Nmap Development mailing list archives

Service fingerprint integration highlights


From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 29 Oct 2015 11:19:05 -0500

Since February we have added 259 service match lines, a 2.5% increase. Of
those, 9 were new softmatches for services including http, openflow,
hadoop-ipc, domain, smtp, ftp, and postgresql.

We dealt with a few false-positive match problems of note:
* The sslstrip http-proxy match for the GenericLines probe was commented
out. Several products return a bare HTTP 400 error for this probe, so it's
not a good candidate.
* The Apache http softmatch was changed to add a negative lookahead
'(?!400)' to prevent matching 400 errors, which can be sent plaintext by an
HTTPS service.
* The Landesk "match 264 random bytes" regex was expanded to avoid matching
HTTP services with a similar '(?!HTTP)'.
* We moved a big block of generic Apache fingerprints down near the bottom
of the http section of GetRequest matches so that more-specific match lines
can match first.

If you wanna ride in my Mercedes, you better probe port 2000/tcp:
match telematics m|^<auth-request rca-id=\"1\" version=\"([\d.]+)\" car-line=\"([^"]+)\" telematics=\"([^"]+)\" phase=\"NEGOTIATE_PARAMS\"/>\0<auth-ack result=\"FALSE\" reason=\"APP_NOT_SUPPORTED\"/>\0| p/Mercedes telematics/ v/$1/ i/model: $2; telematics: $3/

Care to sequence your genome over the Internet?
match dnastar m|^....\0{7}.,PSH,[\x21-\x7e]{55}\0{800}|s p/Dnastar Lasergene/ cpe:/a:dnastar:lasergene/

OpenFlow Software Defined Networking (SDN) is an interesting service that
we get submissions for occasionally. It really should get an NSE script, so
I added a suggestion to the Script Ideas page on SecWiki:
https://secwiki.org/w/Nmap/Script_Ideas
# https://wiki.wireshark.org/OpenFlow
# 4-byte TXID is random in OpenDaylight, sequential in POX
softmatch openflow m|^\x01\0\0\x08....$| i/OpenFlow 1.0/

Did you know Python's multiprocessing module can communicate over TCP?
# Unfortunately, no authkey comes up tcpwrapped :( Need a good probe or NSE script.
match python-mp m|^\0\0\0\x1f#CHALLENGE#.{20}| p/Python multiprocessing.connection.Listener/ i/authkey set/ cpe:/a:python:python/

A few new services I labeled "textui" instead of "telnet" since they don't
actually do Telnet protocol negotiation. I'd gladly take suggestions for
how to better classify things. Here's a home automation system:
match textui m|^R:ERROR:6 \"Syntax Error\"\r\n| p/Vantage InFusion home automation controller port/

Thanks to Kristian Hermansen, we know Valve Steam's new in-home streaming
service responds to the Help probe, usually including its hostname:
match valve-steam m|^\xff\xff\xff\xff!L_\xa0.{28}\0\0\0\x08\x06\x10\x06\x18\x9c\xd3\x01\".([\w.-]+)0\x028| p/Valve Steam In-Home Streaming service/ h/$1/
match valve-steam m|^\xff\xff\xff\xff!L_\xa0| p/Valve Steam In-Home Streaming service/

A few malware listeners; perhaps we should mark these "malware" instead of
"backdoor"?
# https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=733
match backdoor m|^!\* LOLNOGTFO\nDUP\n| p/Linux.Flooder.SS C&C server/ i/**MALWARE**/ o/Linux/ cpe:/o:linux:linux_kernel/a
match backdoor m|^x0$| p/Blackshades connection port/ i/**BACKDOOR**/ o/Windows/ cpe:/o:microsoft:windows/a
match backdoor m|^REQF\x0c1\x0c1$| p/Blackshades transfer port/ i/**BACKDOOR**/ o/Windows/ cpe:/o:microsoft:windows/a

And nothing like an unprotected bind shell to make you feel secure in your
network:
# "version" may be locale-dependent: reported as Portuguese with versão
match shell m|^Microsoft Windows ([^[]+) \[[^]]+ ([\d.]+)\]\r\n\(C\) Copyright 1985-\d\d\d\d Microsoft Corp\.\r\n\r\n(.*)>| p/CMD.EXE/ i/**BACKDOOR**; Windows $2; path: $3/ o/Windows $1/ cpe:/o:microsoft:windows_$SUBST(1," ","_")/

This service slurps up multicast streams and returns them in response to a
HTTP request:
match http m|^HTTP/1\.1 200 OK \nContent-Type:application/octet-stream\n\n| p/udpxy UDP-to-HTTP multicast traffic relay/ cpe:/a:pavel_cherenkov:udpxy/

We corrected the name and CPE of various iterations of Macromedia/Adobe
sometimes-Flash Media Server based on version number:
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: FlashCom/(1\.[\w._-]+)\r\n|s p/Macromedia Flash Communication Server httpd/ v/$1/ cpe:/a:macromedia:flash_communication_server:$1/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: FlashCom/(2\.[\w._-]+)\r\n|s p/Macromedia Flash Media Server httpd/ v/$1/ cpe:/a:macromedia:flash_media_server:$1/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: FlashCom/([34]\.[\w._-]+)\r\n|s p/Adobe Flash Media Server httpd/ v/$1/ cpe:/a:adobe:flash_media_server:$1/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: FlashCom/([5-9]\.[\w._-]+)\r\n|s p/Adobe Media Server httpd/ v/$1/ cpe:/a:adobe:media_server:$1/

Finally have a match for BitKeeper, the VCS that inspired Linus Torvalds to
create Git:
match bitkeeper m|^@SERVER INFO@\nPROTOCOL=([\d.]+)\nVERSION=bk-([\w._-]+)\nUTC=\d+\nTIME_T=\d+\nROOT=([^\n]+)\nUSER=(?:[^\n]+)\nHOST=(?:[^\n]+)\nREALUSER=(?:[^\n]+)\nREALHOST=([^\n]+)\nPLATFORM=([^\n]+)\n| p/BitKeeper distributed VCS/ v/$2/ i/protocol $1; root $3; $5/ h/$4/ cpe:/a:bitmover:bitkeeper:$2/

AFP match lines will now grab the hardware version for Mac computers,
reporting things like MacPro5,1 which can be used to identify a family of
model numbers.

And we have had a few upgrades to our service probes that are worth a
closer look:
* TLSSessionReq - http://issues.nmap.org/199
* TLS-PSK - http://seclists.org/nmap-dev/2015/q4/51

Dan
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
