Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Telnet fingerprinting nse #1083

Closed
wants to merge 7 commits into from
Closed

Telnet fingerprinting nse #1083

wants to merge 7 commits into from

Conversation

droberson
Copy link

This fingerprints telnet services. Based on the old telnetfp tool.

@droberson droberson changed the title initial commit Telnet fingerprinting nse Dec 10, 2017
Copy link
Contributor

@rewanthtammana rewanthtammana left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please make these changes.


Original idea from telnetfp by Palmers of Team TESO.

Please send new or incorrect fingerprint data to daniel@planethacker.net
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Avoid putting your email address here, leave a general dev@nmap.org or completely skip it.



-- Fingerprint table. Please keep in alphabetical order!
fp_table = {}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Prefer using local variables.

end

-- Search table for matches
output.Match = "No matches found. Please submit fingerprints to daniel@planethacker.net"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Avoid putting your email address here, leave a general dev@nmap.org or completely skip it.

@@ -0,0 +1,96 @@
local stdnse = require "stdnse"
local shortport = require "shortport"
local comm = require "comm"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove unused libraries.


-- Fingerprint table. Please keep in alphabetical order!
fp_table = {}
fp_table["255 251 1"] = "APC, Windows CE"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add reference links for these fingerprints in the description above.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the only item I was unsure about. I do not know what you mean by adding reference links in the description.

@droberson
Copy link
Author

I did the recommended fixes with the exception of adding reference links to the fingerprints, because I was unsure what was meant by this.

@rewanthtammana
Copy link
Contributor

@droberson I'm sure you didn't create the fingerprints on your own, you must have got them from somewhere, right? By reference links to the fingerprints , I meant the list of websites from which you were able to get these fingerprints.

@droberson
Copy link
Author

droberson commented Dec 13, 2017

@rewanth1997 I referenced the RFC and original tool which does not have a website anymore and hasn't been maintained since 2004. I gathered these fingerprints myself by connecting to multiple devices that I was able to positively identify; I own the devices personally, they are devices that I administer at work or stuff at friends' houses.

When you connect to a telnet service, they typically send a series of options requests/other commands. These come in a 3-byte format:

0xff command value

This script extracts those commands and outputs them as the decimal value of their ASCII values so they can be copied and pasted easily.

Connecting to several dozen Cisco IOS devices of different models and versions will yield the same "fingerprint" regardless of if someone has changed or removed the banner because they share the same implementation of a telnet server. The same applies to Linux telnetd, regardless of distro, the architecture of the device, or if the administrator has set a non-stock banner.

In practice, most telnet implementations will have a unique "fingerprint" based on the data sent by the server upon connection. This has been a very reliable method of identifying at least the manufacturer/vendor of a device running telnet.

@rewanthtammana
Copy link
Contributor

@cldrn @dmiller-nmap This looks good to me and is working good. Final confirmation please.

@dmiller-nmap
Copy link

dmiller-nmap commented Jan 22, 2018

I appreciate your work on this script, but I don't see why we can't make these into service matches in nmap-service-probes. If, as I understand it, the method is to collect all the Telnet directives (IACs) until the first non-IAC byte, then you should be able to put these into that file just after # Specific vendor telnet options that should be matched more accurately by prompt, etc:

softmatch telnet m|^\xff\xfb\x01(?!\xff)| p|APC PDU/UPS devices or Windows CE telnetd|
softmatch telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\xff\xfd\x1f(?!xff)| p/Aruba telnetd/
softmatch telnet m|^\xff\xfd\x03(?!xff)| p/Cisco telnetd/
softmatch telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f(?!xff)| p/Cisco IOS telnetd/
softmatch telnet m|^\xff\xfd\x1f(?!xff)| p/Cowrie Honeypot telnetd/
softmatch telnet m|^\xff\xfd\x03\xff\xfb\x03\xff\xfb\x01(?!xff)| p/Enterasys telnetd/
softmatch telnet m|^\xff\xfb\x01\xff\xfb\x03(?!xff)| p/HP LaserJet telnetd/ d/printer/
softmatch telnet m|^\xff\xfb\x03\xff\xfb\x01(?!xff)| p/HP Integrated Lights Out telnetd/ d/remote management/
softmatch telnet m|^\xff\xfc\x01(?!xff)| p/HP JetDirect telnetd/ d/printer/
softmatch telnet m|^\xff\xfb\x01\xff\xfb\x01\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f(?!xff)| p/Huawei telnetd/
softmatch telnet m|^\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27(?!xff)| p/Linux telnetd/ o/Linux/ cpe:/o:linux:linux_kernel/a
softmatch telnet m|^\xff\xfd\x25\xff\xfb\x01\xff\xfb\x03\xff\xfd\x27\xff\xfd\x1f\xff\xfd\x00\xff\xfb\x00(?!xff)| p/Microsoft Telnet Service telnetd/
softmatch telnet m|^\xff\xfd\x25\xff\xfb\x01\xff\xfd\x03\xff\xfd\x1f\xff\xfd\x00\xff\xfb\x00(?!xff)| p/Windows NT 4.0 telnetd/ o/Windows/ cpe:/o:microsoft:windows_nt:4.0/a
softmatch telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfb\x00\xff\xfd\x01\xff\xfd\x00(?!xff)| p/Moxa Serial to Ethernet telnetd/

You will notice that we already have one exactly like this for Huawei devices.

Can you try this and let us know if it produces results you would expect? The service matching engine is much faster than NSE when it comes to this sort of thing, and more people use it.

@droberson
Copy link
Author

Shucks. This is a way better solution. I should have looked into this more beforehand.

@dmiller-nmap
Copy link

@droberson If you can confirm these softmatch lines look/work OK, we will add them and still credit you in the CHANGELOG.

@droberson
Copy link
Author

@dmiller-nmap Many of these signatures were present already in nmap-service-probes

Order mattered for some of these, too. For instance HP laserjet and Moxa devices:
softmatch telnet m|^\xff\xfb\x01\xff\xfb\x03(?!xff)| p/HP LaserJet telnetd/ d/printer/
softmatch telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfb\x00\xff\xfd\x01\xff\xfd\x00(?!xff)| p/Moxa Serial to Ethernet telnetd/

This was incorrectly reporting Moxa devices as LaserJet printers.

The following have been verified and did not have entries in this file to my knowledge:

softmatch telnet m|^\xff\xfd\x18(?!\xff)| p/GE Multilin/
softmatch telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfb\x00\xff\xfd\x01\xff\xfd\x00(?!xff)| p/Moxa Serial to Ethernet telnetd/
softmatch telnet m|^\xff\xfd\x1f(?!xff)| p/Cowrie Honeypot/
softmatch telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\xff\xfd\x1f(?!xff)| p/Aruba telnetd/

@dmiller-nmap
Copy link

Ah, I see I was missing a backslash in the negative lookahead. I'll fix that and commit; that should fix the order problem. Thanks!

@nmap-bot nmap-bot closed this in b7b29b0 Jan 25, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants