Nmap Development mailing list archives

Re: SSH Survey Results


From: "Joshua D. Abraham" <jabra () ccs neu edu>
Date: Thu, 15 Jun 2006 09:01:44 -0400

Awesome work Doug. I'm wondering if you thought about the idea of
the soft fingerprint match to help with OS detection as
I suggested a month ago?

--Josh

On 15.Jun.2006 04:03AM -0700, doug () hcsw org wrote:

Hi nmap-dev!

One of the projects I elected to take on for this Google Summer
of Code is a large SSH scan against random hosts on the internet in
order to refine and update Nmap's SSH version detection.

SSH is becoming more and more common of a protocol and is rarely
filtered to the extent many services are (SMB, telnet, etc) so
performing version detection (-sV) on remote SSH ports is often
the fastest and most reliable remote device profiling method.

I know when I'm doing a quick survey of my internal network
(what IP is that box using again?) I usually look at the
MAC OUI vendor if I'm on the same ethernet or the SSH version
otherwise. The SSH protocol is short and simple but don't let that
sway you: the information from it can be quite useful!

So, ladies and gentlemen, I'm pleased to announce the results
of the SoC 2006 SSH scan!

Nearly 8000 open port 22s were discovered. Of them, about 98.7%
had running SSH daemons. The fact that 1.3% of the open ports
were not in fact SSH daemons, to me, underscores the importance
of performing Nmap's version detection. When you assume an open
port 22 is SSH you may be wrong more than once every hundred
times!

Without further ado, here are the results of the scan broken
down into categories:

(("OpenSSH" 4936)
 ("Debian/OpenSSH" 808)
 ("FreeBSD/OpenSSH" 545)
 ("Cisco" 284)
 ("SCS SSH" 258)
 ("SCS SSH (non-commercial)" 150)
 ("dropbear" 98)
 ("Ubuntu/OpenSSH" 58)
 ("SunSSH/OpenSSH" 58)
 ("RomCliSecure" 50)
 ("HUAWEI-VRP" 35)
 ("Akamai" 30)
 ("xxxxxxx Fortinet VPN/firewall sshd" 28)
 ("NetScreen" 26)
 ("libssh" 19)
 ("VRP" 19)
 ("lancom" 19)
 ("Mikrotik/OpenSSH" 18)
 ("NetBSD/OpenSSH" 17)
 ("Rad SFTP" 12)
 ("RemotelyAnywhere/OpenSSH" 10)
 ("FortiSSH" 9)
 ("WinSSHD/libssh" 7)
 ("X Cisco VPN Concentrator SSHd" 5)
 ("Mocana SSH" 5)
 ("F-Secure" 4)
 ("Dlink SSH" 3)
 ("mpSSH" 3)
 ("F-Secure winNT" 3)
 ("VShell win32/unix" 3)
 ("WeOnlyDo" 2)
 ("GlobalScape/libssh" 2)
 ("lshd" 2)
 ("Radware" 2)
 ("FreSSH" 2)
 ("IPSSH" 2)
 ("cryptlib" 2)
 ("miniBSD/OpenSSH" 1)
 ("WeOnlyDo" 1)
 ("AOS SSH" 1)
 ("RedlineNetworks/OpenSSH" 1)
 ("F-Secure dss-only" 1)
 ("SSH Compatible Server" 1)
 ("Neteyes" 1)
 ("DigiSSH" 1)
 ("Tru64 SSH" 1)
 ("Tasman router sshd" 1))

As was previously expected, OpenSSH is *by far* the most popular SSH
server currently in use on the internet. How about a breakdown of its
versions?

(("3.9p1" 897)
 ("3.6.1p2" 844)
 ("3.8.1p1 Debian-8.sarge.4" 484)
 ("3.7.1p2" 358)
 ("3.5p1" 355)
 ("3.1p1" 349)
 ("4.2" 303)
 ("4.1" 273)
 ("3.5p1 FreeBSD-20030924" 224)
 ("4.3" 209)
 ("3.4p1" 204)
 ("3.8.1p1" 193)
 ("4.0" 174)
 ("3.6p1" 150)
 ("3.8.1p1 FreeBSD-20040419" 135)
 ("3.7.1p2 Debian 1:3.7.1p2-1.2" 113)
 ("3.4p1 Debian 1:3.4p1-1.woody.3" 88)
 ("4.2p1 FreeBSD-20050903" 81)
 ("3.7.1p1" 78)
 ("3.8p1" 76)
 ("3.6.1p1+CAN-2004-0175" 61)
 ("2.9p2" 44)
 ("3.6.1" 40)
 ("4.2p1 Debian-8" 33)
 ("3.0.2p1" 32)
 ("2.3.0p1" 29)
 ("4.1p1 Debian-7ubuntu4.1" 25)
 ("3.8.1p1 FreeBSD-20060123" 25)
 ("2.5.2p2" 24)
 ("3.6.1p1 FreeBSD-20030924" 23)
 ("2.9.9p2" 22)
 ("4.2p1 Debian-5" 22)
 ("3.4p1 FreeBSD-20020702" 19)
 ("1.2" 19)
 ("2.3.0_Mikrotik_v2.9" 18)
 ("3.9.0p1" 17)
 ("3.5p1 FreeBSD-20030201" 16)
 ("3.8" 13)
 ("3.4" 13)
 ("3.2.3p1" 13)
 ("4.2p1 Debian-7ubuntu3" 12)
 ("3.5" 12)
 ("3.4p1+CAN-2004-0175" 11)
 ("3.7p1" 10)
 ("4.2p1 Debian-7" 10))


And finally, what about the protocol versions in use?

(("1.99" 4262)
 ("2.0" 2912)
 ("1.5" 382))


After processing this data as carefully as possible, I proceeded to
use the data to enhance the SSH match lines in the nmap-service-probes
file. I added 29 new SSH match lines bringing us up to 76 as well
as refining and updating numerous others.

Probably the most useful modification is the refined OpenSSH match
lines. We now should get more detailed and accurate service-detection
operating system and device type guesses based on SSH.

Also, numerous new match lines have been added, giving Nmap's
version detection the capability of recognising SSH daemons such
as, to name a few,

 * HUAWEI VRP routers
 * Fortinet VPN/firewalls
 * FreSSH
 * DLink routers sshd
 * RemotelyAnywhere
 * etc

Finally, I took the time to reorganise and refine some of the match
lines. For instance, it might not be obvious to everybody that
mpSSH is, in fact, Hewlett Packard's Integrated Lights Out SSH
daemon.

I'm attaching a patch to Nmap 4.10's nmap-service-probes file.

Enjoy!

Doug

--- nmap-service-probes.orig  2006-06-12 16:29:24.000000000 -0700
+++ nmap-service-probes       2006-06-15 02:12:38.000000000 -0700
@@ -1488,60 +1488,101 @@
 match sourceoffice m|^200\r\nProtocol-Version:(\d[.\d]+)\r\nMessage-ID:\d+\r\nDatabase 
.*\r\nContent-Length:\d+\r\n\r\n(\w:\\.*ini)\r\n\r\n| p/Sourcegear SourceOffSite/ i/Protocol $1; INI file: $2/
 match sourceoffice m|^250\r\nProtocol-Version:(\d[.\d]+)\r\nMessage-ID:\d+\r\nDatabase 
.*\r\nContent-Length:\d+\r\nKey Length:(\d+)\r\n\r\n.*(\w:\\.*ini)\r\n\r\n|s p/Sourcegear SourceOffSite/ i/Protocol 
$1; Key len: $2; INI file: $3/
 
+
 match ssh m|^\0\0\0\$\0\0\0\0\x01\0\0\0\x1bNo host key is configured!\n\r!\"v| p/Foundry Networks switch sshd/ 
i/broken: No host key configured/
 match ssh m|^SSH-(\d[\d.]+)-SSF-(\d[-.\w]+)\n| p/SSF French SSH/ v/$2/ i/protocol $1/
 match ssh m|^SSH-(\d[\d.]+)-lshd_(\d[-.\w]+) lsh - a free ssh\r\n\0\0| p/lshd secure shell/ v/$2/ i/protocol $1/
-match ssh m/^SSH-([.\d]+)-OpenSSH[_-](\S+ Debian-7ubuntu3)/i o/Linux/ p/OpenSSH/ v/$2/ i/protocol $1/
-match ssh m/^SSH-([.\d]+)-OpenSSH[_-]([\S ]+)/i p/OpenSSH/ v/$2/ i/protocol $1/
 match ssh m/^SSH-([.\d]+)-Sun_SSH_(\S+)/ p/SunSSH/ v/$2/ i/protocol $1/
 match ssh m/^SSH-([.\d]+)-meow roototkt by rebel/ p/meow SSH ROOTKIT/ i/protocol $1/
-match ssh m/^SSH-([.\d]+)-(\d+\.\d+\.\d+) SSH Secure Shell/ p/F-Secure SSH Secure Shell/ v/$2/ i/protocol $1/
-match ssh m|^sshd: SSH Secure Shell (\d[-.\w]+) on ([-.\w]+)\nSSH-(\d[.\d]+)-| p/F-Secure SSH Secure Shell/ v/$1/ 
i/on $2; protocol $3/
-match ssh m|^sshd: SSH Secure Shell (\d[-.\w]+) \(([^\r\n\)]+)\) on ([-.\w]+)\nSSH-(\d[.\d]+)-| p/F-Secure SSH 
Secure Shell/ v/$1/ i/$2; on $3; protocol $4/
-match ssh m|^sshd2\[\d+\]: .*\r\nSSH-(\d[\d.]+)-(\d[-.\w]+) SSH Secure Shell \(([^\r\n\)]+)\)\r\n| p/F-Secure SSH 
Secure Shell/ v/$2/ i/protocol $1/
-match ssh m/^SSH-([.\d]+)-(\d+\.\d+\.[-.\w]+)/ p/SSH/ v/$2/ i/protocol $1/
 # Akamai hosted systems tend to run this - found on www.microsoft.com
 match ssh m|^SSH-(\d[.\d]*)-AKAMAI-I\n$| p/Akamai-I SSH/ i/protocol $1/
 match ssh m|^SSH-(\d[.\d]*)-Server-V\n$| p/Akamai-I SSH/ i/protocol $1/
 match ssh m|^SSH-(\d[.\d]*)-Server-VI\n$| p/Akamai-I SSH/ i/protocol $1/
 match ssh m|^SSH-(\d[.\d]+)-Cisco-(\d[.\d]+)\n$| p/Cisco SSH/ v/$2/ i/protocol $1/
 match ssh m|^\r\nDestination server does not have Ssh activated\.\r\nContact Cisco Systems, Inc to purchase 
a\r\nlicense key to activate Ssh\.\r\n| p/Cisco CSS SSH/ i/Unlicensed/
-match ssh m|^SSH-(\d[.\d]+)-SSH Protocol Compatible Server SCS (\d[-.\w]+)\n| p/NetScreen SCS sshd/ v/$2/ i/protocol 
$1/
-match ssh m|^SSH-(\d[.\d]+)-VShell_(\d[._\d]+) VShell\r\n$| p/VanDyke VShell/ v/$SUBST(2,"_",".")/ i/protocol $1/
-match ssh m|^SSH-2\.0-0\.0 \r\n| p/VanDyke VShell/ i/version info hidden/
-match ssh m/^SSH-([.\d]+)-(\d[-.\w]+) sshlib: WinSSHD (\d[-.\w]+)\r\n/ p/Bitvise WinSSHD/ v/$3/ i/protocol $1/ 
o/Windows/
-match ssh m/^SSH-([.\d]+)-(\d[-.\w]+) sshlib: WinSSHD\r\n/ p/Bitvise WinSSHD/ i/protocol $1; server version hidden/ 
o/Windows/
+match ssh m|^SSH-(\d[.\d]+)-VShell_(\d[._\d]+) VShell\r\n$| p/VanDyke VShell sshd/ v/$SUBST(2,"_",".")/ i/protocol 
$1/
+match ssh m|^SSH-2\.0-0\.0 \r\n| p/VanDyke VShell sshd/ i/version info hidden; protocol 2.0/
+match ssh m|^SSH-([\d.]+)-([\d.]+) VShell\r\n| p/VanDyke VShell/ v/$2/ i/protocol $1/
+match ssh m/^SSH-([.\d]+)-(\d[-.\w]+) sshlib: WinSSHD (\d[-.\w]+)\r\n/ p/Bitvise WinSSHD/ v/$3/ i/sshlib $2; 
protocol $1/ o/Windows/
+match ssh m/^SSH-([.\d]+)-(\d[-.\w]+) sshlib: WinSSHD\r\n/ p/Bitvise WinSSHD/ i/sshlib $2; protocol $1; server 
version hidden/ o/Windows/
 # Cisco VPN 3000 Concentrator
 # Cisco VPN Concentrator 3005 - Cisco Systems, Inc./VPN 3000 Concentrator Version 4.0.1.B Jun 20 2003
 match ssh m/^SSH-([.\d]+)-OpenSSH\n$/ p/OpenSSH/ i/protocol $1/ d/terminal server/
-match ssh m/^SSH-([.\d]+)-([.\d]+) Radware\n$/ p/Radware Linkproof SSH/ v/$2/ i/protocol $1/ d/terminal server/
 match ssh m|^SSH-1\.5-X\n| p/Cisco VPN Concentrator SSHd/ i/protocol 1.5/ d/terminal server/
 match ssh m|^SSH-([\d.]+)-NetScreen\r\n| p/NetScreen sshd/ i/protocol $1/ d/firewall/
-match ssh m|^SSH-1\.5-FucKiT RootKit by Cyrax\n| p/FucKiT RootKit sshd/ i/protocol 1.5/ o/Linux/
+match ssh m|^SSH-1\.5-FucKiT RootKit by Cyrax\n| p/FucKiT RootKit sshd/ i/**BACKDOOR** protocol 1.5/ o/Linux/
 match ssh m|^SSH-2\.0-dropbear_([\w.]+)\r\n| p/Dropbear sshd/ v/$1/ i/protocol 2.0/
 match ssh m|^Access to service sshd from [\w-_.]+@[\w-_.]+ has been denied\.\r\n| p/libwrap'd OpenSSH/ i/Access 
denied/
 match ssh m|^SSH-2\.0-FortiSSH_([\d.]+)\n| p/FortiSSH/ v/$1/ i/protocol 2.0/
 match ssh m|^SSH-([\d.]+)-cryptlib\r?\n| p/APC AOS cryptlib sshd/ i/protocol $1/ o/AOS/
-match ssh m|^SSH-2\.0-1\.0 Radware SSH \r\n| p/Radware sshd/ i|protocols 1.0/2.0| d/firewall/
-match ssh m|^SSH-1\.5-By-ICE_4_All \( Hackers Not Allowed! \)\n| p/ICE_4_All backdoor sshd/ i/protocol 1.5/
-match ssh m|^SSH-2\.0-mpSSH_([\d.]+)\n| p/mpSSH/ v/$1/ i/protocol 2.0/
-# This is a strange one. The linksys WRT45G pretends to be OpenSSH,
-# but doesn't do a great job:
-match ssh m|^SSH-2\.0-OpenSSH\r\n| p/Linksys WRT45G modified dropbear sshd/ i/protocol 2.0/ d/router/
+match ssh m/^SSH-([.\d]+)-([.\d]+) Radware\n$/ p/Radware Linkproof SSH/ v/$2/ i/protocol $1/ d/terminal server/
+match ssh m|^SSH-2\.0-1\.0 Radware SSH \r\n| p/Radware sshd/ i|protocol 2.0| d/firewall/
+match ssh m|^SSH-([\d.]+)-Radware_([\d.]+)\r\n| p/Radware sshd/ v/$2/ i/protocol $1/ d/firewall/
+match ssh m|^SSH-1\.5-By-ICE_4_All \( Hackers Not Allowed! \)\n| p/ICE_4_All backdoor sshd/ i/**BACKDOOR** protocol 
1.5/
+match ssh m|^SSH-2\.0-mpSSH_([\d.]+)\n| p/HP Integrated Lights Out mpSSH/ v/$1/ i/protocol 2.0/
 match ssh m|^SSH-2\.0-Unknown\n| p/Allot Netenforcer OpenSSH/ i/protocol 2.0/
 match ssh m|^SSH-2\.0-FrSAR ([\d.]+) TRUEX COMPT 32/64\r\n| p/FrSAR truex compt sshd/ v/$1/ i/protocol 2.0/
-match ssh m|^SSH-2\.0-(\d+)\n| p/Netpilot config access/ v/$1/ i/protocol 2.0/
-match ssh m|^SSH-2\.0-RomCliSecure_([\d.]+)\r\n| p/Adtran Netvanta RomCliSecure sshd/ v/$1/ i/protocol 2.0/
-match ssh m|^SSH-2\.0-([\d.]+) sshlib: GlobalScape\r\n| p/GlobalScape CuteFTP sshd/ v/$1/ o/Windows/
+match ssh m|^SSH-2\.0-(\d{8,12})\n| p/Netpilot config access/ v/$1/ i/protocol 2.0/
+match ssh m|^SSH-([\d.]+)-RomCliSecure_([\d.]+)\r\n| p/Adtran Netvanta RomCliSecure sshd/ v/$2/ i/protocol $1/
+match ssh m|^SSH-([\d.]+)-([\d.]+) sshlib: GlobalScape\r\n| p/GlobalScape CuteFTP sshd/ i/sshlib $2; protocol $1/ 
o/Windows/
 match ssh m|^SSH-2\.0-APSSH_([\w.]+)\n| p/APSSHd/ v/$1/ i/protocol 2.0/
 match ssh m|^SSH-2\.0-Twisted\r\n| p/Kojoney SSH honeypot/ i/protocol 2.0/
 match ssh m|^SSH-2\.0-Mocana SSH \r\n| p/Mocanada embedded SSH/ i/protocol 2.0/
 match ssh m|^SSH-1\.99-InteropSecShell_([\d.]+)\n| p/InteropSystems SSH/ v/$1/ i/protocol 1.99/ o/Windows/
 match ssh m|^SSH-2\.0-WeOnlyDo(-wodFTPD)? ([\d.]+)\r\n| p/WeOnlyDo sshd/ v/$2/ i/protocol 2.0/ o/Windows/
 match ssh m|^SSH-2\.0-PGP\n| p/PHP Universal sshd/ i/protocol 2.0/
+match ssh m|^SSH-([\d.]+)-libssh-([\w-.]+)\r\n| p/libssh/ v/$2/ i/protocol $1/
+match ssh m|^SSH-([\d.]+)-HUAWEI-VRP([\d.]+)\n| p/HUAWEI VRP sshd/ v/$2/ i/protocol $1/ o/VRP/ d/router/
+match ssh m|^SSH-([\d.]+)-VRP-([\d.]+)\n| p/HUAWEI VRP sshd/ v/$2/ i/protocol $1/ o/VRP/ d/router/
+match ssh m|^SSH-([\d.]+)-lancom\r\n| p/lancom sshd/ i/protocol $1/
+match ssh m|^SSH-([\d.]+)-xxxxxxx\n| p|Fortinet VPN/firewall sshd| i/protocol $1/ d/firewall/
+match ssh m|^SSH-([\d.]+)-AOS_SSH\n| p/AOS sshd/ i/protocol $1/ o/AOS/
+match ssh m|^SSH-([\d.]+)-RedlineNetworksSSH_([\d.]+) Derived_From_OpenSSH-([\d.])+\n| p/RedLineNetworks sshd/ v/$2/ 
i/Derived from OpenSSH $3; protocol $1/
+match ssh m|^SSH-([\d.]+)-DLink Corp\. SSH server ver ([\d.]+)\n| p/DLink sshd/ v/$2/ i/protocol $1/ d/router/
+match ssh m|^SSH-([\d.]+)-FreSSH\.([\d.]+)\n| p/FreSSH/ v/$2/ i/protocol $1/
+match ssh m|^SSH-([\d.]+)-Neteyes-C-Series_([\d.]+)\r\n| p/Neteyes C Series load balancer sshd/ v/$2/ i/protocol $1/ 
d/load balancer/
+match ssh m|^SSH-([\d.]+)-IPSSH-([\d.]+)\r\n| p/Cisco IPSSHd/ v/$2/ i/protocol $1/ d/router/ o/IOS/
+match ssh m|^SSH-([\d.]+)-DigiSSH_([\d.]+)\n| p/Digi CM sshd/ v/$2/ i/protocol $1/
+match ssh m|^SSH-([\d.]+)-0 Tasman Networks Inc\.\n| p/Tasman router sshd/ i/protocol $1/ d/router/
+match ssh m|^SSH-([\d.]+)-([\w.]+)rad\n| p/Rad Java SFTPd/ v/$2/ i/protocol $1/
+# This is a strange one. The linksys WRT45G pretends to be OpenSSH,
+# but doesn't do a great job:
+match ssh m|^SSH-2\.0-OpenSSH\r\n| p/Linksys WRT45G modified dropbear sshd/ i/protocol 2.0/ d/router/
+
+# F-Secure/WRQ
+match ssh m|^SSH-([\d.]+)-([\d.]+) F-Secure SSH Windows NT Server\r\n| p/F-Secure WinNT sshd/ v/$2/ i/protocol $1/ 
o/Windows/
+match ssh m|^SSH-([\d.]+)-([\d.]+) dss F-SECURE SSH\r\n| p/F-Secure sshd/ v/$2/ i/dss-only; protocol $1/
+match ssh m|^SSH-([\d.]+)-([\d.]+) F-SECURE SSH.*\r\n| p/F-Secure sshd/ v/$2/ i/protocol $1/
+
+# SCS
+match ssh m|^SSH-(\d[.\d]+)-SSH Protocol Compatible Server SCS (\d[-.\w]+)\n| p/SCS NetScreen sshd/ v/$2/ i/protocol 
$1/
+match ssh m|^SSH-([\d.]+)-SSH Compatible Server\n| p/SCS NetScreen sshd/ i/protocol $1/
+match ssh m|^SSH-([\d.]+)-([\d.]+) SSH Secure Shell Tru64 UNIX\r\n| p/SCS sshd/ v/$2/ i/protocol $1/ o/Tru64 Unix/
+match ssh m/^SSH-([.\d]+)-(\d+\.\d+\.\d+) SSH Secure Shell/ p/SCS sshd/ v/$2/ i/protocol $1/
+match ssh m|^sshd: SSH Secure Shell (\d[-.\w]+) on ([-.\w]+)\nSSH-(\d[.\d]+)-| p/SCS SSH Secure Shell/ v/$1/ i/on 
$2; protocol $3/
+match ssh m|^sshd: SSH Secure Shell (\d[-.\w]+) \(([^\r\n\)]+)\) on ([-.\w]+)\nSSH-(\d[.\d]+)-| p/SCS sshd/ v/$1/ 
i/$2; on $3; protocol $4/
+match ssh m|^sshd2\[\d+\]: .*\r\nSSH-(\d[\d.]+)-(\d[-.\w]+) SSH Secure Shell \(([^\r\n\)]+)\)\r\n| p/SCS sshd/ v/$2/ 
i/protocol $1/
+match ssh m/^SSH-([.\d]+)-(\d+\.\d+\.[-.\w]+)/ p/SCS sshd/ v/$2/ i/protocol $1/
+
+# OpenSSH
+match ssh m|^SSH-([\d.]+)-OpenSSH_([\w.]+)[ -]Debian[ -]([^\r\n]ubuntu[\d.]+)\n| p/OpenSSH/ v/$2 Debian $3/ 
i/protocol $1/ o/Linux/
+match ssh m|^SSH-([\d.]+)-OpenSSH_([\w.]+)[ -]Debian[ -]([^\r\n]+)\n| p/OpenSSH/ v/$2 Debian $3/ i/protocol $1/ 
o/Linux/
+match ssh m|^SSH-([\d.]+)-OpenSSH_([\w.]+) FreeBSD-([\d]+)\n| p/OpenSSH/ v/$2/ i/FreeBSD $3; protocol $1/ o/FreeBSD/
+match ssh m|^SSH-([\d.]+)-OpenSSH_([\w.]+) FreeBSD localisations (\d+)\n| p/OpenSSH/ v/$2/ i/FreeBSD $3; protocol 
$1/ o/FreeBSD/
+match ssh m|^SSH-([\d.]+)-OpenSSH_([\w.]+) miniBSD-([\d]+)\n| p/OpenSSH/ v/$2/ i/MiniBSD $3; protocol $1/ o/MiniBSD/
+match ssh m|^SSH-([\d.]+)-OpenSSH_([\w.]+) NetBSD_Secure_Shell-([\d]+)\n| p/OpenSSH/ v/$2/ i/NetBSD $3; protocol $1/ 
o/NetBSD/
+match ssh m|^SSH-([\d.]+)-OpenSSH_([\w.]+)_Mikrotik_v([\d.]+)\n| p/OpenSSH/ v/$2 mikrotik $3/ i/protocol $1/ 
d/router/
+match ssh m|^SSH-([\d.]+)-OpenSSH_([\w.]+) in RemotelyAnywhere ([\d.]+)\n| p/OpenSSH/ v/$2/ i/RemotelyAnywhere $3; 
protocol $1/ o/Windows/
+
+# Choose 1 of the following:
+# 1) Match all OpenSSHs:
+#match ssh m/^SSH-([.\d]+)-OpenSSH[_-]([\S ]+)/i p/OpenSSH/ v/$2/ i/protocol $1/
+# 2) Don't match unknown SSHs (and generate fingerprints)
+match ssh m/^SSH-([.\d]+)-OpenSSH[_-]([\w.]+)\n/i p/OpenSSH/ v/$2/ i/protocol $1/
 
 softmatch ssh m/^SSH-([.\d]+)-/ i/protocol $1/
 
+
 match soldat m|^Soldat Admin Connection Established\.\.\.\r\nAdmin connected\.\r\n| p/Soldat multiplayer-game server/
 match solproxy m|^The solproxy is used by [\d.]+\n\rThe client is closed!\n\r| p/Dell Serial Over LAN proxy/
 match subethaedit m|^RPY \d \d \. \d \d+\r\nContent-Type: application/beep\+xml\r\n\r\n<greeting><profile 
uri=\"http://www\.codingmonkeys\.de/BEEP/SubEthaEditHandshake\";| p/SubEthaEdit collaborative text editor/ o/Mac OS X/
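
Review bot: In the added RedlineNetworks line, `Derived_From_OpenSSH-([\d.])+\n` puts the `+` outside the capture group, so `$3` holds only the last character of the OpenSSH version rather than the whole string; `([\d.]+)` looks like what was intended. In the first added OpenSSH line, `([^\r\n]ubuntu[\d.]+)` allows exactly one character before `ubuntu`, and the line sets the same p/v/i/o fields as the general Debian line right after it, so it should either be dropped or given an Ubuntu-specific field. A short comment above the final OpenSSH match saying that banners with extra text after the version are meant to fall through to the softmatch would make the "choose 1" intent clearer.
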
@@ -3464,6 +3505,7 @@
 match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: NI Service Locator/([\d.]+) \(SLServer\)\r\n| p/National Instruments 
LabVIEW service locator httpd/ v/$1/
 match http m|^HTTP/1\.1 406 Not Acceptable\r\nServer: Phex ([\d.]+)\r\n\r\n| p/Phex HTML-Shared File Export httpd/ 
v/$1/
 match http m|^HTTP/1\.0 200 NoPhrase\r\n.*\r\n<HTML>\r\n<HEAD>\r\n<TITLE>\[JMX RI/([\d.]+)\] Agent View</TITLE>|s 
p/Sun Java Management Extensions Reference Installation httpd/ v/$1/
+match http m|^HTTP/1\.1 200 OK\r\nDate: .*\r\nLast-Modified: .*\r\nETag: \"[\w_]+\"\r\nAccept-Ranges: 
bytes\r\nContent-Length: 79\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n<html>\n<script 
language=javascript>\n\ntop\.location=\"/login\";\n\n</script>\n</html>\n| p|Fortinet VPN/firewall http config| 
d/firewall/
 
 
 # Maybe too generic?
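
Review bot: The added `match http` line for Fortinet contains no vendor-specific token: it keys on header order, `Content-Length: 79` and a generic JavaScript redirect to /login, so any other device serving the same page would be reported as a Fortinet firewall. A comment naming the device this response was captured from would help future maintainers judge it. In the ETag part, `[\w_]` can be just `\w`, since `\w` already includes the underscore.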





_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev


-- 
Joshua D. Abraham
Northeastern University
College of Computer and Information Science
www.ccs.neu.edu/home/jabra
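
An added example, not part of the original thread and not Nmap's code: a small banner classifier that tallies products and protocol versions the way the survey tables do, with specific rules first, a softmatch-style fallback, and a bucket for port-22 listeners that are not SSH at all. The rule patterns are simplified assumptions modelled on the match lines above, and the sample banners are constructed.

```python
import re
from collections import Counter

# Ordered rules, most specific first. Simplified for this example and only
# modelled on the match lines in the thread; not Nmap's own patterns.
RULES = [
    ("Debian/OpenSSH", re.compile(
        rb"^SSH-([\d.]+)-OpenSSH_([\w.]+)[ -]Debian[ -][^\r\n]+\r?\n")),
    ("FreeBSD/OpenSSH", re.compile(
        rb"^SSH-([\d.]+)-OpenSSH_([\w.]+) FreeBSD-\d+\r?\n")),
    ("OpenSSH", re.compile(rb"^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)\r?\n")),
    ("dropbear", re.compile(rb"^SSH-([\d.]+)-dropbear_([\w.]+)\r?\n")),
]
# Fallback in the spirit of the softmatch line: SSH, but product unknown.
SOFT = re.compile(rb"^SSH-([\d.]+)-")

def classify(banner: bytes):
    """Return (product, protocol, version) from the first matching rule."""
    for name, rx in RULES:
        m = rx.match(banner)
        if m:
            return name, m.group(1).decode(), m.group(2).decode()
    m = SOFT.match(banner)
    if m:
        return "unknown SSH", m.group(1).decode(), None
    return "not SSH", None, None  # something else is listening on the port

def survey(banners):
    """Tally products and protocol versions, as in the survey tables."""
    products, protocols = Counter(), Counter()
    for banner in banners:
        product, proto, _ = classify(banner)
        products[product] += 1
        if proto:
            protocols[proto] += 1
    return products, protocols

# Constructed banners for illustration; not taken from the scan data.
SAMPLE = [
    b"SSH-1.99-OpenSSH_3.9p1\n",
    b"SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4\n",
    b"SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4.1\n",
    b"SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924\n",
    b"SSH-2.0-dropbear_0.47\r\n",
    b"SSH-2.0-OpenSSH_4.2p1 ExampleOS-1\n",   # unrecognised suffix
    b"SSH-2.0-ExampleSSHD_1.0\r\n",           # unrecognised product
    b"220 mail.example.test ESMTP\r\n",       # not SSH at all
]

if __name__ == "__main__":
    products, protocols = survey(SAMPLE)
    print(products.most_common())
    print(protocols.most_common())
```

The OpenSSH banner with an unrecognised suffix lands in "unknown SSH" rather than the generic OpenSSH bucket, which is the behaviour of a strict final match followed by a softmatch.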

