HCSW Technical Blog

Hi all! As usual, here are my notes on integrating the latest Nmap service submissions. Thanks to everyone who submitted! I've noted a few bizarre service behaviours and some other misc sightings!

A couple interesting ways sendmail can break:

match smtp m|^220 ;; ESMTP connection timed out; no servers could be reached Sendmail ([\w-_.]+)/| p/Sendmail/ v/$1/ i/broken/
match smtp m|^554 ([\w-_.]+) ESMTP not accepting messages\r\n| p/Sendmail/ h/$1/ i/Not accepting mail/

I noticed that the LPDString probe gives some interesting information to the gpsd service, including the version number and the serial device being used. Just one of those interesting results that comes from gpsd being a character based protocol as I noted in last quarter's update. So I moved the gpsd port to the LPDString probe for more detailed matches:

match gpsd m|^GPSD,D=\?,E=\?,F=([\w-_./]+),A=\?,U=\?,L=\d ([\w-_.]+) abcdefgiklmnopqrstuvwxyz,T=\?\r\n| p/gpsd/ v/$2/ i/Serial port $1/

The fingerprint for the telnet port of this SHARP printer was submitted by 4 independent people this quarter! There must've been a large product roll-out to Nmap-friendly organisations. In any case, this printer is also notable in how it handles logins. Notice how user 'GET / HT' was able to log in to the printer. :)

---------- GetRequest ----------
"\xff\xfd\x03\xff\xfb\x01\xff\xfb\x03SHARP MX-2300N Ver 01\.02\.00\.09 TELNET server\.\r\0\nCopyright\(c\) 2001-2005, silextechnology, Inc\.\r\0\nlogin: GET / HTTP/1\.0\r\0\nUser 'GET / HT' logged in\.\r\0\n\r\0\n No\.  Item         Value       \(level\.1\)\r\0\n----------------------------------------------------------------------\r\0\n  1: Configure General\r\0\n2 : Configure TCP/IP\r\0\n  3 : Configure NetWare\r\0\n  4 : Configure AppleTalk\r\0\n  5 : Configure NetBEUI/NetBIOS\r..."

On SSH port of a D-Link DSL router?

---------- NULL ----------
"SIOCGIFFLAGS: No such device\r\nSIOCGIFFLAGS: No such device\r\nSIOCGIFFLAGS: No such device\r\nJan  1 12:00:11 cfgmgr\(pppoe0\): Jan  1 12:00:11> Valid Configuration Tree\r\nPVC dB\r\nvpi = -1 vci = -1 in_use = 0\r\nvpi = -1 vci = -1 in_use = 0\r\nvpi = -1 vci = -1 in_us"

This Netgear WG-102 WAP has an interesting information leak problem. The (obscured here) IP address of the admin is made visible to anybody who cares to connect to the device while it is being administered:

---------- GetRequest ----------
"HTTP/1\.0 200 OK\r\nServer: RapidLogic/1\.1\r\n...503 Server Busy</H1><tr>  admin \(10\.1\.2\.3\)    is managing the access point!"

The gallery of funny or otherwise noteworthy:

• Airaya WirelessGRID Bridge telnetd

  ---------- RTSPRequest ----------
  "\xff\xfb\x01\r\nAIRAYA login: OPTIONS / RTSP/1\.0\r\n\r\nPassword: Rebooting AP\.\.\.\r\n\n"
  

• An apparently undocumented adminstrator interface

  match rationalsoft m|^\0\0\0\x10ip_infilter=true$| p/Rational Soft Hidden Administrator Server/ o/Windows/ i/ha_server.exe/
  

• match http m|^HTTP/1\.1 0 \(null\)\r\nContent-Length: 0\r\n\r\n| p/Simpserver MSN encryption or DAAP from Rhythmbox httpd/
  

• match bittorrent-tracker m|^This is not a rootkit or other backdoor, it's a BitTorrent\r\nclient\. Really\.| p/Transmission bittorrent tracker/
  

• ---------- GenericLines ----------
  "\+OK UserGate: forward ready\r\n-ERR UserGate: Mistake of the protocol\r\n"
  

• I try to pick out SSIDs if ever possible:

  match http m|^HTTP/1\.0 200 Ok\r\nServer: httpd\r\n.*<!--- Vendor:LINKSYS\nModelName:DD-WRT\n.*\nRF SSID:([^\r\n]+)\n|s p/Linksys DD-WRT WAP http config/ d/WAP/ i/SSID $1/