Nmap Development mailing list archives

Service detection highlights


From: David Fifield <david () bamsoftware com>
Date: Sun, 12 Feb 2012 03:47:01 -0800

I just finished working through a huge backlog of service submissions,
over 2,500 stretching back to November 2010. Here are some interesting
new signatures.

A telnetd with attitude:
match telnet m%^\r\nTelnet connection from [\d.]+:\d+ refused\.\r\n\r\n(?:Knock it off; I'm not lettin' you in\.\.\.|You again\?  Don't make me call the cops\.\.\.|Your IP address has been logged and reported to your ISP\.)\r\n\r\n\nBye bye\.\.\.\r\n% p/SB5100MoD telnetd/ i/Motorola SB5100 WAP/ d/WAP/ cpe:/h:motorola:sb5100/

No CRLFs between header fields means that everything up to \r\n\r\n is
parsed as the reason-phrase.
match http m|^HTTP/1\.0 200 OKContent-Type: text/htmlContent-Length: \d+\r\n\r\nYou have reached Aperio DSC Server running on 0\.0\.0\.0 / \d+\r\n Number of current sessions = \d+\r\n| p/Aperio Digital Slide Conferencing httpd/

Some embedded servers try to hide their provenance, but "inherently
impossible to satisfy" is a giveaway for thttpd.
match http m|^UNKNOWN 400 Bad Request\r\nServer: unknown HTTP server\r\nContent-Type: text/html; charset=iso-8859-1\r\n.*<BODY BGCOLOR=\"#cc9999\" TEXT=\"#000000\" LINK=\"#2020ff\" VLINK=\"#4040cc\">\n<H2>400 Bad Request</H2>\nYour request has bad syntax or is inherently impossible to satisfy\.\n|s p/thttpd/ cpe:/a:acme:thttpd/ i/IDIS surveillance DVR/ d/media device/

Here is a typo that got fixed.
match ssh m|^Could not load hosy key\. Closing connection\.\.\.$| p/Cisco switch sshd/ i/misconfigured/ d/switch/ o/IOS/ cpe:/o:cisco:ios/a
match ssh m|^Could not load host key\. Closing connection\.\.\.$| p/Cisco switch sshd/ i/misconfigured/ d/switch/ o/IOS/ cpe:/o:cisco:ios/a

This nonce is not as random as it could be.
match rtsp m|^RTSP/1\.0 401 Unauthorized\r\nCSeq: 0\r\nDate: .*\r\nExpires: .*\r\nCache-Control: must-revalidate\r\nWWW-Authenticate: Digest realm=\"NET-i\", nonce=\"000000000000000000000000[0-9A-F]{8}\"\r\n\r\n| p/Samsung SNB-2000 webcam rtspd/ d/webcam/ cpe:/h:samsung:snb-2000/

I was excited to see this long book quotation in the submission for this
search engine. But it turns out that the quote is random with each
request, and they removed them in a later release. I added a shorter
signature.
https://github.com/elasticsearch/elasticsearch/commit/f320cf450977ae94e200c85e6a710a9b518966c0#commitcomment-927625
match http m|^HTTP/1\.0 200 OK\r\nAccess-Control-Allow-Origin: \*\r\nContent-Type: application/json; charset=UTF-8\r\nContent-Length: \d+\r\n\r\n{\n  \"ok\" : true,\n  \"name\" : \"Nightmare\",\n  \"version\" : {\n    \"number\" : \"([\w._-]+)\",\n    \"date\" : \"\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d\",\n    \"snapshot_build\" : false\n  },\n  \"tagline\" : \"You Know, for Search\",\n  \"cover\" : \"DON'T PANIC\",\n  \"quote\" : {\n    \"book\" : \"So Long And Thanks for All the Fish\",\n    \"chapter\" : \"Chapter 40\",\n    \"text1\" : \"\\\"So much time,\\\" it groaned, \\\"oh so much time\. And pain as well, so much of that, and so much time to suffer it in too\. One or the other on its own I could probably manage\. It's the two together that really get me down\.\\\"\"\n  }\n}$|

A cute 404 poem, strangely served as 200.
match http m|^HTTP/1\.0 200 OK\nContent-Type: text/html\n\n<head><title>File not found</title></head><h1><tt><font color=red>404 / OOPS!</font></tt></h1>\n<i>'File not found'</i>,<br>\nHow dare they say!<br>\nI am here,<br>\njust out of the way\.<br>\n<br>\nHow was I found\?<br>\nA typo\? A mistake\?<br>\nOr were you snooping\?!<br>\n<br>\nNonetheless, we meet at last\.<br>\nI am found - hip hip hooray!<br>\nNevermore can they say:<br>\n<i>'File not found! <a href=index>Back to main page!</a>'</i><br>\n<br>\n<a href=index><img src=\"puretraclogo\.png\" border=0></a>$| p/PureChoice Nose environmental monitor http config/ cpe:/h:purechoice:nose/

Complaints about IE.
match http m|^HTTP/1\.0 200 OK\nContent-type: text/html\r\n.*/\* f\*cking IE doesn't support web standard \*/\n|s p/Encore ENTC-1000 thin client http config/ d/terminal/ cpe:/h:encore:entc-1000/

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
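An added example, not from this message and not Nmap's own code: a small Python reader for nmap-service-probes match lines of the shape quoted above, run over constructed banners. It shows that the old "hosy key" Cisco signature never matches the real banner while the fixed one does, what the trailing s flag buys the thttpd signature (its .* has to cross several newlines), and how the Samsung signature pins the 24 fixed zeros of the nonce so only eight hex digits are allowed to vary. The banner texts and Date values are constructed, and the parser handles only the delimiters, flags and version fields that occur in the quoted signatures.

```python
import re
from dataclasses import dataclass

# Added example, not Nmap's own code: a minimal reader for nmap-service-probes
# "match" lines of the shape quoted in the message, plus a matcher that runs
# them over a captured banner. It understands the m|...| and m%...% regex
# delimiters, the trailing "s" (dot matches newline) and "i" (ignore case)
# flags, and the p/ i/ d/ o/ h/ v/ and cpe:/ version fields. A line with
# several cpe: entries keeps only the last one; the quoted lines have one each.

# Version field: "<name><delim>value<delim>[letters]"; cpe looks like "cpe:/.../a".
FIELD_RE = re.compile(r"(?:^|\s)(p|i|d|o|h|v|cpe:)(\S)(.*?)\2([a-z]*)")


@dataclass
class Signature:
    service: str
    pattern: re.Pattern
    fields: dict


def parse_match_line(line):
    """Parse 'match <service> m<d>regex<d>[flags] p/.../ i/.../ ...'."""
    keyword, service, rest = line.strip().split(None, 2)
    if keyword != "match" or rest[0] != "m":
        raise ValueError("not a match line: %r" % line[:40])
    delim = rest[1]
    end = rest.index(delim, 2)  # the regex cannot contain its own delimiter
    regex = rest[2:end]
    pos, flags = end + 1, 0
    while pos < len(rest) and rest[pos].isalpha():  # flags follow the regex directly
        if rest[pos] == "s":
            flags |= re.DOTALL
        elif rest[pos] == "i":
            flags |= re.IGNORECASE
        pos += 1
    fields = {m.group(1): m.group(3) for m in FIELD_RE.finditer(rest[pos:])}
    return Signature(service, re.compile(regex, flags), fields)


def identify(banner, signatures):
    """Return the first signature whose regex matches the banner, or None."""
    for sig in signatures:
        if sig.pattern.search(banner):
            return sig
    return None


# The three signatures below are copied from the message, joined back onto
# single lines; the banners are constructed to resemble what those devices send.
CISCO = (
    r"match ssh m|^Could not load host key\. Closing connection\.\.\.$| "
    r"p/Cisco switch sshd/ i/misconfigured/ d/switch/ o/IOS/ cpe:/o:cisco:ios/a"
)
CISCO_TYPO = CISCO.replace("host key", "hosy key")  # the line before the typo fix
CISCO_BANNER = "Could not load host key. Closing connection..."

SAMSUNG = (
    r"match rtsp m|^RTSP/1\.0 401 Unauthorized\r\nCSeq: 0\r\nDate: .*\r\nExpires: .*\r\n"
    r"Cache-Control: must-revalidate\r\nWWW-Authenticate: Digest realm=\"NET-i\", "
    r"nonce=\"" + "0" * 24 + r"[0-9A-F]{8}\"\r\n\r\n| "  # 24 literal zeros in the original line
    r"p/Samsung SNB-2000 webcam rtspd/ d/webcam/ cpe:/h:samsung:snb-2000/"
)
SAMSUNG_BANNER = (
    "RTSP/1.0 401 Unauthorized\r\nCSeq: 0\r\nDate: Sun, 12 Feb 2012 11:47:01 GMT\r\n"
    "Expires: Sun, 12 Feb 2012 11:47:01 GMT\r\nCache-Control: must-revalidate\r\n"
    # constructed nonce: 24 fixed zeros, so only 32 bits of it ever vary
    'WWW-Authenticate: Digest realm="NET-i", nonce="' + "0" * 24 + '4F379CE5"\r\n\r\n'
)

THTTPD = (
    r"match http m|^UNKNOWN 400 Bad Request\r\nServer: unknown HTTP server\r\n"
    r"Content-Type: text/html; charset=iso-8859-1\r\n.*<BODY BGCOLOR=\"#cc9999\" "
    r"TEXT=\"#000000\" LINK=\"#2020ff\" VLINK=\"#4040cc\">\n<H2>400 Bad Request</H2>\n"
    r"Your request has bad syntax or is inherently impossible to satisfy\.\n|s "
    r"p/thttpd/ cpe:/a:acme:thttpd/ i/IDIS surveillance DVR/ d/media device/"
)
THTTPD_BANNER = (
    "UNKNOWN 400 Bad Request\r\nServer: unknown HTTP server\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\nDate: Sun, 12 Feb 2012 11:47:01 GMT\r\n\r\n"
    "<HTML>\n<HEAD><TITLE>400 Bad Request</TITLE></HEAD>\n"
    '<BODY BGCOLOR="#cc9999" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">\n'
    "<H2>400 Bad Request</H2>\nYour request has bad syntax or is inherently impossible to satisfy.\n"
    "</BODY></HTML>\n"
)

SIGNATURES = [parse_match_line(s) for s in (CISCO, SAMSUNG, THTTPD)]

if __name__ == "__main__":
    for banner in (CISCO_BANNER, SAMSUNG_BANNER, THTTPD_BANNER):
        sig = identify(banner, SIGNATURES)
        print(sig.service, sig.fields)
```

Dropping the s flag from the thttpd line (replace "|s p/" with "| p/") makes the same banner stop matching, because without it the .* cannot step over the blank line and the HTML that precede the BODY tag; that is the kind of detail a submitted signature has to get right before it is useful.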