HCSW Technical Blog

by

Doug Hoyte



24. Q4'06 Service Submissions
Sun, Apr 15 2007

I just finished processing the last service submissions from 2006. Thanks to everyone who contributed!

Here are the stats:

$ cat nmap-service-probes|grep '^Probe'|wc -l
43
$ cat nmap-service-probes|grep '^match'|wc -l
4028
$ cat nmap-service-probes|grep '^match'|awk '{ print $2 }'|sort|uniq|wc -l
431

That's over 4000 lines covering over 400 protocols using over 40 probes. Keep those submissions coming everyone!

This post outlines some of the more interesting additions and talks about "getting our hands dirty" with some obscure low-level protocols so you don't have to. Enjoy.


Jason DePriest and Brandon Enright researched and created a new SMTP probe: Hello.

Thanks a lot guys! This should be a great probe for SMTP and I'm looking forward to seeing some submissions:

##############################NEXT PROBE##############################
Probe TCP Hello q|EHLO\r\n|
rarity 8
ports 25,587
sslports 465
totalwaitms 7500

match smtp m|^220\s+(DP-\d+)\r\n250-Hello\r\n250-DSN\r\n| p/Panasonic smtpd/ v/$1/ i/Panasonic printer/ d/printer/

The only thing I changed was the rarity. I don't think Hello will be that useful outside of SMTP servers and, at least for now, I don't see a compelling enough reason to have it in the default scan. Of course, Hello will still be run against the ports specified in the ports directive (see the reference).
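For readers wondering exactly when the rarity and ports directives cause a probe to be sent, here is an added Python example (not nmap's own code) that parses the Hello probe block above and applies the rule as the post states it: a probe is skipped when its rarity exceeds --version-intensity (default 7; --version-all means 9), unless the target port is listed in its ports directive (sslports for SSL-wrapped ports). Treating sslports separately from ports, always sending the NULL probe, and the rarity used when a block carries no rarity line are assumptions about nmap's behaviour, not something the post states.

```python
"""Which probes does nmap send to a port?

Added illustration for the rarity/ports rule described in the post; this
is not nmap's code.  Assumed rule: a probe is sent when its rarity is <=
the scan's --version-intensity (default 7), or when the target port is in
the probe's ports directive (sslports for SSL-wrapped ports).  The NULL
probe is assumed to be sent always.
"""
import codecs
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_INTENSITY = 7  # nmap's default --version-intensity; --version-all means 9

# The Hello probe block exactly as given in the post.
HELLO_PROBE_BLOCK = r"""
Probe TCP Hello q|EHLO\r\n|
rarity 8
ports 25,587
sslports 465
totalwaitms 7500
"""


@dataclass
class Probe:
    proto: str
    name: str
    payload: bytes
    rarity: int = 9  # assumption for blocks without a rarity line (treat as rarest)
    ports: set = field(default_factory=set)
    sslports: set = field(default_factory=set)
    totalwaitms: Optional[int] = None


def expand_ports(spec: str) -> set:
    """'25,587' or '1-1024,8080' -> set of port numbers."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_probe_block(text: str) -> Probe:
    """Parse one Probe block (Probe/rarity/ports/sslports/totalwaitms lines)."""
    probe = None
    for line in text.strip().splitlines():
        key, _, value = line.strip().partition(" ")
        if key == "Probe":
            proto, name, quoted = value.split(None, 2)
            delim = quoted[1]                         # q|...| : any delimiter char
            raw = quoted[2:quoted.index(delim, 2)]
            # nmap writes the probe string with C-style escapes (\r \n \xHH)
            payload = codecs.decode(raw, "unicode_escape").encode("latin-1")
            probe = Probe(proto, name, payload)
        elif key == "rarity":
            probe.rarity = int(value)
        elif key == "ports":
            probe.ports = expand_ports(value)
        elif key == "sslports":
            probe.sslports = expand_ports(value)
        elif key == "totalwaitms":
            probe.totalwaitms = int(value)
    return probe


def probe_selected(probe: Probe, port: int,
                   intensity: int = DEFAULT_INTENSITY, ssl: bool = False) -> bool:
    """True if this probe would be sent against `port` at the given intensity."""
    if probe.name == "NULL" or probe.rarity <= intensity:
        return True
    return port in (probe.sslports if ssl else probe.ports)


HELLO = parse_probe_block(HELLO_PROBE_BLOCK)

if __name__ == "__main__":
    for port, ssl in [(25, False), (587, False), (465, True), (8080, False)]:
        print(f"port {port:5} ssl={ssl!s:5} default intensity -> "
              f"{probe_selected(HELLO, port, ssl=ssl)}   "
              f"--version-all -> {probe_selected(HELLO, port, 9, ssl)}")
```

With rarity 8 the Hello probe is skipped at the default intensity on, say, port 8080, but still sent to 25 and 587 (and to 465 when the port is SSL-wrapped), which is the behaviour the paragraph above describes.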


One submitter went to enough trouble to read the RFCs and create his/her own IMAP server to test Nmap against. That's pretty cool and can be a great way to learn a protocol but I'm afraid the submitter misunderstands the function of -sV:

This is based on a purusal [sic] of the referenced RFC. I'm somewhat surprised you don't have scans for IMAP already.
---------- NULL ----------
"\* OK Hi!\r\n"

---------- GenericLines ----------
"\* OK Hi!\r\n BAD NULL COMMAND\r\n BAD NULL COMMAND\r\n"

---------- GetRequest ----------
"\* OK Hi!\r\nGET BAD Unknown or NULL command\r\n BAD NULL COMMAND\r\n"

Of course, when the submitter ran Nmap it was the first run against this IMAP daemon ever, so it makes sense that we should see a new fingerprint! That's the point of service detection, after all. We try to make match lines as specific as possible so we can see more instances of every service and offer more details in the match lines.


Here's an example of where being specific in our match lines pays off. I noticed some submissions for HP JetWebAdmin. I remember adding a match line I thought would cover that service, so I checked why these new ones were breaking. It turned out that all the previous submissions were for Windows versions, so Unix versions of the program (it's apparently portable between at least Windows and Solaris) were breaking the Windows C:\ style path match. So in this case getting multiple submissions was a good thing and resulted in the following useful distinction between platforms:

match http m|^HTTP/1\.0 200 OK\r\nServer: HP-Web-Server-(\d[-.\w]+)\r\n.*<!-- framework\.ini ([A-Z]:\\[-.\w \\]+)-->|s p/HP Web Jetwebadmin/ v/$1/ i/framework.ini: $2/ o/Windows/
match http m|^HTTP/1\.0 200 OK\r\nServer: HP-Web-Server-(\d[-.\w]+)\r\n.*<!-- framework\.ini (/[\w\\/-_. ]+)-->|s p/HP Web Jetwebadmin/ v/$1/ i/framework.ini: $2/ o/Unix/

Kojoney is a SSH honeypot that pretends to be a regular SSH daemon in order to capture passwords, spy on users, etc. Nmap was able to detect older versions of Kojoney with the following match line:

match ssh m|^SSH-2\.0-Twisted\r\n| p/Kojoney SSH honeypot/ i/protocol 2.0/

I hope the Kojoney developers aren't too upset, but it looks like we can detect newer versions of Kojoney that pretend to be OpenSSH just as easily. Since Kojoney doesn't perform a full SSH handshake and spits out more data than a regular SSH server, we can match it with the following:

match ssh m|^SSH-([\d.]+)-OpenSSH_([\w.]+)\r\n.*aes256|s p/Kojoney SSH honeypot/ i/Pretending to be $2; protocol $1/
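To make the match-line syntax in the Hello, JetWebAdmin and Kojoney entries above concrete, here is a small Python matcher. It is an added example, not nmap's own matcher: it parses the match lines quoted above, supporting only the subset of the syntax those lines use (the m|regex|flags form with the s and i flags, and $N substitution in the p/ v/ i/ o/ d/ fields), and runs them over constructed banners. The banners, version numbers and paths in SAMPLES are made up for the demonstration; the last one shows why a real OpenSSH server, which stops after its version string and waits for the client, does not trip the Kojoney line.

```python
"""Evaluate nmap-service-probes 'match' lines against captured banners.

Added illustration, not nmap's own matcher.  Handles the subset of the
syntax used in this post: m<delim>regex<delim> with the i/s flags, and the
p/ v/ i/ o/ d/ version fields with $N group substitution.
"""
import re
from dataclasses import dataclass

FIELD_NAMES = {"p": "product", "v": "version", "i": "info",
               "o": "ostype", "d": "devicetype", "h": "hostname"}


@dataclass
class MatchLine:
    service: str
    regex: "re.Pattern[bytes]"
    fields: dict  # raw templates keyed by field letter, e.g. {"p": "Kojoney SSH honeypot"}


def parse_match_line(line: str) -> MatchLine:
    """Parse 'match <svc> m<d>regex<d>[flags] p/.../ v/.../ ...'."""
    keyword, service, rest = line.strip().split(None, 2)
    if keyword != "match" or not rest.startswith("m"):
        raise ValueError(f"unsupported line: {line!r}")
    delim = rest[1]
    end = rest.index(delim, 2)                 # the regex never contains its own delimiter
    pattern, tail = rest[2:end], rest[end + 1:]
    fl = re.match(r"([is]*)\s*", tail)         # Perl-style flags follow the closing delimiter
    flags = (re.IGNORECASE if "i" in fl.group(1) else 0) | (re.DOTALL if "s" in fl.group(1) else 0)
    # Banners are raw bytes (telnet IACs, \xff...), so compile a bytes pattern.
    regex = re.compile(pattern.encode("latin-1"), flags)
    fields = {k: v for k, _, v in re.findall(r"\b([pvihod])([/|@=%])(.*?)\2", tail[fl.end():])}
    return MatchLine(service, regex, fields)


def apply_match(ml: MatchLine, banner: bytes):
    """Return the filled-in version fields if the banner matches, else None."""
    m = ml.regex.search(banner)
    if m is None:
        return None

    def subst(template: str) -> str:
        # $1, $2 ... are replaced with the corresponding capture groups
        return re.sub(r"\$(\d)",
                      lambda g: (m.group(int(g.group(1))) or b"").decode("latin-1"),
                      template)

    result = {"service": ml.service}
    result.update((FIELD_NAMES.get(k, k), subst(v)) for k, v in ml.fields.items())
    return result


def identify(match_lines, banner: bytes):
    """First matching line wins, as in nmap's top-to-bottom evaluation."""
    for ml in match_lines:
        hit = apply_match(ml, banner)
        if hit:
            return hit
    return None


# Match lines copied from the post.
MATCH_LINES = [parse_match_line(l) for l in [
    r"match smtp m|^220\s+(DP-\d+)\r\n250-Hello\r\n250-DSN\r\n| p/Panasonic smtpd/ v/$1/ i/Panasonic printer/ d/printer/",
    r"match http m|^HTTP/1\.0 200 OK\r\nServer: HP-Web-Server-(\d[-.\w]+)\r\n.*<!-- framework\.ini ([A-Z]:\\[-.\w \\]+)-->|s p/HP Web Jetwebadmin/ v/$1/ i/framework.ini: $2/ o/Windows/",
    r"match http m|^HTTP/1\.0 200 OK\r\nServer: HP-Web-Server-(\d[-.\w]+)\r\n.*<!-- framework\.ini (/[\w\\/-_. ]+)-->|s p/HP Web Jetwebadmin/ v/$1/ i/framework.ini: $2/ o/Unix/",
    r"match ssh m|^SSH-2\.0-Twisted\r\n| p/Kojoney SSH honeypot/ i/protocol 2.0/",
    r"match ssh m|^SSH-([\d.]+)-OpenSSH_([\w.]+)\r\n.*aes256|s p/Kojoney SSH honeypot/ i/Pretending to be $2; protocol $1/",
]]

# Constructed sample responses (not real captures); versions and paths are made up.
SAMPLES = {
    "panasonic":  b"220 DP-5000\r\n250-Hello\r\n250-DSN\r\n",
    "hp_windows": b"HTTP/1.0 200 OK\r\nServer: HP-Web-Server-3.1\r\nContent-Type: text/html\r\n\r\n"
                  b"<html><!-- framework.ini C:\\Program Files\\HP Web Jetadmin\\framework.ini--></html>",
    "hp_unix":    b"HTTP/1.0 200 OK\r\nServer: HP-Web-Server-3.1\r\n\r\n"
                  b"<!-- framework.ini /opt/hpwebjetadmin/framework.ini-->",
    "kojoney":    b"SSH-2.0-OpenSSH_4.3\r\n\x00\x00\x00\x9c\x05\x14diffie-hellman-group1-sha1,ssh-rsa,aes256-cbc",
    "openssh":    b"SSH-2.0-OpenSSH_4.3\r\n",  # a real server stops here and waits for our KEXINIT
}


def classify_samples():
    """Run every sample banner through the match lines; None means no match."""
    return {name: identify(MATCH_LINES, banner) for name, banner in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:11} -> {hit}")
```

The two JetWebAdmin lines are mutually exclusive on the second capture group ([A-Z]: versus a leading /), so the platform distinction the post describes falls out of the match order without any special casing.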

Remember that an Nmap version scan probes an application in many strange ways that, very probably, nobody has ever thought to try before. This is intentional and gives us lots of information vectors to classify services with. But remember that, because of this probing property, -sV can crash many poorly written network daemons. It's pretty fun to look at these submissions and figure out exactly what killed the daemon. It looks like the DNSVersionBindReq probe did in this Ambit cable modem's telnet service:

---------- NULL ----------
"\xff\xfa\x18\x01\xff\xf0\xff\xfb\x01\xff\xfb\x03AMBIT Cable Modem\r\n\r\nlogin: "

---------- GenericLines ----------
"\xff\xfa\x18\x01\xff\xf0\xff\xfb\x01\xff\xfb\x03AMBIT Cable Modem\r\n\r\nlogin: \r\n\rPassword: \r\n\rTry to connect to TACACS Server X\.X\.X\.X \.\.\r\nAUTH\.\.\.\.TIMEOUT\r\nUser login failure\.\r\n\r\nlogin: "

...

---------- DNSVersionBindReq ----------
"\xff\xfa\x18\x01\xff\xf0\xff\xfb\x01\xff\xfb\x03AMBIT Cable Modem\r\n\r\nlogin: "

---------- DNSStatusRequest ----------
"Error: Please restart Cable Modem\.\r\n"

---------- Help ----------
"Error: Please restart Cable Modem\.\r\n"

...

The last entry in this blog post discusses another "Nmap DoS attack" :).


At least this trojan has a sense of humor. Does anybody know its name?

match http m|^HTTP/1\.0 200 Ok\nDate: .*\nContent-type: text/html\n\n<font size=\"-4\">\nIf you can read this, you are sitting too close to the monitor\.\n</font>\n| p/Unknown trojan/ i/**BACKDOOR**/ o/Windows/

Found another good use for the FourOhFour probe we added a while back. The following match line was known to give false positives but was left in, because removing it resulted in a tidal wave of apt-cache submissions:

# This one can cause false results!
match http m|^HTTP/1\.0 404 Not Found\r\nConnection: close\r\n\r\n$| p/apt-cache httpd/

Luckily the new FourOhFour probe identifies this service easily so we can get rid of that problematic match line:

match http m|^HTTP/1\.0 403 File not found - unknown extension\r\n\r\n| p/apt-cache httpd/ o/Linux/
match http m|^HTTP/1\.1 403 Sorry, not allowed to fetch that type of file: Tri%6Eity\.txt%2ebak\r\n\r\n| p/apt-cache httpd/ o/Linux/

This one is a bit of a mystery. Why someone would configure an FTP banner with an SSH header is beyond me. The only reason I can think of is to mess with the person processing these fingerprints, but you guys would never do that, right?

Port 21-TCP
V=4.11
---------- NULL ----------
"220 SSH-1\.99-OpenSSH_3\.9p1\r\n"

---------- GenericLines ----------
"220 SSH-1\.99-OpenSSH_3\.9p1\r\n500 '': Command not understood\.\r\n500 '': Command not understood\.\r\n"

---------- Help ----------
"220 SSH-1\.99-OpenSSH_3\.9p1\r\n530 Please log in first\.\r\n"

UPDATE: Brandon Enright sent nmap-dev a match line to identify this service (I wasn't sure how to interpret it so thanks a lot Brandon!). Here it is:

match ftp m|^220-?\s+SSH-[\d.]+-([a-zA-Z]+)| p/FTP masquerading as $1/ i/**BACKDOOR**/

Hows this one for obscure... :P
Verified with my client that this is in fact a Reactivity XML Security Gateway.
http://www.reactivity.com/solutions/reactivity_xml_gateway.html
What a waste of money.....

The submitter makes a good point: you have to wonder about buzzword products like these. And XML? Yeech. It's time for something better. But anyways, here's the match line:

match http m|^HTTP/1\.1 .*\r\nServer: Reactivity Gateway\r\n|s p/Reactivity XML Security Gateway/

The gallery:

  • Clients open ports sometimes too! This is an FTP client that, for some unfathomable artifact of Windows design idiocy, opens an ident server when connecting:
    match ident m|^,  : USERID : UNIX : [^\r\n]+\r\n$| p/FTPRush FTP client identd/ o/Windows/
    
  • This looks like a product designed with security in mind:
    ---------- GetRequest ----------
    "\xff\xfb\x01\xff\xfb\x03\xff\xfd\x03\xff\xfd\x18\xff\xfd\x1fWelcome to your TiVo\r\n\r\n=\[tivo:root\]-# "
    
  • Guess they should've spent less time on their error messages and more on dodging patents?
    match http m|^UNKNOWN 400 Bad Request\r\nServer: \r\nContent-Type: text/html\r\n.*<H2>400 Bad Request</H2>\nYour request has bad syntax or is inherently impossible to satisfy\.\n|s p/Vonage http config/ d/VoIP adapter/
    
  • Not 100% sure how to interpret this one (Mac OS X Server Admin SSL Port):
    ---------- GetRequest ----------
    "HTTP/1\.1 401 Authorization Required\r\nServer: servermgrd\r\nSupportsXMLRPC\r\nSupportsBinaryPlist\r\nContent-Type: \xe2\x80\xa0%\xc6\x92<\r\n"
    
  • Haha I don't think so. :)
    ---------- GetRequest ----------
    "HTTP/1\.0 200\nServer: Lexi's WWW-NEXT-GENERATION Server/0\.0\.0\.0\.0\.0\.0\.0\.0\.0\.0\.0\.0\.0\.0\.0\.1-alpha-rc666\n"
    
  • "Not modified"? That FourOhFour probe is sure rough on some httpds. (McData fibre switch http config)
    ---------- FourOhFourRequest ----------
    "HTTP/1\.0 304 Not Modified\r\nContent-Length: 0\r\nServer: Unknown\r\n\r\n"
    
  • Another funny one.
    match http m|^HTTP/1\.1 0 \(null\)\r\nContent-Length: 0\r\n\r\n| p/Simpserver MSN encryption httpd/
    
  • Sendmail Mailstream Manager http config:
    ---------- GenericLines ----------
    "HTTP/1\.1 500 Internal server error\r\nContent-Length: 7\r\n\r\nBummah\."
    
  • Another conveniently located default password...
    match http m|^HTTP/1\.1 401 \r\nServer: PrintSir WEBPORT ([\d.]+)\r\nDate: .*\r\nWWW-Authenticate: Basic realm=\"Default password:sitecom\"\r\n\r\n| p/Sitecom print server http config/ i/Webport httpd $1; default password sitecom/ d/print server/
    
  • Took me a bit to figure out what NOYB stands for. Can you?
    "HTTP/1\.1 200 OK\r\nDate: Mon, 18 Dec 2006 11:57:51 GMT\r\nServer: NOYB\r\n"
    
All material is (C) Doug Hoyte and/or hcsw.org unless otherwise noted or implied. All rights reserved.