HCSW Technical Blog

Hi everyone! As usual, I've made a blog posting detailing my work this quarter on nmap-service-probes. We got 772 submissions which is probably close to the best quarter yet. Thanks to everyone who submitted!

We are building the best database of this information anywhere and I predict soon we'll see uses for this data in other applications. There has been discussion of using the HTTP regular expressions in iSEC Partners' ProxMon to monitor, by looking at proxy logs, the web servers that your browser is visiting and any vulnerabilities they might have. I think this would be a great use of the match lines! I also plan on writing a common lisp program that uses CL-PPCRE to match the probes file against real-time network traffic.

Anyways, please enjoy the following highlights of my changes to the probes file. As usual, I've chosen a few technical ones but most are the ones I feel are unusual, funny, or otherwise interesting. Thanks again to all who submitted. Keep them coming!

One problem with using the nmap-service-probes data file in other programs is that there are a few situations where the probes file is designed to match a program under Nmap scanning conditions that might not necessarily come up under general usage scenarios. One example is this new match line which takes advantage of extremely aggressive timeout behaviour of a Konica Minolta printer:

very aggressive timeouts on this type of printer
match http m|^HTTP/1\.1 408 Request Time-Out\r\nConnection: Close\r\n\r\n$| p/Konica Minolta Bizhub printer http config/ d/printer/

That whole line of printers is designed really, let's say, uniquely. It looks like the DNSVersionBindReq managed to hack their telnet port:

---------- GenericLines ----------
"\xff\xfb\x01\r\n-> \r\n\r\n-> \r\n-> "

---------- DNSVersionBindReq ----------
"\xff\xfb\x01\r\n-> 3966bc vxTaskEntry    \+5c : shell \(\)\r\n375454 shell          \+180: 375480 \(\)\r\n3755c8 shell \+2f4: ledRead \(\)\r\n3aef08 ledRead        \+164: read \(\)\r\n3312b4 read           \+10 : iosRead \(\)\r\n332740 iosRead \+cc : 3b7170 \(\)\r\n3b7180 ptyDevRemove   \+194: tyRead \(\)\r\n390fe8 tyRead         \+44 : semTake \(\)\r\n356a8 4 semTake        \+134: semBTake \(\)\r\ntShell restarted\.\r\n\r\n-> "

Here's an interesting false result. This Panasonic printer spits out exactly 14 characters on connect and nothing more after been given an X11Probe:

---------- X11Probe ----------
"220  DP-3510\r\n"

This conflicts with the skype v1 match line hack I put in a while ago:

# Skype - Protocol seems to spew out 14 random characters upon
# connection. Luckily, this shouldn't conflict any other X11 services.
match skype m|^.{14}$|s p/Skype VoIP data channel/

Although I've added a separate match line for the printer so it should be matched correctly now in any case, maybe we should look into whether this skype match line still applies. Is this skypev1 data channel protocol still in widespread use? Or does everybody just use the new skypev2 protocol I mentioned in a previous entry and is now dealt with by Brandon's excellent skype NSE script?

I'm always suprised at how much variation programs can have when probed through the network - even in something as simple and standard as the first line of an HTTP response. Here's some oddballs from this quarter:

• This unknown httpd echos the file requested back:

  ---------- FourOhFourRequest ----------
  "HTTP/1\.1 404 /nice%20ports%2C/Tri%6Eity\.txt%2ebak\r\n"
  

• The Dell 1815dn printer forgets the "HTTP":

  match http m|^ 200 OK\r\nConnection: close\r\n|...
  

• m0n0wall thinks it's (null):

  match http m|^\(null\) 400 Bad Request\r\n|...
  

• D-Link WAP: In case you didn't hear me the first time...

  match http m|^HTTP/1\.0 200 200 OK\r\n|...
  

• Just to make it clear, yes, this is a reply from the server:

  match http m|^HTTP/1\.1 200 Reply from server\r\nServer: MERCUR Messaging 2005\r\n| p/Atrium's MERCUR Webmail httpd/ o/Windows/
  

• And Intel just gets it all wrong (see the charset):

  match http m|^\(null\) 302 Found\r\nServer: \r\nDate: .*\r\nLocation: /index\.cgi\r\nContent-Type: text/html; charset=%s\r\nCache-Control: max-age=0\r\n| p/Intel entery SSE4000 storage device http config/ d/storage-misc/
  

Sometimes if you look deep into the copyright notices, banners and other garbage that protocols spit out we can find a piece of information that helps in matching:

match smtp m|^220 Service ESMTP Ready\r\n214-This is Sendmail version ([\d.]+) \((P[\w-_.]+)\)\r\n.*future enhancements, contact your HP representative|s p/Sendmail/ v/$1 patch $2/ o/HP-UX/

And, if nothing else, companies love to brand everything heavily with their logos/banners/etc:

match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Web Server\r\n.*<IMG SRC = \"/base/images/netgear_(\w+)_banner\.gif\"|s p/Netgear $1 gigabit switch http config/ d/switch/

Haha this one was pretty good. Almost (but not quite) believable. Aside from the obviously faked contents, can you tell what's wrong with it?

SF-Port50001-TCP:V=4.20%I=9%D=1/30%Time=45C00A94%P=x86_64-pc-linux-gnu%r(NU
SF:LL,34,"fake fingerprint");

Network application developers sometimes try to prevent DoS attacks by limiting the number of connections or sessions to a certain number but inadvertently open up another DoS in the process. It looks to me as though you can prevent an admin from logging into the telnet port of this Nortel-Extranet "Contivity Secure IP Services Gateway" switch by maintaining 5 TCP connections to it: Probably not the behaviour you want - especially from a security device.

---------- NULL ----------
"\xff\xfb\x01\n\rLogin: "

---------- GenericLines ----------
"\xff\xfb\x01\n\rLogin: \n\r\n\r\n\rLogin: \n\rLogin: "

---------- GetRequest ----------
"\xff\xfb\x01GET / HTTP/1\.0\n\r\n\r\n\rLogin: "

---------- HTTPOptions ----------
"\xff\xfb\x01OPTIONS / HTTP/1\.0\n\r\n\r\n\rLogin: "

---------- RTSPRequest ----------
"\xff\xfb\x01OPTIONS / RTSP/1\.0\n\r\n\r\n\rLogin: "

---------- RPCCheck ----------
"\r\nSorry, all sessions in use\.\r\n"

---------- DNSVersionBindReq ----------
"\r\nSorry, all sessions in use\.\r\n"

Limiting sessions per hostname/IP address limits the scope of this attack but does not eliminate it entirely. The worst security property of Network Address Translation is that it often shares a single outside address between multiple users. With any sort of IP based connection/session limiting, any one of those users is able to deny service to any other.

Here's the rapid-fire gallery of funny or otherwise noteworthy submissions:

• Here's a service that does nothing and doesn't even do that correctly. :)

  match http m|^HTTP/1\.1 404 Not found\n\0$| p/nohttpd 404 responding httpd/
  

• Obviously character based with interesting probe results:

  match gpsd m|^GPSD,G=\?,E=\?,T=\?,T=\?,T=\?,P=\?\r\n| p/gpsd/
  

• Haha seeing Fidonet brought me back!

  match telnet m|^\x11\x11\x11\*\*[\w-_.]+\r\r\[CONNECT TCP/IP/[\d.]+/TELNET\]\r\nT-Mail v\.([^ ]+) \(C\) 1992-99 by Andy Elkin\r\n\*\*| p/T-Mail Fidonet BBS telnetd/ v/$1/ o/Windows/
  

• Nice try, but at least pick a possible version number. :)

  ---------- GetRequest ----------
  "HTTP/1\.1 200 OK\r\nDate: Tue, 16 Jan 2007 14:18:55 GMT\r\nServer: Apache 5\.0\r\n"
  

• distccd always has the best error messages.

  match distccd m|^DONE00000001.*ccache: failed to create /usr/share/distcc/\.ccache \(Permission denied\)\n| p/distccd/ i/broken/
  match distccd m|^DONE00000001.*CRITICAL! distcc seems to have invoked itself recursively!\n|s p/distccd/ i/broken/
  

• match ftp m|^220 Welcome to pyftpd\. Happy downloading\.\r\n500 I'm gonna ignore this command\.\.\. maybe later\.\.\.\r\n| p/pyftpd/
  

• match smtp m|^421 Unexpected log failure, please try later\r\n| p/Postfix smtpd/
  

• match ftp m|^220 ICS FTP Server ready\r\n500 '\r': command not understood\.\r\n500 '\r': command not understood\.\r\n| p/berretz.de mini-ftpd/ o/Windows/
  

• match service-monitor m|^550 Bad syntax\. Go away\.\n$| p/CA Spectrum/