|35. Big Nmap Services Update|
Here's the CHANGELOG entry from Nmap 4.68:
o Doug integrated all of your version detection submissions and corrections for the year up to May 31. There were more than 1,000 new submissions and 18 corrections. Please keep them coming! And don't forget that corrections are very important, so do submit them if you ever catch Nmap making a version detection or OS detection mistake. The version detection DB has grown to 5,054 signatures representing 486 service protocols. Protocols span the gamut from abc, acap, access-remote-pc, activefax, and activemq, to zebedee, zebra, zenimaging, and zenworks. The most popular protocols are http (1,672 signatures), telnet (519), ftp (459), smtp (344), and pop3 (201).
Thanks to everyone who contributed!
This one is interesting. Open up a shell and run "GET / HTTP/1.0" (without the quotes).
match backdoor m|^<HTML>\n<HEAD>\n<TITLE>Directory /</TITLE>\n<BASE HREF=\"file:/\">\n</HEAD>\n<BODY>\n<H1>Directory listing of /</H1>| p/No-auth shell/ i/**BACKDOOR**/ o/Unix/
It always surprises me that it is still common for Nmap to crash poorly written devices. Note to device developers: Please run Nmap on your device before releasing it--someone else out there will, guaranteed.
Notes: Telnet management port on Siemens C2-010-I ADSL2+ modem with firmware R100B01.0B_HN_20060406. The -sV scan makes the device crash! :) Notes: Belkin Network USB Hub F5L009ea Device crashes during nmap -A run
Here are some interesting misconfigurations. Unknown imapd:
Port 993-TCP V=4.53 ---------- NULL ---------- "\* BYE Fatal error: tls_init\(\) failed\r\n"
---------- NULL ---------- "421 Cannot connect to SMTP server 127\.0\.0\.1 \(127\.0\.0\.1:25\), connect error 10061\r\n"
---------- NULL ---------- "python: can't open file '/usr/sbin/gandiagent\.py': \[Errno 2\] No such file or directory\n"
match ftp m|^.* klogd: klogd started: BusyBox v([\w-_.]+) \(.*\)\r\nDoing BRCTL \.\.\.\r\nsetfilter br0 0 \r\n/var/tmp/act_firewall: No such file or directory\r\n| p/Actiontec router ftpd/ i/firewall broken; BusyBox $1/ d/broadband router/
Backdoors can be misconfigured too:
match backdoor m=^exec .* failed : No such file or directory\n$= p/failed netcat -e/ i/**BACKDOOR**/
Fingerprinting by typos:
match http m|^HTTP/1\.0 302 Found\r\nLocation: /login\.app\r\nContent-Lenght: 0\r\n\r\n$| p/NetXMS httpd/
I think this one wins the prize for least compliant HTTP/1.1 server ever:
match http m|^HTTP/1\.1 200 OK\r\nCONTENT-LANGUAGE:\r\nCONTENT-LENGTH: 0\r\nCONTENT-TPYE: text/xml\r\nDATE: .*\n\r\n\r\n\(null\)| p/Syabas Popcorn Hour http config/ d/media device/
Notes: its a friggin bindshell, detect it
Arrrggghhh.. 4.11 is like 2+ years old, upgrade it.
I'm getting tired of pointing out this bit of information leakage:
match telnet m|^\r\nSorry, this system is engaged by a rlogin session\.\r\nHost IP address: ([\d.]+)\.\nLogin name: ([\w-_.]+)\.\n| p/3Com LANplex switch telnetd/ i/in use by $2 from $1/ d/switch/
And of course, the gallery of funny or otherwise noteworthy fingerprints: