HCSW Technical Blog

Doug Hoyte

35. Big Nmap Services Update
Mon, Jun 30 2008

Here's the CHANGELOG entry from Nmap 4.68:

o Doug integrated all of your version detection submissions and
  corrections for the year up to May 31.  There were more than 1,000
  new submissions and 18 corrections.  Please keep them coming!  And
  don't forget that corrections are very important, so do submit them
  if you ever catch Nmap making a version detection or OS detection
  mistake.  The version detection DB has grown to 5,054 signatures
  representing 486 service protocols.  Protocols span the gamut from
  abc, acap, access-remote-pc, activefax, and activemq, to zebedee,
  zebra, zenimaging, and zenworks.  The most popular protocols are
  http (1,672 signatures), telnet (519), ftp (459), smtp (344), and
  pop3 (201).

Thanks to everyone who contributed!

This one is interesting. Open up a shell and run "GET / HTTP/1.0" (without the quotes). On a box with libwww-perl installed, GET is lwp-request, and asking it for "/" prints an HTML directory listing of file:/ . That is exactly what comes back when Nmap's GetRequest probe lands on a port with a raw, unauthenticated shell bound to it, so the HTML below is the signature of the shell, not of a web server:

match backdoor m|^<HTML>\n<HEAD>\n<TITLE>Directory /</TITLE>\n<BASE HREF=\"file:/\">\n</HEAD>\n<BODY>\n<H1>Directory listing of /</H1>| p/No-auth shell/ i/**BACKDOOR**/ o/Unix/

It always surprises me that it is still common for Nmap to crash poorly written devices. Note to device developers: Please run Nmap on your device before releasing it--someone else out there will, guaranteed.

Telnet management port on Siemens C2-010-I ADSL2+ modem with firmware R100B01.0B_HN_20060406.
The -sV scan makes the device crash! :)

Belkin Network USB Hub F5L009ea
Device crashes during nmap -A run

Here are some interesting misconfigurations. Unknown imapd:

Port 993-TCP
---------- NULL ----------
"\* BYE Fatal error: tls_init\(\) failed\r\n"

Unknown smtpd:

---------- NULL ----------
"421 Cannot connect to SMTP server 127\.0\.0\.1 \(127\.0\.0\.1:25\), connect error 10061\r\n"


---------- NULL ----------
"python: can't open file '/usr/sbin/gandiagent\.py': \[Errno 2\] No such file or directory\n"

Really oops:

match ftp m|^.* klogd: klogd started: BusyBox v([\w-_.]+) \(.*\)\r\nDoing BRCTL \.\.\.\r\nsetfilter br0 0 \r\n/var/tmp/act_firewall: No such file or directory\r\n| p/Actiontec router ftpd/ i/firewall broken; BusyBox $1/ d/broadband router/

Backdoors can be misconfigured too:

match backdoor m=^exec .* failed : No such file or directory\n$= p/failed netcat -e/ i/**BACKDOOR**/

Fingerprinting by typos:

match http m|^HTTP/1\.0 302 Found\r\nLocation: /login\.app\r\nContent-Lenght: 0\r\n\r\n$| p/NetXMS httpd/

I think this one wins the prize for least compliant HTTP/1.1 server ever:

match http m|^HTTP/1\.1 200 OK\r\nCONTENT-LANGUAGE:\r\nCONTENT-LENGTH: 0\r\nCONTENT-TPYE: text/xml\r\nDATE: .*\n\r\n\r\n\(null\)| p/Syabas Popcorn Hour http config/ d/media device/

It's a friggin bindshell, detect it.

Arrrggghhh.. Nmap 4.11 is like 2+ years old, upgrade it.

I'm getting tired of pointing out this bit of information leakage. The telnet banner tells anyone who connects the login name and source IP address of whoever is currently on the switch:

match telnet m|^\r\nSorry, this system is engaged by a rlogin session\.\r\nHost IP address: ([\d.]+)\.\nLogin name: ([\w-_.]+)\.\n| p/3Com LANplex switch telnetd/ i/in use by $2 from $1/ d/switch/

And of course, the gallery of funny or otherwise noteworthy fingerprints:

  • Nortel Alteon 2216 layer 7 switch telnetd

    ---------- SMBProgNeg ----------
    "\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\r\n\r\nEnter password: \r\nError 4 upcall; goodbye\.\r\n"
  • Huh?

    match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfb\x1fError2 negotiated with client \d+ and get 1 char is a a d\. \n\r\n\r\*+\n\r\*\* +\*\*\n\r\*\* IP Phone firmware +V([\w-_.]+) | p/Thomson VoIP phone telnetd/ v/$1/ d/VoIP phone/
  • An unknown webserver that doesn't handle GET, HEAD, or POST? I don't believe that version either.

    ---------- GetRequest ----------
    "HTTP/1\.1 501 Method Not Implemented\r\nDate: Sun, 16 Mar 2008 21:50:24 GMT\r\nServer: Apache 2\.50\.21\r\nAllow: TRACE\r\n"
  • Unknown switch http config that gzip-encodes its content even to clients that send no Accept-Encoding header:

    ---------- GetRequest ----------
    "HTTP/1\.0 200 OK\r\nConnection: close\r\nContent-Encoding: gzip\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n\x1f\x8b\x08\0\0\0\0\0\x02\x03\xa5\x93"
  • Unknown httpd that uses a Java exception message as its HTTP status text:

    ---------- GetRequest ----------
    "HTTP/1\.0 400 String index out of range: -1\r\nContent-Type: text/html\r\n\r\n"
  • match realport m|^\xff\x17Access to unopened port.$|s p/Digi EtherLite 32 RealPort/ d/terminal server/
  • Hahahaha

    match http m|^HTTP/1\.1 200 OK\r\nServer: peerguardnf/([\w-_.]+) \(Unix\)\r\nX-Powered-By: You need to wind it\r\n| p/Phoenix Labs PeerGuardian httpd/ v/$1/ o/Unix/
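Every fingerprint quoted in this post, from the 3Com leak with its $1/$2 substitutions to the gallery entries above, is a nmap-service-probes match line: a service name, a PCRE regex between delimiters, optional i/s flags, and p/ v/ i/ o/ d/ fields that may reference capture groups. As an added example (my code, not Nmap's and not from the post), here is a small Python parser that applies such lines to a captured response and fills in the fields. The responses it is run against are constructed to resemble the quoted ones; the host IP, login name and the other response bytes are invented. It handles the general line grammar rather than just the lines shown, and it has to work around one PCRE-vs-Python difference that the page's own `[\w-_.]+` classes trip over.

```python
"""Parse and apply nmap-service-probes ``match`` lines (added example).

Not Nmap's code and not from the post.  Handles the subset of the
match-line grammar the fingerprints quoted above use:

    match <service> m<d>REGEX<d>[i][s] p/.../ v/.../ i/.../ o/.../ d/.../

plus $1..$9 back-references in those fields.  The responses it is run
against at the bottom are constructed to resemble the quoted ones.
"""
import re

FIELD_NAMES = {"p": "product", "v": "version", "i": "info",
               "o": "os", "d": "devicetype", "h": "hostname"}


def parse_match(line):
    """Split one match/softmatch line into service, regex, flags and fields."""
    head = re.match(r"(?:soft)?match\s+(\S+)\s+m(\S)", line)
    if not head:
        raise ValueError("not a match line: %r" % line)
    service, delim = head.group(1), head.group(2)
    start = head.end()
    end = line.index(delim, start)      # a regex never contains its own delimiter
    pattern, rest = line[start:end], line[end + 1:]
    flags = re.match(r"[is]*", rest).group(0)
    fields = {}
    # Each field is <key><delim>value<delim>; the value cannot contain its delimiter.
    for key, d, value in re.findall(r"\s([pviodh])(\S)(.*?)\2", rest[len(flags):]):
        fields[FIELD_NAMES[key]] = value
    return {"service": service, "pattern": pattern, "flags": flags, "fields": fields}


def compile_pcre(pattern, flags):
    """Compile an Nmap (PCRE) pattern with Python's re, as a bytes regex.

    Nmap matches raw bytes and PCRE's \\w is ASCII-only, hence bytes.  One
    PCRE idiom in these fingerprints does not survive the trip: inside a
    class PCRE reads [\\w-_.] as "word char, literal hyphen, underscore, dot",
    whereas Python rejects \\w-_ as a bad range, so the hyphen is escaped.
    """
    py = pattern.replace(r"\w-", r"\w\-").replace(r"\d-", r"\d\-")
    re_flags = (re.IGNORECASE if "i" in flags else 0) | (re.DOTALL if "s" in flags else 0)
    return re.compile(py.encode("latin-1"), re_flags)


def fingerprint(line, response):
    """Return the filled-in fields if ``response`` (bytes) matches, else None."""
    entry = parse_match(line)
    m = compile_pcre(entry["pattern"], entry["flags"]).search(response)
    if m is None:
        return None

    def expand(value):
        # $N becomes capture group N, as Nmap does; $P()/$SUBST()/$I() are not handled.
        return re.sub(r"\$(\d)",
                      lambda g: m.group(int(g.group(1))).decode("latin-1"), value)

    result = {"service": entry["service"]}
    result.update((name, expand(val)) for name, val in entry["fields"].items())
    return result


# Match lines quoted in the post, and constructed responses (host, login name
# and the rest of the bytes are invented) that mirror what they are built to catch.
LEAKY_3COM = (r"match telnet m|^\r\nSorry, this system is engaged by a rlogin session\.\r\n"
              r"Host IP address: ([\d.]+)\.\nLogin name: ([\w-_.]+)\.\n| "
              r"p/3Com LANplex switch telnetd/ i/in use by $2 from $1/ d/switch/")
RESP_3COM = (b"\r\nSorry, this system is engaged by a rlogin session.\r\n"
             b"Host IP address: 192.0.2.10.\nLogin name: admin.\n")

NETXMS = (r"match http m|^HTTP/1\.0 302 Found\r\nLocation: /login\.app\r\n"
          r"Content-Lenght: 0\r\n\r\n$| p/NetXMS httpd/")
RESP_TYPO = b"HTTP/1.0 302 Found\r\nLocation: /login.app\r\nContent-Lenght: 0\r\n\r\n"
RESP_SPELLED_RIGHT = b"HTTP/1.0 302 Found\r\nLocation: /login.app\r\nContent-Length: 0\r\n\r\n"

NC_BACKDOOR = (r"match backdoor m=^exec .* failed : No such file or directory\n$= "
               r"p/failed netcat -e/ i/**BACKDOOR**/")
RESP_NC = b"exec /bin/sh failed : No such file or directory\n"

DIGI = (r"match realport m|^\xff\x17Access to unopened port.$|s "
        r"p/Digi EtherLite 32 RealPort/ d/terminal server/")
RESP_DIGI = b"\xff\x17Access to unopened port\n"


if __name__ == "__main__":
    for line, resp in [(LEAKY_3COM, RESP_3COM), (NETXMS, RESP_TYPO),
                       (NETXMS, RESP_SPELLED_RIGHT), (NC_BACKDOOR, RESP_NC),
                       (DIGI, RESP_DIGI)]:
        print(fingerprint(line, resp))
```

The NetXMS pair is the point of "fingerprinting by typos": the misspelled Content-Lenght header matches and the correctly spelled one does not, so a vendor fixing the typo would silently break the signature. The Digi line exercises the trailing s flag, without which the final `.` cannot match the newline in the response.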
All material is (C) Doug Hoyte and/or hcsw.org unless otherwise noted or implied. All rights reserved.