# Nmap service detection probe list -*- mode: fundamental; -*-# $Id: nmap-service-probes 6669 2008-01-05 07:15:41Z fyodor $ ## This is a database of custom probes and expected responses that the# Nmap Security Scanner ( http://www.insecure.org/nmap/ ) uses to# identify what services (eg http, smtp, dns, etc.) are listening on# open ports.  Contributions to this database are welcome.  We hope to# create an automated submission system (as with OS fingerprints), but# for now you can email fyodor any new probes you develop so that he# can include them in the main Nmap distributon.  By sending new# probe/matches to Fyodor or one the insecure.org development mailing# lists, it is assumed that you are transfering any and all copyright# interest in the data to Fyodor so that he can modify it, relicense# it, incorporate it into programs, etc. This is important because the# inability to relicense code has caused devastating problems for# other Free Software projects (such as KDE and NASM).  Nmap will# always be available Open Source.  If you wish to specify special# license conditions of your contributions, just say so when you send# them.## This collection of probe data is (C) 2003-2006 by Insecure.Com LLC# It is available for free use by open source software under the terms# of the GNU General Public License.  We also license the data to# selected commercial/proprietary vendors under less restrictive# terms.  Contact sales@insecure.com for more information.## For details on how Nmap version detection works, why it was added,# the grammar of this file, and how to detect and contribute new# services, see our paper at# http://www.insecure.org/nmap/versionscan.html .# The Exclude directive takes a comma separated list of ports.# The format is exactly the same as the -p switch.Exclude T:9100-9107# This is the NULL probe that just compares any banners given to us##############################NEXT PROBE##############################Probe TCP NULL q||# Wait for at least 6 seconds for data.  It used to be 5, but some# smtp services have lately been instituting an artificial pause (see# FEATURE('greet_pause') in Sendmail, for example)totalwaitms 6000match acap m|^\* ACAP \(IMPLEMENTATION \"CommuniGate Pro ACAP (\d[-.\w]+)\"\) | p/CommuniGate Pro ACAP server/ i/for mail client preference sharing/ v/$1/match activemq m|^\0\0\0\xae\x01ActiveMQ\0\0\0| p/Apache ActiveMQ/# AMANDA index server 2.4.2p2 on Linux 2.4match amanda m|^220 ([-.\w]+) AMANDA index server \((\d[-.\w ]+)\) ready\.\r\n| p/Amanda backup system index server/ v/$2/ h/$1/ o/Unix/match antivir m|^220 Symantec AntiVirus Scan Engine ready\.\r\n| p/Symantec AntiVirus Scan Engine/match antivir m|^200 NOD32SS ([\d.]+) \((\d+)\)\r\n| p/NOD32 AntiVirus/ v/$1 ($2)/match aplus m|^\x01\xff\0\xff\x01\x1d\0\xfd\0\n\x03\x05A\+ API \(([\d.]+)\) - CCS \(([\d.]+)\)\0| p/Cleo A+/ i/API $1; CSS $2/# arkstats (part of arkeia-light 5.1.12 Backup server) on Linux 2.4.20match arkstats m|^\0`\0\x03\0\0\0\x1810\x000\x000\x00852224\0\0\0\0\0\0\0\0\0\0\0| p/Arkeia arkstats/match artsd m|^MCOP\0\0\0.\0\0\0\x01\0\0\0\x10aRts/MCOP-([\d.]+)\0\0\0\0|s p/artsd/ i/MCOP $1/# Asterisk call manager - port 5038match asterisk m|^Asterisk Call Manager/([\d.]+)\r\n| p/Asterisk Call Manager/ v/$1/match asterisk-proxy m|^Response: Follows\r\nPrivilege: Command\r\n--END COMMAND--\r\n| p/Asterisk Call Manager Proxy/match audit m|^Visionsoft Audit on Demand Service\r\nVersion: ([\d.]+)\r\n\r\n| p/Visionsoft Audit on Demand Service/ v/$1/ o/Windows/match avg m|^220-AVG7 Anti-Virus daemon mode scanner\r\n220-Program version ([\d.]+), engine (\d+)\r\n220-Virus Database: Version ([\d/.]+)  [\d-]+\r\n| p/AVG daemon mode/ v/$1 engine $2/ i/Virus DB $3/match afbackup m|^afbackup ([\d.]+)\n\nAF's backup server ready\.\n| p/afbackup/ v/$1/match backdoor m|^220 jeem\.mail\.pv ESMTP\r\n| p/Jeem backdoor/ i/**BACKDOOR**/ o/Windows/match backdoor m|^\r\nUser Access Verification\r\n\r\nYour PassWord:| p/Jeem backdoor/ i/**BACKDOOR**/ o/Windows/match backdoor m|^ \r\n$| p/OptixPro backdoor/ i/**BACKDOOR**/ o/Windows/match backdoor m|^echo o [\d.]+ \d+ >s\r\necho common>> s\r\necho common>> s\r\necho bin>> s\r\necho get m220\.exe| p/JTRAM backdoor/ i/**BACKDOOR**/ o/Windows/match backdoor m|^220 Bot Server \(Win32\)\r\n$| p/Gaobot backdoor/ i/**BACKDOOR**/ o/Windows/match backdoor m|^PWD$| p/Subseven backdoor/ i/**BACKDOOR**/ o/Windows/match backdoor m|^=+\n= +RBackdoor ([\d.]+) | p/RBackdoor/ v/$1/ i/**BACKDOOR**/ o/Windows/match backdoor m|^220 Windrone Server \(Win32\)\r\n$| p/NerdBot backdoor/ i/**BACKDOOR**/ o/Windows/match backdoor m|^Zadej heslo:$| p/Czech "zadej heslo" backdoor/ i/**BACKDOOR**/ o/Windows/match backdoor m|^220 Reptile welcomes you\.\.\r\n| p/Darkmoon backdoor "reptile" ftpd/ i/**BACKDOOR**/ o/Windows/match backdoor m|^Sifre_EDIT$| p/ProRat trojan/ i/**BACKDOOR**/ o/Windows/match backdoor m|^MZ\x90\0\x03\0\0\0\x04\0\0\0\xff\xff\0\0\xb8\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0fn\0\0\xd0\0\0\0\x0e\x1f\xba\x0e\0\xb4\t\xcd!\xb8\x01L\xcd!This program cannot be run in DOS mode\.| p/Korgo worm/ i/**BACKDOOR**/ o/Windows/match backdoor m|^\xfa\xcb\xd9\xd9\xdd\xc5\xd8\xce\xd6| p/Theef trojan/ i/**BACKDOOR**/ o/Windows/match backdoor m|^220 SSL Connection Established - Loading Protocol\.\.\.\.\r\n| p/dhcpse.exe/ i/**BACKDOOR**/ o/Windows/match backdoor m|^A-311 Death welcome\x001| p/Haxdoor trojan/ i/**BACKDOOR**/ o/Windows/match backdoor m|^220 CAFEiNi [\w-_.]+ FTP server\r\n$| p/CAFEiNi trojan/ i/**BACKDOOR**/ o/Windows/match bf2rcon m|^### Battlefield 2 ModManager Rcon v([\d.]+)\.\n### Digest seed: \w+\n\n| p/Battlefield 2 ModManager Remote Console/ v/$1/# Bittorrent Client 3.2.1b on Linux 2.4.Xmatch bittorent m|^\x13BitTorrent protocol\0\0\0\0\0\0\0\0| p/Bittorrent P2P client/# BMC Software Patrol Agent 3.45 and HP Patrol Agentmatch softwarepatrol m|^\0\0\0\x17i\x02\x03..\0\x05\x02\0\x04\x02\x04\x03..\0\x03\x04\0\0\0|s p|BMC/HP Software Patrol Agent|match scmbug m|^SCMBUG-SERVER RELEASE_([\w-_.]+) \d+\n| p/Scmbug bugtracker/ v/$1/match buildservice m|^200 HELLO - BuildForge Agent v([\d.]+)\n| p/BuildForge Agent/ v/$1/match buildservice m|^\$\0\0\0\$\0\0\x000RAR\0 \0\0.\xe2\x02\0\xc4G\x0f\0\0\0\0\0\0\0\0\0\0\0\0\0|s p/Xoreax IncrediBuild/ o/Windows/match bzfs m|BZFS\d{4}\0| p/BZFlag game server/match cddbp m|^201 ([\w-_.]+) CDDBP server v([\w-.]+) ready at .*\r\n| p/freedb cddbp server/ v/$2/ h/$1/match chargen m|^!"#\$%\&'\(\)\*\+,-\./0123456789:;<=>\?\@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\\\]\^_`abcdefgh\r\n"#\$%\&'\(\)\*\+,-\./0123456789:;<=>\?\@ABCDEF| p/Linux chargen/ o/Linux/# Redhat 7.2, xinetd 2.3.7 chargenmatch chargen m|^\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\\\]\^_`abcdefghijklmnopq\r\n\+,-\./| p/xinetd chargen/ o/Unix/# Sun Solaris 9; Windowsmatch chargen m|^\ !"#\$%&'\(\)\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\\\]\^_|# Mandrake Linux 9.2, xinetd 2.3.11 chargenmatch chargen m|NOPQRSTUVWXYZ\[\\\]\^_`abcdefghijklm| p/xinetd chargen/ o/Unix/match chargen m|^\*\*\* Port V([\d.]+) !\"#\$%&'\(\)\*\+,-\./0123456789:| p/Lantronix chargen/ v/$1/match chargen m|^The quick brown fox jumps over the lazy dog\. 1234567890\r\n| p/Tektronix Phaser chargen/ d/printer/match chat m|^WebStart Chat Service Established\.\.\.\r\n\(C\) 2000-\d+ R Gabriel all Rights Reserved\r\n| p/WebStart Chat Service/match chat m|^\*\x01..\0\x04\0\0\0\x01$|s p/AIM or ICQ server/match chat-ctl m|^InfoChat Server v([\d.]+) Remote Control ready\n\r| p/InfoChat Remote Control/ v/$1/match chess m=^\n\r             _       __     __                             __      \n\r            \| \|     / /__  / /________  ____ ___  ___     / /_____ \n\r            \| \| /\| / / _ \\/ / ___/ __ \\/ __ `__ \\/ _ \\   / __/ __ \\\n\r= p/Lasker Internet Chess server/# Citrix, Metaframe XP on Windowsmatch citrix-ica m|^\x7f\x7fICA\0\x7f\x7fICA\0| p/Citrix Metaframe XP ICA/ o/Windows/# Citrix MetaFrame XP 1.0 implimented with ClassLink 2000 on NT4match citrix-ima m|^.\0\0\0\x81\0\0\0\x01|s p/Citrix Metaframe XP IMA/ o/Windows/match clsbd m|^\0\0\0\x10ClsBoolVersion 1$| p/Cadence IC design daemon/match codeforge m|^CFMSERV\(1\)\n| p/CodeForge IDE/match concertosendlog m|^Concerto Software\r\n\r\nEnsemblePro SendLog Server - Version (\d[-.\w]+)\r\n\r\nEnter Telnet Password\r\n#> | p/Concerto Software EnsemblePro CRM software SendLog Server/ v/$1/match concertotimesync m|^Concerto Software\r\n\r\nContactPro TimeSync Server - Version (\d[-.\w]+)\r\n\r\nEnter Telnet Password\r\n#> | p/Concerto Software EnsemblePro CRM software TimeSync Server/ v/$1/match conference m|^Conference, V([\d.]+)\r\n$| p/Forum Communcations conferenced/ v/$1/match complex-link m|^\x06\x07\xd0\0\x01\0\0\0\x01\0\x02\x07\xd0\0\x01\0\0\x01\x0f\x01\xf4\0\0\0\0HP +LTO ULTRIUM| p/HP LTO Ultrium data port/ d/storage-misc/# CompTek AquaGateKeeper (Telephony package) http://aqua.comptek.rumatch H.323/Q.931 m|^\x03\0\0.*@|s p/CompTek AquaGateKeeper/match cvspserver m|^no repository configured in /| p/CVS pserver/ i/broken/match cvspserver m|^/usr/sbin/cvs-pserver: line \d+: .*cvs: No such file or directory\n| p/CVS pserver/ i/broken/match cvspserver m|^Unknown command: `pserver'\n\nCVS commands are:\n| p/CVS pserver/ i/broken/match cvsup m|^OK \d+ \d+ ([-.\w]+) CVSup server ready\n| p/CVSup/ v/$1/match damewaremr m|^0\x11\0\0...........@........\x01\0\0\0\x01\0\0\0\0\0\0\0.\0\0\0$|s p/DameWare Mini Remote Control/ o/Windows/# Linuxmatch daytime m|^[0-3]\d [A-Z][A-Z][A-Z] 20\d\d \d\d:\d\d:\d\d \S+\r\n|# OpenBSD 3.2match daytime m|^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} +\d\d:\d\d:\d\d 20\d\d\r\n|# Solaris 8,9match daytime m|^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} +\d\d:\d\d:\d\d 20\d\d\n\r| p/Sun Solaris daytime/ o/Solaris/# Windows daytimematch daytime m|^\d+:\d\d:\d\d [AP]M \d+/\d+/200\d\n$| p/Microsoft Windows USA daytime/ o/Windows/# Windows daytime - UK english I think (no AM/PM)match daytime m|^\d\d:\d\d:\d\d \d\d.\d\d.200\d\n$| p/Microsoft Windows International daytime/ o/Windows/# daytime on Windows 2000 Servermatch daytime m|^.... \d{1,2}:\d{1,2}:\d{1,2} 200\d-\d{1,2}-\d{1,2}\n$| p/Microsoft Windows daytime/ o/Windows/# Windows NT daytimematch daytime m|^[A-Z][a-z]+day, [A-Z][a-z]+ \d{1,2}, 200\d \d{1,2}:\d\d:\d\d\n\0$| p/Microsoft Windows daytime/ o/Windows/# Windows 2000 Adv Server sp-4 daytime