Wow! Between jan-02-2006 and apr-20-2006 Nmap users submitted 948 fingerprints covering a huge range of diverse protocols. That's nearly 9 submissions per day! No other product on the planet has a database like the one we are building! Thanks go to everyone who submitted. Keep those submissions rolling!
I hope you enjoy a few miscellaneous notes I made regarding services I haven't covered in previous blog entries:
-
Every once in a while I get a great submission that includes not only fingerprints but also match lines that I can adapt for the nmap-service-probes file. This time around I received one of the best I've ever seen. This submission deals with customised BIND versions and I incorporated it mostly unchanged into the nmap-service-probes file. I'll let the submitter's words speak for themselves:
This is an example of a customized ISC Bind version - this is commonly done to obscure the exact version. The following match rule can be used as a catch-all for many common choices:
# This fallback is because many people customize their BIND version to avoid
# revealing specific version information. This rule should always be below the
# detailed rules above.
match domain m|\x07version\x04bind.*[\x04-\x1f][\x03-\x1e]([-\w._ ,;?()[\]+:/@\n]{3,30})|s p/ISC Bind/ v/($1)/
Incidentally, the second ISC Bind version match rule has a glitch in that the byte-length character range doesn't match the corresponding string regexp; these should be:
# Allow 3-20 character version numbers
match domain m|\x07version\x04bind.*[\x03-\x14]([-\w._ ]{3,20})$|s p/ISC Bind/ v/$1/
match domain m|\x07version\x04bind.*[\x08-\x19]BIND ([-\w._]{3,20})$|s p/ISC Bind/ v/$1/
There's an interesting audit of BIND version information at http://www.phaze.org/dnsaudit/bindaudit-20010203.txt - I used this to generate the set of random punctuation for the catch-all pattern; although five years old, it gives a general idea of what one might expect to find.
To the submitter: Thank you very much! I'm more than happy to give credit where credit is due: just email me from the same email address you put in the web form!
-
An unusual DNS submission that I couldn't really determine the source of is the following:
"\0\x89\0\x06\x85\0\0\x01\0\x01\0\0\0\0\x07version\x04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0_\^If you have a legitimate reason for requesting this info, please contact hostmaster@Level3\.net"
The submitter described it as Trick Or Treat Daemon: a DNS-proxy for IPv4/IPv6 translation. I'm not saying I don't believe this, I just need to be sure this is consistent for this application - I need more submissions! Also notice the interesting warning from the Level3 hostmaster!
-
Another interesting submission that speaks for itself:
The mysterious Lexmark 9200 port. Googling around reveals something about perhaps being used to print directly from AS/400!? Witchcraft, I say.
"\x1e\0\0\0\0Dell Laser Printer W5300\0"
More information on this? Email me!
-
Unfortunately, with some protocols we don't get very much version information in the normal responses. Take VNC for example:
match vnc m|^RFB 003\.00(\d)\n$| p/VNC/ i/protocol 3.$1/
However, sometimes we get lucky! :)
"RFB 003\.003\n\0\0\0\0\0\0\0jServer license key is missing, invalid or has expired\.\nVisit http://www\.realvnc\.com to purchase a licence\."
-
Finally, let's not forget you have to be careful when running Nmap against mission critical services. But also remember attackers probably won't be so careful!
Description: Intel RAID Configuration Service 5.3.0.13
Currently a service scan causes this service to spike the CPU to 100% until the service is restarted. I plan on doing a little more work to identify what causes this.