Nmap Development mailing list archives
[PATCH] Replace kibuvDetection.nse with service matchline
From: Kris Katterjohn <katterjohn () gmail com>
Date: Sun, 25 May 2008 17:07:28 -0500
Hey everyone,

I've attached a patch to replace the kibuvDetection.nse script with a service detection matchline, like the mswindowsShell.nse script that was removed[1]. Not only is the script obscure[2], but one of the banners matched against is already present in nmap-service-probes (although it just reported it as an unknown ftp backdoor).

I removed the $ anchor that was used in the original matchline because I don't think it's correct[3], and I also changed the newline pattern from "\n" to "\r?\n" because I'm not sure which it is and the script doesn't match it (Kibuv.b is on Windows so I'd assume it's "\r\n").

Can the matchlines be improved, or is there any particular reason to keep the script?

Thanks,
Kris Katterjohn

[1] http://seclists.org/nmap-dev/2008/q2/0257.html
[2] http://seclists.org/nmap-dev/2008/q2/0272.html
[3] http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KIBUV.B&VSect=T
Index: nmap-service-probes =================================================================== --- nmap-service-probes (revision 7666) +++ nmap-service-probes (working copy) @@ -85,6 +85,7 @@ match backdoor m|^220 SSL Connection Established - Loading Protocol\.\.\.\.\r\n| p/dhcpse.exe/ i/**BACKDOOR**/ o/Windows/ match backdoor m|^A-311 Death welcome\x001| p/Haxdoor trojan/ i/**BACKDOOR**/ o/Windows/ match backdoor m|^220 CAFEiNi [-\w_.]+ FTP server\r\n$| p/CAFEiNi trojan/ i/**BACKDOOR**/ o/Windows/ +match backdoor m|^220 (Stny|fuck)Ftpd 0wns j0\r?\n| p/Kibuv.b worm/ i/**BACKDOOR**/ o/Windows/ match bf2rcon m|^### Battlefield 2 ModManager Rcon v([\d.]+)\.\n### Digest seed: \w+\n\n| p/Battlefield 2 ModManager Remote Console/ v/$1/ @@ -482,7 +483,6 @@ match ftp m=^220 \w+ IBM Infoprint (Color |)(\d+) FTP Server ([\d.]+) ready\.\r\n= p/IBM Inforprint $1$2 ftpd/ v/$3/ d/printer/ match ftp m|^220 ShareIt FTP Server ([\d.]+) \(WINCE\) Ready\.\r\n| p/ShareIt ftpd/ v/$1/ d/PDA/ match ftp m|^220 ShareIt FTP Pro ([\d.]+) \(WINCE\) Ready\.\r\n| p/ShareIt Pro ftpd/ v/$1/ d/PDA/ -match ftp m|^220 StnyFtpd 0wns j0\n$| p/Unknown ftp backdoor/ match ftp m|^220 ISOS FTP Server for Upgrade Purpose \(([\d.]+)\) ready\r\n| p/Billion 741GE ADSL router/ v/$1/ d/router/ match ftp m|^220 PV11 FTP Server ready\r\n| p/Unknown wireless acces point ftpd/ i/Runs Phar Lap RTOS/ d/router/ match ftp m|^220 Alize Session Manager FTP Server\r\n| p/Alcatel OmniPCX ftpd/ d/PBX/
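Review bot: The added Kibuv.b matchline in the first hunk is delimited with `|` (`m|...|`) but its pattern also contains `|` in `(Stny|fuck)`, so the regex would be cut off at `^220 (Stny`, because the match syntax ends the pattern at the next occurrence of the delimiter. Pick a delimiter that does not occur in the pattern, as the IBM Infoprint line in the second hunk's context does with `m=...=` around `(Color |)`. The group could also be non-capturing, since no `$1` is used in the version fields.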
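Review bot: The diff only touches nmap-service-probes; the removal of kibuvDetection.nse that the subject announces is not part of it, so applying this patch alone leaves the script in place next to the new matchline. Either include the script deletion or say that it follows separately. Dropping the `StnyFtpd` line in the second hunk also changes the service reported for that banner from `ftp` to `backdoor`, which is worth stating in the commit message.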
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
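An added example, not part of the original post or of Nmap: a small Python model of how a `match` line is split at its delimiter and applied to a banner, run over the old and new matchlines from the patch. Python's `re` stands in for Nmap's PCRE; the `FIXED` line (the new pattern with an `=` delimiter) and the sample banners are constructed for illustration.

```python
import re

# OLD and NEW are copied from the patch above. FIXED is a constructed variant
# of NEW that only swaps the m|...| delimiter for m=...= (an assumption, not
# part of the posted patch).
OLD = r"match ftp m|^220 StnyFtpd 0wns j0\n$| p/Unknown ftp backdoor/"
NEW = r"match backdoor m|^220 (Stny|fuck)Ftpd 0wns j0\r?\n| p/Kibuv.b worm/ i/**BACKDOOR**/ o/Windows/"
FIXED = r"match backdoor m=^220 (Stny|fuck)Ftpd 0wns j0\r?\n= p/Kibuv.b worm/ i/**BACKDOOR**/ o/Windows/"

# Constructed sample banners: LF-terminated, CRLF-terminated, second name.
LF = "220 StnyFtpd 0wns j0\n"
CRLF = "220 StnyFtpd 0wns j0\r\n"
ALT = "220 fuckFtpd 0wns j0\r\n"


def parse_matchline(line):
    """Split 'match <service> m<d><regex><d>[opts] <info>' into its parts.

    The character after 'm' is the delimiter and the pattern runs to the
    next occurrence of that character, so it cannot appear in the regex.
    """
    directive, service, rest = line.split(" ", 2)
    if directive not in ("match", "softmatch") or not rest.startswith("m"):
        raise ValueError("not a matchline: %r" % line)
    delim = rest[1]
    end = rest.index(delim, 2)
    pattern = rest[2:end]
    opts, _, info = rest[end + 1:].partition(" ")
    flags = (re.I if "i" in opts else 0) | (re.S if "s" in opts else 0)
    return service, pattern, flags, info


def identify(line, banner):
    """Return (service, product) on a match, None on no match, or the
    string 'bad regex' if the extracted pattern does not compile."""
    service, pattern, flags, info = parse_matchline(line)
    try:
        rx = re.compile(pattern, flags)
    except re.error:
        return "bad regex"
    if not rx.search(banner):
        return None
    product = re.search(r"\bp/([^/]*)/", info)
    return service, product.group(1) if product else None
```
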
Current thread:
- [PATCH] Replace kibuvDetection.nse with service matchline Kris Katterjohn (May 25)
- Re: [PATCH] Replace kibuvDetection.nse with service matchline Fyodor (May 25)
- Re: [PATCH] Replace kibuvDetection.nse with service matchline Brandon Enright (May 25)
- Re: [PATCH] Replace kibuvDetection.nse with service matchline Kris Katterjohn (May 25)