xd9version\0\0\0\0\0Q\0\0\0\xc8\0\0\0\x01\0\0\0\0\0\0\0.\xbe\xa8K\0\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xff\xff\[y\0\xa8\xeb.\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xff\xff\x5e\x17\x1a\x8c\x20\x8d........\0$| p/Bitcoin digital currency server/ v/0.2.0/
        An open-source digital currency scheme.
        http://www.bitcoin.org/

match lanrev-agent m|^\x01\0\0\x03\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01| p/LANRev remote administration/ i/**BACKDOOR**/
        This is the remote administration backdoor that was installed on
        the laptops of the Lower Merion School District, which notably
        took secret webcam pictures of students. There is some analysis
        of the software here:
        http://strydehax.blogspot.com/2010/02/spy-at-harrington-high.html

match meterpreter m|^\0.\x0b\0MZ\xe8\0\0\0\0\x5b\x52\x45\x55\x89\xe5\x81\xc3..\0\0\xff\xd3\x89\xc3Wh\x04\0\0\0P\xff\xd0h\xf0\xb5\xa2Vh\x05\0\0\0P\xff\xd3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xe0\0\0\0\x0e\x1f\xba\x0e\0\xb4\t\xcd!\xb8\x01L\xcd!This program cannot be run in DOS mode\.\r\r\n\$\0\0\0\0\0\0\0| p/Metasploit meterpreter/ i/**BACKDOOR**/
        Metasploit meterpreter. I'm not sure about this one though,
        because it doesn't match what I saw when I tried running the
        metsvc server locally. (What I saw seemed to follow the TLV
        format of http://www.metasploit.com/documents/meterpreter.pdf.)
        This one looks like a DOS executable preceded by two 16-bit
        fields.

match time m|^[\xca-\xd7]...$|s i/32 bits/
match time m|^[\xca-\xd7]....\0\0\0$|s i/64 bits/
        I updated the time match, because the time is now past the
        previous limit that was sent. The limits were
        # 0xCA000000 = Thu May 24 14:13:52 2007
        # 0xCEFFFFFF = Tue Jan 19 10:55:11 2010
        and they are now
        # 0xCA000000 = Thu May 24 14:13:52 2007
        # 0xD7FFFFFF = Sat Nov  1 18:57:35 2014

match bittorrent-utp m|^r\xfe\x1d\x13\0\0\0\0\0\0\0\0\0\0\0\0\xff\0\x03....$|s p/uTorrent uTP/ o/Windows/
# Seems to be a bug here, with a time_t timestamp (0x4B......, ca. Dec 2009) instead of a microsecond count.
match bittorrent-utp m|^r\xfe\x1d\x13........\x7f\xff\xff\xff\xff\x02\x02..\0\x01\0\x08\0\0\0\0\0\0\0\0$|s
        This is a UDP-based BitTorrent protocol used by μTorrent. I
        couldn't find much documentation about it.
        http://bittorrent.org/beps/bep_0029.html

match eve-online m|^7\0\0\0~\0\0\0\0\x14\x06\x04\xe8\x99\x02\0\x05\xeb\0\x04\xdf\x92\0\0\n\xd7\xa3p=\n\xd7\x18@\x04\x95\xf1\x01\0\x13\x13EVE-EVE-RELEASE@ccp$| p/EVE Online game server/
match frozen-bubble m|^FB/([\d.]+) PUSH: SERVER_READY ([\w._-]+) (\w+)\n| p/Frozen Bubble game server/ v/$1/ h/$2/ i/language: $3/
match lineage-ii m|^\x03\0\x84$| p/l2emurt Lineage II game server/
        Here are a few video game servers.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
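The `match time` lines in the post only look at the first byte of an RFC 868 reply (a 32-bit big-endian count of seconds since 1900-01-01 UTC), so the accepted window is a pair of limits that have to be pushed forward every few years. The script below is an added example, not code from the post or from Nmap: it converts the byte limits quoted above to dates, recomputes the first-byte class for any date range so the line can be regenerated when the window expires, and runs constructed (not captured) responses through the same two regexes. It reports UTC, whereas the dates in the post are `ctime`-style output in the local time of whoever computed them, so the hours differ (0xD7FFFFFF is Sat Nov 1 18:57:35 2014 in UTC-6, i.e. Nov 2 00:57:35 UTC).

```python
r"""Derive and check the first-byte window behind the two `match time` lines.

RFC 868 time servers reply with a 32-bit big-endian count of seconds since
1900-01-01 00:00:00 UTC. The `match time` lines key on the first byte only
([\xca-\xd7]), so the accepted window is bounded by two 24-bit-aligned
timestamps. Added example; assumes RFC 868 semantics for the `time` service.
"""
import re
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# RFC 868 counts from 1900, Unix from 1970; the well-known 2208988800-second
# offset falls out of the datetime arithmetic instead of being hard-coded.
RFC868_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# The two patterns from the post, byte for byte; re.DOTALL mirrors Nmap's /s.
TIME32 = re.compile(rb"^[\xca-\xd7]...$", re.DOTALL)
TIME64 = re.compile(rb"^[\xca-\xd7]....\0\0\0$", re.DOTALL)


def rfc868_to_datetime(value: int) -> datetime:
    """Seconds since 1900 -> aware UTC datetime."""
    return RFC868_EPOCH + timedelta(seconds=value)


def datetime_to_rfc868(when: datetime) -> int:
    """Aware datetime -> seconds since 1900 (the value a time server sends)."""
    return int((when - RFC868_EPOCH).total_seconds())


def window_dates(lo: int, hi: int) -> Tuple[datetime, datetime]:
    """Earliest and latest timestamps accepted by a first-byte class [lo-hi]."""
    return rfc868_to_datetime(lo << 24), rfc868_to_datetime((hi << 24) | 0xFFFFFF)


def first_byte_window(start: datetime, end: datetime) -> Tuple[int, int]:
    """Smallest first-byte class whose window covers [start, end]."""
    return datetime_to_rfc868(start) >> 24, datetime_to_rfc868(end) >> 24


def build_time32_regex(lo: int, hi: int) -> bytes:
    """Render the 32-bit `match time` regex text for a first-byte window."""
    return b"^[\\x%02x-\\x%02x]...$" % (lo, hi)


def classify(response: bytes) -> Optional[str]:
    """Apply the two match lines, in file order, to a raw response."""
    if TIME32.match(response):
        return "time/32 bits"
    if TIME64.match(response):
        return "time/64 bits"
    return None


if __name__ == "__main__":
    # The three limits quoted in the post, rendered in UTC.
    for limit in (0xCA000000, 0xCEFFFFFF, 0xD7FFFFFF):
        stamp = rfc868_to_datetime(limit).strftime("%a %b %d %H:%M:%S %Y UTC")
        print("0x%08X = %s" % (limit, stamp))
    # Regenerate the line so that it covers through the start of 2020.
    lo, hi = first_byte_window(rfc868_to_datetime(0xCA000000),
                               datetime(2020, 1, 1, tzinfo=timezone.utc))
    print("match time m|%s|s i/32 bits/" % build_time32_regex(lo, hi).decode())
    # Constructed responses, not captured traffic.
    print(classify(struct.pack(">I", 0xCA000000)))          # time/32 bits
    print(classify(b"\xd0\x00\x00\x00\x05\x00\x00\x00"))    # time/64 bits
    print(classify(struct.pack(">I", 0xD8000000)))          # None: past the window
```

Because the class only covers the top byte, each step of the window is 2^24 seconds (about 194 days), which is why the limits in the post always land on `..000000` and `..FFFFFF`; `first_byte_window` rounds the same way, so a freshly generated line matches the style of the existing one.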