pull/4/head
InfoSec 2018-04-24 23:11:04 +08:00
parent 6db2ffd703
commit 94364e2e09
16 changed files with 402191 additions and 0 deletions


@ -0,0 +1,345 @@
SAP Services detection via nmap probes
--------------------------------------
- [SAP Services detection via nmap probes](#sap-services-detection-via-nmap-probes)
- [How nmap can help us](#how-nmap-can-help-us)
- [SAP existing support in nmap](#sap-existing-support-in-nmap)
* [Version and service detection](#version-and-service-detection)
- [How to generate and test probes](#how-to-generate-and-test-probes)
- [How to handle scan port range](#how-to-handle-scan-port-range)
* [Port generation tool](#port-generation-tool)
* [What about port customization by the admin?](#what-about-port-customization-by-the-admin)
- [How a scan looks like with custom SAP probes](#how-a-scan-looks-like-with-custom-sap-probes)
- [Issues encountered: SSL](#issues-encountered-ssl)
- [What can be improved](#what-can-be-improved)
- [What to do next with that information?](#what-to-do-next-with-that-information)
- [Conclusion](#conclusion)
- [Authors](#authors)
This article aims at showing how to improve the capability of the nmap
network scanner to detect SAP services. This is by no mean a complete
and 100% exact way of doing service detection as a lot of corner cases
exist that are not covered in this text. If you want a more
comprehensive way to do SAP services detection and even much more, the
[ERPScan Monitoring Suite](https://erpscan.com/products/erpscan-security-monitoring-suite-for-sap/)
is a good starting point with its port scanner feature.
## How nmap can help us
Our goal is to detect every network service exposed by SAP servers.
Those servers are complex beasts with numerous components exposed to
the network by default and each of these components potentially has
vulnerabilities. So we want to send specific network probes to detect
the presence of these services and then better assess if a service is
vulnerable or not.
Nmap is an open source network port scanner that can do many things
and especially service detection via fingerprints. We will explain how
one could implement a SAP-aware port scanner with this tool.
## SAP existing support in nmap
First, if you look closely at the official nmap release you will
notice that there are some traces of SAP support. It is actually very
sparse and can be confirmed by scanning a real SAP server:
```
Nmap scan report for 172.16.30.29
Host is up (0.00018s latency).
Not shown: 65508 closed ports
PORT STATE SERVICE VERSION
1128/tcp open soap gSOAP 2.7
3201/tcp open cpq-tasksmart?
3299/tcp open saprouter?
3301/tcp open unknown
3901/tcp open nimsh?
4901/tcp open sybase-adaptive Sybase Adaptive Server
4902/tcp open sybase-backup Sybase Backup Server
4903/tcp open unknown
8101/tcp open http SAP Message Server httpd release 745
30101/tcp open unknown
30102/tcp open unknown
30103/tcp open unknown
30104/tcp open unknown
30107/tcp open unknown
30108/tcp open unknown
30111/tcp open http BaseHTTPServer 0.3 (Python 2.7.10)
30116/tcp open unknown
40000/tcp open safetynetp?
40001/tcp open unknown
40002/tcp open unknown
40080/tcp open http SAP Internet Graphics Server httpd
46287/tcp open status 1 (RPC #100024)
50000/tcp open http SAP WebDispatcher
50001/tcp open ssl/http SAP WebDispatcher
50004/tcp open unknown
50007/tcp open unknown
50013/tcp open soap gSOAP 2.7
50014/tcp open ssl/soap gSOAP 2.7
50020/tcp open unknown
50113/tcp open soap gSOAP 2.7
50114/tcp open ssl/soap gSOAP 2.7
```
The columns SERVICE and VERSION shows us plenty of unknown or
improperly named fields. This situation can be improved if we analyze
each unknown port/protocol.
If you dig a bit more you'll find that Core Security researcher Martin
Gallo wrote much more improved support for SAP proprietary protocol
(available at
[corelabs-nmap-service-probes.txt](https://www.coresecurity.com/system/files/publications/2016/05/corelabs-nmap-service-probes.txt))
that does smarter stuff like extracting technical server information
from answers. That is a very good starting point and as we included
some of these probes we enlarged the support a bit more.
### Version and service detection
Nmap key file for service detection is `nmap-service-probes` (stored
in `/usr/share/nmap/` for Linux installation).
The format is quite self-explanatory for its main features. Let us
consider one of the simplest example:
```
Probe TCP NULL q||
match sajpoin m|SAP_Cluster_Manager| p/SAP Java Cluster Join Service/
```
The `Probe` line describes the TCP payload that we send to the server.
In this case, we connect to the TCP port without sending any TCP
payload after the 3-way handshake.
The next line beginning with `match` describes what we want to check
from the server's answer. A match is final, the parser won't check
another match for the given probe (as long as we don't use
`softmatch`). In this example, we look for the ASCII string
`SAP_Clutser_Manager` via a regular expression. If the expression is
matched, then nmap tags the matching port with the product name "SAP
Java Cluster Join Service".
That probe can be used many times for all those protocols that are
based on the first message sent by the server to the client (SSH, FTP,
mail protocols, for example). We just add other `match` lines after
the `Probe`.
Full documentation of this file format can be found at
[https://nmap.org/book/vscan-fileformat.html](https://nmap.org/book/vscan-fileformat.html)
## How to generate and test probes
So now, we need a way to know which packets need to be sent and what
specific piece of information inside an answer can allow us to
identify with a good assurance what protocol is being used and from
that determine what is the service using this protocol. In order to
illustrate the difference about service and protocol, you can look at
the HTTP protocol and all the different services that will make use of
it.
SAP services implement many different binary protocols that does not
ease our task.
Let's have a look at a simple probe for a service using a binary
protocol: SAP Router.
```
Probe TCP SAProuter q|\x00\x00\x00\x00|
ports 3299
match saprouter m|SAProuter ([\d.]+) on '(\w+)'| p/SAProuter/ v/$1/ h/$2/
match saprouter m|SAProuter| p/SAProuter/
```
Per official documentation SAP router service should be listening to
the port tcp/3299.
When sending the binary request `\x00\x00\x00\x00` to a SAP Router we
can get several answers depending on the router version/configuration.
Sometime the SAP Router can leak information like version + hostname,
so we try to match this specific answer first and then we try to match
the more generic answer without the information disclosure.
The additional information we gather in the first `match` can be
propagated and printed nicely by nmap using the version field and the
hostname. That is what we accomplish with help of regular expression
groups (using parenthesis inside the expression) and by referencing
them via their position in the `v//` and `h//` statement ('v' standing
for version, and 'h' for hostname).
## How to handle scan port range
Usually with nmap, if we do not specify -p option it will scan the
1000 most used port (from Internet statistics). Unfortunately, many
SAP ports will be missed by doing so. Therefore, we need to scan all
65535 ports at a big scan time cost or we look a bit closer at how to
generate these SAP ports. For efficiency, we decide to choose the
second option.
If we look at SAP documentation, we see their rules to define
potential ports for each services. So by using these rules, we can
expand the full list of potential SAP ports.
SAP services have the notion of instance number, this is a number that
can vary from 00 to 99 and the port of the service will depend on it.
SAP official documentation on all SAP TCP ports used by their services
can be accessed at
[https://cp.hana.ondemand.com/dps/d/preview/47673f06bd494db680ff6150c0b08108/2.0/en-US/frameset.htm](https://cp.hana.ondemand.com/dps/d/preview/47673f06bd494db680ff6150c0b08108/2.0/en-US/frameset.htm)
For example the web ports for ICM HTTP service are noted 80NN, with NN
being this instance number. It means they can cover the range
8000-8099.
If we look at another example the SAP TREX nameserver service will
listen on ports 3NN01. So our potential port range will be from 30001,
30101, 30201,...,39901.
You can find port collision with two (and more) different
services/protocols using theoretically the same port. Some examples:
32NN used on the Netweaver Java platform by the Enqueue service and on
the Netweaver ABAP platform by the Dispatcher service. Another one is
the previous example with port 3NN01 being used by SAP TREX nameserver
and SAP HANA TREXNet internal nameserver port.
Nmap handle all of that nicely with its service detection algorithm
given a proper `nmap-service-probe` file: we can have the same port
used in a `Probe` rule, and several `match` on a single port.
### Port generation tool
The following python tool [sap_ports.py](sap_ports.py) takes care of
port generation and prints out a comma-separated list of ports that
can be used as the nmap `-p` parameter as following:
```
$ nmap -p $(sap_ports.py) $TARGETS
```
The main idea of `sap_ports.py` is to use a statically defined
dictionary with information gathered from SAP on-line documentation to
generate the list of ports with possibility to generate a subset of
the ports depending on several criteria.
### What about port customization by the admin?
During our security audit we saw rarely cases of port
customization. One example case lead to wrong assumption on the
instance number of a service by analyzing the port number. For
instance: using 3617 for the message server service on the instance
number 32... In this case it is necessary to inspect the protocol and
use information disclosures to be able to disambiguate this situation.
There is no generic answer to this problem if we do not want to scan
the 64k TCP ports. We accept in this article the low risk that some
port customization could be out of our static port range from our
experience of seeing it very rarely.
## How a scan looks like with custom SAP probes
```
Nmap scan report for 172.16.30.29
Host is up (0.00018s latency).
Not shown: 6563 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.2 (protocol 2.0)
111/tcp open rpcbind 2-4 (RPC #100000)
1128/tcp open sapstartservice SAP Management Console (SID SAP, NR 99)
3201/tcp open sapjavaenq SAP Enqueue Server
3299/tcp open saprouter SAProuter 40.4
3301/tcp open sapgateway SAP Gateway
3901/tcp open sapms SAP Message Server
4901/tcp open sapase SAP ASE Database
4902/tcp open sybase-backup Sybase Backup Server
4903/tcp open unknown
8101/tcp open sapmshttp SAP Message Server httpd release 745 (SID J45)
30201/tcp open saptrex SAP TREX Name server
30202/tcp open saptrex SAP TREX Preprocessor
30203/tcp open saptrex SAP TREX Index server
30204/tcp open saptrex SAP TREX Queue server
30207/tcp open saptrex SAP TREX RFC server
30208/tcp open saptrex SAP TREX Cruise server
30211/tcp open saptrex SAP TREX AlertServer (BaseHTTP/0.3 Python/2.7.10)
30216/tcp open saptrex SAP TREX Index server
40080/tcp open sapigs SAP Internet Graphics Server
50000/tcp open sapjavaweb SAP NetWeaver Application Server (Kernel version 7.45, Java version 7.50)
50001/tcp open ssl/sapjavaweb SAP NetWeaver Application Server (Kernel version 7.45, Java version 7.50)
50004/tcp open sapjavap4 SAP JAVA P4 (Potential internal IP 172.16.30.29)
50007/tcp open sapp4iiop (Internel IP 172.16.30.29)
50013/tcp open sapstartservice SAP Management Console (SID J45, NR 00)
50014/tcp open ssl/sapstartservice SAP Management Console (SID J45, NR 00)
50020/tcp open sapjoin SAP Java Cluster Join Service
50113/tcp open sapstartservice SAP Management Console (SID J45, NR 01)
50114/tcp open ssl/sapstartservice SAP Management Console (SID J45, NR 01)
50213/tcp open sapstartservice SAP Management Console (SID TRX, NR 02)
Service Info: Host: java745;
```
## Issues encountered: SSL
In theory there is the keyword `sslports` in the service-probe file
that may indicate on which port a specific probe should be checked
upon the SSL layer. In practice these specified ports were not
properly validated as SSL ones without ripping the whole probes
related to SSL in the original nmap-service-probe file (begins in our
custom probe file at the `Probe TCP SSLSessionReq`).
## What can be improved
Code exploits / port information disclosure in NSE Lua scripts tagged
by categories:
- version, discovery, exploit, auth, dos
- safe, intrusive
## What to do next with that information?
If you are a pentester, you probably have a bag full of exploits for
specific SAP services, so you want to automatically link open ports to
exploits attempts. That can be easily done by storing the nmap scan into
an XML file (-oX option) and then writing a parser that will generate
exploit command-line to be executed on the specific open ports.
On the other hand, if you are a security analyst or doing operational
security you probably want to store those results and be able
afterwards to search them to detect change in the landscape or be able
to pinpoint vulnerable services by their version. For this mean, we
use the [IVRE framework](https://ivre.rocks/) that can import our XML
nmap scans and provides a nice web interface to query scan results and
allows doing basic statistics/reporting tasks.
The attached screenshots shows a scan in IVRE with filtering OFFICE
(internal lab) scan source and looking for P4 service (present on Java
NetWeaver application servers) detected on the network. The right
column shows the top ports histogram computed from those specific scan
results.
![](ivre_nmap.png)
## Conclusion
We hope that this will help you better understand what is hidden
behind those cryptic SAP servers and show you that only with network
level probes we can go deep in this knowledge of what is behind an SAP
server.
This blog post is a way to remind that SAP servers have a huge
exposition surface and that enforcing a strict networking policy
including them is part of a good security hygiene.
This article and the associated Nmap files are available at
[github.com](https://github.com/gelim/nmap-erpscan). A web-only
version is available at
https://erpscan.com/press-center/blog/sap-services-detection-via-nmap-probes/
## Authors
Name | Mail | Involvement
------|-------|------------
Mathieu Geli | <m.geli@erpscan.com> | Main author/maintainer of those files
Michael Medvedev | <m.medvedev@erpscan.com> | Second author
Martin Gallo | <mgallo@coresecurity.com> | Initial support on Diag/RFC/MS/Enqueue protocols
Joris van de Vis | <jvdvis@erp-sec.com> | Improvements over RFC probes
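Review bot: the worked example under "Version and service detection" does not agree with the probe file it illustrates: the excerpt names the service `sajpoin` while the shipped file has `match sapjoin m|SAP_Cluster_Manager| ...`, and the sentence explaining it spells the matched string `SAP_Clutser_Manager` although the regex is `SAP_Cluster_Manager`; a reader cross-checking the article against the file will stumble on both. Suggest pasting the excerpt verbatim from the real file. Likewise the one-liner under "Port generation tool" (`nmap -p $(sap_ports.py) $TARGETS`) omits `-sV --datadir .`, so as written it runs with nmap's stock probes and never uses these; the full form from the usage file belongs here. Minor: "What can be improved" is a bare fragment (two bullets of NSE category names) and should either be written out as sentences or be marked as a TODO.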


@ -0,0 +1,8 @@
How to use nmap-service-probes custom file
------------------------------------------
```
$ git clone https://github.com/gelim/nmap-erpscan
$ cd nmap-erpscan
$ nmap -n --open --datadir . -sV -p $(./sap_ports.py) $TARGET
```
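Review bot: the one-liner should say what `--datadir .` does here, namely that nmap loads this repository's `nmap-service-probes` in place of its stock file, so for that run non-SAP services get only the matches this file carries (its own header comment marks the SSH support as "quick and not complete"). One sentence stating that, and that `./sap_ports.py` must be executable (or be invoked as `python sap_ports.py`) for the command substitution to produce the `-p` list, would save users a confusing first scan. It is also worth stating that this `-sV --datadir .` form is the one to use, since the README's shorter `nmap -p $(sap_ports.py) $TARGETS` would use the stock probes.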

Binary file not shown.



@ -0,0 +1,605 @@
# Authors: Mathieu Geli <m.geli@erpscan.com>
# Michael Medvedev <m.medvedev@erpscan.com>
# Martin Gallo <mgallo@coresecurity.com>
# Joris van de Vis <jvdvis@erp-sec.com>
Probe TCP NULL q||
totalwaitms 6000
tcpwrappedms 3000
match sapjoin m|SAP_Cluster_Manager| p/SAP Java Cluster Join Service/
match jdwp m|^JDWP-Handshake$| p/Java Debug Wire Protocol/
# quick and not complete SSH support (see nmap original probe for that)
match ssh m/^SSH-([\d.]+)-OpenSSH[_-]([\S ]+)/i p/OpenSSH/ v/$2/ i/protocol $1/
match ssh m/^(SSH-.*)/ p/SSH/ i/$1/
##############################NEXT PROBE##############################
Probe TCP SAPSOAP q|GET / HTTP/1.0\r\n\r\n|
ports 1128,50013,50113,50213,50313,50413,50513,50613,50713,50813,50913,51013,51113,51213,51313,51413,51513,51613,51713,51813,51913,52013,52113,52213,52313,52413,52513,52613,52713,52813,52913,53013,53113,53213,53313,53413,53513,53613,53713,53813,53913,54013,54113,54213,54313,54413,54513,54613,54713,54813,54913,55013,55113,55213,55313,55413,55513,55613,55713,55813,55913,56013,56113,56213,56313,56413,56513,56613,56713,56813,56913,57013,57113,57213,57313,57413,57513,57613,57713,57813,57913,58013,58113,58213,58313,58413,58513,58613,58713,58813,58913,59013,59113,59213,59313,59413,59513,59613,59713,59813,59913
sslports 1129,50014,50114,50214,50314,50414,50514,50614,50714,50814,50914,51014,51114,51214,51314,51414,51514,51614,51714,51814,51914,52014,52114,52214,52314,52414,52514,52614,52714,52814,52914,53014,53114,53214,53314,53414,53514,53614,53714,53814,53914,54014,54114,54214,54314,54414,54514,54614,54714,54814,54914,55014,55114,55214,55314,55414,55514,55614,55714,55814,55914,56014,56114,56214,56314,56414,56514,56614,56714,56814,56914,57014,57114,57214,57314,57414,57514,57614,57714,57814,57914,58014,58114,58214,58314,58414,58514,58614,58714,58814,58914,59014,59114,59214,59314,59414,59514,59614,59714,59814
rarity 9
match sapstartservice m|SID=(\w+)&NR=(\d+)&HOST=(\S+)\r\nServer: gSOAP| p/SAP Management Console/ i/SID $1, NR $2/ h/$3/
match sapstartservice m|Location: /sapmc/sapmc\.html\r\nServer: gSOAP| p/SAP Management Console/
match saphostcontrol m|HOST=(\S+)\r\nServer: gSOAP| p/SAPHostControl/ h/$1/
##############################NEXT PROBE##############################
Probe TCP SAPGW q|\x00\x00\x00@\x02\t\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00|
ports 3300-3399,4800-4899
rarity 9
match sapgateway m|\x00\x00\x00\x00| p/SAP Gateway/ i/Monitoring mode disabled/
##############################NEXT PROBE##############################
Probe TCP SAPGW q|\x00\x00\x00@\x02\x03\xac\x10\x00w\x00\x00\x00\x00startrfc\x00\x001100\x00\x00\x00\x00\x00\x00default_startrfc \x06\xcb\xff\xff\x00\x00\x00\x00\x00\x00|
ports 3300-3399,4800-4899
rarity 9
match sapgateway m|\x00\x00\x00\x40\x02\x03\xac\x10\x00\x77\x00\x00\x00\x00\x73\x74| p/SAP Gateway/
##############################NEXT PROBE##############################
# https://www.coresecurity.com/system/files/publications/2016/05/corelabs-nmap-service-probes.txt
#
#Probe TCP SAPMSDumpRelease q|\x00\x00\x00\xa2**MESSAGE**\x00\x04\x00MSG_SERVER\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x01-\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x00\x01\x03\x02\x00\x00\x00\x00\x00\x00\x08-\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00|
ports 3600-3699,3900-3999
#match sapms m|^....\*\*MESSAGE\*\*.*Release no = (\d+).*System name = (\w+).*patch number = (\d+)|s p/SAP Message Server/ i/SID $2 (release $1, patch level $3)/
#match sapms m|^\x00\x00..\*\*MESSAGE\*\*|s p/SAP Message Server/
Probe TCP MessageServer q|\x00\x00\x00\x72**MESSAGE**\x00\x04\x00MSG_SERVER\x00\x00msxxi.c\x00%s: MsSndName failed\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x01\x2D\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x00\x00\x05\x00\x68\x03|
ports 3600-3699,3900-3999
rarity 9
match sapms m|MESSAGE.*\W+(\w+)_(\w+)_(\w+)\s{16}| p/SAP Message Server/ h/$1/ i/SID $2, ID $3/
match sapms m|MESSAGE| p/SAP Message Server/
##############################NEXT PROBE##############################
# FIXME: in some case (noip) we will fall into the tcpwrapped case
Probe TCP SAPP4 q|v1\x18#p#4None:127.0.0.1:33170|
ports 50004,50104,50204,50304,50404,50504,50604,50704,50804,50904,51004,51104,51204,51304,51404,51504,51604,51704,51804,51904,52004,52104,52204,52304,52404,52504,52604,52704,52804,52904,53004,53104,53204,53304,53404,53504,53604,53704,53804,53904,54004,54104,54204,54304,54404,54504,54604,54704,54804,54904,55004,55104,55204,55304,55404,55504,55604,55704,55804,55904,56004,56104,56204,56304,56404,56504,56604,56704,56804,56904,57004,57104,57204,57304,57404,57504,57604,57704,57804,57904,58004,58104,58204,58304,58404,58504,58604,58704,58804,58904,59004,59104,59204,59304,59404,59504,59604,59704,59804,59904
rarity 9
match sapjavap4 m|v1.*:(\d+\.\d+\.\d+\.\d+)| p/SAP JAVA P4/ i/Potential internal IP $1/
match sapjavap4 m|v1| p/SAP JAVA P4/
##############################NEXT PROBE##############################
Probe TCP WEB q|GET / HTTP/1.0\r\n\r\n|
ports 8000-8099,8080,8100-8199,50000,50100,50200,50300,50400,50500,50600,50700,50800,50900,51000,51100,51200,51300,51400,51500,51600,51700,51800,51900,52000,52100,52200,52300,52400,52500,52600,52700,52800,52900,53000,53100,53200,53300,53400,53500,53600,53700,53800,53900,54000,54100,54200,54300,54400,54500,54600,54700,54800,54900,55000,55100,55200,55300,55400,55500,55600,55700,55800,55900,56000,56100,56200,56300,56400,56500,56600,56700,56800,56900,57000,57100,57200,57300,57400,57500,57600,57700,57800,57900,58000,58100,58200,58300,58400,58500,58600,58700,58800,58900,59000,59100,59200,59300,59400,59500,59600,59700,59800,59900
sslports 50001,50101,50201,50301,50401,50501,50601,50701,50801,50901,51001,51101,51201,51301,51401,51501,51601,51701,51801,51901,52001,52101,52201,52301,52401,52501,52601,52701,52801,52901,53001,53101,53201,53301,53401,53501,53601,53701,53801,53901,54001,54101,54201,54301,54401,54501,54601,54701,54801,54901,55001,55101,55201,55301,55401,55501,55601,55701,55801,55901,56001,56101,56201,56301,56401,56501,56601,56701,56801,56901,57001,57101,57201,57301,57401,57501,57601,57701,57801,57901,58001,58101,58201,58301,58401,58501,58601,58701,58801,58901,59001,59101,59201,59301,59401,59501,59601,59701,59801,59901,44300-44399,44400-44499,30030
rarity 9
match sapmshttp m|server: SAP Message Server, release (\d+) \((\w+)\)| p/SAP Message Server httpd/ v/release $1/ i/SID $2/
match sapjavaweb m|SAP J2EE Engine/([\d.]+)| p/SAP JAVA EE Dispatcher HTTP/ v/$1/
match sapjavaweb m|SAP J2EE Engine| p/SAP JAVA EE Dispatcher HTTP/
match sapwebapp m|sap-system: (\w+).*SAP Web Application Server \(.*?\)| p/SAP Web Application Server/ v/$1/
match sapjavaweb m|SAP NetWeaver Application Server ([\d.]+) / AS Java ([\d.]+)| p/SAP NetWeaver Application Server/ i/Kernel version $1, Java version $2/
match sapicm m|SAP NetWeaver Application Server ([\d.]+) / ICM ([\d.]+)| p/SAP Internet Communication Manager/ v/$2/
match sapnetweaver m|SAP NetWeaver Application Server \(([\d.]+);([\d.]+)\)| p/SAP Internet Communication Manager/ v/$2/
match sapicm m|SAP Internet Communication Framework| p/SAP Internet Communication Manager/
match sapicm m|<H2><b>403 Access denied</b></H2><br>You do not have the permissions to access this resource<br>| p/SAP Internet Communication Manager/
match sapwebas m|SAP Web Application Server| p/SAP Web Application Server/
match saphttpmsgserv m|msg_server \((\w+)\)| p/SAP HTTP Message Server/ i/SID $1/
match sapwebmobile m|SAP Mobile Platform| p/SAP Mobile Platform/
match sapsmtp m|(\S+) SAP (\S+) E?SMTP service ready| p/SAP SMTP Server/ h/$1/ v/$2/
match sapxscontroller m|SAP SE| p/SAP XSA Controller/
##############################NEXT PROBE##############################
Probe TCP HANAXS q|GET / HTTP/1.0\r\n\r\n|
ports 8000-8099
sslports 4300-4399
rarity 9
match saphanaxs m|XSEngine| p/SAP HANA XS Engine/
##############################NEXT PROBE##############################
Probe TCP HANAXSA q|GET / HTTP/1.0\r\n\r\n|
ports 50000-50005
rarity 9
match hanatomcat m|WWW-Authenticate: Basic realm="([\w ]+)| p/SAP HANA XSA/ i/basic "$1"/
match hanatomcat m|WWW-Authenticate: Bearer realm="([\w ]+)| p/SAP HANA XSA/ i/bearer $1/
match hanasinopia m|X-Powered-By: ([\w+ ]+)| p/SAP HANA XSA $1/
##############################NEXT PROBE##############################
Probe TCP HANAXSC q|GET /v2/info HTTP/1.0\r\nHost: 127.0.0.1:30030\r\n\r\n|
sslports 30030
rarity 9
match xscontroller2 m|build":"(.*?)".*"controllerEndpoint":"https://(.*?):30030.*"databaseType":"(.*?)","databaseInfo":"(.*?)".*"apps":(\d+),"services":(\d+)| i/HDB_VERSION:$4, HDB_TYPE: $3/ v/$1/ h/$2/ p/XSA APPS:$5 SERVICES:$6/
match xscontroller1 m|build":"(.*?)".*"controllerEndpoint":"https://(.*?):30030.*"databaseType":"(.*?)","limits".*"apps":(\d+),"services":(\d+)| i/HDB_TYPE: $3/ v/$1/ h/$2/ p/XSA APPS:$4 SERVICES:$5/
##############################NEXT PROBE##############################
Probe TCP SAPHTTPP4 q|GET / HTTP/1.0\r\nHost: 1.1.1.1:1\r\nHttpTunneling: 1\r\nIdentificator: .E\r\nLocal-IP: \r\nLocal-port: 1\r\nContent-Length: 8\r\n\r\n\r\n\r\n\r\n\r\n|
ports 50005,50105,50205,50305,50405,50505,50605,50705,50805,50905,51005,51105,51205,51305,51405,51505,51605,51705,51805,51905,52005,52105,52205,52305,52405,52505,52605,52705,52805,52905,53005,53105,53205,53305,53405,53505,53605,53705,53805,53905,54005,54105,54205,54305,54405,54505,54605,54705,54805,54905,55005,55105,55205,55305,55405,55505,55605,55705,55805,55905,56005,56105,56205,56305,56405,56505,56605,56705,56805,56905,57005,57105,57205,57305,57405,57505,57605,57705,57805,57905,58005,58105,58205,58305,58405,58505,58605,58705,58805,58905,59005,59105,59205,59305,59405,59505,59605,59705,59805,59905
rarity 9
match sapjavahttpp4 m|HTTP/1.0 200 OK\r\nServer: SAP J2EE Engine| p/SAP JAVA P4 over HTTP tunneling/
match sapjavahttpp4 m|\x15\x03\x00\x00\x02\x02\x28| p/SAP JAVA P4 over SSL/
##############################NEXT PROBE##############################
Probe TCP SAPjava q|\r\n|
ports 50008,50108,50208,50308,50408,50508,50608,50708,50808,50908,51008,51108,51208,51308,51408,51508,51608,51708,51808,51908,52008,52108,52208,52308,52408,52508,52608,52708,52808,52908,53008,53108,53208,53308,53408,53508,53608,53708,53808,53908,54008,54108,54208,54308,54408,54508,54608,54708,54808,54908,55008,55108,55208,55308,55408,55508,55608,55708,55808,55908,56008,56108,56208,56308,56408,56508,56608,56708,56808,56908,57008,57108,57208,57308,57408,57508,57608,57708,57808,57908,58008,58108,58208,58308,58408,58508,58608,58708,58808,58908,59008,59108,59208,59308,59408,59508,59608,59708,59808,59908
rarity 9
match sapjavatelnet m|\xff\xfb\x01\xff\xfb\x03\xff\xfd\x1f| p/SAP JAVA Telnet/
match saplogviewer m|^READY#Logviewer#([\d.]+)\r\n| p/SAP NetWeaver Logviewer/ v/$1/ cpe:/a:sap:netweaver_logviewer:$1/
##############################NEXT PROBE##############################
Probe TCP SAPJMS q|\x00\x00\x00\x00|
ports 50010,50110,50210,50310,50410,50510,50610,50710,50810,50910,51010,51110,51210,51310,51410,51510,51610,51710,51810,51910,52010,52110,52210,52310,52410,52510,52610,52710,52810,52910,53010,53110,53210,53310,53410,53510,53610,53710,53810,53910,54010,54110,54210,54310,54410,54510,54610,54710,54810,54910,55010,55110,55210,55310,55410,55510,55610,55710,55810,55910,56010,56110,56210,56310,56410,56510,56610,56710,56810,56910,57010,57110,57210,57310,57410,57510,57610,57710,57810,57910,58010,58110,58210,58310,58410,58510,58610,58710,58810,58910,59010,59110,59210,59310,59410,59510,59610,59710,59810,59910
rarity 9
match sapjms m|Packet length| p/SAP Java Message Service/
match sapjms m|Packet with i| p/SAP Java Message Service/
##############################NEXT PROBE##############################
# P_SAPJAVAENQ
Probe TCP SAPJAVAENQ q|\x00\x00\x00\x56\xab\xcd\xe1\x23\x00\x00\x00\x00\x00\x00\x00\x56\x00\x00\x00\x56\x06\x01\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x04\x00\x00\x00\x00\x00\x03sap730_4016_1\x00\x00\x00\x00\x02\x00\x00\x00\x3b\x00\x00\x00\x05\x00\x00\x00\x03\x00\x00\x00\x06\x00\x00\x00\x04\x00\x00\x00\x01|
ports 3200-3299
rarity 9
match sapjavaenq m|\W+(\w+)_IOThread_| p/SAP Enqueue Server/ h/$1/
##############################NEXT PROBE##############################
# P_NIPING
Probe TCP SAPNIPING q|\x00\x00\x00\x03SAP|
ports 3298
rarity 9
match sapniping m|\x00\x00\x00\x03SAP| p/SAP NIPing/
##############################NEXT PROBE##############################
# P_SAProuter
Probe TCP SAProuter q|\x00\x00\x00\x00|
ports 3200-3299
rarity 9
match saprouter m|SAProuter ([\d.]+) on '(\w+)'| p/SAProuter/ v/$1/ h/$2/
match saprouter m|SAProuter| p/SAProuter/
##############################NEXT PROBE##############################
# P_SAPIGS
Probe TCP SAPIGS q|GET /a HTTP/1.0\r\n\r\n|
ports 40080,40180,40280,40380,40480,40580,40680,40780,40880,40980,41080,41180,41280,41380,41480,41580,41680,41780,41880,41980,42080,42180,42280,42380,42480,42580,42680,42780,42880,42980,43080,43180,43280,43380,43480,43580,43680,43780,43880,43980,44080,44180,44280,44380,44480,44580,44680,44780,44880,44980,45080,45180,45280,45380,45480,45580,45680,45780,45880,45980,46080,46180,46280,46380,46480,46580,46680,46780,46880,46980,47080,47180,47280,47380,47480,47580,47680,47780,47880,47980,48080,48180,48280,48380,48480,48580,48680,48780,48880,48980,49080,49180,49280,49380,49480,49580,49680,49780,49880,49980
rarity 9
match sapigs m|SAP Internet Graphics Server| p/SAP Internet Graphics Server/
##############################NEXT PROBE##############################
# TREX (old) packet version
Probe TCP SAPTREXGEN q|I\x00\x08\x10\x18\x0b\x00\x00\x00\x01\x02\x05%\x00\x00\x00\x00__INT__PINGD\x00\x00\x00\x88\x00\x00\x00\x00\x07\xff\xff\xff\xff\xff\xff\xff\xff\x17|
ports 30001,30101,30201,30301,30401,30501,30601,30701,30801,30901,31001,31101,31201,31301,31401,31501,31601,31701,31801,31901,32001,32101,32201,32301,32401,32501,32601,32701,32801,32901,33001,33101,33201,33301,33401,33501,33601,33701,33801,33901,34001,34101,34201,34301,34401,34501,34601,34701,34801,34901,35001,35101,35201,35301,35401,35501,35601,35701,35801,35901,36001,36101,36201,36301,36401,36501,36601,36701,36801,36901,37001,37101,37201,37301,37401,37501,37601,37701,37801,37901,38001,38101,38201,38301,38401,38501,38601,38701,38801,38901,39001,39101,39201,39301,39401,39501,39601,39701,39801,39901
rarity 9
match saptrex m|\xc7\xff\x17| p/SAP TREX Name server/
# HANA trexnet packet detection (Working for HANA trexnet from SPS7 to SPS12)
Probe TCP SAPHANATREX q|\x3f\x00\x08\x10\x18\x09\x00\x00\x00\x01\x02\x07\x25\x00\x00\x00\x63\x6f\x72\x65\x2f\x70\x69\x6e\x67\x44\x02\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00\x05\xfd\xff\xff\xff\x0b\xff\xff\xff\xff\xff\xff\xff\xff\x05\xff\xff\xff\xff\x05\xff\xff\xff\xff\x05\xff\xff\xff\xff\x05\xff\xff\xff\xff\x05\xff\xff\xff\xff\x07\xff\xff\xff\xff\xff\xff\xff\xff\x07\xff\xff\xff\xff\xff\xff\xff\xff\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x05\xff\xff\xff\xff\x01\x00\x09\x00\x00\x00\x00\x09\x00\x00\x00\x00\x09\x00\x00\x00\x00\x09\x00\x00\x00\x00\x09\x00\x00\x00\x00\x09\x00\x00\x00\x00\x09\x00\x00\x00\x00\x09\x00\x00\x00\x00\x09\x00\x00\x00\x00\x09\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x01\x00\x01\x00\x01\x00\x0b\x98\x7d\x00\x00\x00\x00\x00\x00\x05\x00\x04\x00\x00\x06\x01\x00\x00\x00\x06\x43\x7d\x00\x00\x06\x98\x7d\x00\x00\x0b\x04\x00\x00\x00\x00\x00\x00\x00\x09\x09\x00\x00\x00\x68\x61\x6e\x61\x73\x65\x72\x76\x72\x09\x06\x00\x00\x00\x70\x79\x74\x68\x6f\x6e\x09\x01\x00\x00\x00\x30\x05\x00\x00\x00\x00\x07\x50\x49\x4e\x47\x50\x4f\x4e\x47\x17|
ports 30001,30101,30201,30301,30401,30501,30601,30701,30801,30901,31001,31101,31201,31301,31401,31501,31601,31701,31801,31901,32001,32101,32201,32301,32401,32501,32601,32701,32801,32901,33001,33101,33201,33301,33401,33501,33601,33701,33801,33901,34001,34101,34201,34301,34401,34501,34601,34701,34801,34901,35001,35101,35201,35301,35401,35501,35601,35701,35801,35901,36001,36101,36201,36301,36401,36501,36601,36701,36801,36901,37001,37101,37201,37301,37401,37501,37601,37701,37801,37901,38001,38101,38201,38301,38401,38501,38601,38701,38801,38901,39001,39101,39201,39301,39401,39501,39601,39701,39801,39901,30002,30102,30202,30302,30402,30502,30602,30702,30802,30902,31002,31102,31202,31302,31402,31502,31602,31702,31802,31902,32002,32102,32202,32302,32402,32502,32602,32702,32802,32902,33002,33102,33202,33302,33402,33502,33602,33702,33802,33902,34002,34102,34202,34302,34402,34502,34602,34702,34802,34902,35002,35102,35202,35302,35402,35502,35602,35702,35802,35902,36002,36102,36202,36302,36402,36502,36602,36702,36802,36902,37002,37102,37202,37302,37402,37502,37602,37702,37802,37902,38002,38102,38202,38302,38402,38502,38602,38702,38802,38902,39002,39102,39202,39302,39402,39502,39602,39702,39802,39902,30006,30106,30206,30306,30406,30506,30606,30706,30806,30906,31006,31106,31206,31306,31406,31506,31606,31706,31806,31906,32006,32106,32206,32306,32406,32506,32606,32706,32806,32906,33006,33106,33206,33306,33406,33506,33606,33706,33806,33906,34006,34106,34206,34306,34406,34506,34606,34706,34806,34906,35006,35106,35206,35306,35406,35506,35606,35706,35806,35906,36006,36106,36206,36306,36406,36506,36606,36706,36806,36906,37006,37106,37206,37306,37406,37506,37606,37706,37806,37906,38006,38106,38206,38306,38406,38506,38606,38706,38806,38906,39006,39106,39206,39306,39406,39506,39606,39706,39806,39906
rarity 9
match saphanatrex12 m|\x07PINGPONG\x18\x45\xff| p/SAP HANA Trexnet Name Server/ v/SPS12/
match saphanatrex11 m|PoolThread.cpp:389| p/SAP HANA Trexnet Name Server/ v/SPS11/
match saphanatrex10 m|PoolThread.cpp:402| p/SAP HANA Trexnet Name Server/ v/SPS10/
match saphanatrex09 m|PoolThread.cpp:274| p/SAP HANA Trexnet Name Server/ v/SPS9/
match saphanatrex08 m|PoolThread.cpp:265| p/SAP HANA Trexnet Name Server/ v/SPS8/
match saphanatrex07 m|PoolThread.cpp:278| p/SAP HANA Trexnet Name Server/ v/SPS7/
Probe TCP SAPTREXGEN q|I\x00\x08\x10\x18\x0b\x00\x00\x00\x01\x02\x05%\x00\x00\x00\x00__INT__PINGD\x00\x00\x00\x88\x00\x00\x00\x00\x07\xff\xff\xff\xff\xff\xff\xff\xff\x17|
ports 30002,30102,30202,30302,30402,30502,30602,30702,30802,30902,31002,31102,31202,31302,31402,31502,31602,31702,31802,31902,32002,32102,32202,32302,32402,32502,32602,32702,32802,32902,33002,33102,33202,33302,33402,33502,33602,33702,33802,33902,34002,34102,34202,34302,34402,34502,34602,34702,34802,34902,35002,35102,35202,35302,35402,35502,35602,35702,35802,35902,36002,36102,36202,36302,36402,36502,36602,36702,36802,36902,37002,37102,37202,37302,37402,37502,37602,37702,37802,37902,38002,38102,38202,38302,38402,38502,38602,38702,38802,38902,39002,39102,39202,39302,39402,39502,39602,39702,39802,39902
rarity 9
match saptrex m|\xc7\xff\x17| p/SAP TREX Preprocessor/
Probe TCP SAPTREXGEN q|I\x00\x08\x10\x18\x0b\x00\x00\x00\x01\x02\x05%\x00\x00\x00\x00__INT__PINGD\x00\x00\x00\x88\x00\x00\x00\x00\x07\xff\xff\xff\xff\xff\xff\xff\xff\x17|
ports 30003,30103,30203,30303,30403,30503,30603,30703,30803,30903,31003,31103,31203,31303,31403,31503,31603,31703,31803,31903,32003,32103,32203,32303,32403,32503,32603,32703,32803,32903,33003,33103,33203,33303,33403,33503,33603,33703,33803,33903,34003,34103,34203,34303,34403,34503,34603,34703,34803,34903,35003,35103,35203,35303,35403,35503,35603,35703,35803,35903,36003,36103,36203,36303,36403,36503,36603,36703,36803,36903,37003,37103,37203,37303,37403,37503,37603,37703,37803,37903,38003,38103,38203,38303,38403,38503,38603,38703,38803,38903,39003,39103,39203,39303,39403,39503,39603,39703,39803,39903,30016,30116,30216,30316,30416,30516,30616,30716,30816,30916,31016,31116,31216,31316,31416,31516,31616,31716,31816,31916,32016,32116,32216,32316,32416,32516,32616,32716,32816,32916,33016,33116,33216,33316,33416,33516,33616,33716,33816,33916,34016,34116,34216,34316,34416,34516,34616,34716,34816,34916,35016,35116,35216,35316,35416,35516,35616,35716,35816,35916,36016,36116,36216,36316,36416,36516,36616,36716,36816,36916,37016,37116,37216,37316,37416,37516,37616,37716,37816,37916,38016,38116,38216,38316,38416,38516,38616,38716,38816,38916,39016,39116,39216,39316,39416,39516,39616,39716,39816,39916
rarity 9
match saptrex m|\xc7\xff\x17| p/SAP TREX Index server/
Probe TCP SAPTREXGEN q|I\x00\x08\x10\x18\x0b\x00\x00\x00\x01\x02\x05%\x00\x00\x00\x00__INT__PINGD\x00\x00\x00\x88\x00\x00\x00\x00\x07\xff\xff\xff\xff\xff\xff\xff\xff\x17|
ports 30004,30104,30204,30304,30404,30504,30604,30704,30804,30904,31004,31104,31204,31304,31404,31504,31604,31704,31804,31904,32004,32104,32204,32304,32404,32504,32604,32704,32804,32904,33004,33104,33204,33304,33404,33504,33604,33704,33804,33904,34004,34104,34204,34304,34404,34504,34604,34704,34804,34904,35004,35104,35204,35304,35404,35504,35604,35704,35804,35904,36004,36104,36204,36304,36404,36504,36604,36704,36804,36904,37004,37104,37204,37304,37404,37504,37604,37704,37804,37904,38004,38104,38204,38304,38404,38504,38604,38704,38804,38904,39004,39104,39204,39304,39404,39504,39604,39704,39804,39904
rarity 9
match saptrex m|\xc7\xff\x17| p/SAP TREX Queue server/
Probe TCP SAPTREXHTTP q|GET /TREX?CMD=PING HTTP/1.0\r\n\r\n|
ports 30005,30105,30205,30305,30405,30505,30605,30705,30805,30905,31005,31105,31205,31305,31405,31505,31605,31705,31805,31905,32005,32105,32205,32305,32405,32505,32605,32705,32805,32905,33005,33105,33205,33305,33405,33505,33605,33705,33805,33905,34005,34105,34205,34305,34405,34505,34605,34705,34805,34905,35005,35105,35205,35305,35405,35505,35605,35705,35805,35905,36005,36105,36205,36305,36405,36505,36605,36705,36805,36905,37005,37105,37205,37305,37405,37505,37605,37705,37805,37905,38005,38105,38205,38305,38405,38505,38605,38705,38805,38905,39005,39105,39205,39305,39405,39505,39605,39705,39805,39905
rarity 9
match saptrexhttp m|OK Server Connection| p/SAP TREX HTTP Server/
Probe TCP SAPTREXALERT q|GET / HTTP/1.0\r\n\r\n|
ports 30011,30111,30211,30311,30411,30511,30611,30711,30811,30911,31011,31111,31211,31311,31411,31511,31611,31711,31811,31911,32011,32111,32211,32311,32411,32511,32611,32711,32811,32911,33011,33111,33211,33311,33411,33511,33611,33711,33811,33911,34011,34111,34211,34311,34411,34511,34611,34711,34811,34911,35011,35111,35211,35311,35411,35511,35611,35711,35811,35911,36011,36111,36211,36311,36411,36511,36611,36711,36811,36911,37011,37111,37211,37311,37411,37511,37611,37711,37811,37911,38011,38111,38211,38311,38411,38511,38611,38711,38811,38911,39011,39111,39211,39311,39411,39511,39611,39711,39811,39911
rarity 9
match saptrex m|Server: ([\w./ ]+)| p/SAP TREX AlertServer/ i/$1/
Probe TCP SAPTREXRFC q|I\x00\x08\x10\x18\x0b\x00\x00\x00\x01\x02\x05%\x00\x00\x00\x00__INT__PINGD\x00\x00\x00\x88\x00\x00\x00\x00\x07\xff\xff\xff\xff\xff\xff\xff\xff\x17|
ports 30007,30107,30207,30307,30407,30507,30607,30707,30807,30907,31007,31107,31207,31307,31407,31507,31607,31707,31807,31907,32007,32107,32207,32307,32407,32507,32607,32707,32807,32907,33007,33107,33207,33307,33407,33507,33607,33707,33807,33907,34007,34107,34207,34307,34407,34507,34607,34707,34807,34907,35007,35107,35207,35307,35407,35507,35607,35707,35807,35907,36007,36107,36207,36307,36407,36507,36607,36707,36807,36907,37007,37107,37207,37307,37407,37507,37607,37707,37807,37907,38007,38107,38207,38307,38407,38507,38607,38707,38807,38907,39007,39107,39207,39307,39407,39507,39607,39707,39807,39907
rarity 9
match saptrex m|\xc7\xff\x17| p/SAP TREX RFC server/
Probe TCP SAPTREXCRUISE q|I\x00\x08\x10\x18\x0b\x00\x00\x00\x01\x02\x05%\x00\x00\x00\x00__INT__PINGD\x00\x00\x00\x88\x00\x00\x00\x00\x07\xff\xff\xff\xff\xff\xff\xff\xff\x17|
ports 30008,30108,30208,30308,30408,30508,30608,30708,30808,30908,31008,31108,31208,31308,31408,31508,31608,31708,31808,31908,32008,32108,32208,32308,32408,32508,32608,32708,32808,32908,33008,33108,33208,33308,33408,33508,33608,33708,33808,33908,34008,34108,34208,34308,34408,34508,34608,34708,34808,34908,35008,35108,35208,35308,35408,35508,35608,35708,35808,35908,36008,36108,36208,36308,36408,36508,36608,36708,36808,36908,37008,37108,37208,37308,37408,37508,37608,37708,37808,37908,38008,38108,38208,38308,38408,38508,38608,38708,38808,38908,39008,39108,39208,39308,39408,39508,39608,39708,39808,39908
rarity 9
match saptrex m|\xc7\xff\x17| p/SAP TREX Cruise server/
##############################NEXT PROBE##############################
Probe TCP SAPLOGVIEWER q|JRMI\x00\x02K|
ports 1099,5465,26000
rarity 9
match saplogviewer m|N\x00| p/SAP Logviewer Standalone/
match saplogviewer m|\x52\x45\x41\x44\x59\x23| p/SAP Logviewer Standalone Socket/
match saplogviewer m|\x76\x31| p/SAP Logviewer Standalone Socket/
##############################NEXT PROBE##############################
Probe TCP SAPHANAHDB q|\xFF\xFF\xFF\xFF\x04\x00\x14\x04\x00\x01\x00\x01\x01\x01|
ports 30015,30041-39998
rarity 9
match saphanahdb m|\x04\x01\x00\x00\x00| p/SAP HANA HDB/
##############################NEXT PROBE##############################
Probe TCP SAPMOBILE q|GET / HTTP/1.0\r\n\r\n|
ports 5001
rarity 9
match sapmobile m|WWW-Authenticate: Basic realm="Unwired Platform"| p/SAP Mobile Platform/
##############################NEXT PROBE##############################
Probe TCP SAPMPSP q|SAP|
sslports 8083
rarity 9
match sapmpsp m|Certificate| p/SAP Mobile Platform Administration Secure Port/
#
# https://www.coresecurity.com/system/files/publications/2016/05/corelabs-nmap-service-probes.txt
#
##############################NEXT PROBE##############################
Probe TCP SAPDIAG q|\x00\x00\x01\x06\xff\xff\xff\xff\n\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff>\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x10\x04\x02\x00\x0c\x00\x00\x00\x80\x00\x00\x04L\x00\x00\x13\x89\x10\x04\x0b\x00 \xff\x7f\xfe-\xda\xb77\xd6t\x08~\x13\x05\x97\x15\x97\xef\xf2?\x8d\x07p\xff\x0f\x00\x00\x00\x00\x00\x00\x00\x00|
ports 3200-3299
rarity 9
softmatch sapgui m|^\x00\x00..\x00\x00\x11\x00\x00\x01\x00\x00.*\x10\x06\x02..(\w\w\w).*\x10\x06\x03..([\w._-]+).*\x10\x06\x29..(\d+)\x00(\d+)\x00(\d+)\x00|s p/SAP Dispatcher/ i/DB name $1/ h/$2/ v/release $4, patch level $5, database release $3/
##############################NEXT PROBE##############################
Probe TCP SAPDISP q|\x00\x00\x00\x00|
ports 3200-3299
rarity 9
match sapdisp m|DPTMMSG| p/SAP ABAP Dispatcher/
##############################NEXT PROBE##############################
# FIXME: do version grabbing when COMMAND=version is honored.
Probe TCP ORACLETNS q|\x00Z\x00\x00\x01\x00\x00\x00\x016\x01,\x00\x00\x08\x00\x7f\xff\x7f\x08\x00\x00\x00\x01\x00 \x00:\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x004\xe6\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00(CONNECT_DATA=(COMMAND=version))|
ports 1520-1599
rarity 9
match oracledb m|DESCRIPTION.*ERROR| p/Oracle TNS Listener/
match oracledb m|TNSLSNR for (.*?): Version ([\d.]+)| p/Oracle TNS Listener/ v/$2/ o/$1/
##############################NEXT PROBE##############################
Probe TCP SAPPCOMGT q|GET /PCoManagement?wsdl HTTP/1.0\r\n\r\n|
ports 50050
rarity 9
match sappcomgt m|200 OK| p/SAP Plant Connectivity Management SOAP/
##############################NEXT PROBE##############################
Probe TCP SAPXMII q|<?xml version="1.0" encoding="UTF-8"?><pco:request xmlns:pco="uri:sap-pco-request" pco:version="1.0"><pco:features/></pco:request>|
ports 9000-9010
rarity 9
match sapxmii m|xMII| p/SAP xMII query agent/
##############################NEXT PROBE##############################
Probe TCP SAPBOCMS q|aps|
ports 6400
rarity 9
match sapbocms m|seagatesoftware| p/SAP Business Object CMS/
##############################NEXT PROBE##############################
Probe TCP SAPBOWEB4 q|POST /BOE/CMC/ HTTP/1.0\r\n\r\n|
ports 8080
rarity 9
match sapboweb m|200 OK| p/SAP Business Object Web Frontend/ v/4.x/
Probe TCP SAPBOWEB3 q|GET /CmcApp/logon.faces HTTP/1.0\r\n\r\n|
ports 8080
rarity 9
match sapboweb m|200 OK| p/SAP Business Object Web Frontend/ v/3.x/
##############################NEXT PROBE##############################
#Probe TCP SAPASE q|\x00\x02\x00\x02\x00\x00\x00\x00|
#ports 4901-4999
#rarity 9
#match sapase m|Login failed| p/SAP ASE Database/
##############################NEXT PROBE##############################
Probe TCP RPCCheck q|\x80\0\0\x28\x72\xFE\x1D\x13\0\0\0\0\0\0\0\x02\0\x01\x86\xA0\0\x01\x97\x7C\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0|
ports 4901-4999
match ase-adaptive m|^\0\x01\0\x08\0\0\x00\0$| p/SAP ASE DB/ o/Windows/ cpe:/a:sybase:adaptive_server/ cpe:/o:microsoft:windows/a
match ase-backup m|^\0\x01\0\x08\0\0\x01\0$| p/SAP ASE DB backup/ o/Windows/ cpe:/a:sybase:backup_server/ cpe:/o:microsoft:windows/a
##############################NEXT PROBE##############################
#### BEWARE: THIS PROBE ONLY WORKS WITH A PATCHED NMAP !! ####
######################################################################
# nmap's line buffer is only 2048 bytes; it must be extended to 4096 for this probe line to be parsed:
# diff --git a/service_scan.cc b/service_scan.cc
# index c424314..435c1f8 100644
# --- a/service_scan.cc
# +++ b/service_scan.cc
# @@ -1265,7 +1265,7 @@ void ServiceProbe::addMatch(const char *match, int lineno) {
# (servicematch) which use this */
# void parse_nmap_service_probe_file(AllProbes *AP, char *filename) {
# ServiceProbe *newProbe = NULL;
# - char line[2048];
# + char line[4096];
#
#
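Review bot: this hunk only enlarges the fixed `char line[]` buffer from 2048 to 4096; nothing in it detects a line that still exceeds the new size, so an over-long probe line (and, as the comment after the split SAPASE probe below notes, even an over-long comment line) is still silently truncated and either mis-parsed or turned into a probe that never matches. Suggest failing loudly when a read line does not end in a newline, and naming the limit as a constant instead of a bare literal so the probes file can state the value it depends on.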
#Probe TCP SAPASE q|\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00probe\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x002936\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x03\x01\x06\n\t\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00probe\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05DDD\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
# split here to work around the nmap line-buffer bug (it bites even when the line is commented out)
#\x00\x00\x00\x00\x00\x00\x00\x02\x05\x00\x00\x00CT-Library\n\x0f\x07\x00\r\x00\r\x11\x00s_english\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x01\x00k\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\n\x00\x00\x00\x02\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00utf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00512\x00\x00\x00\x03\x00\x00\x00\x00\xe2 \x00\x01\x0e\x01<\xe2\xf9\xb5\x87\xea\xbbm\x7f\xff\xff\xff\xfe\x02\x0e\x00\x00\x00\x00\x00\x18b\x00\x00\xa2h\x00\x00\x00|
#ports 4901-4999
#rarity 9
#match sapase m|password on the network\.\n\x03(\w+)...........\x03ASE\x10\x00\x02\x05| p/SAP ASE Database ($1)/ v/16.0.2.5/
#match sapase m|password on the network\.\n\x03(\w+)...........\x03ASE\x10\x00\x02\x04| p/SAP ASE Database ($1)/ v/16.0.2.4/
#match sapase m|password on the network\.\n\x03(\w+)...........\x03ASE\x10\x00\x02\x00| p/SAP ASE Database ($1)/ v/16.0.2.0/
#match sapase m|password on the network\.\n\x03(\w+)...........\x03ASE\x0f\x07\x00\x00| p/SAP ASE Database ($1)/ v/15.7.0.0/
#match sapase m|password on the network\.\n\x03(\w+)...........\x03ASE\x0f\x07| p/SAP ASE Database ($1)/ v/15.7.x/
#match sapase m|password on the network\.\n\x03(\w+)...........\x03ASE\x10\x00\x02| p/SAP ASE Database ($1)/ v/16.0.2.x/
#match sapase m|password on the network\.\n\x03(\w+)...........\x03ASE\x10| p/SAP ASE Database ($1)/ v/16.x/
#match sapase m|password on the network\.\n\x03(\w+)...........\x03ASE\x0f| p/SAP ASE Database ($1)/ v/15.x/
#match sapase m|password on the network\.\n\x03(\w+)...........\x03ASE| p/SAP ASE Database ($1)/ v/unknown/
#match sapase m|\x0f\x01\x00\x3e\x00\x00\x00\x00\xad\x0d\x00\x07\x05\x00\x00\x00\x03ASE| p/SAP ASE Database (vulnerable to probe login)/
#match sapase m|^\x03ASE| p/SAP ASE Database (vulnerable to probe login)/
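The comment block above explains why the SAPASE probe had to be split: nmap reads every line of the probes file, comment lines included, into a fixed 2048-byte buffer. The following script is an added example, not part of this probes file or of nmap itself: it parses the Probe, ports, sslports, rarity, match and softmatch directives used in this file, flags any line that would overflow that buffer, compiles each match regex, and replays a captured response against a probe's match lines so a new match line can be checked offline before a scan. The two sample probes (modelled on the SAPSMTP and SAPTREXHTTP entries above), the over-long line, the broken regex and the SMTP banner are constructed test inputs; the buffer arithmetic assumes a C fgets-style read, and the payload unescaping assumes Python's unicode_escape rules agree with nmap's C-string unescaping for the escapes used here.

```python
import codecs
import re

DEFAULT_LINE_LIMIT = 2048   # size of nmap's fixed `char line[...]` buffer before the patch quoted above
_FIELD_RE = re.compile(r'(cpe:|[pvihod])(\W)')   # version fields p/ v/ i/ h/ o/ d/ cpe:/ and their delimiter

def _delimited(s, pos):   # (body, index past the closing delimiter) for the token opened by s[pos]
    end = s.find(s[pos], pos + 1)
    if end < 0:
        raise ValueError("unterminated %r in %r" % (s[pos], s))
    return s[pos + 1:end], end + 1

def parse_match(line):
    """Parse one match/softmatch line; the regex is compiled as a bytes pattern."""
    kind, service, rest = line.split(None, 2)
    pattern, pos = _delimited(rest, 1)   # rest is m<delim>regex<delim>[flags] [version fields]
    flags = 0
    while pos < len(rest) and not rest[pos].isspace():   # trailing i / s flags
        flags |= {'i': re.IGNORECASE, 's': re.DOTALL}.get(rest[pos], 0)
        pos += 1
    fields, rest = {}, rest[pos:].lstrip()
    while rest:
        m = _FIELD_RE.match(rest)
        if not m:
            raise ValueError("unparsable version field %r" % rest)
        body, end = _delimited(rest, m.end() - 1)
        key = m.group(1).rstrip(':')
        fields.setdefault(key, []).append(body)
        rest = rest[end:]
        if key == 'cpe' and rest.startswith('a'):   # cpe:/.../a marks an application CPE
            rest = rest[1:]
        rest = rest.lstrip()
    return {'soft': kind == 'softmatch', 'service': service,
            'regex': re.compile(pattern.encode('latin-1'), flags), 'fields': fields}

def parse_probes(text):
    """Parse a probes fragment into probe dicts; comment and blank lines are skipped."""
    probes, cur = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        if line.startswith('Probe '):
            _, proto, name, rest = line.split(None, 3)
            # q|...| uses C-style escapes; assumes unicode_escape agrees with nmap's unescaping
            payload = codecs.decode(_delimited(rest, 1)[0].encode('latin-1'), 'unicode_escape')
            cur = {'name': name, 'proto': proto, 'payload': payload.encode('latin-1'), 'matches': []}
            probes.append(cur)
        elif cur is None:
            raise ValueError("directive before any Probe line: %r" % line)
        elif line.startswith(('match ', 'softmatch ')):
            cur['matches'].append(parse_match(line))
        else:   # ports / sslports / rarity / fallback ...: stored verbatim, minus the spaces nmap tolerates
            key, value = line.split(None, 1)
            cur[key] = value.replace(' ', '')
    return probes

def lint(text, line_limit=DEFAULT_LINE_LIMIT):
    """(lineno, message) pairs for lines nmap would truncate or fail to parse. Every line, comments included, goes through the same fixed buffer; assuming a C fgets-style read it must fit together with its newline and the NUL terminator."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        nbytes = len(line.encode('latin-1'))
        if nbytes > line_limit - 2:
            problems.append((lineno, 'line is %d bytes, buffer holds %d' % (nbytes, line_limit - 2)))
        if line.startswith(('match ', 'softmatch ')):
            try:
                parse_match(line)
            except (ValueError, re.error) as exc:
                problems.append((lineno, 'bad match line: %s' % exc))
    return problems

def match_response(probe, response):
    """Replay a captured response against a probe's match lines the way nmap does: softmatches accumulate, the first hard match wins, and $N in the version fields is filled from the regex groups."""
    hits = []
    for m in probe['matches']:
        mo = m['regex'].search(response)
        if mo is None:
            continue
        fill = lambda s: re.sub(r'\$(\d+)', lambda g: (mo.group(int(g.group(1))) or b'').decode('latin-1'), s)
        hits.append({'service': m['service'], 'soft': m['soft'],
                     'fields': {k: [fill(v) for v in vs] for k, vs in m['fields'].items()}})
        if not m['soft']:
            break
    return hits

# Constructed inputs: two probes modelled on the SAPSMTP/SAPTREXHTTP entries in this file, a probe line far longer than the buffer plus a broken regex, and a banner as an SMTP plug-in might return it.
SAMPLE_PROBES = r'''Probe TCP SAPSMTP q|HEAD / HTTP/1.0\r\n\r\n|
ports 25
match sapsmtp m|(\S+) SAP (\S+) E?SMTP service ready| p/SAP SMTP Server/ h/$1/ v/$2/
Probe TCP SAPTREXHTTP q|GET /TREX?CMD=PING HTTP/1.0\r\n\r\n|
ports 30005, 30105
match saptrexhttp m|OK Server Connection| p/SAP TREX HTTP Server/'''
BAD_PROBES = 'Probe TCP TOOLONG q|' + r'\x00' * 600 + '|\nports 1\nmatch broken m|(unclosed| p/x/\n'
SAMPLE_BANNER = b'220 sapapp01.example.test SAP 7.40 ESMTP service ready\r\n'

def demo():   # parse the sample, replay the banner against SAPSMTP, then lint the broken fragment
    probes = parse_probes(SAMPLE_PROBES)
    return probes, match_response(probes[0], SAMPLE_BANNER), lint(BAD_PROBES)
```

`lint(open('nmap-service-probes').read())` returns `(line, message)` pairs for a whole probes file, and `lint(text, line_limit=4096)` checks against the patched buffer instead; `match_response(probe, data)` takes the raw bytes captured from a service with a socket and reports which match line would fire and the product, host and version fields nmap would print, which is the quickest way to validate a new match line before adding it here.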
##############################NEXT PROBE##############################
Probe TCP SAPSDMADM q|\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x31\x31|
ports 50017,50117,50217,50317,50417,50517,50617,50717,50817,50917,51017,51117,51217,51317,51417,51517,51617,51717,51817,51917,52017,52117,52217,52317,52417,52517,52617,52717,52817,52917,53017,53117,53217,53317,53417,53517,53617,53717,53817,53917,54017,54117,54217,54317,54417,54517,54617,54717,54817,54917,55017,55117,55217,55317,55417,55517,55617,55717,55817,55917,56017,56117,56217,56317,56417,56517,56617,56717,56817,56917,57017,57117,57217,57317,57417,57517,57617,57717,57817,57917,58017,58117,58217,58317,58417,58517,58617,58717,58817,58917,59017,59117,59217,59317,59417,59517,59617,59717,59817,59917
rarity 9
match sapsdmadmin m| 334Sorry| p/SAP SDM Administration/
##############################NEXT PROBE##############################
Probe TCP SAPSDMGUI q|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x31\x31|
ports 50018,50118,50218,50318,50418,50518,50618,50718,50818,50918,51018,51118,51218,51318,51418,51518,51618,51718,51818,51918,52018,52118,52218,52318,52418,52518,52618,52718,52818,52918,53018,53118,53218,53318,53418,53518,53618,53718,53818,53918,54018,54118,54218,54318,54418,54518,54618,54718,54818,54918,55018,55118,55218,55318,55418,55518,55618,55718,55818,55918,56018,56118,56218,56318,56418,56518,56618,56718,56818,56918,57018,57118,57218,57318,57418,57518,57618,57718,57818,57918,58018,58118,58218,58318,58418,58518,58618,58718,58818,58918,59018,59118,59218,59318,59418,59518,59618,59718,59818,59918
rarity 9
match sapsdmgui m|<Error><Er>This| p/SAP SDM GUI/
##############################NEXT PROBE##############################
Probe TCP SAPSMTP q|HEAD / HTTP/1.0\r\n\r\n|
ports 25
rarity 9
match sapsmtp m|(\S+) SAP (\S+) E?SMTP service ready| p/SAP SMTP Server/ h/$1/ v/$2/
##############################NEXT PROBE##############################
Probe TCP P4IIOP q|GIOP\x01\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x03\x00\x00\x00\x11\x00\x00\x00\x02\x00\x02\x00\x00NEO\x00\x00\x00\x00\x02\x00\x14\x00\x00\x00\x00\x00\x06\x00\x00\x00\xa6\x00\x00\x00\x00\x00\x00\x00(IDL:omg.org/SendingContext/CodeBase:0.0\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00j\x00\x01\x02\x00\x00\x00\x00\n127.0.1.1\x00\x9bF\x00\x00\x00\x19\xaf\xab\xcb\x00\x00\x00\x00\x02%a2+\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00 \x00\x00\x00\x00\x00\x01\x00\x01\x00\x00\x00\x02\x05\x01\x00\x01\x00\x01\x00 \x00\x01\x01\t\x00\x00\x00\x01\x00\x01\x01\x00\x00\x00\x00&\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\x05\x01\x00\x00\x00\x00\x00\x00\x04INIT\x00\x00\x00\x04get\x00\x00\x00\x00\x00\x00\x00\x00\x0cNameService\x00|
ports 50007,50107,50207,50307,50407,50507,50607,50707,50807,50907,51007,51107,51207,51307,51407,51507,51607,51707,51807,51907,52007,52107,52207,52307,52407,52507,52607,52707,52807,52907,53007,53107,53207,53307,53407,53507,53607,53707,53807,53907,54007,54107,54207,54307,54407,54507,54607,54707,54807,54907,55007,55107,55207,55307,55407,55507,55607,55707,55807,55907,56007,56107,56207,56307,56407,56507,56607,56707,56807,56907,57007,57107,57207,57307,57407,57507,57607,57707,57807,57907,58007,58107,58207,58307,58407,58507,58607,58707,58807,58907,59007,59107,59207,59307,59407,59507,59607,59707,59807
rarity 9
match sapp4iiop m|IDL:omg.org/SendingContext/CodeBase:1.0.*?(\d+\.\d+\.\d+\.\d+)| p/SAP P4 over IIOP/ i/Potential internal IP $1/
##############################NEXT PROBE##############################
Probe TCP POSXPRESSDATA q|lalala|
ports 2202
rarity 9
match xpresserver m|201 XPRESS SERVER (\d+\.\d+\.\d+)+ (SP\d+\s)?(Build\s\d+\s)?([\w-]+)?| p/SAP XPRESS Server/ v/Version $1 $2 $3/ h/$4/
##############################NEXT PROBE##############################
Probe TCP POSXPRESSCLIENT q|{D0045}\x14\x64\x00\x0a\x00\x02\x16\x00\x03\x00\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd9\x88\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00|
ports 2200
rarity 9
match xpresserverclient m|{D\d\d\d\d}| p/SAP XPRESS Server client's port/
##############################NEXT PROBE##############################
# Added: RDP on 3389 collides with the SAP 33NN gateway port rules   #
######################################################################
Probe TCP MSRDP q|\x03\x00\x00\x0b\x06\xe0\x00\x00\x00\x00\x00\x00|
ports 3389
rarity 9
match ms-wbt-server m#^\x03\x00\x00(\x0b|\x17|\x11)# p/Microsoft Terminal Service/
############################################
# _____ _     ____    ______ ____  _       #
#|_   _| |   / ___|  / / ___/ ___|| |      #
#  | | | |   \___ \ / /\___ \___ \| |      #
#  | | | |___ ___) / /  ___) |__) | |___   #
#  |_| |_____|____/_/  |____/____/|_____|  #
#Ripped from official nmap-service-probes  #
#Without it, SSL detection on non-standard #
#ports fails badly.                        #
############################################
##############################NEXT PROBE##############################
# SSLv3 ClientHello probe. Will be able to reliably identify the SSL version
# used, unless the server is running SSLv2 only. Note that it will also detect
# TLSv1-only servers, based on a failed handshake alert.
Probe TCP SSLSessionReq q|\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\x08\0\x06\0\x03\x01\0|
rarity 9
ports 443,444,465,548,636,989,990,992,993,994,995,1241,1311,1443,2000,2252,2443,3443,4443,4444,5061,5443,5550,6443,7210,7272,7443,8009,8181,8194,8443,9001,9443,10443,14443,44443,60443,30030
#fallback WEB
match adabas m|^,\0,\0\x03\x02\0\0G\xd7\xf7\xbaO\x03\0\?\x05\0\0\0\0\x02\x18\0\xfd\x0b\0\0<=\xdbo\xef\x10n \xd5\x96\xc8w\x9b\xe6\xc4\xdb$| p/ADABAS database/
# Apple Filing Protocol (AFP) over TCP on Mac OS X
# Sometimes we can get a host name or an IP address; matches with one come before those without.
# These are mostly sorted by the flags field.
# Flags \x80\xfb.
match afp m|^\x01\x03\0\0........\0\0\0\0........\x80\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x05\x06AFPX03\x06AFP2\.2\x0eAFPVersion 2\.1\x0eAFPVersion 2\.0\x0eAFPVersion 1\.1.\tDHCAST128|s p/Apple AFP/ i/name: $1; protocol 2.2; Mac OS X 10.1.*/ o/Mac OS X/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.1/
# Flags \x83\xfb.
match afp m|^\x01\x03\0\0........\0\0\0\0........\x83\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x06\x06AFP3\.1\x06AFPX03\x06AFP2\.2\x0eAFPVersion 2\.1\x0eAFPVersion 2\.0\x0eAFPVersion 1\.1.\tDHCAST128.*[\x04\x05]([\w.-]+)\0|s p/Apple AFP/ i/name: $1; protocol 3.1; Mac OS X 10.2.*/ o/Mac OS X/ h/$2/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.2/
match afp m|^\x01\x03\0\0........\0\0\0\0........\x83\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x06\x06AFP3\.1\x06AFPX03\x06AFP2\.2\x0eAFPVersion 2\.1\x0eAFPVersion 2\.0\x0eAFPVersion 1\.1.\tDHCAST128|s p/Apple AFP/ i/name: $1; protocol 3.1; Mac OS X 10.2.*/ o/Mac OS X/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.2/
match afp m|^\x01\x03\0\0........\0\0\0\0........\x83\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x03\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\x06Recon1\rClient Krb v20\0.*[\x04\x05]([\w.-]+)\x01.afpserver/([\w.@-]+)\0|s p/Apple AFP/ i/name: $1; afpserver: $3; protocol 3.1; Mac OS X 10.2.*/ o/Mac OS X/ h/$2/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.2/
match afp m|^\x01\x03\0\0........\0\0\0\0........\x83\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x03\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128.*[\x04\x05]([\w.-]+)\x01.afpserver/([\w.@-]+)\0|s p/Apple AFP/ i/name: $1; afpserver: $3; protocol 3.1; Mac OS X 10.3.*/ o/Mac OS X/ h/$2/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.3/
match afp m|^\x01\x03\0\0........\0\0\0\0........\x83\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x03\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128.*[\x04\x05]([\w.-]+)\0|s p/Apple AFP/ i/name: $1; protocol 3.1; Mac OS X 10.3.*/ o/Mac OS X/ h/$2/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.3/
match afp m|^\x01\x03\0\0........\0\0\0\0........\x83\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x03\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128|s p/Apple AFP/ i/name: $1; protocol 3.1; Mac OS X 10.3.*/ o/Mac OS X/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.3/
# Flags \x8f\xfa.
match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfa.([^\0\x01]+)[\0\x01].*\tMacintosh\x01\x06AFP3\.1.\tDHCAST128|s p/Apple Airport Extreme AFP/ i/name: $1; protocol 3.1/ d/WAP/ cpe:/h:apple:airport_extreme/
# Flags \x8f\xfb.
match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x04\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128.*[\x04\x05]([\w.-]+)\x01.afpserver/([-\w_.@]+)\0|s p/Apple AFP/ i/name: $1; afpserver: $3; protocol 3.2; Mac OS X 10.3 - 10.5/ o/Mac OS X/ h/$2/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x/a
match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x04\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128.*[\x04\x05]([\w.-]+)\x01.afpserver|s p/Apple AFP/ i/name: $1; protocol 3.2; Mac OS X 10.3 - 10.5/ o/Mac OS X/ h/$2/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x/a
match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x04\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128.*[\x04\x05]([\w.-]+)\0|s p/Apple AFP/ i/name: $1; protocol 3.2; Mac OS X 10.3 - 10.5/ o/Mac OS X/ h/$2/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x/a
match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x04\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\x06Recon1\rClient Krb v2\x0fNo User Authent\0.*[\x04\x05]([\w.-]+)\x01.afpserver/([-\w_.@]+)\0|s p/Apple AFP/ i/name: $1; afpserver: $3; protocol 3.2; Mac OS X 10.5 Server/ o/Mac OS X/ h/$2/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x_server:10.5/
match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh.\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128.*[\x04\x05]([\w.-]+)\x01.afpserver|s p/Apple AFP/ i/name: $1; protocol 3.3; Mac OS X 10.5/ o/Mac OS X/ h/$2/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.5/
match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh.\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128|s p/Apple AFP/ i/name: $1; protocol 3.3; Mac OS X 10.5/ o/Mac OS X/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.5/
match afp m=^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*?(iMac|Mac(?:mini|Pro|Book(?:Air|Pro)?)\d+,\d+)\x04\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03.\tDHCAST128.*[\x04\x05]([\w.-]+)\x01.afpserver=s p/Apple AFP/ i/name: $1; protocol 3.3; Mac OS X 10.5 - 10.6; $2/ o/Mac OS X/ h/$3/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.5/ cpe:/o:apple:mac_os_x:10.6/
# Patched versions of OS X 10.5 may match these too; awaiting corrections.
match afp m=^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*?(iMac|Mac(?:mini|Pro|Book(?:Air|Pro)?)\d+,\d+)\x04\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03.\tDHCAST128.*[\x04\x05]([\w.-]+)\0\0=s p/Apple AFP/ i/name: $1; protocol 3.3; Mac OS X 10.6; $2/ o/Mac OS X/ h/$3/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.6/
match afp m=^\x01\x03\0\x80........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*?(iMac|Mac(?:mini|Pro|Book(?:Air|Pro)?)\d+,\d+)\x04\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03.\tDHCAST128.*[\x04\x05]([\w.-]+)\x01.afpserver=s p/Apple AFP/ i/name: $1; protocol 3.3; Mac OS X 10.5 - 10.6; $2/ o/Mac OS X/ h/$3/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.5/ cpe:/o:apple:mac_os_x:10.6/
match afp m|^\x01\x03\0\x80........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh.\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128.*[\x04\x05]([\w.-]+)\x01.afpserver|s p/Apple AFP/ i/name: $1; protocol 3.3; Mac OS X 10.5/ o/Mac OS X/ h/$2/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.5/
match afp m=^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*?(iMac|Mac(?:mini|Pro|Book(?:Air|Pro)?)\d+,\d+)\x04\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03.\tDHCAST128.*[\x04\x05]([\w.-]+)\x01.afpserver=s p/Apple AFP/ i/name: $1; protocol 3.3; Mac OS X 10.6; $2/ o/Mac OS X/ h/$3/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.6/
# Flags \x8f\xfb.
match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*AirPort.*AFP3\.2|s p|Apple Airport Extreme/Time Capsule AFP| i/name: $1; protocol 3.2 WAP/ cpe:/h:apple:airport_extreme/
match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*TimeCapsule.*AFP3\.3\x06AFP3\.2\x06AFP3\.1.\tDHCAST128.*[\x04\x05]([\w.-]+)\0|s p/Apple Time Capsule AFP/ i/name: $1; protocol 3.3/ h/$2/
match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*TimeCapsule.*AFP3\.3\x06AFP3\.2\x06AFP3\.1.\tDHCAST128|s p/Apple Time Capsule AFP/ i/name: $1; protocol 3.3/
match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*\tVMware7,1\x04\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03.\tDHCAST128\x04DHX2\x06Recon1\rClient\x20Krb\x20v2\0\0.*[\x04\x05]([\w.-]+)\x01.afpserver/([\w.@-]+)\0|s p/Apple AFP/ i/name: $1; afpserver: $3; protocol 3.1; Mac OS X 10.6.3/ o/Mac OS X/ h/$2/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x/a
# Sometimes the hostname isn't included
match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x04\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128|s p/Apple AFP/ i/name: $1; protocol 3.2; Mac OS X 10.3 - 10.5/ o/Mac OS X/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x/a
# Flags \x9f\xf3
match afp m=^\x01\x03\0\0........\0\0\0\0........\x9f\xf3.([^\0\x01]+)[\0\x01].*?(iMac|Mac(?:mini|Pro|Book(?:Air|Pro)?)\d+,\d+)\x05\x06AFP3\.4\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03=s p/Apple AFP/ i/name: $1; protocol 3.4; Mac OS X 10.9 - 10.10; $2/ o/Mac OS X/ cpe:/a:apple:afp_server/ cpe:/o:apple:mac_os_x:10.10/ cpe:/o:apple:mac_os_x:10.9/
match afp m|^\x01\x03\0\0........\0\0\0\0........\x9f\xf3.([^\0\x01]+).*?VMware(\d+),(\d+)\x05\x06AFP3\.4\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03|s p/Apple AFP/ i/name: $1; protocol 3.4; VMware $2.$3/ o/Mac OS X/ cpe:/a:apple:afp_server/ cpe:/o:apple:mac_os_x/a
# Flags \x9f\xfb.
match afp m=^\x01\x03\0\0........\0\0\0\0........\x9f\xfb.([^\0\x01]+)[\0\x01].*?(iMac|Mac(?:mini|Pro|Book(?:Air|Pro)?)\d+,\d+)\x05\x06AFP3\.4\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06\tDHCAST128\x04DHX2\x06Recon1\rClient Krb v2\x03GSS\x0fNo User Authent.*\x1b\$not_defined_in_RFC4178@please_ignore$=s p/Apple AFP/ i/name: $1; protocol 3.4; Mac OS X 10.6 - 10.8; $2/ o/Mac OS X/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.6/ cpe:/o:apple:mac_os_x:10.7/ cpe:/o:apple:mac_os_x:10.8/
match afp m=^\x01\x03\0\0........\0\0\0\0........\x9f\xfb.([^\0\x01]+)[\0\x01].*?(iMac|Mac(?:mini|Pro|Book(?:Air|Pro)?)\d+,\d+)\x05\x06AFP3\.4\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x05\tDHCAST128\x04DHX2\x06Recon1\rClient Krb v2\x03GSS.*\x1b\$not_defined_in_RFC4178@please_ignore=s p/Apple AFP/ i/name: $1; protocol 3.4; Mac OS X 10.6 - 10.8; $2/ o/Mac OS X/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.6/ cpe:/o:apple:mac_os_x:10.7/ cpe:/o:apple:mac_os_x:10.8/
match afp m|^\x01\x03\0\0........\0\0\0\0........\x9f\xfb.([^\0\x01]+)[\0\x01].*VMware(\d+),(\d+)\x05\x06AFP3\.4\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06\tDHCAST128\x04DHX2\x06Recon1\rClient Krb v2\x03GSS\x0fNo User Authent.*\x1b\$not_defined_in_RFC4178@please_ignore$|s p/Apple AFP/ i/name: $1; protocol 3.4; Mac OS X 10.6; VMware $2.$3/ o/Mac OS X/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x/a
match afp m|^\x01\x03\0\0........\0\0\0\0........\x9f\xfb.([^\0\x01]+)[\0\x01].*Xserve\d+,\d+\x05\x06AFP3\.4\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x05\tDHCAST128|s p/Apple AFP/ i/name: $1; protocol 3.4; Xserve/ o/Mac OS X/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x/a
match afp m=^\x01\x03\0\0........\0\0\0\0........\x9f\xfb.([^\0\x01]+)[\0\x01].*?(iMac|Mac(?:mini|Pro|Book(?:Air|Pro)?)\d+,\d+)\x05\x06AFP3\.4\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x05\tDHCAST128\x04DHX2\x06Recon1\x03GSS\x0fNo User Authent=s p/Apple AFP/ i/name: $1; protocol 3.4; Mac OS X 10.8; $2/ o/Mac OS X/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.8/
softmatch afp m|^\x01\x03\0\0........\0\0\0\0.*AFP|s
match ajp13 m|^AB\0N\x04\x01\x94\0\x06/cccb/\0\0\x02\0\x0cContent-Type\0\0\x17text/html;charset=utf-8\0\0\x0eContent-Length\0\0\x03970\0AB\x03| p/Apache Jserv/
match cpu m|^unsupported auth method\0| p/Plan 9 cpu/ o/Plan 9/ cpe:/o:belllabs:plan_9/a
match decomsrv m|^\x02\0\0\x01\x03\0U\xd0DSQ\x02\0\0\x01\x03\0U\xd0DSQ$| p/Lotus Domino decommission server/ i/decomsrv.exe/ cpe:/a:ibm:lotus_domino/
match dsr-video m|^\0\0\0\0\0\x84\0\x10\x01\xa3{\x10\0\0\0\0$| p/Avocent KVM DSR video/
match h323q931 m|^\x03\0\x000\x08\x02\0\0}\x08\x02\x80\xe2\x14\x01\0~\0\x1d\x05\x08 \x19\0\x06\0\x08\x91J\0\x05\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| p/Polycom ViewStation H.323/
match http m|^HTTP/1\.0 500 Internal Server Error\r\nConnection: Close\r\nContent-Type: text/html\r\n.*<p>java\.lang\.Exception: Invalid request: \x16\x03|s p/Dell PowerEdge OpenManage Server Administrator httpd/ o/Windows/ cpe:/a:dell:openmanage_server_administrator/ cpe:/o:microsoft:windows/a
match http m|^HTTP/1\.0 400 Bad Request\nContent-type: text/html\r\nDate: .*\r\nConnection: close\r\n\r\n<HEAD><TITLE>400 Bad Request</TITLE></HEAD>\n<BODY><H1>400 Bad Request</H1>\nUnsupported method\.\n</BODY>\n| p/Brivo EdgeReader access control http interface/ d/security-misc/
match http-proxy m|^ 400 badrequest\r\nVia: 1\.0 ([\w.-]+) \(McAfee Web Gateway ([\w._-]+)\)\r\nConnection: Close\r\n| p/McAfee Web Gateway/ v/$2/ i/Via $1/ cpe:/a:mcafee:web_gateway:$2/
match ilo-vm m|^\"\0\x03\0$| p/HP Integrated Lights-Out Virtual Media/ cpe:/h:hp:integrated_lights-out/
match login m|^\0\r\nlogin: \^W\^@\^@\^@\^| p/VxWorks logind/ o/VxWorks/ cpe:/o:windriver:vxworks/a
match maxdb m|^.Rejected bad connect packet\0$|s p/SAP MaxDB/
match msexchange-logcopier m|^\x15\x01\0\0\x08\0\0\0\0\x80\t\x03\x08$| p/Microsoft Exchange 2010 log copier/ cpe:/a:microsoft:exchange_server:2010/
match modbus m|^\x16\x03\0\0\0\x03\0\x80\x01| p/Modbus TCP/
match netbios-ssn m|^\0\0\0%G\xd7\xf7\xba,\xff\xea\xff\xff~\xf3\0\xfd\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0\0\0\x16\0$| p/Konica Minolta bixhub 350 printer smbd/ d/printer/ cpe:/h:konicaminolta:bixhub_350/a
match pbx-alarm m|^1\x0c5\x0c9\x0c\x0b\x03$| p/Aastra Open Interfaces Platform PBX alarm server/ d/PBX/ cpe:/a:aastra:oip/
match pop3-proxy m|^ERR concurrent connection limit in avast! exceeded\(pass:\d+, processes:([\w._-]+)\[\d+\]\)\r\n| p/Avast! anti-virus pop3 proxy/ i/connection limit exceeded by $1/ o/Windows/ cpe:/o:microsoft:windows/
# This funny service runs on port 9001 and seems to echo other service probes,
# however they don't seem to come in any obvious order. Examples:
# ---------- GenericLines ----------
# m|^GET / HTTP/1\.0|
# ---------- WEB ----------
# m|^OPTIONS / HTTP/1\.0|
# ---------- SSLSessionReq ----------
# m|^OPTIONS / RTSP/1\.0|
# ---------- SSLv23SessionReq ----------
# m|^\x80\0\0\(r\xfe\x1d\x13\0\0\0\0\0\0\0\x02\0\x01\x86\xa0\0\x01\x97\x7c\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0|
match postx-reporting m|^OPTIONS / RTSP/1\.0| p/PostX IP Reporting alarm system/
match remoting m|^\.NET\x01\0\x02\0\0\0\0\0\0\0\x02\0\x03\x01\0\x03\0\x01\x01..\0\0System\.Runtime\.Remoting\.RemotingException: |s p/MS .NET Remoting services/ cpe:/a:microsoft:.net_framework/
match siebel m|^\0\0\0\x40\0\0\0\0\0\0\0\x01\0\0\0\0\0\0..\0\0\0\x05\0\0\0\0\0\0\0\0\x4e...\0...\0\0\0\0\0\0\0\0\0\0\0\x05\0\0\0\x0c\0\0\0\x08\0\x12\0\x68\0\0\0\0$| p/Siebel Gateway Name Server/ cpe:/a:oracle:siebel_suite/
# OpenSSL/0.9.7aa, 0.9.8e
match ssl m|^\x16\x03\0\0J\x02\0\0F\x03\0| p/OpenSSL/ i/SSLv3/ cpe:/a:openssl:openssl/
# Microsoft-IIS/5.0 - note that OpenSSL must go above this one because this is more general
match ssl m|^\x16\x03\0..\x02\0\0F\x03\0|s p/Microsoft IIS SSL/ o/Windows/ cpe:/a:microsoft:iis/ cpe:/o:microsoft:windows/a
# Novell Netware 6 Enterprise Web server 5.1 https
# Novell Netware Ldap over SSL or enterprise web server 5.1 over SSL
match ssl m|^\x16\x03\0\0:\x02\0\x006\x03\0| p/Novell NetWare SSL/ o/NetWare/ cpe:/o:novell:netware/a
# Cisco IDS 4.1 Appliance
match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03\0\xd10:\xbd\\\x8e\xe3\x15\x1c\x0fZ\xe4\x04\x87\x07\xc0\x82\xa9\xd4\x0e\x9c1LXk\xd1\xd2\x0b\x1a\xc6/p\0\0\n\0\x16\x03\0\x026\x0b\0\x022\0| p/Cisco IDS SSL/ d/firewall/
# PGP Corporation Keyserver Web Console 7.0 - custom Apache 1.3
# PGP LDAPS Keyserver 8.X
match ssl m|^\x16\x03\0\0\+\x02\0\0'\x03\0...\?|s p/PGP Corporation product SSL/
# Unreal IRCd SSL
# RemotelyAnywhere
match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03\0\?|
# Tumbleweed SecureTransport 4.1.1 Transaction Manager Secure Port on Solaris
# Dell Openmanage
match ssl m|^\x15\x03[\x01\x00]\0\x02\x01\0$| p/multi-vendor SSL/
# Probably Oracle https?
match ssl m|^}\0\x02\0\0\0\0\0\0\0\0\0\0\0\0\0| p/Oracle https/
match ssl m|^\x15\x03\0\0\x02\x02\(31666:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr\.c:881:\n| p/Webmin SSL Control Panel/
match ssl m|^20928:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr\.c:565:\n| p/qmail-pop3d behind stunnel/
match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03\0B| p/Tor over SSL/ cpe:/a:torproject:tor/
match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03.*IOS-Self-Signed-Certificate|s p/Cisco IOS ssl/ d/router/
match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03.*\nCalifornia.*\tPalo Alto.*\x0cVMware, Inc\..*\x1bVMware Management Interface|s p/VMware management interface SSLv3/
match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03.*\x0edropbox-client0|s p/Dropbox client SSLv3/ cpe:/a:dropbox:dropbox/
match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03.*vCenterServer_([\w._-]+)|s p/VMware ESXi Server httpd/ v/$1/ cpe:/o:vmware:esxi:$1/
# Alert (Level: Fatal, Description: Protocol Version|Handshake Failure)
match ssl m|^\x15\x03[\x00-\x03]\0\x02\x02[F\x28]|
match xtel m|^\x15Annuaire \xe9lectronique| p/xteld/ i/French/
match tor m|^\x16\x03\0\0\*\x02\0\0&\x03\0.*T[oO][rR]1.*[\x00-\x20]([-\w_.]+) <identity>|s p/Tor node/ i/Node name: $1/ cpe:/a:torproject:tor/
# Sophos Message Router
match ssl/sophos m|^\x16\x03\0.*Router\$([a-zA-Z0-9_-]+).*Sophos EM Certification Manager|s p/Sophos Message Router/ h/$1/
match ssl/sophos m|^\x16\x03\0.*Sophos EM Certification Manager|s p/Sophos Message Router/
match ssl/openvas m|^\x16\x03\x01\0J\x02\0\0F\x03\x01| p/OpenVAS server/
# Generic: TLSv1.3 ServerHello
match ssl m|^\x16\x03\x03..\x02...\x03\x03|s p/TLSv1.2/
# Generic: TLSv1.2 ServerHello
match ssl m|^\x16\x03\x02..\x02...\x03\x02|s p/TLSv1.1/
# Generic: TLSv1.1 ServerHello
match ssl m|^\x16\x03\x01..\x02...\x03\x01|s p/TLSv1.0/
# Generic: SSLv3 ServerHello
match ssl m|^\x16\x03\0..\x02...\x03\0|s p/SSLv3/
match storagecraft-image m|^\x15\x01\0\0\x08\0\0\0\0\x80\t\x03\x08\.NET\x01\0\x02\0\0\0\0\0\0\0\x02\0\x03\x01\0\x03\0\x01\x01 \0\0\0Authentication failure on server\x05\0\0\0\0$| p/StorageCraft Image Manager/
match xamarin m|^ERROR: Another instance is running\n| p/Xamarin MonoTouch/
##############################NEXT PROBE##############################
# TLSv1.2 ClientHello probe. TLS implementations may choose to ignore (close
# silently) incompatible ClientHello messages like the one in SSLSessionReq.
# This one should be widely compatible, and if we avoid adding non-ssl service
# matches here, we can continue to upgrade it (bytes 10 and 11 and the ranges
# in the match lines)
Probe TCP TLSSessionReq q|\x16\x03\0\0\x69\x01\0\0\x65\x03\x03U\x1c\xa7\xe4random1random2random3random4\0\0\x0c\0/\0\x0a\0\x13\x009\0\x04\0\xff\x01\0\0\x30\0\x0d\0,\0*\0\x01\0\x03\0\x02\x06\x01\x06\x03\x06\x02\x02\x01\x02\x03\x02\x02\x03\x01\x03\x03\x03\x02\x04\x01\x04\x03\x04\x02\x01\x01\x01\x03\x01\x02\x05\x01\x05\x03\x05\x02|
rarity 5
ports 443,444,465,636,989,990,992,993,994,995,1241,1311,2252,3389,4444,5061,6679,6697,8443,9001,30030
#fallback WEB
# SSLv3 - TLSv1.2 ServerHello
match ssl m|^\x16\x03[\0-\x03]..\x02\0\0.\x03[\0-\x03]|s
# SSLv3 - TLSv1.2 Alert
match ssl m|^\x15\x03[\0-\x03]\0\x02[\x01\x02].$|s
##############################NEXT PROBE##############################
# SSLv2-compatible ClientHello, 39 ciphers offered.
# Will elicit a ServerHello from most SSL implementations, apart from those
# that are TLSv1-only or SSLv3-only. As it comes after the SSLv3 probe
# (SSLSessionReq), its only added value is the detection of SSLv2-only servers.
# SSLv2-only servers are rare so this probe has a high rarity.
Probe TCP SSLv23SessionReq q|\x80\x9e\x01\x03\x01\x00u\x00\x00\x00 \x00\x00f\x00\x00e\x00\x00d\x00\x00c\x00\x00b\x00\x00:\x00\x009\x00\x008\x00\x005\x00\x004\x00\x003\x00\x002\x00\x00/\x00\x00\x1b\x00\x00\x1a\x00\x00\x19\x00\x00\x18\x00\x00\x17\x00\x00\x16\x00\x00\x15\x00\x00\x14\x00\x00\x13\x00\x00\x12\x00\x00\x11\x00\x00\n\x00\x00\t\x00\x00\x08\x00\x00\x06\x00\x00\x05\x00\x00\x04\x00\x00\x03\x07\x00\xc0\x06\x00@\x04\x00\x80\x03\x00\x80\x02\x00\x80\x01\x00\x80\x00\x00\x02\x00\x00\x01\xe4i<+\xf6\xd6\x9b\xbb\xd3\x81\x9f\xbf\x15\xc1@\xa5o\x14,M \xc4\xc7\xe0\xb6\xb0\xb2\x1f\xf9)\xe8\x98|
rarity 5
ports 443,444,465,548,636,989,990,992,993,994,995,1241,1311,2000,4444,5550,7210,7272,8009,8194,8443,9001,30030
#fallback WEB
# SSLv2 ServerHello
match ssl m|^..\x04\0.\0\x02|s p/SSLv2/
# TLSv1 ServerHello, compatible with SSLv2:
match ssl m|^\x16\x03\x01..\x02...\x03\x01|s p/TLSv1/
# SSLv3 ServerHello, compatible with SSLv2:
match ssl m|^\x16\x03\0..\x02...\x03\0|s p/SSLv3/
# SSLv3 - TLSv1.2 Alert
match ssl m|^\x15\x03[\0-\x03]\0\x02[\x01\x02].$|s
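Review bot: the comments over the three generic TLS ServerHello matches (between the Xamarin line and the TLSSessionReq probe) each name a version one step newer than the match beneath them: `# Generic: TLSv1.3 ServerHello` sits over `match ssl m|^\x16\x03\x03..\x02...\x03\x03|s p/TLSv1.2/`, `# Generic: TLSv1.2 ServerHello` over the `\x03\x02` / `p/TLSv1.1/` line, and `# Generic: TLSv1.1 ServerHello` over the `\x03\x01` / `p/TLSv1.0/` line; only the SSLv3 comment agrees with its match. Align the comments with the version bytes so the next person editing these lines is not misled. A related accuracy caveat for the first of the three: a TLS 1.3 ServerHello still carries `0x0303` as legacy_version in both the record and handshake headers, so that match also fires for TLS 1.3 servers while labelling them `TLSv1.2`; the real version is only in the supported_versions extension, so either weaken the product string (e.g. "TLSv1.2 or later") or extend the match before trusting it in reports.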

File diff suppressed because it is too large

@ -0,0 +1,289 @@
#!/usr/bin/env python
#
# Generate a list of SAP TCP ports
#
# based on reference document:
# https://help.sap.com/viewer/ports
#
# This code can be used to generate only specific SAP ports
# during a network scan
#
# -- gelim
from pprint import pprint
import argparse
import sys
import re
help_desc='''
Script used to generate list of SAP services ports.
Main idea is to expand SAP notation '32NN' to a lists of ports
3200, 3201, 3202, ...
Example of usage:
- Dump all SAP existing ports
$ sap_ports.py
- Know what kind of services this scripts proposes
$ sap_ports.py --verbose
Admin Services | Start Service SSL | 5NN14
Admin Services | Start Service | 5NN13
Admin Services | SAPlpd | 515
Admin Services | SDM | 5NN17,5NN18,5NN19
[...]
- Get details about specific port rule
$ sap_ports.py --verbose 33NN
ABAP AS | Gateway | 33NN
Java Central Service | Enqueue Replication | 33NN
Java Central Service | Gateway | 33NN
- Dump all SAP HANA ports for 10 first instances (00 to 09)
$ sap_ports.py --hana --instance 10
- Use this program combined with Nmap
$ nmap -p $(sap_ports.py) 10.3.3.7 -sV --open
Not shown: 4496 closed ports
PORT STATE SERVICE VERSION
1128/tcp open saphostcontrol SAPHostControl
3201/tcp open sapjavaenq SAP Enqueue Server
3301/tcp open sapgateway SAP Gateway
3901/tcp open sapmsgserver SAP Message Server
8101/tcp open sapms SAP Message Server httpd release 745 (SID J45)
50000/tcp open sapnetweawer2 SAP NetWeaver Application Server (Kernel version 7.45, Java version 7.50)
50004/tcp open sapjavap4 SAP JAVA P4 (Potential internal IP 10.3.3.7)
50007/tcp open tcpwrapped
50013/tcp open sapstartservice SAP Maganement Console (SID J45, NR 00)
50014/tcp open tcpwrapped
50020/tcp open sapjoin SAP Java Cluster Join Service
50021/tcp open jdwp Java Debug Wire Protocol (Reference Implementation) version 1.8 1.8.0_51
50113/tcp open sapstartservice SAP Maganement Console (SID J45, NR 01)
50114/tcp open tcpwrapped
Service Info: Host: java745
'''
ports = { "ABAP AS": {"Dispatcher": "32NN",
"Gateway": "33NN",
"Gateway2": "48NN",
"ICM HTTP": ["80NN", "80"],
"ICM HTTPS": ["443NN", "443"],
"ICM SMTP": "25",
"ICM Admin": "650NN",
"Message Server": ["36NN", "39NN"],
"Message Server HTTP": "81NN",
"Message Server HTTPS": "444NN",
"Central System Log *UDP*": ["12NN", "13NN", "14NN", "15NN"],
},
"Java AS": {"HTTP": ["5NN00", "80"],
"HTTP over SSL": ["5NN01", "443"],
"IIOP initial context": "5NN02",
"IIOP over SSL": "5NN03",
"P4": "5NN04",
"P4 over HTTP": "5NN05",
"P4 over SSL": "5NN06",
"IIOP": "5NN07",
"Telnet": "5NN08",
"JMS": "5NN10",
"Server Join port": "5NN20",
"Server Debug Port": "5NN21"},
"Java Central Service": {"Enqueue Server": "32NN",
"Enqueue Replication": "33NN",
"Enqueue Replication2": "5NN16",
"Gateway": "33NN",
"Gateway SNC": "48NN",
"Message Server": "36NN",
"Message Server HTTP": "81NN",
"Message Server HTTPS": "444NN"},
"Admin Services": {"SAPHostControl": "1128",
"SAPHostControl SSL": "1129",
"Start Service": "5NN13",
"Start Service SSL": "5NN14",
"SDM": ["5NN17", "5NN18", "5NN19"],
"SAP Router": "3299",
"NIping": "3298",
"SAPlpd": "515",
"DTR": "5NN15",
"IGS HTTP": "4NN80"
},
"TREX": {"RFC Server": "3NN07",
"Cruiser": "3NN08",
"Python Alert Server": "3NN11",
"Indexserver": "3NN16",},
"HANA": {"SQL indexserver": "3NN15",
"SQL multitenant indexserver (41 to 98)": "3NN41",
"SQL statisserver": "3NN17",
"XS HTTP": "80NN",
"XS HTTPS": "43NN",
"Internal daemon": "3NN00",
"Internal nameserver": "3NN01",
"Internal preprocessor": "3NN02",
"Internal indexserver": "3NN03",
"Internal scriptserver": "3NN04",
"Internal statisserver": "3NN05",
"Internal webdispatcher": "3NN06",
"Internal xsengine": "3NN07",
"Internal compileserver": "3NN10",
"Internal compileserver": "3NN10",
"Internal indexservers": "3NN40",
"SAP support hdbrss": "3NN09",
"Internal diserver": "3NN25",
"xscontroller": "3NN29",
"xscontroller data access": "3NN30",
"xuaaserver": "3NN31",
"xscontroller authentication": "3NN32",
"XSA routing by hostnames": "3NN33",
"SAP HANA xscontroller app instances": ["510NN", "511NN", "512NN", "513NN", "514NN", "515NN"]},
"SAP Business Suite": {"CSDM": "20201",
"DCOM": "135",
"Lotus Domino Connector 1": "62026",
"Lotus Domino Connector 2": "62027",
"Lotus Domino Connector 3": "62028",
"Lotus Domino Connector 4": "62029",
},
"SAP Enterprise Threat Detection": {
"ESP Web Sevice Provider": "9786",
"SAP Enterprise Threat Detection": "10514",
"Encrypted connection for all others providers (TLS)": "10443"
},
"Database":{
"SAP ASE Databsae": "49NN",
"MSSQL": "1433",
"MaxDB": ["7200", "7210", "7269", "7270", "7575"],
"Oracle Listener": "1527",
},
"SAP POS":{
"Xpress Clinet": "2200",
"Xpress Server telnet": "2202",
"Store Data": "10000",
"Messaging Client": "8300",
"Mobile POS Think Client": "4NN0",
"Mobile printer": "61NN",
"Upgrade Server": ["4404", "4405"],
"File Transfer Server": "8008",
"Message Transfer Server": "8400"
}
}
port_re = r'(\w+)(NN)(\w+)?'
# takes string '33NN' and returns list of str
# ['3300', '3301', ... '3399']
def expand_ports(port_rule, maxi=100):
port_list = re.split(port_re, port_rule) # split list
port_list = [e for e in port_list if e not in ['', None]] # clean list
if len(port_list) > 1:
temp_list = list()
for i in xrange(0, maxi):
port = ''.join(port_list)
temp_list.append(port.replace('NN', '%.2d' % i))
return temp_list
else:
return port_list
def generate_ports(p, maxi):
merged_list = list()
for e in p:
merged_list += expand_ports(e, maxi)
print ','.join(set(merged_list))
def print_ports(flt=None, ssl=False):
pl = list()
for ass in ports.keys():
for proto in ports[ass].keys():
if ssl:
if 'ssl' in proto.lower() or 'https' in proto.lower() or 'tls' in proto.lower():
continue
pl = ports[ass][proto]
if isinstance(pl, list):
k = ','.join(pl)
else:
k = pl
if flt:
if flt.lower() in proto.lower(): print ("%s" % ass).ljust(20) + (" | %s" % proto).ljust(30) + " | %s" % k
else:
print ("%s" % ass).ljust(20) + (" | %s" % proto).ljust(30) + " | %s" % k
def list_add_or_merge(port_list, elem):
if isinstance(elem, list):
port_list += elem
else:
port_list.append(elem)
return port_list
# Get subset of ports via root keys of main port dict
def get_ports_by_cat(asname, ssl=False):
port_list = list()
for proto in ports[asname]:
if ssl:
if 'ssl' in proto.lower() or 'https' in proto.lower():
continue
pl = ports[asname][proto]
port_list = list_add_or_merge(port_list, pl)
return port_list
# svc == keyword mayching one of the keys of each application server
# used to match any specific protocol/service indicated as additional argument in command-line
# we walk the main 'port' dict, look for matching subkeys and stack up their port for further
# rendering
def get_ports_by_svc(svc, ssl=False):
port_list = list()
for ass in ports.keys():
for proto in ports[ass].keys():
if ssl:
if 'ssl' in proto.lower() or 'https' in proto.lower():
continue
if svc.lower() in proto.lower():
pl = ports[ass][proto]
port_list = list_add_or_merge(port_list, pl)
return port_list
if __name__ == '__main__':
parser = argparse.ArgumentParser(description=help_desc,
formatter_class=argparse.RawTextHelpFormatter)
parser.add_argument('-a', '--abap', action='store_true', help='all ports available on ABAP AS')
parser.add_argument('-j', '--java', action='store_true', help='all ports available on JAVA AS')
parser.add_argument('-H', '--hana', action='store_true', help='all ports available on HANA AS')
parser.add_argument('-p', '--pos', action='store_true', help='all ports available on SAP POS')
parser.add_argument('-v', '--verbose', action='store_true', help='List ports in verbose way')
parser.add_argument('-i', '--instance', default=100, type=int,
help='Set max instances number (default: 100)')
parser.add_argument('arguments', metavar='arguments', nargs='*', help='additional parameters like port')
args = parser.parse_args()
ports_active = list()
if args.instance > 100:
print "Instance number can be maximum 100."
exit(0)
if args.verbose:
if args.arguments:
print_ports(args.arguments[0])
else:
print_ports()
exit(0)
# keyword mode
if len(args.arguments) > 0:
ports_active += get_ports_by_svc(args.arguments[0])
if args.java:
ports_active += get_ports_by_cat('Java AS')
if args.abap:
ports_active += get_ports_by_cat('ABAP AS')
if args.hana:
ports_active += get_ports_by_cat('HANA')
if args.pos:
ports_active += get_ports_by_cat('SAP POS')
# select all ports if no filtering options are set
if not args.java and not args.abap and not args.hana and not args.pos and not len(args.arguments):
for k in ports.keys():
ports_active += get_ports_by_cat(k)
else:
# always add the Admin services if we use the filtering options
ports_active += get_ports_by_cat('Admin Services')
ports_active += get_ports_by_cat('Database')
generate_ports(ports_active, args.instance)
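Review bot: the script is Python 2 only (`print` statements in `generate_ports`, `print_ports` and the instance check, `xrange` in `expand_ports`) but its shebang is `#!/usr/bin/env python`; on hosts where `python` resolves to Python 3 it exits with a SyntaxError, and the documented usage `nmap -p $(sap_ports.py) 10.3.3.7 -sV --open` then invokes nmap with an empty `-p`. Either pin `#!/usr/bin/env python2` or port it (`range`, `print(...)`). The `ssl` parameter of `print_ports`, `get_ports_by_cat` and `get_ports_by_svc` is never exposed through argparse, and when set it skips the SSL/HTTPS entries rather than selecting them, so its name is misleading; the three filters are also inconsistent (`print_ports` checks `tls`, the other two do not). Smaller points: the `HANA` dict defines `"Internal compileserver": "3NN10"` twice (Python keeps the last, harmless today but confusing), `"SQL multitenant indexserver (41 to 98)"` expands only `3NN41` despite its label, and user-facing strings carry typos (`Maganement`, `Databsae`, `Clinet`, `Sevice`, `mayching`).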

64255
nmap_scripts/vulscan/cve.csv Normal file

File diff suppressed because it is too large

94562
nmap_scripts/vulscan/osvdb.csv Normal file

File diff suppressed because it is too large

@ -0,0 +1,504 @@
description = [[
INTRODUCTION
Vulscan is a module which enhances nmap to a vulnerability scanner. The
nmap option -sV enables version detection per service which is used to
determine potential flaws according to the identified product. The data
is looked up in an offline version scip VulDB.
INSTALLATION
Please install the files into the following folder of your Nmap
installation:
Nmap\scripts\vulscan\*
USAGE
You have to run the following minimal command to initiate a simple
vulnerability scan:
nmap -sV --script=vulscan/vulscan.nse www.example.com
VULNERABILITY DATABASE
There are the following pre-installed databases available at the
moment:
scipvuldb.csv | http://www.scip.ch/en/?vuldb
cve.csv | http://cve.mitre.org
osvdb.csv | http://www.osvdb.org
securityfocus.csv | http://www.securityfocus.com/bid/
securitytracker.csv | http://www.securitytracker.com
xforce.csv | http://xforce.iss.net
expliotdb.csv | http://www.exploit-db.com
openvas.csv | http://www.openvas.org
SINGLE DATABASE MODE
You may execute vulscan with the following argument to use a single
database:
--script-args vulscandb=your_own_database
It is also possible to create and reference your own databases. This
requires to create a database file, which has the following structure:
<id>;<title>
Just execute vulscan like you would by refering to one of the pre-
delivered databases. Feel free to share your own database and
vulnerability connection with me, to add it to the official
repository.
UPDATE DATABASE
The vulnerability databases are updated and assembled on a regularly
basis. To support the latest disclosed vulnerabilities, keep your local
vulnerability databases up-to-date.
If you want to update your databases, go to the following web site and
download these files:
http://www.computec.ch/mruef/software/nmap_nse_vulscan/cve.csv
http://www.computec.ch/mruef/software/nmap_nse_vulscan/exploitdb.csv
http://www.computec.ch/mruef/software/nmap_nse_vulscan/openvas.csv
http://www.computec.ch/mruef/software/nmap_nse_vulscan/osvdb.csv
http://www.computec.ch/mruef/software/nmap_nse_vulscan/scipvuldb.csv
http://www.computec.ch/mruef/software/nmap_nse_vulscan/securityfocus.csv
http://www.computec.ch/mruef/software/nmap_nse_vulscan/securitytracker.csv
http://www.computec.ch/mruef/software/nmap_nse_vulscan/xforce.csv
Copy the files into your vulscan folder:
/vulscan/
VERSION DETECTION
If the version detection was able to identify the software version and
the vulnerability database is providing such details, also this data
is matched.
Disabling this feature might introduce false-positive but might also
eliminate false-negatives and increase performance slighty. If you want
to disable additional version matching, use the following argument:
--script-args vulscanversiondetection=0
Version detection of vulscan is only as good as Nmap version detection
and the vulnerability database entries are. Some databases do not
provide conclusive version information, which may lead to a lot of
false-positives (as can be seen for Apache servers).
MATCH PRIORITY
The script is trying to identify the best matches only. If no positive
match could been found, the best possible match (with might be a false-
positive) is put on display.
If you want to show all matches, which might introduce a lot of false-
positives but might be useful for further investigation, use the
following argument:
--script-args vulscanshowall=1
INTERACTIVE MODE
The interactive mode helps you to override version detection results
for every port. Use the following argument to enable the interactive
mode:
--script-args vulscaninteractive=1
REPORTING
All matching results are printed one by line. The default layout for
this is:
[{id}] {title}\n
It is possible to use another pre-defined report structure with the
following argument:
--script-args vulscanoutput=details
--script-args vulscanoutput=listid
--script-args vulscanoutput=listlink
--script-args vulscanoutput=listtitle
You may enforce your own report structure by using the following
argument (some examples):
--script-args vulscanoutput='{link}\n{title}\n\n'
--script-args vulscanoutput='ID: {id} - Title: {title} ({matches})\n'
--script-args vulscanoutput='{id} | {product} | {version}\n'
Supported are the following elements for a dynamic report template:
{id} ID of the vulnerability
{title} Title of the vulnerability
{matches} Count of matches
{product} Matched product string(s)
{version} Matched version string(s)
{link} Link to the vulnerability database entry
\n Newline
\t Tab
Every default database comes with an url and a link, which is used
during the scanning and might be accessed as {link} within the
customized report template. To use custom database links, use the
following argument:
--script-args "vulscandblink=http://example.org/{id}"
DISCLAIMER
Keep in mind that this kind of derivative vulnerability scanning
heavily relies on the confidence of the version detection of nmap, the
amount of documented vulnerebilities and the accuracy of pattern
matching. The existence of potential flaws is not verified with
additional scanning nor exploiting techniques.
LINKS
Download: http://www.computec.ch/mruef/?s=software&l=x
]]
--@output
-- PORT STATE SERVICE REASON VERSION
-- 25/tcp open smtp syn-ack Exim smtpd 4.69
-- | osvdb (22 findings):
-- | [2440] qmailadmin autorespond Multiple Variable Remote Overflow
-- | [3538] qmail Long SMTP Session DoS
-- | [5850] qmail RCPT TO Command Remote Overflow DoS
-- | [14176] MasqMail Piped Aliases Privilege Escalation
--@changelog
-- v2.0 | 08/14/2013 | Marc Ruef | Considering version data
-- v1.0 | 06/18/2013 | Marc Ruef | Dynamic report structures
-- v0.8 | 06/17/2013 | Marc Ruef | Multi-database support
-- v0.7 | 06/14/2013 | Marc Ruef | Complete re-write of search engine
-- v0.6 | 05/22/2010 | Marc Ruef | Added interactive mode for guided testing
-- v0.5 | 05/21/2010 | Marc Ruef | Seperate functions for search engine
-- v0.4 | 05/20/2010 | Marc Ruef | Tweaked analysis modules
-- v0.3 | 05/19/2010 | Marc Ruef | Fuzzy search for product names included
-- v0.2 | 05/18/2010 | Marc Ruef | Uniqueness of found vulnerabilities
-- v0.1 | 05/17/2010 | Marc Ruef | First alpha running basic identification
--@bugs
-- Fuzzy search is sometimes catching wrong products
--@todos
-- Create product lookup table to match nmap<->db
-- Enhance nmap/db to be CPE compliant (http://cpe.mitre.org)
-- Display of identification confidence (e.g. +full_match, -partial_match)
-- Add auto-update feature for databases (download & install)
--@thanks
-- I would like to thank a number of people which supported me in
-- developing this script: Stefan Friedli, Simon Zumstein, Sean Rütschi,
-- Pascal Schaufelberger, David Fifield, Nabil Ouchn, Doggy Dog, Matt
-- Brown, Matthew Phillips, and Sebastian Brabetzl.
author = "Marc Ruef, marc.ruef-at-computec.ch, http://www.computec.ch/mruef/"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "safe", "vuln"}
local stdnse = require("stdnse")
portrule = function(host, port)
if port.version.product ~= nil and port.version.product ~= "" then
return true
else
stdnse.print_debug(1, "vulscan: No version detection data available. Analysis not possible.")
end
end
action = function(host, port)
local prod = port.version.product -- product name
local ver = port.version.version -- product version
local struct = "[{id}] {title}\n" -- default report structure
local db = {} -- vulnerability database
local db_link = "" -- custom link for vulnerability databases
local vul = {} -- details for the vulnerability
local v_count = 0 -- counter for the vulnerabilities
local s = "" -- the output string
stdnse.print_debug(1, "vulscan: Found service " .. prod)
-- Go into interactive mode
if nmap.registry.args.vulscaninteractive == "1" then
stdnse.print_debug(1, "vulscan: Enabling interactive mode ...")
print("The scan has determined the following product:")
print(prod)
print("Press Enter to accept. Define new string to override.")
local prod_override = io.stdin:read'*l'
if string.len(prod_override) ~= 0 then
prod = prod_override
stdnse.print_debug(1, "vulscan: Product overwritten as " .. prod)
end
end
-- Read custom report structure
if nmap.registry.args.vulscanoutput ~= nil then
if nmap.registry.args.vulscanoutput == "details" then
struct = "[{id}] {title}\nMatches: {matches}, Prod: {product}, Ver: {version}\n{link}\n\n"
elseif nmap.registry.args.vulscanoutput == "listid" then
struct = "{id}\n"
elseif nmap.registry.args.vulscanoutput == "listlink" then
struct = "{link}\n"
elseif nmap.registry.args.vulscanoutput == "listtitle" then
struct = "{title}\n"
else
struct = nmap.registry.args.vulscanoutput
end
stdnse.print_debug(1, "vulscan: Custom output structure defined as " .. struct)
end
-- Read custom database link
if nmap.registry.args.vulscandblink ~= nil then
db_link = nmap.registry.args.vulscandblink
stdnse.print_debug(1, "vulscan: Custom database link defined as " .. db_link)
end
if nmap.registry.args.vulscandb then
stdnse.print_debug(1, "vulscan: Using single mode db " .. nmap.registry.args.vulscandb .. " ...")
vul = find_vulnerabilities(prod, ver, nmap.registry.args.vulscandb)
if #vul > 0 then
s = s .. nmap.registry.args.vulscandb
if db_link ~= "" then s = s .. " - " .. db_link end
s = s .. ":\n" .. prepare_result(vul, struct, db_link) .. "\n\n"
end
else
-- Add your own database, if you want to include it in the multi db mode
db[1] = {name="scip VulDB", file="scipvuldb.csv", url="http://www.scip.ch/en/?vuldb", link="http://www.scip.ch/en/?vuldb.{id}"}
db[2] = {name="MITRE CVE", file="cve.csv", url="http://cve.mitre.org", link="http://cve.mitre.org/cgi-bin/cvename.cgi?name={id}"}
db[3] = {name="OSVDB", file="osvdb.csv", url="http://www.osvdb.org", link="http://www.osvdb.org/{id}"}
db[4] = {name="SecurityFocus", file="securityfocus.csv", url="http://www.securityfocus.com/bid/", link="http://www.securityfocus.com/bid/{id}"}
db[5] = {name="SecurityTracker", file="securitytracker.csv", url="http://www.securitytracker.com", link="http://www.securitytracker.com/id/{id}"}
db[6] = {name="IBM X-Force", file="xforce.csv", url="http://xforce.iss.net", link="http://xforce.iss.net/xforce/xfdb/{id}"}
db[7] = {name="Exploit-DB", file="exploitdb.csv", url="http://www.exploit-db.com", link="http://www.exploit-db.com/exploits/{id}"}
db[8] = {name="OpenVAS (Nessus)", file="openvas.csv", url="http://www.openvas.org", link="http://www.tenable.com/plugins/index.php?view=single&id={id}"}
stdnse.print_debug(1, "vulscan: Using multi db mode (" .. #db .. " databases) ...")
for i,v in ipairs(db) do
vul = find_vulnerabilities(prod, ver, v.file)
s = s .. v.name .. " - " .. v.url .. ":\n"
if #vul > 0 then
v_count = v_count + #vul
s = s .. prepare_result(vul, struct, v.link) .. "\n"
else
s = s .. "No findings\n\n"
end
stdnse.print_debug(1, "vulscan: " .. #vul .. " matches in " .. v.file)
end
stdnse.print_debug(1, "vulscan: " .. v_count .. " matches in total")
end
if s then
return s
end
end
-- Find the product matches in the vulnerability databases
function find_vulnerabilities(prod, ver, db)
local v = {} -- matching vulnerabilities
local v_id -- id of vulnerability
local v_title -- title of vulnerability
local v_title_lower -- title of vulnerability in lowercase for speedup
local v_found -- if a match could be found
-- Load database
local v_entries = read_from_file("scripts/vulscan/" .. db)
-- Clean useless dataparts (speeds up search and improves accuracy)
prod = string.gsub(prod, " httpd", "")
prod = string.gsub(prod, " smtpd", "")
prod = string.gsub(prod, " ftpd", "")
local prod_words = stdnse.strsplit(" ", prod)
stdnse.print_debug(1, "vulscan: Starting search of " .. prod ..
" in " .. db ..
" (" .. #v_entries .. " entries) ...")
-- Iterate through the vulnerabilities in the database
for i=1, #v_entries, 1 do
v_id = extract_from_table(v_entries[i], 1, ";")
v_title = extract_from_table(v_entries[i], 2, ";")
if type(v_title) == "string" then
v_title_lower = string.lower(v_title)
-- Find the matches for the database entry
for j=1, #prod_words, 1 do
v_found = string.find(v_title_lower, escape(string.lower(prod_words[j])), 1)
if type(v_found) == "number" then
if #v == 0 then
-- Initiate table
v[1] = {
id = v_id,
title = v_title,
product = prod_words[j],
version = "",
matches = 1
}
elseif v[#v].id ~= v_id then
-- Create new entry
v[#v+1] = {
id = v_id,
title = v_title,
product = prod_words[j],
version = "",
matches = 1
}
else
-- Add to current entry
v[#v].product = v[#v].product .. " " .. prod_words[j]
v[#v].matches = v[#v].matches+1
end
stdnse.print_debug(2, "vulscan: Match v_id " .. v_id ..
" -> v[" .. #v .. "] " ..
"(" .. v[#v].matches .. " match) " ..
"(Prod: " .. prod_words[j] .. ")")
end
end
-- Additional version matching
if nmap.registry.args.vulscanversiondetection ~= "0" and ver ~= nil and ver ~= "" then
if v[#v] ~= nil and v[#v].id == v_id then
for k=0, string.len(ver)-1, 1 do
v_version = string.sub(ver, 1, string.len(ver)-k)
v_found = string.find(string.lower(v_title), string.lower(" " .. v_version), 1)
if type(v_found) == "number" then
v[#v].version = v[#v].version .. v_version .. " "
v[#v].matches = v[#v].matches+1
stdnse.print_debug(2, "vulscan: Match v_id " .. v_id ..
" -> v[" .. #v .. "] " ..
"(" .. v[#v].matches .. " match) " ..
"(Version: " .. v_version .. ")")
end
end
end
end
end
end
return v
end
-- Prepare the resulting matches
function prepare_result(v, struct, link)
local grace = 0 -- grace trigger
local match_max = 0 -- counter for maximum matches
local match_max_title = "" -- title of the maximum match
local s = "" -- the output string
-- Search the entries with the best matches
if #v > 0 then
-- Find maximum matches
for i=1, #v, 1 do
if v[i].matches > match_max then
match_max = v[i].matches
match_max_title = v[i].title
end
end
stdnse.print_debug(2, "vulscan: Maximum matches of a finding are " ..
match_max .. " (" .. match_max_title .. ")")
if match_max > 0 then
for matchpoints=match_max, 1, -1 do
for i=1, #v, 1 do
if v[i].matches == matchpoints then
stdnse.print_debug(2, "vulscan: Setting up result id " .. i)
s = s .. report_parsing(v[i], struct, link)
end
end
if nmap.registry.args.vulscanshowall ~= "1" and s ~= "" then
-- If the next iteration shall be approached (increases matches)
if grace == 0 then
stdnse.print_debug(2, "vulscan: Best matches found in 1st pass. Going to use 2nd pass ...")
grace = grace+1
elseif nmap.registry.args.vulscanshowall ~= "1" then
break
end
end
end
end
end
return s
end
-- Parse the report output structure
function report_parsing(v, struct, link)
local s = struct
--database data (needs to be first)
s = string.gsub(s, "{link}", escape(link))
--layout elements (needs to be second)
s = string.gsub(s, "\\n", "\n")
s = string.gsub(s, "\\t", "\t")
--vulnerability data (needs to be third)
s = string.gsub(s, "{id}", escape(v.id))
s = string.gsub(s, "{title}", escape(v.title))
s = string.gsub(s, "{matches}", escape(v.matches))
s = string.gsub(s, "{product}", escape(v.product))
s = string.gsub(s, "{version}", escape(v.version))
return s
end
-- Get the row of a CSV file
function extract_from_table(line, col, del)
local val = stdnse.strsplit(del, line)
if type(val[col]) == "string" then
return val[col]
end
end
-- Read a file
function read_from_file(file)
local filepath = nmap.fetchfile(file)
if filepath then
local f, err, _ = io.open(filepath, "r")
if not f then
stdnse.print_debug(1, "vulscan: Failed to open file" .. file)
end
local line, ret = nil, {}
while true do
line = f:read()
if not line then break end
ret[#ret+1] = line
end
f:close()
return ret
else
stdnse.print_debug(1, "vulscan: File " .. file .. " not found")
return ""
end
end
-- We don't like unescaped things
function escape(s)
s = string.gsub(s, "%%", "%%%%")
return s
end
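Review bot: `escape` only doubles `%`, yet its result is used as a Lua pattern in the product-word loop, `string.find(v_title_lower, escape(string.lower(prod_words[j])), 1)`, so every other magic character in a product token is still interpreted as pattern syntax: a token such as `2.4` matches `2` followed by any character and `4`, a `-` becomes a lazy quantifier, and a stray `(` or `[` raises a malformed-pattern error that aborts the script for that host. The version loop's `string.find(string.lower(v_title), string.lower(" " .. v_version), 1)` does not escape at all. Both searches are literal substring matches, so pass the plain flag instead, `string.find(v_title_lower, string.lower(prod_words[j]), 1, true)`, and likewise for the version search; `escape` then remains only for the `gsub` replacement strings in `report_parsing`, where doubling `%` is the correct treatment. Separately, `read_from_file` logs when `io.open` fails but does not return, so `f:read()` is then called on `nil` and errors; add `return {}` after the debug message (and a space in `"Failed to open file " .. file`), and return `{}` rather than `""` in the not-found branch so callers always receive a table. Minor: the inner `elseif nmap.registry.args.vulscanshowall ~= "1"` in `prepare_result` repeats the enclosing condition and can be a plain `else`.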

File diff suppressed because it is too large
@ -0,0 +1,13 @@
INSTALLATION
Please install the files into the following folder of your Nmap
installation:
Nmap\scripts\vulscan\*
USAGE
You have to run the following minimal command to initiate a simple
vulnerability scan:
nmap -sV --script=vulscan/vulscan.nse www.example.com
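Review bot: the install path `Nmap\scripts\vulscan\*` is the only location given and is Windows-specific, while the script itself resolves its databases with `nmap.fetchfile("scripts/vulscan/" .. db)`, which searches the Nmap data directories on every platform. State the path portably as the `scripts/vulscan/` subdirectory of the Nmap data directory (for example `/usr/share/nmap/scripts/vulscan/` on Linux, the `scripts\vulscan\` folder of the installation on Windows) so that the files land where `fetchfile` looks.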