Nmap Development mailing list archives

Service fingerprint integration highlights


From: Daniel Miller <bonsaiviking () gmail com>
Date: Sat, 26 Nov 2016 10:58:54 -0600

Now for the fun and really weird stuff! We received 1357 new service
fingerprint submissions between January and September 2016. The number of
match lines increased by 561 (5.3%), including 20 new softmatches for
services like clam, websocket, jabber, quic, niagara-fox, asf-rmcp, and
coap. Softmatches allow Nmap to jump straight to sending the most likely
probes for a service type instead of relying solely on the port number, so
they are extra valuable in speeding up -sV scan times.
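To show how the match and softmatch lines quoted in this post are read and how their p/ v/ cpe:/ templates get filled in from the regex captures, here is an added example (not code from this post or from Nmap itself); the two match lines are the post's own 4D and PE lines re-joined onto single lines, and the banners are constructed:

```python
import re

# Added example (not code from the Nmap post or from Nmap): a minimal reader
# for nmap-service-probes "match"/"softmatch" lines that tests a banner against
# them and expands $N references into the p/ v/ i/ cpe:/ version fields.
LINE_RE = re.compile(r"^(match|softmatch)\s+(\S+)\s+m(.)(.*?)\3([is]*)\s*(.*)$")
FIELD_RE = re.compile(r"(cpe:|[pvihod])(.)(.*?)\2")  # each field picks its own delimiter
FIELD_NAMES = {"p": "product", "v": "version", "i": "info", "h": "hostname",
               "o": "os", "d": "devicetype", "cpe:": "cpe"}

def parse_match_line(line):
    """Split one match line into service, compiled byte regex and field templates."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a match line: %r" % line)
    kind, service, _delim, pattern, flags, rest = m.groups()
    re_flags = (re.IGNORECASE if "i" in flags else 0) | (re.DOTALL if "s" in flags else 0)
    fields = {FIELD_NAMES[name]: tmpl for name, _, tmpl in FIELD_RE.findall(rest)}
    # Banners are raw bytes, so the pattern is compiled as a bytes regex.
    return {"kind": kind, "service": service,
            "regex": re.compile(pattern.encode("latin-1"), re_flags), "fields": fields}

def expand(template, m, name):
    """Replace $1, $2, ... with captured groups; the cpe: field drops its prefix when parsed."""
    text = re.sub(r"\$(\d)", lambda g: (m.group(int(g.group(1))) or b"").decode("latin-1"), template)
    return "cpe:/" + text if name == "cpe" else text

def fingerprint(banner, rules, softmatched=None):
    """First matching rule wins; after a softmatch only rules for that service are tried."""
    for rule in rules:
        if softmatched and rule["service"] != softmatched:
            continue
        m = rule["regex"].search(banner)
        if m:
            result = {"kind": rule["kind"], "service": rule["service"]}
            result.update({k: expand(v, m, k) for k, v in rule["fields"].items()})
            return result
    return None

# Two lines quoted from the post (re-joined onto single lines), plus constructed banners.
RULES = [parse_match_line(l) for l in [
    r"softmatch ms-pe-exe m|^.{0,4}MZ.{76}This program cannot be run in DOS mode\.|s p/Microsoft PE executable file/",
    r"match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: 4D/([\d.]+)\r\n|s p/4D RDBMS web server/ v/$1/ cpe:/a:4d_sas:4d:$1/",
]]
BANNER_4D = b"HTTP/1.1 200 OK\r\nServer: 4D/15.3\r\nContent-Length: 0\r\n\r\n"
BANNER_PE = b"MZ" + b"\x90" * 76 + b"This program cannot be run in DOS mode.\r\n"

if __name__ == "__main__":
    print(fingerprint(BANNER_4D, RULES), fingerprint(BANNER_PE, RULES))
```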

We did a deep dive on HAProxy versioning based on error pages and HTTP
headers introduced in different versions. The result is 22 new match lines
distinguishing versions before 1.3.1, 1.4.0 to 1.5.10, and 1.6.0 and later.

Malware!
+match backdoor m|^DT Key Logger -- Logging System Wide Key Presses\r\n|
p/Deep Throat keylogger/ i/**MALWARE**/
+# A DOS/Win PE executable within 4 bytes of the beginning of stream
+softmatch ms-pe-exe m|^.{0,4}MZ.{76}This program cannot be run in DOS
mode\.|s p/Microsoft PE executable file/

Backdoors!
+match shell m|^(root@([^:]+):[^#$]+)# bash: HELP: command not found\n\1#
\1# $| p/Bash shell/ i/**BACKDOOR**; root shell/ h/$2/ cpe:/a:gnu:bash/
+match shell m|^(([\w-]+)@([^:]+):[^#$]+)\$ bash: HELP: command not
found\n\1\$ \1\$ $| p/Bash shell/ i/**BACKDOOR**; user: $2/ h/$3/
cpe:/a:gnu:bash/

Here's a raw serial port:
+# Hayes codes, could be something else but all searches point to Lantronix
devices on port 3001
+match modem m|^(?:ATZ\r)?(?:\+\+\+ATZ\r)| p/Lantronix raw serial port/
+match extron-serial m|^\r\n\(c\) Copyright 2\d\d\d, Extron Electronics,
([^,]+), V([\d.]+)\r\n| p/Extron $1 serial port/ v/$2/ cpe:/h:extron:$1/

This database server, 4th Dimension, is 32 years old and only just now
starting to show up in our service database!
+match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: 4D_v(\d+)/(\1\.\d+)\r\n| p/4D
RDBMS web server/ v/$2/ cpe:/a:4d_sas:4d:$2/
+match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: 4D/([\d.]+)\r\n|s p/4D RDBMS
web server/ v/$1/ cpe:/a:4d_sas:4d:$1/

Geolocate your target with GPS!
+match nmea-0183
m|^(?:\$GP[A-Z]{3},[\w.,]+\*[A-F\d]{2}\r\n)*\$GPGGA,(\d\d)(\d\d)(\d\d),([-\d.]+,[NS]),([-\d.]+,[EW]),\d,|
p/NMEA 0183 GPS data/ i/coordinates: $4, $5 as of $1:$2:$3 UTC/
+match nmea-0183 m|^\$GP[A-Z]{3},[\w.,]+\*[A-F\d]{2}\r\n| p/NMEA 0183 GPS
data/

SCADA/ICS services:
+match siemens-xtrace
m|^OK\x1d\0\x0e\x18.\x08\x02\x10\xd5q..([\w.]+)\0\0\0\0\0\0|s p/Siemens
X-Trace/ i/production version: $1/
+match keyence-pc m|^ER,,02\rER,,02\r| p|Keyence EtherNet/IP module|
d/specialized/
+match http m|^HTTP/1\.0 200 OK\r\nDate: .* GMT\r\nExpires: .*
GMT\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length:
\d+\r\n\r\n<html><head><title>Velkommen til 963</title>| p/Trend 963
Supervisor building control system/ i/Danish/ d/specialized/
cpe:/a:trend_control_systems:963_supervisor::::da/

IoT and home automation:
+match http m|^HTTP/1\.0 401 Unauthorized\r\nServer: HTTPD\r\nDate: .*
GMT\r\nWWW-Authenticate: Basic realm="USER LOGIN"\r\nPragma:
no-cache\r\nCache-Control: no-cache\r\nContent-Type:
text/html\r\nConnection: close\r\n\r\n<HTML><HEAD><TITLE>401
Unauthorized</TITLE></HEAD>\n<BODY BGCOLOR="#cc9999"><H4>401
Unauthorized</H4>\nAuthorization required\.\n</BODY></HTML>\n|
p/LimitlessLED smart lightbulb bridge httpd/ d/specialized/
+match http m|^HTTP/1\.1 200 OK\r\nContent-type:
text/html\r\n\r\n<html><head><title>hue personal wireless
lighting</title></head><body><b>Use a modern browser to view this
resource\.</b></body></html>| p/Philips Hue wireless lighting bridge/
cpe:/h:philips:hue_bridge/

Plus a ton of IP cameras, DVRs, phones, modems, printers, etc.

Fortinet devices are tricky to match. We've mentioned this before in the
highlights, but since last time we added this complicated match line which
does a decent job of catching the unusual randomness of the banner:
+# FortiSSH uses random server name - match an appropriate length, then
check for 3 dissimilar character classes in a row.
+# Does not catch everything, but ought to be pretty good.
+match ssh
m%^SSH-([\d.]+)-(?=[\w._-]{5,15}\n$).*(?:[a-z](?:[A-Z]\d|\d[A-Z])|[A-Z](?:[a-z]\d|\d[a-z])|\d(?:[a-z][A-Z]|[A-Z][a-z]))%
p/FortiSSH/ i/protocol $1/ cpe:/o:fortinet:fortios/

Here's a Ukrainian taxicab!
+# Ukrainian Taxi Software by EvOs: Такси Навигатор
+match taxinav m|^\x9f\x01<D><T RT="0" MT="1" MTData="| p/EvoS Taxi
Navigator/

A collection of services that come with the Miami Deluxe IP stack for Amiga:
+match telnet m|^\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f\xff\xfd!| p/MiamiDx
telnetd/ o/AmigaOS/
+match finger m|^Site: (.+)\n\nLogin     Name\n| p/MiamiDx fingerd/ i/site:
$1/ o/AmigaOS/
+match finger m|^no such user here\n$| p/MiamiDx fingerd/ o/AmigaOS/

This very odd service runs on TCP 54548 on Ricoh printers:
+match dps-shell m|^\+-{26}\+\r\n\x7c {6}Welcome to use {6}\x7c\r\n\x7c
Destiny DPS Mini shell< \x7c\r\n\+-{9}\+-{16}\+\r\n\x7c Author  \x7c
TimesWu {8}\x7c\r\n\+-{9}\+-{16}\+\r\n\x7c Version \x7c V([\d.]+)
{10}\x7c\r\n\+-{9}\+-{16}\+\r\n| p/Destiny DPS Mini shell/ v/$1/ i/Ricoh
printer/ d/printer/

Fixed up these RPC match lines to cover all possibilities more efficiently:
-match rpcbind
m|^\x80\0\0\x18\x72\xFE\x1D\x13\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01|
-match rpcbind
m|^\x80\0\0\x20\x72\xFE\x1D\x13\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x02|
-match rpcbind
m|^\x80\0\0\x14r\xfe\x1d\x13\0\0\0\x01\0\0\0\x01\0\0\0\x01\0\0\0\x05|
-match rpcbind
m|^\x80\0\0\x18r\xfe\x1d\x13\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0|
-# AUTH_DH, apparently used by Veeam?
-match rpcbind
m|^\x80\0\0\x18r\xfe\x1d\x13\0\0\0\x01\0\0\0\0\0\0\0\x03\0\0\0\0\0\0\0\0|
+#RPC Response, MSG_ACCEPTED, any AUTH type
+match rpcbind
m|^\x80\0\0.\x72\xfe\x1d\x13\0\0\0\x01\0\0\0\0\0\0\0[\x00-\x03\x06]|
+# RPC Response, MSG_DENIED, RPC_MISMATCH
+match rpcbind
m|^\x80\0\0.\x72\xfe\x1d\x13\0\0\0\x01\0\0\0\x01\0\0\0\x00\0\0\0[\x00-\x02]\0\0\0[\x00-\x02]|
+# RPC Response, MSG_DENIED, AUTH_ERROR, any status
+match rpcbind
m|^\x80\0\0.\x72\xfe\x1d\x13\0\0\0\x01\0\0\0\x01\0\0\0\x01\0\0\0[\x00-\x07]|
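Review bot: the comment on the first added rpcbind line says "any AUTH type", but the flavor class "[\x00-\x03\x06]" at the end of that regex skips flavors 4 and 5 (and anything above 6); either widen it to "[\x00-\x06]" or reword the comment to say it covers flavors 0 through 3 and 6 only. Minor style point: "+#RPC Response, MSG_ACCEPTED, any AUTH type" is missing the space after "#" that the other two new comments have.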

Plus, as noted in Nmap's changelog [1], we have new service probes for
OpenVPN (TCP and UDP), PCWorx, ProConOs, Tridium Niagara Fox, MQTT, RMCP
(IPMI), CoAP, DTLS, iperf3, QUIC, and ClamAV. Thanks to all who contributed
these probes!

Happy scanning!
Dan

[1] https://nmap.org/changelog.html
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/