Re: service-probe question: FTP services

[doug () hcsw org]

On Tue, Feb 03, 2009 at 06:01:45PM -0600 or thereabouts, Tom Sellers wrote:
> Both of the following lines in nmap-service-probes:
>
> match ftp m|^220 ([-\w]+) FTP server \(Version (\d.[.\d]+) ([A-Z][a-z]{2} 
> [A-Z][a-z]{2} [0-9]+ [0-9:]+ .* [21][0-9]+)\) ready\.\r\n| p/HP-UX 10.x 
> ftpd/ h/$1/ v/$2/ o/HP-UX/ i/$3/
> match ftp m|^220 ([-\w]+) FTP server \(Version (\d[-.\w]+) [A-Z][a-z]{2} 
> [A-Z][a-z]{2} .*\) ready\.\r\n| p/AIX ftpd/ h/$1/ v/$2/ o/AIX/
>
> will match the following FTP banner:
>
> 220 mytesthost FTP server (Version 6.1 Mon Oct 18 04:11:03 CDT 2011) ready.
>
> One line indicates HP-UX and the other AIX.  The host I tested against was 
> AIX but
> the service fingerprint indicated that it was an HP-UX 10.x machine.  
> Removing the HP-UX
> matchline allowed the fp to match the AIX line.  Should these be changed to 
> indicate
> both OSs or just edited to reference a generic ftp server?

Great catch, those lines are basically identical. I will merge them into
one for HP-UX or AIX and if we see another false positive we can just
make it general.

> Also, the following match line:
> match smtp m|^220 $| p/OpenBSD spamd/
>
> will trigger incorrectly on
>
> match ftp m|^220 IB-21E Ver ([\d.]+) FTP server\.\r\n| p/Kyocera IB-21E 
> ftpd/ v/$1/ d/print server/
>
> I have not quite figured out why.  When I remove the OpenBSD spamd entry it 
> fingerprints correctly.

That's a tough one. I think spamd is an attempt to sandbag spammers but
I can see how it could result in false positives especially if an
FTP does something like write(sd, "220 ", 4) and the nagle algorithm
isn't enabled (perhaps because it's a simplistic device like a print
server). I'm open to suggestions on this one.

Attachment: _bin
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org