29. Q2 2007 Service Submissions
Hi all! As usual, here are my notes on integrating the latest Nmap service submissions. Thanks to everyone who submitted! I've noted a few bizarre service behaviours and some other misc sightings.

A couple of interesting ways sendmail can break:

    match smtp m|^220 ;; ESMTP connection timed out; no servers could be reached Sendmail ([\w-_.]+)/| p/Sendmail/ v/$1/ i/broken/
    match smtp m|^554 ([\w-_.]+) ESMTP not accepting messages\r\n| p/Sendmail/ h/$1/ i/Not accepting mail/

I noticed that the LPDString probe gives some interesting information to the gpsd service, including the version number and the serial device being used. This is just one of those interesting results that comes from gpsd being a character-based protocol, as I noted in last quarter's update. So I moved the gpsd port to the LPDString probe for more detailed matches:

    match gpsd m|^GPSD,D=\?,E=\?,F=([\w-_./]+),A=\?,U=\?,L=\d ([\w-_.]+) abcdefgiklmnopqrstuvwxyz,T=\?\r\n| p/gpsd/ v/$2/ i/Serial port $1/

The fingerprint for the telnet port of this SHARP printer was submitted by 4 independent people this quarter! There must've been a large product roll-out to Nmap-friendly organisations. In any case, this printer is also notable in how it handles logins. Notice how user 'GET / HT' (the start of the GET request that Nmap's GetRequest probe sends) was able to log in to the printer. :)

    ---------- GetRequest ----------
    "\xff\xfd\x03\xff\xfb\x01\xff\xfb\x03SHARP MX-2300N Ver 01\.02\.00\.09 TELNET server\.\r\0\nCopyright\(c\) 2001-2005, silextechnology, Inc\.\r\0\nlogin: GET / HTTP/1\.0\r\0\nUser 'GET / HT' logged in\.\r\0\n\r\0\n No\. Item Value \(level\.1\)\r\0\n----------------------------------------------------------------------\r\0\n 1: Configure General\r\0\n2 : Configure TCP/IP\r\0\n 3 : Configure NetWare\r\0\n 4 : Configure AppleTalk\r\0\n 5 : Configure NetBEUI/NetBIOS\r..."

On the SSH port of a D-Link DSL router?
    ---------- NULL ----------
    "SIOCGIFFLAGS: No such device\r\nSIOCGIFFLAGS: No such device\r\nSIOCGIFFLAGS: No such device\r\nJan 1 12:00:11 cfgmgr\(pppoe0\): Jan 1 12:00:11> Valid Configuration Tree\r\nPVC dB\r\nvpi = -1 vci = -1 in_use = 0\r\nvpi = -1 vci = -1 in_use = 0\r\nvpi = -1 vci = -1 in_us"

This Netgear WG-102 WAP has an interesting information leak problem. The (obscured here) IP address of the admin is made visible to anybody who cares to connect to the device while it is being administered:

    ---------- GetRequest ----------
    "HTTP/1\.0 200 OK\r\nServer: RapidLogic/1\.1\r\n...503 Server Busy</H1><tr> admin \(10\.1\.2\.3\) is managing the access point!"

The gallery of funny or otherwise noteworthy:
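Stepping back to the match lines at the top of these notes: the following is an added example (my own, not part of this post or of Nmap's code) that parses those three lines in nmap-service-probes syntax and applies them to constructed banners, showing how the p/v/i/h fields and the $1/$2 references turn into the reported product, version and info. It assumes that escaping the hyphen after \w is all that is needed to make these PCRE patterns acceptable to Python's re.

```python
import re

# Shape of one nmap-service-probes match line, as quoted in these notes:
#   match <service> m<d>regex<d>[flags] p/product/ v/version/ i/info/ h/hostname/
MATCH_LINE = re.compile(r'^match (\S+) m(.)(.*?)\2([is]*)\s*(.*)$')
FIELD = re.compile(r'([pvihod])/((?:[^/\\]|\\.)*)/')
# The three match lines from the notes above, verbatim.
MATCH_LINES = [
    r"match smtp m|^220 ;; ESMTP connection timed out; no servers could be reached Sendmail ([\w-_.]+)/| p/Sendmail/ v/$1/ i/broken/",
    r"match smtp m|^554 ([\w-_.]+) ESMTP not accepting messages\r\n| p/Sendmail/ h/$1/ i/Not accepting mail/",
    r"match gpsd m|^GPSD,D=\?,E=\?,F=([\w-_./]+),A=\?,U=\?,L=\d ([\w-_.]+) abcdefgiklmnopqrstuvwxyz,T=\?\r\n| p/gpsd/ v/$2/ i/Serial port $1/",
]

def pcre_to_python(pattern):
    # Nmap compiles with PCRE, which accepts [\w-_.]; Python's re rejects a range
    # starting at \w, so escape that hyphen (assumption: enough for these lines).
    return pattern.replace(r'\w-', r'\w\-')

def parse_match(line):
    """Split a match line into (service, compiled regex, {field letter: template})."""
    m = MATCH_LINE.match(line)
    if not m:
        raise ValueError("not a match line: " + line)
    service, _delim, pattern, flags, rest = m.groups()
    re_flags = (re.I if 'i' in flags else 0) | (re.S if 's' in flags else 0)
    return service, re.compile(pcre_to_python(pattern), re_flags), dict(FIELD.findall(rest))

def fingerprint(banner, lines=MATCH_LINES):
    """First line whose regex hits the banner -> (service, fields with $N expanded
    from the capture groups); None when no line matches."""
    for line in lines:
        service, regex, fields = parse_match(line)
        hit = regex.search(banner)
        if hit:
            expand = lambda tpl: re.sub(r'\$(\d+)', lambda g: hit.group(int(g.group(1))) or '', tpl)
            return service, {k: expand(v) for k, v in fields.items()}
    return None

# Constructed sample banners (not real captures), one per match line plus a miss.
SAMPLE_BANNERS = {
    "sendmail_timeout": "220 ;; ESMTP connection timed out; no servers could be reached Sendmail 8.13.8/8.13.8; Mon, 4 Jun 2007 10:00:00 +0000\r\n",
    "sendmail_refusing": "554 mail.example.com ESMTP not accepting messages\r\n",
    "gpsd_lpd": "GPSD,D=?,E=?,F=/dev/ttyS0,A=?,U=?,L=2 2.34 abcdefgiklmnopqrstuvwxyz,T=?\r\n",
    "unknown": "220 mail.example.com ESMTP Postfix\r\n",
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, "->", fingerprint(banner))
```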