# $Id: thcrut-os-fingerprints,v 1.15 2003/05/25 18:19:16 skyper Exp $
#
# --------------------------------------
# @@@@@@@@@@@ @@@ @@@ @@@@@@
# @@@ @@@@@@@@@@@ @@@
# @@@ @@@ @@@ @@@@@@
# --------------------------------------
# HTTP://WWW.THC.ORG
#
# Perl-style regular expression and port characteristic database.
#
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# DON'T ADD YOUR OWN TESTS. YOU WILL FUCK IT UP ANYWAY. USE
# ----> http://www.thehackerschoice.com/thc-rut <----
# AND WAIT FOR THE UPDATED FINGERPRINT FILE.
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
#
# @@@@@@@@@@@@
# @@ y0y0. I'm currently rewriting the FP loading stuff and the format
# @@ of this file will change. Do not rely on it :>
# @@@@@@@@@@@@
#
# Credits:
# - jc/THC for lots of fingerprints.
#
# This file contains THCRUT OS FINGERPRINT PORT CHARACTERISTICS/BANNERS.
# A banner can contain regular expressions (perl syntax!).
#
# It is quite simple to map Windows machines, routers and switches that way.
# It becomes more complicated with Unix derivatives. They are usually
# reconfigured by the admin.
#
# The matches don't need to be too specific. They are used to remove
# false positives from a nmap test which always follows the port-state
# and banner matching test.
#
# The field of operation is the INTRANET where we expect to have
# most ports unfirewalled.
#
# A port has 3 states: Open, Closed, Unknown (firewalled).
# Ports in state 'Unknown' are ignored.
#
# The results of these tests prioritize the results of the nmap tests.
# This means we discard all nmap results that do not match with these
# results. (we use these results as a kind of filter to filter out false
# positives).
#
# The file is organized top-down: Earlier fingerprints have less
# priority than later ones. First name a generic test line to identify
# the genre, then become more specific.
#
# The engine always launches all listed tests.
#
# --[ Port Characteristics test
#
# The accuracy is incremented by 1 for every port test that matches and
# decremented by 1 if the test matches the opposite. The accuracy value is
# not changed if the port state is not listed in the test line (e.g. don't care).
# The port state test is ignored if no open port matches. The engine relies on
# the banner test in this case.
#
# A match against a closed port is primarily used to negate an earlier
# decision. For example, Samba has 135T closed. This port on the other hand is
# open on Windows. All other ports are either closed or open for both systems.
# The 135T=Closed test is used here to remove the Windows choice from the
# decision matrix.
#
# A test line in which no Open port matches is discarded. Other behavior
# would result in false positives. A host with all ports closed would otherwise
# match 50% of the Samba test line.
#
# --[ Banner test
#
# The accuracy is incremented by 2 for every match and decremented by 1
# for every failed match. The accuracy value stays untouched if the banner
# could not be retrieved (firewalled, readtimeout, ...).
#
# A banner test is a Perl-style regular expression.
#
# --[ Legend:
#
# T  TCP sync test (O=Open, C=Closed, default is to ignore if no answer at all)
# W  Web 'Server:'
# B  Banner
# U  DCE BIND request (ALL windows 135U).
# S  SNMP 'public' GET-NEXT system.sysDescr.0
# N  NVT terminal banner test (telnetd banner)
#
# Notes:
# - Nice2know: NT 4.0 replies to an empty UDP packet on port 135, W2K not.
# - The telnetd banner is 'stripped': \x00 is removed, every \r is converted
#   to a \n and all multiple occurrences of non alpha-char
#   (not inside 0x7F > x > 0x20) are reduced to one occurrence. Some
#   telnet banners contain 1k of \x00 and multiple \r\n (hi AIX!) which
#   would exceed the storage space if we FP 1000 hosts in parallel.
# - Many Routers/Switches can be distinguished by the NVT negotiation
#   protocol messages. (We answer every Do with a Wont).
#
# --[ Structure
#
# ^Fingerprint:[0-15]{0,6}\s[a-zA-Z0-9]{0,80}[#[.*]]\n
# [%[\s\t]*[0-9]{1,5}[TUWBS][-]*[0..9]*=[OUC[".*"]]]*[#[.*]]\n
# ...
# where '%' is optional at the beginning of the test line.
# (not exactly, but you will get the point)
#
# The first line is called 'Class' or 'Fingerprint' line.
# The second line is called 'test line' as it contains one or many tests
# separated by a '%'.
#
# The number following the ':' is the Class which categorizes the Fingerprint
# by a digital value. See below for the Class format structure.
# A class value is required for thcrut-os-fingerprints and optional for
# nmap-os-fingerprints.
#
# TUWBS are the different tests against that port. A number which
# is interpreted as the accuracy value follows (-20..20).
# The accuracy is computed for each test line.
# The accuracy is decremented by 1 for every test that fails within the
# current test line (negative judging).
#
#
# FIXME: This must be reworked.
# FIXME: use () constructs for speedup (matching).
# Class:
# A class is currently represented as NUMBER. Later on you might want
# to change this into Names and translate them internally.
#
# Goal: Classes are introduced to categorize hosts on the internet.
# Queries like 'WHERE Genre=Mainframe AND Vendor=IBM OR OS!=AIX' should
# be possible.
#
# GENRE.VENDOR.OS-GENRE[.OS.[DETAIL.DETAIL]]
# This is currently work in progress. BRAINDUMPS:
#
# OS: (Unix(Solaris|SCO|..),Windows(NT,XP,..))
#
# Vendor: MS, SuSE, Cisco,
# Type: Firewall, Router, Switch, Filesharing system, Printer, Workstation
# PDC,
#
# Both, Genre and Vendor tag can be ignored to recognize the OS.
# Genre and Vendor tag numbers are unique and assigned by THC.
# (wanna add a new Genre? please let us know!)
#
# Please check info-db.txt for the assigned numbers.
# Also need some 'Special configuration' (ipsec enabled) tag etc.
#
# FIXME:
# sometimes it would be nice to negate/bail out if the string would have
# matched against another class (if it matches against 0.1.1, for example,
# then bail out).
#
# - Need some 'must match' statement. Example is APC powerswitch.
#   Many other hosts also have 21B="220 \r\n". We need some statement
#   that says '23N=..'-must-match and the 21B= is optional. But if 23N
#   does not match then do not evaluate 21B at all (because too many other
#   hosts also reply with this).
#
# - Need variables:
#   $WINDOWS_LIKE = {21B="Windows", 21B="Serv-U", .....}
#   Variable can then be used like:
#   $WINDOWS_LIKE && !UNIX_LIKE
#   UNIX_LIKE && DEBIAN && 22B="potato" -> Linux Debian Potato!

#
# Various unsorted stuff:
# oracle open ports: http://owas.proxis.be/portlist
#
#

### HOST-> Various (uncategorized) #####################
# Also other devices of which we don't know whether they are router, switch or host.
#
Fingerprint:0.0.0.1 GoldStream Telnet Server
	23N="GoldStream Telnet server" # \xff\xfb\x01\xff\xfb\x03\nGoldStream Telnet server v2\.1\n Press \[ENTER] \n"

Fingerprint:0.15.0 Cisco device
	21B="220 Cisco CacheOS"%23N="^\xff\xfb\x01\nUsername:"
	# 23N="\xff\xfb\x01\nUsername: \nUsername: "

### HOST-> Microsoft ##########################################################
Fingerprint:0.1.1 Windows # most likely a windows if _just_ this found.
	Testme:=135T=O%135U=U%139T=O
	135T=O
	135U=U
	139T=O
	21B=" Microsoft "
	21B="for WinSock ready"
# 21B="WarFTPd"
	21B="^220 Please enter your user name[:\.]\r\n" # WarFTPd
	21B=" G6 FTP Server ready \.\.\.\r\n"
	21B="^220 Gene6 \(gene6@gene6\.com\)\r\n"
	21B="^220-cRoc\r\n"
	21B="^220 want\.\r\n" # cRoc ftp banner
	21B="^220 Created by Grant Averett\r\n" # Cerberus
	22B="Windows"
	22B=" VShell"
	22B=" RemotelyAnywhere " # "SSH-1.99-2.4.0 RemotelyAnywhere 4.10.284\n"
	80W="Lotus-Domino"
	80W="Citrix Web"
	80W="^ Xitami"
	23N="\xff\xfd%\xff\xfb\x01\xff\xfb\x03\xff\xfd'\xff\xfd\x1f\xff\xfd\xff\xfb" # from 147.32.80.115, windows 2000 NVT negotiation
	23N="\nWelcome to Microsoft Telnet Service "
	25B="Microsoft "
	25B="Eudora Internet Mail Server"
	25B="P MAIL Service, Version:"
	25B="MDaemon "
	80W="\(Win32\)"
	80W="TinyWeb"
	80W="Microsoft"
	80W="\(Win32\)"
	80W=" OmniHTTPd/" # " OmniHTTPd/2.10"
	80W=" Cougar" # Cougar 4.1.0.3858 / Cougar/9.00
	80W="^ Oracle9iAS" # " Oracle9iAS/9.0.2.1.1 Oracle HTTP Server"
	161S="Windows"

# various FP's but missing OS/PLATFORM:
# 80W=".* Netscape-Enterprise/3.5.1"
# Runs on Solaris often or Windows.
# 80W=".* NetWare-Enterprise"
# 80W=".* Netware HTTP Stack"
# 80W=".* Novell-HTTP"
# 80W=".* WebSTAR"
# Raptor Firewall HTTP Proxy:
# 80W=".* Simple, Secure Web Server 1.1"
# Cisco PIX Firewall SMTP Proxy v4.x
# 25B=".* SMTP/cmap ready"
# Also check out http://www.hoobie.net/mingsweeper
# http://www.oueb.org/netexplorer/count_httpservers.html
# FAILED: 130.89.145.4
# POP MDaemon 6.5.2 ready
# IMAP4rev1 MDaemon 6.5.2 ready
# What is:
# (UNIX_SV 2.1.3)

# 70T=O%21T=O
Fingerprint:0.1.1.1 Windows 95/98/NT <=4.0
	139T=O%135T=O%445T=C

Fingerprint:0.1.1.2 Windows NT 4.0
	22T=C%139T=O%135T=O%445T=C%21B=" Microsoft FTP Service \(Version 2\.0\)"
	22T=C%139T=O%135T=O%445T=C%21B=" for WinSock ready"
	22T=C%139T=O%135T=O%445T=C%161S="Windows NT Version 4"
	22B="Secure Shell Windows NT" # Secure Shell Windows NT Server
	22B=" F-Secure SSH Windows NT Server"
	# 21B="220 Serv-U FTP Server v4\.1 for WinSock ready\.\.\.\r\n"

Fingerprint:0.1.1.4 Windows 2000 / XP
	139T=O%135U=U%445T=O
	23N=" Windows 2000 " # 23N="\xff\xfd%\xff\xfb\x01\xff\xfb\x03\xff\xfd'\xff\xfd\x1f\xff\xfd\xff\xfbMicrosoft \(R\) Windows 2000 \(TM\) Version 5\.00 \(Build 2195\)\nWelcome to Microsoft Telnet Service \nTelnet Server"

Fingerprint:0.1.1.3 Windows 2000
	21B=" Microsoft FTP Service \(Version 5\.0\)"%80W="Win2000"%161S4="Windows 2000 Version 5\.0"%25B="Version: 5\.0\.2172\.1"%%445T=O%139T=O%135T=O
	21B=" Microsoft FTP Service \(Version 5\.0\)"%80W="Win2000"%161S4="Windows 2000 Version 5\.0"%25B="Version: 4\.0\.2195\.5329"%445T=O%139T=O%135T=O

Fingerprint:0.1.1.5 Windows XP
	80W="^ Microsoft-IIS/5\.1"%25B="Microsoft ESMTP MAIL .* Version: 6\.0\.2600\.1"%161S4="Windows 2000 Version 5\.1"%445T=O%139T=O%135T=O


# All DSL users in .at using w2k have this open :>
#Fingerprint:1.4 Windows 2000 with IPSEC
# 1723T=O%21B=".* Microsoft FTP Service \(Version 5.0\)"
# 1723T=O%80W="Win2000"
# 1723T=O%161S="Windows 2000"

### HOST -> Unix ##############################################################
Fingerprint:0.0.2 Unix
	80W0="\(Win32\)"%80W="Apache"
	80W="thttpd/.*"
	80W="\(Unix\)"
	80W=" Squid"
	80W=" publicfile"
	21B=" FTP server \(Version wu-"
	21B="220 ProFTPD "
	#22B=".*-OpenSSH.*"
	22T=O # Hopefully! Can also be some appliance that we don't recognize
	22B="-OpenSSH"
	25B="220 .* Smail3\."
	25B=" Exim "
	25B=" ESMTP Postfix"
	25B=" Sendmail "

# Need to distinguish samba from windows. Take care.
#Fingerprint:0.0.2 Unix (Samba running)
	#%139T=O%135T=C%137T=C # 3 points accuracy
	#139T=O%137T=C%445T=C # 2 points accuracy

# What we check here is what follows the 'Server: ' statement.
# The first two characters are used for hashing.
Fingerprint:0.4.3 Linux SuSE
	80W="SuSE" # (Linux/SuSE); (SuSE/Linux)
	21B="powered by SuSE Linux"
	25B="SuSE Linux"

Fingerprint:0.4.3.1 Linux SuSE 7.x
	25B=".*SuSE Linux 7\."

Fingerprint:0.6.3 Linux Debian
	21B="Server \(Debian\)"%22B3=" Debian"%25B="Sendmail .*Debian"%80W="Debian"
	# 25B="220 hostname ESMTP Postfix \(Debian/GNU\)\r\n"
	80W="Debian"%25B=" Debian"%22B3=" Debian"

Fingerprint:0.6.3.1 Linux Debian 'Potato'
	22B3="potato" # Debian 1:3.4p1-0.0potato1

Fingerprint:0.6.3.2 Linux Debian 'Woody'
	22B3="woody" # Debian 1:3.4p1-0.0woody1

Fingerprint:0.5.3 Linux Redhat
	80W="Red[- ]Hat"%23N="Red[- ]Hat "

Fingerprint:0.5.3.5.1 Linux Red Hat 5.1 (Manhattan)
	21B="Thu May 7 23:18:51 EDT 1998\) ready\.\r\n"
	23N="\(Manhattan\)"

Fingerprint:0.5.3.6 Linux Red Hat 6.0 (Hedwig)
	23N="\(Hedwig\)"

Fingerprint:0.5.3.6.1 Linux Red Hat 6.1 (Cartman)
	23N="\(Cartman\)"
# Identd test currently not implemented.
# 113I="pidentd 3\.0\.7 .* \(Sep 13 1999 20:16:57\)"

# I'm currently uncertain if I should match against strict banners.
# How many hosts are there that do not update their Apache regularly?
Fingerprint:0.5.3.7.2 Linux Red Hat 7.2 (Enigma)
	23N="\(Enigma\)"%80W="^ Apache/1\.3\.27 \(Unix\) mod_gzip/1\.3\.19\.1a PHP/4\.2\.3 mod_ssl/2\.8"

Fingerprint:0.5.3.7.3 Linux Red Hat 7.3 (Valhalla)
	23N="\(Valhalla\)"

Fingerprint:0.7.3 Turbo Linux
	80W="\(TurboLinux\)"

Fingerprint:0.8.3 Conectiva Linux
	80W="\(Conectiva/Linux\)"

Fingerprint:0.8.3.1 Conectiva Linux 8.0
	80W="1\.3\.26 \(Unix\) \(Conectiva/Linux\)"

Fingerprint:0.9.3 Linux Mandrake
	80W="\(Mandrake"
	80W="-Mandrake"
	# 80W=" Apache-AdvancedExtranetServer/1.3.22 (Linux-Mandrake/1.3mdk)"

Fingerprint:0.10.3 Gentoo Linux
	80W="Gentoo"

Fingerprint:0.11.8 OpenBSD
	# 21B4: "(Version 6.5/OpenBSD, linux" (<-- newer release?)
	# OpenBSD 2.8: "\(Version 6\.5/OpenBSD\) ready
	21B4="OpenBSD"%23N4="OpenBSD/"
	# 23N="\xff\xfd%\xff\xfb&\xff\xfd&\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'\xff\xfd\$\xff\xfa\x18\x01\xff\xf0\xff\xfb\x03\xff\xfd\x01\xff\xfd\"\xff\xfd\x1f\xff\xfb\x05\xff\xfd\!\xff\xfb\x01\xff\xfd\x06\nOpenBSD/i386 \(merlin\) \(ttyp3\)\nlogin: login: "
	21B4="OpenBSD"
	# This string is also default on Debian: %23N="^\xff\xfd%\xff\xfb&\xff\xfd&\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'\xff\xfd\$\xff\xfa\x18\x01\xff\xf0\xff\xfb\x03\xff\xfd\x01\xff\xfd\"\xff\xfd\x1f\xff\xfb\x05\xff\xfd\!\xff\xfb\x01"

Fingerprint:0.11.6 FreeBSD
	22B=" FreeBSD"
	23N="FreeBSD/"
	80W=" FreeBSD"
	21B=" FTP server \(Version 6\.00LS\)"
	21B=" FTP server \(Version 6\.00\) ready\.\r\n" # 4.1?
	80W=" FreeBSD"%22B=" FreeBSD-"

# OpenBSD has the 23N string somewhere in the middle of the negotiation.
Fingerprint:0.11.6.0.1 FreeBSD 4.1
	23N1="\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'\xff\xfd\$\xff\xfa\x18\x01\xff\xf0\xff\xfb\x03\xff\xfd\x01\xff\xfd\"\xff\xfd\x1f\xff\xfb\x05\xff\xfd\!\xff\xfb\x01"

Fingerprint:0.11.6.1 FreeBSD 4.7 # or -RC2
	22B=" FreeBSD-20020702"%25B=" ESMTP Sendmail 8\.12\.6/8\.12\.6; "

Fingerprint:0.11.7 NetBSD
	22B="NetBSD" # NetBSD_Secfure_Shell-20020626

Fingerprint:0.2.9 Solaris
	21B=" \(SunOS"%22B="-Sun_"%25B="Sendmail .*\+Sun"%80W=" Sun_WebServer"
	21B=" \(SunOS"%22B="-Sun_"%25B="Sendmail .*\+Sun"%80W=" Sun Cobalt"
	# 22: Sun9 started shipping their boxes with this.
	# 25: Solaris 7 or later

# FIXME:
# - make variable usable.
# - implement grouping under a Fingerprint line
# - mmap() the file (easier to parse then)
# - (25B="lala"\n25B="lulu") etc should work.
#   We step through it until we have a hit and
#   exit immediately. The highest accuracy should be named first.
#   With this we can group together all the 80W windows crap.
#   The result is that for every test we for sure
#   get only ONE result. This can btw. also be verified
#   if we already checked this testnr_cat on comparison
#   and step to the next one. That might be easier than using the
#   () stuff. It would be faster on comparison if we would have
#   a linked list for every test.
#   % operations would then become useless. Everything under a
#   Fingerprint:-line would be evaluated in any combination that
#   exist.
# - Negative tests are hardly possible then. We must use != in that case
#   and list them first. != means 'must not be equal', e.g. we stop
#   processing immediately if equal and do not evaluate the rest of
#   the entire Fingerprint:-line.
#
# Fingerprint {
# CLASS = 0.2.9
# NAME = "Solaris"
# VAR=[80W="lalal"%..]
# VAR2=[
# 80W="Web"
# 21B="OpenFTP"
# ]
# }
#
Fingerprint:0.2.9 Solaris
	21B=" \(SunOS"%22B="-Sun_"%23N="SunOS"%%25B="Sendmail .*\+Sun"
	80W=" Sun_WebServer"
	80W=" Sun Cobalt"
	161S="^Sun SNMP Agent"

Fingerprint:0.2.9.6 Solaris 6
	21B4=".* \(SunOS 5\.6\)"
	25B="-SVR4 ready"

Fingerprint:0.2.9.7 Solaris 7
	21B=".* \(SunOS 5\.7\)"%22B="SSH-1\.5-1\.2\.32"%23N="SunOS 5\.7"%25B="Sendmail .*\+Sun"%161S="SunOS .* 5\.7 Gen"

Fingerprint:0.2.9.8 Solaris 8
	21B4=" \(SunOS 5\.8\)"%23N4="SunOS 5\.8"%25B="Sendmail .*\+Sun/8"%161S4="SunOS .* 5\.8 Gen"
	21B4=" \(SunOS 5\.8\)"%23N4="SunOS 5\.8"%25B="Sendmail .*\+Sun/8"%161S="^Sun SNMP Agent"


# FIXME: very sloppy. match version number directly. Need info here guys.
# some linuxes have this installed too
#Fingerprint:2.2 Solaris
# 22B=".* SSH Secure Shell \(non-commercial\)"

#Fingerprint:2.2.8 Solaris 8
# 22B="SSH-2.0-3.1.0 SSH Secure Shell \(non-commercial\)"

#Fingerprint:2.2.9 Solaris 8
# 22B="SSH-2.0-3.2.0 SSH Secure Shell \(non-commercial\)"

Fingerprint:0.12.10 Plan9 (2nd Edition)
	21B="220 Plan 9 FTP server"

Fingerprint:0.3.12 AIX
	161S="IBM PowerPC .* AIX"

# \xff\xfd\x18\xff\xfe\x18\xff\xfb\x01\xff\xfb\x03\xff\xfd\x1f\xff\xfc\xc8\xff\xfd\x01\ntelnet ()\nAIX Version 4\n(C) Copyrights by IBM a
Fingerprint:0.3.12.4 AIX 4
	161S="IBM PowerPC .* AIX version: 04"%21B="\(Version 4\.1 Mon Aug 21 10:34:44 CDT 1995\)"%23N="\nAIX Version 4"%25B=" AIX 4" # Sendmail AIX 4.1/UCB 5.64/4.03 ready

Fingerprint:0.3.12.4.3 AIX 4.33
	161S="IBM PowerPC .* AIX version: 04\.03" # AIX version: 04.03.0002

Fingerprint:0.3.13 OS/390 V5R0M0
	161S="SNMPv3 agent version 1\.0 with DPI version 2\.0"

Fingerprint:0.3.0 IBM
	21B="IBM "%25B="IBM "%80W="IBM-HTTP-Server"
	# IBM VM SMTP Level 310
	# IBM AS/400

Fingerprint:0.3.0.1 IBM VM (310?)
	21B=" IBM VM "%25B=" IBM VM "

Fingerprint:0.13.11 Apple Macintosh
	21B="Macintosh FTP"
	21B="220 NetPresenz v" # NetPresenz v4.1 awaits your command.
	80W=" PersonalNetFinder/" # " PersonalNetFinder/1.0 ID/ACGI"

Fingerprint:0.13.11.1 Mac OSX
	80W="MacOSX"
	80W="Mac OS X Server"
	80W="MacHTTP/"
	80W=" Web Sharing"
Fingerprint:0.13.11.2 MAC OS-9
# 23N="\nOS-9/" # \xff\xfb\x01\nOS-9/68K V2.4 Quanterra Q4124 - 68030 102/12/21 21:45:34
	23N="\nOS-9/"%21B=" OS-9 ftp server ready"%80W="Msheer/"

# Holy shit, we categorized Novell under Unix!
Fingerprint:0.14.14 Novell NetWare
	21B="^220 Service Ready for new User\r\n$"%25B=" Novell, Inc"%23N="^\xff\xfd\x18$"%80W="^ NetWare-Enterprise-Web-Server" # 80W=" NetWare-Enterprise-Web-Server/5.1"
	21B=" for NW " # 21B="220 FTP Server for NW 3\.1x, 4\.xx \(v1\.10\), \(c\) 1994 HellSoft\.\r\n"
	21B="\(NetWare "
	23N="X11 Console Session to the NetWare Server"
	25B="Novell, Inc"
	23N="Help is Ctrl-\? or Ctrl-w"%25B="^520 Connection not authorised from this address"%80W="^ Novell-HTTP-Server"%80W="^ NetWare HTTP Stack"
	161S="Novell NetWare"
	# 25B="220 tigra GroupWise Internet Agent 5\.5\.4\.1 Ready \(C\)1993, 1999 Novell, Inc\.\r\n"

Fingerprint:0.14.14.4.1 Novell 4.11 (NetWare)
	21B="\(NetWare v4"
	25B="Mercury 1\.48 ESMTP server ready"
	161S="Novell NetWare 4"

Fingerprint:0.14.14.5 Novell 5.00.09 (NetWare)
	21B="\(Netware v5"
	25B="GroupWise Internet Agent "%23N="^\xff\xfd\x18\xff\xfa\x18\x01\xff\xf0\xff\xfb\x03\xff\xfb\x01\n-*\nHelp is Ctrl-\? or Ctrl-w"
	161S3="Novell Netware 5"
	# 25B="220 tigra GroupWise Internet Agent 5\.5\.4\.1 Ready \(C\)1993, 1999 Novell, Inc\.\r\n"

Fingerprint:0.14.14.6 Novell 6 (NetWare)
	161S="Novell NetWare 5\.60" # Novell 5.60 = 6

Fingerprint:0.21.15 Compaq Tru64 UNIX
	21B="Compaq Tru64"
	22B=" Tru64 UNIX " # SSH Secure Shell Tru64 UNIX V1.0

Fingerprint:0.21.15 Digital UNIX (now Compaq Tru64 UNIX)
	21B="Digital UNIX"%23N="Digital UNIX " # \xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'\xff\xfd$\xff\xfb\x03\xff\xfd\x01\xff\xfd\x1f\xff\xfb\x05\xff\xfd!\xff\xfb\x01\nDigi"
	21B=" server \(Version 5\.60\) ready\."%23N="Digital UNIX " # \xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'\xff\xfd$\xff\xfb\x03\xff\xfd\x01\xff\xfd\x1f\xff\xfb\x05\xff\xfd!\xff\xfb\x01\nDigi"

Fingerprint:0.21.16 Compaq OpenVMS (MultiNet)
	21B="MultiNet FTP Server"%25B=".*GIVEME2 "%22B=".*Process Software MultiNet"
	21B="MultiNet FTP Server"%25B=".*GIVEME2 "
	23N="OpenVMS" # Welcome to OpenVMS Alpha (TM) Operating System, Version V6.2

Fingerprint:0.19.17 HP-UX
	23N="HP-UX "

Fingerprint:0.19.17.1 HP-UX B.10.20
	23N="HP-UX .* B\.10\.20"%21B="\(Version 1\.7\.212\.2 Tue Apr 21 12"

# Cisco developed the TCP stack for OpenVMS
Fingerprint:0.21.16 Compaq Alpha/VAX OpenVMS (MultiNet by Cisco)
	25B="CISCO MultiNet V" # Cisco implements TCP/IP services for OpenVMS

Fingerprint:0.22.18 Irix
	23N="IRIX " #
	25B=" SGI-" # ESMTP Sendmail SGI-8.9.3/8.9.3;"

Fingerprint:0.22.18.6.5 Irix 6.5 Origin2
	23N="\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd\$\xff\xfb\x03\xff\xfd\x01\xff\xfd\x1f\xff\xfb\x05\xff\xfd\!\xff\xfb\x01\nIRIX "


Fingerprint:0.29.19 Commodore C64
	21B=" C64\)"%25B=" Ultramile v\."
	23N20="\xff\xfd\x18\xff\xfd\x1f\xff\xfd#\xff\xfd'\xff\xfd\$\xff\xfe\x18\xff\xfe\x1f\xff\xfe#\xff\xfe'\xff\xfe\$"

### SWITCH ###################################################################
#
# 1 - Catalyst

# Allegro-Software-RomPager is an HTTP server used in network hardware
# (such as switches) to provide a web interface to remotely configure your
# hardware.
Fingerprint:2.0.0 generic Switch
	80W="Allegro-Software-RomPager"

# No known OS or Vendor (or not important enough)
Fingerprint:2.0.0.1 Omni Switch
	21B=" Omni Switch"

Fingerprint:2.0.0.2 ECSC Tiger Switch
	23N4="^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\x1b\[0;37;40m\x1b\[2J\x1b\[0;37;40m\x1b\[1m\x1b\[2;6H SSSSSSSSSSSS"
	23N4="^\x1b\[1;24r\x1b\[24;1H\x1b\[24;1H\x1b\[2K\x1b\[24;1H\x1b\[\?25h\x1b\[24;1H\x1b\[24;1HPassword: "
	23N4="^\xff\xfb\x01\x1b\[2J\x1b\[1m\x1b\[2;13HSSSSS"

Fingerprint:2.0.0.3 Allied Telesyn Switch
	23N="\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\x1b\[0;37;40m\x1b"
	23N="AT-8324SX" # same as above (147.32.118.254)

Fingerprint:2.0.0.4 Extreme Networks Black Diamond switch
	80W="^ Allegro-Software-RomPager"%23N="Extreme Networks"
	# 23N="\xff\xfb\x01\nCopyright \(C\) 1999 by Extreme Networks\nlogin: \xff\xfb\x01\nlogin: "
	# 80W=" Allegro-Software-RomPager/2.10"


Fingerprint:2.15.0 Cisco switch
	2001T=O
	6001T=O # this can also be X11 :/

Fingerprint:2.15.4.1.1 Cisco Catalyst 19XX switch
	23N="\nPassword required, but none set\n"
	23N="Catalyst 1900 Management Console" # \x01\xff\xfd\x03\xff\xfb\x03\xff\xfb\x01\xff\xfe\x03
	23N="\xff\xfd\x03\xff\xfb\x03\xff\xfb\x01\xff\xfe\x03"

Fingerprint:2.15.4.1.2 Cisco Catalyst 2XXX switch
	161S4="Cisco .*\(C2[0-9]" # Cisco Internetwork Operating System Software IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(9)EA1, RELEASE SOFTWARE (fc1)
# This is already too specific
#Fingerprint:3.1.1.1 Cisco Catalyst 2900 switch
# 161S="Cisco .*\(C29"
Fingerprint:2.15.4.1.2 Cisco Catalyst 2900XL Switch
	161S4=" C2900XL "

Fingerprint:2.15.4.1.3 Cisco Catalyst 3XXX switch
	161S4="Cisco Catalyst 3" # Cisco Catalyst 3900 HW Rev 002; SW Rev 4.1(1)

Fingerprint:2.15.4 Cisco switch (WS-CXXXX)
	161S4="Cisco Systems WS-C" # Cisco Systems WS-C6509; Cisco Systems WS-C5500

#Fingerprint:3.1.1.11Cisco Catalyst 2950G switch
# 161S="Cisco .*\(C2950" # Cisco Internetwork Operating System Software IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(9)EA1, RELEASE SOFTWARE (fc1)

# 130.89.144.118
Fingerprint:2.16.0 3Com
	80W=" 3Com/v1\.0"%23N3="\xff\xfd\x03\xff\xfb\x03\xff\xfb\x01\n\xff\xfe\x03\nLogin"
	# 3Com Switch 1100

# Why can this be a linkbuilder?
Fingerprint:2.16.0.1 3Com SuperStack II, Switch 110
	23N3="\xff\xfd\x03\xff\xfb\x03\xff\xfb\x01\nLogin: \xff\xfe\x03"
	23N3="\xff\xfd\x03\xff\xfb\x03\xff\xfb\x01\n\xff\xfe\x03\nLogin: "

Fingerprint:2.16.0.2 3Com Linkbuilder or SuperStack II
	23N="q{40}" # SuperStackII welcome grfx
	#23N="\x1b\[2J\x1b\(0\x1b\[01;00Hlqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk\x1b\[03;00Hqqqqqqqqqqqqqqqqqqqqqqqq"
	## 3Com SuperStackII Switch 3000, SW Version:3\.10
	#23N="\x1b\[2J\x1b\(0\x1b\[01;00Hlqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk\x1b\[03;00Hqqqqqqqqqqqqqqqqqqqqqqqq"

Fingerprint:2.16.0.3 3Com SuperStack II
	161S4="^3Com SuperStackII"
	23N3="\xff\xfd\x03\xff\xfb\x03\xff\xfb\x01\n\xff\xfe\x03\nLogin: "%161S4="^3Com SuperStack II"
	23N3="\xff\xfd\x03\xff\xfb\x03\xff\xfb\x01\nLogin: \xff\xfe\x03"%161S="^3Com"

Fingerprint:2.17.0 Lucent Cajun # Avaya Firmware
	161S="Avaya Inc" # Avaya Inc. - P330 Stackable Switch, SW version 3.11.0
	161S="Summit1i" # Summit1i - Version 6.1.8 (Build 12) by"


Fingerprint:2.23.0 EntraSys switch
	23N="Vertical Horizon Local Management" # Enerasys switch

Fingerprint:2.23.0.1 EntraSys VH-8TX1UM
	23N4="VH-8TX1UM"
Fingerprint:2.23.0.2 EntraSys VH-2402S
	23N4="VH-2402S"

Fingerprint:2.24.0 Cabletron switch
	23N="CABLETRON Systems"
	23N="CABLETRON Systems"%80W="Agranat-EmWeb" # " Agranat-EmWeb/R4_02"
	23N0="Vertical Horizon"%23N=" Local Management\x1b"
Fingerprint:2.24.0.1 Cabletron 2H252-25R Smart Switch
	23N="2H252-25R"
	23N="2H252-25R"%80W="Agranat-EmWeb"

Fingerprint:2.31.0 Foundry Networks switch
	80W=" Foundry Networks"%23N="\xff\xfb\x01\xff\xfb\x03telnet"
	80W=" Foundry Networks"%23N="^Telnet server disabled\n"

Fingerprint:2.33.0 Nortel Networks switch
	23N="Nortel Networks"

Fingerprint:2.33.0.1 Nortel Networks BayStack 540-24T
	23N="\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd\$\xff\xfb\x03\xff\xfd\x01\xff\xfd\"\xff\xfd\x1f\xff\xfb\x05\xff\xfd\!\xff\xfb\x01\xff\xfd\x06\xff\xfc\x01\xff\xfb\x01\nNortel Networks"

Fingerprint:2.33.0.2 Nortel Networks BayStack 450-24T
	23N="\xff\xfd\x03\xff\xfb\x01\xff\xfb\x03\x1b\[1;1H"

Fingerprint:2.34.0 Bay Networks switch
	#23N1="\xff\xfd\x03\xff\xfb\x03\xff\xfb\x01" # 3com also
	23N="\bBay Networks"
	# and so cisco!

Fingerprint:2.37.0 SynOptics Hub
	161S3="^SynOptics .* Ethernet Concentrator"

Fingerprint:2.37.0.1 SynOptics 2310 Series Ethernet Concentrator
	161S3="^SynOptics 2310 Series Ethernet Concentrator"

### ROUTERS ##################################################################

# generic router FP's (tell me if other routers use the telnet banner or
# if it is 100% cisco specific).
Fingerprint:1.0.0 Router
	23N="\nUser Access Verification"

Fingerprint:1.0.0.1 DSL Router
	23N="\xff\xfb\x01\xff\xfb\x03\xff\xfe\x01\nlogin" # Some DSL router

Fingerprint:1.0.0.2 Agranat ADSL router
	80W="Agranat-EmWeb"%21B="421 Session access restricted"

# This actually is an ADSL-Ethernet router/bridge
Fingerprint:1.0.0.3 Alcatel Speed Touch router
	#23N="\xff\xfe\"\xff\xfb\x01\xff\xfb\x03User :" the 'SpeedTouch' match is better.
	23N="SpeedTouch \("

Fingerprint:1.0.0.4 OpenROUTE Router
	161S="^Portable M68360 C Gateway"%23N="\xff\xfb\x01\xff\xfb\x03\nlogin: \n"

# 1 - Cisco BGP
#
# This means even if port 137 is found open we consider it a Cisco.

Fingerprint:1.15.4 Cisco router
	80W="cisco-" # cisco-ISO and cisco-CPA
	23N="\nUser Access Verification"%22B="Cisco"
	23N="\[1mPress RETURN to activate console \. \. \." # TACAS++ enabled?
	23N="CISCO "
	23N="^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f\n"
	23N="\bCisco Systems, Inc\. Console"

#Fingerprint:1.15.4.1.2 Cisco 29XX
# 23N="\n29.* ready to connect"

Fingerprint:1.15.4.1.3 Cisco 36XX BGP router
	161S4="Cisco .*\(C36"
	%23N="\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f\n.*\nUser Access Verification\n.*: \xff\xfe\x18\xff\xfe\x1f\n"

Fingerprint:1.15.4.1.5 Cisco 53XX Access Server
	161S4="\(tm\) 5300 Software" # IOS (tm) 5300 Software (C5300-I-M), Version 12.2(2)XA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Fingerprint:1.15.4.2 Cisco 72XX router
	23N="CISCO 72"%161S="\(tm\) 7200 Software"
	# IOS (tm) 7200 Software (C7200-JS-M), Version 12.2(1a), RELEASE SOFTWARE (fc1) Copyright (c) 1986-2001 by cisco Systems, Inc.

Fingerprint:1.18.0 BinTec Bianca/Brick XL router
	161S="BIANCA/BRICK-XL"

Fingerprint:1.36.0.1 Intel Express Router
	161S="Intel Express"

Fingerprint:1.36.0.2 Intel Express 9530 Router
	161S="ER9530 Intel Express"%139T=C%445T=C%2001T=C

### ACCESS POINT / Dialup Router / Microwave bridges ############################################################

Fingerprint:16.0.0 Planet WAP-1965 AccessPoint
	80W="^ Embedded HTTP Server 3.3.0"

Fingerprint:16.0.0 Aironet BR100E Microwave Bridge
	21B="\(Aironet BR"%161S="^Aironet BR"%23N="Aironet BR"

Fingerprint:16.0.0.1 Polycom ISDN router
	23N="\xff\xfb\x01\xff\xfd\x03\nHi, my name is"%80W=" Viavideo-Web"

Fingerprint:16.0.0.2 Aironet BR500E WiFi Bridge
	21B="\(Aironet BR500E"%23N="Aironet BR500E "
	# 23N="\xff\xfb\x01\xff\xfe\x01Connected\nAironet BR500E V8\.24 Main Menu dejvicka_kolej\n Option Value Description\n1 - Privilege \[ off ] - Set privilege l"
	# 21B="220 dejvicka_kolej \(Aironet BR500E V8\.24\) ready\r\n"

Fingerprint:16.0.0.3 DXC 10 A
	23N="DXC10"
	# 23N="\xff\xfd\x18\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\x1b[2J\x1b[H\x07\nDXC10A

Fingerprint:16.13.0 Apple Airport Base Station
	161S="Base Station V3"

Fingerprint:16.30.0 Shiva LanRover Dialup router
	23N="\xff\xfb\x01@ Userid: "

# POTS, ISDN, T1/E1 interface, up to 60 simultaneous voice and fax channels
Fingerprint:16.33.0 Nortel Passport switch
	161S="Passport" # Passport-8610 (3.0.3)

### PRINTERS #################################################################
Fingerprint:4.0.0 Printer
	21B="220 printer"
	21B=" Printer "
	23N="Print Server" # "\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\nWelcome to Print Server\nPS>\xff\xfe\x03\nPS>\nPS>"
	80W=" Web Server/2\.0"
	80W=" PRINT_SERVER " # " PRINT_SERVER WEB 1.0"

Fingerprint:4.19.0 HP Jetdirect Laserjet
	80W="HTTP/1\.0"%21B="220 JD FTP Server Ready"
	161S="JETDIRECT" # HP ETHERNET MULTI-ENVIRONMENT,ROM G.08.21,JETDIRECT,JD33,EEPROM G.08.21
	21B="220 JD FTP Server Ready"%80W=" Agranat-EmWeb"
	21B="220 JD FTP Server Ready"%80W=" HP-ChaiServer"
	23N="\xff\xfc\x01\nPlease type \[Return] two times, to initialize telnet configuration\nFor HELP type "
	23N="HP JetDirect" # "\xff\xfc\x01\nHP JetDirect\nPlease type \"\?\" for HELP, or \"/\" for current settings\n> "

Fingerprint:4.25.0 Epson Network Print Server
	23N="EPSON Network Print Server" # "\xff\xfb\x01\n-> *** EPSON Network Print Server (EPAEEFBC) ***\n\x08 \nlogin: "
	23N="\nSorry, this system is engaged\.\n" # 2 TCP connection

Fingerprint:4.13.0 Apple LaserWriter
	23N="Apple Computer" # \xff\xfb\x01\xff\xfb\x03\n\**\n Apple Computer, Inc.\n LaserWriter 12/640 P"

Fingerprint:4.26.0 Axis Printer Server
	21B="FTP Printer Server V" # NPS 5400 FTP Printer Server V5.58.08 Mar 17 2000 ready.
Fingerprint:4.26.0.1 Axis NPS 5400 Printer Server
	21B=" NPS 5400 FTP Printer"

Fingerprint:4.28.0 Lexmark LaserPrinter
	21B="Lexmark " # "220 FTP server: Lexmark Optra LaserPrinter ready\r"

Fingerprint:4.28.0.1 Lexmark Optra T612 printer
	21B=" MarkNet Pro " # "220 LXK257A09 MarkNet Pro 1 FTP Server 2.10.10 ready.\r"

Fingerprint:4.26.0.1 Xerox DocuPrint N2125 Network Laser Printer
	80W1="^ Allegro-Software-RomPager"%161S="^Xerox DocuPrint N2125 Network Laser P"
	# FIXME: So many devices are using Allegro-Softw...

Fingerprint:4.35.0 APC Power Controller
	23N="\xff\xfb\x01\xff\xfb\x03\xff\xfd\x03\nUser Name : "
	# This is also true for many many other servers.
	#21B="^220 \r\n"%23N="\xff\xfb\x01\xff\xfb\x03\xff\xfd\x03\nUser Name : "

### APPLIANCE ################################################################
Fingerprint:32.0.0 Canon WebCam
	80W=" Canon Http Server 1"

Fingerprint:32.0.0 Axis 2100 Network Camera
	21B="^220 Axis 2100"%80W="^ Boa/"

Fingerprint:32.20.0.1 Quantum PowerVault 508080 Filesharing System
	80W=" Quantum Corporation\./3\.4\.790"%21B="220 Service ready for new user\." #%139T=O%135T=C%137T=C

Fingerprint:32.0.0 unknown Embedded device
	80W="Digital Comet Embedded Server"
	80W=" Spyglass[_-]MicroServer" # 80W=" Spyglass_MicroServer/2.00FC4"
	80W="HP-ChaiServer"
	80W=" EHTTP/" # Siemens EHTTP server module (java)
Fingerprint:32.0.0 Ethernet Board
	21B=" EthernetBoard" # "220 EthernetBoard MLETB08 Ver 2.0.0 FTP server.\r\n"
	23N="EthernetBoard " # "\xff\xfd\x03\xff\xfb\x01\xff\xfb\x03EthernetBoard MLETB08 Ver 2.0.0 TELNET server.\nlogin: \xff\xfe\x03\nlogin: "
	25B="^421 Service not available, closing transmission channel\r\n"
	80W=" JC-HTTPD/" # " JC-HTTPD/1.3.7" EthernetBoard
Fingerprint:32.0.0 Wind River pSOSystem
	23N="\bBaseSystem "%21B=" pSOSystem FTP server"
Fingerprint:32.0.0 Rapid Logic embedded device
	80W="^ Rapid Logic/1.1"%23N="^\xff\xfb\x03\xff\xfb\x01\n Disconnecting"

Fingerprint:32.32.0.1 Ericsson IP Telephony AP
	23N="\n ,#\n ,#' \n ####" # ericsson logo


### FIREWALL #################################################################
# FW-1 has 256, 257, 258 open
# on 259/tcp is an identification string from FW1
# MS Proxy Server has 1745, 1080 open

Fingerprint:8.15.0 Eagle Firewall
	23N="Eagle Secure Gateway"%25B="the firewall does not"
	# Eagle Secure Gateway.
	# Hostname:
	# 421 10.10.1.8 Sorry, the firewall does not provide mail service to you.

Fingerprint:8.15.4.1 Cisco PIX Firewall
	161S="Cisco Secure PIX Firewall" # Cisco Secure PIX Firewall Version 5.3(2)

Fingerprint:8.0.0 Netscreen Firewall Management Console
	23N="NetScreen Remote Management Console\n"%80W=" NetScreen-100"
	# \xff\xfd\x18\xff\xfb\x01\xff\xfe\x01\xff\xfd\x03NetScreen Remote Management Console\n

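# Added example, not part of THC-RUT or of the original file: a Python sketch of the scoring rules from the header (port test +1/-1, banner test +2/-1, port part ignored when no open port matches), run over already-collected observations to audit which banners and port states on your own hosts give the OS away.
# Assumptions: the host dictionary layout, all function names, "best test line wins" per fingerprint, and reading the optional number after the test letter as the increment on a match; the database excerpt and hosts are constructed samples.

```python
import re

# One test: <port><kind>[weight]=<O|C|U or "perl-style regex">, e.g. 135T=O, 22B3=" Debian"
TOKEN = re.compile(r'(\d{1,5})([TUWBSN])(-?\d+)?=(?:"((?:[^"\\]|\\.)*)"|([OCU]))')


def parse_test_line(line):
    """Split one test line into tests; '%' and '#' inside quotes are data."""
    tests, pos = [], 0
    while True:
        while pos < len(line) and line[pos] in " \t%":
            pos += 1
        if pos >= len(line) or line[pos] == "#":   # end of line or trailing comment
            return tests
        m = TOKEN.match(line, pos)
        if not m:
            raise ValueError(f"bad test at column {pos}: {line!r}")
        port, kind, weight, regex, state = m.groups()
        tests.append({"port": int(port), "kind": kind,
                      "weight": int(weight) if weight else None,
                      "regex": regex, "state": state})
        pos = m.end()


def parse_db(text):
    """Return [(class, name, [test_line, ...]), ...] in file order."""
    db = []
    for raw in text.splitlines():
        if raw.startswith("Fingerprint:"):
            head = raw[len("Fingerprint:"):].split("#")[0].strip()
            cls, _, name = head.partition(" ")
            db.append((cls, name.strip(), []))
        elif raw[:1] in (" ", "\t") and db:        # indented line = test line
            tests = parse_test_line(raw)
            if tests:
                db[-1][2].append(tests)
    return db


def score_line(tests, host):
    """Accuracy of one test line against one host's observations."""
    port_score, banner_score, open_hit = 0, 0, False
    for t in tests:
        if t["kind"] == "T":
            seen = host["ports"].get(t["port"])
            if seen not in ("O", "C") or t["state"] not in ("O", "C"):
                continue                            # unknown/firewalled: unchanged
            if seen == t["state"]:
                port_score += 1
                open_hit = open_hit or seen == "O"
            else:
                port_score -= 1                     # observed the opposite state
        elif t["regex"] is not None:
            banner = host["banners"].get((t["port"], t["kind"]))
            if banner is None:
                continue                            # banner not retrieved: unchanged
            if re.search(t["regex"], banner):
                # Assumption: an explicit weight replaces the default +2.
                banner_score += t["weight"] if t["weight"] is not None else 2
            else:
                banner_score -= 1
        # other tests (e.g. 135U=U) are not modelled here and change nothing
    # Port-state part only counts if at least one =O test hit an open port.
    return banner_score + (port_score if open_hit else 0)


def rank(db, host):
    """Best test-line score per fingerprint; later (more specific) entries win ties."""
    hits = []
    for idx, (cls, name, lines) in enumerate(db):
        best = max((score_line(l, host) for l in lines), default=0)
        if best > 0:
            hits.append((best, idx, cls, name))
    hits.sort(key=lambda h: (h[0], h[1]), reverse=True)
    return [(score, cls, name) for score, _, cls, name in hits]


# Constructed excerpt in the file's format (test lines taken from the entries above).
SAMPLE_DB = r'''
Fingerprint:0.1.1 Windows # generic
    135T=O
    139T=O
    21B=" Microsoft "
Fingerprint:0.1.1.2 Windows NT 4.0
    22T=C%139T=O%135T=O%445T=C%21B=" Microsoft FTP Service \(Version 2\.0\)"
Fingerprint:0.0.2 Unix
    22B="-OpenSSH"
Fingerprint:0.6.3 Linux Debian
    80W="Debian"%25B=" Debian"%22B3=" Debian"
'''

# Constructed observations: port states plus banners keyed by (port, test letter).
NT_HOST = {"ports": {22: "C", 135: "O", 139: "O", 445: "C"},
           "banners": {(21, "B"): "220 ntbox Microsoft FTP Service (Version 2.0).\r\n"}}
DEBIAN_HOST = {"ports": {22: "O"},
               "banners": {(22, "B"): "SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-0.0woody1\n"}}
ALL_CLOSED = {"ports": {22: "C", 135: "C", 137: "C", 139: "C", 445: "C"}, "banners": {}}

if __name__ == "__main__":
    db = parse_db(SAMPLE_DB)
    for label, host in (("nt", NT_HOST), ("debian", DEBIAN_HOST), ("closed", ALL_CLOSED)):
        print(label, rank(db, host))
```

# A banner that scores here is one worth trimming or changing on the host that emits it; the all-closed host shows why the header discards port-only lines with no open-port match.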