Telnet fingerprinting nse #1083
@rewanth1997 I referenced the RFC and original tool which does not have a website anymore and hasn't been maintained since 2004. I gathered these fingerprints myself by connecting to multiple devices that I was able to positively identify; I own the devices personally, they are devices that I administer at work or stuff at friends' houses.
When you connect to a telnet service, they typically send a series of options requests/other commands. These come in a 3-byte format:
0xff command value
This script extracts those commands and outputs them as the decimal value of their ASCII values so they can be copied and pasted easily.
Connecting to several dozen Cisco IOS devices of different models and versions will yield the same "fingerprint" regardless of whether someone has changed or removed the banner, because they share the same implementation of a telnet server. The same applies to Linux telnetd, regardless of distro, the architecture of the device, or whether the administrator has set a non-stock banner.
In practice, most telnet implementations will have a unique "fingerprint" based on the data sent by the server upon connection. This has been a very reliable method of identifying at least the manufacturer/vendor of a device running telnet.
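The negotiation format described above, as an added example that is not the PR's script and not Nmap code: it walks the bytes a telnet server sends on connect, collects the 3-byte `IAC command option` sequences into a decimal fingerprint string, and stops at the first banner byte. It also handles the edge cases a fingerprinter meets in practice: a truncated command, a literal `0xff` data byte (`IAC IAC`), and a subnegotiation block (`IAC SB ... IAC SE`), which is skipped because its payload is variable. The sample bytes are constructed to show the layout and are not a capture from any vendor.

```python
# Added example (not code from the PR or from Nmap): parse the option
# negotiation a telnet server sends right after connect and turn the 3-byte
# IAC commands into a decimal "fingerprint" string, as the PR comment
# describes.  The sample input below is constructed, not a real device capture.

IAC = 0xFF
SE, NOP, SB = 0xF0, 0xF1, 0xFA
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
COMMAND_NAMES = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}

# Option numbers from the telnet option RFCs (used only for the readable form)
OPTION_NAMES = {
    0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE",
    31: "NAWS", 32: "TERMINAL-SPEED", 35: "X-DISPLAY-LOCATION", 39: "NEW-ENVIRON",
}


def parse_negotiation(data: bytes):
    """Split the server's opening bytes into (commands, remainder).

    commands is the list of 3-byte (IAC, command, option) tuples found at the
    start of the stream, in order.  Parsing stops at the first byte that is
    not IAC (the banner text), at an escaped 0xff data byte (IAC IAC), or at
    a truncated command.  Subnegotiation blocks (IAC SB ... IAC SE) are
    skipped because their payload is variable and not part of the 3-byte
    fingerprint; other 2-byte commands such as NOP are skipped too.
    """
    commands = []
    i, n = 0, len(data)
    while i < n and data[i] == IAC:
        if i + 1 >= n:
            break                      # lone IAC at end of stream: truncated
        cmd = data[i + 1]
        if cmd == IAC:
            break                      # IAC IAC is a literal 0xff data byte
        if cmd in COMMAND_NAMES:
            if i + 2 >= n:
                break                  # option byte missing: truncated
            commands.append((IAC, cmd, data[i + 2]))
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                break                  # unterminated subnegotiation
            i = end + 2
        else:
            i += 2                     # 2-byte command (NOP, GA, ...)
    return commands, data[i:]


def fingerprint(data: bytes) -> str:
    """Decimal form of each 3-byte command, e.g. '255,253,24 255,253,32'."""
    commands, _ = parse_negotiation(data)
    return " ".join(",".join(str(b) for b in cmd) for cmd in commands)


def describe(data: bytes):
    """Human-readable form of the same commands, e.g. ['DO TERMINAL-TYPE']."""
    commands, _ = parse_negotiation(data)
    return [f"{COMMAND_NAMES[c]} {OPTION_NAMES.get(o, str(o))}" for _, c, o in commands]


# Constructed sample: four DO requests followed by a login prompt.  This is an
# illustration of the byte layout, not a captured fingerprint of any vendor.
SAMPLE = b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27Login: "

if __name__ == "__main__":
    print(fingerprint(SAMPLE))
    print(describe(SAMPLE))
    print(parse_negotiation(SAMPLE)[1])
```

The decimal string is what you would paste into a fingerprint table; `describe` is only there so the same bytes can be read while building that table. Because parsing stops at the first non-IAC byte, a changed or removed banner does not alter the result, which is the property the comment above relies on.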
I appreciate your work on this script, but I don't see why we can't make these into service matches in
You will notice that we already have one exactly like this for Huawei devices.
Can you try this and let us know if it produces results you would expect? The service matching engine is much faster than NSE when it comes to this sort of thing, and more people use it.
@dmiller-nmap Many of these signatures were present already in nmap-service-probes
Order mattered for some of these, too. For instance HP LaserJet and Moxa devices:
This was incorrectly reporting Moxa devices as LaserJet printers.
The following have been verified and did not have entries in this file to my knowledge:
```
softmatch telnet m|^\xff\xfd\x18(?!\xff)| p/GE Multilin/
```
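To show how a `softmatch` line like the one above is applied, and why the ordering point raised earlier in this thread matters, here is an added example that is not Nmap's own matching engine: a minimal reader for the `softmatch <service> m|<regex>|<flags> p/<product>/` line shape, run in file order against a few constructed banners. The first entry is the GE Multilin line from this comment; the two "Hypothetical Vendor" entries are made up (not the real Moxa or LaserJet signatures) purely to demonstrate that when one pattern's opening bytes are a prefix of another's, the longer pattern has to come first or the shorter one will claim the match.

```python
import re

# Added example (not Nmap's code): a minimal reader for the 'softmatch' line
# format used in nmap-service-probes, applied in file order to constructed
# telnet banners.  The first PROBE_LINES entry is the GE Multilin line from
# the PR comment; the "Hypothetical Vendor" lines are made up to show why
# the order of overlapping patterns matters and are not real signatures.

SOFTMATCH_LINE = re.compile(r"^softmatch\s+(\S+)\s+m(.)(.*?)\2([a-z]*)\s+p/([^/]*)/")


def parse_softmatch(line: str):
    """Return (service, compiled bytes regex, product) for one softmatch line.

    Nmap patterns are written with \\xhh escapes; encoding the pattern text as
    latin-1 and compiling it as a bytes regex lets Python interpret those
    escapes the same way, so the regex can be run on raw banner bytes.
    """
    m = SOFTMATCH_LINE.match(line)
    if not m:
        raise ValueError(f"unrecognised softmatch line: {line!r}")
    service, _delim, pattern, flags, product = m.groups()
    re_flags = 0
    if "i" in flags:
        re_flags |= re.IGNORECASE
    if "s" in flags:
        re_flags |= re.DOTALL
    return service, re.compile(pattern.encode("latin-1"), re_flags), product


def first_match(lines, banner: bytes):
    """Product of the first line whose regex matches, mirroring file order."""
    for line in lines:
        _service, regex, product = parse_softmatch(line)
        if regex.search(banner):
            return product
    return None


PROBE_LINES = [
    # from the PR comment
    r"softmatch telnet m|^\xff\xfd\x18(?!\xff)| p/GE Multilin/",
    # constructed: A's opening bytes are a superset of B's, so A must come first
    r"softmatch telnet m|^\xff\xfd\x01\xff\xfd\x1f\xff\xfb\x01| p/Hypothetical Vendor A/",
    r"softmatch telnet m|^\xff\xfd\x01\xff\xfd\x1f| p/Hypothetical Vendor B/",
]

# Constructed banners (byte layouts for illustration, not captures)
GE_LIKE = b"\xff\xfd\x18\r\nLogin: "            # a single DO TERMINAL-TYPE, then text
MULTI_DO = b"\xff\xfd\x18\xff\xfd\x20Login: "    # DO TERMINAL-TYPE followed by another IAC
VENDOR_A = b"\xff\xfd\x01\xff\xfd\x1f\xff\xfb\x01\r\n"

if __name__ == "__main__":
    print(first_match(PROBE_LINES, GE_LIKE))     # GE Multilin
    print(first_match(PROBE_LINES, MULTI_DO))    # None: the (?!\xff) lookahead rejects it
    print(first_match(PROBE_LINES, VENDOR_A))    # Hypothetical Vendor A
    swapped = [PROBE_LINES[0], PROBE_LINES[2], PROBE_LINES[1]]
    print(first_match(swapped, VENDOR_A))        # Hypothetical Vendor B: misattributed
```

Two things this makes visible when checking a new entry. The `(?!\xff)` in the GE Multilin line means it only fires when `DO TERMINAL-TYPE` is the sole negotiation before text; a server that follows it with another `IAC` command falls through to later entries. And the swapped run is exactly the failure mode described for Moxa and LaserJet: a shorter prefix pattern placed above a longer one absorbs the longer one's devices, so a new softmatch should be tested against the banners of every entry it shares a prefix with, not only against its own.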