NMAP is probably the most known long standing and community involved security-related project in the Open Source universe ever. And it is quite naturally to think that there is nothing left to be done to improve it by end users like us, and of course the opposite is the case. If we forget for a second all the complex C/C++/Lua/etc coding involved to sharpen the algorithms and performance of the Nmap, after all it is a signature based network scanner that is as good as its signatures are. And here you can never get enough.
Just find some over the shelf network equipment, run a scan on it , be surprised that it is not recognized by Nmap and contribute its signature back to the Nmap communa, then buy yourself a beer and put a sign in your cube ” I contributed to Nmap” 🙂
— So how do you do this? Piece of cake.
When running scan with -sV option (version detection of the software) if the target is not known to the Nmap it will print out as the output the Nmap-style fingerprint of the scanned service. It is ok to just take copy and paste it here : http://insecure.org/cgi-bin/submit.cgi, but then I wouldn’t write this article. So let’s do some practice.
There is a nice anti-spam and anti-virus appliance called PineApp Mailsecure , produced by Israel company named (surprise ..) Pineapp and which is quite popular at least here in Israel. Unfortunately Nmap does not recognize it beyond having an opened port of 25.
Here is the result of the Nmap scan.
NSE: Loaded 4 scripts for scanning.
Initiating SYN Stealth Scan at 15:41
Scanning 12.12.12.12 [1000 ports]
Discovered open port 25/tcp on 12.12.12.12
Completed SYN Stealth Scan at 15:41, 4.88s elapsed (1000 total ports)
Initiating Service scan at 15:41
Scanning 2 services on 12.12.12.12
Completed Service scan at 15:41, 13.88s elapsed (2 services on 1 host)
NSE: Script scanning 12.12.12.12.
NSE: Script Scanning completed.
Nmap scan report for 12.12.12.12
Host is up (0.015s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
25/tcp open smtp
113/tcp closed auth
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port25-TCP:V=5.21%I=7%D=3/19%Time=4D14329D%P=i686-pc-linux-gnu%r(NULL,2
SF:5,”220\x20Ready\x20to\x20receive\x20mail\x20-=-\x20ESMTP\r\n”)%r(Hello,
SF:8E,”220\x20Ready\x20to\x20receive\x20mail\x20-=-\x20ESMTP\r\n250-Ready\
SF:x20to\x20receive\x20mail\x20-=-\r\n250-AUTH\x20LOGIN\x20PLAIN\r\n250-AU
SF:TH=LOGIN\x20PLAIN\r\n250-PIPELINING\r\n250\x208BITMIME\r\n”)%r(Help,28,
SF:”451\x20Rejected\x20due\x20to\x20illegal\x20pipelining\r\n”)%r(GenericL
SF:ines,28,”451\x20Rejected\x20due\x20to\x20illegal\x20pipelining\r\n”);
Read data files from: /usr/local/share/nmap
So let’s fix this,but first some preliminary knowledge of importance.
All its service signatures Nmap keeps in the file nmap-service-probes that has some predefined keywords that are easy to remember and use :
-First we want to create a probe to define what string to which port to send, it goes like this:
In our case the target service is SMTP so no changes are due to the existing probe,
The above means send word EHLO once connected.
Next line starts with the word rarity and its value. The higher the number the less is the probability of running this service probe, leave it as is in our case, as it will be run if previous port scanning reports port 25 as open.
rarity 8
The rarity line is followed by the list of ports for which this service probe will be triggered once they are reported as open. Again , in our case we leave it as is:
ports 25,587,3025
Then goes sslports keyword to specify SSL enabled ports, finally followed by totalwaitms also of no interest here .
Now we come to the good stuff – many lines doing matches of different vendors/equipment that all and each start with keyword match. let’s have a closer look at it:
match m|matching regex pattern Perl style| [version/device/hardware optional info]
The best way to get it is via an existing match in the file:
match smtp m|^220\s+(DP-\d+)\r\n250-Hello\r\n250-DSN\r\n| p/Panasonic smtpd/ v/$1/ i/Panasonic printer/ d/printer/
It basically says:
Send EHLO command to the target,check output the output from the target and look for string that starts with 220 followed by printable string of variable length, followed
by word DP- then decimal number, note – here () allow to later reference the matched part of the string inside (), followed by Return and New Line char (\r\n), followed by word “250-DSN” and finally followed by return + new line (\r\n). If such match is found then print to the terminal string “Panasonic smtpd” , in version field (v/$1/) print what was matched by (DP-\d+) and in device type field print printer (d/printer/).
That is it to it. Now let’s create a signature for the PineApp.
We have 2 options here – to actually run a scan against the PineApp target and decipher the output, or , what I do here, use the common sense.
First I will try to do what Nmap Probe EHLo does – namely connect by telnet to port 25 and issue EHLO command. After that I will try to compile a regex expression matching the output.
Connected to earth.planet.co (12.12.12.12).
Escape character is ‘^]’.
220 Ready to receive mail -=- ESMTP
helo a
250 Ready to receive mail -=-
quit
221 Ready to receive mail -=-
Connection closed by foreign host.
Well, the regex is not that hard to do here:
match smtp m|^220 Ready to receive mail -=- ESMTP\r\n| p/PineApp Mail-secure/ i/PineApp Av and Antispam mail gateway/ o/Linux/
I edit /usr/local/share/nmap/nmap-service-probes and insert the above regex under Probe TCP Hello where the matches start, save it and run the Nmap on the same host not recognized before:
Nmap scan report for 12.12.12.12
Host is up (0.012s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
25/tcp open smtp PineApp Mail-secure (PineApp Av and Antispam mail gateway)
113/tcp closed auth
Service Info: OS: Linux
