HCSW Technical Blog

Doug Hoyte

16. Wrapping up the marathon!
Tue, May 9 2006

Wow! Between jan-02-2006 and apr-20-2006 Nmap users submitted 948 fingerprints covering a huge range of diverse protocols. That's nearly 9 submissions per day! No other product on the planet has a database like we are building! Thanks go to everyone who submitted. Keep those submissions rolling!

I hope you enjoy a few miscellaneous notes I made regarding services I haven't covered in previous blog entries:

  • Every once in a while I get a great submission that includes not only fingerprints but also match lines that I can adapt for the nmap-service-probes file. This time around I received one of the best I've ever seen. This submission deals with customised BIND versions and I incorporated it mostly unchanged into the nmap-service-probes file. I'll let the submitter's words speak for themselves:

    This is an example of a customized ISC Bind version - this is commonly done to obscure the exact version. The following match rule can be used as a catch-all for many common choices:
    # This fallback is because many people customize their BIND version to avoid
    # revealing specific version information. This rule should always be below the
    # detailed rules above.
    match domain m|\x07version\x04bind.*[\x04-\x1f][\x03-\x1e]([-\w._ ,;?()[\]+:/@\n]{3,30})|s p/ISC Bind/ v/($1)/
    Incidentally, the second ISC Bind version match rule has a glitch in that the byte-length character range doesn't match the corresponding string regexp; these should be:
    # Allow 3-20 character version numbers
    match domain m|\x07version\x04bind.*[\x03-\x14]([-\w._ ]{3,20})$|s p/ISC Bind/ v/$1/
    match domain m|\x07version\x04bind.*[\x08-\x19]BIND ([-\w._]{3,20})$|s p/ISC Bind/ v/$1/
    There's an interesting audit of BIND version information at http://www.phaze.org/dnsaudit/bindaudit-20010203.txt - I used this to generate the set of random punctuation for the catch-all pattern; although five years old, it gives a general idea of what one might expect to find.

    To the submitter: Thank you very much! I'm more than happy to give credit where credit is due: just email me from the same email address you put in the web form!

  • An unusual DNS submission that I couldn't really determine the source of is the following:

     \x0c\0\x10\0\x03\0\0\0\0\0_\^If you have a legitimate reason for requesting 
      this info, please contact hostmaster@Level3\.net"
    The submitter described it as Trick Or Treat Daemon: a DNS proxy for IPv4/IPv6 translation. I'm not saying I don't believe this; I just need to be sure this is consistent for this application - I need more submissions! Also notice the interesting warning from the Level3 hostmaster!

  • Another interesting submission that speaks for itself:

    The mysterious Lexmark 9200 port. Googling around reveals something about perhaps being used to print directly from as/400!? Witchcraft, I say.

    "\x1e\0\0\0\0Dell Laser Printer W5300\0"
    More information on this? Email me!

  • Unfortunately, with some protocols we don't get very much version information in the normal responses. Take VNC for example:

    match vnc m|^RFB 003\.00(\d)\n$| p/VNC/ i/protocol 3.$1/
    However, sometimes we get lucky! :)
    "RFB 003\.003\n\0\0\0\0\0\0\0jServer license key is missing, invalid or has expired\.\n
     Visit http://www\.realvnc\.com to purchase a licence\."

  • Finally, let's not forget you have to be careful when running Nmap against mission critical services. But also remember attackers probably won't be so careful!

    Description: Intel RAID Configuration Service

    Currently a service scan causes this service to spike the CPU to 100% until the service is restarted. I plan on doing a little more work to identify what causes this.
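As an added example (not code from this post, from Nmap, or from the submitter), here is a small Python evaluator for match lines of the form quoted above. It parses the rule syntax, tries the three BIND rules and the VNC rule in file order against constructed responses, and expands $1 into the version or info field the way Nmap does. The DNS reply builder, the sample version strings, and the parse_rule/identify names are my own inventions; only the subset of the match-line syntax used by the quoted rules is handled, so it is a teaching tool, not a replacement for Nmap's matcher.

```python
import re
from typing import Optional

# Rules copied from the post. The catch-all's character class is written here
# with the "[" escaped as "\[" because Python's re warns about an unescaped "["
# inside a class; the PCRE engine Nmap uses accepts either form.
RULES = [
    r"match domain m|\x07version\x04bind.*[\x03-\x14]([-\w._ ]{3,20})$|s p/ISC Bind/ v/$1/",
    r"match domain m|\x07version\x04bind.*[\x08-\x19]BIND ([-\w._]{3,20})$|s p/ISC Bind/ v/$1/",
    r"match domain m|\x07version\x04bind.*[\x04-\x1f][\x03-\x1e]([-\w._ ,;?()\[\]+:/@\n]{3,30})|s p/ISC Bind/ v/($1)/",
    r"match vnc m|^RFB 003\.00(\d)\n$| p/VNC/ i/protocol 3.$1/",
]

# match <service> m<delim>regex<delim><flags> p/product/ v/version/ i/info/ ...
# (toy parser: assumes the delimiter does not occur inside the regex and "/"
# does not occur inside a field value, which holds for the rules above).
MATCH_LINE = re.compile(
    r"^match\s+(?P<service>\S+)\s+m(?P<d>[^\w\s])(?P<regex>.*?)(?P=d)"
    r"(?P<flags>[si]*)\s*(?P<fields>.*)$"
)
FIELD = re.compile(r"\b([pvih])/(.*?)/")


def parse_rule(line: str):
    """Split one match line into (service, compiled bytes regex, field dict)."""
    m = MATCH_LINE.match(line)
    if not m:
        raise ValueError("unsupported match line: " + line)
    flags = 0
    if "s" in m["flags"]:
        flags |= re.DOTALL      # Nmap's "s": let "." span the whole response
    if "i" in m["flags"]:
        flags |= re.IGNORECASE
    # Responses are raw bytes, so compile a bytes pattern; escapes in the rule
    # text (\x07, \w, \n, ...) are interpreted by Python's re engine.
    pattern = re.compile(m["regex"].encode("latin-1"), flags)
    return m["service"], pattern, dict(FIELD.findall(m["fields"]))


def substitute(template: str, match) -> str:
    """Expand $1, $2, ... from the regex captures, as Nmap does for v/ and i/."""
    def group(ref):
        return (match.group(int(ref.group(1))) or b"").decode("latin-1")
    return re.sub(r"\$(\d)", group, template)


def identify(response: bytes, rules=RULES) -> Optional[dict]:
    """Return the fields of the first rule (in file order) that matches, or None."""
    for line in rules:
        service, pattern, fields = parse_rule(line)
        m = pattern.search(response)
        if m:
            return {"service": service,
                    **{k: substitute(v, m) for k, v in fields.items()}}
    return None


def build_version_bind_response(version: bytes, txid: bytes = b"\x12\x34") -> bytes:
    """Constructed DNS reply to a CHAOS-class TXT query for version.bind.

    Layout: 12-byte header, the question as length-prefixed labels
    (\x07version\x04bind), then one TXT answer whose RDATA is a single
    length-prefixed character-string. That length byte is what the
    [\x03-\x14] / [\x08-\x19] ranges in the rules are matching, so the
    quantifier on the captured string must agree with it.
    """
    header = txid + b"\x84\x00" + b"\x00\x01\x00\x01\x00\x00\x00\x00"
    question = b"\x07version\x04bind\x00" + b"\x00\x10" + b"\x00\x03"   # TXT, CH
    rdata = bytes([len(version)]) + version
    answer = (b"\xc0\x0c"                       # name: pointer to offset 12
              + b"\x00\x10\x00\x03"             # TXT, CH
              + b"\x00\x00\x00\x00"             # TTL
              + len(rdata).to_bytes(2, "big")
              + rdata)
    return header + question + answer


if __name__ == "__main__":
    # All sample version strings and banners below are constructed.
    samples = {
        "stock":       build_version_bind_response(b"9.3.2"),
        "packaged":    build_version_bind_response(b"BIND 9.2.4rc8-RedHat-9"),
        "customised":  build_version_bind_response(b"go away: no version for you"),
        "vnc":         b"RFB 003.008\n",
        "vnc-licence": b"RFB 003.003\n\0\0\0\0\0\0\0jServer license key is missing",
    }
    for name, resp in samples.items():
        print(f"{name:12} -> {identify(resp)}")
```

Running it shows the ordering the submitter insists on: the plain rule takes "9.3.2", the 22-character packaged string is too long for the first rule's {3,20} and falls through to the "BIND " rule, the customised banner is caught only by the fallback (and comes back parenthesised, as the v/($1)/ field specifies), and the licence-expired VNC banner matches nothing because the VNC rule is anchored with $ right after the newline.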

All material is (C) Doug Hoyte and/or hcsw.org unless otherwise noted or implied. All rights reserved.