Nmap Development mailing list archives

Service fingerprint integration highlights


From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 5 Jun 2017 16:28:47 -0500

Hello again! Time for another thrilling installment of "weird stuff Nmap
knows about now," a.k.a. service fingerprints submission highlights.

We received 855 service fingerprint submissions between September 2016 and
March 2017. The number of match lines increased by 323 (2.9%), including 14
new softmatches for protocols like apachemq, Yandex Clickhouse, dtls, and
slmp.

Cryptocurrencies!
+match bitcoin m|^\xbf\x0ck\xbdgetsporks\0\0\0\0\0\0\0\]\xf6\xe0\xe2| p/Dash cryptocurrency server/ i/Bitcoin fork/
+match cryptonote m|^HTTP/1\.0 200 OK\nContent-Type: text/plain\nContent-Length: 20\n\nmining server online| p/node-cryptonote-pool CryptoNote miner/ i/Node.js/ cpe:/a:nodejs:node.js/

Home Automation
+match sma-solar m|^\x01\0\x04\0Z\x06\0\0| p/SMA Sunny WebBox/ d/power-misc/
+match http m|^HTTP/1\.1 200 OK\r\ncontent-length: \d+\r\nDate: .*\r\nConnection: close\r\n\r\n<\?xml version="1\.0"\?>\n<root xmlns="urn:schemas-wink-com:device-1-0">\n<specVersion>\n<major>1</major>\n<minor>0</minor>\n</specVersion>\n<URLBase>https://[^<]+</URLBase>\n<device>\n<deviceType>urn:wink-com:device:hub:([^<:]+)</deviceType>\n| p/Wink Hub $1 API httpd/ d/specialized/ cpe:/h:wink:hub_$1/
+match http m|^HTTP/1\.0 200 Ok\r\nServer: ZiBASE([\d.]+)\r\n| p/Zodianet ZiBASE home automation httpd/ v/$1/ d/specialized/
+match http m|^HTTP/1\.1 200 OK\r\nCONNECTION: close\r\nCONTENT-LENGTH: \d+\r\nCONTENT-TYPE: text/html\r\n\r\n\xef\xbb\xbf<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1\.0 Strict//EN\" \"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-strict\.dtd\";>\r\n<html> \r\n<head>\r\n<title>WEB SERVICE</title>| p/ADT Home Security web management interface/ d/security-misc/
+# https://github.com/ael-code/daikin-control
+match http m|^HTTP/1\.0 404 Not Found\r\nContent-Length: 30\r\nContent-Type: text/plain\r\n\r\nret=PARAM NG,msg=404 Not Found| p/Daikin air conditioning unit REST API httpd/ d/specialized/

You might find this web server on your drone... or your Tesla automobile!
+match http m|^HTTP/1\.0 400 Bad Request\r\nSERVER: Parrot\r\nCONTENT-TYPE: text/html\r\nCONTENT-LENGTH: \d+\r\n\r\n<html><head><title>400 Bad Request</title></head><body></body></html>| p/Parrot S.A. embedded httpd/

TiVo set top box remote control
+match tivo-remote m|^CH_STATUS (\d{4}(?: \d{4})?) [REMOTLCADING]+\r| p/TiVo TCP Remote/ i/channel: $1/ d/media device/

Automated Teller Machines
+match wincor-atm m|^pof16 \(FillUp\) v\.([\d.]+)\n\{cftftc\}\r| p/Wincor Nixdorf ATM service/ v/$1/ d/specialized/
+# These are probably a different service; seen running on the same system as the above
+match wincor-atm m|^p16in\n| p/Wincor Nixdorf ATM service/ d/specialized/
+match wincor-atm m|^{cftftc}\r| p/Wincor Nixdorf ATM service/ d/specialized/

Sometimes you just gotta stream an executable?
+softmatch elf-exe m|^.{0,4}\x7fELF\x01[\x01\x02]\x01| p/ELF 32-bit executable file/
+softmatch elf-exe m|^.{0,4}\x7fELF\x02[\x01\x02]\x01| p/ELF 64-bit executable file/

This is the actual NetUSB software behind thousands of TP-LINK and
other-branded mini print servers:
+# http://blog.sec-consult.com/2015/05/kcodes-netusb-how-small-taiwanese.html
+match http m|^HTTP/1\.0 200 OK\r\nCache-control: no-cache\r\nConnection: Close\r\n\r\n(?:<!-T0004->\r\n)?<HTML>\r\n<HEAD>\r\n<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="TEXT/HTML">\r\n<TITLE></TITLE>\r\n</HEAD>\r\n<BODY BGCOLOR=#FFFFFF>\r\n<SCRIPT LANGUAGE=JavaScript>\r\n\tdocument\.location\.href="system30\.htm";\r\n</script>\r\n</BODY>\r\n</HTML>| p/KCodes NetUSB http interface/ cpe:/o:kcodes:netusb/

Microsoft SQL Server is no longer Windows-only: there's a Linux version,
too.
+# No longer Windows-only
+match ms-sql-s m|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x0e\x00..|s p/Microsoft SQL Server vNext tech preview/ v/14.00.X/ cpe:/a:microsoft:sql_server/
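For readers who have not looked inside nmap-service-probes before, here is an added Python example (not Nmap's own matcher, which is C++ on PCRE, and not code from this post) that parses a handful of the match lines quoted above and runs them against constructed banners. It supports only the subset of the syntax those lines use: the `m<delim>regex<delim>` form, the `i` and `s` flags, the `p/ v/ i/ h/ o/ d/` version fields, `cpe:` entries, and plain `$N` capture substitution. The banners and the ZiBASE version number are made up for the demonstration.

```python
import re

# Constructed sample: four match lines quoted in this post, rejoined onto single
# lines in nmap-service-probes syntax. This is not the whole file.
MATCH_LINES = [
    r"match http m|^HTTP/1\.0 200 Ok\r\nServer: ZiBASE([\d.]+)\r\n| p/Zodianet ZiBASE home automation httpd/ v/$1/ d/specialized/",
    r"match tivo-remote m|^CH_STATUS (\d{4}(?: \d{4})?) [REMOTLCADING]+\r| p/TiVo TCP Remote/ i/channel: $1/ d/media device/",
    r"softmatch elf-exe m|^.{0,4}\x7fELF\x01[\x01\x02]\x01| p/ELF 32-bit executable file/",
    r"match ms-sql-s m|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x0e\x00..|s p/Microsoft SQL Server vNext tech preview/ v/14.00.X/ cpe:/a:microsoft:sql_server/",
]

# Constructed banners a probe might get back; none of these is a real capture.
ZIBASE_BANNER = b"HTTP/1.0 200 Ok\r\nServer: ZiBASE2.3\r\nContent-Type: text/html\r\n\r\n"
TIVO_BANNER = b"CH_STATUS 0123 LOCAL\r"
ELF_BANNER = b"\x7fELF\x01\x01\x01" + b"\x00" * 9
MSSQL_BANNER = (b"\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b"
                b"\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x0e\x00\n\n")

# Version-field letters used in the file, mapped to readable keys.
FIELD_NAMES = {"p": "product", "v": "version", "i": "info", "h": "hostname",
               "o": "os", "d": "devicetype", "cpe:": "cpe"}
FIELD_RE = re.compile(r"(?<!\S)(cpe:|[pvihod])/([^/]*)/a?")
FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL}


def parse_match_line(line):
    """Split a match/softmatch line into kind, service, compiled regex and fields."""
    kind, service, rest = line.split(" ", 2)
    if kind not in ("match", "softmatch") or rest[0] != "m":
        raise ValueError("not a match line: " + line)
    delim = rest[1]                      # any character may delimit; '|' is usual
    end = rest.index(delim, 2)           # the delimiter may not occur in the regex
    pattern = rest[2:end]
    flags, pos = 0, end + 1
    while pos < len(rest) and rest[pos] in FLAGS:
        flags |= FLAGS[rest[pos]]
        pos += 1
    # Banners are bytes: encode the pattern byte-for-byte and let re expand \xNN.
    regex = re.compile(pattern.encode("latin-1"), flags)
    fields = {}
    for m in FIELD_RE.finditer(rest[pos:]):
        name = FIELD_NAMES[m.group(1)]
        if name == "cpe":
            fields.setdefault("cpe", []).append("cpe:/" + m.group(2))
        else:
            fields[name] = m.group(2)
    return {"kind": kind, "service": service, "regex": regex, "fields": fields}


def expand(template, match):
    """Replace $1, $2, ... with capture groups. Only this plain form is handled;
    Nmap's $P() and $SUBST() helpers are left out of this example."""
    def group(g):
        val = match.group(int(g.group(1)))
        return val.decode("latin-1") if val else ""
    return re.sub(r"\$(\d+)", group, template)


def fingerprint(banner, lines=MATCH_LINES):
    """Return the first hard match, else the first softmatch, else None.
    After a softmatch only later lines for that same service are tried, which
    is how a softmatch narrows the search without declaring a final answer."""
    soft = None
    for entry in map(parse_match_line, lines):
        if soft and entry["service"] != soft["service"]:
            continue
        m = entry["regex"].match(banner)
        if not m:
            continue
        result = {"service": entry["service"], "soft": entry["kind"] == "softmatch"}
        for name, tmpl in entry["fields"].items():
            result[name] = [expand(t, m) for t in tmpl] if name == "cpe" else expand(tmpl, m)
        if not result["soft"]:
            return result
        soft = soft or result
    return soft


def match_ignoring_flags(line, banner):
    """Retry a line with its i/s flags stripped, to show why a flag was needed."""
    regex = parse_match_line(line)["regex"]
    return re.compile(regex.pattern).match(banner) is not None


if __name__ == "__main__":
    for banner in (ZIBASE_BANNER, TIVO_BANNER, ELF_BANNER, MSSQL_BANNER):
        print(fingerprint(banner))
```

The ms-sql-s line is the one worth studying: its trailing `s` flag makes `.` match any byte, so the final `..` still covers the two bytes of the pre-login response when they happen to be newlines. Strip the flag and the same banner no longer matches, which is the kind of silent miss that turns up as an "unknown" service in a scan.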

Telnet daemons based on 2.11BSD require a terminal type handshake. We had
been matching these as TN3270 (which requires the same handshake), but
they're different:
+match telnet m|^\xff\xfd\x18\xff\xfa\x18\x01\xff\xf0\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\r\n\r\nSunOS UNIX \(([^)]+)\)\r\n\r\0\r\n\r\0login: | p/SunOS telnetd/ o/SunOS/ h/$1/ cpe:/o:sun:sunos/a
+match telnet m|^\xff\xfd\x18\xff\xfa\x18\x01\xff\xf0\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\r\n\r\nUltrix(?:-32)? V([\d.]+) \(Rev\.? (\d+)\) \(([^)]+)\)\r\n\r\r\n\rlogin: |i p/Ultrix telnetd/ o/Ultrix $1/ h/$3/ cpe:/o:dec:ultrix:$1:$2/
+# Softmatch because we can get way more specific with most of these.
+softmatch telnet m|^\xff\xfd\x18\xff\xfa\x18\x01\xff\xf0\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01| p/2.11BSD-derived telnetd/ o/Unix/
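The byte prefix shared by those three telnet lines is telnet option negotiation, and the reason a terminal-type handshake is "required" is the subnegotiation in the middle of it. As an added illustration (not code from Nmap or from this post), here is a small Python decoder for the IAC sequences, plus the client-side reply a probe has to send before such a daemon will show its login prompt. The sample stream reuses the prefix from the match lines and a made-up SunOS banner and hostname; the option names come from the telnet RFCs.

```python
# Telnet command and option codes (RFC 854/855; ECHO RFC 857, SUPPRESS-GO-AHEAD
# RFC 858, TERMINAL-TYPE RFC 1091, NAWS RFC 1073).
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
COMMANDS = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
OPTIONS = {0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE",
           31: "NAWS"}
TTYPE, TTYPE_IS, TTYPE_SEND = 24, 0, 1

# Constructed stream: the negotiation prefix from the match lines above, then a
# SunOS-style login prompt with an invented hostname.
SAMPLE = (b"\xff\xfd\x18\xff\xfa\x18\x01\xff\xf0\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01"
          b"\r\n\r\nSunOS UNIX (sparky)\r\n\r\0\r\n\r\0login: ")


def decode_telnet(data):
    """Split a telnet stream into readable negotiation commands and the text
    that is left once every IAC sequence has been removed."""
    commands, text, i = [], bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            text.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):                 # IAC cut off at end of capture
            commands.append("IAC (truncated)")
            break
        cmd = data[i + 1]
        if cmd == IAC:                         # IAC IAC is an escaped 0xff data byte
            text.append(IAC)
            i += 2
        elif cmd in COMMANDS and i + 2 < len(data):
            opt = data[i + 2]
            commands.append(f"{COMMANDS[cmd]} {OPTIONS.get(opt, opt)}")
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                commands.append("SB (unterminated)")
                break
            opt, body = data[i + 2], data[i + 3:end]
            desc = f"SB {OPTIONS.get(opt, opt)}"
            if opt == TTYPE and body:
                if body[0] == TTYPE_SEND:
                    desc += " SEND"
                else:
                    desc += " IS " + body[1:].decode("ascii", "replace")
            commands.append(desc)
            i = end + 2
        else:                                  # NOP, GA, and other two-byte commands
            commands.append(f"IAC {cmd}")
            i += 2
    return commands, bytes(text)


def wants_terminal_type(data):
    """True if the server asked the client to name its terminal type; a
    2.11BSD-style telnetd waits for that answer before printing the banner."""
    return "SB TERMINAL-TYPE SEND" in decode_telnet(data)[0]


def terminal_type_reply(name=b"VT100"):
    """Client side of the handshake: agree to TERMINAL-TYPE, then answer
    IAC SB TERMINAL-TYPE IS <name> IAC SE (RFC 1091)."""
    return (bytes([IAC, WILL, TTYPE])
            + bytes([IAC, SB, TTYPE, TTYPE_IS]) + name + bytes([IAC, SE]))


if __name__ == "__main__":
    commands, text = decode_telnet(SAMPLE)
    print("\n".join(commands))
    print(repr(text))
    print(terminal_type_reply())
```

Decoding the sample gives DO TERMINAL-TYPE, SB TERMINAL-TYPE SEND, WILL ECHO, WILL SUPPRESS-GO-AHEAD, DO ECHO, and only after the SEND has been answered does the "SunOS UNIX (...)" text that the hard match captures as the hostname arrive. TN3270 servers open with the same exchange, which is why the two were confused until the text after the negotiation was used to tell them apart.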

Also researched and added lots more match lines for Modbus, DTLS, and
Drawpile.

We also added service probes for NoMachine Network Server, JMON for z/OS,
and LibreOffice Impress Remote Server; thanks to Justin Cacak, Soldier of
Fortran, and Jeremy Hiebert for those contributions.

Happy scanning!
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
