From 8f36afdbc693efc6b364d6c13176ab2bc405e275 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Fri, 2 Mar 2018 19:07:14 +0000
Subject: [PATCH] New payload and improved version matches for memcached

---
 nmap-payloads | 6 ++++++
 nmap-service-probes | 8 +++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/nmap-payloads b/nmap-payloads
index ae67d76f8..7c396340a 100644
--- a/nmap-payloads
+++ b/nmap-payloads
@@ -306,3 +306,9 @@ udp 8767
 # http://seclists.org/nmap-dev/2013/q3/72
 udp 9987
 "\x05\xca\x7f\x16\x9c\x11\xf9\x89\x00\x00\x00\x00\x02\x9d\x74\x8b\x45\xaa\x7b\xef\xb9\x9e\xfe\xad\x08\x19\xba\xcf\x41\xe0\x16\xa2\x32\x6c\xf3\xcf\xf4\x8e\x3c\x44\x83\xc8\x8d\x51\x45\x6f\x90\x95\x23\x3e\x00\x97\x2b\x1c\x71\xb2\x4e\xc0\x61\xf1\xd7\x6f\xc5\x7e\xf6\x48\x52\xbf\x82\x6a\xa2\x3b\x65\xaa\x18\x7a\x17\x38\xc3\x81\x27\xc3\x47\xfc\xa7\x35\xba\xfc\x0f\x9d\x9d\x72\x24\x9d\xfc\x02\x17\x6d\x6b\xb1\x2d\x72\xc6\xe3\x17\x1c\x95\xd9\x69\x99\x57\xce\xdd\xdf\x05\xdc\x03\x94\x56\x04\x3a\x14\xe5\xad\x9a\x2b\x14\x30\x3a\x23\xa3\x25\xad\xe8\xe6\x39\x8a\x85\x2a\xc6\xdf\xe5\x5d\x2d\xa0\x2f\x5d\x9c\xd7\x2b\x24\xfb\xb0\x9c\xc2\xba\x89\xb4\x1b\x17\xa2\xb6"
+
+# Memcached
+# version request (shorter response than stats)
+# https://github.com/memcached/memcached/blob/master/doc/protocol.txt
+udp 11211
+"\0\x01\0\0\0\x01\0\0version\r\n"
diff --git a/nmap-service-probes b/nmap-service-probes
index bf9731e88..7f5fd2588 100644
--- a/nmap-service-probes
+++ b/nmap-service-probes
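Review bot: The comment on the new `udp 11211` entry explains why `version` was chosen but says nothing about the eight bytes in front of it, and whoever later retunes this payload will need that layout. I would extend the comment with `# 8-byte UDP frame header (see protocol.txt): request id 0x0001, sequence 0, total datagrams 1, reserved 0`, which is the field order the linked protocol document gives. It is also worth a sentence that this payload only governs what `-sU` port scanning sends: the `Probe UDP memcached` entry in nmap-service-probes (touched by the third hunk) still sends `stats\r\n`, so version detection with `-sV` still elicits the larger multi-line reply this comment is trying to avoid, and readers should not expect the two to be consistent.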
@@ -15118,10 +15118,12 @@ match stomp m|^ERROR\nmessage:Illegal command\ncontent-type:text/plain\nversion:
 Probe TCP Memcache q|stats\r\n|
 rarity 8
 ports 2181,11211
-match memcached m|^STAT pid (\d+)\r\nSTAT uptime (\d+)\r\n.*?STAT version ([\w_.-]+)\r\n.*?STAT curr_items (\d+)\r\nSTAT total_items (\d+)\r\nSTAT bytes (\d+)\r\n|s p/Memcached/ v/$3/ i/PID $1; uptime $2 seconds; curr items: $4; total items: $5; bytes cached: $6/ cpe:/a:memcached:memcached:$3/
-match memcached m|^STAT pid (\d+)\r\nSTAT uptime (\d+)\r\nSTAT time \d+\r\nSTAT version ([.\d]+)\r\n|s p/Memcached/ v/$3/ i/PID $1; uptime $2 seconds/ cpe:/a:memcached:memcached:$3/
+match memcached m|^STAT pid \d+\r\nSTAT uptime (\d+)\r\nSTAT time \d+\r\nSTAT version ([.\d]+)\r\n|s p/Memcached/ v/$2/ i/uptime $1 seconds/ cpe:/a:memcached:memcached:$2/
+match memcached m|^STAT pid \d+\r\nSTAT uptime (\d+)\r\nSTAT time \d+\r\nSTAT version ([.\d]+) \(?Ubuntu\)?\r\n|s p/Memcached/ v/$2/ i/uptime $1 seconds; Ubuntu/ o/Linux/ cpe:/a:memcached:memcached:$2/ cpe:/o:canonical:ubuntu_linux/ cpe:/o:linux:linux_kernel/a
 match zookeeper m|^Zookeeper version: ([\w.-]+), built on ([\w./]+)| p/Zookeeper/ v/$1/ i/Built on $2/ cpe:/a:zookeeper:zookeeper:$1/
 
+softmatch memcached m|^STAT pid \d+\r\n|
+
 ##############################NEXT PROBE##############################
 # Beast Trojan v2
 Probe TCP beast2 q|666|
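Review bot: The first replacement `match` line narrows the version capture from the `[\w_.-]+` the removed multi-field match accepted down to `[.\d]+`, so a server whose `STAT version` line carries any suffix other than the Ubuntu form (a vendor tag, a release-candidate marker) now falls through to the new `softmatch` and loses both the version and the CPE. Restoring the broader class in that one line, `STAT version ([\w.-]+)\r\n|s p/Memcached/ v/$2/ i/uptime $1 seconds/ cpe:/a:memcached:memcached:$2/`, keeps the Ubuntu line reachable, because the space before `Ubuntu` still fails the first pattern, while preserving the version string for other packaged builds. How common such suffixed version strings are is not something the hunk shows, so treat this as a regression to confirm rather than a known one.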
@@ -15579,7 +15581,7 @@ Probe UDP memcached q|\0\x01\0\0\0\x01\0\0stats\r\n|
 rarity 8
 ports 11211
 match memcached m|^\0\x01\0\0\0\x01\0\0STAT pid \d+\r\nSTAT uptime \d+\r\nSTAT time \d+\r\nSTAT version ([.\d]+)\r\n|s p/Memcached/ v/$1/ cpe:/a:memcached:memcached:$1/
-match memcached m|^\0\x01\0\0\0\x01\0\0STAT pid \d+\r\nSTAT uptime \d+\r\nSTAT time \d+\r\nSTAT version ([.\d]+) \(Ubuntu\)\r\n|s p/Memcached/ v/$1/ i/Ubuntu/ o/Linux/ cpe:/a:memcached:memcached:$1/ cpe:/o:canonical:ubuntu_linux/ cpe:/o:linux:linux_kernel/a
+match memcached m|^\0\x01\0\0\0\x01\0\0STAT pid \d+\r\nSTAT uptime \d+\r\nSTAT time \d+\r\nSTAT version ([.\d]+) \(?Ubuntu\)?\r\n|s p/Memcached/ v/$1/ i/Ubuntu/ o/Linux/ cpe:/a:memcached:memcached:$1/ cpe:/o:canonical:ubuntu_linux/ cpe:/o:linux:linux_kernel/a
 # May as well softmatch to avoid further probing
 softmatch memcached m|^\0\x01\0\0\0\x01\0\0STAT |
 
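Review bot: The new `match` line, like the one above it and the `softmatch` below, pins bytes 4–5 of the UDP frame header to `\0\x01`, i.e. a reply that fits in a single datagram; per the protocol.txt the payload hunk links, the server fills that field with the total number of datagrams in its own reply, so a `stats` response large enough to be split would start `\0\x01\0\0\0\x02\0\0` (or higher) and match nothing in this probe, including the softmatch whose comment says it exists to avoid further probing. If single-datagram replies are the intended scope, a comment saying so would help; otherwise I would relax the prefix in all three lines to `^\0\x01\0\0\0[^\0]\0\0STAT `, which still requires sequence 0 and zeroed reserved bytes but accepts any datagram count. I cannot tell from the hunk how large the `stats` reply is on current memcached versions, so the multi-datagram case is something to confirm against a live server before changing the patterns.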