Miscellaneous SNMP, FTP, SSH and HTTP fingerprints #64
@@ -184,8 +184,9 @@ against these patterns to fingerprint FTP servers. | |||
<param pos="0" name="service.family" value="ProFTPD"/> | |||
<param pos="0" name="service.product" value="ProFTPD"/> | |||
</fingerprint> | |||
<fingerprint pattern="^-{10} Welcome to Pure-FTPd (.*)-{10}$"> | |||
<fingerprint pattern="^-{9,10} Welcome to Pure-FTPd (.*)-{9,10}$"> |
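Review bot: the greedy `(.*)` on the `+` line, followed by the variable-width terminator `-{9,10}$`, makes the capture depend on how many closing dashes the banner has: the engine gives the terminator the minimum nine it needs, so on a ten-dash banner the capture ends in `-`, and on any banner it keeps the space before the closing dashes (for "Pure-FTPd [privsep] [TLS] ----------" the group is "[privsep] [TLS] -"). A lazy capture with an optional space, `(.*?) ?-{9,10}$`, returns the bare text in both the nine- and ten-dash cases. The hunk does not show the `<param>` lines that consume this group, so which field receives the value cannot be checked here.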
Is looking for the ----'s even needed?
I've never seen a default Pure-FTPd banner that didn't have them, but that doesn't mean there aren't any. In general, in situations like this, we use our best judgement.
I took a look, and Pure-FTPd versions at least from 1.0.11 to 1.0.13 (all from November 2002) use the following for a default banner:
addreply_noformat(0, "=(<*>)=-.:. (( " MSG_WELCOME_TO
" PureFTPd " VERSION " )) .:.-=(<*>)=-");
Versions newer than that, however, use 9 (not 10) -s. My guess is that the original regex here was wrong but I don't know where that example came from. For now I'd say that the 9 is more correct based on source code but 9-10 may be more accurate for all versions of Pure-FTPd.
For now, I'm going to expand this to account for both variants.
@@ -184,11 +184,21 @@ against these patterns to fingerprint FTP servers. | |||
<param pos="0" name="service.family" value="ProFTPD"/> | |||
<param pos="0" name="service.product" value="ProFTPD"/> | |||
</fingerprint> | |||
<fingerprint pattern="^-{10} Welcome to Pure-FTPd (.*)-{10}$"> | |||
<fingerprint pattern="^=\(<\*>\)=\-\.:\. \(\( Welcome to Pure-FTPd ([\d\.]+) \)\) \.:\.\-=\(<\*>\)=\-$"> |
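Review bot: the `+` line expects "Welcome to Pure-FTPd", but the 1.0.11 to 1.0.13 source quoted in the discussion builds the banner from `MSG_WELCOME_TO " PureFTPd " VERSION`, with no hyphen in the product name, so as written this fingerprint would not match the banner it was added for; unless a real capture shows the hyphen, `Pure-?FTPd` covers both spellings. Minor: `\-` outside a character class and `\.` inside `[\d\.]` are redundant escapes (already raised in the thread). The header says ten lines were added in this region but only this one is visible, so whether the `-{9,10}` dash variant from the earlier revision still exists cannot be confirmed from the hunk.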
Don't need to escape -'s because they're not in blocks.
Don't need to escape the . in the block for the version because it's not considered a wild card inside a block.
The dot seems necessary here as well to match the literal .:.
Paul's comment about `.` was for `([\d\.]+)`, which is correct. Fixed on both accounts (nice catch).
Fixed.
Found after using Recog data to fingerprint a private lab.
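An added example, not code from Recog or from this PR: the two Pure-FTPd patterns from the hunks above run in Ruby (Recog fingerprints are Ruby regexps) against constructed banners, next to tightened variants, to show what each capture group actually returns on nine- and ten-dash banners and on the 2002-era banner. It goes a little beyond the thread by exercising both dash widths with and without text between the product name and the closing dashes. The banner strings, the `[privsep] [TLS]` text, the expansion of `MSG_WELCOME_TO` and `VERSION`, and the helper names `capture` and `fingerprint` are this example's assumptions.

```ruby
# Added example for this PR thread; it is not Recog's code nor code from
# the PR. It runs the two Pure-FTPd patterns from the hunks against
# constructed banners and shows what their capture groups return.

# Patterns exactly as they appear on the "+" lines of the two hunks.
# Recog fingerprints are Ruby regexps, so they are used unchanged.
DASH_PATTERN = /^-{9,10} Welcome to Pure-FTPd (.*)-{9,10}$/
OLD_PATTERN  = /^=\(<\*>\)=\-\.:\. \(\( Welcome to Pure-FTPd ([\d\.]+) \)\) \.:\.\-=\(<\*>\)=\-$/

# Tightened variants (this example's suggestion, not the PR's text):
#  - a lazy capture plus an optional space, so a ten-dash banner does not
#    leak one dash into the capture and the capture has no trailing space;
#  - \A and \z instead of ^ and $, which in Ruby also match at line breaks;
#  - "Pure-?FTPd", because the 1.0.1x source quoted in the thread prints
#    "PureFTPd" without a hyphen while the hunk pattern expects "Pure-FTPd".
DASH_TIGHT = /\A-{9,10} Welcome to Pure-FTPd (.*?) ?-{9,10}\z/
OLD_TIGHT  = /\A=\(<\*>\)=-\.:\. \(\( Welcome to Pure-?FTPd ([\d.]+) \)\) \.:\.-=\(<\*>\)=-\z/

# Constructed sample banners (not captured from real hosts); the FTP
# "220-" reply prefix is assumed to be stripped before matching.
BANNERS = {
  nine_dashes_opts: "--------- Welcome to Pure-FTPd [privsep] [TLS] ---------",
  ten_dashes_plain: "---------- Welcome to Pure-FTPd ----------",
  ten_dashes_opts:  "---------- Welcome to Pure-FTPd [privsep] [TLS] ----------",
  # Built from the addreply_noformat() literal quoted in the thread, assuming
  # MSG_WELCOME_TO expands to "Welcome to" and VERSION to "1.0.13".
  art_2002:         "=(<*>)=-.:. (( Welcome to PureFTPd 1.0.13 )) .:.-=(<*>)=-",
  not_pure_ftpd:    "220 ProFTPD 1.3.5 Server ready.",
}.freeze

# First capture group a pattern yields for a banner, or nil when it does
# not match at all (an empty string means "matched, nothing captured").
def capture(pattern, banner)
  m = pattern.match(banner)
  m && m[1]
end

# Ordered [pattern, name-of-captured-field] pairs; first match wins.
PATTERNS = [
  [DASH_TIGHT, :info],     # newer dash banner: optional build flags
  [OLD_TIGHT,  :version],  # 2002-era banner: version number
].freeze

# Classify a banner the way a fingerprint table is walked: the first
# matching entry decides the product and supplies its captured field.
def fingerprint(banner, patterns = PATTERNS)
  patterns.each do |pattern, field|
    m = pattern.match(banner)
    return { product: "Pure-FTPd", field => m[1] } if m
  end
  nil
end

if $PROGRAM_NAME == __FILE__
  BANNERS.each do |name, banner|
    printf("%-17s greedy=%-20p tight=%p\n", name,
           capture(DASH_PATTERN, banner), capture(DASH_TIGHT, banner))
  end
  p capture(OLD_PATTERN, BANNERS[:art_2002])   # nil: hyphen mismatch
  p fingerprint(BANNERS[:art_2002])            # product Pure-FTPd, version "1.0.13"
end
```

Run it with `ruby pureftpd_banners.rb`. The greedy column shows `"[privsep] [TLS] -"` for the ten-dash banner and a bare `"-"` for the ten-dash banner with no options, which is the dash leaking into the capture; the tight column returns the options alone or `""`. Whether the hyphen in "Pure-FTPd" belongs in the 2002-era pattern has to be settled against a banner captured from a real 1.0.1x server, not from this example's reconstruction.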