mirror of https://github.com/nmap/nmap.git synced 2025-12-06 04:31:29 +00:00

a bunch of misc changes

fyodor
2005-04-23 02:47:29 +00:00
parent ed60793166
commit 4174bd9b1b
9 changed files with 372 additions and 101 deletions


@@ -1,5 +1,9 @@
# Nmap Changelog ($Id$)
o Fixed a crash problem related to non-portable varargs (vsnprintf)
usage. Reports of this crash came from Alan William Somers
(somers(a)its.caltech.edu) and Christophe (chris.branch(a)gmx.de).
o Fixed the way tcp connect scan (-sT) respons to ICMP network
unreachable responses (patch by Richard Moore
(rich(a)westpoint.ltd.uk).
@@ -10,6 +14,36 @@ o Update random host scan (-iR) to support the latest IANA-allocated
o Added some new RPC services to nmap-rpc thanks to a patch from
vlad902 (vlad902(a)gmail.com).
o Fixed Nmap compilation on Solaris x86 thanks to a patch from Simon
Burr (simes(a)bpfh.net).
o Changed from CVS to Subversion source control system (which
rocks!). Neither repository is public (I'm paranoid because both CVS
and SVN have had remotely exploitable security holes), so the main
change users will see is that "Id" tags in file headers use the SVN
format for version numbering and such.
o ultra_scan() now sets pseudo-random ACK values (rather than 0) for
any TCP scans in which the initial probe packet has the ACK flag set.
This would be the ACK, Xmas, Maimon, and Window scans.
o Added a bunch of RPC numbers from nmap-rpc maintainer Eilon Gishri
(eilon(a)aristo.tau.ac.il)
o Added a distcc probes and a bunch of smtp matches from Dirk Mueller
(mueller(a)kde.org) to nmap-service-probes. Also added AFS version
probe and matches from Lionel Cons (lionel.cons(a)cern.ch)
o Updated the Nmap version number, description, and similar fields
that MS Visual Studio places in the binary. This was done by editing
mswin32/nmap.rc as suggested by Chris Paget (chrisp@ngssoftware.com)
o Increased the buffer size allocated for fingerprints to prevent Nmap
from running out and quitting (error message: "Assertion
`servicefpalloc - servicefplen > 8' failed". Thanks to Mike Hatz
(mhatz(a)blackcat.com) for the report. [ Actually this was done in a
previous version, but I forgot which one ]
Nmap 3.81
o Nmap now ships with and installs (in the same directory as other

166
config.h

@@ -1,10 +1,113 @@
/* config.h. Generated automatically by configure. */
/* config.h. Generated by configure. */
/***************************************************************************
* config.h.in -- Autoconf uses this template, combined with the configure *
* script knowledge about system capabilities, to build the config.h *
* include file that lets nmap better understand system particulars. *
* *
***********************IMPORTANT NMAP LICENSE TERMS************************
* *
* The Nmap Security Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap *
* is also a registered trademark of Insecure.Com LLC. This program is *
* free software; you may redistribute and/or modify it under the *
* terms of the GNU General Public License as published by the Free *
* Software Foundation; Version 2. This guarantees your right to use, *
* modify, and redistribute this software under certain conditions. If *
* you wish to embed Nmap technology into proprietary software, we may be *
* willing to sell alternative licenses (contact sales@insecure.com). *
* Many security scanner vendors already license Nmap technology such as *
* our remote OS fingerprinting database and code, service/version *
* detection system, and port scanning code. *
* *
* Note that the GPL places important restrictions on "derived works", yet *
* it does not provide a detailed definition of that term. To avoid *
* misunderstandings, we consider an application to constitute a *
* "derivative work" for the purpose of this license if it does any of the *
* following: *
* o Integrates source code from Nmap *
* o Reads or includes Nmap copyrighted data files, such as *
* nmap-os-fingerprints or nmap-service-probes. *
* o Executes Nmap and parses the results (as opposed to typical shell or *
* execution-menu apps, which simply display raw Nmap output and so are *
* not derivative works.) *
* o Integrates/includes/aggregates Nmap into a proprietary executable *
* installer, such as those produced by InstallShield. *
* o Links to a library or executes a program that does any of the above *
* *
* The term "Nmap" should be taken to also include any portions or derived *
* works of Nmap. This list is not exclusive, but is just meant to *
* clarify our interpretation of derived works with some common examples. *
* These restrictions only apply when you actually redistribute Nmap. For *
* example, nothing stops you from writing and selling a proprietary *
* front-end to Nmap. Just distribute it by itself, and point people to *
* http://www.insecure.org/nmap/ to download Nmap. *
* *
* We don't consider these to be added restrictions on top of the GPL, but *
* just a clarification of how we interpret "derived works" as it applies *
* to our GPL-licensed Nmap product. This is similar to the way Linus *
* Torvalds has announced his interpretation of how "derived works" *
* applies to Linux kernel modules. Our interpretation refers only to *
* Nmap - we don't speak for any other GPL products. *
* *
* If you have any questions about the GPL licensing restrictions on using *
* Nmap in non-GPL works, we would be happy to help. As mentioned above, *
* we also offer alternative license to integrate Nmap into proprietary *
* applications and appliances. These contracts have been sold to many *
* security vendors, and generally include a perpetual license as well as *
* providing for priority support and updates as well as helping to fund *
* the continued development of Nmap technology. Please email *
* sales@insecure.com for further information. *
* *
* As a special exception to the GPL terms, Insecure.Com LLC grants *
* permission to link the code of this program with any version of the *
* OpenSSL library which is distributed under a license identical to that *
* listed in the included Copying.OpenSSL file, and distribute linked *
* combinations including the two. You must obey the GNU GPL in all *
* respects for all of the code used other than OpenSSL. If you modify *
* this file, you may extend this exception to your version of the file, *
* but you are not obligated to do so. *
* *
* If you received these files with a written license agreement or *
* contract stating terms other than the terms above, then that *
* alternative license agreement takes precedence over these comments. *
* *
* Source is provided to this software because we believe users have a *
* right to know exactly what a program is going to do before they run it. *
* This also allows you to audit the software for security holes (none *
* have been found so far). *
* *
* Source code also allows you to port Nmap to new platforms, fix bugs, *
* and add new features. You are highly encouraged to send your changes *
* to fyodor@insecure.org for possible incorporation into the main *
* distribution. By sending these changes to Fyodor or one the *
* Insecure.Org development mailing lists, it is assumed that you are *
* offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right *
* to reuse, modify, and relicense the code. Nmap will always be *
* available Open Source, but this is important because the inability to *
* relicense code has caused devastating problems for other Free Software *
* projects (such as KDE and NASM). We also occasionally relicense the *
* code to third parties as discussed above. If you wish to specify *
* special license conditions of your contributions, just say so when you *
* send them. *
* *
* This program is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
* General Public License for more details at *
* http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included *
* with Nmap. *
* *
***************************************************************************/
/* #undef PCAP_TIMEOUT_IGNORED */
/* $Id$ */
#ifndef CONFIG_H
#define CONFIG_H
#define PCAP_TIMEOUT_IGNORED 1
#define HAVE_STRUCT_IP 1
#define HAVE_USLEEP 1
/* #undef HAVE_USLEEP */
#define HAVE_NANOSLEEP 1
@@ -16,15 +119,19 @@
#define STDC_HEADERS 1
#define HAVE_UNISTD_H 1
#define HAVE_STRING_H 1
/* #undef HAVE_GETOPT_H */
#define HAVE_GETOPT_H 1
#define HAVE_STRINGS_H 1
#define HAVE_PWD_H 1
/* #undef HAVE_BSTRING_H */
#define WORDS_BIGENDIAN 1
/* #undef WORDS_BIGENDIAN */
#define HAVE_MEMORY_H 1
@@ -35,19 +142,21 @@
#define HAVE_SYS_PARAM_H 1
#define HAVE_SYS_SOCKIO_H 1
/* #undef HAVE_SYS_SOCKIO_H */
/* #undef HAVE_PCRE_H */
#define HAVE_PCRE_PCRE_H 1
#define BSD_NETWORKING 1
#define HAVE_SNPRINTF 1
#define HAVE_INET_ATON 1
#define HAVE_VSNPRINTF 1
/* #undef HAVE_STRCASESTR */
#define HAVE_STRCASESTR 1
/* #undef HAVE_GETOPT_LONG */
#define IN_ADDR_DEEPSTRUCT 1
/* #undef IN_ADDR_DEEPSTRUCT */
/* #undef HAVE_NETINET_IN_SYSTEM_H */
@@ -55,21 +164,42 @@
#define HAVE_NETINET_IF_ETHER_H 1
#define HAVE_OPENSSL 1
/* #undef STUPID_SOLARIS_CHECKSUM_BUG */
/* #undef SPRINTF_RETURNS_STRING */
/* #undef LINUX */
#define TIME_WITH_SYS_TIME 1
#define HAVE_SYS_TIME_H 1
#define recvfrom6_t socklen_t
/* #undef NEED_USLEEP_PROTO */
/* #undef NEED_GETHOSTNAME_PROTO */
#ifdef NEED_USLEEP_PROTO
#ifdef __cplusplus
extern "C" int usleep (unsigned int);
#endif
#endif
#ifdef NEED_GETHOSTNAME_PROTO
#ifdef __cplusplus
extern "C" int gethostname (char *, unsigned int);
#endif
#endif
/* #undef DEC */
#define LINUX 1
/* #undef FREEBSD */
/* #undef OPENBSD */
#define SOLARIS 1
/* #undef SOLARIS */
/* #undef SUNOS */
/* #undef BSDI */
/* #undef IRIX */
/* #undef HPUX */
/* #undef NETBSD */
/* #undef MACOSX */
#endif /* CONFIG_H */


@@ -16034,8 +16034,10 @@ PU(DF=Y%TOS=0%IPLEN=138%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
# Sun Solaris 9 Beta through Release on SPARC
# solaris 9 i386
# Solaris 9 4/04 version (SPARC)
Fingerprint Sun Solaris 9
# Solaris 10
Fingerprint Sun Solaris 9 or 10
Class Sun | Solaris | 9 | general purpose
Class Sun | Solaris | 10 | general purpose
TSeq(Class=RI%gcd=<6%SI=<A927C&>116A%IPID=I%TS=100HZ)
T1(DF=Y%W=5B4|C0B7|807A%ACK=S++%Flags=AS%Ops=NNTMNW)
T2(Resp=N)


@@ -65,7 +65,7 @@ sprayd 100012 spray
rje_mapper 100014 # Remote job entry mapping service.
selection_svc 100015 selnsvc
database_svc 100016 dbsessionmgr unify netdbms dbms
rexd 100017 rex
rexd 100017 rex remote_exec
alis 100018 alice office_auto
sched 100019
llockmgr 100020
@@ -138,13 +138,13 @@ amiserv 100146 # AMI Daemon
amiaux 100147 # AMI Daemon
ocfserv 100150 # OCF (Smart card) Daemon
sunvts 100153
smserverd 100155 rpc.smserverd
smserverd 100155 rpc.smserverd # support removable media devices
kcms_server 100221 # SunKCMS Profile Server
nfs_acl 100227
#
# rpc.metad - SUNWmd - Sun Solstice DiskSuite
#
metad 100229 metad rpc.metad
metad 100229 metad rpc.metad # METAD - SLVM metadb Daemon
metamhd 100230 metamhd rpc.metamhd
#
nfsauth 100231
@@ -162,13 +162,15 @@ nis_cache 100301
nis_callback 100302
nispasswd 100303 rpc.nispasswdd
fnsypd 100304 # Federated Naming Service (FNS)
# MDMN_COMMD
mdcommd 100422 # SVM Multi Node Communication Daemon
stfsloader 100424 # Standard Type Services Framework (STSF) Font Server
rpc.pts 105004 Protoserver # Advanced Printing Software
swu_svr 120100 # Software Usage Monitoring daemon
nf_snmd 120126 # SunNet Manager
nf_snmd 120127
pcnfsd 150001 pcnfs
mapsvc 351455
#
# Pyramid
#
@@ -202,6 +204,9 @@ Magfetch 200050 magfetch
Optfetch 200051 optfetch
Securitysrv 200052 securitysrv
#
bundle 200100 # Delay Tolerant Networking - DTN agent
bundle_demux 200200 # Delay Tolerant Networking - DTN agent
#
# EcoTools daemons/programs
#
ecodisc 200201
@@ -210,8 +215,10 @@ eamon 200203
ecoad 200205
#
# VERSANT
# Operator Communications Software (OCS)
#
rpc.dbserv 211637 dbserv rpc.dbserv_dir
rpc.taped 217843 taped rpc.taped_dir
rpc.taped 217854 taped rpc.taped_dir
#
ADTFileLock 300001 # ADT file locking service.
@@ -224,6 +231,9 @@ fmeditor 300007 # FrameMaker Editor
fmserver 300009 stdfm FrameServer # FrameMaker Server
#
amd 300019 amq
#
Steering 300021 # Steering Library
#
rpc.ldmd 300029 ldm # Unidata LDM
#
# DMFE/DAWS (Defense Automated Warning System)
@@ -231,6 +241,8 @@ rpc.ldmd 300029 ldm # Unidata LDM
UpdtAuditsS 300030
Dbpass 300091 dbpass
#
clms 300145 # CenterLine CodeCenter
#
# FrameMaker
fm_flb 300214 # FrameMaker
fm_fls 300215 # FrameMaker licnese server
@@ -256,7 +268,10 @@ mcserv 300516
cluinfod 300527 # cluster information server (Digital UNIX)
dmispd 300598 # Sun Solstice Enterprise DMI Service Provider
prpasswd 300632
ks 300664 # ACPLT/KS protocol
sfs 344444 # SFS - Self-Certifying File System
mapsvc 351455
berkeleydb 351457 # Sleepycat Software: Berkeley DB
prestoctl_svc 390100 presto # Prestoserve control daemon
#
# Computer Associates
@@ -287,7 +302,7 @@ nsrnotd 390400 # NetWorker notary service
# Remedy AR System daemons
#
arserverd 390600 arserverd
ntserverd 390601 ntserverd
ntserverd 390601 ntserverd # Remedy Notifier and AR Server 5.0
ntclientd 390602 ntclientd
aresclsrv 390603 aresclsrv
arservtcd 390604 arservtcd
@@ -412,9 +427,13 @@ asedirector 395175 asedirector # ASE Director Daemon
aseagent 395176 aseagent # ASE Agent Daemon
asehsm 395177 asehsm # Host Status Monitor Daemon
aselogger 395179 aselogger # Logger Daemon
#
pnictl 395250
# BMC
EnsignAgent 450000 # Ensign Agent
#
drac 900101 # Dynamic Relay Authorization Control
#
AdoIfServer 1000002 # RHIC AdoIf Server (Accelerator Device Object)
notifServer 2000004 # RHIC notifServer
#
@@ -567,6 +586,13 @@ ndbserver98 536871042
ndbserver99 536871043
ndbserver100 536871044
#
gnbk 536871680 # ACEDB genome database package
#
# Katie - Revision Control System
#
katie_mount 537208899
katie_nfs 537208900 katie
#
fcagent 541414217 # SGI FibreVault Status/Configuration daemon
#
pnmd 591751041 # SunCluster - Public Network Management (PNM)
@@ -583,18 +609,39 @@ inetray 555555558
inetray 555555559
inetray 555555560
#
drac 900101 # Dynamic Relay Authorization Control
# Keck Long Wavelength Spectrometer (LWS) related rpc daemons
#
collectd 600000001 collect # IRE Computer
xycomd 600000002 xycom # IRE Computer
motord 600000003 motor # IRE Computer
fitsd 600000004 fits writer # Control Room computer
#
des_crypt 600100029 freebsd-crypt # FreeBSD
fypxfrd 600100069 freebsd-ypxfrd # FreeBSD
rdbx 611319808
bminrd 630474513 # MacroModel - BatchMin Network Server
bwnfsd 788585389 # (PC)NFS server by Beame & Whiteside, Inc.
dmispd 805306368 # Sun Solstice Enterprise DMI Service Provider
sql_disp 805310465 # GNU SQL Server
rdict 805898569 # "Internetworking with TCP/IP Vol 3"
piktc_svc 806422610 # PIKT: Problem Informant/Killer Tool
822084608 # OLD - Inter-Language Unification (ILU)
#
# LIGO Global Diagnostics System (GDS) - Diagnostics Test Tool (DTT)
#
testpoint 822087681 # Test point server
awg 822087682 # Arbitrary waveform generator
cgdsrtdd 822087683 # Real-time data server
gdsd 822087684 # Diagnostics message server
chnconfd 822087685 # Channel database daemon for gds
leapconfd 822087686 # Leap second information daemon
# LIGO Global Diagnostics System (GDS) - Diagnostics Test Tool (DTT)
rlaunchd 822087687 # Remote program launcher
#
cfsd 824395111
cns 912680550 # Controls Name Server
fmproduct 1073741824 _Frame_RPC # FrameMaker
gsql_trn 1073741840 # GNU SQL Server
cfsd 1092830567
rdb 1145324612 # Wind River Systems' VxWorks debug stub
#


@@ -33,9 +33,10 @@
# This is the NULL probe that just compares any banners given to us
##############################NEXT PROBE##############################
Probe TCP NULL q||
# Wait for at least 5 seconds for data. Otherwise an Nmap default is used.
totalwaitms 5000
# Wait for at least 6 seconds for data. It used to be 5, but some
# smtp services have lately been instituting an artificial pause (see
# FEATURE('greet_pause') in Sendmail, for example)
totalwaitms 6000
match acap m|^\* ACAP \(IMPLEMENTATION \"CommuniGate Pro ACAP (\d[-.\w]+)\"\) | v/CommuniGate Pro ACAP server//for mail client preference sharing/
match aim m|^\*\x01..\0\x04\0\0\0\x01$|s v/Pyboticide AIM chat filter///
# AMANDA index server 2.4.2p2 on Linux 2.4
@@ -128,6 +129,9 @@ match ftp m|^220 .* \(glftpd (\d[-.0-9a-zA-Z]+)_(\w+)(\+TLS)?\) ready\.\r\n| v/g
match ftp m|^220 [-.\w]+ FTP server \(FirstClass v(\d[-.\w]+)\) ready\.\r\n| v/FirstClass FTP server/$1//
match ftp m|^220 [-.\w]+ FTP server \(Compaq Tru64 UNIX Version (\d[-.\w]+)\) ready\.\r\n| v/Compaq Tru64 ftp server/$1//
match ftp m|^220 AXIS ([-.\w]+) FTP Network Print Server V(\d[-.\w]+) [A-Z][a-z]| v/Axis network print server ftpd/$2/Model $1/
match ftp m|^220 AXIS ([\d\w]+)V(\d\S+) (.*?) ready\.\n| v/AXIS $1 Webcam/$2/$3/
match ftp m|^220 Axis (\d+) Network Camera (\d\S+) (.*?) ready\.\n| v/Axis $1 Webcam/$2/$3/
match ftp m|^220 AXIS (\d+) Video Server (\d\S+) (.*?) ready\.| v/AXIS $1 Video Server/$2/$3/
match ftp m|^220-Cerberus FTP Server Personal Edition\r\n220-UNREGISTERED\r\n| v/Cerberus FTP Server//Personal Edition; Unregistered/
match ftp m|^220-GuildFTPd FTP Server \(c\) 2001\r\n220-Version (\d[-.\w]+)\r\n220 Please enter your name:\r\n| v/GuildFTPd/$1//
match ftp m|^220 FTP print service:V-(\d[-.\w]+)/Use the network password for the ID if updating\.\r\n| v/Brother printer ftpd/$1//
@@ -214,6 +218,7 @@ match ftp-proxy m/^220-Sidewinder ftp proxy\. You must login to the proxy first
match ftp-proxy m/^220-\r\x0a220-Sidewinder ftp proxy/s v/Sidewinder FTP proxy///
# TODO kerio?
#match ftp m|^421 Service not available \(The FTP server is not responding\.\)\n$| v/unknown FTP server//service not responding/
match vdr m|220 \S+ SVDRP VideoDiskRecorder (\d[^\;]+);| v/VDR/$1//
softmatch ftp m/^220 [-.\w ]+ftp.*\r\n$/i
softmatch ftp m/^220-[-.\w ]+ftp.*\r\n220/i
@@ -253,20 +258,8 @@ match imap m|^\* OK [-.\w]+ NetMail IMAP4 Agent server ready <.*>\r\n| v/Novell
match imap m|^\* OK [-.\w]+ IMAP4rev1 MDaemon (\d[-.\w]+) ready\r\n| v/Alt-N MDaemon imapd/$1//
# Dovecot IMAP Server - http://dovecot.procontrol.fi/
match imap m|^\* OK dovecot ready\.\r\n| v/Dovecot imapd///
# courier-0.36.1
match imap m|^\* OK Courier-IMAP ready\. Copyright 1998-2001 Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier Imap/0.36 - 1.4//
# Courier-Imap 1.4.3-2.3
match imap m|^\* OK Courier-IMAP ready\. Copyright 1998-2002 Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier Imap/1.4 - 2.3//
# Courier Imap 1.7.0 on Linux
# Courier IMAP server 1.6.2 on Linux
match imap m|\* OK Courier-IMAP ready\. Copyright 1998-2003 Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier Imap/1.6.X - 1.7.X//
# Courier IMAP courier-imapd-0.42.0-1.7.3
# Courier IMAP 1.7.2
match imap m|^\* OK \[CAPABILITY IMAP4rev1 .*Courier-IMAP ready\. Copyright 1998-2003 Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier IMAP4rev1/1.7.X//
# courier-imap 2.0.0.20030809
match imap m|^\* OK \[CAPABILITY IMAP4rev1\].*Courier-IMAP ready\. Copyright 1998-2003 Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier IMAP4rev1/2.0.X//
# Courier IMAP 1.7.2
match imap m|\* OK \[CAPABILITY IMAP4rev1 CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA\] Courier-IMAP ready. Copyright 1998-2003 Double Precision, Inc. See COPYING for distribution information.\r\n$| v/Courier IMAP4rev1/1.7.2//
match imap m|^\* OK.*?Courier-IMAP ready\. Copyright 1998-(\d+) Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier Imapd//released $1/
match imap m|^\* OK \[CAPABILITY IMAP4rev1 .*?Courier-IMAP ready\. Copyright 1998-(\d+) Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier IMAP4rev1 Imapd//released $1/
match imap m|^\* OK CommuniGate Pro IMAP Server ([-.\w]+) at [-.\w]+ ready\r\n$| v/CommuniGate Pro imapd/$1//
# W-Imapd-SSL v2001adebian-6
match imap m|^\* OK \[CAPABILITY IMAP4REV1 X-NETSCAPE LOGIN-REFERRALS STARTTLS AUTH=LOGIN\] \S+ IMAP4rev1 ([-.\w]+) at| v/UW-Imapd-SSL/$1//
@@ -296,6 +289,8 @@ match irc m|^ERROR :Trying to reconnect too fast\.\r\n| v/Hybrid ircd///
match irc m|^NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\nNOTICE AUTH :\*\*\* Checking Ident\r\nNOTICE AUTH :\*\*\* Found your hostname\r\nNOTICE AUTH :\*\*\* Got Ident response\r\n| v/Hybrid ircd///
# dircproxy 1.0.3 on Linux 2.4.x
match irc-proxy m|^:dircproxy NOTICE AUTH :Looking up your hostname\.\.\.\r\n:dircproxy NOTICE AUTH :Got your hostname\.\r\n| v/dircproxy///
# dirkproxy (modificated dircproxy)
match irc-proxy m|^:dirkproxy NOTICE AUTH :Looking up your hostname\.\.\.\r\n:dirkproxy NOTICE AUTH :Got your hostname\.\r\n| v/dirkproxy///
# Unreal IRCD Server version 3.2 beta 17
match irc m|^:[-.\w]+ NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\n| v/Unreal ircd///
# dancer-ircd 1.0.31+maint8-1
@@ -346,10 +341,7 @@ match mysql m/^.\0\0\0\n(3\.[-.\w]+)\0...\0/s v/MySQL/$1//
# r(NULL,2B,"'\0\0\0\n4.0.13\0\xdf\xbc\x02\0SC7)fHu5\0, \x08\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0")
match mysql m/^.\0\0\0\n(4\.[-.\w]+)\0...\0/s v/MySQL/$1//
# Hmmm ... http://seclists.org/lists/incidents/2002/Mar/0047.html
# So "ncacn_http" may be used by multiple services. I'll take this
# one out for now.
# match ncacn_http m|^ncacn_http/([\d.]+)$| v/ncacn_http/$1//
match ncacn_http m|^ncacn_http/([\d.]+)$| v/ncacn_http/$1//
# NCD Thinstar 300 running NCD Software 2.31 build 6
match ncd-diag m|^WinCE/WBT Diagnostic port\n\rSerial Number: (\w+) MAC Address: 0000(\w+)\s+.*CPU info: ([ -.+\w/ ]+)\r\n.*(Windows CE Kernel[-.+:\w ]+)\r|s v|NCD Thinster Terminal Diagnostic port||Serial# $1; MAC: $2; CPU: $3; $4|
@@ -360,6 +352,7 @@ match netstat m|^Active Internet connections \(servers and established\)\nProto
match netstat m|^netstat: invalid option -- f\nusage: netstat \[-veenNcCF\]| v/Linux netstat//broken/
match nntp m|^nnrpd: invalid option -- S\nUsage error\.\n| v/INN NNTPd//broken/
match nntp m|^502 You have no permission to talk\. Goodbye.\r\n$| v/INN NNTPd//unauthorized/
match nntp m|^200 [-.\w]+ NNTP Service Ready - ([-.\w]+@[-.\w]+) \(DIABLO (\d[-.\w ]+)\)\r\n| v/Diablo NNTP service/$2/Admin: $1/
match nntp m|^200 NNTP Service (\d[-.\w ]+) Version: (\d[-.\w ]+) Posting Allowed \r\n| v/Microsoft NNTP Service/$2/posting ok/
match nntp m|^200 [-.\w]+ DNEWS Version (\d[-.\w]+).*posting OK \r\n| v/Netwinsite DNEWS/$1/posting OK/
@@ -516,6 +509,9 @@ match sftp m|^\+Shiva SFTP Service\0$| v/Shiva LanRover SFTP service///
# HP-UX B.11.00 A 9000/785
match shell m|^\x01remshd: getservbyname\n$| v/HP-UX Remshd///
# good SMTP banner regexps can be found here:
# http://www.tty1.net/smtp-survey/measurement_en.html
match smtp m|^220 [-/.+\w]+ SMTP AnalogX Proxy (\d[-.\w]+) \(Release\) ready\r\n| v/AnalogX SMTP proxy/$1//
match smtp m|^220 [-/.+\w]+ MailGate ready for ESMTP on | v/MailGate smtpd//Windows/
@@ -527,9 +523,11 @@ match smtp m|^220 [-.+\w]+ ESMTP NetIQ MailMarshal \(v(\d[-.\w]+)\) Ready\r\n| v
# Dots in Revision to prevent MY CVS from screwing it up
match smtp m|^220 [-.+\w]+ Novonyx SMTP ready \$Re..sion: ([\d.]+) \$\r\n| v|Novonyx Novell NetMail smtpd||Revision $1|
match smtp m|^554-[-.+\w]+\.us\r\n554 Access denied\r\n$| v/IronPort appliance mail rejector///
match smtp m|^220 eSafe@[-.+\w]+ Service ready\r\n| v/eSafe anti-virus mail gatewal///
match smtp m|^220 [-.+\w]+ ESMTP Merak (\d[-.\w]+);| v/Merak Mail Server smtpd/$1/Windows/
match smtp m|^220 MERCUR SMTP-Server \(v([^)]+)\) for ([-.\w ]+) ready at | v/LAN-ACES MERCUR smtp server/$1/$2/
match smtp m|^220 eSafe@[-.+\w]+ Service ready\r\n| v/eSafe mail gateway///
match smtp m|^220 .*?eSafe E?SMTP Service (\d\S+) ready| v/eSafe mail gateway/$1//
match smtp m|^220 .*?eSafe E?SMTP Service ready| v/eSafe mail gateway///
match smtp m|^220 \S+ ESMTP Merak (\d[^;]+);| v/Merak Mail Server smtpd/$1/Windows/
match smtp m|^220.*?MERCUR SMTP[\s-]Server \(v([^)]+)\) for ([-.\w ]+) ready at | v/LAN-ACES MERCUR smtp server/$1/$2/
match smtp m|^220 [-.+\w]+ MasqMail (\d[-.\w]+) ESMTP\r\n| v/MasqMail smtpd/$1//
# Cisco NetWorks ESMTP server IOS (tm) 5300 Software (C5300-IS-M) on Cisco 5300 Access Server
match smtp m|^220 [-.+\w]+ Cisco NetWorks ESMTP server\r\n| v/Cisco IOS NetWorks smtp server///
@@ -559,11 +557,11 @@ match smtp m/^220 X1 NT-ESMTP Server [-.+\w]+ \(IMail ([^)]+)\)\r\n/ v/IMail NT-
match smtp m/^220-[-.+\w]+ Microsoft SMTP MAIL ready at.*Version: ([-\w.]+)\r\n/ v/Microsoft SMTP/$1//
match smtp m/^220 [-.+\w]+ Microsoft ESMTP MAIL Service, Version: ([-\w.]+) ready/ v/Microsoft ESMTP/$1//
match smtp m/^220 [-.+\w]+ ESMTP Server \(Microsoft Exchange Internet Mail Service ([-\w.]+)\) ready/ v/Microsoft Exchange/$1//
match smtp m/^220 [-.+\w]+ ESMTP Sendmail (\d[^;]+);/ v/Sendmail/$1//
match smtp m|^220 [-.+\w]+ SMTP Sendmail ([-/.+\w]+)\r\n| v/Sendmail/$1//
match smtp m|^220 [-.+\w]+ Sendmail (SMI-\S+) ready at .*\r\n$| v/Sendmail/$1//
match smtp m/^220[- ][^\r\n]+ ESMTP Exim (\d\S+)/ v/Exim smtpd/$1//
match smtp m/Failed to open configuration file.*exim/ v/Exim smtpd///
match smtp m|^220[\s-]\S+ E?SMTP Sendmail (\d[^; ]+)| v/Sendmail/$1//
match smtp m|^220[\s-]\S+ Sendmail (SMI-\S+) ready at .*\r\n$| v/Sendmail/$1//
match smtp m/^220[- ][^\r\n]+ ESMTP Exim (V?\d\S+)/ v/Exim smtpd/$1//
match smtp m|^220 \S+ \S+ ESMTP receiver fssmtpd(\d+) ready| v/fssmtpd/$1//
match smtp m/Failed to open configuration file.*exim/ v/Exim smtpd//broken/
match smtp m/^220 CheckPoint FireWall-1 secure ESMTP server\r\n$/ v/Checkpoint FireWall-1 smtpd///
match smtp m/^220 CheckPoint FireWall-1 secure SMTP server\r\n$/ v/Checkpoint FireWall-1 smtpd///
match smtp m|^220 [-.+\w]+ running IBM AS/400 SMTP V([\w]+)| v|IBM AS/400 smtpd|$1||
@@ -577,13 +575,14 @@ match smtp m|^220-InterScan Version (\S+) .*Ready\r\n220 [-.+\w]+ NTMail \(v([-.
match smtp m|^220 [-.\w]+ InterScan VirusWall NT ESMTP (\d[-.\w]+) \(build (\d+)\) ready at | v/Trend Micro InterScan VirusWall SMTP/$1 build $2//
match smtp m|^220 [-.+\w]+ GroupWise Internet Agent (\S+) .*Novell, Inc\..*Ready\r\n| v/Novell GroupWise/$1//
match smtp m|^220 Matrix SMTP Mail Server v([\w.]+) on <MATRIX_([\w]+)> Simple Mail Transfer Service Ready\r\n| v/Matrix SMTP Mail Server/$1/on Matrix $2/
match smtp m|^220 Net_sec WebShield SMTP V(\S+) Network Associates, Inc\. Ready at| v/Network Associates WebShield/$1//
match smtp m|^220 \S+ WebShield SMTP V(\d\S.*?) Network Associates, Inc\. Ready at| v/Network Associates WebShield/$1//
match smtp m|^220 \S+ WebShielde250/SMTP Ready.| v/WebShielde250 smtpd///
match smtp m|^220 [-.+\w]+ ESMTP MailMasher ready to boogie\r\n| v/MailMasher smtpd///
# 220 example.com ESMTP Postfix (2.0.13) (Mandrake Linux)
match smtp m|^220 [-.\w]+ ESMTP Postfix \(([-.\w]+)\) \(([-.\w ]+)\)| v/Postfix smtpd/$1/$2/
# postfix 1.1.11-0.woody2
match smtp m|^220 [-.\w]+ ESMTP Postfix| v/Postfix smtpd///
match smtp m|^220 \*{10,40}\r\n| v|Cisco PIX sanatized smtpd|||
match smtp m|^220[\s-]\S+ ESMTP Postfix| v/Postfix smtpd///
match smtp m|^220 [\*\d\ ]{10,300}\r\n| v|Cisco PIX sanatized smtpd|||
match smtp m|^220 ArGoSoft Mail Server Pro for WinNT/2000/XP, Version [-.\w]+ \(([-.\w]+)\)\r\n| v/ArGoSoft Mail Server Pro/$1//
match smtp m|^220 [-.\w]+ ESMTP server \(Post.Office v([-.\w]+) release ([-.\w]+) ID# | v/Post.Office/$1 release $2//
match smtp m|^220 [-.\w]+ ESMTP VisNetic.MailServer.v([-.\w]+); | v/VisNetic MailServer/$1//
@@ -596,13 +595,38 @@ match smtp m|^relaylock: Error: PRODUCT_ROOT_D not defined\nrelaylock: Error: PR
match smtp m|^220 [-.\w]+ WebSTAR Mail Simple Mail Transfer Service Ready\r\n| v/WebSTAR SMTP server///
match smtp m|^220 [-.\w]+ Lotus SMTP MTA Service Ready\r\n$| v/Lotus Notes SMTP///
match smtp m|^220 [-.\w]+ SMTP NAVGW (\d[-.\w]+);| v/Norton Antivirus Gateway NAVGW/$1//
match smtp m|^220 ([-.\w]+) Kerio MailServer (\d[-.\w]+) ESMTP ready\r\n$| v/Kerio MailServer/$1/$2/
match smtp m|^220 YSmtp \S+ ESMTP service ready| v/Yahoo! MTA///
match smtp m|^220 \S+ GMX Mailservices ESMTP| v/GMX MTA///
match smtp m|214 2\.0\.0 http://www\.google\.com/search.*RFC\+2821\s*\r?\n| v/Google SMTP///
match smtp m|^220 \S+ ESMTP MailMax (\d[-.\w\d]+)| v/MailMax/$1//
match smtp m|^220 Welcome to the INDY SMTP Server\r\n$| v/INDY smtpd///
softmatch smtp m|^220 [-.\w ]+SMTP.*\r\n|
match smtp m|^220 [-.\w]+ Kerio MailServer (\d[-.\w]+) ESMTP ready\r\n$| v/Kerio MailServer/$1//
match smtp m|^220 YSmtp \S+ ESMTP service ready| v/Yahoo! smtpd///
match smtp m|^220 Compuserve Office Mail Service \(lnxc-(\d+)\) ESMTP| v/Compuserve smtpd/$1//
match smtp m|^220 \S+ GMX Mailservices ESMTP| v/GMX smtpd///
match smtp m|^220 \S+ ESMTP MailMax (\d[-.\w\d]+)| v/MailMax smtpd/$1//
match smtp m|^220 \S+ ESMTP WEB.DE V([^\s\;]+)| v/Web.de smtpd/$1//
match smtp m|^220 Welcome to Nemesis ESMTP server on \S+| v/Nemesis smtpd///
match smtp m|^220 Welcome to the INDY SMTP Server\r\n$| v/INDY smtpd///
match smtp m|^220 Postini E?SMTP (\d+) [\w\d_\+-]+ ready| v/Postini smtpd/$1//
match smtp m|^220 [\w\d-]+\.hotmail\.com Sending unsolicited commercial| v/Hotmail smtpd///
match smtp m|^220[-\s]\S+ \(IntraStore TurboSendmail\) E?SMTP Service ready| v/TurboSendmail smtpd///
match smtp m|^220[-\s]\S+ E?SMTP Mirapoint (\d[^\;]+);| v/Mirapoint smtpd/$1//
match smtp m|^220[-\s]\S+ Trend Micro InterScan Messaging Security Suite, Version: (\d\S+) ready| v/Trend Micro InterScan smtpd/$1//
match smtp m|^220[-\s]\S+.*?Server ESMTP \(iPlanet Messaging Server (\d[^\(\)]+)| v/Sun iPlanet smtdp/$1//
match smtp m|^220[-\s]\S+ running Eudora Internet Mail Server X (\d\S+)| v/Eudora smtpd/$1//
match smtp m|^220 \S+ - Maillennium E?SMTP| v/Maillennium smtpd///
match smtp m|^220 \S+.*?SMTP \(Sun Internet Mail Server sims.(\d[^\)]+)\)| v/Sun sims smtpd/$1//
match smtp m|^220 \S+ ESMTP qpsmtpd (\d\S+) ready;| v/qpsmtpd/$1//
match smtp m|^220 \S+ ESMTP XWall v(\d\S+)| v/XWall smtpd/$1//
match smtp m|^220 \S+ ESMTP Service \(Worldmail (\d[^\)]+)\) ready| v/Worldmail smtpd/$1//
match smtp m|^220 \S+ eMail Sentinel (\d+) ESMTP Service ready| v/eMail Sentinel smtpd/$1//
match smtp m|^220 \S+ ESMTP mxl_mta-(\d[^\;]+);| v/mxl smtpd/$1//
match smtp m|^220 \S+ -- Server ESMTP \(SUN JES MTA 6\.x\)| v/SUN JES smtpd/6.x//
match smtp m|^220 \S+ Service ready by DvISE PostMan \((\d+)\) ESMTP Server| v/DvISE PostMan smtpd/$1//
match smtp m|^220 \S+ F-Secure Anti-Virus for Internet Mail ready| v/F-Secure AV SMTP Proxy///
match smtp m|^220 \S+ Welcome to SpamFilter for ISP SMTP Server v(\d\S+)| v/LogSat SMTP Proxy/$1//
match smtp m|^220-TrendMicro IMSS SMTP proxy\r\n| v/TrendMicro SMTP Proxy///
match smtp m|^220 \S+ ESMTP server \(InterMail v(\S+)| v/InterMail smtpd/$1//
match smtp m|^220 \S+ -- Server ESMTP \(Sun Java System Messaging Server (\d[^\(\)]+)| v/SUN JSMS smtpd/$1//
match smtp m|^220 jMailer SMTP Server\r\n$| v/jMailer smtpd///
softmatch smtp m|^220[\s-].*?E?SMTP[^\r]*\r\n|
match snpp m|^220 [-.\w]+ SNPP server \(HylaFAX \(tm\) Version ([-.\w]+)\) ready.\r\n| v/HylaFAX SNPP/$1//
match snpp m|^220 QuickPage v(\d[-.\w]+) SNPP server ready at | v/QuickPage SNPP/$1//
@@ -737,7 +761,7 @@ match telnet m/^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f.*User Access Ve
# Cisco Pix 501 PIX IOS 6.3(1) telnet
match telnet m/^\xff\xfb\x03\xff\xfb\x01\xff\xfb\x03\xff\xfb\x01.*\r\nUser Access Verification\r\n\r\nPassword: /s v/Cisco telnetd//IOS 6.X/
# Cisco Catalyst 6509 - WS-C6509 Software, Version NmpSW: 5.5(1)
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\r\n\r\nCisco Systems Console\r\n\r\n\r\n\r\n\r\nEnter password: | v/Cisco Catalyst switch telnetd///
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\r\n\r\nCisco Systems Console\r\n| v/Cisco Catalyst switch telnetd///
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f\r\n\r\nPassword required, but none set\r\n| v/Cisco router telnetd//password required but not set/
match telnet m|^Access not permitted\. Closing connection\.\.\.\n$|s v/Cisco catalyst switch telnetd//access denied/
match telnet m|^\xff\xfd\x18$| v/Cisco microswitch telnetd///
@@ -765,6 +789,13 @@ match telnet m|^\xff\xfd\x18\xff\xfb\x01\xff\xfe\x01Remote Management Console\r\
# Note that openwall telnetd is derived from OpenBSD telnetd
match telnet m|^\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'\xff\xfd\$$| v|Openwall GNU/*/Linux telnetd|||
match telnet m|^\xff\xfc\x01\r\nHP JetDirect\r\n\r\nPlease type \"\?\" for HELP, or \"/\" for current settings\r\n> $| v/HP Jet Direct printer telnetd///
match telnet m|^\xff\xfb\x01\xff\xfb\x03\r\nAXIS (\S+) TELNET| v/AXIS Webcam/$1//
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f\r\n\r\nTelebit\'s NetBlazer Version (\S+)\r\n| v/Telebit NetBlazer/$1//
match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x03.*?FORE\x20Systems,\x20FORE\x20ES-2810.*?Version (\d[\d\.-]+)| v/FORE Systems ES-2810/$1//
match telnet m|^\xff\xfb\x03\xff\xfb\x01.*ForeRunner ES-3810.*Enter Username: | v/FORE Systems ES-3810///
match telnet m|^\xff\xfb\x01\r\nCopyright \(C\) 1999 by Extreme Networks\r\r\n| v/Extreme Networks telnetd///
match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03.*?ES-1000\x20Fast\x20Ethernet\x20Switch\x20Console| v/Marconi ES-1000///
match telnet m|^\xff\xfb\x01login:\x20$| v/telnet//generic/
# tinc 1.0.2-2 on Linux
match tinc m|^0 \w+ 17\n| v/tinc vpn daemon///
@@ -807,6 +838,10 @@ match bpcd m|^gethostbyaddr: [\w ]+\n$| v/Veritas Netbackup//refused/
# PostCast SMTP server 2.6.0 ( http://www.postcastserver.com/ )
match smtp m|^220 PostCast SMTP server.*\r\n$| v/PostCast SMTP server///
match omapi m|^\0\0\0d\0\0\0\x18$| v/ISC (BIND|DHCPD) OMAPI///
match svnserve m|^\(\x20success\x20\(\x201\x202\x20\(\x20ANONYMOUS\x20\)\x20\(\x20edit-pipeline\x20\)\x20\)\x20\)\x20$| v/Subversion///
match icecreamd m|^[\x14-\x1f]\0\0\0$| v/icecreamd///
##############################NEXT PROBE##############################
Probe TCP GenericLines q|\r\n\r\n|
ports 21,23,43,98,110,113,199,505,540,628,1040,1248,1467,1501,2010,3333,5432,5555,6112,6667-6670,11965,30444
@@ -834,7 +869,7 @@ match ftp m|^220 FTP server ready\.\r\n501 Command not supported\.\r\n$| v/D-Lin
match ftp m|^220 [-.\w]+ FTP server ready\.\r\n530 Please login with USER and PASS\.\r\n530 Please login with USER and PASS\.\r\n$| v/Solaris ftpd///
# vsftpd (Very Secure FTP Daemon) 1.0.0 on linux with custom ftpd_banner
# We'll have to see if this match is unique enough
match ftp m|^220 .*\r\n530 Please login with USER and PASS\.\r\n530 Please login with USER and PASS\.\r\n|s v/vsFTPd///
match ftp m|^220 .*\r\n530 Please login with USER and PASS\.\r\n530 Please login with USER and PASS\.\r\n|s v/vsFTPd//customized banner/
match ftp m|^220 [-.\w]+ FTP Server ready \.\.\.\r\n530 \r : User not logged in\. Please login with USER and PASS first\.\r\n530 \r : User not logged in\. Please login with USER and PASS first\.\r\n$| v/Bulletproof ftp server//Windows/
# BulletProof FTP 2.21 on Windows 2000 Server
match ftp m|^220 ftp\r\n$| v/Bulletproof ftp server//Windows/
@@ -923,6 +958,10 @@ match http m|HTTP/1\.0 404 Not Found\r\nServer: GRISOFT-AVG TCP Server/(\d[-.\w
# Ubicom embedded ( http://www.ubicom.com/home.htm )
match http m|^HTTP/1\.1 400 Bad Request\r\nCache-control: no-cache\r\nServer: Ubicom/(\d[-.\w ]+)\r\n| v/Ubicom embedded HTTP server/$1//
# wesnotd multiplayer network daemon (http://www.wesnoth.org/)
match wesnotd m|^\0\0\0\x16\0\0\0\x1f\x02version\0\x040\..\..\0\0\x02mustlogin\0x05\x01\0| v/wesnotd///
##############################NEXT PROBE##############################
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
ports 70,79,80-85,88,113,139,143,280,497,515,540,554,631,783,993,995,1220,1503,2030,3052,3128,3372,3531,3689,5000,5432,5800,5900,6699,7070,8000-8010,8080-8085,8880-8888,9090,9999,10000,10005,11371,13722,15000,40193,4711
@@ -969,6 +1008,7 @@ match gnutella m|^HTTP/1\.[01] 404 Not Found\r\nServer: gtk-gnutella/(\d[-.\w]+)
match gnutella m|^HTTP/1\.1 406 Not Acceptable\r\n$| v/LimeWire Gnutella P2P client///
match gnutella m|^HTTP/1\.0 200\r\nServer: Mutella\r\n| v/Mutella Gnutella P2P client///
match gnutella m|^HTTP/1\.1 404 Not Found\r\nServer: giFT-Gnutella/(\d[-.\w]+)\r\n| v/GiFT P2P client gnutella module/$1//
match gnutella m|^HTTP/1\.1 200 OK\r\n.*\r\nServer: Shareaza (\d\S+)|s v/Shareaza/$1//
match gopher m|^HTTP/1\.0 200 Ok\r\nMIME-Version: 1\.0\r\nServer: GopherWEB/(\d[-.\w]+)\r\n| v/Internet Gopher Server//Gopher+ protocol; GopherWeb $1/
match http m|^HTTP/1\.0 401 Unauthorized\r\nPragma: no-cache\r\nContent-type: text/html\r\nWWW-Authenticate: Basic realm=\"Login to the Router Web Configurator\"\r\n\r\n<html>\n <head>\n <title>401 Unauthorized</title>\n </head>\n<body>\n\n<div align=\"center\">| v/Draytek Vigor aDSL router webadmin///
@@ -1135,6 +1175,7 @@ match http m|^HTTP/1\.0 \d\d\d .*\r\nServlet-Engine: Tomcat Web Server/(\d[-.\w]
match 3dm-http m|^HTTP/1\.0 200 OK\r\nServer: 3ware/(\d[-.\w]+)\r\n.*<title>3ware 3DM - No remote access</title>|s v/3Ware 3DM Raid Daemon/$1/Access denied/
match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: publicfile| v/publicfile httpd///
match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+) ([^\r\n]+)|s v/Apache httpd/$1/$2/
match http m|^HTTP/1\.[01].*Server: Apache/([\d\.-\w]+)\s*\r?\n|s v/Apache httpd/$1//
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Apache/(\d[-.\w]+)\r\n.*X-Powered-By: ([^\r\n]+)\r\n|s v/Apache httpd/$1/$2/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Apache/(\d[-.\w]+)\r\n|s v/Apache httpd/$1//
# apache 1.3.26-0woody3 or Apache 2.0.45
@@ -1227,6 +1268,8 @@ match http m|^401 Access denied\r\nWWW-Authenticate: Negotiate \r\nContent-lengt
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: RomPager/([-.\w/ ]+)\r\n|s v/Embedded Allegro RomPager webserver/$1/ZyXEL ZyWALL 2/
match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: IDSL MailGate (\d[-.\w]+)\r\n| v/MailGate web proxy/$1//
match http m|^HTTP/1\.0 \d\d\d .*<TITLE>The AXIS 200 Home|s v/AXIS 200 Webcam///
# While this response looks like a web admin port, I think the same port is used for the primary
# proxy functionality. This is version 3.0 final on Linux.
match http-proxy m|^HTTP/1\.1 401 Unauthorized\r\nConnection: closed\r\nContent-Length: \d+\r\nWWW-Authenticate: Basic realm=\"WebWasher configuration\"\r\n| v/WebWasher filtering proxy///
@@ -1388,6 +1431,7 @@ match http m|^HTTP/1\.1 \d\d\d .*\r\nserver: BBC \d[-.\w]+; com\.hp\.openview\.C
# Zero One Technology ( http://www.01tech.com/ ) print servers embedded HTTP service
match http m|^HTTP/1\.\d\x20200\x20OK\r\nDate:\x20.*\r\nMIME-version:\x201\.\d\r\nServer:\x20ZOT-PS-(\d+)/(\d[-.\w]+)\r\n| v/Zero One Technology print server model $1 HTTP server/$2//
match kmldonkey m|^HTTP/1\.1 400 Bad Request\r\nServer: KMLDonkey/(\d\S+)| v/KMLDonkey/$1//
##############################NEXT PROBE##############################
Probe TCP RTSPRequest q|OPTIONS / RTSP/1.0\r\n\r\n|
@@ -1588,6 +1632,8 @@ match nameserver m|^\0\x06\x01\0\0\x01\0\0\x03\x03\x02$| v/Solaris Internet Name
Probe TCP Help q|HELP\r\n|
ports 1,7,21,25,79,113,2401,2627
sslports 465
totalwaitms 7500
# CVSD (cvs chrooting service for pserver) cvsd 0.9.18
# CVS 1.11.5 pserver
match cvspserver m|^cvs \[pserver aborted\]: bad auth protocol start: HELP\r\n\n$| v/cvs pserver///
@@ -1628,34 +1674,29 @@ match ident m|^\d+, \d+ : USERID : UNIX : [-.@\w]+\r\n| v/Internet Rex identd///
match smtp m|^220 [-.+\w]+ Generic SMTP handler\r\n214 Help not supported by this implementation\r\n$| v/Symantec Enterprise Firewall smtp proxy///
# Lotus Notes Domino 6.1 smtp server on Win2K
match smtp m|^220 Welcome to [-.+\w]+ ESMTP Server at .*\r\n214-Enter one of the following commands:\r\n214-HELO EHLO MAIL RCPT DATA RSET NOOP QUIT\r\n214 HELP VRFY EXPN STARTTLS \r\n$| v/Lotus Notes Domino smtpd///
# Exim 3.33 on FreeBSD
match smtp m|^220 ESMTP\r\n214-Commands supported:\r\n214- HELO EHLO MAIL RCPT DATA ETRN\r\n214 NOOP QUIT RSET HELP \r\n$| v/Exim smtpd/3.33//
match smtp m|^220.*?\n214-Commands supported:\r\n214- HELO EHLO MAIL RCPT DATA(?: ETRN)?(?: AUTH)?\r\n214 NOOP QUIT RSET HELP \r\n$| v/Exim smtpd/3.X//
match smtp m|^220.*?ESMTP.*\n214-Commands supported:\r\n214 AUTH (?:STARTTLS )?HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP\r\n$| v/Exim smtpd/4.X//
# Exim 4.22 with SSL compiled in (STARTTLS) custom banner (runtime configuration option) and VRFY and
# EXPN also disabled in config file
match stmp m|^220 [-/.+\w]+ ESMTP\r\n214-Commands supported:\r\n214 AUTH STARTTLS HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP\r\n| v/Exim smtpd///
# Exim 4.20 on Astaro Security Linux gateway/proxy/firewall/router.
match smtp m|^220 [-.\w]+ ESMTP ready\.\r\n214-Commands supported:\r\n214 AUTH STARTTLS HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP\r\n$| v/Exim smtpd/4.20//
# Exim 4.0 with exiscan patch and banner removed - Linux 2.1.19 - 2.2.25
match smtp m|^220 .*SMTP Ready\. Expected Helo with a valid domain\.\r\n214-Commands supported:\r\n214 AUTH HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP\r\n| v/Exim smtpd/4.0//
match smtp m|^220 .* ESMTP ?\r\n214[- ]qmail home page: http://pobox.com/~djb/qmail.html| v/qmail smtpd///
match smtp m|^220 .* ESMTP ?\r\n214[- ]qmail home page: http://pobox\.com/~djb/qmail\.html\r\n214[- ]qmail-ldap patch home page: http://www\.nrg4u\.com\r\n| v/qmail-ldap smtpd///
match smtp m|^220 [-.\w]+ ESMTP\r\n214 netqmail home page: http://qmail\.org/netqmail\r\n| v/netqmail smtpd/1.04//
match smtp m|^220[\s-]\S+ ESMTP ?\r\n214[- ]qmail home page: http://pobox.com/~djb/qmail.html| v/qmail smtpd///
match smtp m|^220[\s-]\S+ ESMTP ?\r\n214[- ]qmail home page: http://pobox\.com/~djb/qmail\.html\r\n214[- ]qmail-ldap patch home page: http://www\.nrg4u\.com\r\n| v/qmail-ldap smtpd///
match smtp m|^220[\s-].*?ESMTP\r\n214 netqmail home page: http://qmail\.org/netqmail\r\n| v/netqmail smtpd/1.04//
# VirusBuster MailShield for SMTP. Version 1.15.030 on Linux 2.4
match smtp m|^220 [-.\w]+ SMTP version 1\.00;\r\n214 We strongly advise you to study of the RFC821\.\.\.\r\n$| v/VirusBuster MailShield for SMTP///
# Postfix 1.1.11.0-woody3
# Postfix 1.1.7-2
match smtp m|^220 [-.\w]+ ESMTP Postfix\r\n$| v/Postfix smtpd/1.X//
# Postfix 1.1.12, 1.1.13, 2.0.9, 2.0.16
match smtp m|^220 .*\r\n502 Error: command not implemented\r\n$| v/Postfix smtpd///
# Courier ESMTP courier-0.42.0-1.7.3
match smtp m|^220 [-.\w]+ ESMTP\r\n502 ESMTP command error\r\n$| v/Courier smtpd///
match smtp m|^220 [-.\w]+ ESMTP Sendmail ([^;]{3,50})| v/Sendmail smtpd/$1//
match smtp m|^220 [-.\w]+ ESMTP Sendmail;| v/Sendmail smtpd///
match smtp m|220.*214-2\.0\.0 This is sendmail version ([-+.\w]+)\r\n214-2\.0\.0 Topics:\r\n214-2\.0\.0|s v/Sendmail smtpd/$1//
match smtp m|214-2\.0\.0 This is sendmail version (\S+)\r?\n214-2\.0\.0 Topics:|s v/Sendmail/$1//
match smtp m|^220 \S+ E?SMTP Sendmail;| v/Sendmail///
match smtp m|^220.* Sendmail (\d[-.\w]+) -- HELP not implemented\r\n|s v/Sendmail/$1//
match smtp m|^220.*214-This is America Online mail version [vV](\S+)|s v/AOL smtpd/$1//
match smtp m|^220.*214 2\.0\.0 http://www\.google\.com/search.*RFC\+2821\s*\r?\n|s v/Google smtpd///
match smtp m|^220.*214 SMTP server comments and bug reports to: \<zmhacks\@nic.funet.fi\>|s v/ZMailer smtpd///
match smtp m|^220.*500 MessageWall: Unrecognized command|s v/MessageWall SMTP proxy///
match smtp m|^220.*500 Unknown or unimplemented command|s v/MIMEsweeper SMTP proxy///
match smtp m|^220.*214 See http\:\/\/www\.messagelabs\.com\/support|s v/MessageLabs smtpd///
match smtp m|^220 \S+ ESMTP Service\r\n502 5\.3\.0 Sendmail Xserve -- HELP not implemented\r\n$| v/Xserve smtpd///
match tcpmux m|^(sgi_[-.\w]+\r\n([-.\w]+\r\n)*)$| v/SGI IRIX tcpmux//Available services: $SUBST(1, "\r\n", ",")/
# Written in 1986. More info at
# http://ftp.rge.com/pub/X/X11R5/contrib/xwebster.README
@@ -1865,6 +1906,13 @@ ports 1352
# Lotus Domino (r) Server (Release 6.0.1CF1 for Windows/32
match lotusnotes m|^.\0\0\0.\0\0\0\x03\0\0@\x02\x0f\0.*\x03\0\0\0\0\x02\0/\0.\0\0\0\0\0\0\0@\x1f.*CN=([-.\w ]+)/O=([-.\w ]+)[^-.\w ]|s v/Lotus Domino server//CN=$1;Org=$2/
##############################NEXT PROBE##############################
Probe TCP DistCCD q|DIST00000001ARGC00000005ARGV00000002ccARGV00000002-cARGV00000006nmap.cARGV00000002-oARGV00000006nmap.oDOTI00000000|
ports 3632
match distccd m|^DONE00000001STAT00000000SERR00000000SOUT00000000DOTO.*?GCC: ([^\0]+)| v/distccd/v1/$1/
match distccd m|^DONE00000001.*?DOTO00| v/distccd/v1/unknown compiler/
##############################NEXT PROBE##############################
Probe UDP Sqlping q|\x02|
ports 1434


@@ -991,6 +991,7 @@ acp 599/tcp # Aeolon Core Protocol
acp 599/udp # Aeolon Core Protocol
ipcserver 600/tcp # Sun IPC server
ipcserver 600/udp # Sun IPC server
mnotes 603/tcp # CommonTime Mnotes PDA Synchronization
urm 606/tcp # Cray Unified Resource Manager
urm 606/udp # Cray Unified Resource Manager
nqs 607/tcp #
@@ -1097,8 +1098,9 @@ hp-collector 781/tcp # hp performance data collector
hp-collector 781/udp # hp performance data collector
hp-managed-node 782/tcp # hp performance data managed node
hp-managed-node 782/udp # hp performance data managed node
hp-alarm-mgr 783/tcp # hp performance data alarm manager
hp-alarm-mgr 783/udp # hp performance data alarm manager
spamassassin 783/tcp # Apache SpamAssassin spamd
# hp-alarm-mgr 783/tcp # hp performance data alarm manager
# hp-alarm-mgr 783/udp # hp performance data alarm manager
concert 786/tcp #
concert 786/udp #
controlit 799/tcp # Remotely possible
@@ -1154,6 +1156,8 @@ iad3 1032/tcp # BBN IAD
iad3 1032/udp # BBN IAD
netinfo 1033/tcp # Netinfo is apparently on many OS X boxes.
netsaint 1040/tcp # Netsaint status daemon
boinc-client 1043/tcp # BOINC Client Control
boinc-client 1043/udp # BOINC Client Control
java-or-OTGfileshare 1050/tcp # J2EE nameserver, also OTG, also called Disk/Application extender. Could also be MiniCommand backdoor OTGlicenseserv
nim 1058/tcp #
nim 1058/udp #


@@ -523,9 +523,10 @@ void log_write(int logt, const char *fmt, ...)
bool buf_alloced = false;
int rc = 0;
va_start(ap, fmt);
if (l & LOG_STDOUT) {
va_start(ap, fmt);
vfprintf(o.nmap_stdout, fmt, ap);
va_end(ap);
l-=LOG_STDOUT;
}
if (l & LOG_SKID_NOXLT) { skid=0; l -= LOG_SKID_NOXLT; l |= LOG_SKID; }
@@ -534,7 +535,9 @@ void log_write(int logt, const char *fmt, ...)
{
if (!o.logfd[i] || !(l&1)) continue;
while(1) {
va_start(ap, fmt);
rc = vsnprintf(buf,bufsz, fmt, ap);
va_end(ap);
if (rc >= 0 && rc < bufsz)
break; // Successful
// D'oh! Apparently not enough space - lets try a bigger buffer
@@ -545,7 +548,6 @@ void log_write(int logt, const char *fmt, ...)
if (skid && ((1<<i)&LOG_SKID)) skid_output(buf);
fwrite(buf,1,strlen(buf),o.logfd[i]);
}
va_end(ap);
if (buf_alloced)
free(buf);
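Review bot: In the `while(1)` retry loop of the second hunk, `if (rc >= 0 && rc < bufsz)` sends a negative `vsnprintf` return down the same "try a bigger buffer" path as truncation, so a genuine formatting error would presumably keep growing the buffer; the growth code lies outside the hunk, so whether it is capped cannot be seen from here. A bound on the retries or on `bufsz` before reallocating would turn that case into a clean failure. The per-use `va_start`/`va_end` pairs also deserve a comment, since nothing in the code says why they moved, e.g. `/* ap is indeterminate after a v*printf call; restart it for every use */`. log_write's body starts before the first hunk and continues between and after the hunks shown.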


@@ -1700,6 +1700,7 @@ static UltraProbe *sendIPScanProbe(UltraScanInfo *USI, HostScanStats *hss,
int scanflags = 0;
int decoy = 0;
u32 seq = 0;
u32 ack = 0;
u16 sport;
u16 ipid = get_random_u16();
@@ -1733,10 +1734,13 @@ static UltraProbe *sendIPScanProbe(UltraScanInfo *USI, HostScanStats *hss,
}
seq = seq32_encode(USI, tryno, pingseq);
if (scanflags & TH_ACK)
ack = rand();
for(decoy = 0; decoy < o.numdecoys; decoy++) {
packet = build_tcp_raw(&o.decoys[decoy], hss->target->v4hostip(), o.ttl,
ipid, sport, destport, seq, 0, scanflags, 0, NULL,
0, o.extra_payload, o.extra_payload_length,
ipid, sport, destport, seq, ack, scanflags, 0,
NULL, 0, o.extra_payload, o.extra_payload_length,
&packetlen);
if (decoy == o.decoyturn) {
probe->setIP(packet, packetlen);
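Review bot: The added `ack = rand();` draws the acknowledgment number from `rand()`, which returns an `int` no larger than `RAND_MAX` (guaranteed only to be at least 32767), so the upper bits of the 32-bit `ack` can stay zero and the value depends on however `rand()` was seeded. The same function already takes `ipid` from `get_random_u16()`; if the project's 32-bit counterpart is in scope here, `ack = get_random_u32();` would fill the whole field and keep the random sources consistent. The single-statement `if (scanflags & TH_ACK)` would also be safer with braces. sendIPScanProbe starts before and continues after the hunks shown.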


@@ -139,7 +139,7 @@ void nmapwin_list_interfaces();
int if2nameindex(int ifi);
#endif
static PacketCounter PC;
static PacketCounter PktCt;
#ifndef WIN32 /* Already defined in wintcpip.c for now */
void sethdrinclude(int sd) {
@@ -199,10 +199,10 @@ char *getFinalPacketStats(char *buf, int buflen) {
#else
"Raw packets sent: %llu (%s) | Rcvd: %llu (%s)",
#endif
PC.sendPackets,
ll2shortascii(PC.sendBytes, sendbytesasc, sizeof(sendbytesasc)),
PC.recvPackets,
ll2shortascii(PC.recvBytes, recvbytesasc, sizeof(recvbytesasc)));
PktCt.sendPackets,
ll2shortascii(PktCt.sendBytes, sendbytesasc, sizeof(sendbytesasc)),
PktCt.recvPackets,
ll2shortascii(PktCt.recvBytes, recvbytesasc, sizeof(recvbytesasc)));
return buf;
}
@@ -217,11 +217,11 @@ void PacketTrace::trace(pdirection pdir, const u8 *packet, u32 len,
struct timeval tv;
if (pdir == SENT) {
PC.sendPackets++;
PC.sendBytes += len;
PktCt.sendPackets++;
PktCt.sendBytes += len;
} else {
PC.recvPackets++;
PC.recvBytes += len;
PktCt.recvPackets++;
PktCt.recvBytes += len;
}
if (!o.packetTrace()) return;