# Nmap service detection probe list -*- mode: fundamental; -*-# $Id: nmap-service-probes 2842 2005-09-07 22:37:43Z fyodor $ ## This is a database of custom probes and expected responses that the# Nmap Security Scanner ( http://www.insecure.org/nmap/ ) uses to# identify what services (eg http, smtp, dns, etc.) are listening on# open ports.  Contributions to this database are welcome.  We hope to# create an automated submission system (as with OS fingerprints), but# for now you can email fyodor any new probes you develop so that he# can include them in the main Nmap distributon.  By sending new# probe/matches to Fyodor or one the insecure.org development mailing# lists, it is assumed that you are transfering any and all copyright# interest in the data to Fyodor so that he can modify it, relicense# it, incorporate it into programs, etc. This is important because the# inability to relicense code has caused devastating problems for# other Free Software projects (such as KDE and NASM).  Nmap will# always be available Open Source.  If you wish to specify special# license conditions of your contributions, just say so when you send# them.## This collection of probe data is (C) 2003 by Insecure.Com LLC It is# available for free use by open source software under the terms of# the GNU General Public License.  We also license the data to# selected commercial/proprietary vendors under less restrictive# terms.  Contact sales@insecure.com for more information.## For details on how Nmap version detection works, why it was added,# the grammar of this file, and how to detect and contribute new# services, see our paper at# http://www.insecure.org/nmap/versionscan.html .# The Exclude directive takes a comma separated list of ports.# The format is exactly the same as the -p switch.Exclude T:9100# This is the NULL probe that just compares any banners given to us##############################NEXT PROBE##############################Probe TCP NULL q||# Wait for at least 6 seconds for data.  It used to be 5, but some# smtp services have lately been instituting an artificial pause (see# FEATURE('greet_pause') in Sendmail, for example)totalwaitms 6000match acap m|^\* ACAP \(IMPLEMENTATION \"CommuniGate Pro ACAP (\d[-.\w]+)\"\) | p/CommuniGate Pro ACAP server/ i/for mail client preference sharing/ v/$1/# AMANDA index server 2.4.2p2 on Linux 2.4match amanda m|^220 ([-.\w]+) AMANDA index server \((\d[-.\w ]+)\) ready\.\r\n| p/Amanda backup system index server/ v/$2/ h/$1/ o/Unix/match antivir m|^220 Symantec AntiVirus Scan Engine ready\.\r\n| p/Symantec AntiVirus Scan Engine/match antivir m|^200 NOD32SS ([\d.]+) \((\d+)\)\r\n| p/NOD32 AntiVirus/ v/$1 ($2)/match aplus m|^\x01\xff\0\xff\x01\x1d\0\xfd\0\n\x03\x05A\+ API \(([\d.]+)\) - CCS \(([\d.]+)\)\0| p/Cleo A+/ i/API $1; CSS $2/# arkstats (part of arkeia-light 5.1.12 Backup server) on Linux 2.4.20match arkstats m|^\0`\0\x03\0\0\0\x1810\x000\x000\x00852224\0\0\0\0\0\0\0\0\0\0\0| p/Arkeia arkstats/match artsd m|^MCOP\0\0\0.\0\0\0\x01\0\0\0\x10aRts/MCOP-([\d.]+)\0\0\0\0|s p/artsd/ i/MCOP $1/match audit m|^Visionsoft Audit on Demand Service\r\nVersion: ([\d.]+)\r\n\r\n| p/Visionsoft Audit on Demand Service/ v/$1/ o/Windows/match backdoor m|^220 jeem\.mail\.pv ESMTP\r\n| p/Jeem backdoor/ i/**BACKDOOR**/ o/Windows/match backdoor m|^\r\nUser Access Verification\r\n\r\nYour PassWord:| p/Jeem backdoor/ i/**BACKDOOR**/ o/Windows/match backdoor m|^ \r\n$| p/OptixPro backdoor/ i/**BACKDOOR**/ o/Windows/match backdoor m|^echo o [\d.]+ \d+ >s\r\necho common>> s\r\necho common>> s\r\necho bin>> s\r\necho get m220\.exe| p/JTRAM backdoor/ i/**BACKDOOR**/ o/Windows/match backdoor m|^220 Bot Server \(Win32\)\r\n$| p/Gaobot backdoor/ i/**BACKDOOR**/ o/Windows/match backdoor m|^PWD$| p/Subseven backdoor/ i/**BACKDOOR**/ o/Windows/match backdoor m|^=+\n= +RBackdoor ([\d.]+) | p/RBackdoor/ v/$1/ i/**BACKDOOR**/ o/Windows/match backdoor m|^220 Windrone Server \(Win32\)\r\n$| p/NerdBot backdoor/ i/**BACKDOOR**/ o/Windows/# Bittorrent Client 3.2.1b on Linux 2.4.Xmatch bittorent m|^\x13BitTorrent protocol\0\0\0\0\0\0\0\0| p/Bittorrent P2P client/# BMC Software Patrol Agent 3.45match bmc-softwarepatrol m|^\0\0\0\x17i\x02\x03..\0\x05\x02\0\x04\x02\x04\x03..\0\x03\x04\0\0\0\0\x01\x01\0| p/BMC Software Patrol Agent/match buildservice m|^200 HELLO - BuildForge Agent v([\d.]+)\n| p/BuildForge Agent/ v/$1/match buildservice m|^\$\0\0\0\$\0\0\x000RAR\0 \0\0.\xe2\x02\0\xc4G\x0f\0\0\0\0\0\0\0\0\0\0\0\0\0|s p/Xoreax IncrediBuild/ o/Windows/match cddbp m|^201 ([\w-_.]+) CDDBP server v([\w-.]+) ready at .*\r\n| p/freedb cddbp server/ v/$2/ h/$1/match chargen m|^!"#\$%\&'\(\)\*\+,-\./0123456789:;<=>\?\@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\\\]\^_`abcdefgh\r\n"#\$%\&'\(\)\*\+,-\./0123456789:;<=>\?\@ABCDEF| p/Linux chargen/ o/Linux/# Redhat 7.2, xinetd 2.3.7 chargenmatch chargen m|^\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\\\]\^_`abcdefghijklmnopq\r\n\+,-\./| p/xinetd chargen/ o/Unix/# Sun Solaris 9; Windowsmatch chargen m|^\ !"#\$%&'\(\)\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\\\]\^_|# Mandrake Linux 9.2, xinetd 2.3.11 chargenmatch chargen m|NOPQRSTUVWXYZ\[\\\]\^_`abcdefghijklm| p/xinetd chargen/ o/Unix/match chargen m|^\*\*\* Port V([\d.]+) !\"#\$%&'\(\)\*\+,-\./0123456789:| p/Lantronix chargen/ v/$1/match chat m|^WebStart Chat Service Established\.\.\.\r\n\(C\) 2000-\d+ R Gabriel all Rights Reserved\r\n| p/WebStart Chat Service/match chat m|^\*\x01..\0\x04\0\0\0\x01$|s p/AIM or ICQ server/match chat-ctl m|^InfoChat Server v([\d.]+) Remote Control ready\n\r| p/InfoChat Remote Control/ v/$1/match chess m=^\n\r             _       __     __                             __      \n\r            \| \|     / /__  / /________  ____ ___  ___     / /_____ \n\r            \| \| /\| / / _ \\/ / ___/ __ \\/ __ `__ \\/ _ \\   / __/ __ \\\n\r= p/Lasker Internet Chess server/# Citrix, Metaframe XP on Windowsmatch citrix-ica m|^\x7f\x7fICA\0\x7f\x7fICA\0| p/Citrix Metaframe XP ICA/ o/Windows/match clsbd m|^\0\0\0\x10ClsBoolVersion 1$| p/Cadence IC design daemon/match concertosendlog m|^Concerto Software\r\n\r\nEnsemblePro SendLog Server - Version (\d[-.\w]+)\r\n\r\nEnter Telnet Password\r\n#> | p/Concerto Software EnsemblePro CRM software SendLog Server/ v/$1/match concertotimesync m|^Concerto Software\r\n\r\nContactPro TimeSync Server - Version (\d[-.\w]+)\r\n\r\nEnter Telnet Password\r\n#> | p/Concerto Software EnsemblePro CRM software TimeSync Server/ v/$1/match conference m|^Conference, V([\d.]+)\r\n$| p/Forum Communcations conferenced/ v/$1/match complex-link m|^\x06\x07\xd0\0\x01\0\0\0\x01\0\x02\x07\xd0\0\x01\0\0\x01\x0f\x01\xf4\0\0\0\0HP +LTO ULTRIUM| p/HP LTO Ultrium data port/ d/storage-misc/# CompTek AquaGateKeeper (Telephony package) http://aqua.comptek.rumatch H.323/Q.931 m|^\x03\0\0.*@| p/CompTek AquaGateKeeper/# Cisco router running IOS 12.1.5-12.2.13amatch H.323/Q.931 m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f$| p/Cisco router/ d/router/ o/IOS/match cvspserver m|^no repository configured in /| p/CVS pserver/ i/broken/match cvspserver m|^/usr/sbin/cvs-pserver: line \d+: .*cvs: No such file or directory\n| p/CVS pserver/ i/broken/match cvsup m|^OK \d+ \d+ ([-.\w]+) CVSup server ready\n| p/CVSup/ v/$1/match damewaremr m|^0\x11\0\0...........@........\x01\0\0\0\x01\0\0\0\0\0\0\0.\0\0\0$|s p/DameWare Mini Remote Control/ o/Windows/# Linuxmatch daytime m|^[0-3]\d [A-Z][A-Z][A-Z] 20\d\d \d\d:\d\d:\d\d \S+\r\n|# OpenBSD 3.2match daytime m|^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} +\d\d:\d\d:\d\d 20\d\d\r\n|# Solaris 8,9match daytime m|^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} +\d\d:\d\d:\d\d 20\d\d\n\r| p/Sun Solaris daytime/ o/Solaris/# Windows daytimematch daytime m|^\d+:\d\d:\d\d [AP]M \d+/\d+/200\d\n$| p/Microsoft Windows USA daytime/ o/Windows/# Windows daytime - UK english I think (no AM/PM)match daytime m|^\d\d:\d\d:\d\d \d\d.\d\d.200\d\n$| p/Microsoft Windows International daytime/ o/Windows/# daytime on Windows 2000 Servermatch daytime m|^.... \d{1,2}:\d{1,2}:\d{1,2} 200\d-\d{1,2}-\d{1,2}\n$| p/Microsoft Windows daytime/ o/Windows/# Windows NT daytimematch daytime m|^[A-Z][a-z]+day, [A-Z][a-z]+ \d{1,2}, 200\d \d{1,2}:\d\d:\d\d\n\0$| p/Microsoft Windows daytime/ o/Windows/# Windows 2000 Adv Server sp-4 daytimematch daytime m|^[A-Z][a-z][a-z] [A-Z][a-z][a-z] \d{1,2} \d{1,2}:\d{1,2}:\d{1,2} 200\d\n| p/Microsoft Windows daytime/ o/Windows/# Windows 2003 Server daytmematch daytime m|^\d{1,2}\.\d{1,2}\.\d{1,2} \d\d/\d\d/200\d\n| p/Microsoft Windows daytime/ o/Windows/# Windows 2000 Prof. Central European formatmatch daytime m|^\d{1,2}:\d\d:\d\d \d{1,2}\.\d{1,2}\.200\d\n$| p/Microsoft Windows daytime/ o/Windows/# Windows International daytimematch daytime m|^\d\d:\d\d:\d\d \d\d.\d\d.200\d\n$| p/Microsoft Windows International daytime/ o/Windows/# New Zealand format daytime - Windows 2000match daytime m|^[01]\d:\d\d:\d\d [AP]M [0-3]\d/[01]\d/0\d\n$| p/Microsoft Windows daytime/ i/New Zealand style/ o/Windows/# HP-UX B.11.00 A inetd daytimematch daytime m|^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d [A-Z]+ 200\d\r\n$| p/HP-UX daytime/ o/HP-UX/# Tardis 2000 v1.4 on NTmatch daytime m|^^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d 200\d $| p/Tardis 2000 daytime/# TrueTime nts100 running WxWorksmatch daytime m|^[A-Z][a-z]{2}, [A-Z][a-z]{2} \d{1,2}, 200\d, \d\d:\d\d:\d\d-UTC$| p/Truetime nts100/# Cisco router daytimematch daytime m|^[A-Z][a-z]+day, [A-Z][a-z]+ \d{1,2}, 200\d \d\d:\d\d:\d\d-MET(-DST)?\r\n| p/Cisco router daytime/ o/IOS/match dict m|^530 access denied\r\n$| p/dictd/ i/access denied/match dict m|^220 ([-.\w]+) dictd ([-.\w/]+) on ([-.+ \w]+) <auth\.mime>| p/dictd/ h/$1/ v/$2/ o/$3/match directconnect m/^\$MyNick ([-.\w]+)|\$Lock/ p/Direct Connect P2P/ i/User: $1/ o/Windows/match directconnect m|^\r\nDConnect Daemon v([\d.]+)\r\nlogin: | p/Direct Connect P2P/ v/$1/ o/Windows/match directconenct m=<Hub-Security> Your IP is temporarily banned for (\d+) minutes\.\|= p/Shadows DirectConnect hub/ i/Banned for $1 minutes/match directconnect m=<Hub-Security> You are being redirected to ([\d.]+)\|\$ForceMove [\d.]+\|= p/PtokaX directconnect hub/ i/Redirected to $1/