Nmap Development mailing list archives
service fingerprints && web service probe suggestion
From: Willem de Groot <willem () byte nl>
Date: Tue, 8 Dec 2009 16:45:33 +0100
G'day, See below for my service fingerprint submit. I'd like to note that, for people only scanning for http services, it may be worthwhile to add this line to nmap-service-probes, just below the null probe: ports 1-79,81-8079,8081-65535 Because http services generally do not advertise themselves upon connect, the null probe is of no use here. What's more, many routers/WAPs such as the Siemens Gigaset operate a default timeout < 5 sec. These services will be reported as "tcpwrapped" by nmap, unless the nullprobe is skipped. Happy scanning! Willem PS. the jewel below is definitely the Kesseltronics Car Wash Tunnel ;-) --- /home/willem/src/nmap/nmap-service-probes 2009-12-06 01:59:29.016066836 +0100 +++ /usr/share/nmap/nmap-service-probes 2009-12-08 16:39:04.407942572 +0100 @@ -3446,6 +3447,46 @@ # Needs to go before the Apache match lines -Doug match http-proxy m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache\r\n.*X-orenosp-filt:|s p/Orenosp reverse http proxy/ +match http m|^HTTP/1.0 401 Unauthorized\r\nServer: Apache/0.6.5\r\nPragma: no-cache\r\nContent-type: text/html\r\nWWW-Authenticate: Basic realm="System Setup"| p/BenQ wireless router http config/ i/such as AWL700/ d/WAP/ +match http m|^HTTP/1.0 200 OK\r\nServer: Apache/0.6.5\r\n.*<title>Web Server . Gigaset (\S+) WLAN dsl</title>|s p/Siemens Gigaset $1/ d/WAP/ +match http m|^HTTP/1.0 302 Found\r\nServer: Apache/0.6.5\r\n.*\r\nLocation: /relink_web.stm|s p/Siemens Gigaset/ d/WAP/ +match http m|^HTTP/1.0 200 OK\r\nServer: Apache/0.6.5\r\n.*src="top.stm\?pn1=ho3.gif&pn2=ad1.gif"|s p/Philips SNB5600 http config/ d/broadband router/ +match http m|^HTTP/1.0 200 OK\r\nServer: Apache/0.6.5\r\n.*\nvar PM="BBR-4MG";\n|s p/SMC7908VoWBRA http config/ d/broadband router/ +match http m!^HTTP/1\.[01] 302 .+(Location|LOCATION): .+/UE/welcome_login.html!s p/Allegro-Software-RomPager/ i/used by: Siemens Gigaset sx762 ADSL/ d/WAP/ +match http m|^HTTP.*<title>Gigaset sx762</title>|s p/Siemens Gigaset sx762 http config/ d/WAP/ +match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache.+<title>Welcome to eDR400--login</title>|s p/EverFocus PowerPlex security cam/ v/eDR400/ d/webcam/ +match http m|^HTTP.*Click here to popup <A href="javascript:capture\(\)">VigorCam\.</A></font>|s p/VigorCam/ d/webcam/ +match http m|^HTTP.*<TITLE>SMC7004VBR - LOGIN</TITLE>|s p/SMC7004VBR http config/ d/broadband router/ +match http m|^HTTP/1\.[10] 401 Unauthorized\r\nWWW-Authenticate: Basic realm="NETGEAR (WNR834B.{1,3})"| p/Netgear $1 http config/ d/WAP/ +match http m|^HTTP/1\.[01] 302 Redirect\r\nSet-Cookie: CrushAuth=| p/CrushFTP Webserver/ +match http m|^HTTP/1\.[01] 200 OK\r\nConnection: Close\r\nServer: LANCOM (\d+) (\S+)| p/Lancom $1 $2 http config/ d/broadband router/ +match http m|^HTTP/1\.[01] 401 Unauthorized\r\nWWW-Authenticate: Basic realm="(WGR\d\d\d.{1,4})"\r\n| p/Netgear $1 http config/ d/WAP/ +match http m|^HTTP/1\.[01] 401 Unauthorized\r\nServer: ISOS/9.0 UPnP/1.0 Conexant-EmWeb/R6_1_0\r\n| p/ISOS 9.0 UPnP 1.0 Conexant-EmWeb R6_1_0/ i/Allied Data Technologies/ d/broadband router/ +match http m|^HTTP/.*Server: Kerio MailServer (.+)\r\n|s p/Kerio MailServer Webmail/ v/$1/ +match http m|^HTTP/1\.[01] 401 Unauthorized\r\nWWW-Authenticate: Basic realm="MET-RV082"\r\n| p/Linksys MET-RV082 http config/ d/broadband router/ +match http m|^HTTP.*<meta http-equiv="refresh" content="0;url=/login.html\?1600&0">|s p/Digia II Video Surveillance System/ i/default login: root, 1111/ d/webcam/ +match http m|^HTTP/1.[01] 401 Unauthorized Access Denied\r\nServer: Intoto Http Server.+\r\nWWW-Authenticate: Basic realm="WRT54G"| p/Linksys WRT54G http config/ i/running Intoto httpd/ d/WAP/ +match http m|^HTTP/1.0 404 Not Found !!!\r\nPragma: no-cache\r\nContent-type: text/html\r\nWWW-Authenticate: /nice ports,/Trinity.txt.bak| p/Draytek http config/ d/broadband router/ +match http m|^HTTP.*Server: eRez Imaging Server\r\n|s p/eRez Imaging Server/ +match http m|^HTTP/1.1 401 Unauthorized\r\nConnection: Keep-Alive\r\nContent-Length: \d+\r\nContent-Type: text/html\r\nServer: NetIXServer \(([\d\.]+)\)| p/NetIXServer Administration/ v/$1/ +match http m|^HTTP.*WWW-Authenticate: Basic realm="SITECOM (WL-\d+)"|s p/Sitecom $1 http config/ d/WAP/ +match http m|^HTTP/1.1 401 Unauthorized\nWWW-Authenticate: Digest realm="i3micro VRG", nonce="\d+", qop="auth", algorithm=MD5| p/i3micro VRG/ d/VoIP adapter/ +match http m|^HTTP/1.0 302 Found\r\nLocation: /control/userimage.html\r\n| p/Mobotix Camera/ d/webcam/ +match http m|^HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: \d+\r\nServer: Indy/(.+)\r\n| p/Indy/ v/$1/ +match http m|^HTTP.*<TITLE>\r\nXerox WorkCentre 7345|s p/Xerox WorkCentre 7345/ d/printer/ +match http m|^HTTP/1.0 200 OK\r\nDate:.+\r\nServer: WYM/([\d\.]+)\r\n| p/WYM webserver/ v/$1/ i/possibly Yoics 9100a webcam/ d/webcam/ +match http m|^HTTP/1.0 200 OK\r\nServer: iCanWebServer/([\d\.]+)\r\n| p/iCanTek webcam server/ v/$1/ d/webcam/ +match http m|^HTTP/1.0 401 Unauthorized\r\nDate:.+\r\nConnection: close\r\nServer: Microsoft-WinCE/5.0\r\nSet-Cookie:.+\r\nWWW-Authenticate: Basic Realm="Kesseltronics"| p/Kesseltronics car wash tunnel/ d/specialized/ +match http m|^HTTP/1.0 302 Temporary moved\r\nServer: Cisco AWARE ([\d\.]+)\r\n| p/Cisco AWARE/ v/$1/ +match http m|^HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Prestige ([\d\-\.]+)"\r\n| p/Zyxel Prestige http config/ d/broadband router/ +match http m|^HTTP/1.0 200 OK\r\nServer: TeamWARE URL Service/([\d\-\.]+)\r\n| p/TeamWARE URL Service/ v/$1/ +match http m|^HTTP/1.0 200 HTTP OK\r\nServer: Serv-U/([\d\-\.]+)\r\n| p/Serv-U FTP webserver/ v/$1/ +match http m|^HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm="/webpages"\r\nServer: DigiSprite\r\n| p/Digisprite httpd/ i/Chubb webcam, Dedicated Micros webcam/ d/webcam/ +match http m|^HTTP.+\n<div style="color: #737373; font-size: 9px">RouterOS ([\d\-\.]+) administration page</div>|s p/Mikrotik router http config/ v/$1/ d/broadband router/ +match http m|^HTTP/1.0 401 Unauthorized\r\nDate:.+\r\nWWW-Authenticate: Basic realm="GN-B41G"| p/Gigabyte GN-B41G router http config/ d/broadband router/ +match http m|^HTTP/1.0 200\r\nContent-type: text/html\r\nConnection: close\r\nContent-Length: \d+\r\n\r\n<html>\r\n<head><title>BARIX Instreamer| p/Barix Instreamer http config/ d/specialized/ +match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: thttpd/.*<meta name="description" content="NC822A">|s p/NC822A webcam/ i/aka Sitecom WL-404/ d/webcam/ +match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: thttpd/.*<meta name="description" content="WVC54GCA">|s p/Linksys WVC54GCA webcam/ d/webcam/ match http m|^HTTP/1\.0 \d\d\d .*\r\n(.*\r\n)?Server: MochiWeb/(\d[-.\w]+) \([-.'\w\s]+\)\r\n| p/MochiWeb Erlang HTTP library/ v/$2/ match http m|^HTTP/1\.0 200 OK\r\nServer: Apache/([\d.]+)\r\nPragma: no-cache\r\nDate: .*<title></title>\r\n.*\r\nvar my_upnp = 1;\r\n// backup log and config\r\nvar PM = \"7004ABR\";|s p/SMC Broadband router 7004ABR http config/ i/Identifies as Apache $1/ d/broadband router/ match http m|^HTTP/1\.0 401 Unauthorized\r\nPragma: no-cache\r\nContent-type: text/html\r\nWWW-Authenticate: Basic realm=\"Login to the Router Web Configurator\"\r\n\r\n<html>\n <head>\n <title>401 Unauthorized</title>\n </head>\n<body>\n\n<div align=\"center\">| p/Draytek Vigor aDSL router webadmin/ d/broadband router/ _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- service fingerprints && web service probe suggestion Willem de Groot (Dec 08)
- Re: service fingerprints && web service probe suggestion Fyodor (Dec 09)
- Re: service fingerprints && web service probe suggestion Willem de Groot (Dec 13)
- Re: service fingerprints && web service probe suggestion David Fifield (Dec 31)
- Re: service fingerprints && web service probe suggestion Willem de Groot (Dec 13)
- Re: service fingerprints && web service probe suggestion Fyodor (Dec 09)