Nmap Development mailing list archives

Service match for ZOT HTTP server and some corrections...

From: Tomás García-Merás <tomas () rockmusic org>
Date: Mon, 27 Dec 2004 02:06:23 +0100

Hello,
 yet another match: (in response to the "TCP GetRequest" probe):

# Zero One Technology ( http://www.01tech.com/ ) print servers embeddedHTTP servicematch httpm|^HTTP/1\.\d\x20200\x20OK\r\nDate:\x20.*\r\nMIME-version:\x201\.\d\r\nServer:\x20ZOT-PS-(\d+)/(\d[-.\w]+)\r\n| v/Zero One Technology print server model $1 HTTP server/$2//



And that's what the server returns to the "GET / HTTP/1.0":


HTTP/1.0 200 OK
Date: Mon, 10 Sep 2001 12:00:00 GMT
MIME-version: 1.0
Server: ZOT-PS-17/6.9.0117
Last-Modified: Thu, 01 Jan 1970 06:30:52 GMT
Expires: Sat, 07 Feb 1998 01:50:00 GMT
Pragma: no-cache
Content-Type: text/html
Content-Length: 4595

<HTML><HEAD>
.
.
.


I've tested it with nmap 3.78 and a Longshine LCS-PS102 USB Print Server

(Firmware: 6.09.17E (2003/11/26 15:32:28)), which is really a repackaged"Zero One Tech print server model 17" (ZOT-PS-17 => Zero One Technology- Print Server - Model 17).


And one note:

nmap 3.78 identifies the device as:


Device type: print server
Running: Hawking embedded
OS details: Hawking PS12U Embedded Print Server


and nmap 3.75 identifies it as:


Device type: print server
Running: Hawking embedded, Zero One embedded, EUSSO embedded

OS details: Print Server: Zero One Tech 3000, Hawking PN7117, or EUSSOUPS1211-B

Why the change? nmap 3.78 is detecting a different OS fingerprint than3.75, don't know why...

Anyway, there's no such "Hawking embedded" nor "Eusso embedded", bothcompanies sells repackaged Zero One Technology print servers, just likeLongshine does, it's easy to notice by looking at the firmware for theprint servers you can download from http://www.eusso.com ,http://www.hawkingtech.com and http://www.longshine.de , all firmwareupgrades are from ZOT (you can see the copyright notice and the ZOTstrings all over the firmwares with an hex editor, not to mention youcan exchange the upgrades between the devices from different companies!).

So, I think we should change some fingerprints on nmap (please anyonecheck this!):


From:

******************************

# Hawking PS12U Embedded Print Server (Firmware Version : 6.09.17H(2003/04/18 16:55:07)

Fingerprint Hawking PS12U Embedded Print Server
Class Hawking | embedded || print server
TSeq(Class=TD%gcd=78000|F0000%SI=<14%IPID=I%TS=U)
T1(DF=N%W=B68%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=B68%ACK=S++%Flags=AS%Ops=M)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

# Zero One Tech. Print Server 3000
# Hawking Print Server PN7117
# Zero One Tech Printserver ZOT-PS-11 (firmware 5.4.2049)
# EUSSO Technologies UPS1211-B print server

Fingerprint Print Server: Zero One Tech 3000, Hawking PN7117, or EUSSOUPS1211-B

Class Hawking | embedded || print server
Class Zero One | embedded || print server
Class EUSSO | embedded || print server
TSeq(Class=TD%gcd=<C004%SI=<1E%IPID=I%TS=U)
T1(DF=N%W=B68%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=B68%ACK=S++%Flags=AS%Ops=M)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

******************************

To:

******************************

# Hawking PS12U embedded print server (Firmware Version: 6.09.17H(2003/04/18 16:55:07)

Fingerprint Zero One Technology embedded print server
Class Zero One Technology | embedded || print server
TSeq(Class=TD%gcd=78000|F0000%SI=<14%IPID=I%TS=U)
T1(DF=N%W=B68%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=B68%ACK=S++%Flags=AS%Ops=M)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

# Zero One Tech. Print Server 3000
# Hawking Print Server PN7117
# Zero One Tech Printserver ZOT-PS-11 (firmware 5.4.2049)
# EUSSO Technologies UPS1211-B print server
Fingerprint Zero One Technology embedded print server
Class Zero One Technology | embedded || print server
TSeq(Class=TD%gcd=<C004%SI=<1E%IPID=I%TS=U)
T1(DF=N%W=B68%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=B68%ACK=S++%Flags=AS%Ops=M)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

******************************

Just to finish, can anyone please check if I'm doing the probes/matchsrightly? All of them seems to work, but anyway...


Best Regards: Tomas

PS: Sorry for my bad english...


---------------------------------------------------------------------

For help using this (nmap-dev) mailing list, send a blank email tonmap-dev-help () insecure org . List archive: http://seclists.org

Current thread:

Service match for ZOT HTTP server and some corrections... Tomás García-Merás (Dec 26)
- Re: Service match for ZOT HTTP server and some corrections... Martin Mačok (Dec 27)