Nmap Development mailing list archives
Re: service-probe question: FTP services
From: doug () hcsw org
Date: Wed, 4 Feb 2009 00:10:27 +0000
On Tue, Feb 03, 2009 at 06:01:45PM -0600 or thereabouts, Tom Sellers wrote:
> Both of the following lines in nmap-service-probes:
>
> match ftp m|^220 ([-\w]+) FTP server \(Version (\d.[.\d]+) ([A-Z][a-z]{2} [A-Z][a-z]{2} [0-9]+ [0-9:]+ .* [21][0-9]+)\) ready\.\r\n| p/HP-UX 10.x ftpd/ h/$1/ v/$2/ o/HP-UX/ i/$3/
> match ftp m|^220 ([-\w]+) FTP server \(Version (\d[-.\w]+) [A-Z][a-z]{2} [A-Z][a-z]{2} .*\) ready\.\r\n| p/AIX ftpd/ h/$1/ v/$2/ o/AIX/
>
> will match the following FTP banner:
>
> 220 mytesthost FTP server (Version 6.1 Mon Oct 18 04:11:03 CDT 2011) ready.
>
> One line indicates HP-UX and the other AIX. The host I tested against was AIX but the service fingerprint indicated that it was an HP-UX 10.x machine. Removing the HP-UX match line allowed the fp to match the AIX line. Should these be changed to indicate both OSs or just edited to reference a generic ftp server?
Great catch, those lines are basically identical. I will merge them into one for HP-UX or AIX and if we see another false positive we can just make it general.
> Also, the following match line:
>
> match smtp m|^220 $| p/OpenBSD spamd/
>
> will trigger incorrectly on
>
> match ftp m|^220 IB-21E Ver ([\d.]+) FTP server\.\r\n| p/Kyocera IB-21E ftpd/ v/$1/ d/print server/
>
> I have not quite figured out why. When I remove the OpenBSD spamd entry it fingerprints correctly.
That's a tough one. I think spamd is an attempt to sandbag spammers but I can see how it could result in false positives especially if an FTP does something like write(sd, "220 ", 4) and the Nagle algorithm isn't enabled (perhaps because it's a simplistic device like a print server). I'm open to suggestions on this one.
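As an added example (not code from this thread or from Nmap itself), the following Python script loads the four match lines quoted above using Python's re in place of Nmap's PCRE, checks Tom's AIX banner to show that both the HP-UX and AIX lines fire and the earlier one in file order decides the fingerprint, and models the "220 " fragmentation doug describes for the spamd line. The Kyocera banner text and the split of the banner into two reads are constructed for illustration.

```python
import re

# Match lines exactly as quoted in the thread (nmap-service-probes syntax).
MATCH_LINES = [
    r"match ftp m|^220 ([-\w]+) FTP server \(Version (\d.[.\d]+) ([A-Z][a-z]{2} [A-Z][a-z]{2} [0-9]+ [0-9:]+ .* [21][0-9]+)\) ready\.\r\n| p/HP-UX 10.x ftpd/ h/$1/ v/$2/ o/HP-UX/ i/$3/",
    r"match ftp m|^220 ([-\w]+) FTP server \(Version (\d[-.\w]+) [A-Z][a-z]{2} [A-Z][a-z]{2} .*\) ready\.\r\n| p/AIX ftpd/ h/$1/ v/$2/ o/AIX/",
    r"match smtp m|^220 $| p/OpenBSD spamd/",
    r"match ftp m|^220 IB-21E Ver ([\d.]+) FTP server\.\r\n| p/Kyocera IB-21E ftpd/ v/$1/ d/print server/",
]


def parse_match_line(line):
    """Split 'match <service> m<delim>regex<delim>[flags] <fields>' into
    (service, compiled regex, product). Only the p/.../ field is kept.
    Nmap uses PCRE; Python's re is close enough for these patterns."""
    service, rest = line.split(" ", 2)[1:]          # drop the leading 'match'
    delim = rest[1]                                  # character after 'm'
    end = rest.index(delim, 2)
    pattern, tail = rest[2:end], rest[end + 1:]
    flags = re.match(r"[is]*", tail).group(0)        # optional i / s flags
    reflags = (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0)
    product = re.search(r"p/([^/]*)/", tail)
    return service, re.compile(pattern, reflags), product.group(1) if product else ""


COMPILED = [parse_match_line(l) for l in MATCH_LINES]


def matching_products(banner, compiled=COMPILED):
    """Products whose regex matches, in file order. Nmap stops at the first
    hit, so when two lines overlap the earlier one decides the fingerprint."""
    return [prod for (_svc, rx, prod) in compiled if rx.match(banner)]


def matches_per_read(chunks, compiled=COMPILED):
    """Model a banner arriving in several TCP segments. Nmap retries its match
    lines against the data accumulated so far after each read, so a bare
    '220 ' fragment can already satisfy the spamd line (assumption taken from
    doug's write(sd, "220 ", 4) explanation, not from a captured trace)."""
    buf, seen = "", []
    for chunk in chunks:
        buf += chunk
        seen.append(matching_products(buf, compiled))
    return seen


AIX_BANNER = "220 mytesthost FTP server (Version 6.1 Mon Oct 18 04:11:03 CDT 2011) ready.\r\n"
KYOCERA_CHUNKS = ["220 ", "IB-21E Ver 1.0 FTP server.\r\n"]   # constructed split

if __name__ == "__main__":
    print(matching_products(AIX_BANNER))    # both fire; HP-UX is listed first
    print(matches_per_read(KYOCERA_CHUNKS))  # spamd on the fragment, Kyocera on the whole
```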
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org