Nmap Development mailing list archives
Service fingerprint integration highlights
From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 29 May 2015 15:42:06 -0500
From the 6.47 release, we have added 1098 new service match lines, bringing
us over the 10000 mark! That's a 12% increase, which is huge.
Of those, softmatches increased from 51 to 95, an 86% increase. Soft match
lines help speed up version detection by limiting what probes are sent
after Nmap is sure that a service is using a particular protocol.
Sometimes, though, we use them to match a service that we want more or
better quality submissions for in the future. We now have new or expanded
softmatches for:
adobe-crossdomain
afp
bgp
caldav
domain
epp
gopher
http-proxy
icap
imap
kerberos-sec
ldap
microsoft-ds
netbios-ns
openwebnet
pop3
postgresql
ppp
rtsp
sieve
slp-servreg
smpp
smtp
svrloc
telnet
tftp
upnp
webdav
ws-discovery
A few open-source software projects have been fingerprinted based on source
code analysis. A comment in the nmap-service-probes file for postgresql
matches describes the technique of checking out the source at every git tag
(version) and grepping for a particular output string, noting which
versions change. Using this technique, the Postgres fingerprints were
extended, and new fingerprints for Varnish Cache CLI and amavisd-new were
created without receiving any submissions for those versions! There are
probably other services that would benefit from this sort of analysis. For
example, "openssl s_server -WWW" gives a nice error message including line
numbers:
# TODO: hunt down line number/version number correlations
match http m|^HTTP/1\.0 200 ok\r\nContent-type: text/plain\r\n\r\nError
opening ''\r\n\d+:error:[A-F\d]+:system library:fopen:No such file or
directory:bss_file\.c:169:fopen\('','r'\)\n\d+:error:[A-F\d]+:BIO
routines:BIO_new_file:no such file:bss_file\.c:172:\n| p/OpenSSL s_server
-WWW httpd/
Several fingerprints are for various USB-over-network protocols:
# Need to figure out what this is and how to structure the match
match ipmi-usb m|^IUSB
\0\0\0\x007\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xf1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$|
p/IPMI USB redirection/ d/remote management/
match ipmi-usb m|^IUSB
\0\0\0\x007\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xf1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x0210\.6\.11\.29\0\0\0\0\0\0\0\0\0\0\0\0\0\0$|
p/IPMI USB CD redirection/ d/remote management/
# TRENDnet NetUSB - 4-byte-length-prefixed null-terminated strings
# USB-over-network:
https://www.trendnet.com/kb/kbp_viewquestion.asp?ToDo=view&questId=1350&catId=516
match netusb m|^\0\0\0. connect success c\d+ \n\0\0\0\0. NetUSB ([\w._-]+),
2\d\d\d, \d+ \n\0\0\0\0\x0c AUTH ISOC\n\0\0\0\0\x18 MOVE_HEAD
filterAudio\n\0\0\0\0\0| p/TRENDnet NetUSB/ v/$1/
# virtualhere 2.2.5, port 7575
match virtualhere
m|^\0\0\0\0%\0\0\0\x0c\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x04\0\0\0.\xca\xc0T|
p/VirtualHere USB Server/
Some things are truly random and hard to match. This one has had a couple
false-positives in the submissions we've received after it was put in, but
it seems worthwhile to keep:
# Port 9535: http://community.landesk.com/support/docs/DOC-1591
# This is 264 random bytes, probably some sort of shared-key encryption
match landesk-rc m|^.{264}$|s p/LANDesk remote management/
Similarly, the SSH server on Fortinet devices uses a randomized banner.
Instead of adding these every time, we made this match line but commented
it out due to false positives:
# FortiSSH uses random server name
#match ssh m|^SSH-([\d.]+)-[\w._-]{5,14}\n| p/FortiSSH/ i/protocol $1/
Finally got to the bottom of this odd one that was frequently submitted.
It's some demo software that Netgear puts into their OpenWrt-based firmware
for home routers. I think that the MAC address may be filled out in some
cases, but I didn't have any examples in this round of submissions. Also,
I'm not sure whether it gets filled out with the requester's MAC or the
router's MAC.
# /usr/sbin/potval
# https://github.com/elvanderb/TCP-32764/issues/98
match pot m|^0NTP00-00-00MAC00-00-00-00-00-00| p|Netgear POT-(Get/Set)
Demo| d/broadband router/
Another enigma partly solved. The public key always starts with this
sequence, but as the comment states, we don't know what the name portion
refers to:
# Not sure what this name is. Have seen XenVMMXenVMM, @\x03, and NOTFOUND
match r1soft-cdp m|^\0\0\x01.R.\x02\n.\x08\xa3\x80\x04\x10.\x18\0
[\0\x01]\*.(.*?)\x10\0\x1a\x90\x02-----BEGIN PUBLIC
KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ|s p/R1Soft Continuous Data
Protection Agent/ i/name: $P(1)/
This fun service is used to remote-control a Roku set-top box. On another
note, should we continue to call these set-top boxes if the "TV set" is
more likely to be hanging on the wall than having something set on top of
it?
# port 8080, accepts commands like "press up" "press mute"
match roku-remote m|^([0-9A-Z]{5}[A-Z]\d{6})\r\n>| p/Roku remote API/ i/SN
$1/ d/media device/
Added a bunch of fingerprints to match unauthenticated shells listening
directly on TCP ports:
match shell m|^(?:ba)?sh-\d\.\d+\w?# $| p/ROOT SHELL/ i/**BACKDOOR**/
o/Unix/
match shell m|^(?:ba)?sh-\d\.\d+\w?\$ $| p/bind shell/ i/**BACKDOOR**/
o/Unix/
match shell m|^(?:ba)?sh: no job control in this
shell\n(?:ba)?sh-\d\.\d+\w?\$ $| p/bind shell/ i/**BACKDOOR**/ o/Unix/
match winshell m=^Microsoft Windows (2000|XP|NT 4\.0) \[Version
([\d.]+)\]\r\n\(C\) Copyright 1985-20\d\d Microsoft Corp\.\r\n\r\n=
p/Microsoft Windows cmd.exe/ v/$2/ i/**BACKDOOR**/ o/Windows $1/
match winshell m|^Microsoft Windows \[Version ([\d.]+)\]\r\n\(C\) Copyright
1985-20\d\d Microsoft Corp\.\r\n\r\n| p/Microsoft Windows cmd.exe/ v/$1/
i/**BACKDOOR**/ o/Windows/
match shell m|^bash: line 1: \$'\\r': command not found\nbash: line 2:
\$'\\r': command not found\n| p/Bash shell/ i/**BACKDOOR**/
match shell m|\r: bad character in file name: '/bin/\r'\n$| p/Plan 9 rc
shell/ i/**BACKDOOR**/ o/Plan 9/
What was that? Plan 9? Yes, lots of Plan 9 services were added, thanks to a
valuable contributor:
match imap m|^\* BYE imap4 connections must use ssl\n$| p/Plan 9 imapd/
i/must use ssl/ o/Plan 9/
match rexec m|^/bin/ip/rexexec: auth_proxy: auth_proxy rpc: negotiation
failed, no common protocols or keys\n| p/Plan 9 rexexec/ o/Plan 9/
match ssh m|^SSH-([\d.]+)-Plan9\r?\n| p/Plan 9 sshd/ i/protocol $1/ o/Plan
9/
match venti m|^venti-02-libventi\n| p/Plan 9 venti storage system/ o/Plan 9/
match ident m|^rc \(tcp113\): null list in concatenation\n| p/Plan 9
identd/ o/Plan 9/
match shell m|\r: bad character in file name: '/bin/\r'\n$| p/Plan 9 rc
shell/ i/**BACKDOOR**/ o/Plan 9/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Pegasus/Plan9\r\n|s p/Pegasus
httpd/ o/Plan 9/
match exportfs m|^(?:p9sk1@[\w._-]+ )*p9sk1@([\w._-]+)\0/bin/exportfs:
auth_proxy: auth_proxy rpc write: : invalid argument\n| p/Plan 9 exportfs/
o/Plan 9/ h/$1/
match smtp m|^220 ([\w._-]+) ESMTP\r\n250 2\.0\.0 See
http://www\.ietf\.org/rfc/rfc2821\r\n|
p|Plan 9 upas/smtpd| o/Plan 9/ h/$1/
match cpu m|^unsupported auth method\0| p/Plan 9 cpu/ o/Plan 9/
More on the subject of backdoors, we have a couple new fingerprints for
malware:
match darkcomet m|^[0-9A-F]{12}$| p/DarkComet RAT/ i/**BACKDOOR**/
match ftp m|^220 220 RMNetwork FTP\r\n$| p/Ramnit worm ftpd/ i/malware/
match rmmd m|^100 Rmmd version ([\w._ -]+?)\. *\r\n101 [\da-f]{32}\r\n|
p/Rmmd trojan/ v/$1/
Plus, the infamous TCP-32764 backdoor:
# https://github.com/elvanderb/TCP-32764
match scmm m|^MMcS\xff\xff\xff\xff\0\0\0\0| p/SerComm manufacturer
backdoor/ d/broadband router/
Replaced a bunch of haphazard Apache match lines with some
intentionally-ordered matches to cover possible future edge-cases and grab
as much correct info as possible:
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache[/
](\d[-.\w]+)\r.*\nX-Powered-By: PHP/([\w._-]+)\r\n|s p/Apache httpd/ v/$1/
i/PHP $2/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache\r.*\nX-Powered-By:
PHP/([\w._-]+)\r\n|s p/Apache httpd/ i/PHP $1/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache[/
](\d[-.\w]+)\r.*\nX-Powered-By: ([^\r\n]+)\r\n|s p/Apache httpd/ v/$1/ i/$2/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache\r.*\nX-Powered-By:
([^\r\n]+)\r\n|s p/Apache httpd/ i/$1/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache[/ ](\d[-.\w]+)
([^\r\n]+)|s p/Apache httpd/ v/$1/ i/$2/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache[/
](\d[.\w-]+)\s*\r?\n|s p/Apache httpd/ v/$1/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache\r\n|s p/Apache httpd/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache
+\(([^\r\n\)]+)\)\r\n|s p/Apache httpd/ i/$1/
These print servers had many different matches, but are all the same thing
so I consolidated them:
# Branded as Longshine, TRENDnet, TP-LINK, IOGear, Hawking
# Date is usually (always?) Mon, 24 Sep 2001 18:00:00 GMT
match http m|^HTTP/1\.0 \d\d\d .*\r\nDate: .* GMT\r\nMIME-version:
1\.0\r?\nServer: ZOT-PS-(\d+)/([\w._-]+)\r?\n| p/Zero One Technology $1
httpd/ v/$2/ d/print server/
Apple Filing Protocol (AFP) matches are tricky to determine what variance
is due to OS or application version, and what is due to configuration. I
was able to consolidate a lot of these matches by capturing the machine
type. Possible improvement would be to also capture the hardware version
(comma-separated digits after the hardware type which a user could use to
solidly pin down a range of OS X versions supported). Example:
match afp
m=^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*?(iMac|Mac(?:mini|Pro|Book(?:Air|Pro)?))\d+,\d+\x04\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03.\tDHCAST128.*[\x04\x05]([\w.-]+)\x01.afpserver=s
p/Apple AFP/ i/name: $1; protocol 3.3; Mac OS X 10.5 - 10.6; $2/ o/Mac OS
X/ h/$3/
PROTIP: If you're developing a honeypot, copy the response from a real
service, don't write your own:
match honeypot m|^HTTP/1\.0 200 OK\r\nAllow: OPTIONS, GET, HEAD,
POST\r\nContent-Length: 0\r\nConnection: close\r\n\r\n| p/Dionaea Honeypot
httpd/
match honeypot m|^SIP/2\.0 200 OK\r\nContent-Length: 0\r\nVia: SIP/2\.0/TCP
nm;branch=foo\r\nFrom: sip:nm@nm;tag=root\r\nAccept: application/sdp\r\nTo:
sip:nm2@nm2\r\nContact: sip:nm2@nm2\r\nCSeq: 42 OPTIONS\r\nAllow: REGISTER,
OPTIONS, INVITE, CANCEL, BYE, ACK\r\nCall-ID: 50000\r\nAccept-Language:
en\r\n\r\n| p/Dionaea Honeypot sipd/
match ms-sql-s
m|^\x04\x01\x00\x2b\x00\x00\x00\x00\x00\x00\x1a\x00\x06\x01\x00\x20\x00\x01\x02\x00\x21\x00\x01\x03\x00\x22\x00\x00\x04\x00\x22\x00\x01\xff\x08\x00\x02\x10\x00\x00\x02\x00\x00|
p/Dionaea honeypot MS-SQL server/
Used MS Windows version table lookups to generate detailed fingerprints for
ms-sql-s. These include service pack and major update info. Example:
match ms-sql-s
m|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x0a\x32\x06\x51|
p/Microsoft SQL Server 2008 R2/ v/10.50.1617; RTM+ MS11-049/ o/Windows/
Additionally, we have vastly improved detection of SSL and SSL-wrapped
services by expanding the port lists for the SSL probes, marking more
standard ssl-wrapped ports as sslports for the associated services, and
matching more TLS versions and handshake alerts. We also have a new probe,
TLSSessionReq, which adds some TLS features, ciphersuites, and extensions
that could cause the older SSLSessionReq request to fail to get a response
from a real TLS service. Discussion: http://seclists.org/nmap-dev/2015/q2/17
And finally, David Fifield did some great work on detecting Tor, including
a new tor-versions probe: http://seclists.org/nmap-dev/2015/q1/39
Happy scanning!
Dan
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Service fingerprint integration highlights Daniel Miller (May 29)