Nmap Development mailing list archives

telnet service fingerprints from internet scan data


From: "C. Reitter" <reitterc () informatik uni-freiburg de>
Date: Wed, 24 Dec 2014 18:04:35 +0100

Hi everyone,
I'm a student working on my bachelor thesis regarding large internet scan datasets,
mainly the Rapid7 Critical.IO scan from 2012/2013. For the practical part of my research,
I've focused on analyzing, researching and classifying Telnet host banners.
I've written over 100 new nmap fingerprints during the process,
catching many previously ignored patterns.

However, as far as I can tell, this offline approach towards fingerprint creation is fairly unusual.
While it is a great way to find previously unmatched patterns / variants of common devices
and therefore drastically improve fingerprint coverage,
researching hard facts on many of those new devices can be quite challenging at times,
especially if the banner itself contains no clues at all.
For this reason, I will begin by publishing fingerprints that are
either straightforward or direct replacements of existing nmap fingerprints.
Future submission and discussion of complicated fingerprints might benefit
from a dedicated issue-tracking system. Any thoughts on this?

I apologize for the presentation format below.
The fingerprints easily grow 200+ characters long and have to be kept one-liners.
Substituted fingerprints and meta-information are shown in comments above new fingerprints.

####

# more than two thirds of these fingerprints are found behind dynamic chinese netblocks,
# >> very likely false positives.  Remove? Replace?
# match telnet m|^\r\n%connection closed by remote host!\0| p/HP H3C SR8808 SecBlade firewall module telnetd/ d/firewall/
match telnet m|^\r\n%connection closed by remote host!\0| i/access denied/

#match telnet m|^\r\nEfficient ([-.\w ]+) Router \(([-.\d/]+)\) v(\d[-.\w]+) Ready\r\n\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\xff\xfe\x01Login: | p/Efficient router telnetd/ v/$3/ i/Model $1 - $2/ d/router/
#match telnet m|^\r\nEfficient 5871 IDSL Router \(5871-601 / 5871-001 HW\) v([-\d.]+) Ready\r\n| p/Efficient Networks 5871 IDSL router telnetd/ v/$1/ d/broadband router/
#match telnet m|^\r\nEfficient 5851 SDSL \[ATM\] Router \(5851-\d+\) v([-\d.]+) Ready\r\n\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\xff\xfe\x01Login: | p/Efficient 5851 DSL router telnetd/ v/$1/ d/router/
match telnet m|^\r\nEfficient ([\s\S]+)v([\d.-]+) Ready| p/Efficient Networks telnetd/ d/broadband router/ i/$1 v$2/

# match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\n\r                         \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\n\r.*GlobespanVirata Inc\., Software Release ([-.\w]+)\n\r|s p/GlobespanVirata telnetd/ v/$1/ d/broadband router/
# match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\n\r *\**\n\r *Welcome to Viking II\.  \n\r *\**\n\r\n\rGlobespanVirata Inc\., Software Release VIK-([-\w_.]+)\n\r| p/GlobespanVirata Viking II telnetd/ v/$1/ d/broadband router/
# match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\n\r +\*+\n\r +Welcome to Viking  \n\r +\*+\n\r\n\rGlobespanVirata Inc\., Software Release ([\w/.]+)\n\r| p/Viking router telnetd/ v/$1/ d/router/
match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03[\n\r\* ]+Welcome to ([\w ]+)  [\.\n\r\* ]+\r([\w,\. ]+), Software Release ([_\-\.\w\/ ]+)\n\r(Copyright \(c\) [\d\-]+)|s p/$2 $1 telnetd/ i/$4/ v/$3/ d/broadband router/
# match telnet m|^\xff\xfd\x01\xff\xfd!\xff\xfb\x01\xff\xfb\x03(BCM[\w._-]+) xDSL Router\r\nLogin: | p/Broadcom $1 DSL router telnetd/ d/broadband router/ cpe:/h:broadcom:$1/
match telnet m|^\xff\xfd\x01\xff\xfd!\xff\xfb\x01\xff\xfb\x03(BCM[\w._-]+) ([\w]+) Router(?:, )?((?:Powered by ClearAccess)?)\r\n(?:Login: )?| p/Broadcom $1 $2 router telnetd/ i/$2/ d/broadband router/ cpe:/h:broadcom:$1/

# HP Jetdirect printer series telnet with password protection
# match telnet m|^\xff\xfb\x03\xff\xfb\x01\x07HP JetDirect\r\n\r\nEnter username: | p/HP JetDirect printer telnetd/ d/printer/
match telnet m|^(?:\xff[\xfb\xfc][\x01\x03])+\x07HP JetDirect[\r\n]+Enter username: (?:\xff[\xfb\xfc][\x01\x03])*$| p/HP JetDirect printer telnetd/ d/printer/

# HP Jetdirect printer series telnet without (!) password protection
## "JetDirect Model: J4169A Firmware: L.21.11"
# match telnet m|^\xff\xfb\x03\xff\xfb\x01\x07HP JetDirect\r\nPassword is not set\r\n| p/HP JetDirect printer telnetd/ i/No password/ d/printer/
match telnet m|^(?:\xff[\xfb\xfc\xfd][\x01\x03])+\x07HP JetDirect\r\n(Password is not set)\r\n\r\nPlease type| p/HP JetDirect printer telnetd/ i/$1/ d/printer/

# SMC broadband routers with docsis 3.0 modem, several known variants
match telnet m|^\xff\xfd\x01\xff\xfd\!\xff\xfb\x01\xff\xfb\x03([\w\-\.]+) login: $| p/SMC/ d/broadband router/ i/SMC $1 docsis 3.0/

# "Amun" HONEYPOT - http://opensourcejavaphp.net/python/amun/vuln_modules/vuln-check/check_modul.py.html
match honeypot m|^command unknown\n\nsolaris#\r\n$| p/Amun honeypot/ i=honeypot posing as solaris login/telnet shell= d/security-misc/

# MikroTik routers series, discloses OS version
match telnet m|^\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'\xff\xfb\x03(?:[\s\S]+)MikroTik (v[\w\.]+)\r\nLogin: $| p/MikroTik/ d/router/ v/$1/ cpe:/o:mikrotik:routeros/

# Huawei DSLAM MA5600 and IAD2000 variants
match telnet m=^\xff\xfb\x01\xff\xfb\x03[ \r\n]+(HUAWEI|Huawei) (?:Integrated Access Software \()?([\w ]+\d)[\)]?[\w\- ]*\.[ \r\n\xff\xfc\x01\x03]+(?:[\w\-\(\) ]*)Huawei Technologies= p/$1 $2/ i/DSLAM/

# Ubiquoss L2/L3 switches
match telnet m|^\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'\xff\xfb\x03\xff\xfd\x01\xff\xfd\x1f\xff\xfb\x05\xff\xfd!\xff\xfb\x03\xff\xfb\x01(?:\r\n)?(Ubiquoss [LSQ][\w\-\h]+)(?:\r\n)+([\w\-_\.\/\+\#]+)\S* login: $| d/switch/ p/$1 telnetd/ i/id: $2/

# ZTE Corp ZXR10 and ZXAN series - core routers
match telnet m=^\xff\xfb\x01\xff\xfd\x1f\xff\xfd\x18\xff\xfd \xff\xfb\x03(?:[\r\n\s]+)?\*+\r\n\s*Welcome to ([\s\S]+) of ZTE Corporation\r\n= d/router/ p/ZTE Corp $1 telnetd/

####

More information on how I'm processing offline data for fingerprint creation will follow.
For a deeper look into the topic of knowledge gained from internet scans, I can
recommend HD Moore's "Scanning Darkly" keynote from DerbyCon 2013.
Happy holidays,
Christian Reitter

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
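As an added example (not code from the post or from nmap itself), the checker below parses "match" lines written in the nmap-service-probes syntax and runs them over banners, which is the offline workflow the post describes for testing fingerprints against captured scan data. The three match lines are quoted from the post; the banners are constructed for this example, and the parser only handles the p/v/i/d/cpe fields and the i/s regex flags.

```python
import re

# Three "match" lines quoted from the post above, re-joined into the one-liners nmap expects.
FINGERPRINTS = [
    r"match telnet m|^(?:\xff[\xfb\xfc\xfd][\x01\x03])+\x07HP JetDirect\r\n(Password is not set)\r\n\r\nPlease type| p/HP JetDirect printer telnetd/ i/$1/ d/printer/",
    r"match telnet m|^\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'\xff\xfb\x03(?:[\s\S]+)MikroTik (v[\w\.]+)\r\nLogin: $| p/MikroTik/ d/router/ v/$1/ cpe:/o:mikrotik:routeros/",
    r"match honeypot m|^command unknown\n\nsolaris#\r\n$| p/Amun honeypot/ i=honeypot posing as solaris login/telnet shell= d/security-misc/",
]
FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL}   # regex flags nmap allows after the closing delimiter

def parse_match(line):
    """Split 'match <service> m<d>regex<d>[flags] p/../ v/../ i/../ d/../ cpe:/../' into its parts."""
    kind, service, rest = line.split(" ", 2)
    assert kind == "match" and rest[0] == "m", "not a match line"
    delim = rest[1]                                  # any character may delimit the regex
    end = rest.index(delim, 2)
    pos, flags = end + 1, 0
    while pos < len(rest) and rest[pos].isalpha():  # trailing regex flags, e.g. |s
        flags |= FLAGS[rest[pos]]
        pos += 1
    # each field: key, a non-word delimiter, the value, the same delimiter, optional flag letters
    fields = [(k.rstrip(":"), v) for k, _, v in re.findall(r"\s+(cpe:|[a-z])(\W)(.*?)\2[a-z]*", rest[pos:])]
    return service, re.compile(rest[2:end], flags), fields

def identify(banner, fingerprints=FINGERPRINTS):
    """Return service plus expanded fields of the first fingerprint matching banner, else None."""
    text = banner.decode("latin-1")                  # one char per byte, so \xff in a regex matches byte 0xff
    for line in fingerprints:
        service, regex, fields = parse_match(line)
        m = regex.search(text)
        if m is None:
            continue
        result = {"service": service}
        for key, value in fields:                    # expand $1, $2, ... from the capture groups, as nmap does
            value = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", value)
            result[key] = "cpe:/" + value if key == "cpe" else value
        return result
    return None

# Constructed banners (not real scan data) in the shape the fingerprints above expect.
SAMPLE_BANNERS = {
    "jetdirect": b"\xff\xfb\x03\xff\xfb\x01\x07HP JetDirect\r\nPassword is not set\r\n\r\nPlease type [Return] two times\r\n",
    "mikrotik": b"\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'\xff\xfb\x03\r\n\r\nMikroTik v6.0\r\nLogin: ",
    "amun": b"command unknown\n\nsolaris#\r\n",
    "unknown": b"\xff\xfb\x01\r\nlogin: ",
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, "->", identify(banner))
```

Feeding a whole banner dump through identify() and listing the banners that return None is exactly the "previously unmatched patterns" step the post talks about, while the ones that do match show which fields a new fingerprint would populate.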
