HCSW Technical Blog

HCSW Technical Blog

by

Doug Hoyte


through
Viewing entries 31 through 31.
Most Recent Blog Entries
RSS Feed

31. Third Quarter of 2007 Nmap Updates
Fri, Oct 12 2007

This blog entry describes some of the funny or otherwise interesting fingerprints that were submitted to the Nmap service probes database this quarter. Thanks to everyone who submitted!

This quarter was special because it was the first quarter using data collected by the new submitter web interface that I created during this Google Summer of Code. The results look good! The service names and device types are definitely more consistent because submitters can see the (very informal) Nmap naming conventions as they submit.

But this interface and my integration efforts are only a tiny, relatively insignificant part of the equation. The nmap-service-probes database has been built by the amazing Nmap community and they deserve all the credit! Thanks again to everyone who has ever submitted!


Another example of Nmap sploiting a service without even trying: :)

---------- NotesRPC ----------
"\[\0\0\0\0Access violation at address 005EAF58 in module 'Xplorer\.exe'\. Read of address 000000B0"

And although I usually try to avoid this, the service doesn't seem to respond to any other probes so it looks as though the default Nmap behaviour will be to crash this service:

match xplorer m|Access violation at address \w+ in module 'Xplorer\.exe'\. Read of address| p/SoftOne Business Xplorer/ o/Windows/

Some interesting responses from apt-proxy 1.9:

---------- GetRequest ----------
"HTTP/1\.0 403 too few slashes in URI /\r\n"

---------- FourOhFourRequest ----------
"HTTP/1\.0 403 Invalid character in filename at position 5\r\n"

---------- LPDString ----------
"HTTP/1\.0 414 Request-URI Too Long\r\n"

Because we match GWS, google's custom httpd, we may as well try match a few of the other big players. There were a few submissions for amazon's site. Here is how I confirmed it:

$ printf "GET / HTTP/1.0\r\n\r\n" | nc amazon.com 80|head -n4

And here is the output:

HTTP/1.1 200 OK
Date: Wed, 10 Oct 2007 21:13:46 GMT
Server: Server
Set-Cookie: skin=noskin; path=/; domain=.amazon.com; expires=Wed, 10-Oct-2007 21:13:46 GMT

And finally, the resulting match line:

match http m|^HTTP/1\.1 \d\d\d .*Server: Server\r\n.*domain=\.amazon\.com;|s p/Amazon httpd/

This Billion ADSL router suffers from an information leak similar to that of a Netgear router I described in a previous entry. The (here obscured) IP address of the user managing the router is displayed to anybody who connects:

---------- GetRequest ----------
"...Warning !</h2><p>Somebody \(10\.1\.2\.3\) is configuring the router now !..."

The gallery of funny or otherwise interesting submissions:

  • At least it's honest:

    ---------- GenericLines ----------
    "220 CompuMaster SRL, WT-6500 Ftp Server \(Version 1\.12\)\.\r\n500 The only thing you can do is to quit\.\r\n"
    
  • Unknown broadband router:

    ---------- SSLSessionReq ----------
    "\xff\xfd\x18\xff\xfb\x01\xff\xfb\x03\x1b\[2J\0\x1b\[10;25HHandshake error, socket is closed!"
    
  • Why POPFile returns 200 for a 404 is beyond me:

    ---------- FourOhFourRequest ----------
    "HTTP/1\.0 200 OK\r\n...\nAn error has occurred which has caused POPFile to return the error 404\.\n"
    
  • Not sure what Yoggie httpd doesn't like about GetRequest:

    match http m|^HTTP/1\.0 403 Request error by HAVP\r\n.*Yoggie - Unknown Request|s p/Yoggie httpd/
    
  • D-Link DCS-900 Webcam

    ---------- FourOhFourRequest ----------
    "HTTP/1\.0 501 Method Not Implemented\r\n\r\n501 Method Not Implemented"
    
  • Another good use of the 404 probe: Jetty always gives itself away on 404s but not necessarily on valid requests:

    match http m|^HTTP/1\.1 404 Not Found\r\n.*<a href=\"http://jetty\.mortbay\.org/\">Powered by Jetty://>/a<|s p/Jetty httpd/
    
  • Rogatkin's TJWS httpd:

    ---------- GetRequest ----------
    "HTTP/1\.0 400 No any servlet found for serving /\r\n
    
  • Funny service:

    match avauthsrvprtcl m|^BEEF\x83\0\0| p/Avocent AutoView 1000R KVM daemon/
    
  • This http is apparently "like Apache", whatever that means:

    match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Cpanel::Httpd like Apache\r\n.*\r\nWWW-Authenticate: Basic realm=\"cPanel WebDisk\"\r\n\r\n|s p/cPanel WebDisk httpd/ o/Linux/
    
  • Proprietary software, less reliable by design:

    match rtsp-proxy m|^RTSP/1\.0 403 Forbidden: Proxy not licensed\r\nSession: \w+\r\n\r\n| p/Blue Coat rtsp proxy/ i/Unlicensed/
    
λ
All material is (C) Doug Hoyte and/or hcsw.org unless otherwise noted or implied. All rights reserved.