HCSW Technical Blog

Doug Hoyte

37. Nmap Services Update
Tue, Feb 24 2009

I just finished a big update to the nmap-service-probes file that incorporates the fingerprints submitted over the last 6 months or so. As usual, here's a summary of the most interesting or notable services.

Big thanks to everyone who contributed!

Several services fail on tls_init() and then broadcast this to the client. For example, this unknown pop3d:

---------- NULL ----------
"-ERR \[SYS/PERM\] Fatal error: tls_init\(\) failed\r\n"

And this unknown imapd:

---------- NULL ----------
"\* BYE Fatal error: tls_init\(\) failed\r\n"

The HTTPOptions probe successfully telnets into a PRICOM print server:

---------- HTTPOptions ----------
"\xff\xfd\x03\xff\xfb\x01\xff\xfb\x03PRICOM 3100 Ver 1\.1\.0 TELNET server\.\r\0\nCopyright \(C\) 2002-2004 silex technology, Inc\.\r\0\nlogin: OPTIONS / HTTP/1\.0\r\0\nUser 'OPTIONS ' logged in\.\r\0\n\r\0\n No\.  Item Value            \(level\.1\)\r\0\n----------------------------------------------------------------------\r\0\n  1 : Configure General\r\0\n  2 : Configure TCP/IP\r\0\n  3 : Configure NetWare\r\0\n  4 : Configure AppleTalk\r\0\n  5 : Configure NetBEUI/NetBIOS\r\0\n  6 : Configure SNMP\r\0\n  7 : Configure Print Port\r\0\n 96 : Display Status\r\0\n 97 : Reset Settings to Defaults\r\0\n 98 : Restart Print Server\r\0\n 99 : Exit\r\0\nPlease select\(1 - 99\)\? \r\0\n\r\0\n No\.  Item Value            \(level\.1\)\r\0\n----------------------------------------------------------------------\r\0\n  1 : Configure General\r\0\n  2 : Configure TCP/IP\r\0\n  3 : Configure NetWare\r\0\n  4 : Configure AppleTalk\r\0\n  5 : Configure NetBEUI/NetBIO"

Strange error message on this Aironet BR500E: "Ethernet Error : 11 Misses":

---------- NULL ----------
"\xff\xfb\x01\xff\xfe\x01Connected\r\n\n\rAironet BR500E V8\.24                Main Menu                        HQ-PTPool\r\n\r\n    Option            Value       Description\r\n\r\n1 - Configuration   \[ menu  \]   - General configuration\r\n2 - Statistics      \[ menu  \]   - Display statistics\r\n3 - Association     \[ menu  \]   - Association table maintenance\r\n4 - Filter          \[ menu  \]   - Control packet filtering\r\n5 - Logs            \[ menu  \]   - Alarm and log control\r\n6 - Diagnostics     \[ menu  \]   - Maintenance and testing commands\r\n7 - Privilege       \[ write \]   - Set privilege level\r\n8 - Close                       - Close the telnet session\r\n9 - Help                        - Introduction\r\n\r\nEnter an option number or name\r\n> 1:48:20 E Ethernet Error : 11 Misses\r\n"

This telnet service was allegedly blocked by China's firewall. Unfortunately I didn't have enough info to add a match line:

Port 23-TCP
---------- NULL ----------
"\r\nInfo:Connection was denied by remote host according to ACL!\0\0\0\r"

in China's Great Firewall?

Interesting. Netkit telnetd sends a LASTPATCH date:

Port 23-TCP
---------- NULL ----------
"Linux 2\.4\.32-gentoo-r4 \[INSTALL: 17-01-06\]\nLASTPATCH: 01-12-08-03:44:34\n"

This Sharp copier sends a special Extend-sharp-setting-status header (significance currently unknown). Remember that custom headers are supposed to be prefixed with X-, i.e. X-Extend-sharp-setting-status.

match http m|^HTTP/1\.0 200 OK\r\nServer: RapidLogic/([\w-_.]+)\r\nMIME-version: 1\.0\r\nContent-type: text/html\r\nExtend-sharp-setting-status: \d+\r\n.*<title>MX-M450U</title>|s p/Sharp MX-M450U copier http config/ d/printer/ i/RapidLogic httpd $1/

This one is bizarre:

This is from a LinkSys RV082 router firmware 1.3.6 when in the Firewall settings you have "Remote Management" Disabled and "HTTPS" Enabled.
With "Remote Management" Enabled you get the login page and with "HTTPS" Disabled you get no connection.

"tor is inherently impossible to satisfy" and "Not Implementedd is not implemented by this server" ??

Port 443-TCP
---------- GetRequest ----------
"HTTP/1\.0 501 Not Implemented\r\nContent-type: text/html\r\nPragma: no-cache\r\nDate: Tue, 12 Aug 2008 08:55:17 GMT\r\nLast-modified: Tue, 12 Aug 2008 08:55:17 GMT\r\nAccept-Ranges: bytes\r\nConnection: close\r\n\r\n\r\n\n\n  \n\n\n  tor is inherently impossible to satisfy\.\n\nl>\n"

---------- HTTPOptions ----------
"HTTP/1\.0 501 Not Implemented\r\nContent-type: text/html\r\nPragma: no-cache\r\nDate: Tue, 12 Aug 2008 08:55:18 GMT\r\nLast-modified: Tue, 12 Aug 2008 08:55:18 GMT\r\nAccept-Ranges: bytes\r\nConnection: close\r\n\r\n\r\n\n\n  \n\n\n  0Not Implementedd is not implemented by this server\.\n\nl>\n"

No idea why this Pixord IP camera sends the httpd's UID and PID in response to our FourOhFourRequest probe, but thanks for all the fish:

match http m|^HTTP/1\.1 200 OK\r\nConnection: close\r\nCache-Control: no-cache\r\nServer: WEBCAM\r\nCONTENT-LENGTH:\d+\r\n\r\n\r\nHTTP requested /nice%20ports%2C/Tri%6Eity\.txt%2ebak was not found  UID (\d+) PID (\d+)\n| p/Pixord IP Camera http config/ d/webcam/ i/UID $1; PID $2/
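As an added example (not nmap's own code, which is written in C), here is a small Python parser for the match-line format above: it splits a line into service, regex, flags and the p/ v/ i/ d/ fields, runs the regex over a banner, and expands $1 and $2 from the capture groups the way nmap fills in the version info. Only the match line is from the post; the banner bytes are constructed for the example.

```python
import re

# Constructed sample: the Pixord match line quoted in this post, and a
# banner such a camera could return to nmap's FourOhFourRequest probe.
PIXORD_LINE = (
    r"match http m|^HTTP/1\.1 200 OK\r\nConnection: close\r\nCache-Control: no-cache\r\n"
    r"Server: WEBCAM\r\nCONTENT-LENGTH:\d+\r\n\r\n\r\nHTTP requested "
    r"/nice%20ports%2C/Tri%6Eity\.txt%2ebak was not found  UID (\d+) PID (\d+)\n| "
    r"p/Pixord IP Camera http config/ d/webcam/ i/UID $1; PID $2/"
)
SAMPLE_BANNER = (
    b"HTTP/1.1 200 OK\r\nConnection: close\r\nCache-Control: no-cache\r\n"
    b"Server: WEBCAM\r\nCONTENT-LENGTH:87\r\n\r\n\r\n"
    b"HTTP requested /nice%20ports%2C/Tri%6Eity.txt%2ebak was not found  UID 0 PID 1234\n"
)

# match <service> m<delim>regex<delim>[si] p/.../ v/.../ i/.../ d/.../ o/.../
MATCH_LINE_RE = re.compile(r"^(match|softmatch)\s+(\S+)\s+m(.)(.*?)\3([si]*)\s*(.*)$")
# Version-info fields start after whitespace; cpe:/.../ entries are not parsed here.
FIELD_RE = re.compile(r"(?:^|\s)([pvihod])(.)(.*?)\2")
REGEX_FLAGS = {"s": re.DOTALL, "i": re.IGNORECASE}


def parse_match_line(line):
    """Split one match line into (service, compiled regex, {field: template})."""
    m = MATCH_LINE_RE.match(line)
    if not m:
        raise ValueError("not a match line: %r" % line)
    _kind, service, _delim, pattern, flagchars, version_info = m.groups()
    flags = 0
    for ch in flagchars:
        flags |= REGEX_FLAGS[ch]
    fields = {key: tpl for key, _d, tpl in FIELD_RE.findall(version_info)}
    return service, re.compile(pattern, flags), fields


def run_match(line, banner):
    """Apply a match line to raw banner bytes; expand $1, $2, ... on success."""
    service, regex, fields = parse_match_line(line)
    # latin-1 maps every byte to one code point, so \xff-style escapes still line up
    m = regex.search(banner.decode("latin-1"))
    if m is None:
        return None

    def expand(template):
        return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), template)

    return {"service": service, **{k: expand(v) for k, v in fields.items()}}
```

A banner that does not satisfy the regex yields None, which is what nmap does before moving on to the next match line.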

Notice the redirect to http://(null)/config/log_off_page.htm in this Dell PowerConnect switch match line:

match http m|^HTTP/1\.1 302 Redirect\r\nServer: GoAhead-Webs\r\nDate: .*\r\nConnection: close\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nContent-Type: text/html\r\nLocation: http://\(null\)/config/log_off_page\.htm\r\n\r\n| p/Dell PowerConnect Gigabit switch http config/ d/switch/ i/GoAhead-Webs httpd/

This is actually relatively common and I'm 90% sure I know why this happens. These services probably pick out the Host: line sent by browsers and use it as the host to redirect to. Since GetRequest doesn't send a Host header, these services end up with a NULL pointer instead of a pointer to a Host string. When the redirect URL is then built with a printf()-family function, glibc substitutes (null) for the NULL %s argument, and that is what lands in the Location header:

doug@eclipse:~/tp8$ cat tp.c
#include <stdio.h>

int main(void) {
  printf("%s\n", NULL);  /* glibc prints "(null)" for a NULL %s argument */
  return 0;
}
doug@eclipse:~/tp8$ gcc tp.c
doug@eclipse:~/tp8$ ./a.out
(null)

Modified lighttpd for the FreeBSD project called "Gualala"? Some speculation agrees with this guess.

---------- GetRequest ----------
"HTTP/1\.0 301 Moved Permanently\r\nConnection: close\r\nLocation: http://www\.freebsd\.org/\r\nContent-Length: 0\r\nDate: Fri, 03 Oct 2008 17:43:42 GMT\r\nServer: httpd/1\.4\.x Gualala\r\n\r\n"

The most popular httpd you've never heard of. Netcraft recently estimated it to be the 7th most popular httpd. Looks like this is due to these guys using it to squat on millions of domains.

match http m|^HTTP/1\.1 200 OK\r\nDate: .*\r\nServer: Oversee Webserver v([\w-_.]+)\r\n| p/Oversee httpd/ v/$1/

This Dinion IP NWC webcam's telnetd goes nuts (IP addrs changed):

Port 23-TCP
---------- NULL ----------
"\r\nonly one telnet session supported\r\ncurrent connection to 192\.168\.1\.3\r\nbye\r\n\r\n"

---------- GenericLines ----------
"\xff\xfb\x01\xff\xfb\x03\r\n\r\nWelcome to Dinion-IP-NWC 192\.168\.1\.115 from 192\.168\.1\.3\r\ntelnet last socket error 0x0000013f\r\ntelnet -1 !!!\r\n\r\n\r\n\r\ninvalid username\r\n\r\nenter username  -> "

---------- HTTPOptions ----------
"\xff\xfb\x01\xff\xfb\x03\r\n\r\nWelcome to Dinion-IP-NWC 192\.168\.1\.115 from 192\.168\.1\.3\r\nsecond telnet session from 192\.168\.1\.3 discarded\r\r\nOPTIONS / H\r\ninput too long\r\nTLS invalid record length\r\nTLS version 0300 not supported\r\nTLS version 000b not supported\r\ntry again:\r\n"

I don't know what to make of this one either:

Service: zeus-admin

nmap thinks this is zeus admin, I have no idea.

Port 9090-TCP
---------- NULL ----------
"Usage: basename String \[Suffix\]\nUsage: mv \[-i \| -f\] \[-E{force\|ignore\|warn}\] \[--\] src target\n   or: mv \[-i \| -f\] \[-E{force\|ignore\|warn}\] \[--\] src1 \.\.\. srcN directory\nps: A flag requires a parameter: p\nUsage: ps \[-ANaedfklm\] \[-n namelist\] \[-F Format\] \[-o specifier\[=header\],\.\.\.\]\n\t\t\[-p proclist\]\[-G\|-g grouplist\] \[-t termlist\] \[-U\|-u userlist\] \[-c classlist\]\nUsage: ps \[aceglnsuvwxU\] \[t tty\] \[processnumber\]\nLanguage received from client: C\nSetlocale: C C C C C C\n"

Nmap causing more havoc:

Service: ADP IP Timeclock
Device: specialized

match telnet m|^\n\rCMI SEC\n\rProgram: +\d+\n\rMajor\.Minor\.Rel:  ([\w-_.]+)\n\rMAC Address:      ([\w:]+)\n\r\n\rPress <ENTER> to go into setup mode\.| p/ADP IP Timeclock telnetd/ v/$1/ i/MAC $2/ d/specialized/

And here's the gallery of unusual or funny submissions:

  • Polycom ViewStation HDX 8000 HD:

    ---------- NULL ----------
    "\xff\xfd\x01\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\x03\r\r\nSocket bind error: Address already in use\r\n"
  • Sagem livebox:

    ---------- RPCCheck ----------
    "\xff\xfb\x01\xff\xfb\x03\xff\xfb\0\xff\xfd\0login: data_error\r\r\n\(rdata_error\r\r\ndata_error\r\r\ndata_error\r\r\ndata_error\r\r\ndata_error\r\r\ndata_error\r\r\ndata_error\r\r\ndata_error\r\r\ndata_error\r\r\n\|"
  • Apache JMeter http proxy not failing gracefully:

    match http-proxy m|^\njava\.net\.UnknownHostException: /\r\n\tat java\.net\.PlainSocketImpl\.connect\(Unknown Source\)\r\n| p/Apache JMeter http proxy/
  • Unknown httpd. Close but not quite HTTP:

    Port 80-TCP
    ---------- GetRequest ----------
    "HTTP/1\.0 404 Not Found\n404 Object Not Found\n"
  • Misconfigured SSH on a Cisco switch:

    Port 22-TCP
    ---------- NULL ----------
    "Could not load host key\. Closing connection\.\.\."
  • Woah, something went wrong here. Are we telnet or http?

    match http m|^\[ menu  \]   - Control packet filtering\r\n5 - Logs            \[ menu  \]   - Alarm and log control\r\n6HTTP/1\.0 200 OK\r\n.*<font color=\"#ffffff\">Aironet BR500E V([\w-_.]+)</td>|s p/Aironet BR500E WAP http config/ d/WAP/ v/$1/
  • Redirect to ","?

    match http m|^HTTP/1\.0 302 \r\nLocation: ,\r\n\r\n$| p/BlackBox LWU0200-POE-M ethernet-optical bridge http config/ d/bridge/
  • Unknown execd:

    Port 512-TCP
    ---------- NULL ----------
    "\x01Where are you\?\n"
  • Fun reaction to the HELP probe:

    match printer m|^\x01Socket \d+ received unknown command 0x48 with arguments ELP$| p/RPM Print Manager lpd/ o/Windows/
  • WTF? :)

    match http m|^HTTP/1\.1 200 OK\r\nContent-type: text/html\r\nServer: Mono-HTTPAPI/([\w-_.]+)\r\n.*<H1>Ooops!</H1><P>The page you requested has been obsconded with by knomes\. Find hippos quick!</P>|s p/OpenSimulator httpd/ i/Mono HTTP API $1/
All material is (C) Doug Hoyte and/or hcsw.org unless otherwise noted or implied. All rights reserved.