Nmap Development mailing list archives
telnet service fingerprints from internet scan data
From: "C. Reitter" <reitterc () informatik uni-freiburg de>
Date: Wed, 24 Dec 2014 18:04:35 +0100
Hi everyone,

I'm a student working on my bachelor thesis regarding large internet scan datasets, mainly the Rapid7 Critical.IO scan from 2012/2013. For the practical part of my research, I've focused on analyzing, researching and classifying Telnet host banners. I've written over 100 new nmap fingerprints during the process, catching many previously ignored patterns.

However, as far as I can tell, this offline approach towards fingerprint creation is fairly unusual. While it is a great way to find previously unmatched patterns / variants of common devices and therefore drastically improve fingerprint coverage, researching hard facts on many of those new devices can be quite challenging at times, especially if the banner itself contains no clues at all. For this reason, I will begin by publishing fingerprints that are either straightforward or direct replacements of existing nmap fingerprints. Future submission and discussion of complicated fingerprints might benefit from a dedicated issue-tracking system. Any thoughts on this?

I apologize for the presentation format below. The fingerprints easily grow 200+ characters long and have to be kept one-liners. Substituted fingerprints and meta-information are shown in comments above new fingerprints.

####
# more than two thirds of these fingerprints are found behind dynamic Chinese netblocks,
# >> very likely false positives. Remove? Replace?
# match telnet m|^\r\n%connection closed by remote host!\0| p/HP H3C SR8808 SecBlade firewall module telnetd/ d/firewall/
match telnet m|^\r\n%connection closed by remote host!\0| i/access denied/

#match telnet m|^\r\nEfficient ([-.\w ]+) Router \(([-.\d/]+)\) v(\d[-.\w]+) Ready\r\n\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\xff\xfe\x01Login: | p/Efficient router telnetd/ v/$3/ i/Model $1 - $2/ d/router/
#match telnet m|^\r\nEfficient 5871 IDSL Router \(5871-601 / 5871-001 HW\) v([-\d.]+) Ready\r\n| p/Efficient Networks 5871 IDSL router telnetd/ v/$1/ d/broadband router/
#match telnet m|^\r\nEfficient 5851 SDSL \[ATM\] Router \(5851-\d+\) v([-\d.]+) Ready\r\n\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\xff\xfe\x01Login: | p/Efficient 5851 DSL router telnetd/ v/$1/ d/router/
match telnet m|^\r\nEfficient ([\s\S]+)v([\d.-]+) Ready| p/Efficient Networks telnetd/ d/broadband router/ i/$1 v$2/

# match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\n\r \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\n\r.*GlobespanVirata Inc\., Software Release ([-.\w]+)\n\r|s p/GlobespanVirata telnetd/ v/$1/ d/broadband router/
# match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\n\r *\**\n\r *Welcome to Viking II\. \n\r *\**\n\r\n\rGlobespanVirata Inc\., Software Release VIK-([-\w_.]+)\n\r| p/GlobespanVirata Viking II telnetd/ v/$1/ d/broadband router/
# match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\n\r +\*+\n\r +Welcome to Viking \n\r +\*+\n\r\n\rGlobespanVirata Inc\., Software Release ([\w/.]+)\n\r| p/Viking router telnetd/ v/$1/ d/router/
match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03[\n\r\* ]+Welcome to ([\w ]+) [\.\n\r\* ]+\r([\w,\. ]+), Software Release ([_\-\.\w\/ ]+)\n\r(Copyright \(c\) [\d\-]+)|s p/$2 $1 telnetd/ i/$4/ v/$3/ d/broadband router/

# match telnet m|^\xff\xfd\x01\xff\xfd!\xff\xfb\x01\xff\xfb\x03(BCM[\w._-]+) xDSL Router\r\nLogin: | p/Broadcom $1 DSL router telnetd/ d/broadband router/ cpe:/h:broadcom:$1/
match telnet m|^\xff\xfd\x01\xff\xfd!\xff\xfb\x01\xff\xfb\x03(BCM[\w._-]+) ([\w]+) Router(?:, )?((?:Powered by ClearAccess)?)\r\n(?:Login: )?| p/Broadcom $1 $2 router telnetd/ i/$2/ d/broadband router/ cpe:/h:broadcom:$1/

# HP Jetdirect printer series telnet with password protection
# match telnet m|^\xff\xfb\x03\xff\xfb\x01\x07HP JetDirect\r\n\r\nEnter username: | p/HP JetDirect printer telnetd/ d/printer/
match telnet m|^(?:\xff[\xfb\xfc][\x01\x03])+\x07HP JetDirect[\r\n]+Enter username: (?:\xff[\xfb\xfc][\x01\x03])*$| p/HP JetDirect printer telnetd/ d/printer/

# HP Jetdirect printer series telnet without (!) password protection
## "JetDirect Model: J4169A Firmware: L.21.11"
# match telnet m|^\xff\xfb\x03\xff\xfb\x01\x07HP JetDirect\r\nPassword is not set\r\n| p/HP JetDirect printer telnetd/ i/No password/ d/printer/
match telnet m|^(?:\xff[\xfb\xfc\xfd][\x01\x03])+\x07HP JetDirect\r\n(Password is not set)\r\n\r\nPlease type| p/HP JetDirect printer telnetd/ i/$1/ d/printer/

# SMC broadband routers with docsis 3.0 modem, several known variants
match telnet m|^\xff\xfd\x01\xff\xfd\!\xff\xfb\x01\xff\xfb\x03([\w\-\.]+) login: $| p/SMC/ d/broadband router/ i/SMC $1 docsis 3.0/

# "Amun" HONEYPOT - http://opensourcejavaphp.net/python/amun/vuln_modules/vuln-check/check_modul.py.html
match honeypot m|^command unknown\n\nsolaris#\r\n$| p/Amun honeypot/ i=honeypot posing as solaris login/telnet shell= d/security-misc/

# MikroTik routers series, discloses OS version
match telnet m|^\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'\xff\xfb\x03(?:[\s\S]+)MikroTik (v[\w\.]+)\r\nLogin: $| p/MikroTik/ d/router/ v/$1/ cpe:/o:mikrotik:routeros/

# Huawei DSLAM MA5600 and IAD2000 variants
match telnet m=^\xff\xfb\x01\xff\xfb\x03[ \r\n]+(HUAWEI|Huawei) (?:Integrated Access Software \()?([\w ]+\d)[\)]?[\w\- ]*\.[ \r\n\xff\xfc\x01\x03]+(?:[\w\-\(\) ]*)Huawei Technologies= p/$1 $2/ i/DSLAM/

# Ubiquoss L2/L3 switches
match telnet m|^\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'\xff\xfb\x03\xff\xfd\x01\xff\xfd\x1f\xff\xfb\x05\xff\xfd!\xff\xfb\x03\xff\xfb\x01(?:\r\n)?(Ubiquoss [LSQ][\w\-\h]+)(?:\r\n)+([\w\-_\.\/\+\#]+)\S* login: $| d/switch/ p/$1 telnetd/ i/id: $2/

# ZTE Corp ZXR10 and ZXAN series - core routers
match telnet m=^\xff\xfb\x01\xff\xfd\x1f\xff\xfd\x18\xff\xfd \xff\xfb\x03(?:[\r\n\s]+)?\*+\r\n\s*Welcome to ([\s\S]+) of ZTE Corporation\r\n= d/router/ p/ZTE Corp $1 telnetd/
####

More information on how I'm processing offline data for fingerprint creation will follow. For a deeper look into the topic of knowledge gained from internet scans I can recommend HD Moore's "Scanning Darkly" keynote from DerbyCon2013.

Happy holidays,
Christian Reitter

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
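The offline check the post describes (running candidate fingerprints over a banner dataset and seeing what stays unmatched) can be reproduced with a small parser for the nmap-service-probes "match" line format. The following is an added example written for this page; it is not code from the post or from Nmap. It copies four of the match lines above verbatim, compiles their regexes with Python's re module, expands the $N version fields from the captured groups, and classifies a set of banners. All banners, model names, version numbers and prompt text in BANNERS are constructed placeholders, not Critical.IO data; the parser handles only the $N substitution form (nmap's $P()/$SUBST() helpers and softmatch lines are assumed out of scope).

```python
import re

# Added example (not code from the post or from Nmap): parse nmap-service-probes
# "match" lines and run them offline over a set of captured telnet banners.
# Assumptions: only the $N substitution form is expanded (nmap's $P()/$SUBST()
# helpers and softmatch lines are not handled), and patterns are compiled with
# Python's re, which lacks some PCRE escapes (e.g. \h used in the Ubiquoss line).

# Four match lines copied verbatim from the post; raw strings keep the
# backslash escapes exactly as nmap would read them from the probes file.
MATCH_LINES = [
    r"match telnet m|^\xff\xfd\x01\xff\xfd\!\xff\xfb\x01\xff\xfb\x03([\w\-\.]+) login: $| p/SMC/ d/broadband router/ i/SMC $1 docsis 3.0/",
    r"match honeypot m|^command unknown\n\nsolaris#\r\n$| p/Amun honeypot/ i=honeypot posing as solaris login/telnet shell= d/security-misc/",
    r"match telnet m|^\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'\xff\xfb\x03(?:[\s\S]+)MikroTik (v[\w\.]+)\r\nLogin: $| p/MikroTik/ d/router/ v/$1/ cpe:/o:mikrotik:routeros/",
    r"match telnet m|^(?:\xff[\xfb\xfc\xfd][\x01\x03])+\x07HP JetDirect\r\n(Password is not set)\r\n\r\nPlease type| p/HP JetDirect printer telnetd/ i/$1/ d/printer/",
]

# Human-readable names for the version-field keys of a match line.
FIELD_NAMES = {"p": "product", "v": "version", "i": "info", "h": "hostname",
               "o": "ostype", "d": "devicetype", "cpe:": "cpe"}
FIELD_RE = re.compile(r"(p|v|i|h|o|d|cpe:)(?P<d>[^\w\s])")
HEAD_RE = re.compile(r"match\s+(?P<service>\S+)\s+m(?P<d>\S)")


def parse_match_line(line):
    """Split 'match <service> m<d>regex<d>[flags] fields...' into its parts."""
    head = HEAD_RE.match(line)
    if head is None:
        raise ValueError("not a match line: " + line[:40])
    delim = head.group("d")
    end = line.index(delim, head.end())  # the delimiter may not occur inside the regex
    pattern = line[head.end():end]
    rest = line[end + 1:]
    flag_chars = re.match(r"[is]*", rest).group(0)
    rest = rest[len(flag_chars):]
    flags = (re.DOTALL if "s" in flag_chars else 0) | (re.IGNORECASE if "i" in flag_chars else 0)

    fields = {}
    pos = 0
    while pos < len(rest):
        if rest[pos].isspace():
            pos += 1
            continue
        fm = FIELD_RE.match(rest, pos)
        if fm is None:
            raise ValueError("unparsable version field near: " + rest[pos:pos + 20])
        close = rest.index(fm.group("d"), fm.end())
        fields[FIELD_NAMES[fm.group(1)]] = rest[fm.end():close]
        pos = close + 1
        if fm.group(1) == "cpe:" and rest[pos:pos + 1] == "a":
            pos += 1  # optional trailing 'a' marks a CPE entry as an application
    # Banners are raw bytes, so compile a bytes regex; the pattern text is ASCII.
    return {"service": head.group("service"),
            "regex": re.compile(pattern.encode("latin-1"), flags),
            "fields": fields}


PROBES = [parse_match_line(line) for line in MATCH_LINES]


def expand(template, m):
    """Replace $1, $2, ... in a version field with the captured groups."""
    return re.sub(r"\$(\d+)",
                  lambda g: m.group(int(g.group(1))).decode("latin-1"), template)


def fingerprint(banner, probes=PROBES):
    """Return the first matching probe's expanded fields, or None if nothing matches."""
    for probe in probes:
        m = probe["regex"].search(banner)
        if m:
            result = {"service": probe["service"]}
            result.update((k, expand(v, m)) for k, v in probe["fields"].items())
            return result
    return None


def classify(banners, probes=PROBES):
    """Split a banner set into matched results and the names still unmatched."""
    matched, unmatched = {}, []
    for name, banner in banners.items():
        hit = fingerprint(banner, probes)
        if hit is None:
            unmatched.append(name)
        else:
            matched[name] = hit
    return matched, unmatched


# Constructed sample banners (not taken from the Critical.IO dataset); model
# names, version numbers and the trailing prompt text are invented placeholders.
BANNERS = {
    "smc": b"\xff\xfd\x01\xff\xfd!\xff\xfb\x01\xff\xfb\x03SMC-TEST-MODEL login: ",
    "amun": b"command unknown\n\nsolaris#\r\n",
    "mikrotik": b"\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'\xff\xfb\x03\r\n\r\n\r\nMikroTik v5.99\r\nLogin: ",
    "jetdirect": (b"\xff\xfb\x03\xff\xfb\x01\x07HP JetDirect\r\nPassword is not set\r\n\r\n"
                  b"Please type [Return] two times, to initialize telnet configuration\r\n"),
    "unknown": b"\xff\xfb\x01\xff\xfb\x03\r\nlogin: ",
}

if __name__ == "__main__":
    matched, unmatched = classify(BANNERS)
    for name, hit in matched.items():
        print(name, hit)
    print("unmatched:", unmatched)
```

The "unmatched" list is the interesting output when this is run over a real dataset: it is the pile of banners a new fingerprint could cover. Two caveats when using Python this way: nmap evaluates these regexes with PCRE, so a line that relies on a PCRE-only escape (the Ubiquoss line above uses \h) will raise re.error and has to be rewritten or checked with a PCRE binding; and because patterns are tried in file order, a generic line placed before a specific one silently shadows it, which is easy to spot here by asserting on the expected product for each sample banner.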