Lucene search
This script is Copyright (C) 2002-2018 and is owned by Tenable, Inc. or an Affiliate thereof.FIND_SERVICE2.NASLHistoryNov 18, 2002 - 12:00 a.m.
Service Detection (HELP Request)
2002-11-1800:00:00
This script is Copyright (C) 2002-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
695
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives a ‘HELP’ request.
###
# (C) Tenable Network Security, Inc.
###
include("compat.inc");
if (description)
{
script_id(11153);
script_version("1.317");
script_cvs_date("Date: 2018/11/26 9:49:36");
script_name(english:"Service Detection (HELP Request)");
script_summary(english:"Sends 'HELP' to unknown services and looks at the answer.");
script_set_attribute(attribute:"synopsis", value:
"The remote service could be identified.");
script_set_attribute(attribute:"description", value:
"It was possible to identify the remote service by its banner or by
looking at the error message it sends when it receives a 'HELP'
request.");
script_set_attribute(attribute:"solution", value:"n/a");
script_set_attribute(attribute:"risk_factor", value:"None");
script_set_attribute(attribute:"plugin_publication_date", value:"2002/11/18");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_timeout(0);
script_copyright(english:"This script is Copyright (C) 2002-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english: "Service detection");
script_dependencies("find_service1.nasl", "find_service_3digits.nasl", "rpcinfo.nasl", "dcetest.nasl", "apache_SSL_complain.nasl");
# Do *not* add a port dependency on "Services/unknown"
# Some scripts must run after this script even if there are no
# unknown services
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
if ( get_kb_item("global_settings/disable_service_discovery") )
exit(0, "Service discovery is disabled.");
#------------------------------------#
# Async socket support (Nessus 3.2) #
#------------------------------------#
S_STATE_CONNECTING = 1;
S_STATE_READING = 2;
S_STATE_DONE = 3;
g_timestamps = make_list();
g_sock_state = make_list();
g_sock = make_list();
g_banners = make_list();
g_port_pool = make_list();
g_port_pool_max = 0;
g_port_pool_idx = 0;
CONNECT_TIMEOUT = 4;
TIMEOUT = 4;
MAX_SIMULT_CONNECTIONS = 10;
function port_push()
{
if ( isnull(_FCT_ANON_ARGS[0]) ) return;
g_port_pool[g_port_pool_max++] = _FCT_ANON_ARGS[0];
}
function port_pop()
{
if ( g_port_pool_idx >= g_port_pool_max ) return NULL;
return g_port_pool[g_port_pool_idx++];
}
function port_new()
{
local_var port;
port = port_pop();
if ( port == NULL ) return FALSE;
g_sock_state[port] = S_STATE_CONNECTING;
g_timestamps[port] = unixtime();
g_sock[port] = open_sock_tcp(port, nonblocking:TRUE);
return TRUE;
}
function port_done()
{
local_var port;
port = _FCT_ANON_ARGS[0];
g_sock_state[port] = S_STATE_DONE;
close(g_sock[port]);
g_sock[port] = NULL;
port_new();
}
function select()
{
local_var port;
local_var now;
local_var e;
local_var num;
num = 0;
now = unixtime();
foreach port ( keys(g_sock) )
{
if ( g_sock_state[port] == S_STATE_CONNECTING )
{
num ++;
e = socket_get_error(g_sock[port]);
if ( e != 0 && e != EINPROGRESS ) port_done(port);
else
{
e = socket_ready(g_sock[port]);
if ( e > 0 )
{
send(socket:g_sock[port], data:'HELP\r\n');
g_sock_state[port] = S_STATE_READING;
g_timestamps[port] = unixtime();
}
else if ((e == 0 && socket_get_error(g_sock[port]) != 0 && socket_get_error(g_sock[port]) != EINPROGRESS) ||
(e < 0) ||
( now - g_timestamps[port] >= CONNECT_TIMEOUT ) )
port_done(port);
}
}
else if ( g_sock_state[port] == S_STATE_READING )
{
num ++;
if ( socket_pending(g_sock[port]) )
{
g_banners[port] = recv(socket:g_sock[port], length:65535);
port_done(port);
}
else if ( now - g_timestamps[port] >= TIMEOUT ) port_done(port);
}
}
return num;
}
#-------------------------------------------------------------------------#
function report_and_return(port, data, hole)
{
if (data)
{
local_var c;
c = data[strlen(data)-1];
if (c != '.' && c != '\r' && c != '\n') data += '.';
}
# This plugin should only use security_note.
# Commenting this out instead of removing until the
# appropriate code is moved to another plugin or removed.
#
#if (hole)
#{
# if ( NASL_LEVEL < 3000 ) security_hole(port: port, data: data);
# else security_hole(port: port, extra: data);
#}
#else
#{
security_note(port: port, extra: data);
#}
return 1;
}
#--------------------------------------------------------------------------------------------------------------#
function identify(r, rget, port)
{
local_var rep, a, v, banner, k, r_len, report, linesH, sub;
r_len = strlen(r);
# Java Object Serialized Stream Protocol
# (java.io.ObjectOutputStream)
# https://docs.oracle.com/javase/7/docs/platform/serialization/spec/protocol.html
# Type: help / get_http
# 0x00: AC ED 00 05
if (r_len >= 4 && substr(r, 0, 3) == '\xAC\xED\x00\x05')
{
register_service(port:port, proto:'java-listener');
report_and_return(port:port, data:'A Java Object Serialization Stream Protocol is listening on this port.');
return 1;
}
linesH = split(r);
# Looks like it did not answer to "GET / HTTP/1.0". Strange...
# Submitted by Chuck Hein <[email protected]>
# Port : 1344 - Type : help
# 0x00: 49 43 41 50 2F 31 2E 30 20 34 30 30 20 4F 4B 0D ICAP/1.0 400 OK.
# 0x10: 0A 44 61 74 65 3A 20 54 68 75 2C 20 33 31 20 4A .Date: Thu, 31 J
# 0x20: 75 6C 20 32 30 30 38 20 30 36 3A 33 39 3A 33 31 ul 2008 06:39:31
# 0x30: 20 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 52 65 GMT..Server: Re
# 0x40: 63 6F 6E 6E 65 78 20 49 43 41 50 20 53 65 72 76 connex ICAP Serv
# 0x50: 65 72 2F 31 2E 30 0D 0A 43 6F 6E 6E 65 63 74 69 er/1.0..Connecti
# 0x60: 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 49 53 54 61 67 on: close..ISTag
# 0x70: 3A 20 22 52 65 63 6F 6E 6E 65 78 2D 30 33 32 33 : "Reconnex-0323
# 0x80: 30 36 2D 32 30 30 38 2D 61 31 33 32 66 32 22 0D 06-2008-a132f2".
# 0x90: 0A 45 6E 63 61 70 73 75 6C 61 74 65 64 3A 20 6E .Encapsulated: n
# 0xA0: 75 6C 6C 2D 62 6F 64 79 3D 30 0D 0A 0D 0A ull-body=0....
if (preg(string: chomp(linesH[0]), pattern: "^ICAP/1\.0 +[1-5]0[0-9]"))
{
register_service(port:port, proto:"icap"); # See RFC 3507
report_and_return(port:port, data: "An ICAP server is running on this port.");
return 1;
}
if (
(rget == 'ERROR\r\n' && r == 'ERROR\r\nERROR\r\n' ) ||
(r == 'ERROR\r\n' && rget == 'ERROR\r\nERROR\r\n' )
)
{
set_kb_item(name:"memcached/possible_port", value:port);
# continue the code
}
else if (rget == 'ERROR\r\n')
{
register_service(port:port, proto:"mxdomainmgr");
report_and_return(port:port, data:"The remote host is running a mxdomainmgr service on this port.");
}
# The full banner is (without end of line:
# ( success ( 1 2 ( ANONYMOUS ) ( edit-pipeline ) ) )
if (( "success ( 1 2" >< r ) || ("success ( 2 2" >< r ))
{
register_service(port:port, proto:"subversion");
report_and_return(port:port, data:"A SubVersion server is running on this port.");
return 1;
}
if ( r =~ "^@RSYNC" )
{
register_service(port:port, proto:"rsyncd");
report_and_return(port:port, data:"An rsync server is running on this port.");
return 1;
}
if ( "Invalid protocol verification, illegal ORMI request" >< r )
{
register_service(port:port, proto:"oracle_application_server");
report_and_return(port:port, data:"An Oracle Application Server is running on this port.");
return 1;
}
if ( raw_string(0x51, 0x00, 0x00, 0x00) >< r && port == 264 )
{
register_service(port:port, proto:"checkpoint_fw_ng_gettopo_port");
report_and_return(port:port, data:"A Check Point FW NG gettopo_port service is running on this port.");
return 1;
}
# [root@f00dikator new_nasl_mods]# telnet 10.10.10.7 7110
# Trying 10.10.10.7...
# Connected to 10.10.10.7.
# Escape character is '^]'.
# hash 30026 <------- Server
# yo there my brother from another mother <------- Client
# error NOT AUTHORIZED YET <------- Server
if ("error NOT AUTHORIZED YET" >< r)
{
register_service(port:port, proto:"DMAIL_Admin");
report_and_return(port:port, data:"The remote host is running a DMAIL Administrative service on this port.");
return 1;
}
if ( "From Server : MESSAGE RECEIVED" >< r)
{
register_service(port:port, proto:"shixxnote");
report_and_return(port:port, data:"A shixxnote server is running on this port.");
return 1;
}
# xmlns='jabber:client' xmlns:
# submitted by JYoung ~at- intramedplus.com
if ( "xmlns='jabber:client'" >< r)
{
register_service(port:port, proto:"ejabberd");
report_and_return(port:port, data:"An ejabberd server is running on this port.");
return 1;
}
#0x00: 3C 00 74 00 72 00 61 00 6E 00 73 00 6D 00 69 00 <.t.r.a.n.s.m.i.
#0x10: 73 00 73 00 69 00 6F 00 6E 00 20 00 74 00 79 00 s.s.i.o.n. .t.y.
#0x20: 70 00 65 00 3D 00 22 00 44 00 65 00 6E 00 69 00 p.e.=.".D.e.n.i.
#0x30: 65 00 64 00 22 00 3E 00 3C 00 68 00 65 00 61 00 e.d.".>.<.h.e.a.
#0x40: 64 00 65 00 72 00 20 00 65 00 6E 00 63 00 72 00 d.e.r. .e.n.c.r.
#0x50: 79 00 70 00 74 00 65 00 64 00 3D 00 22 00 46 00 y.p.t.e.d.=.".F.
#0x60: 61 00 6C 00 73 00 65 00 22 00 20 00 63 00 6F 00 a.l.s.e.". .c.o.
#0x70: 6D 00 70 00 72 00 65 00 73 00 73 00 65 00 64 00 m.p.r.e.s.s.e.d.
#0x80: 3D 00 22 00 46 00 61 00 6C 00 73 00 65 00 22 00 =.".F.a.l.s.e.".
#0x90: 20 00 2F 00 3E 00 3C 00 2F 00 74 00 72 00 61 00 ./.>.<./.t.r.a.
#0xA0: 6E 00 73 00 6D 00 69 00 73 00 73 00 69 00 6F 00 n.s.m.i.s.s.i.o.
if ('<\0t\0r\0a\0n\0s\0m\0i\0s\0s\0i\0o\0n\0 \0t\0y\0p\0e\0=\0"\0D\0e\0n\0i\0e\0d\0"\0' >< r &&
'<\0/\0t\0r\0a\0n\0s\0m\0i\0s\0s\0i\0o\0n\0>' >< r )
{
register_service(port:port, proto:"helm");
report_and_return(port:port, data:"A HELM control panel server is running on this port.");
return 1;
}
# Submitted by Scott Bernal
# Port : 2160
# Type : help
# Banner :
# 0x00: 73 65 72 76 65 72 3D 26 74 79 70 65 3D 30 26 69 server=&type=0&i
# 0x10: 64 3D 26 63 6F 75 6E 74 3D 31 26 6F 69 64 3D 2E d=&count=1&oid=.
# 0x20: 33 2E 34 2E 31 39 2E 32 2E 32 26 76 61 6C 75 65 3.4.19.2.2&value
# 0x30: 3D 26 65 72 72 6F 72 3D 34 0A =&error=4.
if (r == 'server=&type=0&id=&count=1&oid=.3.4.19.2.2&value=&error=4\n')
{
register_service(port:port, proto:"apcpbeserver");
report_and_return(port:port, data:"APC PowerChute Business Edition Server is running on this port.");
return 1;
}
if ( "Request with malformed data; connection closed" >< r )
{
register_service(port:port, proto:"moodle-chat-daemom");
report_and_return(port:port, data:"A Moodle Chat Daemon is running on this port.");
return 1;
}
if ( "CONEXANT SYSTEMS, INC." >< r &&
"ACCESS RUNNER ADSL TERMINAL" >< r )
{
register_service(port:port, proto:"conexant_telnet");
report_and_return(port:port, data:"A Conexant configuration interface is running on this port.");
return 1;
}
if (r =~ '^0\\.[67]\\.[0-9] LOG\0 {16}')
{
register_service(port: port, proto: "partimage");
report_and_return(port:port, data:"Partimage is running on this port.
It requires a login.");
return 1;
}
if (r =~ '^0\\.[67]\\.[0-9]\0 {16}')
{
register_service(port: port, proto: "partimage");
report_and_return(port:port, data:"Partimage is running on this port.
It does not require a login.");
return 1;
}
if ("%x%s%p%nh%u%c%z%Z%t%i%e%g%f%a%C" >< r )
{
register_service(port:port, proto:"egcd");
report_and_return(port:port, data:"egcd is running on this port.");
return 1;
}
if ( "f6ffff10" >< hexstr(r) && r_len < 6 )
{
register_service(port:port, proto:"BackupExec");
report_and_return(port:port, data:"A BackupExec Agent is running on this port.");
return 1;
}
if (r == '\x00\x00\x00\x03')
{
register_service(port:port, proto:"godm");
report_and_return(port:port, data:"AIX Global ODM (a component from HACMP) is running on this port.");
return 1;
}
if ('UNKNOWN COMMAND\n' >< r )
{
register_service(port:port, proto:"clamd");
report_and_return(port:port, data:"A clamd daemon, part of Clam AntiVirus, is running on this port.");
return 1;
}
if ( "AdsGone 200" >< r && "HTML Ad" >< r )
{
register_service(port:port, proto:"AdsGone");
report_and_return(port:port, data:"An AdsGone proxy server is running on this port.");
return 1;
}
if (pgrep(pattern:"^Centra AudioServer", string:r) )
{
register_service(port:port, proto:"centra");
report_and_return(port:port, data:"A Centra audio server is running on this port.");
return 1;
}
# TenFour TFS Secure Messaging Server, not RFC compliant
if ('Ok\r\n500 Command unknown' >< r )
{
register_service(port:port, proto:"smtp");
report_and_return(port:port, data:"An SMTP server is running on this port.");
return 1;
}
if (
"VERIFY = F$VERIFY" >< r || # Multinet 4.4 Imap daemon...
"* OK dovecot ready." >< r ||
"* OK Dovecot ready." >< r ||
(
stridx(r, '* OK ') == 0 &&
(
'CallPilot server ready' >< r ||
'HELP BAD Error in IMAP command received by server.' >< r
)
) ||
# nb: hMailServer can be configured with a custom banner, in
# which case this should still identify it.
(
stridx(r, '* OK ') == 0 &&
'\r\nHELP BAD NULL COMMAND\r\n' >< r
)
)
{
register_service(port:port, proto:"imap");
report_and_return(port:port, data:"An IMAP server is running on this port.");
return 1;
}
if ("421 Server is temporarily unavailable - pleast try again later" >< r &&
"421 Service closing control connection" >< r)
{
register_service(port:port, proto:"ftp-disabled");
report_and_return(port:port, data:"A (disabled) FTP server is running on this port.");
return 1;
}
if ("RSTP/1.0 505 RSTP Version not supported" >< r )
{
register_service(port:port, proto:"rtsp");
report_and_return(port:port, data:"A RSTP (shoutcast) server is running on this port.");
return 1;
}
if ("ERR INVALID-ARGUMENT" >< r &&
"ERR UNKNOWN-COMMAND" >< r )
{
register_service(port:port, proto:"nut");
report_and_return(port:port, data:"A Network UPS Tool (NUT) server is running on this port.");
return 1;
}
if ('\x80\x3d\x01\x03\x01' >< r)
{
# http://osiris.shmoo.com/
register_service(port:port, proto:"osiris");
report_and_return(port:port, data:"An Osiris daemon is running on this port.");
return 1;
}
if ( 'CAP PH\r\n' >< r )
{
register_service(port:port, proto:"BrightMail_AntiSpam");
report_and_return(port:port, data:"BrightMail AntiSpam is running on this port.");
return 1;
}
if ('\xea\xdd\xbe\xef' >< r)
{
register_service(port:port, proto:"veritas-netbackup-client");
report_and_return(port:port, data:"Veritas NetBackup Client Service is running on this port.");
return 1;
}
# http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00801a62b9.shtml#topic1
if ('\x70\x5f\x0a\x10\x01' >< r)
{
register_service(port:port, proto:"cisco-ris-data-collector");
report_and_return(port:port, data:"A CISCO RIS Data Collector is running on this port.");
return 1;
}
if ("Hello, this is quagga" >< r || "Hello, this is Quagga" >< r)
{
register_service(port:port, proto:"quagga");
report_and_return(port:port, data:"A BGP daemon from Quagga is listening on this port.");
return 1;
}
if ( 'Hello\n' >< r )
{
register_service(port:port, proto:"musicdaemon");
report_and_return(port:port, data:"musicdaemon is listening on this port.");
return 1;
}
if (pgrep(pattern:"^220.*Administrator Service ready\.", string:r) ||
pgrep(pattern:"^220.*eSafe@.*Service ready", string:r))
{
register_service(port:port, proto:"smtp");
return 1;
}
if ( "Integrated port" >< r && "Printer Type" >< r && "Print Job Status" >< r)
{
# This is a "fake" finger server, showing the printer status.
# see bug#496
register_service(port:port, proto:"finger-lexmark");
return 1;
}
if ("Invalid password!!!" >< r ||
"Incorrect password!!!" >< r )
{
register_service(port:port, proto:"wollf");
report_and_return(port:port, data:"A Wollf backdoor is running on this port.");
return 1;
}
if ("version report" >< r )
{
# MA 2006-08-15: other tests report this as "pioneers-meta-server"
register_service(port:port, proto:"gnocatan");
report_and_return(port:port, data:"A Pioneers / Gnocatan game server is running on this port.");
return 1;
}
if ("Welcome on mldonkey command-line" >< r)
{
register_service(port:port, proto:"mldonkey-telnet");
report_and_return(port:port, data:"A MLdonkey telnet interface is running on this port.");
return 1;
}
if ( pgrep(pattern:"^connected\. .*, version:", string:r) ||
r == "PWD" )
{
register_service(port:port, proto:"subseven");
report_and_return(port:port, data:"A subseven backdoor is running on this port.");
return 1;
}
if ( pgrep(pattern:"^220 Bot Server", string:r) ||
'\xb0\x3e\xc3\x77\x4d\x5a\x90' >< r )
{
register_service(port:port, proto:"agobot.fo");
report_and_return(port:port, data:"An Agobot.fo backdoor is running on this port.");
return 1;
}
if ( "RemoteNC Control Password:" >< r )
{
register_service(port:port, proto:"RemoteNC");
report_and_return(port:port, data:"A RemoteNC console is running on this port.");
return 1;
}
if ( "Sensor Console Password:" >< r )
{
register_service(port:port, proto:"fluxay");
report_and_return(port:port, data:"A fluxay sensor is running on this port.");
return 1;
}
if ('\x3c\x65\x72\x72\x6f\x72\x3e\x0a' >< r)
{
register_service(port:port, proto:"gkrellmd");
report_and_return(port:port, data:"A gkrellmd system monitor daemon is running on this port.");
return 1;
}
# QMTP / QMQP
if (r =~ '^[1-9][0-9]*:[KZD]')
{
register_service(port: port, proto: "QMTP");
report_and_return(port: port, data: "A QMTP / QMQP server is running on this port.");
}
# BZFlag Server (a game on SGI)
if (r =~ '^BZFS')
{
register_service(port:port, proto:"bzfs");
report_and_return(port:port, data:"A BZFlag game server seems to be running on this port.");
return 1;
}
# SGUIL (Snort Monitoring Console)
if ( ("SGUIL" >< r) && preg(pattern:"^SGUIL-[0-9]+\.[0-9]+\.[0-9]+ OPENSSL (ENABLED|DISABLED)", string:r))
{
register_service(port:port, proto:"sguil");
report_and_return(port:port, data:"A SGUIL server (Snort Monitoring Console) seems to be running on this port.");
return 1;
}
if ( '!Error\nSession not verified.\n' >< r )
{
register_service(port:port, proto:"brocade-session");
report_and_return(port:port, data:"A Brocade service seems to be running on this port.");
return 1;
}
# (Solaris) lpd server
if(preg(pattern: "^Invalid protocol request.*:HHELP.*", string:r))
{
register_service(port:port, proto:"lpd");
report_and_return(port:port, data:"An LPD server seems to be running on this port.");
return 1;
}
if (r_len == 4 && '\x3d\x15\x1a\x3d' >< r)
{
register_service(port:port, proto:"hacker_defender");
report_and_return(port:port, data:"An 'Hacker Defender' backdoor seems to be running on this port.");
return 1;
}
# http://hea-www.harvard.edu/RD/ds9/
if ("XPA$ERROR unknown xpans request:" >< r )
{
register_service(port:port, proto:"DS9");
report_and_return(port:port, data:'A DS9 service seems to be running on this port.\nSee also : http://hea-www.harvard.edu/RD/ds9/');
return 1;
}
if ('421 Unauthorized connection to server\n' >< r )
{
register_service(port:port, proto:"ncic");
report_and_return(port:port, data:"A NCIC service seems to be running on this port.");
return 1;
}
if ( r_len == 4 && '\x09\x50\x09\x50' >< r)
{
register_service(port:port, proto:"dell_management_client");
report_and_return(port:port, data:"A Dell Management client seems to be running on this port.");
return 1;
}
if ( "gdm already running. Aborting!" >< r )
{
register_service(port:port, proto:"xdmcp");
report_and_return(port:port, data:"An xdmcp server seems to be running on this port.");
return 1;
}
if ( r_len == strlen("20040616105304") &&
preg(pattern:"200[0-9][01][0-9][0-3][0-9][0-2][0-9][0-5][0-9][0-5][0-9]$",
string:r))
{
register_service(port:port, proto:"LPTOne");
report_and_return(port:port, data:"A LPTOne server seems to be running on this port.");
return 1;
}
if ('ERROR Not authenticated\n' >< r )
{
register_service(port:port, proto:"hpjfpmd");
report_and_return(port:port, data:"An HP WebJetAdmin server seems to be running on this port.");
return 1;
}
if ( "500 P-Error" >< r && "220 Hello" >< r )
{
register_service(port:port, proto:"unknown_irc_bot");
report_and_return(port:port, data:"An IRC bot seems to be running on this port.");
return 1;
}
if ( "220 WinSock" >< r )
{
register_service(port:port, proto:"winsock");
report_and_return(port:port, data:"A WinSock server seems to be running on this port.");
return 1;
}
if ( "DeltaUPS:" >< r )
{
register_service(port:port, proto:"delta-ups");
report_and_return(port:port, data:"A DeltaUPS monitoring server seems to be running on this port.");
return 1;
}
if ( preg(pattern:"lpd: .*", string:r) || 'An lpd test connection was' >< r )
{
register_service(port:port, proto:"lpd");
report_and_return(port:port, data:"An LPD server seems to be running on this port.");
return 1;
}
if(preg(pattern: "^/usr/sbin/lpd.*", string:r))
{
register_service(port:port, proto:"lpd");
report_and_return(port:port, data:"An LPD server seems to be running on this port.");
return 1;
}
# See <http://sourceware.org/cluster/conga/> for more info.
if (
'<?xml version="1.0"?>\n<Clients_SSL_certificate_required/>\n' == r ||
'<?xml version="1.0"?>\n<SSL_required/>\n' == r
)
{
register_service(port:port, proto:"ricci");
report_and_return(
port:port,
data:
'A ricci agent seems to be listening on this port. Ricci is the agent\n' +
'component of Conga and is used for cluster and storage configuration /\n' +
'monitoring.'
);
return 1;
}
if ( strlen(r) > 32 ) sub = substr(r, 0, 31);
else sub = r;
if ( "<!doctype html" >< tolower(r) ||
r =~ "^<HEAD><TITLE>" ||
"<html>" >< tolower(sub) )
{
register_service(port:port, proto:"www");
report_and_return(port:port, data:"A web server seems to be running on this port.");
return 1;
}
if("An lpd test connection was completed" >< r ||
"Bad from address." >< r ||
"your host does not have line printer access" >< r ||
"does not have access to remote printer" >< r )
{
register_service(port:port, proto:"lpd");
report_and_return(port:port, data:"An LPD server seems to be running on this port.");
return 1;
}
# PPR
if (r =~ "^lprsrv: unrecognized command:")
{
register_service(port:port, proto:"lpd");
report_and_return(port:port, data:"PPR seems to be running on this port.");
return 1;
}
if(preg(pattern:"^login: Password: (Login incorrect\.)?$", string:r) ||
preg(pattern:"^login: Login incorrect\.", string:r))
{
register_service(port:port, proto:"uucp");
report_and_return(port:port, data:"A UUCP daemon seems to be running on this port.");
return 1;
}
if(preg(pattern:"^login: Login incorrect\.$", string:r))
{
register_service(port:port, proto:"uucp");
report_and_return(port:port, data:"A UUCP daemon seems to be running on this port.");
return 1;
}
# IRC server
if (preg(pattern: "^:.* 451 .*:", string:r))
{
register_service(port: port, proto: "irc");
report_and_return(port: port, data: "An IRC server seems to be running on this port.");
return 1;
}
if(preg(pattern:'^(Mon|Tue|Wed|Thu|Fri|Sat|Sun|Lun|Mar|Mer|Jeu|Ven|Sam|Dim) (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|D[e\xE9]c|F[e\xE9]v|Avr|Mai|Ao[u\xFB]) *(0?[0-9]|[1-3][0-9]) [0-9]+:[0-9]+(:[0-9]+)?( *[ap]m)?( +[A-Z]+)? [1-2][0-9][0-9][0-9].?.?$',
string:r) ||
preg(pattern:'^[0-9][0-9] +(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|D[e\xE9]c|F[e\xE9]v|Avr|Mai|Ao[u\xFB]) +[1-2][0-9][0-9][0-9] +[0-9]+:[0-9]+:[0-9]+( *[ap]m)? [A-Z0-9]+.?.?$', string:r, icase: 1) ||
r =~ '^(0?[0-9]|[1-2][0-9]|3[01])-(0[1-9]|1[0-2])-20[0-9][0-9][\r\n]*$' ||
r =~ '^([01]?[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9] (19|20)[0-9][0-9]-(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01])[ \t\r\n]*$' ||
preg(pattern:"^(Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday), (January|February|March|April|May|June|July|August|September|October|November|December) ([0-9]|[1-3][0-9]), [1-2][0-9][0-9][0-9] .*", string:r) ||
# MS flavor of daytime
preg(pattern:"^[0-9][0-9]?:[0-9][0-9]:[0-9][0-9] [AP]M [0-9][0-9]?/[0-9][0-9]?/[0-2][0-9][0-9][0-9].*$", string:r) ||
r =~ '^([01]?[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9] +(0?[1-9]|[12][0-9]|3[01])/(0?[1-9]|1[0-2]|3[01])/(19|20)[0-9][0-9][ \t\r\n]*$' )
{
register_service(port:port, proto:"daytime");
report_and_return(port: port, data: "Daytime is running on this port.");
return 1;
}
# Banner:
# HP OpenView OmniBack II A.03.10:INET, internal build 325, built on Mon Aug 23 15:50:58 1999.
if (match(string: r, pattern: "HP OpenView OmniBack II*"))
{
register_service(port: port, proto: "omniback");
report_and_return(port: port, data: "HP Omniback seems to be running on this port.");
return 1;
}
# Banner:
# HP OpenView Storage Data Protector A.05.00: INET, internal build 190, built on Tue Jul 16 17:37:32 2002.
if (match(string: r, pattern: "HP OpenView Storage Data Protector"))
{
register_service(port: port, proto: "hpov-storage");
report_and_return(port: port, data: "HP OpenView Storage Data Protector seems to be running on this port.");
return 1;
}
# Veritas Netbackup
if (r =~ '^1000 +2\n43\nunexpected message received' ||
"gethostbyaddr: No such file or directory" >< r )
{
register_service(port: port, proto: "netbackup");
report_and_return(port: port, data: "Veritas Netbackup seems to be running on this port.");
return 1;
}
# BMC Patrol
if (r == "SDPACK")
{
register_service(port: port, proto: "bmc-perf-sd");
report_and_return(port: port, data: "BMC Perform Service Daemon seems to be running on this port.");
return 1;
}
# SNPP
if (r =~ '^220 .* SNPP ' || pgrep(string: r, pattern: '^214 .*PAGE'))
{
register_service(port: port, proto: "snpp");
report_and_return(port: port, data: "A SNPP server seems to be running on this port.");
return 1;
}
# HylaFax FTP
if (pgrep(string: r, pattern: '^214-? ') && 'MDMFMT' >< r)
{
register_service(port: port, proto: "hylafax-ftp");
report_and_return(port: port, data: "A HylaFax server seems to be running on this port.");
return 1;
}
# HylaFAX (hylafax spp?)
if ( pgrep(string:r, pattern:"^220.*HylaFAX .*Version.*") )
{
register_service(port: port, proto: "hylafax");
report_and_return(port: port, data: "A HylaFax server seems to be running on this port.");
return 1;
}
if ( pgrep (string:r, pattern:"^S: FTGate [0-9]+\.[0-9]+") )
{
register_service(port: port, proto: "ftgate-monitor");
report_and_return(port: port, data: "A FTGate Monitor server seems to be running on this port.");
return 1;
}
# IRCn
if (r_len == 2048 && r =~ '^[ ,;:.@$#%+HMX\n-]+$' && '-;;=' >< r &&
'.;M####+' >< r && '.+ .%########' >< r && ':%.%#########@' >< r)
{
register_service(port: port, proto: 'IRCn-finger');
report_and_return(port: port, data: "IRCn finger service seems to be running on this port.");
return 1;
}
if ("Melange Chat Server" >< r)
{
register_service(port: port, proto: 'melange-chat');
report_and_return(port: port, data: "Melange Chat Server is running on this port.");
return 1;
}
# http://www.directupdate.net/
if (r =~ '^OK Welcome .*DirectUpdate server')
{
register_service(port: port, proto: 'directupdate');
report_and_return(port: port, data: "A DirectUpdate server is running on this port.");
return 1;
}
# http://www.xboxmediaplayer.de
if (r == "HELLO XBOX!")
{
register_service(port: port, proto: 'xns');
report_and_return(port: port, data: "A XNS streaming server seems to be running on this port.");
return 1;
}
# Windows 2000 BackupExec
if (r == '\xf6\xff\xff\xff\x10')
{
register_service(port: port, proto: "backupexec");
report_and_return(port: port, data: "A BackupExec server seems to be running on this port.");
return 1;
}
# SAP/DB niserver (default port = 7269)
# 0000 4c 00 00 00 03 ff 00 00 ff ff ff ff ff ff ff ff
# 0020 01 00 04 00 4c 00 00 00 00 02 34 00 ff 0d 00 00
# 0040 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
# 0060 00 00 00 00 2e 0f 13 40 00 00 00 00 89 74 09 08
# 0100 05 49 2d 31 00 04 50 ff ff 03 52 01
if (substr(r, 0, 15) == hex2raw(s: "4c00000003ff0000ffffffffffffffff"))
{
register_service(port: port, proto: "sap_db_niserver");
report_and_return(port: port, data: "SAP/DB niserver seems to be running on this port.");
return 1;
}
# Submitted by Lyal Collins
# 00: 01 09 d0 02 ff ff 01 03 12 4c .. . ...L
# DB2 V6 and possibly Db2 V7, running on zOS - TCP ports 446 and 448
if (r == '\x01\x09\xD0\x02\xFF\xFF\x01\x03\x12\x4C')
{
register_service(port: port, proto: "db2");
report_and_return(port: port, data: "DB2 is running on this port.");
return 1;
}
# Check Point FW-1 Client Authentication (TCP/259)
# 00: 43 68 65 63 6b 20 50 6f 69 6e 74 20 46 69 72 65 Check Point Fire
# 10: 57 61 6c 6c 2d 31 20 43 6c 69 65 6e 74 20 41 75 Wall-1 Client Au
# 20: 74 68 65 6e 74 69 63 61 74 69 6f 6e 20 53 65 72 thentication Ser
# 30: 76 65 72 20 72 75 6e 6e 69 6e 67 20 6f 6e 20 67 ver running on g
# 40: 61 74 65 6b 65 65 70 65 72 30 31 2e 6b 61 69 73 atekeeper01.kais
# 50: 65 72 6b 72 61 66 74 2e 64 65 0d 0a 0d ff fb 01 erkraft.de... .
# 60: ff fe 01 ff fb 03 55 73 65 72 3a 20 47 45 54 20 . .User: GET
# 70: 2f 20 48 54 54 50 2f 31 2e 30 0d 0a 55 73 65 72 / HTTP/1.0..User
# 80: 20 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 30 20 GET / HTTP/1.0
# 90: 6e 6f 74 20 66 6f 75 6e 64 0d 0a 0d 0d 0a 55 73 not found.....Us
# a0: 65 72 3a 20 er:
if ("Check Point FireWall-1 Client Authentication Server" >< r)
{
register_service(port: port, proto: "fw1_client_auth");
report_and_return(port: port, data: "Check Point FireWall-1 Client Authentication Server seems to be running on this port.");
return 1;
}
# Seen on FW1-topo and other ports
if (r == 'Y\0\0\0')
{
register_service(port: port, proto: "fw1_generic");
report_and_return(port: port, data: "A Check Point FireWall-1 service seems to be running on this port.");
return 1;
}
if (r =~ "^200 .* (PWD Server|poppassd)")
{
register_service(port: port, proto: "pop3pw");
report_and_return(port: port, data: "A poppassd server seems to be running on this port.");
return 1;
}
# Ebola antivirus
if ("Welcome to Ebola " >< r )
{
register_service( port : port, proto: "ebola" );
set_kb_item(name:"ebola/banner/" + port, value: r );
report_and_return(port : port, data: "An Ebola server is running on this port :\n" + r );
return 1;
}
# www.midas.org
if (r =~ '^MIDASd v[2-9.]+[a-z]? connection accepted')
{
register_service(port: port, proto: 'midas');
report_and_return(port: port, data: "A MIDAS server is running on this port.");
return 1;
}
# Crystal Reports
# 00: 73 65 72 76 65 72 20 31 32 38 2e 31 32 38 2e 32 server 128.128.2
# 10: 2e 31 39 37 20 33 2e 35 33 2e 31 61 20 63 6f 6e .197 3.53.1a con
# 20: 6e 65 63 74 69 6f 6e 73 3a 20 32 0a nections: 2.
# MA 2007-03-04
# I got *exactly* the same reply from 4JS on port 6400.
if (r =~ '^server [0-9.]+ connections: [0-9]+' ||
r =~ '^server [0-9.]+ [0-9a-z.]+ connections: [0-9]+')
{
register_service(port: port, proto: 'crystal');
report_and_return(port: port, data: 'Crystal Reports or 4JS seems to be running on this port.');
return 1;
}
# Trueweather taskbar applet
if (r =~ '^TrueWeather\r\n\r\n')
{
register_service(port: port, proto: 'trueweather');
report_and_return(port: port, data: 'TrueWeather taskbar applet is running on this port.');
return 1;
}
# W32.IRCBot.E or W32.IRCBot.F or W32.Randex or W32.Korgo.V
if (r == '220 \r\n331 \r\n230 \r\n')
{
register_service(port: port, proto: 'ircbot');
report_and_return(port: port, data: 'A W32.IRCBot backdoor is running on this port.');
return 1;
}
if (preg(string: r, pattern: "^RTSP/1\.0 "))
{
if (
"403 Proxy denied" >< r ||
"500 Unknown proxy error" >< r ||
"503 Too many proxy users" >< r
)
{
register_service(port:port, proto:'rtsp_proxy');
report_and_return(port:port, data:"A streaming proxy server is running on this port.");
}
else
{
register_service(port:port, proto:'rtsp');
report_and_return(port:port, data:"A streaming server is running on this port.");
}
return 1;
}
# BMC's ECS product (part of Control-M) gateway listener
# 00: 61 20 30 30 30 30 30 30 32 64 47 52 30 39 33 32 a 0000002dGR0932
# 10: 30 30 30 30 39 30 43 47 47 41 54 45 57 41 59 20 000090CGGATEWAY
# 20: 30 43 47 55 31 30 30 33 31 30 30 36 30 43 47 5f 0CGU100310060CG_
# 30: 41 20 32 32 31 47 41 A 221GA
if (r =~ '^a [0-9a-zA-Z]+GATEWAY [0-9A-Z]+_A [0-9A-Z]+')
{
register_service(port: port, proto: 'ctrlm-ecs-gateway');
report_and_return(port: port, data: "An ECS gateway listener (par of Control-M) is running on this port.");
return 1;
}
# Running on 400/tcp?!
if (r == '\xDE\xAD\xF0\x0D')
{
register_service(port: port, proto: 'jwalk');
report_and_return(port: port, data: "A Seagull JWalk server is running on this port.");
return 1;
}
# Contributed by Thomas Reinke - running on TCP/23
# Interface to ADSL router smc7204BRB
if ("CONEXANT SYSTEMS, INC" >< r && "ACCESS RUNNER ADSL CONSOLE PORT" >< r
&& "LOGON PASSWORD" >< r)
{
register_service(port: port, proto: 'conexant-admin');
report_and_return(port: port, data: "Interface of a Conexant ADSL router is running on this port.", hole:1);
return 1;
}
# Default port = 9090
if (r == 'GET %2F HTTP%2F1.0\n')
{
register_service(port: port, proto: 'slimserver');
report_and_return(port: port, data: "The Slimserver streaming server (command interface) is running on this port.", hole:1);
return 1;
}
# 00: 0d 0a 50 72 65 73 73 20 72 65 74 75 72 6e 3a 2a ..Press return:*
# 10: 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a ****************
# 20: 0d 0a 45 6e 74 65 72 20 50 61 73 73 77 6f 72 64 ..Enter Password
# 30: 3a 2a 0d 0a 45 6e 74 65 72 20 50 61 73 73 77 6f :*..Enter Passwo
# 40: 72 64 3a
if ('Press return:*****************' >< r && 'Enter Password:' >< r)
{
register_service(port: port, proto: 'darkshadow-trojan');
report_and_return(port: port, data: "The Darshadow trojan horse seems to be running on this port.", hole:1);
return 1;
}
# Contributed by David C. Shettler
# http://esupport.ca.com/index.html?/public/dto_transportit/infodocs/LI57895.asp
if (r == 'ACK')
{
register_service(port: port, proto: 'tng-cam');
report_and_return(port: port, data: 'CA Messaging (part of Unicenter TNG) is running on this port.', hole:1);
return 1;
}
# Contributed by Jan Dreyer - unfortunately, I could not find much data on
# this Trojan horse. It was found running on port 2400
# The banner is:
# +------------------------+
# | DllTrojan by ScriptGod |
# +------------------------+
# | [27.04.04] |
# +------------------------+
# enter pass:
#
if ("+------------------------+" >< r || "DllTrojan by ScriptGod" >< r)
{
register_service(port: port, proto: 'dll-trojan');
report_and_return(port: port, data: 'A trojan horse (DllTrojan) seems to be running on this port.\nClean your system.', hole:1);
return 1;
}
# Submitted by Paul Weatherhead
if (r == '\x3d\x15\x1a\x3d')
{
register_service(port: port, proto: 'rcserv-trojan');
report_and_return(port: port, data: 'A trojan horse (RCServ) seems to be running on this port.\nYou should clean your system :\nthe executable file might be MDTC.EXE.', hole:1);
return 1;
}
# $ telnet 10.10.1.203 5110
# Trying 10.10.1.203...
# Connected to 10.10.1.203.
# Escape character is '^]'.
# Sifre_Korumasi <------- Server
# HELP <------- Client
# Sifre_Hatasi <------- Server
# 000300Dedected burute force atack from your ip adress <--- alternative response
#
# $ telnet 10.10.1.203 5112 (same for 51100)
# Trying 10.10.1.203...
# Connected to 10.10.1.203.
# Escape character is '^]'.
# 220 Welcom to ProRat Ftp Server <------- Server
# HELP <------- Client
# 500 'HELP': command not understood. <------- Server
# 000300Dedected burute force atack from your ip adress <--- alternative response
if (
# nb: "Sifre Korumasi" means "password-protected" in Turkish
# and "Sifre Hatasi" means "invalid password".
'Sifre_Korumasi' >< r ||
'000300Dedected burute force atack from your ip adress' >< r ||
' Welcom to ProRat Ftp Server' >< r
) {
register_service(port:port, proto:'prorat-trojan');
report_and_return(
port:port,
hole:1,
data:
'The Prorat trojan horse is running on the remote host. Block access\n' +
'to this port immediately and clean the system as soon as possible.'
);
return 1;
}
# False positives reported by Michel
#if (r == 'ERROR\n')
#{
# register_service(port: port, proto: 'streaming21');
#report_and_return(port: port, data: "A Streaming21 server seems to be running on this port");
# return 1;
#}
# Submitted by Adam Baldwin - Reference http://evilpacket.net
# Identifies Symantec ManHunt or SNS console (qsp proxy)
# 32 bytes of data sent when a connection is made
# 01 01 00 08 1C EE 01 00 00 00 00 00 00 00 00 00
# 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
if (r == '\x01\x01\x00\x08\x1c\xee\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00')
{
register_service(port: port, proto: 'qsp-proxy');
report_and_return(port: port, data: "A Symantec ManHunt / SNS console (QSP Proxy) seems to be running on this port.");
return 1;
}
# sunRay Server - thanks to [email protected] (Kent Engstrom)
if("ERR/InvalidCommand" >< r)
{
register_service(port:port, proto:"sunraySessionMgr");
report_and_return(port:port, data:"sunraySessionMgr server is running on this port.");
return 1;
}
# Sun Ray authentication daemon (contrib from Glenn M. Brunette, Jr.)
if (match(string: r, pattern: "protocolErrorInf error=Missing\*state=disconnected*"))
{
register_service(port:port, proto:"sunray-utauthd");
report_and_return(port:port, data:"sunray authentication daemon is running on this port.");
return 1;
}
# Shoutcast
if (r =~ "^ICY 401")
{
local_var verb;
register_service(port: port, proto: "shoutcast");
if ("icy-notice1:<BR>shoutcast " >< r) verb = "is";
else verb = "seems to be";
report_and_return(port: port, data: "A shoutcast server " + verb + " running on this port.");
return 1;
}
# from Ryan Sweat
if ('invalid password\r\n' == r && (rget == r || strlen(rget) == 0))
{
register_service(port: port, proto: "shoutcast_service");
report_and_return(
port:port,
data:
'The remote service appears to be a SHOUTcast Server\'s service port, used\n' +
'to broadcast streams and administer the server.'
);
return 1;
}
# NFR
if (pgrep(pattern:"^Getserver 1\.0 - identify yourself", string:r ) )
{
register_service(port:port, proto:"nfr-admin-gui");
report_and_return(port:port, data:"An NFR Administrative interface is listening on this port.");
return 1;
}
# remstats.sf.net
if ( "ERROR: unknown directive: " >< r )
{
register_service(port:port, proto:"remstats");
report_and_return(port:port, data:"A remstats service is running on this port.");
return 1;
}
if ( "NCD X Terminal Configuration" >< r )
{
register_service(port:port, proto:"ncdx_term_config");
report_and_return(port:port, data:"A NCD X Terminal Configuration service is running on this port.");
return 1;
}
if ("NPC Telnet permit one" >< r )
{
register_service(port:port, proto:"telnet");
report_and_return(port:port, data:"A (NPC) telnet service is running on this port.");
return 1;
}
if ( ( "Prisma Digital Transport" >< r && "Use the SNMP set community" >< r) ||
( "Wegener Communications Copyright" >< r && "Unit Label" >< r && "Type H for" >< r ) )
{
register_service(port:port, proto:"telnet");
report_and_return(port:port, data:"A telnet service is running on this port.");
return 1;
}
if ( "SiteManager Proxy" >< r )
{
register_service(port:port, proto:"site_manager_proxy");
report_and_return(port:port, data:"A Site Manager Proxy service is running on this port.");
return 1;
}
if ( pgrep(pattern:"^GPSD,.*", string:r) )
{
register_service(port:port, proto:"gpsd");
report_and_return(port:port, data:"A gpsd daemon is running on this port.");
return 1;
}
if ( pgrep(pattern:"^200.*Citadel(/UX| server ready).*", string:r) )
{
register_service(port:port, proto:"citadel/ux");
report_and_return(port:port, data:"A Citadel/UX BBS is running on this port.");
return 1;
}
if ( "Gnome Batalla" >< r )
{
register_service(port:port, proto:"gnome_batalla");
report_and_return(port:port, data:"A Gnome Batalla service is running on this port.");
return 1;
}
if ("System Status" >< r && "Uptime" >< r )
{
register_service(port:port, proto: "systat");
report_and_return(port: port, data: "The systat service is running on this port.");
return 1;
}
if ("ESTABLISHED" >< r && "TCP" >< r)
{
register_service(port:port, proto: "netstat");
report_and_return(port: port, data: "The netstat service is running on this port.");
return 1;
}
if ( "charles dickens" >< tolower(r) || "george bernard shaw" >< tolower(r) || "a. a. milne" >< tolower(a) )
{
register_service(port:port, proto: "qotd");
report_and_return(port: port, data: "qotd (Quote of the Day) seems to be running on this port.");
return 1;
}
if ("Can't locate loadable object for module" >< r && "BEGIN failed--compilation aborted" >< r )
{
register_service(port:port, proto: "broken-perl-script");
report_and_return(port: port, data: "A broken perl script is running on this port.");
return 1;
}
if ("/usr/games/fortune: not found" >< r ||
r =~ '^"[^"]+" *Autor desconocido[ \t\r\n]*$')
{
register_service(port:port, proto: "qotd");
report_and_return(port: port, data: "qotd (Quote of the Day) seems to be running on this port (misconfigured).");
return 1;
}
if ("Check Point FireWall-1 authenticated Telnet server" >< r )
{
register_service(port:port, proto: "fw1-telnet-auth");
report_and_return(port: port, data: "A Firewall-1 authenticated telnet server is running on this port.");
return 1;
}
# Added NOTICE * deviation to handle Charybdis
# :irctest.local NOTICE * :*** Looking up your hostname...
if ( "NOTICE AUTH : " >< r || "NOTICE * :***" >< r)
{
register_service(port:port, proto: "irc");
report_and_return(port: port, data: "An IRC server seems to be running on this port.");
return 1;
}
# 00: 45 52 52 4f 52 3a 20 59 6f 75 72 20 68 6f 73 74 ERROR: Your host
# 10: 20 69 73 20 74 72 79 69 6e 67 20 74 6f 20 28 72 is trying to (r
# 20: 65 29 63 6f 6e 6e 65 63 74 20 74 6f 6f 20 66 61 e)connect too fa
# 30: 73 74 20 2d 2d 20 74 68 72 6f 74 74 6c 65 64 0d st -- throttled.
# 40: 0a .
# Suspicious test?
if (r == 'ERROR: Your host is trying to (re)connect too fast -- throttled\n')
{
register_service(port:port, proto: "irc");
report_and_return(port: port, data: "An IRC server might be running on this port.");
return 1;
}
if (r =~ '^sh-[0-9.]+# ')
{
register_service(port:port, proto: "wild_shell");
report_and_return(port: port, data: "A shell seems to be running on this port! (this is a possible backdoor)", hole:1);
}
if ( ("Microsoft Windows" >< r) &&
pgrep(pattern:"\([c|C]\) (Copyright )?([0-9]+)", string:r) &&
("Microsoft Corp" >< r) ||
# Answer to help
"ASSOC" >< r && "ATTRIB" >< r && "BREAK" >< r && "CALL" >< r &&
"CHDIR" >< r && "CHKDSK" >< r && "CLS" >< r && "COPY" >< r &&
"DATE" >< r && "DEL" >< r )
{
register_service(port:port, proto: "wild_shell");
report_and_return(port: port, data: "A Windows shell seems to be running on this port! (this is a possible backdoor)", hole:1);
}
if ( "1|0|0||" >< r )
{
register_service(port:port, proto: "PigeonServer");
report_and_return(port: port, data: "PigeonServer seems to be running on this port.");
return 1;
}
if (r =~ '^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+\n$')
{
register_service(port:port, proto:"kde-lisa");
report_and_return(port:port, data:"KDE Lisa server is running on this port.");
return 1;
}
# Submitted by Lucian Ravac - See http://zabbix.org
if (
stridx(r, 'ZBX_NOTSUPPORTED') == 0 ||
(stridx(r, 'ZBXD') == 0 && stridx(r, 'ZBX_NOTSUPPORTED') == 13)
)
{
register_service(port: port, proto: 'zabbix');
report_and_return(port: port, data: 'A Zabbix agent is running on this port.');
return 1;
}
# Submitted by Brian Spindel - Gopher on Windows NT
# 00: 33 20 2d 2d 36 20 42 61 64 20 52 65 71 75 65 73 3 --6 Bad Reques
# 10: 74 2e 20 0d 0a 2e 0d 0a t.
if (r == '3 --6 Bad request. \r\n.\r\n')
{
register_service(port: port, proto: 'gopher');
report_and_return(port: port, data: 'A Gopher server seems to be running on this port.');
return 1;
}
# 00: 01 72 6c 6f 67 69 6e 64 3a 20 50 65 72 6d 69 73 .rlogind: Permis
# 10: 73 69 6f 6e 20 64 65 6e 69 65 64 2e 0d 0a sion denied...
if (match(string: r, pattern: '\x01rlogind: Permission denied*', icase: 1))
{
register_service(port: port, proto: 'rlogin');
report_and_return(port: port, data: 'rlogind seems to be running on this port.');
return 1;
}
# Submitted by Aaron Daugherty.
#
# 0x00: 01 72 6C 6F 67 69 6E 64 3A 20 4B 65 72 62 65 72 .rlogind: Kerber
# 0x10: 6F 73 20 41 75 74 68 65 6E 74 69 63 61 74 69 6F os Authenticatio
# 0x20: 6E 20 6E 6F 74 20 65 6E 61 62 6C 65 64 2E 2E 0D n not enabled...
# 0x30: 0A
if (match(string: r, pattern: '\x01rlogind: Kerberos Authentication*', icase: 1))
{
register_service(port: port, proto: 'rlogin');
report_and_return(port: port, data: 'A Kerberized rlogind seems to be running on this port.');
return 1;
}
# 00: 73 74 61 74 64 20 76 65 72 73 69 6f 6e 3a 33 2e statd version:3.
# 10: 32 20 6d 73 67 69 64 3a 32 30 30 35 2e 30 35 2e 2 msgid:2005.05.
# 20: 31 38 20 31 30 3a 35 30 3a 33 35 0d 0a 18 10:50:35..
# Note: this is *unreliable*, many clones exist
if (match(string: r, pattern: "statd version:*msgid:*"))
{
register_service(port: port, proto: 'nagios-statd');
report_and_return(port: port, data: 'nagios-statd seems to be running on this port.');
return 1;
}
# Running on 632/tcp
# 00: 54 68 65 20 73 6d 62 72 69 64 67 65 20 69 73 20 The smbridge is
# 10: 75 73 65 64 20 62 79 20 31 37 32 2e 32 30 2e 34 used by 172.20.4
# 20: 35 2e 31 38 38 0a 0d 54 68 65 20 63 6c 69 65 6e 5.188..The clien
# 30: 74 20 69 73 20 63 6c 6f 73 65 64 21 0a 0d t is closed!..
if (match(string: r, pattern: 'The smbridge is used by*'))
{
register_service(port: port, proto: 'smbridge');
report_and_return(port: port, data: 'IBM OSA SMBridge seems to be running on this port.');
return 1;
}
# Running on 8649
# 00: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 <?xml version="1
# 10: 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 49 53 .0" encoding="IS
# 20: 4f 2d 38 38 35 39 2d 31 22 20 73 74 61 6e 64 61 O-8859-1" standa
# 30: 6c 6f 6e 65 3d 22 79 65 73 22 3f 3e 0a 3c 21 44 lone="yes"?>.<!D
# 40: 4f 43 54 59 50 45 20 47 41 4e 47 4c 49 41 5f 58 OCTYPE GANGLIA_X
# 50: 4d 4c 20 5b 0a 20 20 20 3c 21 45 4c 45 4d 45 4e ML [. <!ELEMEN
# 60: 54 20 47 41 4e 47 4c 49 41 5f 58 4d 4c 20 28 47 T GANGLIA_XML (G
# 70: 52 49 44 29 2a 3e 0a 20 20 20 20 20 20 3c 21 41 RID)*>. <!A
if (match(string: r, pattern: '<?xml version=*') && " GANGLIA_XML " >< r &&
"ATTLIST HOST GMOND_STARTED" >< r)
{
register_service(port: port, proto: 'gmond');
report_and_return(port: port, data: 'Ganglia monitoring daemon seems to be running on this port.');
return 1;
}
# Cf. www.nmscommunications.com
if (match(string: r, pattern: 'Natural MicroSystem CTAccess Server *'))
{
register_service(port: port, proto: 'ctaccess');
report_and_return(port: port, data: 'Natural MicroSystem CTAccess Server is running on this port.');
return 1;
}
# From Jason Johnson
if (r == '\x2f\x44\x94\x72')
{
register_service(port: port, proto: 'spysweeper');
report_and_return(port: port, data: 'Spy Sweeper Enterprise client seems to be running on this port.');
return 1;
}
# From Justin Fanning
if (r =~ '^\r\nEfficient [0-9]+ DMT Roter .* Ready.*Login:')
{
register_service(port: port, proto: 'efficient-router');
report_and_return(port: port, data: 'An Efficient router administration interface is running on this port.');
return 1;
}
# From Hartmut Steffin
# HG 1500 Router/Gate (GateKeeper?) built into a siemens HiPath3000
# This is a gate for IP phones.
# 000: 4b 4c 55 47 00 00 00 4a 00 03 00 01 00 00 00 42 KLUG...J.......B
# 010: 02 04 49 50 2d 53 77 41 20 56 30 31 2e 32 38 00 ..IP-SwA V01.28.
# 020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
if (match(string: r, pattern: 'KLUG\0*IP-SwA V*\0\0\0\0*'))
{
register_service(port: port, proto: 'hg-gate');
report_and_return(port: port, data: 'An HG gate for IP phones is running on this port.');
return 1;
}
# Contrib from Lior Rotkovitch
# 00: 32 32 30 20 41 78 69 73 20 44 65 76 65 6c 6f 70 220 Axis Develop
# 10: 65 72 20 42 6f 61 72 64 20 4c 58 20 72 65 6c 65 er Board LX rele
# 20: 61 73 65 20 32 2e 31 2e 30 20 28 4a 75 6c 20 32 ase 2.1.0 (Jul 2
# 30: 37 20 32 30 30 34 29 20 72 65 61 64 79 2e 0a 35 7 2004) ready..5
# 40: 30 33 20 42 61 64 20 73 65 71 75 65 6e 63 65 20 03 Bad sequence
# 50: 6f 66 20 63 6f 6d 6d 61 6e 64 73 2e 0d 0a of commands...
if (match(string: r, pattern: '220 Axis Developer Board*ready*503 Bad sequence*'))
{
report_service(port: port, svc: 'axis-developer-board');
return 1;
}
# From Guenther Konrad
# 00: 68 6f 73 74 73 2f 4b 4c 55 30 31 30 36 65 0a 4b hosts/KLU0106e.K
# 10: 4c 55 30 31 30 35 65 0a LU0105e.
if (substr(r, 0, 5) == 'hosts/')
{
v = split(substr(r, 6), sep: '\n', keep: 0);
if (max_index(v) == 2)
{
register_service(port: port, proto: 'ibm-pssp-spseccfg');
rep = 'IBM PSSP spseccfg is running on this port.\n';
if (strlen(v[0]) > 0)
rep += 'It reports that the DCE hostname is "' + v[0] + '".\n';
else
rep += 'DCE is not configured on this host\n';
rep += 'The system partition name or the local hostname is "' + v[1] + '".';
report_and_return(port: port, data: rep);
return 1;
}
}
# Port 4466
if (r == '\x30\x20\x39\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00')
{
register_service(port: port, proto: 'ibm-pssp-switchtbld');
report_and_return(port: port, data: 'IBM PSSP switchtbld is running on this port.');
return 1;
}
# 0x00: 15 03 00 00 02 02 0A .......
if (r == '\x15\x03\x00\x00\x02\x02\x0A' ||
r == '\x15\x03\x01\x00\x02\x02\x0A' )
{
report_and_return(port: port, data:
'An unknown server is running on top of SSL/TLS on this port.
You should change find_service preferences to look for
SSL based services and restart your scan.
');
register_service(port: port, proto: 'ssl');
return 1;
}
# 01 00 08 00 00 00 0a 8b f2 58 ca
# 01 00 08 00 00 00 0a 1d 0d 91 84
# 01 00 08 00 00 00 0a cf 99 84 25 ff 00 1e 00 1c 49 6e 76 61 6c 69 64 20 70 61 63 6b 65 74 20 77 69 74 68 20 74 79 70 65 20 31 32 39
# 01 00 08 00 00 00 0a 32 54 b0 a5
if (r_len > 7 && substr(r, 0, 6) == '\x01\x00\x08\x00\x00\x00\x0a')
{
# Let's use the same name as Amap because of external_svc_ident.nasl
register_service(port: port, proto: 'apache-tomcat-connector_ajp12');
report_and_return(
port: port,
data:
'The remote service is a Webapp Connector (also known as a WARP\n' +
'Connector), a connector component typically associated with older\n' +
'versions of Apache Tomcat that communicates with a web connector\n' +
'via the WARP protocol.\n'
);
return 1;
}
# Should be caught by find_service1.nasl, I add this in case it did not
# answer to GET / ...
if (match(string: r, pattern: 'GPSD,E=?,*'))
{
register_service(port:port, proto:"gpsd");
report_and_return(port:port, data:"gpsd is running on this port.");
return 1;
}
if (r == 'ERR password required\r\n'
&& rget == 'ERR password required\r\nERR password required\r\n')
{
register_service(port: port, proto: 'fli4l-imonc');
report_and_return(port: port, data: 'imonc might be running on this port.');
return 1;
}
# Does not answer to GET, only to HELP
if (r == '\x06\x00\x00\x00\x00\x00\x1a\x00\x00\x00')
{
register_service(port: port, proto: 'mldonkey-gui');
report_and_return(port: port, data: 'MLDonkey is running on this port (GUI access).');
return 1;
}
# From Dave Hellman
# Runs on port 900
if (r == '\x12\x00\x00\x80\x01\x10\xDC\x8A\x01\x00\x00\x00\x00\x04\x00\x00\x00\x41\x27\x07\x80\x00')
{
register_service(port: port, proto: 'quest-intrust');
report_and_return(port: port, data: 'Intrust (from Quest software) is running on this port.');
return 1;
}
# <html>
# <head><title>400 Bad Request</title></head>
# <body bgcolor="white">
# <center><h1>400 Bad Request</h1></center>
# <hr><center>nginx/0.7.65</center>
# </body>
# </html>
if (match(string: r, pattern: '<html>\r\n<head><title>400 Bad Request</title></head>\r\n<body bgcolor="*">\r\n<center><h1>400 Bad Request</h1></center>\r\n<hr><center>nginx/*</center>\r\n</body>\r\n</html>\r\n'))
{
register_service(port: port, proto: 'www');
report_and_return(port: port, data:
'nginx is running on this port.
This web server should have been detected earlier; increase the network
timeout and/or decrease the parallelism.');
return 1;
}
# If you do not want to "double check", uncomment the next two lines
# if (! r0) set_unknown_banner(port: port, banner: r);
# return 1;
########################################################################
# **** WARNING **** #
# Do not add anything below unless it should handled by find_service #
# or find_service1 or find_service_3digits #
# The exception is qotd -- look at the bottom of the file #
########################################################################
########################################################################
# All the following services should already have been identified by #
# find_service1.nasl or find_service1.nasl; anyway, we double check in #
# case they failed... #
########################################################################
# See http://www.varnish-cache.org/
# 101 32
# all commands are in lower-case.
# (the first number appears to be a code, e.g. 200 for OK; the 2nd is the
# length of the answer)
if (match(string: r, pattern: '101 *\nall commands are in lower-case.\n*'))
{
register_service(port: port, proto: 'varnish_mngt');
report_and_return(port: port, data: "Varnish Management is running on this port.");
return 1;
}
# Veritas Backup Exec Remote Agent (6103/tcp)
if (r == '\xf6\xff\xff\xff\x10' ||
r == '\xF6\xFF\xFF\xFF\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' )
{
register_service(port: port, proto: "backup_exec");
report_and_return(port: port, data: "Veritas Backup Exec Remote Agent seems to be running on this port.");
return 1;
}
if (r == 'HELP\r\n\r\n')
{
register_service(port: port, proto: 'echo');
return report_and_return(port:port, data: 'Echo "simple TCP/IP service" is running on this port.');
}
# Spamd (port 783) - permissive Regex, just in case
if (r =~ '^SPAMD/[0-9.]+ [0-9]+ Bad header line:')
{
register_service(port:port, proto:"spamd");
return report_and_return(port:port, data:"A SpamAssassin daemon is running on this port.");
}
# SOCKS5
if (strlen(r) >= 4 && ord(r[0]) == 5 && ord(r[1]) <= 8 && ord(r[2]) == 0 && ord(r[3]) <= 4 && ord(r[1]) == strlen(r) - 2)
{
register_service(port: port, proto: "socks5");
return report_and_return(port: port, data: "A SOCKS5 server seems to be running on this port.");
}
# SOCKS4
if (strlen(r) >= 3 && ord(r[0]) == 0 && ord(r[1]) >= 90 && ord(r[1]) <= 93)
{
register_service(port: port, proto: "socks4");
return report_and_return(port: port, data: "A SOCKS4 server seems to be running on this port.");
}
if (pgrep(pattern:"^\+OK.*POP2.*", string:r, icase:1) )
{
register_service(port:port, proto:"pop2");
return report_and_return(port: port, data: "A pop2 server seems to be running on this port.");
}
else if (pgrep(pattern:"^\+OK.*POP.*", string:r, icase:1) )
{
register_service(port:port, proto:"pop3");
return report_and_return(port: port, data: "A pop3 server seems to be running on this port.");
}
# FTP - note that SMTP & SNPP also return 220 & 214 codes
if (pgrep(pattern:"^220[- ].*FTP", string:r, icase: 1) ||
pgrep(pattern:"^214-? .*FTP", string: r, icase: 1) ||
pgrep(pattern:"^220[- ].*CrownNet", string: r, icase: 1) ||
pgrep(pattern:"^220 Axis.*Network Camera", string: r, icase: 1) ||
(pgrep(pattern:"^220 ", string:r)
&& pgrep(pattern: "^530 Please login with USER and PASS", string: r, icase: 1) )
)
{
banner = pgrep(pattern:"^2[01][04]-? ", string: r);
k = "ftp/banner/" + port;
replace_kb_item(name: k, value: banner);
register_service(port: port, proto: "ftp");
return report_and_return(port: port, data: "An FTP server seems to be running on this port.");
}
# SMTP
if (pgrep(pattern:"^220[ -].*(SMTP|mail)", string:r, icase: 1) ||
pgrep(pattern:"^214[ -].*(HELO|MAIL|RCPT|DATA|VRFY|EXPN)", string: r) ||
pgrep(pattern:"^220[ -].*OpenVMS.*ready", string: r) ||
pgrep(pattern:"^554 +E?SMTP ", string: r) ||
pgrep(pattern:"^421[ -].*SMTP", string: r))
{
banner = pgrep(pattern:"^[245][0-5][0-4][ -]", string: r);
k = "smtp/banner/" + port;
replace_kb_item(name: k, value: banner);
register_service(port: port, proto: "smtp");
return report_and_return(port: port, data: "An SMTP server seems to be running on this port.");
}
if ( '(gdb)\nerror, message' >< r )
{
register_service(port:port, proto: "gdb");
report_and_return(port: port, data: "A gdb remote debugger seems to be running on this port.");
return 1;
}
# NNTP
if (pgrep(pattern: "^200 .*(NNTP|NNRP)", string: r) ||
pgrep(pattern: "^100 .*commands", string: r, icase: 1))
{
banner = pgrep(pattern:"^200 ", string: r);
if (banner)
{
k = "nntp/banner/" + port;
replace_kb_item(name: k, value: banner);
}
register_service(port: port, proto: "nntp");
return report_and_return(port: port, data: "An NNTP server seems to be running on this port.");
}
# SSH
banner = pgrep(pattern: "^SSH-", string: r);
if (banner)
{
register_service(port: port, proto: "ssh");
return report_and_return(port: port, data: "An SSH server seems to be running on this port.");
}
# Contrib from Maarten
# 00: 0d 0a 44 65 73 74 69 6e 61 74 69 6f 6e 20 73 65 ..Destination se
# 10: 72 76 65 72 20 64 6f 65 73 20 6e 6f 74 20 68 61 rver does not ha
# 20: 76 65 20 53 73 68 20 61 63 74 69 76 61 74 65 64 ve Ssh activated
# 30: 2e 0d 0a 43 6f 6e 74 61 63 74 20 43 69 73 63 6f ...Contact Cisco
# 40: 20 53 79 73 74 65 6d 73 2c 20 49 6e 63 20 74 6f Systems, Inc to
# 50: 20 70 75 72 63 68 61 73 65 20 61 0d 0a 6c 69 63 purchase a..lic
# 60: 65 6e 73 65 20 6b 65 79 20 74 6f 20 61 63 74 69 ense key to acti
# 70: 76 61 74 65 20 53 73 68 2e 0d 0a vate Ssh...
if ("Destination server does not have Ssh activated" >< r)
{
register_service(port: port, proto: "disabled-ssh");
return report_and_return(port: port, data: "A disabled SSH service seems to be running on this port.");
}
# Auth
if (pgrep(string: r, pattern:"^0 *, *0 *: * ERROR *:") )
{
register_service(port: port, proto: "auth");
return report_and_return(port: port, data: "An Auth/ident server seems to be running on this port.");
}
# Finger
if ((pgrep(string: r, pattern: "HELP: no such user", icase: 1)) ||
(pgrep(string :r, pattern: ".*Line.*User.*Host", icase:1)) ||
(pgrep(string:r, pattern:".*Login.*Name.*TTY", icase:1)) ||
'?Sorry, could not find "GET"' >< r ||
'Login name: HELP' >< r ||
(('Time Since Boot:' >< r) && ("Name pid" >< r) ))
{
register_service(port: port, proto: "finger");
return report_and_return(port: port, data: "A finger server seems to be running on this port.");
}
# HTTP
if (("501 Method Not Implemented" >< r) || (preg(string: r, pattern: "^HTTP/1\.[01]")) || "action requested by the browser" >< r)
{
register_service(port: port, proto: "www");
return report_and_return(port: port, data: "A web server seems to be running on this port.");
}
# BitTorrent - no need to send anything to get the banner, in fact
if (r =~ "^BitTorrent protocol")
{
register_service(port: port, proto: "BitTorrent");
return report_and_return(port: port, data: "A BitTorrent server seems to be running on this port.");
}
# Jabber C2S and S2S servers return the same error and cannot be identified
# precisely by this test only.
if (match(string: r, pattern: "<stream:stream xmlns:stream='http://etherx.jabber.org/streams'*</stream:stream>", icase: 1) ||
# Jabber (http://www.jabber.org) detection (usually on 5222/tcp).
"<stream:error>Invalid XML</stream:error>" >< r ||
# Oracle Messenger (Jabber) detection (usually on 5222/tcp,5223/tcp for TLS).
"<stream:error>Connection is closing</stream:error></stream:stream>" >< r)
{
register_service(port: port, proto: "jabber");
return report_and_return(port: port, data: "A jabber server seems to be running on this port.");
}
# Zebra vty
if (r =~ "Hello, this is ([Zz]ebra|[Qq]uagga)")
{
register_service(port: port, proto: "zebra");
replace_kb_item(name: "zebra/banner/"+port, value: r);
return report_and_return(port: port, data: "A zebra daemon is running on this port.");
}
# Zebra vty
if ("Vty password is not set" >< r)
{
register_service(port: port, proto: "zebra-unconfigured");
replace_kb_item(name: "zebra-unconfigured/banner/"+port, value: r);
return report_and_return(port: port, data: "An unconfigured zebra daemon is running on this port.");
}
# IMAP4
if (
pgrep(pattern:"^\* *OK .* IMAP", string:r) ||
pgrep(pattern:"^\* *OK IMAP ", string:r)
)
{
register_service(port: port, proto: "imap");
replace_kb_item(name: "imap/banner/"+port, value: r);
return report_and_return(port: port, data: "An IMAP server is running on this port.");
}
if ("cvs [pserver]" >< r ||
"cvs [server aborted" >< r )
{
register_service(port: port, proto: "cvspserver");
return report_and_return(port: port, data: "A CVS pserver is running on this port.");
}
if ("@ABCDEFGHIJKLMNOPQRSTUV" >< r )
{
register_service(port:port, proto: "chargen");
return report_and_return(port: port, data: "A chargen server is running on this port.");
}
# This is an IRC bouncer!
if ( pgrep(pattern:":Welcome!.*NOTICE.*psyBNC", icase:TRUE, string:r ) )
{
register_service(port:port, proto: "irc-bnc");
return report_and_return(port: port, hole: 1, data: "psyBNC seems to be running on this port.");
}
if ( r =~ "\[BNC [0-9.]+" )
{
register_service(port:port, proto: "BNC");
return report_and_return(port: port, hole: 1, data: "A BNC proxy seems to be running on this port.");
}
if ( "CCProxy Telnet Service Ready" >< r )
{
register_service(port:port, proto: "ccproxy-telnet");
report_and_return(port: port, data: "CCProxy (telnet) seems to be running on this port.");
return 1;
}
if ( "CCProxy FTP Service" >< r )
{
register_service(port:port, proto: "ccproxy-ftp");
report_and_return(port: port, data: "CCProxy (ftp) seems to be running on this port.");
return 1;
}
if ( "CCProxy " >< r && "SMTP Service Ready" >< r )
{
register_service(port:port, proto: "ccproxy-smtp");
report_and_return(port: port, data: "CCProxy (smtp) seems to be running on this port.");
return 1;
}
# 54 6F 6F 20 4D 61 6E 79 20 55 73 65 72 73 2E 20 Too Many Users.
# 50 6C 65 61 73 65 20 63 6F 6E 74 61 63 74 20 59 Please contact Y
# 6F 75 6E 67 7A 73 6F 66 74 20 66 6F 72 20 73 75 oungzsoft for su
# 70 70 6F 72 74 20 6F 66 20 6D 6F 72 65 20 75 73 pport of more us
# 65 72 73 2E ers.
if (match(string: r, pattern: 'Too Many Users. Please contact Youngzsoft*'))
{
register_service(port:port, proto: "ccproxy");
report_and_return(port: port, data: "An overloaded CCProxy seems to be running on this port.");
return 1;
}
if ( "CMailServer " >< r && "SMTP Service Ready" >< r )
{
register_service(port:port, proto: "cmailserver-smtp");
report_and_return(port: port, data: "CMailServer (smtp) seems to be running on this port.");
return 1;
}
# 0000000 30 11 00 00 00 00 00 00 d7 a3 70 3d 0a d7 0d 40
# 0 021 \0 \0 \0 \0 \0 \0 x PS p = \n x \r @
# 0000020 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00
# \0 \0 \0 \0 \0 \0 \0 \0 001 \0 \0 \0 001 \0 \0 \0
# 0000040 00 00 00 00 02 00 00 00
# \0 \0 \0 \0 002 \0 \0 \0
# 0000050
if ((r =~ '^\x30\x11\x00\x00\x00\x00\x00\x00') && (r_len == 40))
{
register_service(port: port, proto: 'dameware');
report_and_return(port: port, data: "Dameware seems to be running on this port.");
return 1;
}
if ( strlen(r) > 4 )
{
local_var l, ver;
l = ord(r[0]) + (ord(r[1]) << 8) + (ord(r[2]) << 16);
if (
(
# just the HIP or...
strlen(r) == (l+4) ||
# HIP + error packet
strlen(r) > (l+4+4) && ord(r[l+4+4]) == 0xff
) &&
ord(r[3]) == 0 &&
ord(r[4]) > 0
)
{
# A SpinxQL listener look a lot like MySQL but can be
# differentiated by the auth_plugin_data field having
# a constant value of \x01\x02\x03\x04\x05\x06\x07\x08
local_var auth_plugin_data_index, auth_plugin_data;
auth_plugin_data_index = stridx(r, '\x00', 5) + 5;
auth_plugin_data = substr(r, auth_plugin_data_index, auth_plugin_data_index + 7);
if (auth_plugin_data == '\x01\x02\x03\x04\x05\x06\x07\x08')
{
register_service(port:port, proto: "sphinxql");
report_and_return(port:port, data: "A Sphinx search server SphinxQL listener is running on this port.");
return 1;
}
# MySQL
l = ord(r[4]);
# nb: 'ver' denotes the start of the version string but includes
# other stuff after it.
ver = substr(r, 5, l+5-1-1);
if (ver =~ '^[0-9.]+\\.[0-9.]+\\.[0-9.]+')
{
register_service(port: port, proto: 'mysql');
report_and_return(port: port, data: "A MySQL server is running on this port.");
return 1;
}
else if (ver =~ '^[0-9.]+\\.[0-9.]+-')
{
register_service(port: port, proto: 'mysql_im');
report_and_return(port: port, data: "A MySQL Instance Manager is running on this port.");
return 1;
}
}
}
if ( '501 "Invalid command"' >< r && preg(pattern:"^[0-9][0-9][0-9].+(MailSite|WorldMail) Mail Management Server .+ ready", string:r) )
{
local_var vendor;
register_service(port: port, proto: "mailma");
if ("WorldMail " >< r) vendor = "WorldMail";
else vendor = "MailSite";
return report_and_return(port: port, data: vendor+"'s Mail Management Agent (MAILMA) seems to be running on this port.");
}
if ( pgrep(pattern:"^[0-9][0-9][0-9][0-9]-NMAP \$Revision: .+Help", string:r) )
{
register_service(port:port, proto: "novell_nmap");
report_and_return(port: port, data:'A Novell Network Messaging Application Protocol (NMAP) agent seems\r\nto be running on this port.');
return 1;
}
if ( "Open DC Hub, version" >< r && "administrators port" >< r )
{
register_service(port:port, proto: "opendchub");
report_and_return(port: port, data: "Open DC Hub Administrative interface (peer-to-peer) seems to be running on this port.");
return 1;
}
if ( preg(pattern:"^$MyNick ", string:r) )
{
register_service(port:port, proto: "DirectConnect");
report_and_return(port: port, data: "Direct Connect seems to be running on this port.");
return 1;
}
# PPT protocol is documented here:
if (stridx(r, "PPT Can not negotiate, client started the connection with") == 0)
{
register_service(port:port, proto: "PPT");
report_and_return(port: port, data: "An OPeNDAP Back End Server (BES) is listening on this port.");
return 1;
}
# This should be handled by find_service1.nasl.
if ( preg(pattern:"^RFB 00[0-9]\.00", string:r) )
{
register_service(port:port, proto: "vnc");
report_and_return(port: port, data: "A VNC server seems to be running on this port.");
return 1;
}
if ( preg(pattern:"^RFB 003\.889$", string:r) )
{
register_service(port:port, proto: "ard");
report_and_return(port: port, data: "Apple Remote Desktop is running on this port.");
return 1;
}
if ( pgrep(pattern:"^BZFS00", string:r) )
{
register_service(port:port, proto:"bzFlag");
report_and_return(port: port, data: "A bzFlag server seems to be running on this port.");
return 1;
}
# Keep this before MSDTC!
if (r == '\x70\x63\x70\x00\x00\x02')
{
register_service(port: port, proto: 'ekpd');
report_and_return(port: port, data:
"EKPD, a component of Seiko Epson Color Inkjet printing driver for Linux,
is running on this port.");
exit(0);
}
# MS DTC banner is longer that 3 bytes, when we properly handle null bytes
# This test is copied from find_service1, but sometimes, find_service1
# does not catch it.
if ((r_len == 5 || r_len == 6) && r[3] == '\0' &&
r[0] != '\0' && r[1] != '\0' && r[2] != '\0')
{
register_service(port: port, proto: "msdtc");
report_and_return(port: port, data: "An MSDTC server seems to be running on this port.");
return 1;
}
# MS DTC (obsolete)
if (r_len == 3 && (r[2] == '\x10'|| # same test as find_service
r[2] == '\x0b') ||
r == '\x78\x01\x07' || r == '\x10\x73\x0A' || r == '\x78\x01\x07' ||
r == '\x08\x40\x0c' )
{
register_service(port: port, proto: "msdtc");
report_and_return(port: port, data: "An MSDTC server seems to be running on this port.");
return 1;
}
# MA 2008-08-30
# Taken from find_service1 -- for some reason, msdtc was missed at least once
# Examples:
# 00: 90 a2 0a 00 80 94 ..
# 00: F8 2D 0B 00 00 16 .-....
if ((r_len == 5 || r_len == 6) && r[3] == '\0' &&
r[0] != '\0' && r[1] != '\0' && r[2] != '\0')
{
register_service(port: port, proto: "msdtc");
report_and_return(port: port, data: "An MSDTC server seems to be running on this port.");
return 1;
}
if (r == 'GIOP\x01')
{
register_service(port:port, proto:"giop");
report_and_return(port: port, data: "A GIOP-enabled service is running on this port.");
return 1;
}
# http://synergy2.sourceforge.net/
if ( r == '\x00\x00\x00\x0B\x53\x79\x6E\x65\x72\x67\x79\x00\x01\x00\x03' )
{
register_service(port:port, proto:"synergy");
report_and_return(port: port, data: "A Synergy server is running on this port.");
return 1;
}
# 00: 22 49 4d 50 4c 45 4d 45 4e 54 41 54 49 4f 4e 22 "IMPLEMENTATION"
# 10: 20 22 43 79 72 75 73 20 74 69 6d 73 69 65 76 65 "Cyrus timsieve
# 20: 64 20 76 32 2e 32 2e 33 22 0d 0a 22 53 41 53 4c d v2.2.3".."SASL
# 30: 22 20 22 50 4c 41 49 4e 22 0d 0a 22 53 49 45 56 " "PLAIN".."SIEV
# 40: 45 22 20 22 66 69 6c 65 69 6e 74 6f 20 72 65 6a E" "fileinto rej
# 50: 65 63 74 20 65 6e 76 65 6c 6f 70 65 20 76 61 63 ect envelope vac
# 60: 61 74 69 6f 6e 20 69 6d 61 70 66 6c 61 67 73 20 ation imapflags
# 70: 6e 6f 74 69 66 79 20 73 75 62 61 64 64 72 65 73 notify subaddres
# 80: 73 20 72 65 6c 61 74 69 6f 6e 61 6c 20 72 65 67 s relational reg
# 90: 65 78 22 0d 0a 22 53 54 41 52 54 54 4c 53 22 0d ex".."STARTTLS".
# a0: 0a 4f 4b 0d 0a .OK..
if (match(string: r, pattern: '"IMPLEMENTATION" "Cyrus timsieved v*"*"SASL"*'))
{
register_service(port: port, proto: 'sieve');
report_and_return(port: port, data: 'Sieve mail filter daemon seems to be running on this port.');
return 1;
}
#
# xtris is a multiplayer tetris game.
#
# https://github.com/gentoo/gentoo/tree/master/games-puzzle/xtris
#
if ( hexstr(r) == "000000020114" )
{
register_service(port: port, proto: 'xtris');
report_and_return(port: port, data: 'An xtris game server is listening on this port.');
return 1;
}
# Contrib from Roland Clobus,
# http://mail.nessus.org/pipermail/nessus/2006-July/msg00116.html
# 0x00: 77 65 6C 63 6F 6D 65 20 74 6F 20 74 68 65 20 70 welcome to the p
# 0x10: 69 6F 6E 65 65 72 73 2D 6D 65 74 61 2D 73 65 72 ioneers-meta-ser
# 0x20: 76 65 72 20 76 65 72 73 69 6F 6E 20 31 2E 33 0A ver version 1.3.
#
# nb: this will always be on port 5557/tcp according to Roland.
if ("welcome to the pioneers-meta-server version" >< r)
{
register_service(port: port, proto: 'pioneers-meta-server');
report_and_return(port:port, data:"A meta server for the game Pioneers is running on this port.");
return 1;
}
# Contribution from Mark Phillips,
# 0x00: 02 80 02 82 70 62 04 82 6E 6F 6E 65 ....pb..none
#
# http://www.zenoss.com/
if (r == raw_string(0x02, 0x80, 0x02, 0x82, "pb", 0x04, 0x82, "none"))
{
register_service(port:port, proto:'zenhub');
report =
'A zenhub daemon appears to be running on this port. Zenhub is a\n' +
'component of the Zenoss network and systems monitoring application suite\n' +
'that serves as an intermediary connection for almost all Zenoss\n' +
'collection daemons to the Zeo and MySQL databases on the remote host.';
report_and_return(port:port, data:report);
return 1;
}
# See <http://www.faqs.org/docs/ZopeBook/ZEO.html>.
if (r == raw_string(0x00, 0x00, 0x00, 0x04, "Z303"))
{
register_service(port:port, proto:'zss');
report =
'A ZEO Storage Server is listening on the remote host. Zope Enterprise\n' +
'Objects, or ZEO, is a system used for clustering and load-balancing web\n' +
'servers, and a ZEO Storage Server provides a centralized data store for\n' +
'ZEO clients.';
report_and_return(port:port, data:report);
return 1;
}
# Contribution from Ian Ward Comfort.
#
# http://www.sassafras.com/
if ("'QUIT','close KSQL session'" >< r)
{
register_service(port:port, proto:'k2-keyserver');
report =
'A K2 KeyServer daemon is listening on this port. K2 is a toolkit for\n' +
'auditing and license management, and KeyServer is its central auditing\n' +
'and license server component.\n';
report_and_return(port:port, data:report);
return 1;
}
if ('Argus running\n' == r)
{
register_service(port:port, proto:'Argus');
report_and_return(port:port, data:"Argus is running on the remote host.");
return 1;
}
# Part of Versant Object Database, http://www.versant.com/
if (
strlen(r) == 0x44 &&
substr(r, 0, 3) == raw_string(0x01, 0x01, 0x00, 0x50) &&
substr(r, 0x40, 0x43) == raw_string(0xff, 0xff, 0x8a, 0x6a)
)
{
register_service(port:port, proto:'versant_sqlnw');
report_and_return(port:port, data:"A Versant SQL Listener is running on the remote host.");
return 1;
}
# Teamspeak, http://teamspeak.com/
#
# submitted by Arne Bracht.
if (stridx(r, '[TS]\r\ncommand overview:') == 0)
{
register_service(port:port, proto:'teamspeak-tcpquery');
report_and_return(port:port, data:"A TeamSpeak TCPQUERY server is listening on the remote host.");
return 1;
}
# SupportWorks ITSM, http://www.hornbill.com/products/
#
# submitted by John Soltys.
if ("Supportworks Mail Server ready <" >< r)
{
register_service(port:port, proto:'swmailservice');
report_and_return(port:port, data:"The remote service is a Supportworks Mail Server.");
return 1;
}
if ("Supportworks Helpdesk ready <" >< r)
{
register_service(port:port, proto:'swserverservice');
report_and_return(port:port, data:"The remote service is the Supportworks main server, to which\nSupportworks clients connect.");
return 1;
}
if ("Support-Works Messenger Server " >< r)
{
register_service(port:port, proto:'swmessengerservice');
report_and_return(port:port, data:"The remote service is the Supportworks Messenger, which is responsible\nfor popping up messages on Windows workstations.");
return 1;
}
# Lexmark / Dell Laser Printer.
#
# Submitted by Daniel Frazier.
if (stridx(r, 'LXK: \r\nbad command: HELP') == 0)
{
register_service(port:port, proto:'lexmark_admin');
report_and_return(port:port, data:"The admin service for a Lexmark printer is listening on this port.");
return 1;
}
# m-Router
#
# Submitted by David.
if (r == ' \x00\x02\x00')
{
register_service(port:port, proto:'mrouter');
report_and_return(port:port, data:"The remote service appears to be m-Router, used for connecting a\nmobile device to the computer.");
return 1;
}
if (r == '220\r\n')
{
register_service(port:port, proto: "220backdoor");
return 1;
}
# HP Printer.
#
# nb: these banners can also be seen as spontaneous banners or
# responses to GET requests.
if (
stridx(r, '@PJL USTATUS TIMED\r\n') == 0 ||
stridx(r, '@PJL USTATUS DEVICE\r\n') == 0
)
{
register_service(port:port, proto:"appsocket");
report_and_return(port:port, data:'A Socket API service, commonly associated with print servers, is\nlistening on this port.');
return 1;
}
# CrashPlan.
#
# Submitted by David Franco.
if ("com.code42.messaging.security.DHPublicKeyMessage" >< r)
{
register_service(port:port, proto:"crashplan");
report_and_return(port:port, data:'The CrashPlan backup engine service is listening on this port.');
return 1;
}
# Cirrato client
# http://www.cirrato.com/how-it-works/faq/#what-network-ports-need-to-be-open-for-cirrato-to-work
#
# Submitted by Peter Eriksson
if ("Cirrato Client " >< r)
{
register_service(port:port, proto:"cirrato_client");
report_and_return(port:port, data:'A Cirrato client is listening on this port.');
return 1;
}
# ncacn_http
#
# nb: this will generally be picked up by find_service.nasl.
if (substr_at_offset(str:r, blob:"ncacn_http/1.", offset:0))
{
if ( port == 593 )
{
register_service(port:port, proto:"http-rpc-epmap");
report_and_return(port:port, data:'An http-rpc-epmap server is running on this port.');
}
else
{
register_service(port:port, proto:"ncacn_http");
report_and_return(port:port, data:'An ncacn_http server is running on this port.');
}
return 1;
}
# Taken from find_service1 -- for some reason it was missed at least once.
if((r_len > 8) && (substr(r,0,7) == '\x2E\x4E\x45\x54\x01\x00\x02\x00'))
{
register_service(port: port, proto: "remoting_tcp");
# nb: let dotnet_remoting_services_detect.nasl report it.
return 1;
}
# Seems to be slow
if ( '************' >< r &&
' Telnet Administration \r\n' >< r && ' SAP J2EE Engine v' >< r)
{
register_service(port: port, proto: 'sap-j2ee-telnet-admin');
report_and_return(port: port, data:
"A SAP J2EE engine administration service (Telnet) is running on this port.");
return 1;
}
# Taken from find_service -- for some reason it was missed at least once.
if (r =~ "^220 " && "VMware Authentication Daemon" >< r)
{
register_service(port: port, proto: 'vmware_auth');
report_and_return(port: port, data: "A VMware authentication daemon is running on this port.");
return 1;
}
#
# Keep verity-k2 at the end of the list, as it may generate false detection
#
if (r == '-1101\0')
{
register_service(port:port, proto:'verity-k2');
report_and_return(port:port, data:'A Verity K2 Service (Search, Admin or Index), commonly installed\nwith ColdFusion MX, is running on this port.');
return 1;
}
#
# Keep qotd at the end of the list, as it may generate false detection
#
if ( r =~ '^"[^"]+"[ \t\r\n]+[^+*@(){}\\\\/@0-9_]+[ \t\r\n]+\\([0-9]+(-[0-9]+)?\\)[ \t\r\n]+$'
#r =~ '^"[^"]+"[ \t\r\n]+[A-Za-z -]+[ \t\r\n]+\\([0-9]+(-[0-9]+)?\\)[ \t\r\n]+$'
|| pgrep(pattern: "^[A-Za-z. -]+\([0-9-]+\)", string: r) )
{
register_service(port:port, proto: "qotd");
report_and_return(port: port, data: "qotd seems to be running on this port");
return 1;
}
if ( r == 'A\x01\x02\x00' ) # This is already detected by find_service.nasl
{
register_service(port:port, proto: "smux");
report_and_return(port: port, data: "An SNMP Multiplexer (smux) seems to be running on this port");
return 1;
}
if ( "ASSOC" >< r &&
"ATTRIB" >< r &&
"AT" >< r &&
"BREAK" >< r )
{
register_service(port:port, proto: "possibly-ciscoworks-ipm");
return 1;
}
#0000 14 00 01 00 0d 0a 01 37 51 c3 00 00 08 00 00 00 .......7Q.......
#0010 00 69 43 00 .iC.
if(strlen(r) == 20 && hex2raw(s: "140001000d0a013751c300000800000000694300") >< r )
{
register_service(port: port, proto: "Fujitsu-systemcast-deployment-server");
report_and_return(port: port, data: "Fujitsu systemcast deployment server seems to be running on this port.");
return 1;
}
# Measuresoft ScadaPro
if ("-1,8002" >< r && port == 11234)
{
register_service(port: port, proto: 'scadapro-ipc');
report_and_return(port: port, data: 'Measuresoft ScadaPro IPC service (service.exe) seems to be running on this port.');
return 1;
}
return 0;
}
#-------------------------------------------------------------------------------------------------------------#
if ( NASL_LEVEL < 3203 )
{
#
# Nessus 2.x, 3.0.x
#
port = get_kb_item("Services/unknown");
if (! port) exit(0);
if (! get_port_state(port)) exit(0);
if (! service_is_unknown(port: port)) exit(0);
# Check only mute services?
r0 = get_unknown_banner(port: port, dontfetch: 1);
if (!isnull(r0) && identify(r:r0, port:port) ) exit(0);
soc = open_sock_tcp(port);
if (! soc) exit(0);
send(socket: soc, data: 'HELP\r\n');
r = recv(socket:soc, length:4096);
close(soc);
if (isnull(r)) exit(0);
rget = get_kb_banner(port:port, type:'get_http');
set_kb_banner(port:port, type: 'help', banner: r);
identify(r:r, port:port, rget:rget);
########################################################################
# Unidentified service #
########################################################################
if (isnull(r0)) set_unknown_banner(port: port, banner: r);
}
else
{
# Nessus 3.2.x
ports = get_kb_list("Services/unknown");
if ( isnull(ports) ) audit(AUDIT_SVC_KNOWN);
ports = make_list(ports);
foreach port ( ports )
{
if ( get_port_state(port) && service_is_unknown(port: port))
{
r0 = get_unknown_banner(port: port, dontfetch: 1);
if (isnull(r0) || !identify(r:r0, port:port) )
port_push(port);
}
}
for ( i = 0 ; i < MAX_SIMULT_CONNECTIONS ; i ++ )
if ( port_new() == FALSE ) break;
while ( select() != 0 ) usleep(5000);
foreach port ( keys(g_banners) )
{
r = g_banners[port];
if ( isnull(r) ) continue;
set_kb_banner(port: port, type:'help', banner: r);
rget = get_kb_banner(port: port, type:'get_http');
identify(r:r, port:port, rget:rget);
if (isnull(get_unknown_banner(port: port, dontfetch: 1))) set_unknown_banner(port: port, banner: r);
}
}