Nmap Development mailing list archives
Service fingerprint integration highlights
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 9 Mar 2016 23:59:09 -0600
We processed 508 service fingerprint submissions from October 2015 to January 2016. We added 224 new match lines (up 2.2%) including 12 new softmatches for services like websocket, bgp, memcached, and minecraft-pe. Here's a live feed of ADS-B flight data from commercial aircraft: +match basestation m=^(?:MSG|SEL|ID|AIR|STA|CLK)(?:,[^,\r\n]*){9,21}\r\n= p/ADS-B flight data/ Protocol Buffers +match clementine m|^\0\0\0.\x08\x0c\x10\.\xa2\x01.\x08.|s p/Clementine music player remote control/ v/1.2.1/ cpe:/a:clementine-player:clementine:1.2.1/ +match ipfs m|^\0\0..\n\x10................\x12.*\x1a.(?:P-\d+,?)+".[\w.,_-]+\*.[\w.,_-]+$|s p/InterPlanetary File System peer/ Throwback Thursday: a classic BBS +match telnet m|^\r\nSynchronet BBS for (\w+) Version (\d[-.\w]+)\r\n| p/Synchronet BBS/ v/$2/ o/$1/ cpe:/a:rob_swindell:synchronet:$2/ A virus claiming to be "good," the prosumware Reincarna/Linux.Wifatch" +match telnet m|^\nREINCARNA / Linux\.Wifatch\n\nYour device has been infected by REINCARNA / Linux\.Wifatch\.\n\n| p|Reincarna/Linux.Wifatch virus| i/**MALWARE**/ This is just silly: +match telnet m|^\xff\xfc\x01\xff\xfb\x03\xff\xfc'\xff\xfd\x01\xff\xfd\x03\xff\xfd\x18\xff\xfd\x1f\xff\xfe"\xff\xfd'\x1bkNyanyanyanyanyanyanya\.\.\.\x1b\\\x1b\]1;Nyanyanyanyanyanyanya\.\.\.\x07\x1b\]2;Nyanyanyanyanyanyanya\.\.\.\x07\x1b\[H\x1b\[2J\x1b\[\?25l\r\0\n\r\0\n\r\0\n {29}\x1b\[1mNyancat Telnet Server| p/Nyancat telnet server/ cpe:/a:kevin_lange:nyancat/ IoT: +match telnet m|^\xff\xfd\x01\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\x03\r\r\nKernel ([\d.]+) on \(/dev/pts/\d\)\r\n\rLedCard login: | p/XIXUN LedCard LED sign control card telnetd/ d/specialized/ o/Linux $1/ cpe:/o:linux:linux_kernel:$1/a +match http m|^HTTP/1\.1 200 OK\r\nDate: .*\r\nLast-Modified: .*\r\nEtag: "[a-f\d]+\.\d+"\r\nContent-Type: text/html\r\nContent-Length: \d+\r\nConnection: close\r\nAccept-Ranges: bytes\r\n\r\n<!doctype html>\n<html lang="en">\n <head>\n {8}<meta charset="utf-8">\n {8}<title>Z-Way UI 
selection</title>| p/Z-Way home automation controller/ cpe:/a:z-wave.me:z-way/ d/specialized/ OpenBSD launched their own httpd, and it hard-codes CSS forcing Comic Sans on error pages: +# Server header is usually "OpenBSD httpd" but compile-time configurable. CSS however is literal string, but only for abort responses. +match http m|^HTTP/1\.0 [345]\d\d .*\r\nDate: [^\r\n]*\r\nServer: [^\r\n]*\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: \d+\r\n.*\r\n<!DOCTYPE html>\n<html>\n<head>\n<title>[^<]*</title>\n<style type="text/css"><!--\nbody \{ background-color: white; color: black; font-family: 'Comic Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; \}|s p/OpenBSD httpd/ cpe:/a:openbsd:httpd/ +match http m|^HTTP/1.1 [126-9]\d\d .*\r\nServer: OpenBSD httpd\r\n|s p/OpenBSD httpd/ cpe:/a:openbsd:httpd/ Several services were more accurately identified as the ICY service: -match peercast m|^OK2\r\nicy-caps:\d+\r\n\r\nOK\r\n$| p/Peercast/ +match icy m|^OK2\r\nicy-caps:\d+\r\n\r\nOK\r\n$| p/Peercast/ -match http m|^HTTP/1\.0 200 OK\r\nContent-Type: audio/mpeg\r\nicy-br:([\d.]+)\r\n.*icy-name:([^\r\n]+)\r\n.*Server: Icecast ([\d.]+)\r\n\r\n|s p/Icecast streaming media server/ v/$3/ i/Name $2; Bitrate $1/ +match icy m|^HTTP/1\.0 200 OK\r\nContent-Type: audio/mpeg\r\nicy-br:([\d.]+)\r\n.*icy-name:([^\r\n]+)\r\n.*Server: Icecast ([\d.]+)\r\n\r\n|s p/Icecast streaming media server/ v/$3/ i/Name $2; Bitrate $1/ -match shoutcast m|^ICY \d\d\d .*SHOUTcast Distributed Network Audio Server/Linux.v([\d.]+)|s p/SHOUTcast server/ v/$1/ o/Linux/ cpe:/a:shoutcast:dnas:$1/ cpe:/o:linux:linux_kernel/a +match icy m|^ICY \d\d\d .*SHOUTcast Distributed Network Audio Server/Linux.v([\d.]+)|s p/SHOUTcast server/ v/$1/ o/Linux/ cpe:/a:shoutcast:dnas:$1/ cpe:/o:linux:linux_kernel/a A controller for physical door locks: +match http m|^HTTP/1\.1 200 OK\r\nDate: .*\r\nSet-Cookie: SiteName64=[^;]+; Expires=Sat, 31 Dec 2050 23:59:59 GMT\r\nSet-Cookie: 
SiteName=([^;]+);.*\r\nSet-Cookie: SiteAddress64=.*\r\nSet-Cookie: SiteAddress=([^;]+);.*\r\nSet-Cookie: Build64=.*\r\nSet-Cookie: Build=(\d+);.*\r\nSet-Cookie: Version64=.*\r\nSet-Cookie: Version=([^;]+);.*\r\nCONTENT-LENGTH: \d+\r\n| p/aPod Access Control system master controller/ v/$SUBST(4,"%2E",".")/ i/site: $SUBST(1,"%20"," "); address: $SUBST(2,"%20"," "); build: $3/ d/security-misc/ cpe:/a:online_security_technologies:apod:$SUBST(4,"%2E",".")/ Made great use of Shodan to find example services of some submissions. Here, we used it to find 10 additional languages of ISA server: fr, es, pt, de, it, ru, zh, zh_TW, ko, and ja +match http-proxy m|^HTTP/1\.1 502 Proxy Error \( La direcci\xc3\xb3n URL \(Uniform Resource Locator\) no utiliza un protocolo reconocido\. El protocolo no es compatible o la petici\xc3\xb3n no se escribi\xc3\xb3 correctamente\. Confirme que se utiliza un protocolo v\xc3\xa1lido \(por ejemplo, HTTP para una petici\xc3\xb3n de web\)\. \)\r\nVia: 1\.1 ([\w.-]+)\r\n| p/Microsoft ISA Server http proxy/ o/Windows/ h/$1/ cpe:/a:microsoft:isa_server::::es/ cpe:/o:microsoft:windows/a i/Spanish/ And even more languages for I2P: de, es, fr, id, nl, pl, pt_br, pt, ro, ru, sv, zh +match http-proxy m|^HTTP/1\.1 403 Bad Protocol\r\n.*<title>(?:I2P )?Peringatan: Protokol Non-HTTP</title>\r\n<link rel=\"shortcut icon\" href=\"http://proxy\.i2p/themes/console/images/favicon\.ico\" ?>\r\n|s p/I2P anonymizing http proxy/ i/Indonesian/ cpe:/a:i2p_project:i2p::::id/ Fixed a bug in the AFP service matches that made it not match on MacMini hardware. Minecraft Pocket Edition shows up on Sqlping probes: +# http://wiki.vg/Pocket_Minecraft_Protocol#ID_UNCONNECTED_PING_OPEN_CONNECTIONS_.280x1C.29 +match minecraft-pe m|^\x1c................\0\xff\xff\0\xfe\xfe\xfe\xfe\xfd\xfd\xfd\xfd\x12\x34\x56\x78..MCCPP;Demo;([^;]+)|s p/Minecraft Pocket Edition server/ v/pre-0.11/ i/Server Name: $P(1)/ cpe:/a:mojang:minecraft_pocket_edition/ Dan
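Review bot: in the second OpenBSD httpd match, the pattern opens with "^HTTP/1.1 [126-9]\d\d" and leaves the dot in the version unescaped, so it matches any character in that position, while the match line directly above it writes "HTTP/1\.0". Suggest "^HTTP/1\.1" so the two lines are consistent and the literal is exact.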
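Review bot: the three ICY hunks need a comment or changelog note, because the service name is the only thing that changes: "peercast", "http" and "shoutcast" all become "icy" while the patterns and p/ fields stay identical, so anything that filters results on the old service names will stop seeing these servers. While the SHOUTcast line is being touched, "Server/Linux.v" also carries an unescaped dot over from the removed line; "Linux\.v" would be exact.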
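Review bot: in the XIXUN LedCard telnet match, "\(/dev/pts/\d\)" accepts only a single-digit pty number, so the line stops matching when the banner reports /dev/pts/10 or higher. Suggest "\d+" there unless the device is known never to allocate more than ten ptys, in which case a comment saying so would help.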
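Review bot: the minecraft-pe match hard-codes "v/pre-0.11/" but nothing in the pattern captures a version, and the comment above it only links the protocol page. Suggest a second comment line stating what in the response marks it as pre-0.11, so a later editor knows when the version string has to change. The same applies to the fixed "v/1.2.1/" and versioned cpe on the clementine match, whose pattern is mostly wildcards.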