Nmap Development mailing list archives

service fingerprints && web service probe suggestion


From: Willem de Groot <willem () byte nl>
Date: Tue, 8 Dec 2009 16:45:33 +0100

G'day,

See below for my service fingerprint submission. I'd like to note that,
for people scanning only for http services, it may be worthwhile to
add this line to nmap-service-probes, just below the null probe:

ports 1-79,81-8079,8081-65535

The port list leaves out 80 and 8080, so the null probe is skipped on
those two ports. Because http services generally do not send a banner
upon connect, the null probe is of no use there. What's more, many
routers/WAPs such as the Siemens Gigaset use a default connection
timeout of less than 5 sec. These services will be reported as
"tcpwrapped" by nmap unless the null probe is skipped.

Happy scanning!
Willem

PS. the jewel below is definitely the Kesseltronics Car Wash Tunnel ;-)

--- /home/willem/src/nmap/nmap-service-probes   2009-12-06
01:59:29.016066836 +0100
+++ /usr/share/nmap/nmap-service-probes 2009-12-08 16:39:04.407942572 +0100
@@ -3446,6 +3447,46 @@
 # Needs to go before the Apache match lines -Doug
 match http-proxy m|^HTTP/1\.[01] \d\d\d .*\r\nServer:
Apache\r\n.*X-orenosp-filt:|s p/Orenosp reverse http proxy/

+match http m|^HTTP/1.0 401 Unauthorized\r\nServer:
Apache/0.6.5\r\nPragma: no-cache\r\nContent-type:
text/html\r\nWWW-Authenticate: Basic realm="System Setup"| p/BenQ
wireless router http config/ i/such as AWL700/ d/WAP/
+match http m|^HTTP/1.0 200 OK\r\nServer: Apache/0.6.5\r\n.*<title>Web
Server . Gigaset (\S+) WLAN dsl</title>|s p/Siemens Gigaset $1/ d/WAP/
+match http m|^HTTP/1.0 302 Found\r\nServer:
Apache/0.6.5\r\n.*\r\nLocation: /relink_web.stm|s p/Siemens Gigaset/
d/WAP/
+match http m|^HTTP/1.0 200 OK\r\nServer:
Apache/0.6.5\r\n.*src="top.stm\?pn1=ho3.gif&pn2=ad1.gif"|s p/Philips
SNB5600 http config/ d/broadband router/
+match http m|^HTTP/1.0 200 OK\r\nServer: Apache/0.6.5\r\n.*\nvar
PM="BBR-4MG";\n|s p/SMC7908VoWBRA http config/ d/broadband router/
+match http m!^HTTP/1\.[01] 302 .+(Location|LOCATION):
.+/UE/welcome_login.html!s p/Allegro-Software-RomPager/ i/used by:
Siemens Gigaset sx762 ADSL/ d/WAP/
+match http m|^HTTP.*<title>Gigaset sx762</title>|s p/Siemens Gigaset
sx762 http config/ d/WAP/
+match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer:
Apache.+<title>Welcome to eDR400--login</title>|s p/EverFocus
PowerPlex security cam/ v/eDR400/ d/webcam/
+match http m|^HTTP.*Click here to popup <A
href="javascript:capture\(\)">VigorCam\.</A></font>|s p/VigorCam/
d/webcam/
+match http m|^HTTP.*<TITLE>SMC7004VBR - LOGIN</TITLE>|s p/SMC7004VBR
http config/ d/broadband router/
+match http m|^HTTP/1\.[10] 401 Unauthorized\r\nWWW-Authenticate:
Basic realm="NETGEAR (WNR834B.{1,3})"| p/Netgear $1 http config/
d/WAP/
+match http m|^HTTP/1\.[01] 302 Redirect\r\nSet-Cookie: CrushAuth=|
p/CrushFTP Webserver/
+match http m|^HTTP/1\.[01] 200 OK\r\nConnection: Close\r\nServer:
LANCOM (\d+) (\S+)| p/Lancom $1 $2 http config/ d/broadband router/
+match http m|^HTTP/1\.[01] 401 Unauthorized\r\nWWW-Authenticate:
Basic realm="(WGR\d\d\d.{1,4})"\r\n| p/Netgear $1 http config/ d/WAP/
+match http m|^HTTP/1\.[01] 401 Unauthorized\r\nServer: ISOS/9.0
UPnP/1.0 Conexant-EmWeb/R6_1_0\r\n| p/ISOS 9.0 UPnP 1.0 Conexant-EmWeb
R6_1_0/ i/Allied Data Technologies/ d/broadband router/
+match http m|^HTTP/.*Server: Kerio MailServer (.+)\r\n|s p/Kerio
MailServer Webmail/ v/$1/
+match http m|^HTTP/1\.[01] 401 Unauthorized\r\nWWW-Authenticate:
Basic realm="MET-RV082"\r\n| p/Linksys MET-RV082 http config/
d/broadband router/
+match http m|^HTTP.*<meta http-equiv="refresh"
content="0;url=/login.html\?1600&0">|s p/Digia II Video Surveillance
System/ i/default login: root, 1111/ d/webcam/
+match http m|^HTTP/1.[01] 401 Unauthorized Access Denied\r\nServer:
Intoto Http Server.+\r\nWWW-Authenticate: Basic realm="WRT54G"|
p/Linksys WRT54G http config/ i/running Intoto httpd/ d/WAP/
+match http m|^HTTP/1.0 404 Not Found !!!\r\nPragma:
no-cache\r\nContent-type: text/html\r\nWWW-Authenticate: /nice
ports,/Trinity.txt.bak| p/Draytek http config/ d/broadband router/
+match http m|^HTTP.*Server: eRez Imaging Server\r\n|s p/eRez Imaging Server/
+match http m|^HTTP/1.1 401 Unauthorized\r\nConnection:
Keep-Alive\r\nContent-Length: \d+\r\nContent-Type:
text/html\r\nServer: NetIXServer \(([\d\.]+)\)| p/NetIXServer
Administration/ v/$1/
+match http m|^HTTP.*WWW-Authenticate: Basic realm="SITECOM
(WL-\d+)"|s p/Sitecom $1 http config/ d/WAP/
+match http m|^HTTP/1.1 401 Unauthorized\nWWW-Authenticate: Digest
realm="i3micro VRG", nonce="\d+", qop="auth", algorithm=MD5| p/i3micro
VRG/ d/VoIP adapter/
+match http m|^HTTP/1.0 302 Found\r\nLocation:
/control/userimage.html\r\n| p/Mobotix Camera/ d/webcam/
+match http m|^HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type:
text/html\r\nContent-Length: \d+\r\nServer: Indy/(.+)\r\n| p/Indy/
v/$1/
+match http m|^HTTP.*<TITLE>\r\nXerox WorkCentre 7345|s p/Xerox
WorkCentre 7345/ d/printer/
+match http m|^HTTP/1.0 200 OK\r\nDate:.+\r\nServer:
WYM/([\d\.]+)\r\n| p/WYM webserver/ v/$1/ i/possibly Yoics 9100a
webcam/ d/webcam/
+match http m|^HTTP/1.0 200 OK\r\nServer: iCanWebServer/([\d\.]+)\r\n|
p/iCanTek webcam server/ v/$1/ d/webcam/
+match http m|^HTTP/1.0 401 Unauthorized\r\nDate:.+\r\nConnection:
close\r\nServer:
Microsoft-WinCE/5.0\r\nSet-Cookie:.+\r\nWWW-Authenticate: Basic
Realm="Kesseltronics"| p/Kesseltronics car wash tunnel/ d/specialized/
+match http m|^HTTP/1.0 302 Temporary moved\r\nServer: Cisco AWARE
([\d\.]+)\r\n| p/Cisco AWARE/ v/$1/
+match http m|^HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic
realm="Prestige ([\d\-\.]+)"\r\n| p/Zyxel Prestige http config/
d/broadband router/
+match http m|^HTTP/1.0 200 OK\r\nServer: TeamWARE URL
Service/([\d\-\.]+)\r\n| p/TeamWARE URL Service/ v/$1/
+match http m|^HTTP/1.0 200 HTTP OK\r\nServer: Serv-U/([\d\-\.]+)\r\n|
p/Serv-U FTP webserver/ v/$1/
+match http m|^HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic
realm="/webpages"\r\nServer: DigiSprite\r\n| p/Digisprite httpd/
i/Chubb webcam, Dedicated Micros webcam/ d/webcam/
+match http m|^HTTP.+\n<div style="color: #737373; font-size:
9px">RouterOS ([\d\-\.]+) administration page</div>|s p/Mikrotik
router http config/ v/$1/ d/broadband router/
+match http m|^HTTP/1.0 401
Unauthorized\r\nDate:.+\r\nWWW-Authenticate: Basic realm="GN-B41G"|
p/Gigabyte GN-B41G router http config/ d/broadband router/
+match http m|^HTTP/1.0 200\r\nContent-type: text/html\r\nConnection:
close\r\nContent-Length: \d+\r\n\r\n<html>\r\n<head><title>BARIX
Instreamer| p/Barix Instreamer http config/ d/specialized/
+match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: thttpd/.*<meta
name="description" content="NC822A">|s p/NC822A webcam/ i/aka Sitecom
WL-404/ d/webcam/
+match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: thttpd/.*<meta
name="description" content="WVC54GCA">|s p/Linksys WVC54GCA webcam/
d/webcam/
 match http m|^HTTP/1\.0 \d\d\d .*\r\n(.*\r\n)?Server:
MochiWeb/(\d[-.\w]+) \([-.'\w\s]+\)\r\n| p/MochiWeb Erlang HTTP
library/ v/$2/
 match http m|^HTTP/1\.0 200 OK\r\nServer: Apache/([\d.]+)\r\nPragma:
no-cache\r\nDate: .*<title></title>\r\n.*\r\nvar my_upnp = 1;\r\n//
backup log and config\r\nvar PM = \"7004ABR\";|s p/SMC Broadband
router 7004ABR http config/ i/Identifies as Apache $1/ d/broadband
router/
 match http m|^HTTP/1\.0 401 Unauthorized\r\nPragma:
no-cache\r\nContent-type: text/html\r\nWWW-Authenticate: Basic
realm=\"Login to the Router Web Configurator\"\r\n\r\n<html>\n
<head>\n  <title>401 Unauthorized</title>\n  </head>\n<body>\n\n<div
align=\"center\">| p/Draytek Vigor aDSL router webadmin/ d/broadband
router/
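Review bot: The added Kerio MailServer match uses a greedy `(.+)` together with the `s` flag, so `$1` can run across line ends up to the last CRLF in the response and put trailing headers and body into the version field. Bounding the capture to the header line avoids that: `match http m|^HTTP/.*Server: Kerio MailServer ([^\r\n]+)\r\n|s p/Kerio MailServer Webmail/ v/$1/`. Version strings from these matches tend to feed vulnerability triage, so a polluted `v/` field is worth preventing. Several added patterns also leave literal dots unescaped (`HTTP/1.0`, `HTTP/1.1`, `Apache/0.6.5`), which lets `.` match any character; writing `HTTP/1\.0` and `Apache/0\.6\.5` would match the existing context lines' style. As archived, the added lines are wrapped by the mail client, so each `match` directive needs to be rejoined onto one line before the patch will apply.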