Home page logo
/

nmap-dev logo Nmap Development mailing list archives

[PATCH] Replace kibuvDetection.nse with service matchline
From: Kris Katterjohn <katterjohn () gmail com>
Date: Sun, 25 May 2008 17:07:28 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey everyone,

I've attached a patch to replace the kibuvDetection.nse script with a
service detection matchline, like the mswindowsShell.nse script that was
removed[1].

Not only is the script obscure[2], but one of the banners matched
against is already present in nmap-service-probes (although it just
reported it as an unknown ftp backdoor).

I removed the $ anchor that was used in the original matchline because I
don't think it's correct[3], and I also changed the newline pattern from
"\n" to "\r?\n" because I'm not sure which it is and the script doesn't
match it (Kibuv.b is on Windows so I'd assume it's "\r\n").

Can the matchlines be improved, or is there any particular reason to
keep the script?

Thanks,
Kris Katterjohn

[1] http://seclists.org/nmap-dev/2008/q2/0257.html
[2] http://seclists.org/nmap-dev/2008/q2/0272.html
[3]
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KIBUV.B&VSect=T


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBSDnjHv9K37xXYl36AQLAJw/+Mi3+JiC9/afG7AmtARqS5uH1hLbhLJUp
4791iUjNqodPOcReiG9rI9kP376/N+C5zo7ZeazIgjq9JyTV2Wj32oS17Q04mEdw
/6aG9aeQzGLFCyjwQcdzd6weDQcUK7GqvrPmEDLoHNez4HnV4sToo3BBy06I3dGt
GtZiEwI5M44hnOKDQ2ulHwtIgNhj8Bq2uci2nYRJ2PfxNe7YF9M3Zv339UQlQ2vJ
4K87f13puwJl+0gafJb8Rmr8CFGd9ukZiMpaZLxTtEmLoLAfvQ0ZNZxm1bYp21xF
4w75/F7YII7dmr0Hg5wqgY5YD6D5rY3PSUf7brgQ1U6ffTd1D6MjgClDEuN1l2UE
ChVhpxFgSfU/lcPGiVgyQtsPp0Fg4V7lhh1rh2pbErVnY2luQxbRBzCZErizSv0x
xcbrfI3hHnCwaTKRNts070k6Mk43QN2bn4IXxgGnNJdAeX0sYPVzoSCe5u5aMwCp
GgJgZ5CcShoUvRDOfOpYRF3teT14NeX5qbBeN6l7YUA8yLe2cC/9nZlS/1AMWAfN
ceJf6aNqUR/DD7wjQ36AHphBubVqS9ESQE7dKUk8TIEw0OW/ycPRH5DH6AuiDWDY
2CEKGFqDD+xvD3nv5e5BWUvm4foEvAkHBA+IWOZhixvzDmiQ8cxMqaiseUE2Kzky
ZSE4jwt6tqc=
=pDb/
-----END PGP SIGNATURE-----
Index: nmap-service-probes
===================================================================
--- nmap-service-probes (revision 7666)
+++ nmap-service-probes (working copy)
@@ -85,6 +85,7 @@
 match backdoor m|^220 SSL Connection Established - Loading Protocol\.\.\.\.\r\n| p/dhcpse.exe/ i/**BACKDOOR**/ 
o/Windows/
 match backdoor m|^A-311 Death welcome\x001| p/Haxdoor trojan/ i/**BACKDOOR**/ o/Windows/
 match backdoor m|^220 CAFEiNi [-\w_.]+ FTP server\r\n$| p/CAFEiNi trojan/ i/**BACKDOOR**/ o/Windows/
+match backdoor m|^220 (Stny|fuck)Ftpd 0wns j0\r?\n| p/Kibuv.b worm/ i/**BACKDOOR**/ o/Windows/
 
 match bf2rcon m|^### Battlefield 2 ModManager Rcon v([\d.]+)\.\n### Digest seed: \w+\n\n| p/Battlefield 2 ModManager 
Remote Console/ v/$1/
 
@@ -482,7 +483,6 @@
 match ftp m=^220 \w+ IBM Infoprint (Color |)(\d+) FTP Server ([\d.]+) ready\.\r\n= p/IBM Inforprint $1$2 ftpd/ v/$3/ 
d/printer/
 match ftp m|^220 ShareIt FTP Server ([\d.]+) \(WINCE\) Ready\.\r\n| p/ShareIt ftpd/ v/$1/ d/PDA/
 match ftp m|^220 ShareIt FTP Pro ([\d.]+) \(WINCE\) Ready\.\r\n| p/ShareIt Pro ftpd/ v/$1/ d/PDA/
-match ftp m|^220 StnyFtpd 0wns j0\n$| p/Unknown ftp backdoor/
 match ftp m|^220 ISOS FTP Server for Upgrade Purpose \(([\d.]+)\) ready\r\n| p/Billion 741GE ADSL router/ v/$1/ 
d/router/
 match ftp m|^220 PV11 FTP Server ready\r\n| p/Unknown wireless acces point ftpd/ i/Runs Phar Lap RTOS/ d/router/
 match ftp m|^220 Alize Session Manager FTP Server\r\n| p/Alcatel OmniPCX ftpd/ d/PBX/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault