HCSW Technical Blog

by Doug Hoyte



35. Big Nmap Services Update
Sun, Jun 29 2008

Here's the CHANGELOG entry from Nmap 4.68:

o Doug integrated all of your version detection submissions and
  corrections for the year up to May 31.  There were more than 1,000
  new submissions and 18 corrections.  Please keep them coming!  And
  don't forget that corrections are very important, so do submit them
  if you ever catch Nmap making a version detection or OS detection
  mistake.  The version detection DB has grown to 5,054 signatures
  representing 486 service protocols.  Protocols span the gamut from
  abc, acap, access-remote-pc, activefax, and activemq, to zebedee,
  zebra, zenimaging, and zenworks.  The most popular protocols are
  http (1,672 signatures), telnet (519), ftp (459), smtp (344), and
  pop3 (201).

Thanks to everyone who contributed!


This one is interesting. Open up a shell and run "GET / HTTP/1.0" (without the quotes).

match backdoor m|^<HTML>\n<HEAD>\n<TITLE>Directory /</TITLE>\n<BASE HREF=\"file:/\">\n</HEAD>\n<BODY>\n<H1>Directory listing of /</H1>| p/No-auth shell/ i/**BACKDOOR**/ o/Unix/

It always surprises me that it is still common for Nmap to crash poorly written devices. Note to device developers: Please run Nmap on your device before releasing it--someone else out there will, guaranteed.

Notes:
Telnet management port on Siemens C2-010-I ADSL2+ modem with firmware R100B01.0B_HN_20060406.
The -sV scan makes the device crash! :)

Notes:
Belkin Network USB Hub F5L009ea
Device crashes during nmap -A run

Here are some interesting misconfigurations. Unknown imapd:

Port 993-TCP
V=4.53
---------- NULL ----------
"\* BYE Fatal error: tls_init\(\) failed\r\n"

Unknown smtpd:

---------- NULL ----------
"421 Cannot connect to SMTP server 127\.0\.0\.1 \(127\.0\.0\.1:25\), connect error 10061\r\n"

Oops:

---------- NULL ----------
"python: can't open file '/usr/sbin/gandiagent\.py': \[Errno 2\] No such file or directory\n"

Really oops:

match ftp m|^.* klogd: klogd started: BusyBox v([\w-_.]+) \(.*\)\r\nDoing BRCTL \.\.\.\r\nsetfilter br0 0 \r\n/var/tmp/act_firewall: No such file or directory\r\n| p/Actiontec router ftpd/ i/firewall broken; BusyBox $1/ d/broadband router/

Backdoors can be misconfigured too:

match backdoor m=^exec .* failed : No such file or directory\n$= p/failed netcat -e/ i/**BACKDOOR**/

Fingerprinting by typos:

match http m|^HTTP/1\.0 302 Found\r\nLocation: /login\.app\r\nContent-Lenght: 0\r\n\r\n$| p/NetXMS httpd/

I think this one wins the prize for least compliant HTTP/1.1 server ever:

match http m|^HTTP/1\.1 200 OK\r\nCONTENT-LANGUAGE:\r\nCONTENT-LENGTH: 0\r\nCONTENT-TPYE: text/xml\r\nDATE: .*\n\r\n\r\n\(null\)| p/Syabas Popcorn Hour http config/ d/media device/

Notes:
its a friggin bindshell, detect it

Arrrggghhh.. 4.11 is like 2+ years old, upgrade it.


I'm getting tired of pointing out this bit of information leakage:

match telnet m|^\r\nSorry, this system is engaged by a rlogin session\.\r\nHost IP address: ([\d.]+)\.\nLogin name: ([\w-_.]+)\.\n| p/3Com LANplex switch telnetd/ i/in use by $2 from $1/ d/switch/

And of course, the gallery of funny or otherwise noteworthy fingerprints:

  • Nortel Alteon 2216 layer 7 switch telnetd

    ---------- SMBProgNeg ----------
    "\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\r\n\r\nEnter password: \r\nError 4 upcall; goodbye\.\r\n"
    
  • Huh?

    match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfb\x1fError2 negotiated with client \d+ and get 1 char is a a d\. \n\r\n\r\*+\n\r\*\* +\*\*\n\r\*\* IP Phone firmware +V([\w-_.]+) | p/Thomson VoIP phone telnetd/ v/$1/ d/VoIP phone/
    
  • An unknown webserver that doesn't handle GET, HEAD, or POST? I don't believe that version either.

    ---------- GetRequest ----------
    "HTTP/1\.1 501 Method Not Implemented\r\nDate: Sun, 16 Mar 2008 21:50:24 GMT\r\nServer: Apache 2\.50\.21\r\nAllow: TRACE\r\n"
    
  • Unknown switch http config that gzip-encodes its content even for clients that send no Accept-Encoding header:

    ---------- GetRequest ----------
    HTTP/1\.0 200 OK\r\nConnection: close\r\nContent-Encoding: gzip\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n\x1f\x8b\x08\0\0\0\0\0\x02\x03\xa5\x93
    
  • Unknown httpd:

    ---------- GetRequest ----------
    "HTTP/1\.0 400 String index out of range: -1\r\nContent-Type: text/html\r\n\r\n"
    
  • match realport m|^\xff\x17Access to unopened port.$|s p/Digi EtherLite 32 RealPort/ d/terminal server/
    
  • Hahahaha

    match http m|^HTTP/1\.1 200 OK\r\nServer: peerguardnf/([\w-_.]+) \(Unix\)\r\nX-Powered-By: You need to wind it\r\n| p/Phoenix Labs PeerGuardian httpd/ v/$1/ o/Unix/
    
34. ISAAC
Fri, May 2 2008

Because my Common Lisp environment (CMUCL) doesn't come with a cryptographic pseudo-random number generator (PRNG), I have implemented Bob Jenkins's excellent ISAAC algorithm in ANSI standard Common Lisp.


Download it here: isaac.lisp.

;; isaac.lisp (C) May 2008 Doug Hoyte, HCSW
;; BSD license: you can do anything you want with it (but no warranty).
;;
;; Optimised Common Lisp implementation of Bob Jenkins' ISAAC-32 Algorithm:
;; Indirection, Shift, Accumulate, Add, and Count. More details and
;; the C reference implementations can be found here:
;;
;; ISAAC: a fast cryptographic random number generator
;; http://burtleburtle.net/bob/rand/isaacafa.html
;;
;; This lisp implementation is roughly as fast as Jenkins' optimised rand.c
;; when compiled with a good native-code lisp compiler. It also performs
;; well when byte-code compiled.
;;
;;
;; USAGE:
;;
;; First, create an isaac context. There are three functions that do this:
;;
;;   isaac:init-kernel-seed => 
;;     *RECOMMENDED* Seeds with values from /dev/arandom on BSD
;;     or /dev/urandom on Linux. Reads 1024 bytes from the device.
;;
;;   isaac:init-common-lisp-random-seed => 
;;     Seeds with values from your Common Lisp implementation's
;;     random function. Consumes 256 32-bit values from #'random.
;;
;;   isaac:init-null-seed => 
;;     Seeds with all 0s. Always results in the same stream.
;;     For comparing with Jenkins' reference implementations.
;;
;; These are functions you can pass an isaac context to. They will modify
;; the isaac context and return a random value:
;;
;;   isaac:rand32  => 
;;     Uses the ISAAC-32 algorithm to generate a new random value.
;;
;;   isaac:rand-bits   => 
;;     Uses the ISAAC-32 algorithm to generate random values between
;;     0 and (1- (expt 2 N)). This function always consumes one or more
;;     ISAAC-32 words. Note that the N parameter is different from
;;     the CL random function parameter.   Examples:
;;       (isaac:rand-bits ctx 1) => [0,1] (consumes 1 ISAAC-32 word)
;;       (isaac:rand-bits ctx 2) => [0,1,2,3] (ditto)
;;       (isaac:rand-bits ctx 3) => [0,1,2,3,4,5,6,7] (ditto)
;;       (isaac:rand-bits ctx 32) => [0,1,...,(1- (expt 2 32))] (ditto)
;;       (isaac:rand-bits ctx 33) => [0,1,...,(1- (expt 2 33))] (consumes 2 words)
;;       (isaac:rand-bits ctx 512) => [0,1,...,(1- (expt 2 512))] (consumes 16 words)
;;
;;
;; QUICK RECIPE:
;;
;; Generate a 128-bit session ID as a 0-padded hexadecimal string:
;;   (compile-file "isaac.lisp")
;;   (load "isaac")
;;   (defvar my-isaac-ctx (isaac:init-kernel-seed))
;;   (format nil "~32,'0x" (isaac:rand-bits my-isaac-ctx 128))
;;     => "078585213B0EF01B1B9BECB291EF38F0"
;;
;;
;; FAQ:
;;     Q) My Common Lisp implementation already uses the Mersenne Twister,
;;        what are the advantages of ISAAC?
;;
;;     A1) The Mersenne Twister is not a cryptographic PRNG. This means that it
;;         is possible for someone to predict future values based on previously
;;         observed values (just over 600 of them). As such, MT is particularly
;;         undesirable for things like web session IDs. You can still use MT for
;;         crypto, but you must use a cryptographic hash function on the MT output.
;;     A2) isaac.lisp appears to be roughly as fast as the Mersenne Twister #'random
;;         of CMUCL 19d on x86 before even considering the above-mentioned hash
;;         function overhead requirement of MT.
;;     A3) isaac.lisp is not implemented as an x86 VOP like CMUCL's Mersenne
;;         Twister, but instead in 100% standard ANSI Common Lisp (except for the
;;         kernel seed interface). This should mean comparable performance on all
;;         architectures targeted by your lisp compiler. The non-x86 MT
;;         implementation is apparently an order-of-magnitude slower.
;;
;;     Q) How "random" can I expect these values to be?
;;
;;     A) Very. From Bob Jenkins' website: "Cycles are guaranteed to be at least
;;        (expt 2 40) values long, and they are (expt 2 8295) values long on
;;        average. The results are uniformly distributed, unbiased, and unpredictable
;;        unless you know the seed. [...] Why not use RC4? RC4 is three times slower,
;;        more biased, has a shorter minimum and average cycle length, and is
;;        proprietary. No way is known to break either RC4 or ISAAC; both are immune
;;        to Gaussian elimination."
;;
;;        Note that there is a $1000 prize you can win from Jenkins if you find
;;        a flaw in ISAAC (but all flaws in isaac.lisp are of course mine).

Once again, here's the link: isaac.lisp.
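As an added illustration (it is not the isaac.lisp code linked above), here is the same ISAAC-32 algorithm in Python, following the structure of Jenkins' rand.c, with a rand_bits that applies the rule from the usage notes: each call consumes exactly ceil(N/32) words and masks the result to N bits, so the 512-bit case is handled as directly as the 1-bit one thanks to Python's unbounded integers. The seed is a list of 256 32-bit words; an all-zero list is the null seed.

```python
MASK = 0xFFFFFFFF
def _mix(s):
    """Jenkins' mix() scrambler from randinit(), over eight 32-bit words, in place."""
    a, b, c, d, e, f, g, h = s
    a ^= (b << 11) & MASK; d = (d + a) & MASK; b = (b + c) & MASK
    b ^= c >> 2;           e = (e + b) & MASK; c = (c + d) & MASK
    c ^= (d << 8) & MASK;  f = (f + c) & MASK; d = (d + e) & MASK
    d ^= e >> 16;          g = (g + d) & MASK; e = (e + f) & MASK
    e ^= (f << 10) & MASK; h = (h + e) & MASK; f = (f + g) & MASK
    f ^= g >> 4;           a = (a + f) & MASK; g = (g + h) & MASK
    g ^= (h << 8) & MASK;  b = (b + g) & MASK; h = (h + a) & MASK
    h ^= a >> 9;           c = (c + h) & MASK; a = (a + b) & MASK
    s[:] = [a, b, c, d, e, f, g, h]
class Isaac:
    """ISAAC-32 context: 256-word state mm, 256 buffered results, registers a/b/c."""
    def __init__(self, seed):
        # seed: 256 32-bit ints (1024 bytes, what init-kernel-seed reads); all zeros = null seed
        self.mm, self.a, self.b, self.c = [0] * 256, 0, 0, 0
        s = [0x9E3779B9] * 8                       # the golden ratio, as in randinit()
        for _ in range(4): _mix(s)
        for src in (seed, self.mm):                # pass 1 folds in the seed, pass 2 folds in mm
            for i in range(0, 256, 8):
                for j in range(8):
                    s[j] = (s[j] + src[i + j]) & MASK
                _mix(s)
                self.mm[i:i + 8] = s
        self.res, self.left = [0] * 256, 0
        self._round()
    def _round(self):
        """One ISAAC round: refill res with 256 words (Indirect, Shift, Accumulate, Add, Count)."""
        a, mm, res = self.a, self.mm, self.res
        self.c = (self.c + 1) & MASK
        b = (self.b + self.c) & MASK
        for i in range(256):
            x = mm[i]
            a ^= ((a << 13) & MASK, a >> 6, (a << 2) & MASK, a >> 16)[i & 3]   # the shift step
            a = (a + mm[(i + 128) & 255]) & MASK
            mm[i] = y = (mm[(x >> 2) & 255] + a + b) & MASK
            res[i] = b = (mm[(y >> 10) & 255] + x) & MASK
        self.a, self.b, self.left = a, b, 256
    def rand32(self):
        # words are handed out from the top of res, like rand.c's rand() macro
        if not self.left: self._round()
        self.left -= 1
        return self.res[self.left]
    def rand_bits(self, n):
        """Uniform int in [0, 2**n), consuming exactly ceil(n/32) words as isaac:rand-bits does."""
        v = 0
        for w in range((n + 31) // 32):
            v |= self.rand32() << (32 * w)
        return v & ((1 << n) - 1)
```

Seeding from the kernel the way init-kernel-seed does is struct.unpack('<256I', os.urandom(1024)); f'{ctx.rand_bits(128):032X}' then reproduces the quick recipe's 0-padded 128-bit session ID.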

33. Q4'2007 Nmap Updates
Thu, Jan 17 2008

The fourth quarter of 2007 was big for Nmap. We had the first stable release in over a year: 4.50! I integrated many of your fingerprints for that release so some of the entries described here will be supported there. For the latest and greatest, you can find the probes file here or in the Nmap SVN repository.

Thanks to everyone who submitted fingerprints, and keep 'em coming!


The HP166XC Logic Analyzer developers seem to have misinterpreted a field when setting up this ftpd (see the email address we're supposed to direct comments to).

---------- Help ----------
"220  HP166XC V01\.00 FUSION FTP server \(Version 3\.3\) ready\.\r\n214-The following commands are recognized \(\* =>'s unimplemented\)\.\r\n    USER     PORT     RETR     MSND\*    ALLO\*    DELE     SITE\*    MKD      XCUP \n    PASS\*    PASV\* STOR     MSOM\*    REST\*    CWD      STAT\*    XRMD     CDUP \n    ACCT\*    TYPE     APPE\*    MSAM\*    RNFR\*    XCWD  HELP     RMD      XDLS \n    REIN\*    STRU\*    MLFL\*    MRSQ\*    RNTO\*    LIST     NOOP     XPWD \n    QUIT     MODE     MAIL\*    MRCP\*    ABOR\*    NLST     XMKD     PWD \n214 Direct comments to ftp-bugs@ HP166XC V01\.00\.\r\n"

These HP Logic Analyzers are strange devices. The HP 1662C seems to echo the data backwards!

Port 818-TCP
V=4.11
---------- GenericLines ----------
"\r\n\r\x1f\r\n"

---------- GetRequest ----------
"\r\n\r0\.1/PTTH / TEG!\r\n"

---------- HTTPOptions ----------
"\r\n\r0\.1/PTTH / SNOITPO%\r\n"

VMS, still alive and kicking (ah, fond memories... the first time I used the internet it was on a VMS VAX).

match ftp m|^211 Hello \[[\w-_.]+\], Secure/IP Authentication Server ([\w-_.]+) at your service\.\r\n| p|OpenVMS Secure/IP ftpd| v/$1/ o/OpenVMS/

Always fun to see protocols using non-English languages. Senha is Portuguese for "password":

---------- GetRequest ----------
"\xff\xfd\x01\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\x03\r\r\nGET / HTTP/1\.0\r\n\r\n\x1b\[H\x1b\[JLogin: \[: /: unknown operand\r\nSenha: \[: /: unknown operand\r\n\x1b\[H\x1b\[JLogin: "

And this unknown SMTPd is, I think, Italian.

---------- NULL ----------
"220 Server di posta generico\. Wed, 14 Nov 2007 10:28:56 \+0100\r\n"

Another amusing (maybe it's just me?) language observation. Look at this product name: "DocuCentre Color". "Centre" is spelled the British way and "color" the American way. D'oh!

match http m|^HTTP/1\.1 \d\d\d .*\r\nDocuCentre Color (\d+) -|s p/Fuji Xerox DocuCentre Color $1 http config/ d/printer/

Another WAP that proudly announces its default password to the world. Does anybody care about wireless security? (not Schneier!)

match http m|^HTTP/1\.0 \d\d\d .*Server: Boa/([\w-_.]+) \(with Intersil Extensions\)\r\nConnection: close\r\nWWW-Authenticate: Basic realm=\"CONNECT2AIR AP-600RP-USB LOGIN Enter Password \(default is connect\)\"\r\n|s p/Fujitsu Siemens CONNECT2AIR AP-600RP-USB WAP http config/ d/WAP/ i/Boa httpd $1; default passwd "connect"/

And, of course, the gallery of funny or otherwise noteworthy submissions:

  • An unknown telnetd:

    ---------- RPCCheck ----------
    "\xff\xfb\x01\xff\xfb\x03\xff\xfb\0\xff\xfd\0Username: data_error\r\r\n\(rdata_error\r\r\n data_error\r\r\ndata_error\r\r\ndata_error\r\r\ndata_error\r\r\ndata_error\r\r\n data_error\r\r\ndata_error\r\r\ndata_error\r\r\n\|"
    
  • match ftp m|^230 FTP Server Ready\r\n504 Comand length not supported\.\r\n| p/HP JetDirect ftpd/ d/printer/
    
  • match ftp m|^550 no more people, max connections is reached\r\n| p/Avalaunch XBOX ftpd/ d/game console/ i/Max connections reached/
    
  • I don't know what this service is but I know it's crippled proprietary software:

    ---------- GenericLines ----------
    "LICN:\[Server:123456\]Connection rejected, the server license allows connections from only 5 unique IP addresses\.\n"
    
  • Sure looks like a backdoor to me.

    ---------- GenericLines ----------
    "bash: line 1: \r: command not found\nbash: line 2: \r: command not found\n"
    
  • Misconfigured popper:

    ---------- NULL ----------
    "Unable to open trace file \"/var/spool/popper/popper\.log\": No such file or directory \(2\)\n"
    
  • Unknown service on tcp/5554:

    ---------- SMBProgNeg ----------
    "error in socket read, expecting 2092 len of data\. got -1\. len mismatch"
    
  • Unknown service on tcp/1280:

    ---------- NULL ----------
    "sucess open port\r\n"
    
  • Linux NetworX Network ICE Management Protocol:

    ---------- DNSStatusRequest ----------
    "V3\.1\r\nBuffer overrun attempt\r\n"
    
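The match-line syntax used throughout these entries, as an added example written for this page (it is not Nmap's own parser): it splits a match line into service, regex and fields, honouring the per-field delimiters (p|OpenVMS Secure/IP ftpd| above, m=...= on the netcat backdoor line in entry 35), the s and i regex flags, and the $N substitutions that carry captured values, such as the 3Com switch's "in use by $2 from $1", into the info field. The banners fed to it are constructed, not captured.

```python
import re

# Field keys on an Nmap "match" line and the names they get in a result dict.
FIELD_NAMES = {"p": "product", "v": "version", "i": "info", "d": "devicetype", "o": "os", "h": "hostname"}

def parse_match_line(line):
    """Split 'match <svc> m<d>regex<d>[si] p<d>..<d> v<d>..<d> ...' into (service, regex, fields).
    Each value chooses its own delimiter (the character after the key letter), which is why a
    product containing '/' is written p|OpenVMS Secure/IP ftpd|. Newer cpe:/ fields are skipped."""
    head = re.match(r"(?:soft)?match\s+(\S+)\s+m(.)", line)
    if not head:
        raise ValueError("not a match line: " + line)
    service, delim = head.group(1), head.group(2)
    end = line.index(delim, head.end())                 # closing delimiter of the regex
    pattern = line[head.end():end]
    # Nmap's PCRE treats "[\w-_.]" as a literal hyphen inside the class; Python's re rejects the
    # "\w-_" range, so escape a hyphen that directly follows a class shorthand.
    pattern = re.sub(r"(\\[wWdDsS])-", r"\1\\-", pattern)
    rest = line[end + 1:]
    flag_chars = re.match(r"[si]*", rest).group(0)     # flags sit right after the delimiter
    flags = (re.DOTALL if "s" in flag_chars else 0) | (re.IGNORECASE if "i" in flag_chars else 0)
    fields, pos, field_re = {}, len(flag_chars), re.compile(r"\s*([pvidoh])(.)")
    while fm := field_re.match(rest, pos):
        close = rest.index(fm.group(2), fm.end())
        fields[FIELD_NAMES[fm.group(1)]] = rest[fm.end():close]
        pos = close + 1
    return service, re.compile(pattern.encode("latin-1"), flags), fields

def identify(match_lines, banner):
    """Try each match line against a raw banner (bytes); return the first hit with $N expanded."""
    for line in match_lines:
        service, rx, fields = parse_match_line(line)
        m = rx.search(banner)
        if m is None:
            continue
        groups = [(g or b"").decode("latin-1") for g in m.groups()]
        def expand(value):
            return re.sub(r"\$(\d+)", lambda d: groups[int(d.group(1)) - 1], value)
        return {"service": service, **{k: expand(v) for k, v in fields.items()}}
    return None
```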


All material is (C) Doug Hoyte and/or hcsw.org unless otherwise noted or implied. All rights reserved.