|
26. First 2007 fingerprints |
Hi everyone! As usual, I've made a blog posting detailing my work this quarter on nmap-service-probes. We got 772 submissions which is probably close to the best quarter yet. Thanks to everyone who submitted! We are building the best database of this information anywhere and I predict soon we'll see uses for this data in other applications. There has been discussion of using the HTTP regular expressions in iSEC Partners' ProxMon to monitor, by looking at proxy logs, the web servers that your browser is visiting and any vulnerabilities they might have. I think this would be a great use of the match lines! I also plan on writing a common lisp program that uses CL-PPCRE to match the probes file against real-time network traffic. Anyways, please enjoy the following highlights of my changes to the probes file. As usual, I've chosen a few technical ones but most are the ones I feel are unusual, funny, or otherwise interesting. Thanks again to all who submitted. Keep them coming! One problem with using the nmap-service-probes data file in other programs is that there are a few situations where the probes file is designed to match a program under Nmap scanning conditions that might not necessarily come up under general usage scenarios. One example is this new match line which takes advantage of extremely aggressive timeout behaviour of a Konica Minolta printer: very aggressive timeouts on this type of printer match http m|^HTTP/1\.1 408 Request Time-Out\r\nConnection: Close\r\n\r\n$| p/Konica Minolta Bizhub printer http config/ d/printer/ That whole line of printers is designed really, let's say, uniquely. It looks like the DNSVersionBindReq managed to hack their telnet port: ---------- GenericLines ---------- "\xff\xfb\x01\r\n-> \r\n\r\n-> \r\n-> " ---------- DNSVersionBindReq ---------- "\xff\xfb\x01\r\n-> 3966bc vxTaskEntry \+5c : shell \(\)\r\n375454 shell \+180: 375480 \(\)\r\n3755c8 shell \+2f4: ledRead \(\)\r\n3aef08 ledRead \+164: read \(\)\r\n3312b4 read \+10 : iosRead \(\)\r\n332740 iosRead \+cc : 3b7170 \(\)\r\n3b7180 ptyDevRemove \+194: tyRead \(\)\r\n390fe8 tyRead \+44 : semTake \(\)\r\n356a8 4 semTake \+134: semBTake \(\)\r\ntShell restarted\.\r\n\r\n-> " Here's an interesting false result. This Panasonic printer spits out exactly 14 characters on connect and nothing more after been given an X11Probe:
---------- X11Probe ---------- "220 DP-3510\r\n" This conflicts with the skype v1 match line hack I put in a while ago: # Skype - Protocol seems to spew out 14 random characters upon # connection. Luckily, this shouldn't conflict any other X11 services. match skype m|^.{14}$|s p/Skype VoIP data channel/ Although I've added a separate match line for the printer so it should be matched correctly now in any case, maybe we should look into whether this skype match line still applies. Is this skypev1 data channel protocol still in widespread use? Or does everybody just use the new skypev2 protocol I mentioned in a previous entry and is now dealt with by Brandon's excellent skype NSE script? I'm always suprised at how much variation programs can have when probed through the network - even in something as simple and standard as the first line of an HTTP response. Here's some oddballs from this quarter:
Sometimes if you look deep into the copyright notices, banners and other garbage that protocols spit out we can find a piece of information that helps in matching: match smtp m|^220 Service ESMTP Ready\r\n214-This is Sendmail version ([\d.]+) \((P[\w-_.]+)\)\r\n.*future enhancements, contact your HP representative|s p/Sendmail/ v/$1 patch $2/ o/HP-UX/ And, if nothing else, companies love to brand everything heavily with their logos/banners/etc: match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Web Server\r\n.*<IMG SRC = \"/base/images/netgear_(\w+)_banner\.gif\"|s p/Netgear $1 gigabit switch http config/ d/switch/ Haha this one was pretty good. Almost (but not quite) believable. Aside from the obviously faked contents, can you tell what's wrong with it? SF-Port50001-TCP:V=4.20%I=9%D=1/30%Time=45C00A94%P=x86_64-pc-linux-gnu%r(NU SF:LL,34,"fake fingerprint"); Network application developers sometimes try to prevent DoS attacks by limiting the number of connections or sessions to a certain number but inadvertently open up another DoS in the process. It looks to me as though you can prevent an admin from logging into the telnet port of this Nortel-Extranet "Contivity Secure IP Services Gateway" switch by maintaining 5 TCP connections to it: Probably not the behaviour you want - especially from a security device. ---------- NULL ---------- "\xff\xfb\x01\n\rLogin: " ---------- GenericLines ---------- "\xff\xfb\x01\n\rLogin: \n\r\n\r\n\rLogin: \n\rLogin: " ---------- GetRequest ---------- "\xff\xfb\x01GET / HTTP/1\.0\n\r\n\r\n\rLogin: " ---------- HTTPOptions ---------- "\xff\xfb\x01OPTIONS / HTTP/1\.0\n\r\n\r\n\rLogin: " ---------- RTSPRequest ---------- "\xff\xfb\x01OPTIONS / RTSP/1\.0\n\r\n\r\n\rLogin: " ---------- RPCCheck ---------- "\r\nSorry, all sessions in use\.\r\n" ---------- DNSVersionBindReq ---------- "\r\nSorry, all sessions in use\.\r\n" Limiting sessions per hostname/IP address limits the scope of this attack but does not eliminate it entirely. The worst security property of Network Address Translation is that it often shares a single outside address between multiple users. With any sort of IP based connection/session limiting, any one of those users is able to deny service to any other. Here's the rapid-fire gallery of funny or otherwise noteworthy submissions:
|