Nmap 7.91 - Aggressive option (-A) print unwanted documents #2237

Closed
Grizzly2000 opened this issue Jan 25, 2021 · 1 comment
@Grizzly2000 Grizzly2000 commented Jan 25, 2021

Hi !! :)

Describe the bug
Aggressive option '-A' on printers produces an unwanted print: a binary blob containing 'random1random2...'.
The printed payload 'random1random2...' is located here: "/usr/share/nmap/nselib/shortport.lua", line 261

To Reproduce
Run the following command against a printer device:

nmap -A X.X.X.34 -vvvvvvvvv -p 9100 --script-trace

Expected behavior
Aggressive option '-A' on printers should not print (like version 7.80+dfsg1-2build1 of nmap).

Version info:

  • Output of 'uname -a'
Linux hive 5.4.88-1-lts #1 SMP Sat, 09 Jan 2021 14:02:47 +0000 x86_64 GNU/Linux
  • Output of nmap --version:
Nmap version 7.91 ( https://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: liblua-5.3.6 openssl-1.1.1h libssh2-1.9.0 libz-1.2.11 libpcre-8.44 libpcap-1.9.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Debug output of nmap -A X.X.X.34 -vvvvvvvvv -p 9100 --script-trace

Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-25 17:12 CET
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:12
Completed NSE at 17:12, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:12
Completed NSE at 17:12, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:12
Completed NSE at 17:12, 0.00s elapsed
Initiating ARP Ping Scan at 17:12
Scanning X.X.X.34 [1 port]
Completed ARP Ping Scan at 17:12, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:12
Completed Parallel DNS resolution of 1 host. at 17:12, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 17:12
Scanning X.X.X.34 [1 port]
Discovered open port 9100/tcp on X.X.X.34
Completed SYN Stealth Scan at 17:12, 0.09s elapsed (1 total ports)
Initiating Service scan at 17:12
Initiating OS detection (try #1) against X.X.X.34
NSE: Script scanning X.X.X.34.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:13
NSOCK INFO [2.3680s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38568 > X.X.X.34:9100 | CONNECT
NSE: TCP X.X.X.26:38568 > X.X.X.34:9100 | 00000000: 16 03 00 00 69 01 00 00 65 03 03 55 1c a7 e4 72     i   e  U   r
00000010: 61 6e 64 6f 6d 31 72 61 6e 64 6f 6d 32 72 61 6e andom1random2ran
00000020: 64 6f 6d 33 72 61 6e 64 6f 6d 34 00 00 0c 00 2f dom3random4    /
00000030: 00 0a 00 13 00 39 00 04 00 ff 01 00 00 30 00 0d      9       0  
00000040: 00 2c 00 2a 00 01 00 03 00 02 06 01 06 03 06 02  , *            
00000050: 02 01 02 03 02 02 03 01 03 03 03 02 04 01 04 03                 
00000060: 04 02 01 01 01 03 01 02 05 01 05 03 05 02                     

NSOCK INFO [2.3680s] nsock_write(): Write request for 110 bytes to IOD #1 EID 19 [X.X.X.34:9100]
NSOCK INFO [2.3680s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 19 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38568 > X.X.X.34:9100 | SEND
NSOCK INFO [2.3680s] nsock_read(): Read request from IOD #1 [X.X.X.34:9100] (timeout: 7000ms) EID 26
NSOCK INFO [9.3680s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 26 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38568 > X.X.X.34:9100 | CLOSE
NSOCK INFO [9.3680s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSOCK INFO [9.3680s] nsock_iod_new2(): nsock_iod_new (IOD #2)
NSOCK INFO [9.3680s] nsock_connect_tcp(): TCP connection requested to X.X.X.34:9100 (IOD #2) EID 32
NSOCK INFO [9.3710s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 32 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38572 > X.X.X.34:9100 | CONNECT
NSE: TCP X.X.X.26:38572 > X.X.X.34:9100 | 00000000: 16 03 00 00 53 01 00 00 4f 03 00 3f 47 d7 f7 ba     S   O  ?G   
00000010: 2c ee ea b2 60 7e f3 00 fd 82 7b b9 d5 96 c8 77 ,   `~    {    w
00000020: 9b e6 c4 db 3c 3d db 6f ef 10 6e 00 00 28 00 16     <= o  n  (  
00000030: 00 13 00 0a 00 66 00 05 00 04 00 65 00 64 00 63      f     e d c
00000040: 00 62 00 61 00 60 00 15 00 12 00 09 00 14 00 11  b a `          
00000050: 00 08 00 06 00 03 01 00                                 

NSOCK INFO [9.3710s] nsock_write(): Write request for 88 bytes to IOD #2 EID 43 [X.X.X.34:9100]
NSOCK INFO [9.3710s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 43 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38572 > X.X.X.34:9100 | SEND
NSOCK INFO [9.3710s] nsock_read(): Read request from IOD #2 [X.X.X.34:9100] (timeout: 7000ms) EID 50
NSOCK INFO [16.3710s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 50 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38572 > X.X.X.34:9100 | CLOSE
NSOCK INFO [16.3710s] nsock_iod_delete(): nsock_iod_delete (IOD #2)
Completed NSE at 17:13, 14.02s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
Nmap scan report for X.X.X.34
Host is up, received arp-response (0.0022s latency).
Scanned at 2021-01-25 17:12:58 CET for 16s

PORT     STATE SERVICE    REASON         VERSION
9100/tcp open  jetdirect? syn-ack ttl 64 Excluded from version scan
MAC Address: 3C:2A:F4:35:4D:82 (Brother Industries)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Wind River VxWorks
OS CPE: cpe:/o:windriver:vxworks
OS details: VxWorks
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=1/25%OT=9100%CT=%CU=37458%PV=Y%DS=1%DC=D%G=N%M=3C2AF4%
OS:TM=600EEE1A%P=x86_64-unknown-linux-gnu)SEQ(SP=F9%GCD=1%ISR=10E%II=I%TS=A
OS:)OPS(O1=M5B4NW0NNSNNT11%O2=M578NW0NNSNNT11%O3=M280NW0NNT11%O4=M5B4NW0NNS
OS:NNT11%O5=M218NW0NNSNNT11%O6=M109NNSNNT11)WIN(W1=21F0%W2=2088%W3=2258%W4=
OS:21F0%W5=20C0%W6=209D)ECN(R=Y%DF=N%T=40%W=2238%O=M5B4NW0NNS%CC=N%Q=)T1(R=
OS:Y%DF=N%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=N%T=40%W=0%S=A
OS:%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y
OS:%DF=N%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR
OS:%O=%RD=0%Q=)U1(R=Y%DF=N%T=FF%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD
OS:=G)IE(R=Y%DFI=N%T=FF%CD=S)

Uptime guess: 2.974 days (since Fri Jan 22 17:50:58 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=249 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class

TRACEROUTE
HOP RTT     ADDRESS
1   2.20 ms X.X.X.34

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.39 seconds
           Raw packets sent: 24 (1.850KB) | Rcvd: 16 (1.042KB)

Thank you for your tools!
Thank you in advance!

@Grizzly2000 Grizzly2000 added the Nmap label Jan 25, 2021
@dmiller-nmap dmiller-nmap commented Jan 25, 2021

Thanks for this report. Because of the risk of printing garbage data from our version detection probes, Nmap specifically excludes ports 9100-9107 from being probed with -sV. The data printed in your case is coming from further probing within the ssl-* NSE scripts, which attempt their own probes if -sV did not do so. I will correct this to check whether the port ought to be excluded from probing like this.
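To see why a raw-socket printer renders the NSE probe as readable text, the bytes in the --script-trace dump above can be decoded as a TLS record. This is an added example, not Nmap's own code: it parses the first probe (the hex from the trace, re-typed here as constructed input with offsets and the ASCII column stripped) and shows that 'random1random2random3random4' is simply the 28-byte tail of the ClientHello Random field.

```python
import struct

# Constructed copy of the first NSE probe from the --script-trace output
# in the issue above (110 bytes, offsets and ASCII column removed).
PROBE_HEX = """
16 03 00 00 69 01 00 00 65 03 03 55 1c a7 e4 72
61 6e 64 6f 6d 31 72 61 6e 64 6f 6d 32 72 61 6e
64 6f 6d 33 72 61 6e 64 6f 6d 34 00 00 0c 00 2f
00 0a 00 13 00 39 00 04 00 ff 01 00 00 30 00 0d
00 2c 00 2a 00 01 00 03 00 02 06 01 06 03 06 02
02 01 02 03 02 02 03 01 03 03 03 02 04 01 04 03
04 02 01 01 01 03 01 02 05 01 05 03 05 02
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Turn the space-separated hex copied from the trace into raw bytes."""
    return bytes.fromhex("".join(dump.split()))

def parse_client_hello(raw: bytes) -> dict:
    """Decode a TLS record carrying a ClientHello; raise if it is anything else."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", raw[:5])  # record header
    if ctype != 22:  # 22 = handshake record
        raise ValueError(f"not a handshake record: content type {ctype}")
    body = raw[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record truncated")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")  # 3-byte handshake length
    if hs_type != 1:  # 1 = ClientHello
        raise ValueError(f"not a ClientHello: handshake type {hs_type}")
    hello = body[4:4 + hs_len]
    client_ver = struct.unpack("!H", hello[:2])[0]
    random = hello[2:34]  # 4-byte gmt_unix_time + 28 random bytes
    pos = 34
    sid_len = hello[pos]; pos += 1 + sid_len  # session id (empty here)
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]; pos += 1 + comp_len  # compression methods
    ext_types = []
    if pos < len(hello):  # extensions block is optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            ext_types.append(etype)
            pos += 4 + elen
    return {"record_version": rec_ver, "client_version": client_ver,
            "random": random, "cipher_suites": suites, "extensions": ext_types}
```

The printer has no TLS stack listening on 9100; it treats whatever arrives on the raw port as print data, so the ASCII run inside the Random field comes out on paper.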

@nmap-bot nmap-bot closed this in b305ba6 Jan 25, 2021