Nmap Development mailing list archives

[PATCH] Metasploit Framework msfd matchline


From: Kris Katterjohn <katterjohn () gmail com>
Date: Sun, 25 May 2008 18:07:24 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey everyone,

I've attached a patch to add a matchline for the Metasploit Framework
msfd daemon.

You can see what I'm trying to match here[1].  It shows msfconsole there
instead, but it's the same thing.

I've tested it against the following versions (the last is from SVN):

55554/tcp open  metasploit Metasploit Framework msfd 3.0-beta-dev
55554/tcp open  metasploit Metasploit Framework msfd 3.0
55554/tcp open  metasploit Metasploit Framework msfd 3.1-release
55554/tcp open  metasploit Metasploit Framework msfd 3.2-release

(msfd is only in 3.x)

Is "metasploit" a good service name, or would something like "msf" be
better?  "msf" is short and has the "framework", but it might not be as
recognizable.  Of course the version information tells everything and it
will be the only thing using the name so far.

How's the matchline?

I left out "aux" from the match because I saw "recon" there (or nothing
at all) instead in a screenshot of an old 3.0-alpha version, and even
though "aux" probably won't be going away, I think I've matched enough
to be sure it's msf :)

And I was also tempted to match the exploits/payloads and encoders/nops
pairs together with the dash between them, but again I think enough is
matched and I don't want it to break if they change a little bit there.

I think the matchline is fine because it matched the range I tested
above, but I didn't try everything.  I could be matching too much.

Thanks,
Kris Katterjohn

[1] http://metasploit.com/images/gallery/msfconsole.jpg

Index: nmap-service-probes
===================================================================
--- nmap-service-probes (revision 7667)
+++ nmap-service-probes (working copy)
@@ -975,6 +975,7 @@
 match mailq m|^version zmailer ([\d.]+)\n220 MAILQ-V2-CHALLENGE: | p/zmailer/ v/$1/ o/Unix/
 match meetingmaker m/^\xc1,$/ p/Meeting Maker calendaring/
 match melange m|^\+\+\+Online\r\n>> Melange Chat Server \(Version (\d[-.\w]+)\), Apr-25-1999\r\n\nWelcome | p/Melange 
Chat Server/ v/$1/
+match metasploit m|^\n.*=\[ msf v([^\r\n]+)\r?\n.*\d+ exploits.*\d+ payloads.*\d+ encoders.*\d+ nops.*msf > $|s 
p/Metasploit Framework msfd/ v/$1/
 match midas m|^MIDASd v([\w.]+) connection accepted\n\xff| p/midasd/ v/$1/
 match mpd m|^OK MPD ([\d.]+)\n$| p/Music Player Daemon/ v/$1/
 # lopster 1.2.0.1 on Linux 1.1
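Review bot: the version capture `v([^\r\n]+)` in the added metasploit line is wider than the version token needs: anything else on that banner line (trailing blanks, a closing bracket) ends up in `$1` and therefore in the reported version. `v(\S+)` or `v([\w.-]+)` would still match all four versions listed in the message while keeping the captured value clean. Two smaller points on the same line: the start anchor `^\n` admits only a bare LF while the version line allows `\r?\n`, so a banner that starts with CRLF would fail the match; and five successive `.*` under the `s` flag give the engine a lot of backtracking room on long non-matching responses, so bounding at least some of them (for example `[^\n]*` where a count is known to sit on one line) would make the probe cheaper without tying the exploits/payloads and encoders/nops pairs together.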

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
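To see what the proposed matchline actually accepts and rejects, the following added example (not part of the patch or of Nmap) transcribes the Perl-style `m|...|s` expression into Python's `re` and runs it over constructed msfd-style greetings built from the versions listed in the message. The banner shape, the service counts, the `make_banner` helper and the tightened `TIGHT_PATTERN` (which captures the version with `\S+` instead of `[^\r\n]+`) are all assumptions made for this illustration, not text from the patch; the banner-with-trailing-blanks case shows how the two capture groups differ.

```python
import re

# Matchline from the patch, transcribed from Nmap's Perl-style m|...|s syntax
# to Python's re; the trailing 's' flag corresponds to re.DOTALL.
# Capture group 1 is what Nmap would report as the version ($1).
PATCH_PATTERN = re.compile(
    r"^\n.*=\[ msf v([^\r\n]+)\r?\n"
    r".*\d+ exploits.*\d+ payloads.*\d+ encoders.*\d+ nops.*msf > $",
    re.DOTALL,
)

# Tightened variant (an assumption for this example, not from the patch):
# the version token contains no whitespace, so trailing blanks on the banner
# line are no longer swallowed into the captured version.
TIGHT_PATTERN = re.compile(
    r"^\n.*=\[ msf v(\S+)[^\r\n]*\r?\n"
    r".*\d+ exploits.*\d+ payloads.*\d+ encoders.*\d+ nops.*msf > $",
    re.DOTALL,
)


def make_banner(version, exploits=263, payloads=118, encoders=17, nops=6,
                extra=44, extra_label="aux", trailing=""):
    """Build a constructed greeting shaped like the msfconsole banner.

    The layout and counts are made up for this example; `extra_label` lets
    us mimic the old 3.0-alpha style that showed "recon" instead of "aux".
    """
    return (
        "\n"
        f"       =[ msf v{version}{trailing}\n"
        f"+ -- --=[ {exploits} exploits - {payloads} payloads\n"
        f"+ -- --=[ {encoders} encoders - {nops} nops\n"
        f"       =[ {extra} {extra_label}\n"
        "\n"
        "msf > "
    )


def match_version(banner, pattern=PATCH_PATTERN):
    """Return the captured version string, or None if the banner does not match."""
    m = pattern.search(banner)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Versions the message says were tested, plus an old-style "recon" banner,
    # a banner with trailing blanks, and an unrelated service greeting.
    samples = {
        "3.0-beta-dev": make_banner("3.0-beta-dev"),
        "3.0": make_banner("3.0"),
        "3.1-release": make_banner("3.1-release"),
        "3.2-release": make_banner("3.2-release"),
        "3.0-alpha (recon)": make_banner("3.0-alpha", extra_label="recon"),
        "3.2-release + blanks": make_banner("3.2-release", trailing="   "),
        "smtp": "220 mail.example.test ESMTP ready\r\n",
    }
    for label, banner in samples.items():
        print(f"{label:22} patch={match_version(banner)!r:22} "
              f"tight={match_version(banner, TIGHT_PATTERN)!r}")
```

Running the script prints one row per constructed banner; the "aux" line is deliberately not part of the expression, so the "recon" banner still matches, and only the trailing-blanks row differs between the two patterns.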
