Nmap Development mailing list archives

Service integration highlights


From: David Fifield <david () bamsoftware com>
Date: Wed, 17 Jul 2013 20:48:57 -0700

Here are the highlights of integrating 737 service fingerprint
submissions and 5 corrections since January 7. For help understanding
the format of matchlines, see http://nmap.org/book/vscan-fileformat.html#vscan-db-match.

match bitcoin m|^\xf9\xbe\xb4\xd9version\0\0\0\0\0.\0\0\0....\x71\x11\x01\0\0\0\0\0\0\0\0\0........\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xff\xff......\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xff\xff.............../Bitpeer:([\w._-]+)/\0\0\0\0\x01$|s p/Bitpeer/ v/$1/
        This is really interesting. Bitcoin needed to make a
        backward-incompatible protocol change to add checksums to
        certain messages. But because all nodes need to be able to
        communicate with each other, they couldn't make this change
        incrementally. So they put a time check in the source code, and
        on February 20, 2012, all nodes instantly and simultaneously
        began to speak a different protocol.

        https://bitcointalk.org/index.php?topic=55852.0
        http://bitcoin.org/en/alert/2012-02-18-protocol-change
        https://en.bitcoin.it/wiki/Protocol_specification#version

        The source code literally said this:
        https://github.com/bitcoin/bitcoin/commit/f93d5f9ffe1e12079e560a735111735924726a06#L7R538
                // Version 0.2 obsoletes 20 Feb 2012
                if (GetTime() > 1329696000)
                {
                    vSend.SetVersion(209);
                    vRecv.SetVersion(209);
                } 

        Nmap's bitcoin.lua was patched in the nick of time in r28104.

        Unfortunately I think that this coordinated change instantly
        obsoleted all our existing Bitcoin matchlines! They'd only work
        against extremely old software that didn't know to change the
        protocol with everyone else, and there's no reason why that
        software would ever be used since it can't communicate with the
        rest of the network. Just imagine minding your own business and
        suddenly everyone in the world starts speaking a different
        language...

match http m|^HTTP/1\.0 200 OK\r\nDate: .*\r\nServer: BQTWWW/([\w._-]+) \(RSX\) \(RSX-11M-PLUS V([\w._-]+)\)\r\n| p/BQTWWW/ v/$1/ cpe:/o:dec:rsx_11m_plus:$2/ o/RSX-11M-PLUS $2/
        I previously wrote about the work of Johnny Billquist at
        http://seclists.org/nmap-dev/2012/q4/221. But I think I made a
        mistake there--the TCP/IP stack attributed to him should have
        been that of RSX-11M-PLUS, not DG/UX. Anyway, this is a web
        server for RSX-11M-PLUS, also written by Billquist. It's running
        on an emulated PDP-11!
        http://madame.update.uu.se/
        http://www.update.uu.se/~bqt/

match http m|^HTTP/1\.1 401 UNAUTHORIZED\r\nWWW-Authenticate: Basic realm=\"CouchPotato Login\"\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 54\r\nServer: TornadoServer/([\w._-]+)\r\n\r\nThis is not the page you are looking for\. \*waves hand\*$| p/Tornado httpd/ v/$1/ i/CouchPotato downloader/
        "This is not the page you are looking for\. \*waves hand\*" This
        is an automatic downloader program.
        https://couchpota.to/

match telnet m|^\x1b\[\?25l\xff\xfb\x01\xff\xfb\x03\xff\xfc\"\xff\xfd\x1f\x1b\[2J\x1b\[0m\x1b\[40m\x1b\[30m\x1b\[1;1H\x1b\[34;1m\xe2\x95\x94Enter your nickname for this session \(Alt\+1\)\xe2\x95\x90| p/dfterm2 telnetd for Dwarf Fortress game/
        This is a utility that allows you to play the video game Dwarf
        Fortress over Telnet. Telnet signatures are often highly unique,
        even without identifying text, because of ANSI escape sequences
        and Telnet options.
        http://dwarffortresswiki.org/index.php/Utility:Dfterm2
        https://gitorious.org/dfterm2

match http m|^HTTP/1\.0 \xff\xfbAllow: GET \r\nAccept-Ranges: bytes\r\nCache-Control: no-cache\r\nCache-Control: no-store\r\nConnection: Keep-Alive\r\nServer: GoPro Web Server v([\w._-]+)\r\nContent-Type: text/plain\r\nContent-Length: 2\r\n\r\n$| p/GoPro HERO3 camera http interface/ v/$1/ cpe:/h:gopro:hero3/ d/webcam/
        This is quite a strange interpretation of HTTP. Note the mangled
        \xff\xfb in the status line, which runs right into the header
        fields. It says the Content-Length is 2, but the body is empty.

match http m|^HTTP/2\.0 404 Not Found\r\n.*Server: Restlet-Framework/@major-number@\.@minor-number@@release-type@@release-number@\r\n.*<p>The server has not found anything matching the request URI</p>|s p/Serviio media server http status/
        This is supposedly "HTTP 2.0". Look at the broken variable
        substitution (@major-number@) where a version number should be.
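As an added example (not code from this post or from Nmap itself), here is a small Python reader for the matchline format linked at the top of the post, applied to the BQTWWW and Serviio lines above. It handles the `m|regex|flags` part, the `s` and `i` option letters, the `p`/`v`/`i`/`h`/`o`/`d`/`cpe:` version fields and plain `$N` substitution; the format's `$P()`, `$SUBST()` and `$I()` helpers are not implemented. The probe responses, including the version numbers 2.7 and 4.6, are constructed for the demonstration.

```python
import re

# Two matchlines quoted in the post, re-joined onto one line each.
MATCHLINES = [
    r"match http m|^HTTP/1\.0 200 OK\r\nDate: .*\r\nServer: BQTWWW/([\w._-]+) \(RSX\) \(RSX-11M-PLUS V([\w._-]+)\)\r\n| p/BQTWWW/ v/$1/ cpe:/o:dec:rsx_11m_plus:$2/ o/RSX-11M-PLUS $2/",
    r"match http m|^HTTP/2\.0 404 Not Found\r\n.*Server: Restlet-Framework/@major-number@\.@minor-number@@release-type@@release-number@\r\n.*<p>The server has not found anything matching the request URI</p>|s p/Serviio media server http status/",
]

# Constructed probe responses (the version numbers 2.7 and 4.6 are made up).
SAMPLE_BQTWWW = (b"HTTP/1.0 200 OK\r\nDate: Wed, 17 Jul 2013 20:48:57 GMT\r\n"
                 b"Server: BQTWWW/2.7 (RSX) (RSX-11M-PLUS V4.6)\r\n\r\n")
SAMPLE_SERVIIO = (b"HTTP/2.0 404 Not Found\r\nContent-Type: text/html; charset=UTF-8\r\n"
                  b"Server: Restlet-Framework/@major-number@.@minor-number@"
                  b"@release-type@@release-number@\r\n\r\n"
                  b"<html><body><p>The server has not found anything matching the request URI</p></body></html>")
SAMPLE_OTHER = b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"

FLAG_MAP = {"s": re.DOTALL, "i": re.IGNORECASE}
FIELD_NAMES = {"p": "product", "v": "version", "i": "info", "h": "hostname",
               "o": "ostype", "d": "devicetype", "cpe:": "cpe"}
# A version field is a letter (or "cpe:"), a delimiter, the value, the same
# delimiter again, and for cpe an optional trailing "a" (application CPE).
FIELD_RE = re.compile(r"(cpe:|[pvihod])(.)(.*?)\2(a?)")


def parse_matchline(line):
    """Split a match/softmatch line into service, compiled regex and fields."""
    kind, service, rest = line.split(None, 2)
    if kind not in ("match", "softmatch") or not rest.startswith("m"):
        raise ValueError("not a matchline: " + line)
    delim = rest[1]                 # the character after "m" is the delimiter
    end = rest.index(delim, 2)      # the regex runs up to the next delimiter
    pattern = rest[2:end]
    pos = end + 1
    flags = 0
    while pos < len(rest) and rest[pos].isalpha():   # option letters, e.g. "s"
        flags |= FLAG_MAP[rest[pos]]
        pos += 1
    fields = [(FIELD_NAMES[name], value)
              for name, _d, value, _a in FIELD_RE.findall(rest[pos:])]
    # The file stores patterns as text with \xNN escapes; compiling them as
    # bytes lets them match raw, non-UTF-8 responses such as Telnet options.
    return {"service": service, "soft": kind == "softmatch",
            "regex": re.compile(pattern.encode("ascii"), flags),
            "fields": fields}


PARSED = [parse_matchline(line) for line in MATCHLINES]


def apply_matchline(ml, response):
    """Return the version fields with $N substituted, or None on no match."""
    m = ml["regex"].search(response)
    if m is None:
        return None

    def subst(text):
        return re.sub(r"\$(\d)",
                      lambda g: (m.group(int(g.group(1))) or b"").decode("latin-1"),
                      text)

    result = {"service": ml["service"]}
    for name, value in ml["fields"]:
        result[name] = subst(value)
    return result


def identify(response, matchlines=PARSED):
    """First matching line wins, which is how the probes file is ordered."""
    for ml in matchlines:
        result = apply_matchline(ml, response)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_BQTWWW, SAMPLE_SERVIIO, SAMPLE_OTHER):
        print(identify(sample))
```

The Serviio line needs the `s` option because its `.*` has to cross the CRLF header separators; without it the line would never fire on a real response, which is the kind of subtle breakage a reviewer of new matchlines looks for. Compiling the patterns as bytes rather than `str` matters for the Telnet signatures in this post, whose `\xff\xfb` option bytes are not valid UTF-8.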

match http m|^HTTP/1\.0 200 OK\r\nDate: .*\r\nServer: HTTP Server\r\n.*<!--\n    M Comeau Dec 19, 2011\n    This page is used to redirect to the URL below\.  It is necessary to do this\n    so the http server properly redirects to the CGI\.\n-->\n<head>\n<title>BSE Redirect</title>|s p/Chrysler wiTECH VCI Pod automotive diagnostic device/ d/specialized/
        I think this is one of those things a service technician plugs
        into your car to interpret the error codes.

match telnet m|^\xff\xfd\x03\xff\xfb\x03\xff\xfd\x18\xff\xfd\x17Please wait\. The connection to your station is still in the process of being established\. Your last input has been discarded\.\r\nPlease wait\. The connection to your station is still in the process of being established\. Your last input has been discarded\.\r\n| p/Burroughs MCP telnetd/ o/Burroughs MCP/ cpe:/o:burroughs:mcp/
        The Wikipedia page for this OS says "Initial release: 1961; 52
        years ago." (But the system this fingerprint was taken from was
        probably a much newer release.)
        https://en.wikipedia.org/wiki/Burroughs_MCP

match telnet m|^\xff\xfd\x01\xff\xfd\x1f\xff\xfb\x01\xff\xfb\x03\r\r\nGET / HTTP/1\.0\r\n\r\n\r\nPartedMagic login: login: loginprompt\.c:164: login_prompt: Assertion `wlen == \(int\) len -1' failed\.\r\n| p/Busybox telnetd/ v/1.19.4/ i/Parted Magic pkg-shadow login/
        Nmap apparently crashes the login program that comes with the
        shadow suite. You can see the assertion in the source code here:
        http://fossies.org/dox/shadow_4.1.5.1.orig/loginprompt_8c_source.html
        Parted Magic is a distro with disk partitioning programs.
        http://partedmagic.com/

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
