
Nmap Development mailing list archives
December 2009 service detection highlights
From: David Fifield <david () bamsoftware com>
Date: Thu, 31 Dec 2009 18:03:57 -0700
I just finished integrating service fingerprint submissions since February 2009. When you fill out a service submission or correction at http://nmap.org/submit/, your submission gets processed by a human and turned into regular expressions.

In this round, the size of the database file increased 14% from 7468 to 8501. It's hard to quantify that in a number of matches, because some matches get modified, others get combined, etc.

I didn't keep track of interesting submissions as I was going through but here are some from the diff just now.

Here are two fingerprints for parts of an Integrated Library System. In this case "library" is a building with books.

match millennium-ils m|^\"Thread-15\" prio=5 \(RUNNABLE\)\r\n------------------------------\r\njava\.lang\.ProcessImpl\.waitFor\(Native Method\)\r\ncom\.iii\.miltoolbarpanel\$ToolbarProcess\$1\.run\(miltoolbarpanel\.java:1168\)\r\n\r\n| p/III Millennium Integrated Library System/
match 3m-sip m|^Invalid request string: Request string is: \"\r\"$| p/Standard Interchange Prototol 2.0/ i/Integrated Library System authentication; Civica Spydus 7/

Three revision control systems. I don't know how the Git one will change on a non-GitHub server.

match netsync m|^\x06\x02[^\x01]+\x01.([\w._@-]+)[^\x01]+\x01|s p/Netsync/ v/6/ i/Monotone VCS/
match git m|^0077ERR \n Your Git client has made an invalid request:\n GET / HTTP/1\.0\r\n\r\n\n Visit http://support\.github\.com for help$| p/Git/ i/GitHub/
match bzr m|^error\x01Generic bzr smart protocol error: bad request '\\r'\n$| p/Bazaar VCS bzr serve/

This is great. A service scan of these devices will reveal their temperature.

# *B1E1 is magic. Protocol implementation at
# http://www.papouch.com/shop/scripts/soft/tmedotnet/readme.asp
match papouch-tme m|^\*B1E1([\+-]\d\d\d\.\d)\r$| p/Papouch TME Ethernet thermometer/ i/temperature: $1 C/
match http m|^HTTP/1\.0 200 OK\r\nContent-type: text/html\r\nConnection: close\r\n\r\n.*<title>Hollis</title>.*<td id=b>Indoor</td><td id=c bgcolor=green>([\d.]+)</td><td id=b>°F</td></tr><tr><td id=b>Indoor Set Temp\.</td><td id=c><input type=text name=setTemp size=10 maxlength=10 value=([\d.]+)></td><td id=b>°F <input type=submit name=7 value=\"Apply\"></td></tr><tr><td id=b>Outdoor temp</td><td id=c bgcolor=green>([\d.]+)</td><td id=b>°F</td></tr></table></form></body></html>$| p/ControlByWeb httpd/ i/Temperature (F): indoor $1 (set to $2), outdoor $3/ d/specialized/

There were a surprising number of Freenet-related submissions.

match nntp m|^200 Service available, posting allowed\r\n| p/Freenet Message System nntpd/
match http m|^HTTP/1\.0 200 OK\r\nConnection: Close\r\nContent-Type: text/html\r\nDate: Tue, 28 Jul 2009 12:43:48 GMT\r\n\r\n<html xml:lang=\"en\" xmlns=\"http://www\.w3\.org/1999/xhtml\">\r\n<head>\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\r\n<title>FMS : Freenet Message System</title>| p/Freenet Message System web client/
match http-proxy m%^HTTP/1\.1 200 OK\r\nConnection: close\r\n.*<title>Browse Freenet \(Node id\|(\d+)\) - Freenet</title>%s p/Freenet Fproxy/ i/node id $1/
match fcp m|^ProtocolError\nFatal=true\nCodeDescription=ClientHello must be first message\nCode=1\nEndMessage\n$| p/Freenet Client Protocol 2.0/

And not one but two IP-over-DNS tunnels.

match iodine m|^\x80\xa7\x84\0\0\x01\0\x01\0\0\0\0.*\0\0\x0a\0\x01\xc0\x0c\0\n\0\x01\0\0\0\0\0\x05BADIP$| p/iodine IP-over-DNS tunnel/
match nstx m|^\0\x06\x84\x80\0\x01\0\x01\0\0\0\0\x07version\x04bind\0\0\x10\0\x01\xc0\x0c\0\x10\0\x01\0\0\0\0| p/NSTX IP-over-DNS tunnel/

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
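
Added example, not part of the original message and not Nmap's own code: a small Python reader for two of the match lines quoted above, showing how the pattern delimiter, the trailing `s` option and the `$1` placeholder in `i/.../` turn a banner into reported version info. The function names and sample banners are constructed for illustration, and Python's `re` stands in for the PCRE engine Nmap uses.

```python
import re

# Two match lines copied from the message (raw strings keep the backslashes literal).
PAPOUCH = r"match papouch-tme m|^\*B1E1([\+-]\d\d\d\.\d)\r$| p/Papouch TME Ethernet thermometer/ i/temperature: $1 C/"
FPROXY = (r"match http-proxy m%^HTTP/1\.1 200 OK\r\nConnection: close\r\n.*<title>Browse Freenet "
          r"\(Node id\|(\d+)\) - Freenet</title>%s p/Freenet Fproxy/ i/node id $1/")

FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL}  # the two options nmap allows after the pattern


def parse_match(line):
    """Split 'match <service> m<delim><regex><delim>[opts] <field>/<text>/ ...'."""
    keyword, service, rest = line.split(" ", 2)
    if keyword != "match" or rest[0] != "m":
        raise ValueError("not a match line")
    delim = rest[1]                      # '|' or '%' here; chosen so it is absent from the regex
    end = rest.index(delim, 2)
    opts, _, fields_txt = rest[end + 1:].partition(" ")
    flags = 0
    for opt in opts:
        flags |= FLAGS[opt]
    # Banners are bytes, so compile a bytes pattern; re understands \r, \n, \xNN itself.
    regex = re.compile(rest[2:end].encode("latin-1"), flags)
    fields = {m.group(1): m.group(3)
              for m in re.finditer(r"([a-z])(\W)(.*?)\2(?:\s+|$)", fields_txt)}
    return service, regex, fields


def identify(line, banner):
    """Return (service, fields with $N filled in) if the banner matches, else None."""
    service, regex, fields = parse_match(line)
    hit = regex.search(banner)
    if hit is None:
        return None
    fill = lambda m: hit.group(int(m.group(1))).decode("latin-1")
    return service, {k: re.sub(r"\$(\d)", fill, v) for k, v in fields.items()}


# Constructed sample responses, not captured from real devices.
TME_BANNER = b"*B1E1+023.5\r"
FPROXY_BANNER = (b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n<html><head>"
                 b"<title>Browse Freenet (Node id|12345) - Freenet</title>")

if __name__ == "__main__":
    print(identify(PAPOUCH, TME_BANNER))
    print(identify(FPROXY, FPROXY_BANNER))
```

The Fproxy line uses `%` as its delimiter because the regex itself contains `\|`, and it only matches because the `s` option lets `.*` cross the line breaks between the headers and the title.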