diff --git a/CHANGELOG b/CHANGELOG
index 9a72c92f5..0ceb07f2c 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,10 @@ #Nmap Changelog ($Id$); -*-text-*-
+o [GH#1454] New service probes and match lines for v1 and v2 of the Ubiquiti
+ Discovery protocol. Devices often leave the related service open and it
+ exposes significant amounts of information as well as the risk of being used
+ as part of a DDoS. New nmap-payload entry for v1 of the protocol. [Tom Sellers]
+
 o [NSE] Removes hostmap-ip2hosts.nse as the API has been broken for a while and the service will be completely shutdown on Feb 17th. [Paulino Calderon]
diff --git a/nmap-payloads b/nmap-payloads
index 7c396340a..e13971302 100644
--- a/nmap-payloads
+++ b/nmap-payloads
@@ -242,6 +242,9 @@ udp 5353 # CoAP GET .well-known/core udp 5683 "@\x01\x01\xce\xbb.well-known\x04core"
+# Ubiquiti Discovery Service - v1
+udp 10001 "\x01\x00\x00\x00"
+
 # Amanda backup service noop request. I think that this does nothing on the # server but only asks it to send back its feature list. In reply we expect an # ACK or (more likely) an ERROR. I couldn't find good online documentation of
diff --git a/nmap-service-probes b/nmap-service-probes
index c596fd269..a6a5c8b44 100644
--- a/nmap-service-probes
+++ b/nmap-service-probes
@@ -16291,6 +16291,36 @@ ports 4533 # Maybe rigctld also? match rotctld m|^get_info: (.*)\nRPRT 0\n| p/Hamlib rotctld/ i/model: $1/
+##############################NEXT PROBE##############################
+# Ubiquiti Discovery Protocol
+Probe UDP UbiquitiDiscoveryv1 q|\x01\0\0\0|
+rarity 9
+ports 10001
+
+# Valid response is protocol version (\x01) and cmd (\0) followed
+# by 2 bytes of length then TLV groups
+match ubiquiti-discovery m|^\x01\0.[^\0].*\x0c\0\x06AirCam|s p/Ubiquiti Discovery Service/ i/v1 protocol, AirCam/ cpe:/h:ubnt:aircam:/
+match ubiquiti-discovery m|^\x01\0.[^\0].*\x0c\0\nAirCamDome|s p/Ubiquiti Discovery Service/ i/v1 protocol, AirCamDome/ cpe:/h:ubnt:aircam_dome:/
+
+# Match short model name = \x0c followed by 2 byte len then value
+# No known type bytes fall in \w the following regex should be safe
+match ubiquiti-discovery m|^\x01\0.[^\0].*\x0c\0.([\w-]+)|s p/Ubiquiti Discovery Service/ i/v1 protocol, $1/
+
+softmatch ubiquiti-discovery m|^\x01\0.[^\0].{48}|s p/Ubiquiti Discovery Service/ i/v1 protocol/
+
+##############################NEXT PROBE##############################
+# Ubiquiti Discovery Protocol
+Probe UDP UbiquitiDiscoveryv2 q|\x02\x08\0\0|
+rarity 9
+ports 10001
+
+# Valid response is protocol version (\x02 ) and cmd followed
+# by 2 bytes of length then TLV groups
+# Known cmd values are \x06, \x09, and \x0b
+match ubiquiti-discovery m|^\x02[\x06\x09\x0b].[^\0].*\x15\0.([\w-]+)\x16\0.([\d.]+)|s p/Ubiquiti Discovery Service/ i/v2 protocol, $1 software ver. $2/
+match ubiquiti-discovery m|^\x02[\x06\x09\x0b].[^\0].*\x15\0.([\w-]+)|s p/Ubiquiti Discovery Service/ i/v2 protocol, $1/
+softmatch ubiquiti-discovery m|^\x02[\x06\x09\x0b].[^\0].{48}|s p/Ubiquiti Discovery Service/ i/v2 protocol/
+
 ##############################NEXT PROBE############################## # Sharp TV IP/Serial remote control protocol # 4 requests: device name, model name, software version, IP protocol version.
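Review bot: The generic model matches (`^\x01\0.[^\0].*\x0c\0.([\w-]+)` for v1 and the two `\x15\0.([\w-]+)` lines for v2) do not walk the TLV structure: with the `s` flag the greedy `.*` anchors on the last place the byte pair `\x0c\0` or `\x15\0` occurs in the datagram, which can be inside the value of another TLV, so `$1` may be filled from an unrelated field of a reply that the scanned host fully controls. Consider bounding the length byte to a plausible range, for example `\x0c\0[\x01-\x3f]([\w-]+)` if model names are known to be short, or at least recording the limitation next to the existing comment, e.g. `# .* is greedy and not TLV-aware; \x0c\0 inside another value also matches`. Separately, `.[^\0]` rejects any reply whose second length byte is zero, which the "2 bytes of length" comment does not mention and which would silently drop a valid reply of such a size. The two AirCam lines also end the CPE name with an empty field (`cpe:/h:ubnt:aircam:/`); `cpe:/h:ubnt:aircam/` is presumably what was intended.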