HCSW Technical Blog

by Doug Hoyte



33. Q4'2007 Nmap Updates
Thu, Jan 17 2008

The fourth quarter of 2007 was big for Nmap. We had the first stable release in over a year: 4.50! I integrated many of your fingerprints for that release so some of the entries described here will be supported there. For the latest and greatest, you can find the probes file here or in the Nmap SVN repository.

Thanks to everyone who submitted fingerprints, and keep 'em coming!


The HP166XC Logic Analyzer developers seem to have misinterpreted a field when setting up this ftpd: look at the email address we're supposed to direct comments to. The 214 footer reads "Direct comments to ftp-bugs@ HP166XC V01.00", so the product name ended up where the hostname belongs.

---------- Help ----------
"220  HP166XC V01\.00 FUSION FTP server \(Version 3\.3\) ready\.\r\n214-The following commands are recognized \(\* =>'s unimplemented\)\.\r\n    USER     PORT     RETR     MSND\*    ALLO\*    DELE     SITE\*    MKD      XCUP \n    PASS\*    PASV\* STOR     MSOM\*    REST\*    CWD      STAT\*    XRMD     CDUP \n    ACCT\*    TYPE     APPE\*    MSAM\*    RNFR\*    XCWD  HELP     RMD      XDLS \n    REIN\*    STRU\*    MLFL\*    MRSQ\*    RNTO\*    LIST     NOOP     XPWD \n    QUIT     MODE     MAIL\*    MRCP\*    ABOR\*    NLST     XMKD     PWD \n214 Direct comments to ftp-bugs@ HP166XC V01\.00\.\r\n"

These HP Logic Analyzers are strange devices. The HP 1662C seems to echo the data backwards!

Port 818-TCP
V=4.11
---------- GenericLines ----------
"\r\n\r\x1f\r\n"

---------- GetRequest ----------
"\r\n\r0\.1/PTTH / TEG!\r\n"

---------- HTTPOptions ----------
"\r\n\r0\.1/PTTH / SNOITPO%\r\n"

VMS, still alive and kicking (ah, fond memories... the first time I used the Internet was on a VMS VAX).

match ftp m|^211 Hello \[[\w-_.]+\], Secure/IP Authentication Server ([\w-_.]+) at your service\.\r\n| p|OpenVMS Secure/IP ftpd| v/$1/ o/OpenVMS/

Always fun to see protocols using non-English languages. Senha is Portuguese for "password". Note also the "[: /: unknown operand" lines: a shell "[" test on the device is choking on the "/" from our GET request, so whatever we type at that login prompt is apparently being run through the shell's test builtin.

---------- GetRequest ----------
"\xff\xfd\x01\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\x03\r\r\nGET / HTTP/1\.0\r\n\r\n\x1b\[H\x1b\[JLogin: \[: /: unknown operand\r\nSenha: \[: /: unknown operand\r\n\x1b\[H\x1b\[JLogin: "

And this unknown SMTPd is, I think, Italian ("Server di posta generico" is "generic mail server").

---------- NULL ----------
"220 Server di posta generico\. Wed, 14 Nov 2007 10:28:56 \+0100\r\n"

Another amusing (maybe it's just me?) language observation. Look at this product name: "DocuCentre Color". "Centre" is spelled the British way and "color" the American way. D'oh!

match http m|^HTTP/1\.1 \d\d\d .*\r\nDocuCentre Color (\d+) -|s p/Fuji Xerox DocuCentre Color $1 http config/ d/printer/

Another WAP that proudly announces its default password to the world. The password sits in the realm string of the WWW-Authenticate header, so it is handed to any unauthenticated client that requests the config page. Does anybody care about wireless security? (not Schneier!)

match http m|^HTTP/1\.0 \d\d\d .*Server: Boa/([\w-_.]+) \(with Intersil Extensions\)\r\nConnection: close\r\nWWW-Authenticate: Basic realm=\"CONNECT2AIR AP-600RP-USB LOGIN Enter Password \(default is connect\)\"\r\n|s p/Fujitsu Siemens CONNECT2AIR AP-600RP-USB WAP http config/ d/WAP/ i/Boa httpd $1; default passwd "connect"/
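The match lines above are nothing more than regexes with version fields hung off them. What follows is an added example (my code, not code from this post and not Nmap's own matcher) that parses three of them, the OpenVMS, DocuCentre and CONNECT2AIR lines, in nmap-service-probes syntax and runs them over constructed banners. It ignores the Probe context (Nmap only tries a match line against responses to the probe it belongs to) and handles only the single-letter version fields with $N substitution. One caveat a practitioner hits right away: Nmap matches with PCRE, which takes the hyphen in a class like [\w-_.] literally, whereas Python's re rejects that class outright, so the example rewrites it before compiling. The banners are constructed to trigger each line; they are not real captures.

```python
import re

# Three match lines copied from the fingerprints above, in nmap-service-probes
# syntax: match <service> m<delim>regex<delim>[flags] p/.../ v/.../ i/.../ d/.../ o/.../
MATCH_LINES = [
    r'match ftp m|^211 Hello \[[\w-_.]+\], Secure/IP Authentication Server ([\w-_.]+) at your service\.\r\n| p|OpenVMS Secure/IP ftpd| v/$1/ o/OpenVMS/',
    r'match http m|^HTTP/1\.1 \d\d\d .*\r\nDocuCentre Color (\d+) -|s p/Fuji Xerox DocuCentre Color $1 http config/ d/printer/',
    r'match http m|^HTTP/1\.0 \d\d\d .*Server: Boa/([\w-_.]+) \(with Intersil Extensions\)\r\nConnection: close\r\nWWW-Authenticate: Basic realm=\"CONNECT2AIR AP-600RP-USB LOGIN Enter Password \(default is connect\)\"\r\n|s p/Fujitsu Siemens CONNECT2AIR AP-600RP-USB WAP http config/ d/WAP/ i/Boa httpd $1; default passwd "connect"/',
]

# Constructed banners (not real captures) shaped to trigger each line above,
# plus one that should match nothing.
BANNERS = {
    'openvms': b'211 Hello [host.example.org], Secure/IP Authentication Server 1.2 at your service.\r\n',
    'docucentre': b'HTTP/1.1 200 OK\r\nServer: Apache\r\nDocuCentre Color 450 - Settings\r\n',
    'wap': (b'HTTP/1.0 401 Unauthorized\r\nServer: Boa/0.94.11 (with Intersil Extensions)\r\n'
            b'Connection: close\r\nWWW-Authenticate: Basic realm="CONNECT2AIR AP-600RP-USB '
            b'LOGIN Enter Password (default is connect)"\r\n'),
    'unknown': b'220 Server di posta generico. Wed, 14 Nov 2007 10:28:56 +0100\r\n',
}

# match/softmatch, service name, m<delim>pattern<delim>, optional i/s flags, then fields.
LINE_RE = re.compile(r'^(match|softmatch)\s+(\S+)\s+m(.)(.*?)\3([is]*)\s*(.*)$')
# A version field is a one-letter name, any delimiter, the value, the same delimiter.
FIELD_RE = re.compile(r'([a-z])(.)(.*?)\2')


def pcre_to_python(pattern):
    # Nmap uses PCRE, which accepts [\w-_.] and takes the hyphen literally.
    # Python's re raises "bad character range" on it, so escape a hyphen that
    # directly follows a shorthand class; PCRE reads \w\- exactly like \w-.
    return re.sub(r'(\\[wdsWDS])-', r'\1\\-', pattern)


def parse_match_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError('not a match line: ' + line)
    kind, service, _, pattern, flags, rest = m.groups()
    reflags = 0
    if 'i' in flags:
        reflags |= re.IGNORECASE
    if 's' in flags:
        reflags |= re.DOTALL   # nmap's "s" flag: dot also matches newline
    return {
        'kind': kind,
        'service': service,
        'regex': re.compile(pcre_to_python(pattern), reflags),
        'fields': {name: value for name, _, value in FIELD_RE.findall(rest)},
    }


def fingerprint(banner, entries):
    # One char per byte so the regex sees the raw bytes, as Nmap does.
    # First match wins, also as in Nmap (Probe context is ignored here).
    text = banner.decode('latin-1')
    for entry in entries:
        m = entry['regex'].search(text)
        if not m:
            continue
        result = {'service': entry['service']}
        for name, value in entry['fields'].items():
            # $1..$9 in a field are replaced by the captured groups, e.g. v/$1/.
            result[name] = re.sub(r'\$(\d)', lambda g: m.group(int(g.group(1))) or '', value)
        return result
    return None


def classify_all(match_lines=MATCH_LINES, banners=BANNERS):
    entries = [parse_match_line(line) for line in match_lines]
    return {name: fingerprint(data, entries) for name, data in banners.items()}


if __name__ == '__main__':
    for name, result in classify_all().items():
        print(name, '->', result)
```

Running it prints one result per banner: the WAP banner comes back with its i/ field filled in as 'Boa httpd 0.94.11; default passwd "connect"', which is exactly the information an unauthenticated scan of that device hands you, and the Italian SMTP banner comes back as None because no line claims it.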

And, of course, the gallery of funny or otherwise noteworthy submissions:

  • An unknown telnetd:

    ---------- RPCCheck ----------
    "\xff\xfb\x01\xff\xfb\x03\xff\xfb\0\xff\xfd\0Username: data_error\r\r\n\(rdata_error\r\r\n data_error\r\r\ndata_error\r\r\ndata_error\r\r\ndata_error\r\r\ndata_error\r\r\n data_error\r\r\ndata_error\r\r\ndata_error\r\r\n\|"
    
  • match ftp m|^230 FTP Server Ready\r\n504 Comand length not supported\.\r\n| p/HP JetDirect ftpd/ d/printer/
    
  • match ftp m|^550 no more people, max connections is reached\r\n| p/Avalaunch XBOX ftpd/ d/game console/ i/Max connections reached/
    
  • I don't know what this service is, but I know it's crippled proprietary software:

    ---------- GenericLines ----------
    "LICN:\[Server:123456\]Connection rejected, the server license allows connections from only 5 unique IP addresses\.\n"
    
  • Sure looks like a backdoor to me.

    ---------- GenericLines ----------
    "bash: line 1: \r: command not found\nbash: line 2: \r: command not found\n"
    
  • Misconfigured popper:

    ---------- NULL ----------
    "Unable to open trace file \"/var/spool/popper/popper\.log\": No such file or directory \(2\)\n"
    
  • Unknown service on tcp/5554:

    ---------- SMBProgNeg ----------
    "error in socket read, expecting 2092 len of data\. got -1\. len mismatch"
    
  • Unknown service on tcp/1280:

    ---------- NULL ----------
    "sucess open port\r\n"
    
  • Linux NetworX Network ICE Management Protocol:

    ---------- DNSStatusRequest ----------
    "V3\.1\r\nBuffer overrun attempt\r\n"
    
All material is (C) Doug Hoyte and/or hcsw.org unless otherwise noted or implied. All rights reserved.