Nmap Development mailing list archives
Service integration highlights
From: David Fifield <david () bamsoftware com>
Date: Wed, 17 Jul 2013 20:48:57 -0700
Here are the highlights of integrating 737 service fingerprint submissions and 5 corrections since January 7. For help understanding the format of matchlines, see http://nmap.org/book/vscan-fileformat.html#vscan-db-match.

match bitcoin m|^\xf9\xbe\xb4\xd9version\0\0\0\0\0.\0\0\0....\x71\x11\x01\0\0\0\0\0\0\0\0\0........\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xff\xff......\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xff\xff.............../Bitpeer:([\w._-]+)/\0\0\0\0\x01$|s p/Bitpeer/ v/$1/

This is really interesting. Bitcoin needed to make a backward-incompatible protocol change to add checksums to certain messages. But because all nodes need to be able to communicate with each other, they couldn't make this change incrementally. So they put a time check in the source code, and on February 20, 2012, all nodes instantly and simultaneously began to speak a different protocol.

https://bitcointalk.org/index.php?topic=55852.0
http://bitcoin.org/en/alert/2012-02-18-protocol-change
https://en.bitcoin.it/wiki/Protocol_specification#version

The source code literally said this:
https://github.com/bitcoin/bitcoin/commit/f93d5f9ffe1e12079e560a735111735924726a06#L7R538

    // Version 0.2 obsoletes 20 Feb 2012
    if (GetTime() > 1329696000)
    {
        vSend.SetVersion(209);
        vRecv.SetVersion(209);
    }

Nmap's bitcoin.lua was patched in the nick of time in r28104. Unfortunately I think that this coordinated change instantly obsoleted all our existing Bitcoin matchlines! They'd only work against extremely old software that didn't know to change the protocol with everyone else, and there's no reason why that software would ever be used since it can't communicate with the rest of the network. Just imagine minding your own business and suddenly everyone in the world starts speaking a different language...
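As an added illustration of the matchline format linked above (example code written for this note, not part of the post or of Nmap): a small Python parser that reads one matchline, compiles its regex as a bytes pattern the way Nmap matches raw banners, and expands the $N version templates against a constructed banner. It uses the BQTWWW matchline that appears further down in this post; the version numbers in the banner are made up, and the $P()/$SUBST() template helpers Nmap also supports are not handled.

```python
import re

# Version-info field letters used in nmap-service-probes matchlines.
FIELD_KEYS = {"p": "product", "v": "version", "i": "info",
              "h": "hostname", "o": "os", "d": "devicetype"}
# One field: key, one-char delimiter, value, same delimiter, optional 'a'
# (cpe:/.../a marks an auto-generated CPE name).
FIELD_RE = re.compile(r"(cpe:|[pvihod])(\W)(.*?)\2(a?)")

def parse_matchline(line):
    """Split 'match <svc> m<d>regex<d>[flags] <fields>' into its parts."""
    _, service, rest = line.split(None, 2)      # the regex itself may contain spaces
    delim = rest[1]                             # whatever character follows the 'm'
    end = rest.index(delim, 2)                  # closing regex delimiter
    flag_chars, _, fields_text = rest[end + 1:].partition(" ")
    flags = (re.IGNORECASE if "i" in flag_chars else 0) | (re.DOTALL if "s" in flag_chars else 0)
    # Nmap matches raw bytes, so compile a bytes pattern; latin-1 keeps the \xNN and \0 escapes intact.
    regex = re.compile(rest[2:end].encode("latin-1"), flags)
    fields, cpes = {}, []
    for key, fdelim, value, _auto in FIELD_RE.findall(fields_text):
        if key == "cpe:":
            cpes.append("cpe:" + fdelim + value)   # e.g. cpe:/o:dec:rsx_11m_plus:$2
        else:
            fields[FIELD_KEYS[key]] = value
    return {"service": service, "regex": regex, "fields": fields, "cpe": cpes}

def match_banner(matchline, banner):
    """Run one matchline against a captured banner and expand its $N templates."""
    m = parse_matchline(matchline)
    hit = m["regex"].search(banner)
    if hit is None:
        return None
    def fill(template):   # $1, $2, ... -> captured groups ($P()/$SUBST() are not handled here)
        return re.sub(r"\$(\d+)", lambda g: hit.group(int(g.group(1))).decode("latin-1"), template)
    result = {"service": m["service"], "cpe": [fill(c) for c in m["cpe"]]}
    result.update((name, fill(tmpl)) for name, tmpl in m["fields"].items())
    return result

# The BQTWWW matchline from this post and a constructed banner in the shape it expects
# (the version numbers in the banner are made up for the example).
BQTWWW_MATCHLINE = (r"match http m|^HTTP/1\.0 200 OK\r\nDate: .*\r\nServer: BQTWWW/([\w._-]+) "
                    r"\(RSX\) \(RSX-11M-PLUS V([\w._-]+)\)\r\n| p/BQTWWW/ v/$1/ "
                    r"cpe:/o:dec:rsx_11m_plus:$2/ o/RSX-11M-PLUS $2/")
BQTWWW_BANNER = (b"HTTP/1.0 200 OK\r\nDate: Wed, 17 Jul 2013 20:48:57 GMT\r\n"
                 b"Server: BQTWWW/1.2 (RSX) (RSX-11M-PLUS V4.6)\r\n")

if __name__ == "__main__":
    print(match_banner(BQTWWW_MATCHLINE, BQTWWW_BANNER))
```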
match http m|^HTTP/1\.0 200 OK\r\nDate: .*\r\nServer: BQTWWW/([\w._-]+) \(RSX\) \(RSX-11M-PLUS V([\w._-]+)\)\r\n| p/BQTWWW/ v/$1/ cpe:/o:dec:rsx_11m_plus:$2/ o/RSX-11M-PLUS $2/

I previously wrote about the work of Johnny Billquist at http://seclists.org/nmap-dev/2012/q4/221. But I think I made a mistake there--the TCP/IP stack attributed to him should have been that of RSX-11M-PLUS, not DG/UX. Anyway, this is a web server for RSX-11M-PLUS, also written by Billquist. It's running on an emulated PDP-11!

http://madame.update.uu.se/
http://www.update.uu.se/~bqt/

match http m|^HTTP/1\.1 401 UNAUTHORIZED\r\nWWW-Authenticate: Basic realm=\"CouchPotato Login\"\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 54\r\nServer: TornadoServer/([\w._-]+)\r\n\r\nThis is not the page you are looking for\. \*waves hand\*$| p/Tornado httpd/ v/$1/ i/CouchPotato downloader/

"This is not the page you are looking for\. \*waves hand\*"

This is an automatic downloader program.
https://couchpota.to/

match telnet m|^\x1b\[\?25l\xff\xfb\x01\xff\xfb\x03\xff\xfc\"\xff\xfd\x1f\x1b\[2J\x1b\[0m\x1b\[40m\x1b\[30m\x1b\[1;1H\x1b\[34;1m\xe2\x95\x94Enter your nickname for this session \(Alt\+1\)\xe2\x95\x90| p/dfterm2 telnetd for Dwarf Fortress game/

This is a utility that allows you to play the video game Dwarf Fortress over Telnet. Telnet signatures are often highly unique, even without identifying text, because of ANSI escape sequences and Telnet options.

http://dwarffortresswiki.org/index.php/Utility:Dfterm2
https://gitorious.org/dfterm2

match http m|^HTTP/1\.0 \xff\xfbAllow: GET \r\nAccept-Ranges: bytes\r\nCache-Control: no-cache\r\nCache-Control: no-store\r\nConnection: Keep-Alive\r\nServer: GoPro Web Server v([\w._-]+)\r\nContent-Type: text/plain\r\nContent-Length: 2\r\n\r\n$| p/GoPro HERO3 camera http interface/ v/$1/ cpe:/h:gopro:hero3/ d/webcam/

This is quite a strange interpretation of HTTP.
Note the mangled \xff\xfb in the status line, which seems to run right into the header fields. It says the content length is 2, but the body is empty.

match http m|^HTTP/2\.0 404 Not Found\r\n.*Server: Restlet-Framework/@major-number@\.@minor-number@@release-type@@release-number@\r\n.*<p>The server has not found anything matching the request URI</p>|s p/Serviio media server http status/

This is supposedly "HTTP 2.0". Look at the broken variable substitution (@major-number@) where a version number should be.

match http m|^HTTP/1\.0 200 OK\r\nDate: .*\r\nServer: HTTP Server\r\n.*<!--\n M Comeau Dec 19, 2011\n This page is used to redirect to the URL below\. It is necessary to do this\n so the http server properly redirects to the CGI\.\n-->\n<head>\n<title>BSE Redirect</title>|s p/Chrysler wiTECH VCI Pod automotive diagnostic device/ d/specialized/

I think this is one of those things a service technician plugs into your car to interpret the error codes.

match telnet m|^\xff\xfd\x03\xff\xfb\x03\xff\xfd\x18\xff\xfd\x17Please wait\. The connection to your station is still in the process of being established\. Your last input has been discarded\.\r\nPlease wait\. The connection to your station is still in the process of being established\. Your last input has been discarded\.\r\n| p/Burroughs MCP telnetd/ o/Burroughs MCP/ cpe:/o:burroughs:mcp/

The Wikipedia page for this OS says "Initial release: 1961; 52 years ago." (But the system this fingerprint was taken from was probably a much newer release.)
https://en.wikipedia.org/wiki/Burroughs_MCP

match telnet m|^\xff\xfd\x01\xff\xfd\x1f\xff\xfb\x01\xff\xfb\x03\r\r\nGET / HTTP/1\.0\r\n\r\n\r\nPartedMagic login: login: loginprompt\.c:164: login_prompt: Assertion `wlen == \(int\) len -1' failed\.\r\n| p/Busybox telnetd/ v/1.19.4/ i/Parted Magic pkg-shadow login/

Nmap apparently crashes the login program that comes with the shadow suite.
You can see the assertion in the source code here:
http://fossies.org/dox/shadow_4.1.5.1.orig/loginprompt_8c_source.html

Parted Magic is a distro with disk partitioning programs.
http://partedmagic.com/

David Fifield