Miscellaneous SNMP, FTP, SSH and HTTP fingerprints #64
Conversation
| @@ -184,8 +184,9 @@ against these patterns to fingerprint FTP servers. | |||
| <param pos="0" name="service.family" value="ProFTPD"/> | |||
| <param pos="0" name="service.product" value="ProFTPD"/> | |||
| </fingerprint> | |||
| <fingerprint pattern="^-{10} Welcome to Pure-FTPd (.*)-{10}$"> | |||
| <fingerprint pattern="^-{9,10} Welcome to Pure-FTPd (.*)-{9,10}$"> | |||
There was a problem hiding this comment.
is looking for the ----'s even needed?
There was a problem hiding this comment.
I've never seen a default Pure-FTPDd banner that didn't have them, but that doesn't mean there aren't any. In general, in situations like this, we use our best judgement.
I took a look, and Pure-FTPd versions at least from 1.0.11 to 1.0.13 (all from November 2002) use the following for a default banner:
addreply_noformat(0, "=(<*>)=-.:. (( " MSG_WELCOME_TO
" PureFTPd " VERSION " )) .:.-=(<*>)=-");
Versions newer than that, however, use 9 (not 10) -s. My guess is that the original regex here was wrong but I don't know where that example came from. For now I'd say that the 9 is more correct based on source code but 9-10 may be more accurate for all versions of Pure-FTPd.
For now, I'm going to expand this to account for both variants.
| @@ -184,11 +184,21 @@ against these patterns to fingerprint FTP servers. | |||
| <param pos="0" name="service.family" value="ProFTPD"/> | |||
| <param pos="0" name="service.product" value="ProFTPD"/> | |||
| </fingerprint> | |||
| <fingerprint pattern="^-{10} Welcome to Pure-FTPd (.*)-{10}$"> | |||
| <fingerprint pattern="^=\(<\*>\)=\-\.:\. \(\( Welcome to Pure-FTPd ([\d\.]+) \)\) \.:\.\-=\(<\*>\)=\-$"> | |||
There was a problem hiding this comment.
Don't need to escape -'s because they're not in blocks.
Don't need to escape the . in the block for the version because it's not considered a wild card inside a block.
There was a problem hiding this comment.
The dot seems necessary here as well to match the literal .:.
There was a problem hiding this comment.
Paul's comment about . was for ([\d\.]+), which is correct. Fixed on both accounts (nice catch).
Found after using Recog data to fingerprint a private lab.