ID IPSWITCH_IMSERVER_DETECT.NASL Type nessus Reporter Tenable Modified 2012-07-20T00:00:00
Description
The remote service is an Ipswitch IM Server, the server portion of
Ipswitch Instant Messaging, a secure, instant messaging product
targeted at businesses and running on Windows.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(25761);
script_version("$Revision: 1.7 $");
script_cvs_date("$Date: 2012/07/20 18:51:35 $");
script_name(english:"Ipswitch Instant Messaging Server Detection");
script_summary(english:"Tries to log in to IMServer");
script_set_attribute(attribute:"synopsis", value:
"An instant messaging server is listening on the remote host." );
script_set_attribute(attribute:"description", value:
"The remote service is an Ipswitch IM Server, the server portion of
Ipswitch Instant Messaging, a secure, instant messaging product
targeted at businesses and running on Windows." );
script_set_attribute(attribute:"see_also", value:"http://www.ipswitch.com/products/instant_messaging/index.asp" );
script_set_attribute(attribute:"solution", value:
"Limit incoming traffic to this port if desired." );
script_set_attribute(attribute:"risk_factor", value:"None" );
script_set_attribute(attribute:"plugin_publication_date", value: "2007/07/25");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe",value:"cpe:/a:ipswitch:imserver");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Service detection");
script_copyright(english:"This script is Copyright (C) 2007-2012 Tenable Network Security, Inc.");
script_dependencies("find_service1.nasl");
script_require_ports("Services/unknown", 5177);
exit(0);
}
include("byte_func.inc");
include("global_settings.inc");
include("misc_func.inc");
if (thorough_tests && ! get_kb_item("global_settings/disable_service_discovery") )
{
port = get_unknown_svc(5177);
if (!port) exit(0);
}
else port = 5177;
if (known_service(port:port)) exit(0);
if (!get_tcp_port_state(port)) exit(0);
soc = open_sock_tcp(port);
if (!soc) exit(0);
set_byte_order(BYTE_ORDER_BIG_ENDIAN);
# Simulate a login.
req1 = mkdword(0x07) + mkdword(0x01);
req2 = raw_string(
0x80, 0xd5, 0x20, 0x4a, 0xef, 0x0d, 0x0a, 0xc0,
0xd9, 0x9f, 0x1e, 0x07, 0x4e, 0x81, 0xb4, 0xcf,
0x87, 0xc4, 0x1a, 0x75, 0x7c, 0x94, 0x1c, 0xb8,
0x84, 0x3d, 0x5d, 0xb6, 0xb6, 0xa8, 0xc7, 0xb9,
0xdd, 0x44, 0x1d, 0xcc, 0x59, 0x25, 0x9c, 0x2e,
0x47, 0xf7, 0xed, 0xcd, 0x47, 0x61, 0x72, 0x45,
0x0c, 0xd4, 0x77, 0x01, 0x8f, 0xf9, 0x91, 0xe8,
0x16, 0xeb, 0x19, 0xb1, 0x35, 0x37, 0x04, 0xe1,
0xf5, 0xf3, 0x15, 0x89, 0xf6, 0xbb, 0x8e, 0x4f,
0x99, 0x5d, 0x51, 0x2c, 0x4e, 0x3a, 0x0a, 0x3f,
0x67, 0x8e, 0x2b, 0x10, 0x4b, 0x09, 0xf1, 0xbb,
0x53, 0x76, 0xdd, 0x0f, 0xf1, 0x97, 0x39, 0xc0
);
send(socket:soc, data:req1+req2);
res1 = recv(socket:soc, length:8);
# If...
if (
# we got 8 characters and...
strlen(res1) == 8 &&
# the response equals our first packet
res1 == req1
)
{
# Receive the next packet.
res2 = recv(socket:soc, length:128);
subres2 = substr(res2, 0, 7);
# If that looks like...
if (
# an unsuccessful login response or...
subres2 == raw_string(0x88, 0x50, 0xb7, 0x26, 0xc4, 0x8f, 0x4f, 0x09) ||
# a successful login response
subres2 == raw_string(0xd9, 0x9f, 0x1e, 0x07, 0x4e, 0x81, 0xb4, 0xcf)
)
{
# Register and report the service.
register_service(port:port, ipproto:"tcp", proto:"ipswitch_imserver");
security_note(port);
}
}
close(soc);
{"id": "IPSWITCH_IMSERVER_DETECT.NASL", "bulletinFamily": "scanner", "title": "Ipswitch Instant Messaging Server Detection", "description": "The remote service is an Ipswitch IM Server, the server portion of\nIpswitch Instant Messaging, a secure, instant messaging product\ntargeted at businesses and running on Windows.", "published": "2007-07-25T00:00:00", "modified": "2012-07-20T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=25761", "reporter": "Tenable", "references": ["http://www.ipswitch.com/products/instant_messaging/index.asp"], "cvelist": [], "type": "nessus", "lastseen": "2019-01-16T20:07:24", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The remote service is an Ipswitch IM Server, the server portion of Ipswitch Instant Messaging, a secure, instant messaging product targeted at businesses and running on Windows.", "edition": 1, "enchantments": {}, "hash": "b338b35c34063733a78e331feaf52b5c20afad05175d21d4418616da51774f19", "hashmap": [{"hash": "5064e58291b6fc9e55f12984b03c811d", "key": "title"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "f838653dadc0732215222a1e0fd8190f", "key": "pluginID"}, {"hash": "9c5a8f2ef03b47facd4049259ce36b6b", "key": "modified"}, {"hash": "a3d3c73c01505d0383b007174b5bb5ac", "key": "naslFamily"}, {"hash": "8dd0b937ef7d53628b57e61050f3bdf9", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "86dda90489f2c7a49a953e97c9aa38c8", "key": "sourceData"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00d3fa8e3b936f0414798e465a35dd1e", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "9d23f767c44de7677f1438b85e3e456b", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "b0f99b76baeebd6fa784b5c48bc7f1ce", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=25761", "id": "IPSWITCH_IMSERVER_DETECT.NASL", "lastseen": "2016-09-26T17:25:28", "modified": "2012-07-20T00:00:00", "naslFamily": "Service detection", "objectVersion": "1.2", "pluginID": "25761", "published": "2007-07-25T00:00:00", "references": ["http://www.ipswitch.com/products/instant_messaging/index.asp"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25761);\n script_version(\"$Revision: 1.7 $\");\n script_cvs_date(\"$Date: 2012/07/20 18:51:35 $\");\n\n script_name(english:\"Ipswitch Instant Messaging Server Detection\");\n script_summary(english:\"Tries to log in to IMServer\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An instant messaging server is listening on the remote host.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote service is an Ipswitch IM Server, the server portion of\nIpswitch Instant Messaging, a secure, instant messaging product\ntargeted at businesses and running on Windows.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.ipswitch.com/products/instant_messaging/index.asp\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Limit incoming traffic to this port if desired.\" );\n script_set_attribute(attribute:\"risk_factor\", value:\"None\" );\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/07/25\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\",value:\"cpe:/a:ipswitch:imserver\");\nscript_end_attributes();\n\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Service detection\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2012 Tenable Network Security, Inc.\");\n\n script_dependencies(\"find_service1.nasl\");\n script_require_ports(\"Services/unknown\", 5177);\n\n exit(0);\n}\n\n\ninclude(\"byte_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nif (thorough_tests && ! get_kb_item(\"global_settings/disable_service_discovery\") )\n{\n port = get_unknown_svc(5177);\n if (!port) exit(0);\n}\nelse port = 5177;\nif (known_service(port:port)) exit(0);\nif (!get_tcp_port_state(port)) exit(0);\n\n\nsoc = open_sock_tcp(port);\nif (!soc) exit(0);\n\n\nset_byte_order(BYTE_ORDER_BIG_ENDIAN);\n\n\n# Simulate a login.\nreq1 = mkdword(0x07) + mkdword(0x01);\nreq2 = raw_string(\n 0x80, 0xd5, 0x20, 0x4a, 0xef, 0x0d, 0x0a, 0xc0, \n 0xd9, 0x9f, 0x1e, 0x07, 0x4e, 0x81, 0xb4, 0xcf, \n 0x87, 0xc4, 0x1a, 0x75, 0x7c, 0x94, 0x1c, 0xb8, \n 0x84, 0x3d, 0x5d, 0xb6, 0xb6, 0xa8, 0xc7, 0xb9, \n 0xdd, 0x44, 0x1d, 0xcc, 0x59, 0x25, 0x9c, 0x2e, \n 0x47, 0xf7, 0xed, 0xcd, 0x47, 0x61, 0x72, 0x45, \n 0x0c, 0xd4, 0x77, 0x01, 0x8f, 0xf9, 0x91, 0xe8, \n 0x16, 0xeb, 0x19, 0xb1, 0x35, 0x37, 0x04, 0xe1, \n 0xf5, 0xf3, 0x15, 0x89, 0xf6, 0xbb, 0x8e, 0x4f, \n 0x99, 0x5d, 0x51, 0x2c, 0x4e, 0x3a, 0x0a, 0x3f, \n 0x67, 0x8e, 0x2b, 0x10, 0x4b, 0x09, 0xf1, 0xbb, \n 0x53, 0x76, 0xdd, 0x0f, 0xf1, 0x97, 0x39, 0xc0\n);\nsend(socket:soc, data:req1+req2);\nres1 = recv(socket:soc, length:8);\n\n\n# If...\nif (\n # we got 8 characters and...\n strlen(res1) == 8 &&\n # the response equals our first packet\n res1 == req1\n)\n{\n # Receive the next packet.\n res2 = recv(socket:soc, length:128);\n subres2 = substr(res2, 0, 7);\n \n # If that looks like...\n if (\n # an unsuccessful login response or...\n subres2 == raw_string(0x88, 0x50, 0xb7, 0x26, 0xc4, 0x8f, 0x4f, 0x09) ||\n # a successful login response\n subres2 == raw_string(0xd9, 0x9f, 0x1e, 0x07, 0x4e, 0x81, 0xb4, 0xcf)\n )\n {\n # Register and report the service.\n register_service(port:port, ipproto:\"tcp\", proto:\"ipswitch_imserver\");\n security_note(port);\n }\n}\nclose(soc);\n", "title": "Ipswitch Instant Messaging Server Detection", "type": "nessus", "viewCount": 0}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:25:28"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:ipswitch:imserver"], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The remote service is an Ipswitch IM Server, the server portion of Ipswitch Instant Messaging, a secure, instant messaging product targeted at businesses and running on Windows.", "edition": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "eb511278edf8b9bae5dbad2c42a8b588ad6fea4850c1475929cd23d4f6a22faf", "hashmap": [{"hash": "5064e58291b6fc9e55f12984b03c811d", "key": "title"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "5b14a29693a9fd434513104d4501a2c7", "key": "cpe"}, {"hash": "f838653dadc0732215222a1e0fd8190f", "key": "pluginID"}, {"hash": "9c5a8f2ef03b47facd4049259ce36b6b", "key": "modified"}, {"hash": "a3d3c73c01505d0383b007174b5bb5ac", "key": "naslFamily"}, {"hash": "8dd0b937ef7d53628b57e61050f3bdf9", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "86dda90489f2c7a49a953e97c9aa38c8", "key": "sourceData"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00d3fa8e3b936f0414798e465a35dd1e", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "9d23f767c44de7677f1438b85e3e456b", "key": "references"}, {"hash": "b0f99b76baeebd6fa784b5c48bc7f1ce", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=25761", "id": "IPSWITCH_IMSERVER_DETECT.NASL", "lastseen": "2017-10-29T13:41:15", "modified": "2012-07-20T00:00:00", "naslFamily": "Service detection", "objectVersion": "1.3", "pluginID": "25761", "published": "2007-07-25T00:00:00", "references": ["http://www.ipswitch.com/products/instant_messaging/index.asp"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25761);\n script_version(\"$Revision: 1.7 $\");\n script_cvs_date(\"$Date: 2012/07/20 18:51:35 $\");\n\n script_name(english:\"Ipswitch Instant Messaging Server Detection\");\n script_summary(english:\"Tries to log in to IMServer\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An instant messaging server is listening on the remote host.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote service is an Ipswitch IM Server, the server portion of\nIpswitch Instant Messaging, a secure, instant messaging product\ntargeted at businesses and running on Windows.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.ipswitch.com/products/instant_messaging/index.asp\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Limit incoming traffic to this port if desired.\" );\n script_set_attribute(attribute:\"risk_factor\", value:\"None\" );\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/07/25\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\",value:\"cpe:/a:ipswitch:imserver\");\nscript_end_attributes();\n\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Service detection\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2012 Tenable Network Security, Inc.\");\n\n script_dependencies(\"find_service1.nasl\");\n script_require_ports(\"Services/unknown\", 5177);\n\n exit(0);\n}\n\n\ninclude(\"byte_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nif (thorough_tests && ! get_kb_item(\"global_settings/disable_service_discovery\") )\n{\n port = get_unknown_svc(5177);\n if (!port) exit(0);\n}\nelse port = 5177;\nif (known_service(port:port)) exit(0);\nif (!get_tcp_port_state(port)) exit(0);\n\n\nsoc = open_sock_tcp(port);\nif (!soc) exit(0);\n\n\nset_byte_order(BYTE_ORDER_BIG_ENDIAN);\n\n\n# Simulate a login.\nreq1 = mkdword(0x07) + mkdword(0x01);\nreq2 = raw_string(\n 0x80, 0xd5, 0x20, 0x4a, 0xef, 0x0d, 0x0a, 0xc0, \n 0xd9, 0x9f, 0x1e, 0x07, 0x4e, 0x81, 0xb4, 0xcf, \n 0x87, 0xc4, 0x1a, 0x75, 0x7c, 0x94, 0x1c, 0xb8, \n 0x84, 0x3d, 0x5d, 0xb6, 0xb6, 0xa8, 0xc7, 0xb9, \n 0xdd, 0x44, 0x1d, 0xcc, 0x59, 0x25, 0x9c, 0x2e, \n 0x47, 0xf7, 0xed, 0xcd, 0x47, 0x61, 0x72, 0x45, \n 0x0c, 0xd4, 0x77, 0x01, 0x8f, 0xf9, 0x91, 0xe8, \n 0x16, 0xeb, 0x19, 0xb1, 0x35, 0x37, 0x04, 0xe1, \n 0xf5, 0xf3, 0x15, 0x89, 0xf6, 0xbb, 0x8e, 0x4f, \n 0x99, 0x5d, 0x51, 0x2c, 0x4e, 0x3a, 0x0a, 0x3f, \n 0x67, 0x8e, 0x2b, 0x10, 0x4b, 0x09, 0xf1, 0xbb, \n 0x53, 0x76, 0xdd, 0x0f, 0xf1, 0x97, 0x39, 0xc0\n);\nsend(socket:soc, data:req1+req2);\nres1 = recv(socket:soc, length:8);\n\n\n# If...\nif (\n # we got 8 characters and...\n strlen(res1) == 8 &&\n # the response equals our first packet\n res1 == req1\n)\n{\n # Receive the next packet.\n res2 = recv(socket:soc, length:128);\n subres2 = substr(res2, 0, 7);\n \n # If that looks like...\n if (\n # an unsuccessful login response or...\n subres2 == raw_string(0x88, 0x50, 0xb7, 0x26, 0xc4, 0x8f, 0x4f, 0x09) ||\n # a successful login response\n subres2 == raw_string(0xd9, 0x9f, 0x1e, 0x07, 0x4e, 0x81, 0xb4, 0xcf)\n )\n {\n # Register and report the service.\n register_service(port:port, ipproto:\"tcp\", proto:\"ipswitch_imserver\");\n security_note(port);\n }\n}\nclose(soc);\n", "title": "Ipswitch Instant Messaging Server Detection", "type": "nessus", "viewCount": 3}, "differentElements": ["description"], "edition": 2, "lastseen": "2017-10-29T13:41:15"}], "edition": 3, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "5b14a29693a9fd434513104d4501a2c7"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "80a4162c8285aa236f8ca656c42049ef"}, {"key": "href", "hash": "b0f99b76baeebd6fa784b5c48bc7f1ce"}, {"key": "modified", "hash": "9c5a8f2ef03b47facd4049259ce36b6b"}, {"key": "naslFamily", "hash": "a3d3c73c01505d0383b007174b5bb5ac"}, {"key": "pluginID", "hash": "f838653dadc0732215222a1e0fd8190f"}, {"key": "published", "hash": "00d3fa8e3b936f0414798e465a35dd1e"}, {"key": "references", "hash": "9d23f767c44de7677f1438b85e3e456b"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "86dda90489f2c7a49a953e97c9aa38c8"}, {"key": "title", "hash": "5064e58291b6fc9e55f12984b03c811d"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "e18e807aae7a501fd288934273ee1832c41720a966be8b69b28263823a1293f6", "viewCount": 3, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "vulnersScore": 5.0}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25761);\n script_version(\"$Revision: 1.7 $\");\n script_cvs_date(\"$Date: 2012/07/20 18:51:35 $\");\n\n script_name(english:\"Ipswitch Instant Messaging Server Detection\");\n script_summary(english:\"Tries to log in to IMServer\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An instant messaging server is listening on the remote host.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote service is an Ipswitch IM Server, the server portion of\nIpswitch Instant Messaging, a secure, instant messaging product\ntargeted at businesses and running on Windows.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.ipswitch.com/products/instant_messaging/index.asp\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Limit incoming traffic to this port if desired.\" );\n script_set_attribute(attribute:\"risk_factor\", value:\"None\" );\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/07/25\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\",value:\"cpe:/a:ipswitch:imserver\");\nscript_end_attributes();\n\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Service detection\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2012 Tenable Network Security, Inc.\");\n\n script_dependencies(\"find_service1.nasl\");\n script_require_ports(\"Services/unknown\", 5177);\n\n exit(0);\n}\n\n\ninclude(\"byte_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nif (thorough_tests && ! get_kb_item(\"global_settings/disable_service_discovery\") )\n{\n port = get_unknown_svc(5177);\n if (!port) exit(0);\n}\nelse port = 5177;\nif (known_service(port:port)) exit(0);\nif (!get_tcp_port_state(port)) exit(0);\n\n\nsoc = open_sock_tcp(port);\nif (!soc) exit(0);\n\n\nset_byte_order(BYTE_ORDER_BIG_ENDIAN);\n\n\n# Simulate a login.\nreq1 = mkdword(0x07) + mkdword(0x01);\nreq2 = raw_string(\n 0x80, 0xd5, 0x20, 0x4a, 0xef, 0x0d, 0x0a, 0xc0, \n 0xd9, 0x9f, 0x1e, 0x07, 0x4e, 0x81, 0xb4, 0xcf, \n 0x87, 0xc4, 0x1a, 0x75, 0x7c, 0x94, 0x1c, 0xb8, \n 0x84, 0x3d, 0x5d, 0xb6, 0xb6, 0xa8, 0xc7, 0xb9, \n 0xdd, 0x44, 0x1d, 0xcc, 0x59, 0x25, 0x9c, 0x2e, \n 0x47, 0xf7, 0xed, 0xcd, 0x47, 0x61, 0x72, 0x45, \n 0x0c, 0xd4, 0x77, 0x01, 0x8f, 0xf9, 0x91, 0xe8, \n 0x16, 0xeb, 0x19, 0xb1, 0x35, 0x37, 0x04, 0xe1, \n 0xf5, 0xf3, 0x15, 0x89, 0xf6, 0xbb, 0x8e, 0x4f, \n 0x99, 0x5d, 0x51, 0x2c, 0x4e, 0x3a, 0x0a, 0x3f, \n 0x67, 0x8e, 0x2b, 0x10, 0x4b, 0x09, 0xf1, 0xbb, \n 0x53, 0x76, 0xdd, 0x0f, 0xf1, 0x97, 0x39, 0xc0\n);\nsend(socket:soc, data:req1+req2);\nres1 = recv(socket:soc, length:8);\n\n\n# If...\nif (\n # we got 8 characters and...\n strlen(res1) == 8 &&\n # the response equals our first packet\n res1 == req1\n)\n{\n # Receive the next packet.\n res2 = recv(socket:soc, length:128);\n subres2 = substr(res2, 0, 7);\n \n # If that looks like...\n if (\n # an unsuccessful login response or...\n subres2 == raw_string(0x88, 0x50, 0xb7, 0x26, 0xc4, 0x8f, 0x4f, 0x09) ||\n # a successful login response\n subres2 == raw_string(0xd9, 0x9f, 0x1e, 0x07, 0x4e, 0x81, 0xb4, 0xcf)\n )\n {\n # Register and report the service.\n register_service(port:port, ipproto:\"tcp\", proto:\"ipswitch_imserver\");\n security_note(port);\n }\n}\nclose(soc);\n", "naslFamily": "Service detection", "pluginID": "25761", "cpe": ["cpe:/a:ipswitch:imserver"]}
{"nessus": [{"lastseen": "2019-01-16T20:05:17", "references": [], "pluginID": "11154", "description": "Nessus was unable to identify a service on the remote host even though\nit returned a banner of some type.", "edition": 3, "reporter": "Tenable", "published": "2002-11-18T00:00:00", "title": "Unknown Service Detection: Banner Retrieval", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Service detection", "bulletinFamily": "scanner", "cvelist": [], "modified": "2018-07-24T00:00:00", "cpe": [], "id": "UNKNOWN_SERVICES.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=11154", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11154);\n script_version(\"1.68\");\n script_cvs_date(\"Date: 2018/07/24 17:29:25\");\n\n script_name(english:\"Unknown Service Detection: Banner Retrieval\");\n script_summary(english:\"Displays the unknown services banners.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"There is an unknown service running on the remote host.\");\n script_set_attribute(attribute:\"description\", value:\n\"Nessus was unable to identify a service on the remote host even though\nit returned a banner of some type.\");\n script_set_attribute(attribute:\"solution\", value:\"n/a\");\n script_set_attribute(attribute:\"risk_factor\", value:\"None\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2002/11/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_END);\n script_copyright(english:\"This script is Copyright (C) 2002-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Service detection\");\n script_dependencies(\n \"apcnisd_detect.nasl\",\n \"asip-status.nasl\",\n \"auth_enabled.nasl\",\n \"aximilter_detect.nasl\",\n \"bugbear.nasl\",\n \"cacam_detect.nasl\",\n \"cifs445.nasl\",\n \"cp-firewall-auth.nasl\",\n \"dcetest.nasl\",\n \"dns_server.nasl\",\n \"dotnet_remoting_services_detect.nasl\",\n \"echo.nasl\",\n \"find_service1.nasl\",\n \"find_service2.nasl\",\n \"flexnet_publisher_detection.nbin\",\n \"hp_openview_ovalarmsrv.nasl\",\n \"hp_openview_ovtopmd.nasl\",\n \"hp_openview_ovuispmd.nasl\",\n \"hp_data_protector_installed.nasl\",\n \"ipswitch_imclient_detect.nasl\",\n \"ipswitch_imserver_detect.nasl\",\n \"landesk_remote_control_detect.nbin\",\n \"lisa_detect.nasl\",\n \"memcached_detect.nasl\",\n \"mldonkey_telnet.nasl\",\n \"mssqlserver_detect.nasl\",\n \"mysql_version.nasl\",\n \"nagios_statd_detect.nasl\",\n \"nessus_detect.nasl\",\n \"PC_anywhere_tcp.nasl\",\n \"perforce_server_detect.nasl\",\n \"postfix_policyd_detect.nbin\",\n \"qmtp_detect.nasl\",\n \"quote.nasl\",\n \"radmin_detect.nasl\",\n \"res_wm_agent_detection.nasl\",\n \"res_wm_relay_detection.nasl\",\n \"rpc_portmap.nasl\",\n \"rpcinfo.nasl\",\n \"rsh.nasl\",\n \"rtsp_detect.nasl\",\n \"sap_router_detect.nbin\",\n \"SHN_discard.nasl\",\n \"squeezecenter_cli_detect.nasl\",\n \"telnet.nasl\",\n \"tinc_vpn_detect.nbin\",\n \"veritas_agent_detect.nasl\",\n \"veritas_netbackup_detect.nasl\",\n \"veritas_netbackup_vmd_detect.nasl\",\n \"weblogic_nodemanager_detect.nasl\",\n \"X.nasl\",\n \"xmpp_server_detect.nasl\",\n \"xtel_detect.nasl\",\n \"xtelw_detect.nasl\",\n \"zebedee_detect.nasl\",\n \"zenworks_rma_detect.nasl\"\n );\n script_require_ports(\"Services/unknown\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"dump.inc\");\n\nif ( get_kb_item(\"global_settings/disable_service_discovery\") ) exit(0);\n\nport = get_unknown_svc();\nif (!port) audit(AUDIT_SVC_KNOWN);\n\nif (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);\nif (port == 139) exit(0, \"Port 139 is ignored.\");\t# Avoid silly messages\nif (!service_is_unknown(port: port)) exit(0, \"The service listening on port \"+port+\" is already known.\");\n\na = get_unknown_banner2(port: port, dontfetch: 1);\nif (isnull(a)) exit(0, \"Did not receive a banner from the service listening on port \"+port+\".\");\nbanner = a[0]; type = a[1];\nif (isnull(banner)) exit(0, \"There is no banner from the service listening on port \"+port+\".\");\n\nh = hexdump(ddata: banner);\nif( strlen(banner) >= 3 )\n{\n # See if the service is maybe SSL-wrapped.\n test_ssl = get_preference(\"Service Detection[radio]:Test SSL based services\");\n encaps = get_port_transport(port);\n\n if (\n (strlen(test_ssl) && \"All\" >!< test_ssl) &&\n encaps == ENCAPS_IP &&\n (\n # nb: TLSv1 alert of some type.\n stridx(banner, '\\x15\\x03\\x01\\x00\\x02') == 0 ||\n # nb: TLSv1 handshake.\n stridx(banner, '\\x16\\x03\\x01') == 0 ||\n # nb: SSLv3 alert of some type.\n stridx(banner, '\\x15\\x03\\x00\\x00\\x02') == 0 ||\n # nb: SSLv3 handshake.\n stridx(banner, '\\x16\\x03\\x00') == 0 ||\n # nb: SSLv2 alert of some type.\n stridx(banner, '\\x80\\x03\\x00\\x00\\x01') == 0\n )\n )\n {\n info = '\\n' + \"The service on this port appears to be encrypted with SSL. If you\" +\n '\\n' + \"would like Nessus to try harder to detect it, change the 'Test SSL\" +\n '\\n' + \"based services' preference to 'All' and re-run the scan.\" +\n '\\n';\n }\n else\n {\n h = str_replace(find:'\\n', replace:'\\n ', string:h);\n info = '\\n' + 'If you know what this service is and think the banner could be used to' +\n '\\n' + 'identify it, please send a description of the service along with the' +\n '\\n' + 'following output to svc-signatures@nessus.org :' +\n '\\n' +\n '\\n' + ' Port : ' + port +\n '\\n' + ' Type : ' + type +\n '\\n' + ' Banner : ' +\n '\\n' + h +\n '\\n';\n }\n\n # only one process should be detected per port, but just to be on the safe side\n # this will do a get_kb_list() to ensure the plugin won't fork\n exes = get_kb_list('Host/Listeners/tcp/' + port); # Linux / AIX\n if (isnull(exes))\n exes = get_kb_list('Host/Windows/ListenProcess/tcp/' + port); # Windows\n\n if (!isnull(exes))\n {\n info +=\n '\\nNessus detected the following process listening on this port :\\n\\n' +\n join(make_list(exes), sep:'\\n') +\n '\\n';\n }\n\n security_note(port:port, extra:info);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}]}
