Nmap Development mailing list archives

Service fingerprint integration highlights


From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 9 Mar 2016 23:59:09 -0600

We processed 508 service fingerprint submissions from October 2015 to
January 2016. We added 224 new match lines (up 2.2%) including 12 new
softmatches for services like websocket, bgp, memcached, and minecraft-pe.

Here's a live feed of ADS-B flight data from commercial aircraft:
+match basestation m=^(?:MSG|SEL|ID|AIR|STA|CLK)(?:,[^,\r\n]*){9,21}\r\n=
p/ADS-B flight data/

Protocol Buffers
+match clementine m|^\0\0\0.\x08\x0c\x10\.\xa2\x01.\x08.|s p/Clementine
music player remote control/ v/1.2.1/
cpe:/a:clementine-player:clementine:1.2.1/
+match ipfs
m|^\0\0..\n\x10................\x12.*\x1a.(?:P-\d+,?)+".[\w.,_-]+\*.[\w.,_-]+$|s
p/InterPlanetary File System peer/

Throwback Thursday: a classic BBS
+match telnet m|^\r\nSynchronet BBS for (\w+)  Version (\d[-.\w]+)\r\n|
p/Synchronet BBS/ v/$2/ o/$1/ cpe:/a:rob_swindell:synchronet:$2/

A virus claiming to be "good," the prosumware "Reincarna/Linux.Wifatch":
+match telnet m|^\nREINCARNA / Linux\.Wifatch\n\nYour device has been
infected by REINCARNA / Linux\.Wifatch\.\n\n| p|Reincarna/Linux.Wifatch
virus| i/**MALWARE**/

This is just silly:
+match telnet
m|^\xff\xfc\x01\xff\xfb\x03\xff\xfc'\xff\xfd\x01\xff\xfd\x03\xff\xfd\x18\xff\xfd\x1f\xff\xfe"\xff\xfd'\x1bkNyanyanyanyanyanyanya\.\.\.\x1b\\\x1b\]1;Nyanyanyanyanyanyanya\.\.\.\x07\x1b\]2;Nyanyanyanyanyanyanya\.\.\.\x07\x1b\[H\x1b\[2J\x1b\[\?25l\r\0\n\r\0\n\r\0\n
{29}\x1b\[1mNyancat Telnet Server| p/Nyancat telnet server/
cpe:/a:kevin_lange:nyancat/

IoT:
+match telnet
m|^\xff\xfd\x01\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\x03\r\r\nKernel
([\d.]+) on \(/dev/pts/\d\)\r\n\rLedCard login: | p/XIXUN LedCard LED sign
control card telnetd/ d/specialized/ o/Linux $1/
cpe:/o:linux:linux_kernel:$1/a
+match http m|^HTTP/1\.1 200 OK\r\nDate: .*\r\nLast-Modified: .*\r\nEtag:
"[a-f\d]+\.\d+"\r\nContent-Type: text/html\r\nContent-Length:
\d+\r\nConnection: close\r\nAccept-Ranges: bytes\r\n\r\n<!doctype
html>\n<html lang="en">\n    <head>\n {8}<meta charset="utf-8">\n
{8}<title>Z-Way UI selection</title>| p/Z-Way home automation controller/
cpe:/a:z-wave.me:z-way/ d/specialized/

OpenBSD launched their own httpd, and it hard-codes CSS forcing Comic Sans
on error pages:
+# Server header is usually "OpenBSD httpd" but compile-time configurable.
CSS however is literal string, but only for abort responses.
+match http m|^HTTP/1\.0 [345]\d\d .*\r\nDate: [^\r\n]*\r\nServer:
[^\r\n]*\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length:
\d+\r\n.*\r\n<!DOCTYPE html>\n<html>\n<head>\n<title>[^<]*</title>\n<style
type="text/css"><!--\nbody \{ background-color: white; color: black;
font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif;
\}|s p/OpenBSD httpd/ cpe:/a:openbsd:httpd/
+match http m|^HTTP/1.1 [126-9]\d\d .*\r\nServer: OpenBSD httpd\r\n|s
p/OpenBSD httpd/ cpe:/a:openbsd:httpd/
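Review bot: the `.` in `^HTTP/1.1` on the second OpenBSD match line is unescaped, while the line just above writes `HTTP/1\.0`; it still matches because `.` covers a literal dot, but escaping it (`HTTP/1\.1`) keeps the two lines consistent and avoids matching an unintended byte in that position.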

Several services were more accurately identified as the ICY service:
-match peercast m|^OK2\r\nicy-caps:\d+\r\n\r\nOK\r\n$| p/Peercast/
+match icy m|^OK2\r\nicy-caps:\d+\r\n\r\nOK\r\n$| p/Peercast/
-match http m|^HTTP/1\.0 200 OK\r\nContent-Type:
audio/mpeg\r\nicy-br:([\d.]+)\r\n.*icy-name:([^\r\n]+)\r\n.*Server: Icecast
([\d.]+)\r\n\r\n|s p/Icecast streaming media server/ v/$3/ i/Name $2;
Bitrate $1/
+match icy m|^HTTP/1\.0 200 OK\r\nContent-Type:
audio/mpeg\r\nicy-br:([\d.]+)\r\n.*icy-name:([^\r\n]+)\r\n.*Server: Icecast
([\d.]+)\r\n\r\n|s p/Icecast streaming media server/ v/$3/ i/Name $2;
Bitrate $1/
-match shoutcast m|^ICY \d\d\d .*SHOUTcast Distributed Network Audio
Server/Linux.v([\d.]+)|s p/SHOUTcast server/ v/$1/ o/Linux/
cpe:/a:shoutcast:dnas:$1/ cpe:/o:linux:linux_kernel/a
+match icy m|^ICY \d\d\d .*SHOUTcast Distributed Network Audio
Server/Linux.v([\d.]+)|s p/SHOUTcast server/ v/$1/ o/Linux/
cpe:/a:shoutcast:dnas:$1/ cpe:/o:linux:linux_kernel/a

A controller for physical door locks:
+match http m|^HTTP/1\.1 200 OK\r\nDate: .*\r\nSet-Cookie:
SiteName64=[^;]+; Expires=Sat, 31 Dec 2050 23:59:59 GMT\r\nSet-Cookie:
SiteName=([^;]+);.*\r\nSet-Cookie: SiteAddress64=.*\r\nSet-Cookie:
SiteAddress=([^;]+);.*\r\nSet-Cookie: Build64=.*\r\nSet-Cookie:
Build=(\d+);.*\r\nSet-Cookie: Version64=.*\r\nSet-Cookie:
Version=([^;]+);.*\r\nCONTENT-LENGTH: \d+\r\n| p/aPod Access Control system
master controller/ v/$SUBST(4,"%2E",".")/ i/site: $SUBST(1,"%20"," ");
address: $SUBST(2,"%20"," "); build: $3/ d/security-misc/
cpe:/a:online_security_technologies:apod:$SUBST(4,"%2E",".")/

Made great use of Shodan to find example services of some submissions.
Here, we used it to find 10 additional languages of ISA server: fr, es, pt,
de, it, ru, zh, zh_TW, ko, and ja.
+match http-proxy m|^HTTP/1\.1 502 Proxy Error \( La direcci\xc3\xb3n URL
\(Uniform Resource Locator\) no utiliza un protocolo reconocido\. El
protocolo no es compatible o la petici\xc3\xb3n no se escribi\xc3\xb3
correctamente\. Confirme que se utiliza un protocolo v\xc3\xa1lido \(por
ejemplo, HTTP para una petici\xc3\xb3n de web\)\.  \)\r\nVia: 1\.1
([\w.-]+)\r\n| p/Microsoft ISA Server http proxy/ o/Windows/ h/$1/
cpe:/a:microsoft:isa_server::::es/ cpe:/o:microsoft:windows/a i/Spanish/

And even more languages for I2P: de, es, fr, id, nl, pl, pt_br, pt, ro, ru,
sv, zh.
+match http-proxy m|^HTTP/1\.1 403 Bad Protocol\r\n.*<title>(?:I2P
)?Peringatan: Protokol Non-HTTP</title>\r\n<link rel=\"shortcut icon\"
href=\"http://proxy\.i2p/themes/console/images/favicon\.ico\"; ?>\r\n|s
p/I2P anonymizing http proxy/ i/Indonesian/ cpe:/a:i2p_project:i2p::::id/

Fixed a bug in the AFP service matches that made it not match on MacMini
hardware.

Minecraft Pocket Edition shows up on Sqlping probes:
+#
http://wiki.vg/Pocket_Minecraft_Protocol#ID_UNCONNECTED_PING_OPEN_CONNECTIONS_.280x1C.29
+match minecraft-pe
m|^\x1c................\0\xff\xff\0\xfe\xfe\xfe\xfe\xfd\xfd\xfd\xfd\x12\x34\x56\x78..MCCPP;Demo;([^;]+)|s
p/Minecraft Pocket Edition server/ v/pre-0.11/ i/Server Name: $P(1)/
cpe:/a:mojang:minecraft_pocket_edition/

Dan
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
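For readers who have not worked with the nmap-service-probes format, the following is an added example (not Nmap's code, and not part of Dan's post) of how the match lines quoted above are actually evaluated: the line is split into service name, regex with its i/s flags, and the p/ v/ i/ h/ o/ d/ cpe: version fields; the regex is run against a banner; and the $N, $P(N) and $SUBST(N,"old","new") helpers in the templates are filled from the capture groups. Assumptions: Python's re module on bytes stands in for Nmap's PCRE, only the template helpers that appear in the post are implemented, the three match lines are copied from the post with the mail wrapping undone, and all banners are constructed rather than captured.

```python
"""Evaluate nmap-service-probes 'match' lines against banners. Added example, not Nmap's
code nor from the post: parse 'match <service> m/regex/[flags] p/.../ ... cpe:/.../', apply
it, and fill $N, $P(N) and $SUBST(N,"old","new") from the capture groups. Python's re on
bytes stands in for Nmap's PCRE; only the template helpers seen in the post are handled."""
import re

FIELD_NAMES = ("cpe:", "p", "v", "i", "h", "o", "d")  # CPE, product, version, info, hostname, OS, device type

def parse_match_line(line):
    """Split one match line into service, compiled regex, template fields and CPE templates."""
    line = line.strip().lstrip("+")              # tolerate the '+' diff prefix used in the post
    kind, service, rest = line.split(None, 2)
    if kind not in ("match", "softmatch") or not rest.startswith("m"):
        raise ValueError("not a match line: %r" % line)
    end = rest.index(rest[1], 2)                 # Nmap forbids the delimiter inside the regex
    pattern, rest = rest[2:end], rest[end + 1:]
    flags = 0
    while rest and rest[0] in "is":              # i = case-insensitive, s = dot matches newline
        flags |= re.IGNORECASE if rest[0] == "i" else re.DOTALL
        rest = rest[1:]
    fields, cpes, pos = {}, [], 0
    while pos < len(rest):
        if rest[pos].isspace():
            pos += 1
            continue
        name = next((n for n in FIELD_NAMES if rest.startswith(n, pos)), None)
        if name is None:
            raise ValueError("unknown field near %r" % rest[pos:pos + 10])
        pos += len(name)
        delim = rest[pos]                        # each field picks its own delimiter, e.g. p|a/b|
        end = rest.index(delim, pos + 1)
        value, pos = rest[pos + 1:end], end + 1
        if name == "cpe:":
            if rest.startswith("a", pos):        # optional trailing 'a' flag: accepted, not used here
                pos += 1
            cpes.append("cpe:/" + value)
        else:
            fields[name] = value
    regex = re.compile(pattern.encode("latin-1"), flags)  # bytes: \w and \d stay ASCII as in PCRE
    return {"service": service, "regex": regex, "fields": fields, "cpes": cpes}

TEMPLATE_TOKEN = re.compile(
    r'\$(?:(?P<num>\d)|P\((?P<p>\d)\)|SUBST\((?P<sn>\d),"(?P<old>[^"]*)","(?P<new>[^"]*)"\))')

def expand(template, m):
    """Fill $N, $P(N) and $SUBST(N,"old","new") from the regex match groups."""
    def group(n):
        return (m.group(int(n)) or b"").decode("latin-1")
    def repl(tok):
        if tok.group("num"):
            return group(tok.group("num"))
        if tok.group("p"):                       # $P: keep printable ASCII only
            return "".join(c for c in group(tok.group("p")) if 32 <= ord(c) < 127)
        return group(tok.group("sn")).replace(tok.group("old"), tok.group("new"))
    return TEMPLATE_TOKEN.sub(repl, template)

def identify(banner, match_lines):
    """First matching line wins, as in Nmap; returns the expanded fields or None."""
    for rule in (parse_match_line(line) for line in match_lines):
        m = rule["regex"].search(banner)
        if m:
            result = {"service": rule["service"]}
            result.update((k, expand(v, m)) for k, v in rule["fields"].items())
            result["cpe"] = [expand(c, m) for c in rule["cpes"]]
            return result
    return None

# Three match lines from the post, rejoined onto single lines (mail wrapping undone).
MATCH_LINES = [
    r'match telnet m|^\r\nSynchronet BBS for (\w+)  Version (\d[-.\w]+)\r\n| '
    r'p/Synchronet BBS/ v/$2/ o/$1/ cpe:/a:rob_swindell:synchronet:$2/',
    r'match http m|^HTTP/1\.1 200 OK\r\nDate: .*\r\nSet-Cookie: SiteName64=[^;]+; Expires=Sat, '
    r'31 Dec 2050 23:59:59 GMT\r\nSet-Cookie: SiteName=([^;]+);.*\r\nSet-Cookie: SiteAddress64=.*\r\n'
    r'Set-Cookie: SiteAddress=([^;]+);.*\r\nSet-Cookie: Build64=.*\r\nSet-Cookie: Build=(\d+);.*\r\n'
    r'Set-Cookie: Version64=.*\r\nSet-Cookie: Version=([^;]+);.*\r\nCONTENT-LENGTH: \d+\r\n| '
    r'p/aPod Access Control system master controller/ v/$SUBST(4,"%2E",".")/ i/site: $SUBST(1,"%20"," "); '
    r'address: $SUBST(2,"%20"," "); build: $3/ d/security-misc/ '
    r'cpe:/a:online_security_technologies:apod:$SUBST(4,"%2E",".")/',
    r'match minecraft-pe m|^\x1c................\0\xff\xff\0\xfe\xfe\xfe\xfe\xfd\xfd\xfd\xfd'
    r'\x12\x34\x56\x78..MCCPP;Demo;([^;]+)|s p/Minecraft Pocket Edition server/ v/pre-0.11/ '
    r'i/Server Name: $P(1)/ cpe:/a:mojang:minecraft_pocket_edition/',
]

# Constructed banners (not real captures) exercising $N, $SUBST and $P respectively.
SYNCHRONET_BANNER = b"\r\nSynchronet BBS for Win32  Version 3.16\r\n"
APOD_BANNER = b"".join([b"HTTP/1.1 200 OK\r\nDate: Wed, 09 Mar 2016 12:00:00 GMT\r\n"] + [
    b"Set-Cookie: %s; Expires=Sat, 31 Dec 2050 23:59:59 GMT\r\n" % c for c in (
        b"SiteName64=QnVpbGRpbmcgQQ==", b"SiteName=Building%20A", b"SiteAddress64=MSBNYWluIFN0",
        b"SiteAddress=1%20Main%20St", b"Build64=MTIz", b"Build=123", b"Version64=Mi41LjE=",
        b"Version=2%2E5%2E1")] + [b"CONTENT-LENGTH: 512\r\n\r\n"])
MINECRAFT_BANNER = (b"\x1c" + bytes(16)                       # 0x1c, 16 arbitrary bytes, magic, length
                    + b"\0\xff\xff\0\xfe\xfe\xfe\xfe\xfd\xfd\xfd\xfd\x12\x34\x56\x78" + b"\0\x1a"
                    + b"MCCPP;Demo;Dan's World\x7f;0;20")     # the \x7f is dropped by $P(1)

def demo():
    banners = {"synchronet": SYNCHRONET_BANNER, "apod": APOD_BANNER,
               "minecraft": MINECRAFT_BANNER, "unknown": b"SSH-2.0-OpenSSH_7.2\r\n"}  # constructed
    return {name: identify(b, MATCH_LINES) for name, b in banners.items()}
```

Running `demo()` returns the expanded fields for each banner: the Synchronet banner yields version 3.16 and OS Win32 straight from `$2` and `$1`; the aPod banner shows why `$SUBST` exists, turning the URL-encoded cookie values `2%2E5%2E1` and `Building%20A` into a usable version and info string; and the Minecraft banner shows `$P(1)` stripping a non-printable byte out of the server name. The unknown banner returns None, which is the point of first-match-wins ordering: a line only fires when its anchored regex matches the whole prefix.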
