From 9e199c02130698b6c840c04d43ecbf2238571138 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Thu, 16 Oct 2014 03:54:51 +0000
Subject: [PATCH] Add Docker probe and matchlines Probe and output from Claudio Criscione: http://seclists.org/nmap-dev/2014/q4/69
---
 nmap-service-probes | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/nmap-service-probes b/nmap-service-probes
index afab10616..fdca28c33 100644
--- a/nmap-service-probes
+++ b/nmap-service-probes
@@ -13035,3 +13035,20 @@ Probe UDP NetMotionMobility q|\0\x40\x50\0\0\0\0\x85\x5d\xb4\x91\x28\0\0\0\0\0\x
 rarity 7
 ports 5008
 match NetMotionMobility m|^\0\x40\x51\0\0\0\0| p/NetMotion Mobility VPN/
+
+##############################NEXT PROBE##############################
+# Queries Docker APIs for the /version url containing version information.
+# https://docs.docker.com/reference/api/docker_remote_api/
+#
+Probe TCP docker q|GET /version HTTP/1.1\r\n\r\n|
+rarity 8
+ports 2375
+sslports 2376
+
+match docker m|^HTTP/1\.1 200 OK\r\nContent-Type: application/json\r\nJob-Name: version\r\nDate: .*\r\nContent-Length: \d+\r\n\r\n{.*\"ApiVersion\":\"([^"]+)\",.*\"KernelVersion\":\"([^"]+)\",.*\"Os\":\"([^"]+)\",.*\"Version\":\"([^"]+)\"| p/Docker remote API/ v/$4/ i/API $1; KernelVersion $2/ o/$3/
+# Ordering doesn't matter, we'd like to at least grab ApiVersion and Version
+match docker m|^HTTP/1\.1 200 OK\r\nContent-Type: application/json\r\nJob-Name: version\r\nDate: .*\r\nContent-Length: \d+\r\n\r\n{.*\"ApiVersion\":\"([^"]+)\",.*\"Version\":\"(["]+)\"| p/Docker remote API/ v/$2/ i/API $1/
+match docker m|^HTTP/1\.1 200 OK\r\nContent-Type: application/json\r\nJob-Name: version\r\nDate: .*\r\nContent-Length: \d+\r\n\r\n{.*\"Version\":\"([^"]+)\",.*\"ApiVersion\":\"(["]+)\"| p/Docker remote API/ v/$1/ i/API $2/
+# API spec only lists Version, GoVersion, ApiVersion (in API >= 1.12), and GitCommit.
+# Assuming the above matches will get ApiVersion if it's present, this one can report ApiVersion <= 1.11
+match docker m|^HTTP/1\.1 200 OK\r\nContent-Type: application/json\r\nJob-Name: version\r\nDate: .*\r\nContent-Length: \d+\r\n\r\n{.*\"Version\":\"([^"]+)\"| p/Docker remote API/ v/$1/ i/API 1.11 or older/
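Review bot: The second and third `match docker` lines end their last capture with `(["]+)` where every other group in the hunk uses `([^"]+)`, so that group accepts only a run of double quotes and neither line can match an ordinary `/version` body. A response that carries ApiVersion but does not satisfy the first, four-field pattern then falls through to the final line and is reported as `API 1.11 or older`, which misstates the API level of an exposed daemon in scan results and inventories. Restore the negated class in both places: `\"Version\":\"([^"]+)\"` at the end of the second match line and `\"ApiVersion\":\"([^"]+)\"` at the end of the third.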