Nmap Development mailing list archives
April 2010 service detection highlights
From: David Fifield <david () bamsoftware com>
Date: Sat, 8 May 2010 07:41:22 -0600
Here are highlights from the latest round of service submissions and corrections, from December 2009 to April 2010. There were 764 submissions and 7 corrections. Only 7 corrections is disconcerting. Make sure you visit http://insecure.org/cgi-bin/submit.cgi?corr-service when you know that Nmap is wrong.

match bitcoin m|^\xf9\xbe\xb4\xd9version\0\0\0\0\0Q\0\0\0\xc8\0\0\0\x01\0\0\0\0\0\0\0.\xbe\xa8K\0\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xff\xff\[y\0\xa8\xeb.\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xff\xff\x5e\x17\x1a\x8c\x20\x8d........\0$| p/Bitcoin digital currency server/ v/0.2.0/

An open-source digital currency scheme. http://www.bitcoin.org/

match lanrev-agent m|^\x01\0\0\x03\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01| p/LANRev remote administration/ i/**BACKDOOR**/

This is the remote administration backdoor that was installed on the laptops of the Lower Merion School District, which notably took secret webcam pictures of students. There is some analysis of the software here: http://strydehax.blogspot.com/2010/02/spy-at-harrington-high.html

match meterpreter m|^\0.\x0b\0MZ\xe8\0\0\0\0\x5b\x52\x45\x55\x89\xe5\x81\xc3..\0\0\xff\xd3\x89\xc3Wh\x04\0\0\0P\xff\xd0h\xf0\xb5\xa2Vh\x05\0\0\0P\xff\xd3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xe0\0\0\0\x0e\x1f\xba\x0e\0\xb4\t\xcd!\xb8\x01L\xcd!This program cannot be run in DOS mode\.\r\r\n\$\0\0\0\0\0\0\0| p/Metasploit meterpreter/ i/**BACKDOOR**/

Metasploit meterpreter. I'm not sure about this one though, because it doesn't match what I saw when I tried running the metsvc server locally. (What I saw seemed to follow the TLV format of http://www.metasploit.com/documents/meterpreter.pdf.) This one looks like a DOS executable preceded by two 16-bit fields.

match time m|^[\xca-\xd7]...$|s i/32 bits/
match time m|^[\xca-\xd7]....\0\0\0$|s i/64 bits/

I updated the time match, because the time is now past the previous limit that was sent. The limits were

# 0xCA000000 = Thu May 24 14:13:52 2007
# 0xCEFFFFFF = Tue Jan 19 10:55:11 2010

and they are now

# 0xCA000000 = Thu May 24 14:13:52 2007
# 0xD7FFFFFF = Sat Nov  1 18:57:35 2014

match bittorrent-utp m|^r\xfe\x1d\x13\0\0\0\0\0\0\0\0\0\0\0\0\xff\0\x03....$|s p/uTorrent uTP/ o/Windows/
# Seems to be a bug here, with a time_t timestamp (0x4B......, ca. Dec 2009) instead of a microsecond count.
match bittorrent-utp m|^r\xfe\x1d\x13........\x7f\xff\xff\xff\xff\x02\x02..\0\x01\0\x08\0\0\0\0\0\0\0\0$|s

This is a UDP-based BitTorrent protocol used by μTorrent. I couldn't find much documentation about it. http://bittorrent.org/beps/bep_0029.html

match eve-online m|^7\0\0\0~\0\0\0\0\x14\x06\x04\xe8\x99\x02\0\x05\xeb\0\x04\xdf\x92\0\0\n\xd7\xa3p=\n\xd7\x18@\x04\x95\xf1\x01\0\x13\x13EVE-EVE-RELEASE@ccp$| p/EVE Online game server/
match frozen-bubble m|^FB/([\d.]+) PUSH: SERVER_READY ([\w._-]+) (\w+)\n| p/Frozen Bubble game server/ v/$1/ h/$2/ i/language: $3/
match lineage-ii m|^\x03\0\x84$| p/l2emurt Lineage II game server/

Here are a few video game servers.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
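Worked example (added by the editor; not part of David's mail and not Nmap's own code): a small Python evaluator for the nmap-service-probes match-line syntax quoted in the mail (m|regex|flags followed by p/ v/ i/ h/ o/ d/ fields with $1..$9 substitution), run against constructed responses, plus an RFC 868 decoder that turns the first-byte range of the time match into the date window it covers. The match lines are copied from the mail; the Frozen Bubble banner and hostname are made up, and decoding only the first four bytes of the 8-byte reply matched by the "64 bits" line is an assumption. Dates come out in UTC, whereas the limits quoted in the mail are local times.

```python
"""Added example, not Nmap's code: a minimal evaluator for nmap-service-probes
'match' lines, run over constructed responses, and an RFC 868 decoder that
shows the window covered by the time match.  Banners and hostnames are made up."""
import re
import struct
from datetime import datetime, timedelta, timezone

# Perl regex flags Nmap accepts after the closing delimiter, mapped to Python.
_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL}

# Match lines copied verbatim from the mail.
MATCH_LINES = [
    r"match time m|^[\xca-\xd7]...$|s i/32 bits/",
    r"match time m|^[\xca-\xd7]....\0\0\0$|s i/64 bits/",
    r"match frozen-bubble m|^FB/([\d.]+) PUSH: SERVER_READY ([\w._-]+) (\w+)\n| "
    r"p/Frozen Bubble game server/ v/$1/ h/$2/ i/language: $3/",
]

# match|softmatch <service> m<delim><regex><delim><flags> <version fields>
_LINE_RE = re.compile(r"^(match|softmatch)\s+(\S+)\s+m(.)(.*?)\3([is]*)\s*(.*)$")
# p/product/ v/version/ i/info/ h/hostname/ o/os/ d/devicetype/
_FIELD_RE = re.compile(r"([pvihod])/([^/]*)/")


def parse_match(line):
    """Split one match line into service, compiled bytes regex and field templates."""
    m = _LINE_RE.match(line)
    if m is None:
        raise ValueError("not a match line: " + line)
    kind, service, _delim, pattern, flags, rest = m.groups()
    py_flags = 0
    for f in flags:
        py_flags |= _FLAGS[f]
    # Service responses are raw bytes, so compile the PCRE text as a bytes pattern.
    regex = re.compile(pattern.encode("latin-1"), py_flags)
    return {"service": service, "soft": kind == "softmatch",
            "regex": regex, "fields": dict(_FIELD_RE.findall(rest))}


def _expand(template, groups):
    """Replace $1..$9 in a version field with the regex capture groups."""
    def repl(m):
        g = groups[int(m.group(1)) - 1]
        return "" if g is None else g.decode("latin-1")
    return re.sub(r"\$(\d)", repl, template)


def fingerprint(entries, response):
    """Return (service, expanded fields) for the first entry matching the response, else None."""
    for e in entries:
        m = e["regex"].search(response)
        if m:
            return e["service"], {k: _expand(v, m.groups()) for k, v in e["fields"].items()}
    return None


# RFC 868 time protocol: 32-bit big-endian seconds since 1900-01-01 00:00:00 UTC.
_RFC868_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)


def rfc868_to_datetime(reply):
    """Decode the leading 32-bit counter of a time reply (assumption: the 8-byte
    form matched by the '64 bits' line carries the seconds in its first four bytes too)."""
    (secs,) = struct.unpack("!I", reply[:4])
    return _RFC868_EPOCH + timedelta(seconds=secs)


def time_match_window(first_lo, first_hi):
    """UTC interval accepted by a time match whose first byte lies in [first_lo, first_hi]:
    the earliest value has the low bytes all zero, the latest has them all 0xff."""
    lo = rfc868_to_datetime(bytes([first_lo, 0, 0, 0]))
    hi = rfc868_to_datetime(bytes([first_hi, 0xFF, 0xFF, 0xFF]))
    return lo, hi


if __name__ == "__main__":
    entries = [parse_match(line) for line in MATCH_LINES]
    # Constructed responses, not captured traffic.
    banner = b"FB/1.2.0 PUSH: SERVER_READY fb.example.net en\n"
    print(fingerprint(entries, banner))
    reply = struct.pack("!I", 0xD7FFFFFF)
    print(fingerprint(entries, reply), rfc868_to_datetime(reply).isoformat())
    # The old range [\xca-\xce] ran out in January 2010; [\xca-\xd7] lasts until November 2014.
    print(time_match_window(0xCA, 0xCE))
    print(time_match_window(0xCA, 0xD7))
```

The point of `time_match_window` is that a first-byte character class is really a date range: every time the calendar passes the top of the range the match silently stops firing, which is exactly the expiry the mail is fixing.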
Current thread:
- April 2010 service detection highlights David Fifield (May 08)