From 4174bd9b1bf235bab6f624c2940bf2c3d3c53fc8 Mon Sep 17 00:00:00 2001
From: fyodor
Date: Sat, 23 Apr 2005 02:47:29 +0000
Subject: [PATCH] a bunch of misc changes

---
 CHANGELOG            |  34 +++++++++
 config.h             | 166 +++++++++++++++++++++++++++++++++++++-----
 nmap-os-fingerprints |   4 +-
 nmap-rpc             |  59 +++++++++++++--
 nmap-service-probes  | 170 +++++++++++++++++++++++++++----------------
 nmap-services        |   8 +-
 output.cc            |   6 +-
 scan_engine.cc       |   8 +-
 tcpip.cc             |  18 ++---
 9 files changed, 372 insertions(+), 101 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index f884f6875..7c219270d 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$)
+o Fixed a crash problem related to non-portable varargs (vsnprintf)
+  usage. Reports of this crash came from Alan William Somers
+  (somers(a)its.caltech.edu) and Christophe (chris.branch(a)gmx.de).
+
 o Fixed the way tcp connect scan (-sT) respons to ICMP network unreachable responses (patch by Richard Moore (rich(a)westpoint.ltd.uk).
@@ -10,6 +14,36 @@ o Update random host scan (-iR) to support the latest IANA-allocated o Added some new RPC services to nmap-rpc thanks to a patch from vlad902 (vlad902(a)gmail.com). +o Fixed Nmap compilation on Solaris x86 thanks to a patch from Simon + Burr (simes(a)bpfh.net). + +o Changed from CVS to Subversion source control system (which + rocks!). Neither repository is public (I'm paranoid because both CVS + and SVN have had remotely exploitable security holes), so the main + change users will see is that "Id" tags in file headers use the SVN + format for version numbering and such. + +o ultra_scan() now sets pseudo-random ACK values (rather than 0) for + any TCP scans in which the initial probe packet has the ACK flag set. + This would be the ACK, Xmas, Maimon, and Window scans. + +o Added a bunch of RPC numbers from nmap-rpc maintainer Eilon Gishri + (eilon(a)aristo.tau.ac.il) + +o Added a distcc probes and a bunch of smtp matches from Dirk Mueller + (mueller(a)kde.org) to nmap-service-probes. Also added AFS version + probe and matches from Lionel Cons (lionel.cons(a)cern.ch) + +o Updated the Nmap version number, description, and similar fields + that MS Visual Studio places in the binary. This was done by editing + mswin32/nmap.rc as suggested by Chris Paget (chrisp@ngssoftware.com) + +o Increased the buffer size allocated for fingerprints to prevent Nmap + from running out and quitting (error message: "Assertion + `servicefpalloc - servicefplen > 8' failed". Thanks to Mike Hatz + (mhatz(a)blackcat.com) for the report. [ Actually this was done in a + previous version, but I forgot which one ] + Nmap 3.81 o Nmap now ships with and installs (in the same directory as other diff --git a/config.h b/config.h index 899ef17c3..57dab2703 100644 --- a/config.h +++ b/config.h 
@@ -1,10 +1,113 @@ -/* config.h. Generated automatically by configure. */ +/* config.h. Generated by configure. */ +/*************************************************************************** + * config.h.in -- Autoconf uses this template, combined with the configure * + * script knowledge about system capabilities, to build the config.h * + * include file that lets nmap better understand system particulars. * + * * + ***********************IMPORTANT NMAP LICENSE TERMS************************ + * * + * The Nmap Security Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap * + * is also a registered trademark of Insecure.Com LLC. This program is * + * free software; you may redistribute and/or modify it under the * + * terms of the GNU General Public License as published by the Free * + * Software Foundation; Version 2. This guarantees your right to use, * + * modify, and redistribute this software under certain conditions. If * + * you wish to embed Nmap technology into proprietary software, we may be * + * willing to sell alternative licenses (contact sales@insecure.com). * + * Many security scanner vendors already license Nmap technology such as * + * our remote OS fingerprinting database and code, service/version * + * detection system, and port scanning code. * + * * + * Note that the GPL places important restrictions on "derived works", yet * + * it does not provide a detailed definition of that term. To avoid * + * misunderstandings, we consider an application to constitute a * + * "derivative work" for the purpose of this license if it does any of the * + * following: * + * o Integrates source code from Nmap * + * o Reads or includes Nmap copyrighted data files, such as * + * nmap-os-fingerprints or nmap-service-probes. * + * o Executes Nmap and parses the results (as opposed to typical shell or * + * execution-menu apps, which simply display raw Nmap output and so are * + * not derivative works.) 
* + * o Integrates/includes/aggregates Nmap into a proprietary executable * + * installer, such as those produced by InstallShield. * + * o Links to a library or executes a program that does any of the above * + * * + * The term "Nmap" should be taken to also include any portions or derived * + * works of Nmap. This list is not exclusive, but is just meant to * + * clarify our interpretation of derived works with some common examples. * + * These restrictions only apply when you actually redistribute Nmap. For * + * example, nothing stops you from writing and selling a proprietary * + * front-end to Nmap. Just distribute it by itself, and point people to * + * http://www.insecure.org/nmap/ to download Nmap. * + * * + * We don't consider these to be added restrictions on top of the GPL, but * + * just a clarification of how we interpret "derived works" as it applies * + * to our GPL-licensed Nmap product. This is similar to the way Linus * + * Torvalds has announced his interpretation of how "derived works" * + * applies to Linux kernel modules. Our interpretation refers only to * + * Nmap - we don't speak for any other GPL products. * + * * + * If you have any questions about the GPL licensing restrictions on using * + * Nmap in non-GPL works, we would be happy to help. As mentioned above, * + * we also offer alternative license to integrate Nmap into proprietary * + * applications and appliances. These contracts have been sold to many * + * security vendors, and generally include a perpetual license as well as * + * providing for priority support and updates as well as helping to fund * + * the continued development of Nmap technology. Please email * + * sales@insecure.com for further information. 
* + * * + * As a special exception to the GPL terms, Insecure.Com LLC grants * + * permission to link the code of this program with any version of the * + * OpenSSL library which is distributed under a license identical to that * + * listed in the included Copying.OpenSSL file, and distribute linked * + * combinations including the two. You must obey the GNU GPL in all * + * respects for all of the code used other than OpenSSL. If you modify * + * this file, you may extend this exception to your version of the file, * + * but you are not obligated to do so. * + * * + * If you received these files with a written license agreement or * + * contract stating terms other than the terms above, then that * + * alternative license agreement takes precedence over these comments. * + * * + * Source is provided to this software because we believe users have a * + * right to know exactly what a program is going to do before they run it. * + * This also allows you to audit the software for security holes (none * + * have been found so far). * + * * + * Source code also allows you to port Nmap to new platforms, fix bugs, * + * and add new features. You are highly encouraged to send your changes * + * to fyodor@insecure.org for possible incorporation into the main * + * distribution. By sending these changes to Fyodor or one the * + * Insecure.Org development mailing lists, it is assumed that you are * + * offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right * + * to reuse, modify, and relicense the code. Nmap will always be * + * available Open Source, but this is important because the inability to * + * relicense code has caused devastating problems for other Free Software * + * projects (such as KDE and NASM). We also occasionally relicense the * + * code to third parties as discussed above. If you wish to specify * + * special license conditions of your contributions, just say so when you * + * send them. 
* + * * + * This program is distributed in the hope that it will be useful, but * + * WITHOUT ANY WARRANTY; without even the implied warranty of * + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * + * General Public License for more details at * + * http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included * + * with Nmap. * + * * + ***************************************************************************/ -/* #undef PCAP_TIMEOUT_IGNORED */ +/* $Id$ */ + +#ifndef CONFIG_H +#define CONFIG_H + +#define PCAP_TIMEOUT_IGNORED 1 #define HAVE_STRUCT_IP 1 -#define HAVE_USLEEP 1 +/* #undef HAVE_USLEEP */ #define HAVE_NANOSLEEP 1 @@ -16,15 +119,19 @@ #define STDC_HEADERS 1 +#define HAVE_UNISTD_H 1 + #define HAVE_STRING_H 1 -/* #undef HAVE_GETOPT_H */ +#define HAVE_GETOPT_H 1 #define HAVE_STRINGS_H 1 +#define HAVE_PWD_H 1 + /* #undef HAVE_BSTRING_H */ -#define WORDS_BIGENDIAN 1 +/* #undef WORDS_BIGENDIAN */ #define HAVE_MEMORY_H 1 @@ -35,19 +142,21 @@ #define HAVE_SYS_PARAM_H 1 -#define HAVE_SYS_SOCKIO_H 1 +/* #undef HAVE_SYS_SOCKIO_H */ + +/* #undef HAVE_PCRE_H */ + +#define HAVE_PCRE_PCRE_H 1 #define BSD_NETWORKING 1 -#define HAVE_SNPRINTF 1 +#define HAVE_INET_ATON 1 -#define HAVE_VSNPRINTF 1 - -/* #undef HAVE_STRCASESTR */ +#define HAVE_STRCASESTR 1 /* #undef HAVE_GETOPT_LONG */ -#define IN_ADDR_DEEPSTRUCT 1 +/* #undef IN_ADDR_DEEPSTRUCT */ /* #undef HAVE_NETINET_IN_SYSTEM_H */ 
@@ -55,21 +164,42 @@ #define HAVE_NETINET_IF_ETHER_H 1 +#define HAVE_OPENSSL 1 + /* #undef STUPID_SOLARIS_CHECKSUM_BUG */ /* #undef SPRINTF_RETURNS_STRING */ -/* #undef LINUX */ +#define TIME_WITH_SYS_TIME 1 +#define HAVE_SYS_TIME_H 1 + +#define recvfrom6_t socklen_t + +/* #undef NEED_USLEEP_PROTO */ +/* #undef NEED_GETHOSTNAME_PROTO */ + +#ifdef NEED_USLEEP_PROTO +#ifdef __cplusplus +extern "C" int usleep (unsigned int); +#endif +#endif + +#ifdef NEED_GETHOSTNAME_PROTO +#ifdef __cplusplus +extern "C" int gethostname (char *, unsigned int); +#endif +#endif + +/* #undef DEC */ +#define LINUX 1 /* #undef FREEBSD */ /* #undef OPENBSD */ -#define SOLARIS 1 +/* #undef SOLARIS */ /* #undef SUNOS */ /* #undef BSDI */ /* #undef IRIX */ +/* #undef HPUX */ /* #undef NETBSD */ +/* #undef MACOSX */ - - - - - +#endif /* CONFIG_H */ diff --git a/nmap-os-fingerprints b/nmap-os-fingerprints index 29477ea7a..aebd58cef 100644 --- a/nmap-os-fingerprints +++ b/nmap-os-fingerprints @@ -16034,8 +16034,10 @@ PU(DF=Y%TOS=0%IPLEN=138%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) # Sun Solaris 9 Beta through Release on SPARC # solaris 9 i386 # Solaris 9 4/04 version (SPARC) -Fingerprint Sun Solaris 9 +# Solaris 10 +Fingerprint Sun Solaris 9 or 10 Class Sun | Solaris | 9 | general purpose +Class Sun | Solaris | 10 | general purpose TSeq(Class=RI%gcd=<6%SI=116A%IPID=I%TS=100HZ) T1(DF=Y%W=5B4|C0B7|807A%ACK=S++%Flags=AS%Ops=NNTMNW) T2(Resp=N) diff --git a/nmap-rpc b/nmap-rpc index a4ea9dc9b..1c0026247 100644 --- a/nmap-rpc +++ b/nmap-rpc @@ -65,7 +65,7 @@ sprayd 100012 spray rje_mapper 100014 # Remote job entry mapping service. selection_svc 100015 selnsvc database_svc 100016 dbsessionmgr unify netdbms dbms -rexd 100017 rex +rexd 100017 rex remote_exec alis 100018 alice office_auto sched 100019 llockmgr 100020 
@@ -138,13 +138,13 @@ amiserv 100146 # AMI Daemon amiaux 100147 # AMI Daemon ocfserv 100150 # OCF (Smart card) Daemon sunvts 100153 -smserverd 100155 rpc.smserverd +smserverd 100155 rpc.smserverd # support removable media devices kcms_server 100221 # SunKCMS Profile Server nfs_acl 100227 # # rpc.metad - SUNWmd - Sun Solstice DiskSuite # -metad 100229 metad rpc.metad +metad 100229 metad rpc.metad # METAD - SLVM metadb Daemon metamhd 100230 metamhd rpc.metamhd # nfsauth 100231 @@ -162,13 +162,15 @@ nis_cache 100301 nis_callback 100302 nispasswd 100303 rpc.nispasswdd fnsypd 100304 # Federated Naming Service (FNS) + +# MDMN_COMMD +mdcommd 100422 # SVM Multi Node Communication Daemon stfsloader 100424 # Standard Type Services Framework (STSF) Font Server rpc.pts 105004 Protoserver # Advanced Printing Software swu_svr 120100 # Software Usage Monitoring daemon nf_snmd 120126 # SunNet Manager nf_snmd 120127 pcnfsd 150001 pcnfs -mapsvc 351455 # # Pyramid # @@ -202,6 +204,9 @@ Magfetch 200050 magfetch Optfetch 200051 optfetch Securitysrv 200052 securitysrv # +bundle 200100 # Delay Tolerant Networking - DTN agent +bundle_demux 200200 # Delay Tolerant Networking - DTN agent +# # EcoTools daemons/programs # ecodisc 200201 @@ -210,8 +215,10 @@ eamon 200203 ecoad 200205 # # VERSANT +# Operator Communications Software (OCS) # rpc.dbserv 211637 dbserv rpc.dbserv_dir +rpc.taped 217843 taped rpc.taped_dir rpc.taped 217854 taped rpc.taped_dir # ADTFileLock 300001 # ADT file locking service. @@ -224,6 +231,9 @@ fmeditor 300007 # FrameMaker Editor fmserver 300009 stdfm FrameServer # FrameMaker Server # amd 300019 amq +# +Steering 300021 # Steering Library +# rpc.ldmd 300029 ldm # Unidata LDM # # DMFE/DAWS (Defense Automated Warning System) @@ -231,6 +241,8 @@ rpc.ldmd 300029 ldm # Unidata LDM UpdtAuditsS 300030 Dbpass 300091 dbpass # +clms 300145 # CenterLine CodeCenter +# # FrameMaker fm_flb 300214 # FrameMaker fm_fls 300215 # FrameMaker licnese server 
@@ -256,7 +268,10 @@ mcserv 300516 cluinfod 300527 # cluster information server (Digital UNIX) dmispd 300598 # Sun Solstice Enterprise DMI Service Provider prpasswd 300632 +ks 300664 # ACPLT/KS protocol sfs 344444 # SFS - Self-Certifying File System +mapsvc 351455 +berkeleydb 351457 # Sleepycat Software: Berkeley DB prestoctl_svc 390100 presto # Prestoserve control daemon # # Computer Associates @@ -287,7 +302,7 @@ nsrnotd 390400 # NetWorker notary service # Remedy AR System daemons # arserverd 390600 arserverd -ntserverd 390601 ntserverd +ntserverd 390601 ntserverd # Remedy Notifier and AR Server 5.0 ntclientd 390602 ntclientd aresclsrv 390603 aresclsrv arservtcd 390604 arservtcd @@ -412,9 +427,13 @@ asedirector 395175 asedirector # ASE Director Daemon aseagent 395176 aseagent # ASE Agent Daemon asehsm 395177 asehsm # Host Status Monitor Daemon aselogger 395179 aselogger # Logger Daemon +# +pnictl 395250 # BMC EnsignAgent 450000 # Ensign Agent # +drac 900101 # Dynamic Relay Authorization Control +# AdoIfServer 1000002 # RHIC AdoIf Server (Accelerator Device Object) notifServer 2000004 # RHIC notifServer # @@ -567,6 +586,13 @@ ndbserver98 536871042 ndbserver99 536871043 ndbserver100 536871044 # +gnbk 536871680 # ACEDB genome database package +# +# Katie - Revision Control System +# +katie_mount 537208899 +katie_nfs 537208900 katie +# fcagent 541414217 # SGI FibreVault Status/Configuration daemon # pnmd 591751041 # SunCluster - Public Network Management (PNM) 
@@ -583,18 +609,39 @@ inetray 555555558 inetray 555555559 inetray 555555560 # -drac 900101 # Dynamic Relay Authorization Control +# Keck Long Wavelength Spectrometer (LWS) related rpc daemons +# +collectd 600000001 collect # IRE Computer +xycomd 600000002 xycom # IRE Computer +motord 600000003 motor # IRE Computer +fitsd 600000004 fits writer # Control Room computer +# des_crypt 600100029 freebsd-crypt # FreeBSD fypxfrd 600100069 freebsd-ypxfrd # FreeBSD rdbx 611319808 bminrd 630474513 # MacroModel - BatchMin Network Server bwnfsd 788585389 # (PC)NFS server by Beame & Whiteside, Inc. dmispd 805306368 # Sun Solstice Enterprise DMI Service Provider +sql_disp 805310465 # GNU SQL Server rdict 805898569 # "Internetworking with TCP/IP Vol 3" piktc_svc 806422610 # PIKT: Problem Informant/Killer Tool + 822084608 # OLD - Inter-Language Unification (ILU) +# +# LIGO Global Diagnostics System (GDS) - Diagnostics Test Tool (DTT) +# +testpoint 822087681 # Test point server +awg 822087682 # Arbitrary waveform generator +cgdsrtdd 822087683 # Real-time data server +gdsd 822087684 # Diagnostics message server +chnconfd 822087685 # Channel database daemon for gds +leapconfd 822087686 # Leap second information daemon +# LIGO Global Diagnostics System (GDS) - Diagnostics Test Tool (DTT) +rlaunchd 822087687 # Remote program launcher +# cfsd 824395111 cns 912680550 # Controls Name Server fmproduct 1073741824 _Frame_RPC # FrameMaker +gsql_trn 1073741840 # GNU SQL Server cfsd 1092830567 rdb 1145324612 # Wind River Systems' VxWorks debug stub # diff --git a/nmap-service-probes b/nmap-service-probes index f775886f4..f64394ce7 100644 --- a/nmap-service-probes +++ b/nmap-service-probes 
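Review bot: The added line ` 822084608 # OLD - Inter-Language Unification (ILU)` has nothing in the name column, so the nmap-rpc reader (not part of this diff) will most likely take `822084608` as the program name and then fail on `#` as the number, or silently drop the entry; give it a name, e.g. `ilu 822084608 # OLD - Inter-Language Unification (ILU)`, or comment the line out with a leading `#`. The comment `# LIGO Global Diagnostics System (GDS) - Diagnostics Test Tool (DTT)` also appears twice in the same block, once above `testpoint` and again above `rlaunchd`, which reads like a paste leftover. The parser behaviour is inferred from the file's column layout, since the loader is not shown here.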
@@ -33,9 +33,10 @@ # This is the NULL probe that just compares any banners given to us ##############################NEXT PROBE############################## Probe TCP NULL q|| -# Wait for at least 5 seconds for data. Otherwise an Nmap default is used. -totalwaitms 5000 - +# Wait for at least 6 seconds for data. It used to be 5, but some +# smtp services have lately been instituting an artificial pause (see +# FEATURE('greet_pause') in Sendmail, for example) +totalwaitms 6000 match acap m|^\* ACAP \(IMPLEMENTATION \"CommuniGate Pro ACAP (\d[-.\w]+)\"\) | v/CommuniGate Pro ACAP server//for mail client preference sharing/ match aim m|^\*\x01..\0\x04\0\0\0\x01$|s v/Pyboticide AIM chat filter/// # AMANDA index server 2.4.2p2 on Linux 2.4 @@ -128,6 +129,9 @@ match ftp m|^220 .* \(glftpd (\d[-.0-9a-zA-Z]+)_(\w+)(\+TLS)?\) ready\.\r\n| v/g match ftp m|^220 [-.\w]+ FTP server \(FirstClass v(\d[-.\w]+)\) ready\.\r\n| v/FirstClass FTP server/$1// match ftp m|^220 [-.\w]+ FTP server \(Compaq Tru64 UNIX Version (\d[-.\w]+)\) ready\.\r\n| v/Compaq Tru64 ftp server/$1// match ftp m|^220 AXIS ([-.\w]+) FTP Network Print Server V(\d[-.\w]+) [A-Z][a-z]| v/Axis network print server ftpd/$2/Model $1/ +match ftp m|^220 AXIS ([\d\w]+)V(\d\S+) (.*?) ready\.\n| v/AXIS $1 Webcam/$2/$3/ +match ftp m|^220 Axis (\d+) Network Camera (\d\S+) (.*?) ready\.\n| v/Axis $1 Webcam/$2/$3/ +match ftp m|^220 AXIS (\d+) Video Server (\d\S+) (.*?) ready\.| v/AXIS $1 Video Server/$2/$3/ match ftp m|^220-Cerberus FTP Server Personal Edition\r\n220-UNREGISTERED\r\n| v/Cerberus FTP Server//Personal Edition; Unregistered/ match ftp m|^220-GuildFTPd FTP Server \(c\) 2001\r\n220-Version (\d[-.\w]+)\r\n220 Please enter your name:\r\n| v/GuildFTPd/$1// match ftp m|^220 FTP print service:V-(\d[-.\w]+)/Use the network password for the ID if updating\.\r\n| v/Brother printer ftpd/$1// 
@@ -214,6 +218,7 @@ match ftp-proxy m/^220-Sidewinder ftp proxy\. You must login to the proxy first match ftp-proxy m/^220-\r\x0a220-Sidewinder ftp proxy/s v/Sidewinder FTP proxy/// # TODO kerio? #match ftp m|^421 Service not available \(The FTP server is not responding\.\)\n$| v/unknown FTP server//service not responding/ +match vdr m|220 \S+ SVDRP VideoDiskRecorder (\d[^\;]+);| v/VDR/$1// softmatch ftp m/^220 [-.\w ]+ftp.*\r\n$/i softmatch ftp m/^220-[-.\w ]+ftp.*\r\n220/i 
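Review bot: `match vdr m|220 \S+ SVDRP VideoDiskRecorder (\d[^\;]+);| v/VDR/$1//` is the only pattern in this block without a leading `^`, so it will also fire on a longer banner that merely contains a `220 ... SVDRP` line further in, and it is placed above the ftp softmatches rather than with the other anchored named-service matches. Anchoring it as `match vdr m|^220 \S+ SVDRP VideoDiskRecorder (\d[^;]+);| v/VDR/$1//` keeps it consistent with its neighbours; the `\;` escape inside the character class is harmless but unnecessary.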
@@ -253,20 +258,8 @@ match imap m|^\* OK [-.\w]+ NetMail IMAP4 Agent server ready <.*>\r\n| v/Novell match imap m|^\* OK [-.\w]+ IMAP4rev1 MDaemon (\d[-.\w]+) ready\r\n| v/Alt-N MDaemon imapd/$1// # Dovecot IMAP Server - http://dovecot.procontrol.fi/ match imap m|^\* OK dovecot ready\.\r\n| v/Dovecot imapd/// -# courier-0.36.1 -match imap m|^\* OK Courier-IMAP ready\. Copyright 1998-2001 Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier Imap/0.36 - 1.4// -# Courier-Imap 1.4.3-2.3 -match imap m|^\* OK Courier-IMAP ready\. Copyright 1998-2002 Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier Imap/1.4 - 2.3// -# Courier Imap 1.7.0 on Linux -# Courier IMAP server 1.6.2 on Linux -match imap m|\* OK Courier-IMAP ready\. Copyright 1998-2003 Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier Imap/1.6.X - 1.7.X// -# Courier IMAP courier-imapd-0.42.0-1.7.3 -# Courier IMAP 1.7.2 -match imap m|^\* OK \[CAPABILITY IMAP4rev1 .*Courier-IMAP ready\. Copyright 1998-2003 Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier IMAP4rev1/1.7.X// -# courier-imap 2.0.0.20030809 -match imap m|^\* OK \[CAPABILITY IMAP4rev1\].*Courier-IMAP ready\. Copyright 1998-2003 Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier IMAP4rev1/2.0.X// -# Courier IMAP 1.7.2 -match imap m|\* OK \[CAPABILITY IMAP4rev1 CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA\] Courier-IMAP ready. Copyright 1998-2003 Double Precision, Inc. See COPYING for distribution information.\r\n$| v/Courier IMAP4rev1/1.7.2// +match imap m|^\* OK.*?Courier-IMAP ready\. Copyright 1998-(\d+) Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier Imapd//released $1/ +match imap m|^\* OK \[CAPABILITY IMAP4rev1 .*?Courier-IMAP ready\. Copyright 1998-(\d+) Double Precision, Inc\. 
See COPYING for distribution information\.\r\n| v/Courier IMAP4rev1 Imapd//released $1/ match imap m|^\* OK CommuniGate Pro IMAP Server ([-.\w]+) at [-.\w]+ ready\r\n$| v/CommuniGate Pro imapd/$1// # W-Imapd-SSL v2001adebian-6 match imap m|^\* OK \[CAPABILITY IMAP4REV1 X-NETSCAPE LOGIN-REFERRALS STARTTLS AUTH=LOGIN\] \S+ IMAP4rev1 ([-.\w]+) at| v/UW-Imapd-SSL/$1// @@ -296,6 +289,8 @@ match irc m|^ERROR :Trying to reconnect too fast\.\r\n| v/Hybrid ircd/// match irc m|^NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\nNOTICE AUTH :\*\*\* Checking Ident\r\nNOTICE AUTH :\*\*\* Found your hostname\r\nNOTICE AUTH :\*\*\* Got Ident response\r\n| v/Hybrid ircd/// # dircproxy 1.0.3 on Linux 2.4.x match irc-proxy m|^:dircproxy NOTICE AUTH :Looking up your hostname\.\.\.\r\n:dircproxy NOTICE AUTH :Got your hostname\.\r\n| v/dircproxy/// +# dirkproxy (modificated dircproxy) +match irc-proxy m|^:dirkproxy NOTICE AUTH :Looking up your hostname\.\.\.\r\n:dirkproxy NOTICE AUTH :Got your hostname\.\r\n| v/dirkproxy/// # Unreal IRCD Server version 3.2 beta 17 match irc m|^:[-.\w]+ NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\n| v/Unreal ircd/// # dancer-ircd 1.0.31+maint8-1 @@ -346,10 +341,7 @@ match mysql m/^.\0\0\0\n(3\.[-.\w]+)\0...\0/s v/MySQL/$1// # r(NULL,2B,"'\0\0\0\n4.0.13\0\xdf\xbc\x02\0SC7)fHu5\0, \x08\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0") match mysql m/^.\0\0\0\n(4\.[-.\w]+)\0...\0/s v/MySQL/$1// -# Hmmm ... http://seclists.org/lists/incidents/2002/Mar/0047.html -# So "ncacn_http" may be used by multiple services. I'll take this -# one out for now. -# match ncacn_http m|^ncacn_http/([\d.]+)$| v/ncacn_http/$1// +match ncacn_http m|^ncacn_http/([\d.]+)$| v/ncacn_http/$1// # NCD Thinstar 300 running NCD Software 2.31 build 6 match ncd-diag m|^WinCE/WBT Diagnostic port\n\rSerial Number: (\w+) MAC Address: 0000(\w+)\s+.*CPU info: ([ -.+\w/ ]+)\r\n.*(Windows CE Kernel[-.+:\w ]+)\r|s v|NCD Thinster Terminal Diagnostic port||Serial# $1; MAC: $2; CPU: $3; $4| 
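Review bot: Re-enabling `match ncacn_http m|^ncacn_http/([\d.]+)$| v/ncacn_http/$1//` drops the only record of why it had been disabled (the removed comment noted that several services answer with this banner and gave a reference link), so the next reader cannot tell whether the ambiguity was resolved or simply accepted; keep a one-line comment above the match such as `# ncacn_http banner is shared by several products; only the version string is reliable`. Reporting the protocol name in the product field `v/ncacn_http/` is presumably deliberate for the same reason, and a comment saying so would make that clear.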
@@ -360,6 +352,7 @@ match netstat m|^Active Internet connections \(servers and established\)\nProto match netstat m|^netstat: invalid option -- f\nusage: netstat \[-veenNcCF\]| v/Linux netstat//broken/ match nntp m|^nnrpd: invalid option -- S\nUsage error\.\n| v/INN NNTPd//broken/ +match nntp m|^502 You have no permission to talk\. Goodbye.\r\n$| v/INN NNTPd//unauthorized/ match nntp m|^200 [-.\w]+ NNTP Service Ready - ([-.\w]+@[-.\w]+) \(DIABLO (\d[-.\w ]+)\)\r\n| v/Diablo NNTP service/$2/Admin: $1/ match nntp m|^200 NNTP Service (\d[-.\w ]+) Version: (\d[-.\w ]+) Posting Allowed \r\n| v/Microsoft NNTP Service/$2/posting ok/ match nntp m|^200 [-.\w]+ DNEWS Version (\d[-.\w]+).*posting OK \r\n| v/Netwinsite DNEWS/$1/posting OK/ @@ -516,6 +509,9 @@ match sftp m|^\+Shiva SFTP Service\0$| v/Shiva LanRover SFTP service/// # HP-UX B.11.00 A 9000/785 match shell m|^\x01remshd: getservbyname\n$| v/HP-UX Remshd/// +# good SMTP banner regexps can be found here: +# http://www.tty1.net/smtp-survey/measurement_en.html + match smtp m|^220 [-/.+\w]+ SMTP AnalogX Proxy (\d[-.\w]+) \(Release\) ready\r\n| v/AnalogX SMTP proxy/$1// match smtp m|^220 [-/.+\w]+ MailGate ready for ESMTP on | v/MailGate smtpd//Windows/ 
@@ -527,9 +523,11 @@ match smtp m|^220 [-.+\w]+ ESMTP NetIQ MailMarshal \(v(\d[-.\w]+)\) Ready\r\n| v # Dots in Revision to prevent MY CVS from screwing it up match smtp m|^220 [-.+\w]+ Novonyx SMTP ready \$Re..sion: ([\d.]+) \$\r\n| v|Novonyx Novell NetMail smtpd||Revision $1| match smtp m|^554-[-.+\w]+\.us\r\n554 Access denied\r\n$| v/IronPort appliance mail rejector/// -match smtp m|^220 eSafe@[-.+\w]+ Service ready\r\n| v/eSafe anti-virus mail gatewal/// -match smtp m|^220 [-.+\w]+ ESMTP Merak (\d[-.\w]+);| v/Merak Mail Server smtpd/$1/Windows/ -match smtp m|^220 MERCUR SMTP-Server \(v([^)]+)\) for ([-.\w ]+) ready at | v/LAN-ACES MERCUR smtp server/$1/$2/ +match smtp m|^220 eSafe@[-.+\w]+ Service ready\r\n| v/eSafe mail gateway/// +match smtp m|^220 .*?eSafe E?SMTP Service (\d\S+) ready| v/eSafe mail gateway/$1// +match smtp m|^220 .*?eSafe E?SMTP Service ready| v/eSafe mail gateway/// +match smtp m|^220 \S+ ESMTP Merak (\d[^;]+);| v/Merak Mail Server smtpd/$1/Windows/ +match smtp m|^220.*?MERCUR SMTP[\s-]Server \(v([^)]+)\) for ([-.\w ]+) ready at | v/LAN-ACES MERCUR smtp server/$1/$2/ match smtp m|^220 [-.+\w]+ MasqMail (\d[-.\w]+) ESMTP\r\n| v/MasqMail smtpd/$1// # Cisco NetWorks ESMTP server IOS (tm) 5300 Software (C5300-IS-M) on Cisco 5300 Access Server match smtp m|^220 [-.+\w]+ Cisco NetWorks ESMTP server\r\n| v/Cisco IOS NetWorks smtp server/// 
@@ -559,11 +557,11 @@ match smtp m/^220 X1 NT-ESMTP Server [-.+\w]+ \(IMail ([^)]+)\)\r\n/ v/IMail NT- match smtp m/^220-[-.+\w]+ Microsoft SMTP MAIL ready at.*Version: ([-\w.]+)\r\n/ v/Microsoft SMTP/$1// match smtp m/^220 [-.+\w]+ Microsoft ESMTP MAIL Service, Version: ([-\w.]+) ready/ v/Microsoft ESMTP/$1// match smtp m/^220 [-.+\w]+ ESMTP Server \(Microsoft Exchange Internet Mail Service ([-\w.]+)\) ready/ v/Microsoft Exchange/$1// -match smtp m/^220 [-.+\w]+ ESMTP Sendmail (\d[^;]+);/ v/Sendmail/$1// -match smtp m|^220 [-.+\w]+ SMTP Sendmail ([-/.+\w]+)\r\n| v/Sendmail/$1// -match smtp m|^220 [-.+\w]+ Sendmail (SMI-\S+) ready at .*\r\n$| v/Sendmail/$1// -match smtp m/^220[- ][^\r\n]+ ESMTP Exim (\d\S+)/ v/Exim smtpd/$1// -match smtp m/Failed to open configuration file.*exim/ v/Exim smtpd/// +match smtp m|^220[\s-]\S+ E?SMTP Sendmail (\d[^; ]+)| v/Sendmail/$1// +match smtp m|^220[\s-]\S+ Sendmail (SMI-\S+) ready at .*\r\n$| v/Sendmail/$1// +match smtp m/^220[- ][^\r\n]+ ESMTP Exim (V?\d\S+)/ v/Exim smtpd/$1// +match smtp m|^220 \S+ \S+ ESMTP receiver fssmtpd(\d+) ready| v/fssmtpd/$1// +match smtp m/Failed to open configuration file.*exim/ v/Exim smtpd//broken/ match smtp m/^220 CheckPoint FireWall-1 secure ESMTP server\r\n$/ v/Checkpoint FireWall-1 smtpd/// match smtp m/^220 CheckPoint FireWall-1 secure SMTP server\r\n$/ v/Checkpoint FireWall-1 smtpd/// match smtp m|^220 [-.+\w]+ running IBM AS/400 SMTP V([\w]+)| v|IBM AS/400 smtpd|$1|| 
@@ -577,13 +575,14 @@ match smtp m|^220-InterScan Version (\S+) .*Ready\r\n220 [-.+\w]+ NTMail \(v([-. match smtp m|^220 [-.\w]+ InterScan VirusWall NT ESMTP (\d[-.\w]+) \(build (\d+)\) ready at | v/Trend Micro InterScan VirusWall SMTP/$1 build $2// match smtp m|^220 [-.+\w]+ GroupWise Internet Agent (\S+) .*Novell, Inc\..*Ready\r\n| v/Novell GroupWise/$1// match smtp m|^220 Matrix SMTP Mail Server v([\w.]+) on Simple Mail Transfer Service Ready\r\n| v/Matrix SMTP Mail Server/$1/on Matrix $2/ -match smtp m|^220 Net_sec WebShield SMTP V(\S+) Network Associates, Inc\. Ready at| v/Network Associates WebShield/$1// +match smtp m|^220 \S+ WebShield SMTP V(\d\S.*?) Network Associates, Inc\. Ready at| v/Network Associates WebShield/$1// +match smtp m|^220 \S+ WebShielde250/SMTP Ready.| v/WebShielde250 smtpd/// match smtp m|^220 [-.+\w]+ ESMTP MailMasher ready to boogie\r\n| v/MailMasher smtpd/// # 220 example.com ESMTP Postfix (2.0.13) (Mandrake Linux) match smtp m|^220 [-.\w]+ ESMTP Postfix \(([-.\w]+)\) \(([-.\w ]+)\)| v/Postfix smtpd/$1/$2/ # postfix 1.1.11-0.woody2 -match smtp m|^220 [-.\w]+ ESMTP Postfix| v/Postfix smtpd/// -match smtp m|^220 \*{10,40}\r\n| v|Cisco PIX sanatized smtpd||| +match smtp m|^220[\s-]\S+ ESMTP Postfix| v/Postfix smtpd/// +match smtp m|^220 [\*\d\ ]{10,300}\r\n| v|Cisco PIX sanatized smtpd||| match smtp m|^220 ArGoSoft Mail Server Pro for WinNT/2000/XP, Version [-.\w]+ \(([-.\w]+)\)\r\n| v/ArGoSoft Mail Server Pro/$1// match smtp m|^220 [-.\w]+ ESMTP server \(Post.Office v([-.\w]+) release ([-.\w]+) ID# | v/Post.Office/$1 release $2// match smtp m|^220 [-.\w]+ ESMTP VisNetic.MailServer.v([-.\w]+); | v/VisNetic MailServer/$1// 
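Review bot: `match smtp m|^220 [\*\d\ ]{10,300}\r\n| v|Cisco PIX sanatized smtpd|||` now matches any 220 banner made of 10–300 digits, spaces and asterisks, so a plain numeric banner (constructed example: `220 20050423 0247\r\n`) would be reported as a Cisco PIX, whereas the replaced `\*{10,40}` required the asterisk run the match is named for; keeping a mandatory asterisk run, e.g. `^220 \*{5,}[\*\d ]*\r\n`, preserves the widening without that false positive. While the line is being rewritten, `sanatized` in the product field should read `sanitized` (the misspelling is carried over from the removed line). The minimum run length is a judgement call, since the banner format itself is not shown in this diff.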
@@ -596,13 +595,38 @@ match smtp m|^relaylock: Error: PRODUCT_ROOT_D not defined\nrelaylock: Error: PR match smtp m|^220 [-.\w]+ WebSTAR Mail Simple Mail Transfer Service Ready\r\n| v/WebSTAR SMTP server/// match smtp m|^220 [-.\w]+ Lotus SMTP MTA Service Ready\r\n$| v/Lotus Notes SMTP/// match smtp m|^220 [-.\w]+ SMTP NAVGW (\d[-.\w]+);| v/Norton Antivirus Gateway NAVGW/$1// -match smtp m|^220 ([-.\w]+) Kerio MailServer (\d[-.\w]+) ESMTP ready\r\n$| v/Kerio MailServer/$1/$2/ -match smtp m|^220 YSmtp \S+ ESMTP service ready| v/Yahoo! MTA/// -match smtp m|^220 \S+ GMX Mailservices ESMTP| v/GMX MTA/// -match smtp m|214 2\.0\.0 http://www\.google\.com/search.*RFC\+2821\s*\r?\n| v/Google SMTP/// -match smtp m|^220 \S+ ESMTP MailMax (\d[-.\w\d]+)| v/MailMax/$1// -match smtp m|^220 Welcome to the INDY SMTP Server\r\n$| v/INDY smtpd/// -softmatch smtp m|^220 [-.\w ]+SMTP.*\r\n| +match smtp m|^220 [-.\w]+ Kerio MailServer (\d[-.\w]+) ESMTP ready\r\n$| v/Kerio MailServer/$1// +match smtp m|^220 YSmtp \S+ ESMTP service ready| v/Yahoo! 
smtpd/// +match smtp m|^220 Compuserve Office Mail Service \(lnxc-(\d+)\) ESMTP| v/Compuserve smtpd/$1// +match smtp m|^220 \S+ GMX Mailservices ESMTP| v/GMX smtpd/// +match smtp m|^220 \S+ ESMTP MailMax (\d[-.\w\d]+)| v/MailMax smtpd/$1// +match smtp m|^220 \S+ ESMTP WEB.DE V([^\s\;]+)| v/Web.de smtpd/$1// +match smtp m|^220 Welcome to Nemesis ESMTP server on \S+| v/Nemesis smtpd/// +match smtp m|^220 Welcome to the INDY SMTP Server\r\n$| v/INDY smtpd/// +match smtp m|^220 Postini E?SMTP (\d+) [\w\d_\+-]+ ready| v/Postini smtpd/$1// +match smtp m|^220 [\w\d-]+\.hotmail\.com Sending unsolicited commercial| v/Hotmail smtpd/// +match smtp m|^220[-\s]\S+ \(IntraStore TurboSendmail\) E?SMTP Service ready| v/TurboSendmail smtpd/// +match smtp m|^220[-\s]\S+ E?SMTP Mirapoint (\d[^\;]+);| v/Mirapoint smtpd/$1// +match smtp m|^220[-\s]\S+ Trend Micro InterScan Messaging Security Suite, Version: (\d\S+) ready| v/Trend Micro InterScan smtpd/$1// +match smtp m|^220[-\s]\S+.*?Server ESMTP \(iPlanet Messaging Server (\d[^\(\)]+)| v/Sun iPlanet smtdp/$1// +match smtp m|^220[-\s]\S+ running Eudora Internet Mail Server X (\d\S+)| v/Eudora smtpd/$1// +match smtp m|^220 \S+ - Maillennium E?SMTP| v/Maillennium smtpd/// +match smtp m|^220 \S+.*?SMTP \(Sun Internet Mail Server sims.(\d[^\)]+)\)| v/Sun sims smtpd/$1// +match smtp m|^220 \S+ ESMTP qpsmtpd (\d\S+) ready;| v/qpsmtpd/$1// +match smtp m|^220 \S+ ESMTP XWall v(\d\S+)| v/XWall smtpd/$1// +match smtp m|^220 \S+ ESMTP Service \(Worldmail (\d[^\)]+)\) ready| v/Worldmail smtpd/$1// +match smtp m|^220 \S+ eMail Sentinel (\d+) ESMTP Service ready| v/eMail Sentinel smtpd/$1// +match smtp m|^220 \S+ ESMTP mxl_mta-(\d[^\;]+);| v/mxl smtpd/$1// +match smtp m|^220 \S+ -- Server ESMTP \(SUN JES MTA 6\.x\)| v/SUN JES smtpd/6.x// +match smtp m|^220 \S+ Service ready by DvISE PostMan \((\d+)\) ESMTP Server| v/DvISE PostMan smtpd/$1// +match smtp m|^220 \S+ F-Secure Anti-Virus for Internet Mail ready| v/F-Secure AV SMTP Proxy/// +match smtp 
m|^220 \S+ Welcome to SpamFilter for ISP SMTP Server v(\d\S+)| v/LogSat SMTP Proxy/$1// +match smtp m|^220-TrendMicro IMSS SMTP proxy\r\n| v/TrendMicro SMTP Proxy/// +match smtp m|^220 \S+ ESMTP server \(InterMail v(\S+)| v/InterMail smtpd/$1// +match smtp m|^220 \S+ -- Server ESMTP \(Sun Java System Messaging Server (\d[^\(\)]+)| v/SUN JSMS smtpd/$1// +match smtp m|^220 jMailer SMTP Server\r\n$| v/jMailer smtpd/// + +softmatch smtp m|^220[\s-].*?E?SMTP[^\r]*\r\n| match snpp m|^220 [-.\w]+ SNPP server \(HylaFAX \(tm\) Version ([-.\w]+)\) ready.\r\n| v/HylaFAX SNPP/$1// match snpp m|^220 QuickPage v(\d[-.\w]+) SNPP server ready at | v/QuickPage SNPP/$1// @@ -737,7 +761,7 @@ match telnet m/^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f.*User Access Ve # Cisco Pix 501 PIX IOS 6.3(1) telnet match telnet m/^\xff\xfb\x03\xff\xfb\x01\xff\xfb\x03\xff\xfb\x01.*\r\nUser Access Verification\r\n\r\nPassword: /s v/Cisco telnetd//IOS 6.X/ # Cisco Catalyst 6509 - WS-C6509 Software, Version NmpSW: 5.5(1) -match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\r\n\r\nCisco Systems Console\r\n\r\n\r\n\r\n\r\nEnter password: | v/Cisco Catalyst switch telnetd/// +match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\r\n\r\nCisco Systems Console\r\n| v/Cisco Catalyst switch telnetd/// match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f\r\n\r\nPassword required, but none set\r\n| v/Cisco router telnetd//password required but not set/ match telnet m|^Access not permitted\. Closing connection\.\.\.\n$|s v/Cisco catalyst switch telnetd//access denied/ match telnet m|^\xff\xfd\x18$| v/Cisco microswitch telnetd/// 
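Review bot: `v/Sun iPlanet smtdp/$1//` on the `Server ESMTP \(iPlanet Messaging Server` match misspells the product as `smtdp`; every neighbouring line in this hunk uses `smtpd` (`Yahoo! smtpd`, `GMX smtpd`, `MailMax smtpd`), so it should be `v/Sun iPlanet smtpd/$1//` before the string ends up in reports and in anything that keys on product names. The other renames in the hunk are consistent with that convention.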
@@ -765,6 +789,13 @@ match telnet m|^\xff\xfd\x18\xff\xfb\x01\xff\xfe\x01Remote Management Console\r\
 # Note that openwall telnetd is derived from OpenBSD telnetd
 match telnet m|^\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'\xff\xfd\$$| v|Openwall GNU/*/Linux telnetd|||
 match telnet m|^\xff\xfc\x01\r\nHP JetDirect\r\n\r\nPlease type \"\?\" for HELP, or \"/\" for current settings\r\n> $| v/HP Jet Direct printer telnetd///
+match telnet m|^\xff\xfb\x01\xff\xfb\x03\r\nAXIS (\S+) TELNET| v/AXIS Webcam/$1//
+match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f\r\n\r\nTelebit\'s NetBlazer Version (\S+)\r\n| v/Telebit NetBlazer/$1//
+match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x03.*?FORE\x20Systems,\x20FORE\x20ES-2810.*?Version (\d[\d\.-]+)| v/FORE Systems ES-2810/$1//
+match telnet m|^\xff\xfb\x03\xff\xfb\x01.*ForeRunner ES-3810.*Enter Username: | v/FORE Systems ES-3810///
+match telnet m|^\xff\xfb\x01\r\nCopyright \(C\) 1999 by Extreme Networks\r\r\n| v/Extreme Networks telnetd///
+match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03.*?ES-1000\x20Fast\x20Ethernet\x20Switch\x20Console| v/Marconi ES-1000///
+match telnet m|^\xff\xfb\x01login:\x20$| v/telnet//generic/
 # tinc 1.0.2-2 on Linux
 match tinc m|^0 \w+ 17\n| v/tinc vpn daemon///
@@ -807,6 +838,10 @@ match bpcd m|^gethostbyaddr: [\w ]+\n$| v/Veritas Netbackup//refused/
 # PostCast SMTP server 2.6.0 ( http://www.postcastserver.com/ )
 match smtp m|^220 PostCast SMTP server.*\r\n$| v/PostCast SMTP server///
+match omapi m|^\0\0\0d\0\0\0\x18$| v/ISC (BIND|DHCPD) OMAPI///
+match svnserve m|^\(\x20success\x20\(\x201\x202\x20\(\x20ANONYMOUS\x20\)\x20\(\x20edit-pipeline\x20\)\x20\)\x20\)\x20$| v/Subversion///
+match icecreamd m|^[\x14-\x1f]\0\0\0$| v/icecreamd///
+
 ##############################NEXT PROBE##############################
 Probe TCP GenericLines q|\r\n\r\n|
 ports 21,23,43,98,110,113,199,505,540,628,1040,1248,1467,1501,2010,3333,5432,5555,6112,6667-6670,11965,30444
@@ -834,7 +869,7 @@ match ftp m|^220 FTP server ready\.\r\n501 Command not supported\.\r\n$| v/D-Lin
 match ftp m|^220 [-.\w]+ FTP server ready\.\r\n530 Please login with USER and PASS\.\r\n530 Please login with USER and PASS\.\r\n$| v/Solaris ftpd///
 # vsftpd (Very Secure FTP Daemon) 1.0.0 on linux with custom ftpd_banner
 # We'll have to see if this match is unique enough
-match ftp m|^220 .*\r\n530 Please login with USER and PASS\.\r\n530 Please login with USER and PASS\.\r\n|s v/vsFTPd///
+match ftp m|^220 .*\r\n530 Please login with USER and PASS\.\r\n530 Please login with USER and PASS\.\r\n|s v/vsFTPd//customized banner/
 match ftp m|^220 [-.\w]+ FTP Server ready \.\.\.\r\n530 \r : User not logged in\. Please login with USER and PASS first\.\r\n530 \r : User not logged in\. Please login with USER and PASS first\.\r\n$| v/Bulletproof ftp server//Windows/
 # BulletProof FTP 2.21 on Windows 2000 Server
 match ftp m|^220 ftp\r\n$| v/Bulletproof ftp server//Windows/
@@ -923,6 +958,10 @@ match http m|HTTP/1\.0 404 Not Found\r\nServer: GRISOFT-AVG TCP Server/(\d[-.\w
 # Ubicom embedded ( http://www.ubicom.com/home.htm )
 match http m|^HTTP/1\.1 400 Bad Request\r\nCache-control: no-cache\r\nServer: Ubicom/(\d[-.\w ]+)\r\n| v/Ubicom embedded HTTP server/$1//
+# wesnotd multiplayer network daemon (http://www.wesnoth.org/)
+match wesnotd m|^\0\0\0\x16\0\0\0\x1f\x02version\0\x040\..\..\0\0\x02mustlogin\0x05\x01\0| v/wesnotd///
+
+
 ##############################NEXT PROBE##############################
 Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
 ports 70,79,80-85,88,113,139,143,280,497,515,540,554,631,783,993,995,1220,1503,2030,3052,3128,3372,3531,3689,5000,5432,5800,5900,6699,7070,8000-8010,8080-8085,8880-8888,9090,9999,10000,10005,11371,13722,15000,40193,4711
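Review bot: The new `match wesnotd` line in the second hunk contains `\0x05`, which the pattern syntax reads as a NUL byte followed by the literal characters `x05`; the neighbouring byte sequences in the same pattern (`version\0\x04`, `\x01\0`) suggest `\0\x05` was intended, so as written the match probably never fires on a real greeting. Changing the escape to `\0\x05` (if that is the wire format) fixes it. The hunk also adds two blank lines before the `NEXT PROBE` banner where the rest of the file, including the other hunks in this commit, uses one.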
@@ -969,6 +1008,7 @@ match gnutella m|^HTTP/1\.[01] 404 Not Found\r\nServer: gtk-gnutella/(\d[-.\w]+)
 match gnutella m|^HTTP/1\.1 406 Not Acceptable\r\n$| v/LimeWire Gnutella P2P client///
 match gnutella m|^HTTP/1\.0 200\r\nServer: Mutella\r\n| v/Mutella Gnutella P2P client///
 match gnutella m|^HTTP/1\.1 404 Not Found\r\nServer: giFT-Gnutella/(\d[-.\w]+)\r\n| v/GiFT P2P client gnutella module/$1//
+match gnutella m|^HTTP/1\.1 200 OK\r\n.*\r\nServer: Shareaza (\d\S+)|s v/Shareaza/$1//
 match gopher m|^HTTP/1\.0 200 Ok\r\nMIME-Version: 1\.0\r\nServer: GopherWEB/(\d[-.\w]+)\r\n| v/Internet Gopher Server//Gopher+ protocol; GopherWeb $1/
 match http m|^HTTP/1\.0 401 Unauthorized\r\nPragma: no-cache\r\nContent-type: text/html\r\nWWW-Authenticate: Basic realm=\"Login to the Router Web Configurator\"\r\n\r\n\n \n 401 Unauthorized\n \n\n\n
| v/Draytek Vigor aDSL router webadmin///
@@ -1135,6 +1175,7 @@ match http m|^HTTP/1\.0 \d\d\d .*\r\nServlet-Engine: Tomcat Web Server/(\d[-.\w]
 match 3dm-http m|^HTTP/1\.0 200 OK\r\nServer: 3ware/(\d[-.\w]+)\r\n.*3ware 3DM - No remote access|s v/3Ware 3DM Raid Daemon/$1/Access denied/
 match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: publicfile| v/publicfile httpd///
 match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+) ([^\r\n]+)|s v/Apache httpd/$1/$2/
+match http m|^HTTP/1\.[01].*Server: Apache/([\d\.-\w]+)\s*\r?\n|s v/Apache httpd/$1//
 match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Apache/(\d[-.\w]+)\r\n.*X-Powered-By: ([^\r\n]+)\r\n|s v/Apache httpd/$1/$2/
 match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Apache/(\d[-.\w]+)\r\n|s v/Apache httpd/$1//
 # apache 1.3.26-0woody3 or Apache 2.0.45
@@ -1227,6 +1268,8 @@ match http m|^401 Access denied\r\nWWW-Authenticate: Negotiate \r\nContent-lengt
 match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: RomPager/([-.\w/ ]+)\r\n|s v/Embedded Allegro RomPager webserver/$1/ZyXEL ZyWALL 2/
 match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: IDSL MailGate (\d[-.\w]+)\r\n| v/MailGate web proxy/$1//
+match http m|^HTTP/1\.0 \d\d\d .*The AXIS 200 Home|s v/AXIS 200 Webcam///
+
 # While this response looks like a web admin port, I think the same port is used for the primary
 # proxy functionality. This is version 3.0 final on Linux.
 match http-proxy m|^HTTP/1\.1 401 Unauthorized\r\nConnection: closed\r\nContent-Length: \d+\r\nWWW-Authenticate: Basic realm=\"WebWasher configuration\"\r\n| v/WebWasher filtering proxy///
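Review bot: The added Apache line in the first hunk sits above the existing `Server: Apache/(\d[-.\w]+)\r\n.*X-Powered-By: ([^\r\n]+)` match, and because it accepts any `Server: Apache/<version>` header with nothing after the version, every response the X-Powered-By line could match is now claimed by the new line first, so that extrainfo (and the plain HTTP/1.1 line below it) becomes unreachable, assuming the file's usual first-match-wins evaluation. Moving the new line below those two keeps the more specific result. The character class `[\d\.-\w]` also places `-` between `\.` and `\w`, which Perl reports as a false range and PCRE quietly treats as a literal hyphen; the file writes this class as `[-.\w]` everywhere else, e.g. `Apache/(\d[-.\w]+)` two lines down.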
@@ -1388,6 +1431,7 @@ match http m|^HTTP/1\.1 \d\d\d .*\r\nserver: BBC \d[-.\w]+; com\.hp\.openview\.C
 # Zero One Technology ( http://www.01tech.com/ ) print servers embedded HTTP service
 match http m|^HTTP/1\.\d\x20200\x20OK\r\nDate:\x20.*\r\nMIME-version:\x201\.\d\r\nServer:\x20ZOT-PS-(\d+)/(\d[-.\w]+)\r\n| v/Zero One Technology print server model $1 HTTP server/$2//
+match kmldonkey m|^HTTP/1\.1 400 Bad Request\r\nServer: KMLDonkey/(\d\S+)| v/KMLDonkey/$1//
 ##############################NEXT PROBE##############################
 Probe TCP RTSPRequest q|OPTIONS / RTSP/1.0\r\n\r\n|
@@ -1588,6 +1632,8 @@ match nameserver m|^\0\x06\x01\0\0\x01\0\0\x03\x03\x02$| v/Solaris Internet Name
 Probe TCP Help q|HELP\r\n|
 ports 1,7,21,25,79,113,2401,2627
 sslports 465
+totalwaitms 7500
+
 # CVSD (cvs chrooting service for pserver) cvsd 0.9.18
 # CVS 1.11.5 pserver
 match cvspserver m|^cvs \[pserver aborted\]: bad auth protocol start: HELP\r\n\n$| v/cvs pserver///
@@ -1628,34 +1674,29 @@ match ident m|^\d+, \d+ : USERID : UNIX : [-.@\w]+\r\n| v/Internet Rex identd///
 match smtp m|^220 [-.+\w]+ Generic SMTP handler\r\n214 Help not supported by this implementation\r\n$| v/Symantec Enterprise Firewall smtp proxy///
 # Lotus Notes Domino 6.1 smtp server on Win2K
 match smtp m|^220 Welcome to [-.+\w]+ ESMTP Server at .*\r\n214-Enter one of the following commands:\r\n214-HELO EHLO MAIL RCPT DATA RSET NOOP QUIT\r\n214 HELP VRFY EXPN STARTTLS \r\n$| v/Lotus Notes Domino smtpd///
-# Exim 3.33 on FreeBSD
-match smtp m|^220 ESMTP\r\n214-Commands supported:\r\n214- HELO EHLO MAIL RCPT DATA ETRN\r\n214 NOOP QUIT RSET HELP \r\n$| v/Exim smtpd/3.33//
+match smtp m|^220.*?\n214-Commands supported:\r\n214- HELO EHLO MAIL RCPT DATA(?: ETRN)?(?: AUTH)?\r\n214 NOOP QUIT RSET HELP \r\n$| v/Exim smtpd/3.X//
+match smtp m|^220.*?ESMTP.*\n214-Commands supported:\r\n214 AUTH (?:STARTTLS )?HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP\r\n$| v/Exim smtpd/4.X//
-# Exim 4.22 with SSL compiled in (STARTTLS) custom banner (runtime configuration option) and VRFY and
-# EXPN also disabled in config file
-match stmp m|^220 [-/.+\w]+ ESMTP\r\n214-Commands supported:\r\n214 AUTH STARTTLS HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP\r\n| v/Exim smtpd///
-# Exim 4.20 on Astaro Security Linux gateway/proxy/firewall/router.
-match smtp m|^220 [-.\w]+ ESMTP ready\.\r\n214-Commands supported:\r\n214 AUTH STARTTLS HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP\r\n$| v/Exim smtpd/4.20//
-
-# Exim 4.0 with exiscan patch and banner removed - Linux 2.1.19 - 2.2.25
-match smtp m|^220 .*SMTP Ready\. 
Expected Helo with a valid domain\.\r\n214-Commands supported:\r\n214 AUTH HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP\r\n| v/Exim smtpd/4.0//
-
-match smtp m|^220 .* ESMTP ?\r\n214[- ]qmail home page: http://pobox.com/~djb/qmail.html| v/qmail smtpd///
-match smtp m|^220 .* ESMTP ?\r\n214[- ]qmail home page: http://pobox\.com/~djb/qmail\.html\r\n214[- ]qmail-ldap patch home page: http://www\.nrg4u\.com\r\n| v/qmail-ldap smtpd///
-match smtp m|^220 [-.\w]+ ESMTP\r\n214 netqmail home page: http://qmail\.org/netqmail\r\n| v/netqmail smtpd/1.04//
+match smtp m|^220[\s-]\S+ ESMTP ?\r\n214[- ]qmail home page: http://pobox.com/~djb/qmail.html| v/qmail smtpd///
+match smtp m|^220[\s-]\S+ ESMTP ?\r\n214[- ]qmail home page: http://pobox\.com/~djb/qmail\.html\r\n214[- ]qmail-ldap patch home page: http://www\.nrg4u\.com\r\n| v/qmail-ldap smtpd///
+match smtp m|^220[\s-].*?ESMTP\r\n214 netqmail home page: http://qmail\.org/netqmail\r\n| v/netqmail smtpd/1.04//
 # VirusBuster MailShield for SMTP. Version 1.15.030 on Linux 2.4
 match smtp m|^220 [-.\w]+ SMTP version 1\.00;\r\n214 We strongly advise you to study of the RFC821\.\.\.\r\n$| v/VirusBuster MailShield for SMTP///
-# Postfix 1.1.11.0-woody3
-# Postfix 1.1.7-2
-match smtp m|^220 [-.\w]+ ESMTP Postfix\r\n$| v/Postfix smtpd/1.X//
 # Postfix 1.1.12, 1.1.13, 2.0.9, 2.0.16
 match smtp m|^220 .*\r\n502 Error: command not implemented\r\n$| v/Postfix smtpd///
 # Courier ESMTP courier-0.42.0-1.7.3
 match smtp m|^220 [-.\w]+ ESMTP\r\n502 ESMTP command error\r\n$| v/Courier smtpd///
-match smtp m|^220 [-.\w]+ ESMTP Sendmail ([^;]{3,50})| v/Sendmail smtpd/$1//
-match smtp m|^220 [-.\w]+ ESMTP Sendmail;| v/Sendmail smtpd///
-match smtp m|220.*214-2\.0\.0 This is sendmail version ([-+.\w]+)\r\n214-2\.0\.0 Topics:\r\n214-2\.0\.0|s v/Sendmail smtpd/$1//
+match smtp m|214-2\.0\.0 This is sendmail version (\S+)\r?\n214-2\.0\.0 Topics:|s v/Sendmail/$1//
+match smtp m|^220 \S+ E?SMTP Sendmail;| v/Sendmail///
 match smtp m|^220.* Sendmail 
(\d[-.\w]+) -- HELP not implemented\r\n|s v/Sendmail/$1//
+match smtp m|^220.*214-This is America Online mail version [vV](\S+)|s v/AOL smtpd/$1//
+match smtp m|^220.*214 2\.0\.0 http://www\.google\.com/search.*RFC\+2821\s*\r?\n|s v/Google smtpd///
+match smtp m|^220.*214 SMTP server comments and bug reports to: \<zmhacks\@nic.funet.fi\>|s v/ZMailer smtpd///
+match smtp m|^220.*500 MessageWall: Unrecognized command|s v/MessageWall SMTP proxy///
+match smtp m|^220.*500 Unknown or unimplemented command|s v/MIMEsweeper SMTP proxy///
+match smtp m|^220.*214 See http\:\/\/www\.messagelabs\.com\/support|s v/MessageLabs smtpd///
+match smtp m|^220 \S+ ESMTP Service\r\n502 5\.3\.0 Sendmail Xserve -- HELP not implemented\r\n$| v/Xserve smtpd///
+
 match tcpmux m|^(sgi_[-.\w]+\r\n([-.\w]+\r\n)*)$| v/SGI IRIX tcpmux//Available services: $SUBST(1, "\r\n", ",")/
 # Written in 1986. More info at
 # http://ftp.rge.com/pub/X/X11R5/contrib/xwebster.README
@@ -1865,6 +1906,13 @@ ports 1352
 # Lotus Domino (r) Server (Release 6.0.1CF1 for Windows/32
 match lotusnotes m|^.\0\0\0.\0\0\0\x03\0\0@\x02\x0f\0.*\x03\0\0\0\0\x02\0/\0.\0\0\0\0\0\0\0@\x1f.*CN=([-.\w ]+)/O=([-.\w ]+)[^-.\w ]|s v/Lotus Domino server//CN=$1;Org=$2/
+##############################NEXT PROBE##############################
+Probe TCP DistCCD q|DIST00000001ARGC00000005ARGV00000002ccARGV00000002-cARGV00000006nmap.cARGV00000002-oARGV00000006nmap.oDOTI00000000|
+ports 3632
+
+match distccd m|^DONE00000001STAT00000000SERR00000000SOUT00000000DOTO.*?GCC: ([^\0]+)| v/distccd/v1/$1/
+match distccd m|^DONE00000001.*?DOTO00| v/distccd/v1/unknown compiler/
+
 ##############################NEXT PROBE##############################
 Probe UDP Sqlping q|\x02|
 ports 1434
diff --git a/nmap-services b/nmap-services
index 1d347e46c..153d469ab 100644
--- a/nmap-services
+++ b/nmap-services
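Review bot: In the smtp hunk that begins two lines up, the new `match smtp m|214-2\.0\.0 This is sendmail version (\S+)\r?\n214-2\.0\.0 Topics:|s v/Sendmail/$1//` is the only added match in the hunk without a leading `^220` anchor; with the `s` flag and no anchor the pattern is tried from every offset of the response and can also fire on a response whose first line is not a 220 greeting. Prefixing it with `^220.*` as the AOL and Google lines below it do keeps it consistent and cheaper. The replacement lines also rename the product from the removed `Sendmail smtpd` to `Sendmail`, while the qmail and Exim lines in the same hunk keep the `smtpd` suffix; one convention or the other should be used.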
@@ -991,6 +991,7 @@ acp 599/tcp # Aeolon Core Protocol
 acp 599/udp # Aeolon Core Protocol
 ipcserver 600/tcp # Sun IPC server
 ipcserver 600/udp # Sun IPC server
+mnotes 603/tcp # CommonTime Mnotes PDA Synchronization
 urm 606/tcp # Cray Unified Resource Manager
 urm 606/udp # Cray Unified Resource Manager
 nqs 607/tcp #
@@ -1097,8 +1098,9 @@ hp-collector 781/tcp # hp performance data collector
 hp-collector 781/udp # hp performance data collector
 hp-managed-node 782/tcp # hp performance data managed node
 hp-managed-node 782/udp # hp performance data managed node
-hp-alarm-mgr 783/tcp # hp performance data alarm manager
-hp-alarm-mgr 783/udp # hp performance data alarm manager
+spamassassin 783/tcp # Apache SpamAssassin spamd
+# hp-alarm-mgr 783/tcp # hp performance data alarm manager
+# hp-alarm-mgr 783/udp # hp performance data alarm manager
 concert 786/tcp #
 concert 786/udp #
 controlit 799/tcp # Remotely possible
@@ -1154,6 +1156,8 @@ iad3 1032/tcp # BBN IAD
 iad3 1032/udp # BBN IAD
 netinfo 1033/tcp # Netinfo is apparently on many OS X boxes.
 netsaint 1040/tcp # Netsaint status daemon
+boinc-client 1043/tcp # BOINC Client Control
+boinc-client 1043/udp # BOINC Client Control
 java-or-OTGfileshare 1050/tcp # J2EE nameserver, also OTG, also called Disk/Application extender. Could also be MiniCommand backdoor OTGlicenseserv
 nim 1058/tcp #
 nim 1058/udp #
diff --git a/output.cc b/output.cc
index 28a2e07f7..aefee9295 100644
--- a/output.cc
+++ b/output.cc
@@ -523,9 +523,10 @@ void log_write(int logt, const char *fmt, ...)
 bool buf_alloced = false;
 int rc = 0;
-va_start(ap, fmt);
 if (l & LOG_STDOUT) {
+va_start(ap, fmt);
 vfprintf(o.nmap_stdout, fmt, ap);
+va_end(ap);
 l-=LOG_STDOUT;
 }
 if (l & LOG_SKID_NOXLT) { skid=0; l -= LOG_SKID_NOXLT; l |= LOG_SKID; }
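Review bot: The output.cc hunk now brackets the `vfprintf` call with its own `va_start`/`va_end`, but nothing in the code says why, so the next tidy-up can hoist `va_start(ap, fmt)` back above the `if` and reintroduce the crash this commit fixes; once a `va_list` has been passed to `vfprintf` or `vsnprintf` its value is indeterminate (C99 7.19.6.8) and it must be re-initialised before the next consumer. Add a comment above the new `va_start(ap, fmt);`, e.g. `/* ap is consumed by each v*printf call; start/end it per call, never share one traversal */`. The same comment belongs on the `va_start`/`va_end` pair added inside the `while(1)` retry loop in the following hunk, whose per-iteration re-initialisation is correct but equally unexplained. log_write begins before this hunk and continues after it.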
@@ -534,7 +535,9 @@ void log_write(int logt, const char *fmt, ...)
 {
 if (!o.logfd[i] || !(l&1)) continue;
 while(1) {
+va_start(ap, fmt);
 rc = vsnprintf(buf,bufsz, fmt, ap);
+va_end(ap);
 if (rc >= 0 && rc < bufsz) break; // Successful
 // D'oh! Apparently not enough space - lets try a bigger buffer
@@ -545,7 +548,6 @@ void log_write(int logt, const char *fmt, ...)
 if (skid && ((1<<i)&LOG_SKID)) skid_output(buf);
 fwrite(buf,1,strlen(buf),o.logfd[i]);
 }
-va_end(ap);
 if (buf_alloced) free(buf);
diff --git a/scan_engine.cc b/scan_engine.cc
index 65215b48f..83ac605b0 100644
--- a/scan_engine.cc
+++ b/scan_engine.cc
@@ -1700,6 +1700,7 @@ static UltraProbe *sendIPScanProbe(UltraScanInfo *USI, HostScanStats *hss,
 int scanflags = 0;
 int decoy = 0;
 u32 seq = 0;
+u32 ack = 0;
 u16 sport;
 u16 ipid = get_random_u16();
@@ -1733,10 +1734,13 @@ static UltraProbe *sendIPScanProbe(UltraScanInfo *USI, HostScanStats *hss,
 }
 seq = seq32_encode(USI, tryno, pingseq);
+if (scanflags & TH_ACK)
+ack = rand();
+
 for(decoy = 0; decoy < o.numdecoys; decoy++) {
 packet = build_tcp_raw(&o.decoys[decoy], hss->target->v4hostip(), o.ttl,
-ipid, sport, destport, seq, 0, scanflags, 0, NULL,
-0, o.extra_payload, o.extra_payload_length,
+ipid, sport, destport, seq, ack, scanflags, 0,
+NULL, 0, o.extra_payload, o.extra_payload_length,
 &packetlen);
 if (decoy == o.decoyturn) {
 probe->setIP(packet, packetlen);
diff --git a/tcpip.cc b/tcpip.cc
index e89d0f675..5ce1aecee 100644
--- a/tcpip.cc
+++ b/tcpip.cc
@@ -139,7 +139,7 @@ void nmapwin_list_interfaces();
 int if2nameindex(int ifi);
 #endif
-static PacketCounter PC;
+static PacketCounter PktCt;
 #ifndef WIN32 /* Already defined in wintcpip.c for now */
 void sethdrinclude(int sd) {
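Review bot: `ack = rand();` in the second scan_engine.cc hunk does not fill the 32-bit field the way the commit intends on every platform: `rand()` returns an `int` bounded by `RAND_MAX`, which the standard only guarantees to be at least 32767, so on such libcs the upper half of `ack` is always zero and the value is far from the "pseudo-random" ACK described in the CHANGELOG. The preceding hunk already draws `ipid` from the project's own generator (`u16 ipid = get_random_u16();`), so the natural fix is to use the matching 32-bit helper, `ack = get_random_u32();`, assuming nbase provides it alongside the u16 variant as I believe it does; that also keeps all randomised header fields on one source. sendIPScanProbe begins before the first hunk and continues after this one.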
@@ -199,10 +199,10 @@ char *getFinalPacketStats(char *buf, int buflen) {
 #else
 "Raw packets sent: %llu (%s) | Rcvd: %llu (%s)",
 #endif
-PC.sendPackets,
-ll2shortascii(PC.sendBytes, sendbytesasc, sizeof(sendbytesasc)),
-PC.recvPackets,
-ll2shortascii(PC.recvBytes, recvbytesasc, sizeof(recvbytesasc)));
+PktCt.sendPackets,
+ll2shortascii(PktCt.sendBytes, sendbytesasc, sizeof(sendbytesasc)),
+PktCt.recvPackets,
+ll2shortascii(PktCt.recvBytes, recvbytesasc, sizeof(recvbytesasc)));
 return buf;
 }
@@ -217,11 +217,11 @@ void PacketTrace::trace(pdirection pdir, const u8 *packet, u32 len,
 struct timeval tv;
 if (pdir == SENT) {
-PC.sendPackets++;
-PC.sendBytes += len;
+PktCt.sendPackets++;
+PktCt.sendBytes += len;
 } else {
-PC.recvPackets++;
-PC.recvBytes += len;
+PktCt.recvPackets++;
+PktCt.recvBytes += len;
 }
 if (!o.packetTrace()) return;