Nmap Development mailing list archives
Service fingerprint integration highlights
From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 5 Jun 2017 16:28:47 -0500
Hello again! Time for another thrilling installment of "weird stuff Nmap knows about now," a.k.a. service fingerprints submission highlights. We received 855 service fingerprint submissions between September 2016 and March 2017. The number of match lines increased by 323 (2.9%), including 14 new softmatches for protocols like apachemq, Yandex Clickhouse, dtls, and slmp.

Cryptocurrencies!

+match bitcoin m|^\xbf\x0ck\xbdgetsporks\0\0\0\0\0\0\0\]\xf6\xe0\xe2| p/Dash cryptocurrency server/ i/Bitcoin fork/
+match cryptonote m|^HTTP/1\.0 200 OK\nContent-Type: text/plain\nContent-Length: 20\n\nmining server online| p/node-cryptonote-pool CryptoNote miner/ i/Node.js/ cpe:/a:nodejs:node.js/

Home Automation

+match sma-solar m|^\x01\0\x04\0Z\x06\0\0| p/SMA Sunny WebBox/ d/power-misc/
+match http m|^HTTP/1\.1 200 OK\r\ncontent-length: \d+\r\nDate: .*\r\nConnection: close\r\n\r\n<\?xml version="1\.0"\?>\n<root xmlns="urn:schemas-wink-com:device-1-0">\n<specVersion>\n<major>1</major>\n<minor>0</minor>\n</specVersion>\n<URLBase>https://[^<]+</URLBase>\n<device>\n<deviceType>urn:wink-com:device:hub:([^<:]+)</deviceType>\n| p/Wink Hub $1 API httpd/ d/specialized/ cpe:/h:wink:hub_$1/
+match http m|^HTTP/1\.0 200 Ok\r\nServer: ZiBASE([\d.]+)\r\n| p/Zodianet ZiBASE home automation httpd/ v/$1/ d/specialized/
+match http m|^HTTP/1\.1 200 OK\r\nCONNECTION: close\r\nCONTENT-LENGTH: \d+\r\nCONTENT-TYPE: text/html\r\n\r\n\xef\xbb\xbf<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1\.0 Strict//EN\" \"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-strict\.dtd\">\r\n<html> \r\n<head>\r\n<title>WEB SERVICE</title>| p/ADT Home Security web management interface/ d/security-misc/
+# https://github.com/ael-code/daikin-control
+match http m|^HTTP/1\.0 404 Not Found\r\nContent-Length: 30\r\nContent-Type: text/plain\r\n\r\nret=PARAM NG,msg=404 Not Found| p/Daikin air conditioning unit REST API httpd/ d/specialized/

You might find this web server on your drone... or your Tesla automobile!

+match http m|^HTTP/1\.0 400 Bad Request\r\nSERVER: Parrot\r\nCONTENT-TYPE: text/html\r\nCONTENT-LENGTH: \d+\r\n\r\n<html><head><title>400 Bad Request</title></head><body></body></html>| p/Parrot S.A. embedded httpd/

TiVo set top box remote control

+match tivo-remote m|^CH_STATUS (\d{4}(?: \d{4})?) [REMOTLCADING]+\r| p/TiVo TCP Remote/ i/channel: $1/ d/media device/

Automated Teller Machines

+match wincor-atm m|^pof16 \(FillUp\) v\.([\d.]+)\n\{cftftc\}\r| p/Wincor Nixdorf ATM service/ v/$1/ d/specialized/
+# These are probably a different service; seen running on the same system as the above
+match wincor-atm m|^p16in\n| p/Wincor Nixdorf ATM service/ d/specialized/
+match wincor-atm m|^{cftftc}\r| p/Wincor Nixdorf ATM service/ d/specialized/

Sometimes you just gotta stream an executable?

+softmatch elf-exe m|^.{0,4}\x7fELF\x01[\x01\x02]\x01| p/ELF 32-bit executable file/
+softmatch elf-exe m|^.{0,4}\x7fELF\x02[\x01\x02]\x01| p/ELF 64-bit executable file/

This is the actual NetUSB software behind thousands of TP-LINK and other-branded mini print servers:

+# http://blog.sec-consult.com/2015/05/kcodes-netusb-how-small-taiwanese.html
+match http m|^HTTP/1\.0 200 OK\r\nCache-control: no-cache\r\nConnection: Close\r\n\r\n(?:<!-T0004->\r\n)?<HTML>\r\n<HEAD>\r\n<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="TEXT/HTML">\r\n<TITLE></TITLE>\r\n</HEAD>\r\n<BODY BGCOLOR=#FFFFFF>\r\n<SCRIPT LANGUAGE=JavaScript>\r\n\tdocument\.location\.href="system30\.htm";\r\n</script>\r\n</BODY>\r\n</HTML>| p/KCodes NetUSB http interface/ cpe:/o:kcodes:netusb/

Microsoft SQL Server is no longer Windows-only: there's a Linux version, too.

+# No longer Windows-only
+match ms-sql-s m|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x0e\x00..|s p/Microsoft SQL Server vNext tech preview/ v/14.00.X/ cpe:/a:microsoft:sql_server/

Telnet daemons based on 2.11BSD require a terminal type handshake. We had been matching these as TN3270 (which requires the same handshake), but they're different:

+match telnet m|^\xff\xfd\x18\xff\xfa\x18\x01\xff\xf0\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\r\n\r\nSunOS UNIX \(([^)]+)\)\r\n\r\0\r\n\r\0login: | p/SunOS telnetd/ o/SunOS/ h/$1/ cpe:/o:sun:sunos/a
+match telnet m|^\xff\xfd\x18\xff\xfa\x18\x01\xff\xf0\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\r\n\r\nUltrix(?:-32)? V([\d.]+) \(Rev\.? (\d+)\) \(([^)]+)\)\r\n\r\r\n\rlogin: |i p/Ultrix telnetd/ o/Ultrix $1/ h/$3/ cpe:/o:dec:ultrix:$1:$2/
+# Softmatch because we can get way more specific with most of these.
+softmatch telnet m|^\xff\xfd\x18\xff\xfa\x18\x01\xff\xf0\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01| p/2.11BSD-derived telnetd/ o/Unix/

Also researched and added lots more match lines for Modbus, DTLS, and Drawpile. We also added service probes for NoMachine Network Server, JMON for z/OS, and LibreOffice Impress Remote Server; thanks to Justin Cacak, Soldier of Fortran, and Jeremy Hiebert for those contributions.

Happy scanning!
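Review bot: in the ADT match line, the double quotes inside the DOCTYPE are written as `\"`, but `"` is not special to the regex or to the `|` delimiters, so the backslashes only add noise; the Wink and NetUSB lines in the same batch use bare `"`, and this one should too for consistency.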
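Review bot: in the tivo-remote match, `[REMOTLCADING]+` is a character class, so it accepts any run of those letters (for example `CH_STATUS 0123 TOAD\r`) rather than a specific status keyword. If the trailing field is one of a fixed set of words (the letters in the class spell out LOCAL, REMOTE and RECORDING), an alternation such as `(LOCAL|REMOTE|RECORDING)` is tighter, and the captured word could be reported in the i/ field alongside the channel.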
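Review bot: the three wincor-atm lines are inconsistent about brace escaping: the first writes `\{cftftc\}`, the third `{cftftc}`. PCRE treats both as literal braces here, but pick one form. More importantly, `^p16in\n` and `^{cftftc}\r` are 6- and 8-byte matches with no version or other distinguishing content, and the comment above them says they are probably a different service; committing a hard match with the same product name on that little data is risky, so a softmatch, or at least a distinct service name, would be safer.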
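Review bot: the two elf-exe softmatches use `.{0,4}` before `\x7fELF` but carry no `s` flag, so if any of those leading bytes is 0x0a (newline), `.` does not match it and the line silently fails on an otherwise valid ELF header. Add `|s` after the closing delimiter, as the ms-sql-s line in this batch does, or use `[\s\S]{0,4}` for the prefix.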
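Review bot: `v/14.00.X/` in the ms-sql-s line puts a literal placeholder into the version field, which will surface as "14.00.X" in scan output. The two `..` bytes immediately after `\x0e\x00` in the pattern are the part of the PRELOGIN VERSION token that follows major 14 and minor 0; capturing them as `(..)` and unpacking them with the `$I()` helper, if that helper is available in this version's match-line syntax, would report the real build instead of `X`.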
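Review bot: the KCodes NetUSB line uses an operating-system CPE, `cpe:/o:kcodes:netusb/`, but the text introducing it describes NetUSB as software running on the print servers, and the rest of this batch uses `a:` for software; `cpe:/a:kcodes:netusb/` looks like the right part unless the intent is to name the device's OS.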
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
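The three telnet match lines in the post all start with the same 18-byte prefix, which is the terminal-type handshake the message refers to. The following is an added example, not code from the post or from Nmap itself: it decodes that prefix into Telnet option commands, builds the client reply that completes the handshake, and reproduces the SunOS and 2.11BSD match logic with the same patterns. The sample banner, the hostname `example-host` and the terminal name `xterm` are constructed for the example.

```python
import re

# Telnet command and option codes (RFC 854 / RFC 1091).
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
ECHO, SUPPRESS_GO_AHEAD, TERMINAL_TYPE = 1, 3, 24
TT_IS, TT_SEND = 0, 1
NEG_NAMES = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}

# Constructed sample: the prefix shared by the SunOS/Ultrix/2.11BSD match
# lines, followed by a made-up SunOS-style banner for host "example-host".
SAMPLE_BANNER = (
    b"\xff\xfd\x18"              # IAC DO TERMINAL-TYPE
    b"\xff\xfa\x18\x01\xff\xf0"  # IAC SB TERMINAL-TYPE SEND IAC SE
    b"\xff\xfb\x01"              # IAC WILL ECHO
    b"\xff\xfb\x03"              # IAC WILL SUPPRESS-GO-AHEAD
    b"\xff\xfd\x01"              # IAC DO ECHO
    b"\r\n\r\nSunOS UNIX (example-host)\r\n\r\x00\r\n\r\x00login: "
)

# Same patterns as the post's softmatch / SunOS match, written for Python's re.
BSD_TELNETD_PREFIX = re.compile(
    rb"^\xff\xfd\x18\xff\xfa\x18\x01\xff\xf0\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01")
SUNOS_BANNER = re.compile(
    rb"\r\n\r\nSunOS UNIX \(([^)]+)\)\r\n\r\x00\r\n\r\x00login: ")


def parse_negotiation(data):
    """Split a telnet stream into option commands and leftover plain text.

    Returns (commands, text) where commands are tuples such as ("DO", 24),
    ("WILL", 1) or ("SB", 24, b"\\x01").  Doubled IAC inside subnegotiation
    payloads is not unescaped; none of the banners here need it.
    """
    cmds, text, i = [], bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            text.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):
            break                      # truncated command
        cmd = data[i + 1]
        if cmd == IAC:                 # escaped 0xff data byte
            text.append(IAC)
            i += 2
        elif cmd in NEG_NAMES:
            if i + 2 >= len(data):
                break
            cmds.append((NEG_NAMES[cmd], data[i + 2]))
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break
            cmds.append(("SB", data[i + 2], bytes(data[i + 3:end])))
            i = end + 2
        else:
            cmds.append(("CMD", cmd))
            i += 2
    return cmds, bytes(text)


def client_reply(cmds, terminal=b"xterm"):
    """Build the client side of the handshake a 2.11BSD telnetd expects:
    agree to TERMINAL-TYPE, answer its SEND with IS <name>, accept the
    server's WILL options, and refuse any other DO (we do not echo)."""
    out = bytearray()
    for c in cmds:
        if c[0] == "DO" and c[1] == TERMINAL_TYPE:
            out += bytes([IAC, WILL, TERMINAL_TYPE])
        elif c[0] == "DO":
            out += bytes([IAC, WONT, c[1]])
        elif c[0] == "SB" and c[1] == TERMINAL_TYPE and c[2] == bytes([TT_SEND]):
            out += bytes([IAC, SB, TERMINAL_TYPE, TT_IS]) + terminal + bytes([IAC, SE])
        elif c[0] == "WILL":
            out += bytes([IAC, DO, c[1]])
    return bytes(out)


def fingerprint(data):
    """Mimic the post's match order: the specific SunOS line first, then the
    generic 2.11BSD softmatch on the shared prefix.  Returns (product, host)."""
    if not BSD_TELNETD_PREFIX.match(data):
        return None, None
    m = SUNOS_BANNER.search(data)
    if m:
        return "SunOS telnetd", m.group(1).decode()
    return "2.11BSD-derived telnetd", None


if __name__ == "__main__":
    cmds, text = parse_negotiation(SAMPLE_BANNER)
    for c in cmds:
        print(c)
    print(text)
    print(client_reply(cmds).hex())
    print(fingerprint(SAMPLE_BANNER))
```

The decoder makes the quirk visible: the server sends `SB TERMINAL-TYPE SEND` before the client has said `WILL TERMINAL-TYPE`, which is why a probe that answers the handshake is needed before these daemons print a banner.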