|31. Third Quarter of 2007 Nmap Updates|
This blog entry describes some of the funny or otherwise interesting fingerprints that were submitted to the Nmap service probes database this quarter. Thanks to everyone who submitted!
This quarter was special because it was the first quarter using data collected by the new submitter web interface that I created during this Google Summer of Code. The results look good! The service names and device types are definitely more consistent because submitters can see the (very informal) Nmap naming conventions as they submit.
But this interface and my integration efforts are only a tiny, relatively insignificant part of the equation. The nmap-service-probes database has been built by the amazing Nmap community and they deserve all the credit! Thanks again to everyone who has ever submitted!
---------- NotesRPC ---------- "\[\0\0\0\0Access violation at address 005EAF58 in module 'Xplorer\.exe'\. Read of address 000000B0"
And although I usually try to avoid this, the service doesn't seem to respond to any other probes so it looks as though the default Nmap behaviour will be to crash this service:
match xplorer m|Access violation at address \w+ in module 'Xplorer\.exe'\. Read of address| p/SoftOne Business Xplorer/ o/Windows/
Some interesting responses from apt-proxy 1.9:
---------- GetRequest ---------- "HTTP/1\.0 403 too few slashes in URI /\r\n" ---------- FourOhFourRequest ---------- "HTTP/1\.0 403 Invalid character in filename at position 5\r\n" ---------- LPDString ---------- "HTTP/1\.0 414 Request-URI Too Long\r\n"
Because we match GWS, google's custom httpd, we may as well try match a few of the other big players. There were a few submissions for amazon's site. Here is how I confirmed it:
$ printf "GET / HTTP/1.0\r\n\r\n" | nc amazon.com 80|head -n4
And here is the output:
HTTP/1.1 200 OK Date: Wed, 10 Oct 2007 21:13:46 GMT Server: Server Set-Cookie: skin=noskin; path=/; domain=.amazon.com; expires=Wed, 10-Oct-2007 21:13:46 GMT
And finally, the resulting match line:
match http m|^HTTP/1\.1 \d\d\d .*Server: Server\r\n.*domain=\.amazon\.com;|s p/Amazon httpd/
This Billion ADSL router suffers from an information leak similar to that of a Netgear router I described in a previous entry. The (here obscured) IP address of the user managing the router is displayed to anybody who connects:
---------- GetRequest ---------- "...Warning !</h2><p>Somebody \(10\.1\.2\.3\) is configuring the router now !..."
The gallery of funny or otherwise interesting submissions: