Nmap Development mailing list archives
Service fingerprint integration highlights
From: Daniel Miller <bonsaiviking () gmail com>
Date: Sat, 26 Nov 2016 10:58:54 -0600
Now for the fun and really weird stuff! We received 1357 new service fingerprint submissions between January and September 2016. The number of match lines increased by 561 (5.3%), including 20 new softmatches for services like clam, websocket, jabber, quic, niagara-fox, asf-rmcp, and coap. Softmatches allow Nmap to jump straight to sending the most likely probes for a service type instead of relying solely on the port number, so they are extra valuable in speeding up -sV scan times.

We did a deep dive on HAproxy versioning based on error pages and HTTP headers introduced in different versions: 22 new match lines distinguishing versions before 1.3.1, 1.4.0 - 1.5.10, and 1.6.0 and later.

Malware!

+match backdoor m|^DT Key Logger -- Logging System Wide Key Presses\r\n| p/Deep Throat keylogger/ i/**MALWARE**/

+# A DOS/Win PE executable within 4 bytes of the beginning of stream
+softmatch ms-pe-exe m|^.{0,4}MZ.{76}This program cannot be run in DOS mode\.|s p/Microsoft PE executable file/

Backdoors!

+match shell m|^(root@([^:]+):[^#$]+)# bash: HELP: command not found\n\1# \1# $| p/Bash shell/ i/**BACKDOOR**; root shell/ h/$2/ cpe:/a:gnu:bash/
+match shell m|^(([\w-]+)@([^:]+):[^#$]+)\$ bash: HELP: command not found\n\1\$ \1\$ $| p/Bash shell/ i/**BACKDOOR**; user: $2/ h/$3/ cpe:/a:gnu:bash/

Here's a raw serial port:

+# Hayes codes, could be something else but all searches point to Lantronix devices on port 3001
+match modem m|^(?:ATZ\r)?(?:\+\+\+ATZ\r)| p/Lantronix raw serial port/
+match extron-serial m|^\r\n\(c\) Copyright 2\d\d\d, Extron Electronics, ([^,]+), V([\d.]+)\r\n| p/Extron $1 serial port/ v/$2/ cpe:/h:extron:$1/

This database server, 4th Dimension, is 32 years old and only just now starting to show up in our service database!

+match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: 4D_v(\d+)/(\1\.\d+)\r\n| p/4D RDBMS web server/ v/$2/ cpe:/a:4d_sas:4d:$2/
+match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: 4D/([\d.]+)\r\n|s p/4D RDBMS web server/ v/$1/ cpe:/a:4d_sas:4d:$1/

Geolocate your target with GPS!

+match nmea-0183 m|^(?:\$GP[A-Z]{3},[\w.,]+\*[A-F\d]{2}\r\n)*\$GPGGA,(\d\d)(\d\d)(\d\d),([-\d.]+,[NS]),([-\d.]+,[EW]),\d,| p/NMEA 0183 GPS data/ i/coordinates: $4, $5 as of $1:$2:$3 UTC/
+match nmea-0183 m|^\$GP[A-Z]{3},[\w.,]+\*[A-F\d]{2}\r\n| p/NMEA 0183 GPS data/

SCADA/ICS services:

+match siemens-xtrace m|^OK\x1d\0\x0e\x18.\x08\x02\x10\xd5q..([\w.]+)\0\0\0\0\0\0|s p/Siemens X-Trace/ i/production version: $1/
+match keyence-pc m|^ER,,02\rER,,02\r| p|Keyence EtherNet/IP module| d/specialized/
+match http m|^HTTP/1\.0 200 OK\r\nDate: .* GMT\r\nExpires: .* GMT\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: \d+\r\n\r\n<html><head><title>Velkommen til 963</title>| p/Trend 963 Supervisor building control system/ i/Danish/ d/specialized/ cpe:/a:trend_control_systems:963_supervisor::::da/

IoT and home automation:

+match http m|^HTTP/1\.0 401 Unauthorized\r\nServer: HTTPD\r\nDate: .* GMT\r\nWWW-Authenticate: Basic realm="USER LOGIN"\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>\n<BODY BGCOLOR="#cc9999"><H4>401 Unauthorized</H4>\nAuthorization required\.\n</BODY></HTML>\n| p/LimitlessLED smart lightbulb bridge httpd/ d/specialized/
+match http m|^HTTP/1\.1 200 OK\r\nContent-type: text/html\r\n\r\n<html><head><title>hue personal wireless lighting</title></head><body><b>Use a modern browser to view this resource\.</b></body></html>| p/Philips Hue wireless lighting bridge/ cpe:/h:philips:hue_bridge/

Plus a ton of IP cameras, DVRs, phones, modems, printers, etc.

Fortinet devices are tricky to match. We've mentioned this before in the highlights, but since last time we added this complicated match line which does a decent job of catching the unusual randomness of the banner:

+# FortiSSH uses random server name - match an appropriate length, then check for 3 dissimilar character classes in a row.
+# Does not catch everything, but ought to be pretty good.
+match ssh m%^SSH-([\d.]+)-(?=[\w._-]{5,15}\n$).*(?:[a-z](?:[A-Z]\d|\d[A-Z])|[A-Z](?:[a-z]\d|\d[a-z])|\d(?:[a-z][A-Z]|[A-Z][a-z]))% p/FortiSSH/ i/protocol $1/ cpe:/o:fortinet:fortios/

Here's a Ukrainian taxicab!

+# Ukrainian Taxi Software by EvOs: Такси Навигатор
+match taxinav m|^\x9f\x01<D><T RT="0" MT="1" MTData="| p/EvoS Taxi Navigator/

A collection of services that come with the Miami Deluxe IP stack for Amiga:

+match telnet m|^\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f\xff\xfd!| p/MiamiDx telnetd/ o/AmigaOS/
+match finger m|^Site: (.+)\n\nLogin Name\n| p/MiamiDx fingerd/ i/site: $1/ o/AmigaOS/
+match finger m|^no such user here\n$| p/MiamiDx fingerd/ o/AmigaOS/

This very odd service runs on TCP 54548 on Ricoh printers:

+match dps-shell m|^\+-{26}\+\r\n\x7c {6}Welcome to use {6}\x7c\r\n\x7c Destiny DPS Mini shell< \x7c\r\n\+-{9}\+-{16}\+\r\n\x7c Author \x7c TimesWu {8}\x7c\r\n\+-{9}\+-{16}\+\r\n\x7c Version \x7c V([\d.]+) {10}\x7c\r\n\+-{9}\+-{16}\+\r\n| p/Destiny DPS Mini shell/ v/$1/ i/Ricoh printer/ d/printer/

Fixed up these RPC match lines to cover all possibilities more efficiently:

-match rpcbind m|^\x80\0\0\x18\x72\xFE\x1D\x13\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01|
-match rpcbind m|^\x80\0\0\x20\x72\xFE\x1D\x13\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x02|
-match rpcbind m|^\x80\0\0\x14r\xfe\x1d\x13\0\0\0\x01\0\0\0\x01\0\0\0\x01\0\0\0\x05|
-match rpcbind m|^\x80\0\0\x18r\xfe\x1d\x13\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0|
-# AUTH_DH, apparently used by Veeam?
-match rpcbind m|^\x80\0\0\x18r\xfe\x1d\x13\0\0\0\x01\0\0\0\0\0\0\0\x03\0\0\0\0\0\0\0\0|
+#RPC Response, MSG_ACCEPTED, any AUTH type
+match rpcbind m|^\x80\0\0.\x72\xfe\x1d\x13\0\0\0\x01\0\0\0\0\0\0\0[\x00-\x03\x06]|
+# RPC Response, MSG_DENIED, RPC_MISMATCH
+match rpcbind m|^\x80\0\0.\x72\xfe\x1d\x13\0\0\0\x01\0\0\0\x01\0\0\0\x00\0\0\0[\x00-\x02]\0\0\0[\x00-\x02]|
+# RPC Response, MSG_DENIED, AUTH_ERROR, any status
+match rpcbind m|^\x80\0\0.\x72\xfe\x1d\x13\0\0\0\x01\0\0\0\x01\0\0\0\x01\0\0\0[\x00-\x07]|

Plus, as noted in Nmap's changelog [1], we have new service probes for OpenVPN (TCP and UDP), PCWorx, ProConOs, Tridium Niagara Fox, MQTT, RMCP (IPMI), CoAP, DTLS, iperf3, QUIC, and ClamAV. Thanks to all who contributed these probes!

Happy scanning!
Dan

[1] https://nmap.org/changelog.html
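Review bot: The first comment of the rewritten rpcbind block, `+#RPC Response, MSG_ACCEPTED, any AUTH type`, is missing the space after `#` that the two comments below it use, and it is also the place to spell out which verifier flavors the class `[\x00-\x03\x06]` accepts (AUTH_NONE, AUTH_SYS, AUTH_SHORT, AUTH_DH and RPCSEC_GSS), because the removed lines each documented one case and the `-# AUTH_DH, apparently used by Veeam?` note is otherwise lost with them.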
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
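The match lines quoted throughout the message all follow the nmap-service-probes grammar: a service name, a regex in `m<delim>...<delim>` with optional `i`/`s` flags, then version fields (`p/`, `v/`, `i/`, `h/`, `o/`, `d/`, `cpe:/`) whose `$N` tokens are filled from the regex's capture groups. The following evaluator is an added example, written for this archive page; it is not Nmap's code and not part of Dan's post. It parses three of the lines above (4D, NMEA 0183 and the root-shell backdoor) and runs them against constructed banners, so you can see how the backreference in the 4D line, the optional leading NMEA sentence and the `h/$2/` hostname template behave. It assumes only `$N` templates (not Nmap's `$P`, `$SUBST` or `$I` helpers) and that, as in the real file, the chosen delimiter never appears inside the regex; the banners are constructed, not captured from devices.

```python
"""Evaluate nmap-service-probes 'match' lines against captured banners.

Added example, not code from Nmap or from the post: handles the subset of
match-line syntax used above (m<delim>regex<delim> with the i/s flags, then
p/ v/ i/ h/ o/ d/ cpe:/ fields with $N templates). Banners are constructed.
"""
import re

# Three match lines quoted from the post, with the leading '+' diff marker removed.
MATCH_LINES = [
    r"match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: 4D_v(\d+)/(\1\.\d+)\r\n| "
    r"p/4D RDBMS web server/ v/$2/ cpe:/a:4d_sas:4d:$2/",
    r"match nmea-0183 m|^(?:\$GP[A-Z]{3},[\w.,]+\*[A-F\d]{2}\r\n)*\$GPGGA,(\d\d)(\d\d)(\d\d),"
    r"([-\d.]+,[NS]),([-\d.]+,[EW]),\d,| p/NMEA 0183 GPS data/ i/coordinates: $4, $5 as of $1:$2:$3 UTC/",
    r"match shell m|^(root@([^:]+):[^#$]+)# bash: HELP: command not found\n\1# \1# $| "
    r"p/Bash shell/ i/**BACKDOOR**; root shell/ h/$2/ cpe:/a:gnu:bash/",
]

# Field prefixes and the names Nmap reports them under (longest prefix first).
FIELD_NAMES = {"cpe:": "cpe", "p": "product", "v": "version", "i": "info",
               "h": "hostname", "o": "os", "d": "devicetype"}


def parse_match_line(line):
    """Split a match/softmatch line into service, compiled regex and template fields."""
    kind, service, rest = line.split(None, 2)
    if not rest.startswith("m"):
        raise ValueError("expected m<delim>regex<delim>: " + rest)
    delim = rest[1]
    end = rest.index(delim, 2)          # the delimiter cannot appear inside the regex
    regex, rest = rest[2:end], rest[end + 1:]
    flags = 0
    while rest and rest[0] in "is":     # i and s are the only flags the format allows
        flags |= re.I if rest[0] == "i" else re.S
        rest = rest[1:]
    fields = {}
    rest = rest.strip()
    while rest:
        key = next((k for k in FIELD_NAMES if rest.startswith(k)), None)
        if key is None:
            raise ValueError("unknown field: " + rest)
        delim = rest[len(key)]
        end = rest.index(delim, len(key) + 1)
        fields.setdefault(FIELD_NAMES[key], []).append(rest[len(key) + 1:end])
        rest = rest[end + 1:]
        if key == "cpe:":               # cpe:/.../a marks an application CPE
            rest = rest.lstrip("a")
        rest = rest.strip()
    # Nmap matches the raw response bytes, so compile a bytes pattern.
    return {"kind": kind, "service": service,
            "regex": re.compile(regex.encode("latin-1"), flags), "fields": fields}


def expand(template, m):
    """Nmap's $N substitution (the $P(), $SUBST() and $I() helpers are not implemented)."""
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))).decode("latin-1"), template)


def run_match(entry, banner):
    """Return the version fields a banner yields for one match line, or None."""
    m = entry["regex"].search(banner)
    if not m:
        return None
    result = {"service": entry["service"]}
    for name, templates in entry["fields"].items():
        prefix = "cpe:/" if name == "cpe" else ""
        result[name] = [prefix + expand(t, m) for t in templates]
    return result


def identify(banner, lines=MATCH_LINES):
    """First matching line wins, as in Nmap's version detection."""
    for line in lines:
        result = run_match(parse_match_line(line), banner)
        if result:
            return result
    return None


# Constructed banners; the GPS one carries a leading $GPRMC sentence that the
# optional group at the start of the NMEA regex has to skip over.
BANNERS = {
    "4d": b"HTTP/1.1 200 OK\r\nServer: 4D_v15/15.2\r\nContent-Length: 0\r\n\r\n",
    "gps": (b"$GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W*6A\r\n"
            b"$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47\r\n"),
    "shell": b"root@printer:/# bash: HELP: command not found\nroot@printer:/# root@printer:/# ",
    "ssh": b"SSH-2.0-OpenSSH_7.4\r\n",   # matches none of the three lines
}

if __name__ == "__main__":
    for name, banner in BANNERS.items():
        print(name, "->", identify(banner))
```

Python's `re` is close enough to the PCRE Nmap uses for these three patterns, but not in general (PCRE-only constructs such as possessive quantifiers would need a different engine), so treat this as a way to reason about a candidate match line before submitting it rather than as a drop-in for `nmap -sV`.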
Current thread:
- Service fingerprint integration highlights Daniel Miller (Nov 26)
- Re: Service fingerprint integration highlights David Fifield (Nov 26)
- Re: Service fingerprint integration highlights Daniel Miller (Nov 28)
- Re: Service fingerprint integration highlights David Fifield (Nov 26)