November 2010 service detection highlights

[David Fifield <david () bamsoftware com>]

I just finished integrating 1,840 service submissions and 10 corrections
between April and November 2010. nmap-service-probes grew in size from
6,663 to 7,354 match lines (+13%). Here are a few interesting
submissions and matches I came across.

match http-proxy m|^HTTP/1\.1 403 Forbidden\r\nServer: Lusca/([\w._-]+)\r\n| p/Lusca http proxy/ v/$1/
        There is a theme of sea life in HTTP proxies. He have matches
        for Squid, Polipo, and Lusca. A Lusca is a sea monster.
        http://en.wikipedia.org/wiki/Lusca

match http m|^HTTP/0\.9 400 Bad Request\r\n\r\n$| p/Ganeti httpd/
match http m|^HTTP/2\.0 302 Found\r\nServer: SmarterTools/([\w._-]+)\r\n.*X-AspNet-Version: ([\w._-]+)\r\n.*Location: 
/Login\.aspx\r\n|s p/SmarterTools httpd/ v/$1/ i/ASP.NET $2/ o/Windows/
        Past and future versions of HTTP. HTTP/0.9 exists, but not like
        this, because it isn't supposed to return any response header
        (http://www.w3.org/Protocols/HTTP/AsImplemented.html). HTTP/2.0
        doesn't exist.

Here are a couple of SMTP servers that tell you where to go if you ask
for help:
---------- Help ----------
"220 mx\.google\.com ESMTP bq20sm7560916bkb\.4\r\n214 2\.0\.0 http://www\.google\.com/search\?btnI&q=RFC\+2821 
bq20sm7560916bkb\.4\r\n"
---------- Help ----------
"220 hostname ESMTP service ready\r\n214 2\.0\.0 try reading the RFCs: http://www\.imc\.org/rfcs\.html\r\n";

match http m|^HTTP/1\.1 200 OK\r\nContent-Type: text/html\r\nConnection: 
close\r\n\r\n<!---CAS:0003--><HTML><HEAD>\n<TITLE> Broadband NAT Router Web-Console           </TITLE>|s p/D-Link 
DGE-530T network adapter http config/
        This is an httpd embedded within a PCI network adapter.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/