├── README.md
├── USAGE.md
├── ivre_nmap.png
├── nmap-service-probes
├── nmap-services
└── sap_ports.py


/README.md:
--------------------------------------------------------------------------------

SAP Services detection via nmap probes
--------------------------------------

- [SAP Services detection via nmap probes](#sap-services-detection-via-nmap-probes)
- [How nmap can help us](#how-nmap-can-help-us)
- [SAP existing support in nmap](#sap-existing-support-in-nmap)
  * [Version and service detection](#version-and-service-detection)
- [How to generate and test probes](#how-to-generate-and-test-probes)
- [How to handle scan port range](#how-to-handle-scan-port-range)
  * [Port generation tool](#port-generation-tool)
  * [What about port customization by the admin?](#what-about-port-customization-by-the-admin)
- [How a scan looks like with custom SAP probes](#how-a-scan-looks-like-with-custom-sap-probes)
- [Issues encountered: SSL](#issues-encountered-ssl)
- [What can be improved](#what-can-be-improved)
- [What to do next with that information?](#what-to-do-next-with-that-information)
- [Conclusion](#conclusion)
- [Authors](#authors)

This article aims at showing how to improve the capability of the nmap
network scanner to detect SAP services. This is by no means a complete
and 100% exact way of doing service detection, as a lot of corner cases
exist that are not covered in this text. If you want a more
comprehensive way to do SAP services detection and much more, the
[ERPScan Monitoring Suite](https://erpscan.com/products/erpscan-security-monitoring-suite-for-sap/)
is a good starting point with its port scanner feature.


## How nmap can help us

Our goal is to detect every network service exposed by SAP servers.
Those servers are complex beasts with numerous components exposed to
the network by default, and each of these components potentially has
vulnerabilities. So we want to send specific network probes to detect
the presence of these services and then better assess whether a service
is vulnerable or not.

Nmap is an open source network port scanner that can do many things,
especially service detection via fingerprints. We will explain how
one could implement a SAP-aware port scanner with this tool.

## SAP existing support in nmap

First, if you look closely at the official nmap release you will
notice that there are some traces of SAP support. It is actually very
sparse, as can be confirmed by scanning a real SAP server:

```
Nmap scan report for 172.16.30.29
Host is up (0.00018s latency).
Not shown: 65508 closed ports
PORT      STATE SERVICE         VERSION
1128/tcp  open  soap            gSOAP 2.7
3201/tcp  open  cpq-tasksmart?
3299/tcp  open  saprouter?
3301/tcp  open  unknown
3901/tcp  open  nimsh?
4901/tcp  open  sybase-adaptive Sybase Adaptive Server
4902/tcp  open  sybase-backup   Sybase Backup Server
4903/tcp  open  unknown
8101/tcp  open  http            SAP Message Server httpd release 745
30101/tcp open  unknown
30102/tcp open  unknown
30103/tcp open  unknown
30104/tcp open  unknown
30107/tcp open  unknown
30108/tcp open  unknown
30111/tcp open  http            BaseHTTPServer 0.3 (Python 2.7.10)
30116/tcp open  unknown
40000/tcp open  safetynetp?
40001/tcp open  unknown
40002/tcp open  unknown
40080/tcp open  http            SAP Internet Graphics Server httpd
46287/tcp open  status          1 (RPC #100024)
50000/tcp open  http            SAP WebDispatcher
50001/tcp open  ssl/http        SAP WebDispatcher
50004/tcp open  unknown
50007/tcp open  unknown
50013/tcp open  soap            gSOAP 2.7
50014/tcp open  ssl/soap        gSOAP 2.7
50020/tcp open  unknown
50113/tcp open  soap            gSOAP 2.7
50114/tcp open  ssl/soap        gSOAP 2.7
```

The SERVICE and VERSION columns show plenty of unknown or improperly
named entries. This situation can be improved if we analyze each
unknown port/protocol.

If you dig a bit more you'll find that Core Security researcher Martin
Gallo wrote much improved support for SAP proprietary protocols
(available at
[corelabs-nmap-service-probes.txt](https://www.coresecurity.com/system/files/publications/2016/05/corelabs-nmap-service-probes.txt))
that does smarter things like extracting technical server information
from answers. That is a very good starting point; we included some of
these probes and extended the support a bit further.

### Version and service detection

Nmap's key file for service detection is `nmap-service-probes` (stored
in `/usr/share/nmap/` on Linux installations).

The format is quite self-explanatory for its main features. Let us
consider one of the simplest examples:

```
Probe TCP NULL q||
match sapjoin m|SAP_Cluster_Manager| p/SAP Java Cluster Join Service/
```

The `Probe` line describes the TCP payload that we send to the server.
In this case, we connect to the TCP port without sending any TCP
payload after the 3-way handshake.

The next line, beginning with `match`, describes what we want to check
in the server's answer.
A match is final: the parser won't check
another match for the given probe (as long as we don't use
`softmatch`). In this example, we look for the ASCII string
`SAP_Cluster_Manager` via a regular expression. If the expression
matches, nmap tags the matching port with the product name "SAP
Java Cluster Join Service".

That probe can be reused for all protocols in which the server sends
the first message to the client (SSH, FTP, mail protocols, for
example). We just add other `match` lines after the `Probe`.

Full documentation of this file format can be found at
[https://nmap.org/book/vscan-fileformat.html](https://nmap.org/book/vscan-fileformat.html)


## How to generate and test probes

So now we need a way to know which packets to send and which specific
piece of information inside an answer allows us to identify, with good
assurance, what protocol is being used, and from that determine which
service is using this protocol. To illustrate the difference between
service and protocol, you can look at the HTTP protocol and all the
different services that make use of it.

SAP services implement many different binary protocols, which does not
ease our task.

Let's have a look at a simple probe for a service using a binary
protocol: SAP Router.

```
Probe TCP SAProuter q|\x00\x00\x00\x00|
ports 3299
match saprouter m|SAProuter ([\d.]+) on '(\w+)'| p/SAProuter/ v/$1/ h/$2/
match saprouter m|SAProuter| p/SAProuter/
```

Per the official documentation, the SAP Router service should be
listening on port tcp/3299.

When sending the binary request `\x00\x00\x00\x00` to a SAP Router we
can get several answers depending on the router version/configuration.
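
How the two `match` lines of the SAProuter probe above are evaluated against a reply, as an added example (not code from nmap or from this repository). The parser is a simplification of the file format, and both replies are constructed, not captured from a real router.

```python
import re

# The two match lines of the SAProuter probe shown above, in file order.
SAPROUTER_MATCHES = [
    r"match saprouter m|SAProuter ([\d.]+) on '(\w+)'| p/SAProuter/ v/$1/ h/$2/",
    r"match saprouter m|SAProuter| p/SAProuter/",
]

FIELDS = {"p": "product", "v": "version", "i": "info", "h": "hostname"}


def parse_match(line):
    """Split one match line into (service, compiled regex, field templates).

    Simplified: only p/ v/ i/ h/ fields delimited by '/' are read, and only
    the 'i' and 's' regex flags are honoured.
    """
    directive, service, rest = line.split(None, 2)
    if directive != "match" or rest[0] != "m":
        raise ValueError("not a match line: %r" % line)
    delim = rest[1]                      # '|' here, but any delimiter works
    end = rest.index(delim, 2)
    pattern, tail = rest[2:end], rest[end + 1:]
    flags = 0
    while tail[:1] in ("i", "s"):
        flags |= re.IGNORECASE if tail[0] == "i" else re.DOTALL
        tail = tail[1:]
    templates = {FIELDS[key]: value
                 for key, value in re.findall(r"(?:^|\s)([pvih])/([^/]*)/", tail)}
    return service, re.compile(pattern.encode("latin-1"), flags), templates


def fill(template, hit):
    """Replace $1..$9 in a field template with the regex groups of a hit."""
    return re.sub(
        r"\$(\d)",
        lambda ref: (hit.group(int(ref.group(1))) or b"").decode("latin-1"),
        template,
    )


def identify(response, match_lines):
    """Return the fields of the first line that matches, or None."""
    for line in match_lines:
        service, regex, templates = parse_match(line)
        hit = regex.search(response)
        if hit:
            result = {"service": service}
            result.update((name, fill(t, hit)) for name, t in templates.items())
            return result          # a match is final: later lines are skipped
    return None


# Constructed replies (not real captures): one discloses version and host,
# the other only carries the product name.
LEAKY = b"\x00\x00\x00\x2cSAProuter 40.4 on 'sapgw01'\x00"
TERSE = b"\x00\x00\x00\x0aSAProuter\x00"

if __name__ == "__main__":
    print(identify(LEAKY, SAPROUTER_MATCHES))
    print(identify(TERSE, SAPROUTER_MATCHES))
    # With the lines swapped the generic one wins and the details are lost.
    print(identify(LEAKY, SAPROUTER_MATCHES[::-1]))
```
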

Sometimes the SAP Router can leak information like version + hostname,
so we try to match this specific answer first and then we try to match
the more generic answer without the information disclosure.

The additional information we gather in the first `match` can be
propagated and printed nicely by nmap using the version field and the
hostname. That is what we accomplish with the help of regular
expression groups (using parentheses inside the expression) and by
referencing them via their position in the `v//` and `h//` statements
('v' standing for version, and 'h' for hostname).

## How to handle scan port range

Usually with nmap, if we do not specify the `-p` option it will scan
the 1000 most used ports (from Internet statistics). Unfortunately,
many SAP ports will be missed by doing so. Therefore, we either scan
all 65535 ports at a big scan-time cost, or we look a bit closer at how
to generate these SAP ports. For efficiency, we choose the second
option.

If we look at the SAP documentation, we see their rules for defining
the potential ports of each service. So by using these rules, we can
expand the full list of potential SAP ports.

SAP services have the notion of an instance number: a number that
can vary from 00 to 99, and the port of the service depends on it.

SAP's official documentation on all TCP ports used by their services
can be accessed at
[https://cp.hana.ondemand.com/dps/d/preview/47673f06bd494db680ff6150c0b08108/2.0/en-US/frameset.htm](https://cp.hana.ondemand.com/dps/d/preview/47673f06bd494db680ff6150c0b08108/2.0/en-US/frameset.htm)


For example, the web ports for the ICM HTTP service are noted 80NN,
with NN being this instance number. It means they can cover the range
8000-8099.

As another example, the SAP TREX nameserver service will listen on
ports 3NN01. So our potential ports will be 30001, 30101,
30201,...,39901.

You can find port collisions, with two (or more) different
services/protocols theoretically using the same port. Some examples:
32NN is used on the Netweaver Java platform by the Enqueue service and
on the Netweaver ABAP platform by the Dispatcher service. Another one
is the previous example, with port 3NN01 being used by the SAP TREX
nameserver and by the SAP HANA TREXNet internal nameserver port.

Nmap handles all of that nicely with its service detection algorithm,
given a proper `nmap-service-probes` file: we can have the same port
used in several `Probe` rules, and several `match` lines for a single
port.

### Port generation tool

The following python tool [sap_ports.py](sap_ports.py) takes care of
port generation and prints out a comma-separated list of ports that
can be used as the nmap `-p` parameter as follows:

```
$ nmap -p $(sap_ports.py) $TARGETS
```

The main idea of `sap_ports.py` is to use a statically defined
dictionary, with information gathered from SAP on-line documentation,
to generate the list of ports, with the possibility of generating a
subset of the ports depending on several criteria.

### What about port customization by the admin?

During our security audit we rarely saw cases of port
customization. One such case led to a wrong assumption about the
instance number of a service when analyzing the port number. For
instance: using 3617 for the message server service on the instance
number 32... In this case it is necessary to inspect the protocol and
use information disclosures to be able to disambiguate this situation.
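
The port rules from this section, expanded and then inverted to show why a port number alone can mislead, as an added example (not the repository's `sap_ports.py`). The template table holds only services named on this page, and `36NN` for the message server is an assumption taken from the `MessageServer` probe's port range 3600-3699.

```python
import re

# Default port templates named on this page; NN is the instance number (00-99).
# "36NN" is assumed from the MessageServer probe's "ports 3600-3699".
TEMPLATES = [
    ("ICM HTTP", "80NN"),
    ("TREX nameserver", "3NN01"),
    ("HANA TREXNet internal nameserver", "3NN01"),
    ("Enqueue (NetWeaver Java)", "32NN"),
    ("Dispatcher (NetWeaver ABAP)", "32NN"),
    ("Message server", "36NN"),
]


def expand_template(template, instances=range(100)):
    """Ports produced by one template for the given instance numbers."""
    return [int(template.replace("NN", "%02d" % nn)) for nn in instances]


def port_argument(templates=TEMPLATES, instances=range(100)):
    """Comma-separated, de-duplicated port list usable as the nmap -p value."""
    ports = {port
             for _, template in templates
             for port in expand_template(template, instances)}
    return ",".join(str(port) for port in sorted(ports))


def candidates(port, templates=TEMPLATES):
    """Every (service, instance) pair the default rules allow for a port."""
    found = []
    for service, template in templates:
        regex = "^" + re.escape(template).replace("NN", r"(\d\d)") + "$"
        hit = re.match(regex, str(port))
        if hit:
            found.append((service, int(hit.group(1))))
    return sorted(found)


if __name__ == "__main__":
    print(expand_template("3NN01")[:3])       # start of the TREX port series
    print(len(port_argument().split(",")))    # unique ports to scan
    print(candidates(3201))                   # collision: two services
    print(candidates(3617))                   # default rules say instance 17
```

`candidates(3617)` reports instance 17, whereas the system described above was instance 32 on a customized port, so the instance number has to be confirmed from the protocol reply rather than from the port.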

There is no generic answer to this problem if we do not want to scan
the 64k TCP ports. In this article we accept the low risk that a
customized port falls outside our static port range, since in our
experience this happens very rarely.

## How a scan looks like with custom SAP probes

```
Nmap scan report for 172.16.30.29
Host is up (0.00018s latency).
Not shown: 6563 closed ports
PORT      STATE SERVICE             VERSION
22/tcp    open  ssh                 OpenSSH 6.2 (protocol 2.0)
111/tcp   open  rpcbind             2-4 (RPC #100000)
1128/tcp  open  sapstartservice     SAP Management Console (SID SAP, NR 99)
3201/tcp  open  sapjavaenq          SAP Enqueue Server
3299/tcp  open  saprouter           SAProuter 40.4
3301/tcp  open  sapgateway          SAP Gateway
3901/tcp  open  sapms               SAP Message Server
4901/tcp  open  sapase              SAP ASE Database
4902/tcp  open  sybase-backup       Sybase Backup Server
4903/tcp  open  unknown
8101/tcp  open  sapmshttp           SAP Message Server httpd release 745 (SID J45)
30201/tcp open  saptrex             SAP TREX Name server
30202/tcp open  saptrex             SAP TREX Preprocessor
30203/tcp open  saptrex             SAP TREX Index server
30204/tcp open  saptrex             SAP TREX Queue server
30207/tcp open  saptrex             SAP TREX RFC server
30208/tcp open  saptrex             SAP TREX Cruise server
30211/tcp open  saptrex             SAP TREX AlertServer (BaseHTTP/0.3 Python/2.7.10)
30216/tcp open  saptrex             SAP TREX Index server
40080/tcp open  sapigs              SAP Internet Graphics Server
50000/tcp open  sapjavaweb          SAP NetWeaver Application Server (Kernel version 7.45, Java version 7.50)
50001/tcp open  ssl/sapjavaweb      SAP NetWeaver Application Server (Kernel version 7.45, Java version 7.50)
50004/tcp open  sapjavap4           SAP JAVA P4 (Potential internal IP 172.16.30.29)
50007/tcp open  sapp4iiop           (Internel IP 172.16.30.29)
50013/tcp open  sapstartservice     SAP Management Console (SID J45, NR 00)
50014/tcp open  ssl/sapstartservice SAP Management Console (SID J45, NR 00)
50020/tcp open  sapjoin             SAP Java Cluster Join Service
50113/tcp open  sapstartservice     SAP Management Console (SID J45, NR 01)
50114/tcp open  ssl/sapstartservice SAP Management Console (SID J45, NR 01)
50213/tcp open  sapstartservice     SAP Management Console (SID TRX, NR 02)
Service Info: Host: java745;
```

## Issues encountered: SSL

In theory, the keyword `sslports` in the service-probe file indicates
on which ports a specific probe should be tried over the SSL layer. In
practice, these specified ports were not properly validated as SSL
ones without taking over all the SSL-related probes from the original
nmap-service-probes file (in our custom probe file they begin at
`Probe TCP SSLSessionReq`).

## What can be improved

Code exploits / port information disclosure in NSE Lua scripts tagged
by categories:

- version, discovery, exploit, auth, dos
- safe, intrusive

## What to do next with that information?

If you are a pentester, you probably have a bag full of exploits for
specific SAP services, so you want to automatically link open ports to
exploit attempts. That can easily be done by storing the nmap scan in
an XML file (`-oX` option) and then writing a parser that generates the
exploit command lines to be executed on the specific open ports.

On the other hand, if you are a security analyst or doing operational
security, you probably want to store those results and search them
afterwards, to detect changes in the landscape or to pinpoint
vulnerable services by their version.
For this purpose, we
use the [IVRE framework](https://ivre.rocks/), which can import our XML
nmap scans, provides a nice web interface to query scan results and
allows basic statistics/reporting tasks.

The attached screenshot shows a scan in IVRE, filtered on the OFFICE
(internal lab) scan source and looking for the P4 service (present on
Java NetWeaver application servers) detected on the network. The right
column shows the top ports histogram computed from those specific scan
results.

![](ivre_nmap.png)


## Conclusion

We hope that this will help you better understand what is hidden
behind those cryptic SAP servers, and show you that with network-level
probes alone we can learn a lot about what is behind an SAP server.

This blog post is also a reminder that SAP servers have a huge
exposure surface and that enforcing a strict networking policy that
covers them is part of good security hygiene.

This article and the associated Nmap files are available at
[github.com](https://github.com/gelim/nmap-erpscan).
A web-only
version is available at
https://erpscan.com/press-center/blog/sap-services-detection-via-nmap-probes/


## Authors

Name | Mail | Involvement
------|-------|------------
Mathieu Geli | | Main author/maintainer of those files
Michael Medvedev | | Second author
Martin Gallo | | Initial support on Diag/RFC/MS/Enqueue protocols
Joris van de Vis | | Improvements over RFC probes

--------------------------------------------------------------------------------
/USAGE.md:
--------------------------------------------------------------------------------

How to use nmap-service-probes custom file
------------------------------------------

```
$ git clone https://github.com/gelim/nmap-erpscan
$ cd nmap-erpscan
$ nmap -n --open --datadir . -sV -p $(./sap_ports.py) $TARGET
```

--------------------------------------------------------------------------------
/ivre_nmap.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gelim/nmap-sap/a78b63bb0cc87b84ce052b1c3600ee97b8fd2570/ivre_nmap.png

--------------------------------------------------------------------------------
/nmap-service-probes:
--------------------------------------------------------------------------------
# Authors: Mathieu Geli
#          Michael Medvedev
#          Martin Gallo
#          Joris van de Vis

Probe TCP NULL q||
totalwaitms 6000
tcpwrappedms 3000
match sapjoin m|SAP_Cluster_Manager| p/SAP Java Cluster Join Service/
match jdwp m|^JDWP-Handshake$| p/Java Debug Wire Protocol/
# quick and not complete SSH support (see nmap original probe for that)
match ssh m/^SSH-([\d.]+)-OpenSSH[_-]([\S ]+)/i p/OpenSSH/ v/$2/ i/protocol $1/
match ssh m/^(SSH-.*)/ p/SSH/ i/$1/

##############################NEXT PROBE##############################
Probe TCP SAPSOAP q|GET / HTTP/1.0\r\n\r\n|
ports 1128,50013,50113,50213,50313,50413,50513,50613,50713,50813,50913,51013,51113,51213,51313,51413,51513,51613,51713,51813,51913,52013,52113,52213,52313,52413,52513,52613,52713,52813,52913,53013,53113,53213,53313,53413,53513,53613,53713,53813,53913,54013,54113,54213,54313,54413,54513,54613,54713,54813,54913,55013,55113,55213,55313,55413,55513,55613,55713,55813,55913,56013,56113,56213,56313,56413,56513,56613,56713,56813,56913,57013,57113,57213,57313,57413,57513,57613,57713,57813,57913,58013,58113,58213,58313,58413,58513,58613,58713,58813,58913,59013,59113,59213,59313,59413,59513,59613,59713,59813,59913 18 | sslports 1129,50014,50114,50214,50314,50414,50514,50614,50714,50814,50914,51014,51114,51214,51314,51414,51514,51614,51714,51814,51914,52014,52114,52214,52314,52414,52514,52614,52714,52814,52914,53014,53114,53214,53314,53414,53514,53614,53714,53814,53914,54014,54114,54214,54314,54414,54514,54614,54714,54814,54914,55014,55114,55214,55314,55414,55514,55614,55714,55814,55914,56014,56114,56214,56314,56414,56514,56614,56714,56814,56914,57014,57114,57214,57314,57414,57514,57614,57714,57814,57914,58014,58114,58214,58314,58414,58514,58614,58714,58814,58914,59014,59114,59214,59314,59414,59514,59614,59714,59814 19 | rarity 9 20 | match sapstartservice m|SID=(\w+)&NR=(\d+)&HOST=(\S+)\r\nServer: gSOAP| p/SAP Management Console/ i/SID $1, NR $2/ h/$3/ 21 | match sapstartservice m|Location: /sapmc/sapmc\.html\r\nServer: gSOAP| p/SAP Management Console/ 22 | match saphostcontrol m|HOST=(\S+)\r\nServer: gSOAP| p/SAPHostControl/ h/$1/ 23 | 24 | ##############################NEXT PROBE############################## 25 | Probe TCP SAPGW q|\x00\x00\x00@\x02\t\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00| 26 | ports 3300-3399,4800-4899 27 | rarity 9 28 | match sapgateway 
m|\x00\x00\x00\x00| p/SAP Gateway/ i/Monitoring mode disabled/ 29 | 30 | ##############################NEXT PROBE############################## 31 | Probe TCP SAPGW q|\x00\x00\x00@\x02\x03\xac\x10\x00w\x00\x00\x00\x00startrfc\x00\x001100\x00\x00\x00\x00\x00\x00default_startrfc \x06\xcb\xff\xff\x00\x00\x00\x00\x00\x00| 32 | ports 3300-3399,4800-4899 33 | rarity 9 34 | match sapgateway m|\x00\x00\x00\x40\x02\x03\xac\x10\x00\x77\x00\x00\x00\x00\x73\x74| p/SAP Gateway/ 35 | 36 | ##############################NEXT PROBE############################## 37 | # https://www.coresecurity.com/system/files/publications/2016/05/corelabs-nmap-service-probes.txt 38 | # 39 | #Probe TCP SAPMSDumpRelease q|\x00\x00\x00\xa2**MESSAGE**\x00\x04\x00MSG_SERVER\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x01-\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1e\x00\x01\x03\x02\x00\x00\x00\x00\x00\x00\x08-\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00| 40 | ports 3600-3699,3900-3999 41 | 42 | #match sapms m|^....\*\*MESSAGE\*\*.*Release no = (\d+).*System name = (\w+).*patch number = (\d+)|s p/SAP Message Server/ i/SID $2 (release $1, patch level $3)/ 43 | #match sapms m|^\x00\x00..\*\*MESSAGE\*\*|s p/SAP Message Server/ 44 | 45 | Probe TCP MessageServer q|\x00\x00\x00\x72**MESSAGE**\x00\x04\x00MSG_SERVER\x00\x00msxxi.c\x00%s: MsSndName failed\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x01\x2D\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x00\x00\x05\x00\x68\x03| 46 | ports 3600-3699,3900-3999 47 | rarity 9 48 | match sapms 
m|MESSAGE.*\W+(\w+)_(\w+)_(\w+)\s{16}| p/SAP Message Server/ h/$1/ i/SID $2, ID $3/ 49 | match sapms m|MESSAGE| p/SAP Message Server/ 50 | 51 | ##############################NEXT PROBE############################## 52 | # FIXME: in some case (noip) we will fall into the tcpwrapped case 53 | Probe TCP SAPP4 q|v1\x18#p#4None:127.0.0.1:33170| 54 | ports 50004,50104,50204,50304,50404,50504,50604,50704,50804,50904,51004,51104,51204,51304,51404,51504,51604,51704,51804,51904,52004,52104,52204,52304,52404,52504,52604,52704,52804,52904,53004,53104,53204,53304,53404,53504,53604,53704,53804,53904,54004,54104,54204,54304,54404,54504,54604,54704,54804,54904,55004,55104,55204,55304,55404,55504,55604,55704,55804,55904,56004,56104,56204,56304,56404,56504,56604,56704,56804,56904,57004,57104,57204,57304,57404,57504,57604,57704,57804,57904,58004,58104,58204,58304,58404,58504,58604,58704,58804,58904,59004,59104,59204,59304,59404,59504,59604,59704,59804,59904 55 | rarity 9 56 | match sapjavap4 m|v1.*:(\d+\.\d+\.\d+\.\d+)| p/SAP JAVA P4/ i/Potential internal IP $1/ 57 | match sapjavap4 m|v1| p/SAP JAVA P4/ 58 | 59 | ##############################NEXT PROBE############################## 60 | Probe TCP WEB q|GET / HTTP/1.0\r\n\r\n| 61 | ports 8000-8099,8080,8100-8199,50000,50100,50200,50300,50400,50500,50600,50700,50800,50900,51000,51100,51200,51300,51400,51500,51600,51700,51800,51900,52000,52100,52200,52300,52400,52500,52600,52700,52800,52900,53000,53100,53200,53300,53400,53500,53600,53700,53800,53900,54000,54100,54200,54300,54400,54500,54600,54700,54800,54900,55000,55100,55200,55300,55400,55500,55600,55700,55800,55900,56000,56100,56200,56300,56400,56500,56600,56700,56800,56900,57000,57100,57200,57300,57400,57500,57600,57700,57800,57900,58000,58100,58200,58300,58400,58500,58600,58700,58800,58900,59000,59100,59200,59300,59400,59500,59600,59700,59800,59900 62 | sslports 
50001,50101,50201,50301,50401,50501,50601,50701,50801,50901,51001,51101,51201,51301,51401,51501,51601,51701,51801,51901,52001,52101,52201,52301,52401,52501,52601,52701,52801,52901,53001,53101,53201,53301,53401,53501,53601,53701,53801,53901,54001,54101,54201,54301,54401,54501,54601,54701,54801,54901,55001,55101,55201,55301,55401,55501,55601,55701,55801,55901,56001,56101,56201,56301,56401,56501,56601,56701,56801,56901,57001,57101,57201,57301,57401,57501,57601,57701,57801,57901,58001,58101,58201,58301,58401,58501,58601,58701,58801,58901,59001,59101,59201,59301,59401,59501,59601,59701,59801,59901,44300-44399,44400-44499,30030 63 | rarity 9 64 | match sapmshttp m|server: SAP Message Server, release (\d+) \((\w+)\)| p/SAP Message Server httpd/ v/release $1/ i/SID $2/ 65 | match sapjavaweb m|SAP J2EE Engine/([\d.]+)| p/SAP JAVA EE Dispatcher HTTP/ v/$1/ 66 | match sapjavaweb m|SAP J2EE Engine| p/SAP JAVA EE Dispatcher HTTP/ 67 | match sapwebapp m|sap-system: (\w+).*SAP Web Application Server \(.*?\)| p/SAP Web Application Server/ v/$1/ 68 | match sapjavaweb m|SAP NetWeaver Application Server ([\d.]+) / AS Java ([\d.]+)| p/SAP NetWeaver Application Server/ i/Kernel version $1, Java version $2/ 69 | match sapicm m|SAP NetWeaver Application Server ([\d.]+) / ICM ([\d.]+)| p/SAP Internet Communication Manager/ v/$2/ 70 | match sapnetweaver m|SAP NetWeaver Application Server \(([\d.]+);([\d.]+)\)| p/SAP Internet Communication Manager/ v/$2/ 71 | match sapicm m|SAP Internet Communication Framework| p/SAP Internet Communication Manager/ 72 | match sapicm m|

403 Access denied


You do not have the permissions to access this resource
| p/SAP Internet Communication Manager/ 73 | match sapwebas m|SAP Web Application Server| p/SAP Web Application Server/ 74 | match saphttpmsgserv m|msg_server \((\w+)\)| p/SAP HTTP Message Server/ i/SID $1/ 75 | match sapwebmobile m|SAP Mobile Platform| p/SAP Mobile Platform/ 76 | match sapsmtp m|(\S+) SAP (\S+) E?SMTP service ready| p/SAP SMTP Server/ h/$1/ v/$2/ 77 | match sapxscontroller m|SAP SE| p/SAP XSA Controller/ 78 | 79 | ##############################NEXT PROBE############################## 80 | Probe TCP HANAXS q|GET / HTTP/1.0\r\n\r\n| 81 | ports 8000-8099 82 | sslports 4300-4399 83 | rarity 9 84 | match saphanaxs m|XSEngine| p/SAP HANA XS Engine/ 85 | 86 | ##############################NEXT PROBE############################## 87 | Probe TCP HANAXSA q|GET / HTTP/1.0\r\n\r\n| 88 | ports 50000-50005 89 | rarity 9 90 | match hanatomcat m|WWW-Authenticate: Basic realm="([\w ]+)| p/SAP HANA XSA/ i/basic "$1"/ 91 | match hanatomcat m|WWW-Authenticate: Bearer realm="([\w ]+)| p/SAP HANA XSA/ i/bearer $1/ 92 | match hanasinopia m|X-Powered-By: ([\w+ ]+)| p/SAP HANA XSA $1/ 93 | 94 | ##############################NEXT PROBE############################## 95 | Probe TCP HANAXSC q|GET /v2/info HTTP/1.0\r\nHost: 127.0.0.1:30030\r\n\r\n| 96 | sslports 30030 97 | rarity 9 98 | match xscontroller2 m|build":"(.*?)".*"controllerEndpoint":"https://(.*?):30030.*"databaseType":"(.*?)","databaseInfo":"(.*?)".*"apps":(\d+),"services":(\d+)| i/HDB_VERSION:$4, HDB_TYPE: $3/ v/$1/ h/$2/ p/XSA APPS:$5 SERVICES:$6/ 99 | match xscontroller1 m|build":"(.*?)".*"controllerEndpoint":"https://(.*?):30030.*"databaseType":"(.*?)","limits".*"apps":(\d+),"services":(\d+)| i/HDB_TYPE: $3/ v/$1/ h/$2/ p/XSA APPS:$4 SERVICES:$5/ 100 | 101 | 102 | 103 | ##############################NEXT PROBE############################## 104 | Probe TCP SAPHTTPP4 q|GET / HTTP/1.0\r\nHost: 1.1.1.1:1\r\nHttpTunneling: 1\r\nIdentificator: .E\r\nLocal-IP: \r\nLocal-port: 1\r\nContent-Length: 
8\r\n\r\n\r\n\r\n\r\n\r\n| 105 | ports 50005,50105,50205,50305,50405,50505,50605,50705,50805,50905,51005,51105,51205,51305,51405,51505,51605,51705,51805,51905,52005,52105,52205,52305,52405,52505,52605,52705,52805,52905,53005,53105,53205,53305,53405,53505,53605,53705,53805,53905,54005,54105,54205,54305,54405,54505,54605,54705,54805,54905,55005,55105,55205,55305,55405,55505,55605,55705,55805,55905,56005,56105,56205,56305,56405,56505,56605,56705,56805,56905,57005,57105,57205,57305,57405,57505,57605,57705,57805,57905,58005,58105,58205,58305,58405,58505,58605,58705,58805,58905,59005,59105,59205,59305,59405,59505,59605,59705,59805,59905 106 | rarity 9 107 | match sapjavahttpp4 m|HTTP/1.0 200 OK\r\nServer: SAP J2EE Engine| p/SAP JAVA P4 over HTTP tunneling/ 108 | match sapjavahttpp4 m|\x15\x03\x00\x00\x02\x02\x28| p/SAP JAVA P4 over SSL/ 109 | 110 | ##############################NEXT PROBE############################## 111 | Probe TCP SAPjava q|\r\n| 112 | ports 50008,50108,50208,50308,50408,50508,50608,50708,50808,50908,51008,51108,51208,51308,51408,51508,51608,51708,51808,51908,52008,52108,52208,52308,52408,52508,52608,52708,52808,52908,53008,53108,53208,53308,53408,53508,53608,53708,53808,53908,54008,54108,54208,54308,54408,54508,54608,54708,54808,54908,55008,55108,55208,55308,55408,55508,55608,55708,55808,55908,56008,56108,56208,56308,56408,56508,56608,56708,56808,56908,57008,57108,57208,57308,57408,57508,57608,57708,57808,57908,58008,58108,58208,58308,58408,58508,58608,58708,58808,58908,59008,59108,59208,59308,59408,59508,59608,59708,59808,59908 113 | rarity 9 114 | match sapjavatelnet m|\xff\xfb\x01\xff\xfb\x03\xff\xfd\x1f| p/SAP JAVA Telnet/ 115 | match saplogviewer m|^READY#Logviewer#([\d.]+)\r\n| p/SAP NetWeaver Logviewer/ v/$1/ cpe:/a:sap:netweaver_logviewer:$1/ 116 | 117 | ##############################NEXT PROBE############################## 118 | Probe TCP SAPJMS q|\x00\x00\x00\x00| 119 | ports 
50010,50110,50210,50310,50410,50510,50610,50710,50810,50910,51010,51110,51210,51310,51410,51510,51610,51710,51810,51910,52010,52110,52210,52310,52410,52510,52610,52710,52810,52910,53010,53110,53210,53310,53410,53510,53610,53710,53810,53910,54010,54110,54210,54310,54410,54510,54610,54710,54810,54910,55010,55110,55210,55310,55410,55510,55610,55710,55810,55910,56010,56110,56210,56310,56410,56510,56610,56710,56810,56910,57010,57110,57210,57310,57410,57510,57610,57710,57810,57910,58010,58110,58210,58310,58410,58510,58610,58710,58810,58910,59010,59110,59210,59310,59410,59510,59610,59710,59810,59910 120 | rarity 9 121 | match sapjms m|Packet length| p/SAP Java Message Service/ 122 | match sapjms m|Packet with i| p/SAP Java Message Service/ 123 | 124 | ##############################NEXT PROBE############################## 125 | # P_SAPJAVAENQ 126 | Probe TCP SAPJAVAENQ q|\x00\x00\x00\x56\xab\xcd\xe1\x23\x00\x00\x00\x00\x00\x00\x00\x56\x00\x00\x00\x56\x06\x01\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x04\x00\x00\x00\x00\x00\x03sap730_4016_1\x00\x00\x00\x00\x02\x00\x00\x00\x3b\x00\x00\x00\x05\x00\x00\x00\x03\x00\x00\x00\x06\x00\x00\x00\x04\x00\x00\x00\x01| 127 | ports 3200-3299 128 | rarity 9 129 | match sapjavaenq m|\W+(\w+)_IOThread_| p/SAP Enqueue Server/ h/$1/ 130 | 131 | ##############################NEXT PROBE############################## 132 | # P_NIPING 133 | Probe TCP SAPNIPING q|\x00\x00\x00\x03SAP| 134 | ports 3298 135 | rarity 9 136 | match sapniping m|\x00\x00\x00\x03SAP| p/SAP NIPing/ 137 | 138 | ##############################NEXT PROBE############################## 139 | # P_SAProuter 140 | Probe TCP SAProuter q|\x00\x00\x00\x00| 141 | ports 3200-3299 142 | rarity 9 143 | match saprouter m|SAProuter ([\d.]+) on '(\w+)'| p/SAProuter/ v/$1/ h/$2/ 144 | match saprouter m|SAProuter| p/SAProuter/ 145 | 146 | ##############################NEXT PROBE############################## 147 | # P_SAPIGS 148 | Probe TCP SAPIGS q|GET /a 
HTTP/1.0\r\n\r\n| 149 | ports 40080,40180,40280,40380,40480,40580,40680,40780,40880,40980,41080,41180,41280,41380,41480,41580,41680,41780,41880,41980,42080,42180,42280,42380,42480,42580,42680,42780,42880,42980,43080,43180,43280,43380,43480,43580,43680,43780,43880,43980,44080,44180,44280,44380,44480,44580,44680,44780,44880,44980,45080,45180,45280,45380,45480,45580,45680,45780,45880,45980,46080,46180,46280,46380,46480,46580,46680,46780,46880,46980,47080,47180,47280,47380,47480,47580,47680,47780,47880,47980,48080,48180,48280,48380,48480,48580,48680,48780,48880,48980,49080,49180,49280,49380,49480,49580,49680,49780,49880,49980 150 | rarity 9 151 | match sapigs m|SAP Internet Graphics Server| p/SAP Internet Graphics Server/ 152 | 153 | ##############################NEXT PROBE############################## 154 | # TREX (old) packet version 155 | Probe TCP SAPTREXGEN q|I\x00\x08\x10\x18\x0b\x00\x00\x00\x01\x02\x05%\x00\x00\x00\x00__INT__PINGD\x00\x00\x00\x88\x00\x00\x00\x00\x07\xff\xff\xff\xff\xff\xff\xff\xff\x17| 156 | ports 30001,30101,30201,30301,30401,30501,30601,30701,30801,30901,31001,31101,31201,31301,31401,31501,31601,31701,31801,31901,32001,32101,32201,32301,32401,32501,32601,32701,32801,32901,33001,33101,33201,33301,33401,33501,33601,33701,33801,33901,34001,34101,34201,34301,34401,34501,34601,34701,34801,34901,35001,35101,35201,35301,35401,35501,35601,35701,35801,35901,36001,36101,36201,36301,36401,36501,36601,36701,36801,36901,37001,37101,37201,37301,37401,37501,37601,37701,37801,37901,38001,38101,38201,38301,38401,38501,38601,38701,38801,38901,39001,39101,39201,39301,39401,39501,39601,39701,39801,39901 157 | rarity 9 158 | match saptrex m|\xc7\xff\x17| p/SAP TREX Name server/ 159 | 160 | # HANA trexnet packet detection (Working for HANA trexnet from SPS7 to SPS12) 161 | Probe TCP SAPHANATREX 
q|\x3f\x00\x08\x10\x18\x09\x00\x00\x00\x01\x02\x07\x25\x00\x00\x00\x63\x6f\x72\x65\x2f\x70\x69\x6e\x67\x44\x02\x00\x00\x00\x00\x00\x00\xd6\x00\x00\x00\x05\xfd\xff\xff\xff\x0b\xff\xff\xff\xff\xff\xff\xff\xff\x05\xff\xff\xff\xff\x05\xff\xff\xff\xff\x05\xff\xff\xff\xff\x05\xff\xff\xff\xff\x05\xff\xff\xff\xff\x07\xff\xff\xff\xff\xff\xff\xff\xff\x07\xff\xff\xff\xff\xff\xff\xff\xff\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x05\xff\xff\xff\xff\x01\x00\x09\x00\x00\x00\x00\x09\x00\x00\x00\x00\x09\x00\x00\x00\x00\x09\x00\x00\x00\x00\x09\x00\x00\x00\x00\x09\x00\x00\x00\x00\x09\x00\x00\x00\x00\x09\x00\x00\x00\x00\x09\x00\x00\x00\x00\x09\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x01\x00\x01\x00\x01\x00\x0b\x98\x7d\x00\x00\x00\x00\x00\x00\x05\x00\x04\x00\x00\x06\x01\x00\x00\x00\x06\x43\x7d\x00\x00\x06\x98\x7d\x00\x00\x0b\x04\x00\x00\x00\x00\x00\x00\x00\x09\x09\x00\x00\x00\x68\x61\x6e\x61\x73\x65\x72\x76\x72\x09\x06\x00\x00\x00\x70\x79\x74\x68\x6f\x6e\x09\x01\x00\x00\x00\x30\x05\x00\x00\x00\x00\x07\x50\x49\x4e\x47\x50\x4f\x4e\x47\x17| 162 | ports 
30001,30101,30201,30301,30401,30501,30601,30701,30801,30901,31001,31101,31201,31301,31401,31501,31601,31701,31801,31901,32001,32101,32201,32301,32401,32501,32601,32701,32801,32901,33001,33101,33201,33301,33401,33501,33601,33701,33801,33901,34001,34101,34201,34301,34401,34501,34601,34701,34801,34901,35001,35101,35201,35301,35401,35501,35601,35701,35801,35901,36001,36101,36201,36301,36401,36501,36601,36701,36801,36901,37001,37101,37201,37301,37401,37501,37601,37701,37801,37901,38001,38101,38201,38301,38401,38501,38601,38701,38801,38901,39001,39101,39201,39301,39401,39501,39601,39701,39801,39901,30002,30102,30202,30302,30402,30502,30602,30702,30802,30902,31002,31102,31202,31302,31402,31502,31602,31702,31802,31902,32002,32102,32202,32302,32402,32502,32602,32702,32802,32902,33002,33102,33202,33302,33402,33502,33602,33702,33802,33902,34002,34102,34202,34302,34402,34502,34602,34702,34802,34902,35002,35102,35202,35302,35402,35502,35602,35702,35802,35902,36002,36102,36202,36302,36402,36502,36602,36702,36802,36902,37002,37102,37202,37302,37402,37502,37602,37702,37802,37902,38002,38102,38202,38302,38402,38502,38602,38702,38802,38902,39002,39102,39202,39302,39402,39502,39602,39702,39802,39902,30006,30106,30206,30306,30406,30506,30606,30706,30806,30906,31006,31106,31206,31306,31406,31506,31606,31706,31806,31906,32006,32106,32206,32306,32406,32506,32606,32706,32806,32906,33006,33106,33206,33306,33406,33506,33606,33706,33806,33906,34006,34106,34206,34306,34406,34506,34606,34706,34806,34906,35006,35106,35206,35306,35406,35506,35606,35706,35806,35906,36006,36106,36206,36306,36406,36506,36606,36706,36806,36906,37006,37106,37206,37306,37406,37506,37606,37706,37806,37906,38006,38106,38206,38306,38406,38506,38606,38706,38806,38906,39006,39106,39206,39306,39406,39506,39606,39706,39806,39906 163 | rarity 9 164 | match saphanatrex12 m|\x07PINGPONG\x18\x45\xff| p/SAP HANA Trexnet Name Server/ v/SPS12/ 165 | match saphanatrex11 m|PoolThread.cpp:389| p/SAP HANA Trexnet Name Server/ v/SPS11/ 
166 | match saphanatrex10 m|PoolThread.cpp:402| p/SAP HANA Trexnet Name Server/ v/SPS10/ 167 | match saphanatrex09 m|PoolThread.cpp:274| p/SAP HANA Trexnet Name Server/ v/SPS9/ 168 | match saphanatrex08 m|PoolThread.cpp:265| p/SAP HANA Trexnet Name Server/ v/SPS8/ 169 | match saphanatrex07 m|PoolThread.cpp:278| p/SAP HANA Trexnet Name Server/ v/SPS7/ 170 | 171 | Probe TCP SAPTREXGEN q|I\x00\x08\x10\x18\x0b\x00\x00\x00\x01\x02\x05%\x00\x00\x00\x00__INT__PINGD\x00\x00\x00\x88\x00\x00\x00\x00\x07\xff\xff\xff\xff\xff\xff\xff\xff\x17| 172 | ports 30002,30102,30202,30302,30402,30502,30602,30702,30802,30902,31002,31102,31202,31302,31402,31502,31602,31702,31802,31902,32002,32102,32202,32302,32402,32502,32602,32702,32802,32902,33002,33102,33202,33302,33402,33502,33602,33702,33802,33902,34002,34102,34202,34302,34402,34502,34602,34702,34802,34902,35002,35102,35202,35302,35402,35502,35602,35702,35802,35902,36002,36102,36202,36302,36402,36502,36602,36702,36802,36902,37002,37102,37202,37302,37402,37502,37602,37702,37802,37902,38002,38102,38202,38302,38402,38502,38602,38702,38802,38902,39002,39102,39202,39302,39402,39502,39602,39702,39802,39902 173 | rarity 9 174 | match saptrex m|\xc7\xff\x17| p/SAP TREX Preprocessor/ 175 | 176 | Probe TCP SAPTREXGEN q|I\x00\x08\x10\x18\x0b\x00\x00\x00\x01\x02\x05%\x00\x00\x00\x00__INT__PINGD\x00\x00\x00\x88\x00\x00\x00\x00\x07\xff\xff\xff\xff\xff\xff\xff\xff\x17| 177 | ports 
30003,30103,30203,30303,30403,30503,30603,30703,30803,30903,31003,31103,31203,31303,31403,31503,31603,31703,31803,31903,32003,32103,32203,32303,32403,32503,32603,32703,32803,32903,33003,33103,33203,33303,33403,33503,33603,33703,33803,33903,34003,34103,34203,34303,34403,34503,34603,34703,34803,34903,35003,35103,35203,35303,35403,35503,35603,35703,35803,35903,36003,36103,36203,36303,36403,36503,36603,36703,36803,36903,37003,37103,37203,37303,37403,37503,37603,37703,37803,37903,38003,38103,38203,38303,38403,38503,38603,38703,38803,38903,39003,39103,39203,39303,39403,39503,39603,39703,39803,39903,30016,30116,30216,30316,30416,30516,30616,30716,30816,30916,31016,31116,31216,31316,31416,31516,31616,31716,31816,31916,32016,32116,32216,32316,32416,32516,32616,32716,32816,32916,33016,33116,33216,33316,33416,33516,33616,33716,33816,33916,34016,34116,34216,34316,34416,34516,34616,34716,34816,34916,35016,35116,35216,35316,35416,35516,35616,35716,35816,35916,36016,36116,36216,36316,36416,36516,36616,36716,36816,36916,37016,37116,37216,37316,37416,37516,37616,37716,37816,37916,38016,38116,38216,38316,38416,38516,38616,38716,38816,38916,39016,39116,39216,39316,39416,39516,39616,39716,39816,39916 178 | rarity 9 179 | match saptrex m|\xc7\xff\x17| p/SAP TREX Index server/ 180 | 181 | Probe TCP SAPTREXGEN q|I\x00\x08\x10\x18\x0b\x00\x00\x00\x01\x02\x05%\x00\x00\x00\x00__INT__PINGD\x00\x00\x00\x88\x00\x00\x00\x00\x07\xff\xff\xff\xff\xff\xff\xff\xff\x17| 182 | ports 
30004,30104,30204,30304,30404,30504,30604,30704,30804,30904,31004,31104,31204,31304,31404,31504,31604,31704,31804,31904,32004,32104,32204,32304,32404,32504,32604,32704,32804,32904,33004,33104,33204,33304,33404,33504,33604,33704,33804,33904,34004,34104,34204,34304,34404,34504,34604,34704,34804,34904,35004,35104,35204,35304,35404,35504,35604,35704,35804,35904,36004,36104,36204,36304,36404,36504,36604,36704,36804,36904,37004,37104,37204,37304,37404,37504,37604,37704,37804,37904,38004,38104,38204,38304,38404,38504,38604,38704,38804,38904,39004,39104,39204,39304,39404,39504,39604,39704,39804,39904 183 | rarity 9 184 | match saptrex m|\xc7\xff\x17| p/SAP TREX Queue server/ 185 | 186 | Probe TCP SAPTREXHTTP q|GET /TREX?CMD=PING HTTP/1.0\r\n\r\n| 187 | ports 30005,30105,30205,30305,30405,30505,30605,30705,30805,30905,31005,31105,31205,31305,31405,31505,31605,31705,31805,31905,32005,32105,32205,32305,32405,32505,32605,32705,32805,32905,33005,33105,33205,33305,33405,33505,33605,33705,33805,33905,34005,34105,34205,34305,34405,34505,34605,34705,34805,34905,35005,35105,35205,35305,35405,35505,35605,35705,35805,35905,36005,36105,36205,36305,36405,36505,36605,36705,36805,36905,37005,37105,37205,37305,37405,37505,37605,37705,37805,37905,38005,38105,38205,38305,38405,38505,38605,38705,38805,38905,39005,39105,39205,39305,39405,39505,39605,39705,39805,39905 188 | rarity 9 189 | match saptrexhttp m|OK Server Connection| p/SAP TREX HTTP Server/ 190 | 191 | Probe TCP SAPTREXALERT q|GET / HTTP/1.0\r\n\r\n| 192 | ports 
30011,30111,30211,30311,30411,30511,30611,30711,30811,30911,31011,31111,31211,31311,31411,31511,31611,31711,31811,31911,32011,32111,32211,32311,32411,32511,32611,32711,32811,32911,33011,33111,33211,33311,33411,33511,33611,33711,33811,33911,34011,34111,34211,34311,34411,34511,34611,34711,34811,34911,35011,35111,35211,35311,35411,35511,35611,35711,35811,35911,36011,36111,36211,36311,36411,36511,36611,36711,36811,36911,37011,37111,37211,37311,37411,37511,37611,37711,37811,37911,38011,38111,38211,38311,38411,38511,38611,38711,38811,38911,39011,39111,39211,39311,39411,39511,39611,39711,39811,39911 193 | rarity 9 194 | match saptrex m|Server: ([\w./ ]+)| p/SAP TREX AlertServer/ i/$1/ 195 | 196 | Probe TCP SAPTREXRFC q|I\x00\x08\x10\x18\x0b\x00\x00\x00\x01\x02\x05%\x00\x00\x00\x00__INT__PINGD\x00\x00\x00\x88\x00\x00\x00\x00\x07\xff\xff\xff\xff\xff\xff\xff\xff\x17| 197 | ports 30007,30107,30207,30307,30407,30507,30607,30707,30807,30907,31007,31107,31207,31307,31407,31507,31607,31707,31807,31907,32007,32107,32207,32307,32407,32507,32607,32707,32807,32907,33007,33107,33207,33307,33407,33507,33607,33707,33807,33907,34007,34107,34207,34307,34407,34507,34607,34707,34807,34907,35007,35107,35207,35307,35407,35507,35607,35707,35807,35907,36007,36107,36207,36307,36407,36507,36607,36707,36807,36907,37007,37107,37207,37307,37407,37507,37607,37707,37807,37907,38007,38107,38207,38307,38407,38507,38607,38707,38807,38907,39007,39107,39207,39307,39407,39507,39607,39707,39807,39907 198 | rarity 9 199 | match saptrex m|\xc7\xff\x17| p/SAP TREX RFC server/ 200 | 201 | Probe TCP SAPTREXCRUISE q|I\x00\x08\x10\x18\x0b\x00\x00\x00\x01\x02\x05%\x00\x00\x00\x00__INT__PINGD\x00\x00\x00\x88\x00\x00\x00\x00\x07\xff\xff\xff\xff\xff\xff\xff\xff\x17| 202 | ports 
30008,30108,30208,30308,30408,30508,30608,30708,30808,30908,31008,31108,31208,31308,31408,31508,31608,31708,31808,31908,32008,32108,32208,32308,32408,32508,32608,32708,32808,32908,33008,33108,33208,33308,33408,33508,33608,33708,33808,33908,34008,34108,34208,34308,34408,34508,34608,34708,34808,34908,35008,35108,35208,35308,35408,35508,35608,35708,35808,35908,36008,36108,36208,36308,36408,36508,36608,36708,36808,36908,37008,37108,37208,37308,37408,37508,37608,37708,37808,37908,38008,38108,38208,38308,38408,38508,38608,38708,38808,38908,39008,39108,39208,39308,39408,39508,39608,39708,39808,39908 203 | rarity 9 204 | match saptrex m|\xc7\xff\x17| p/SAP TREX Cruise server/ 205 | 206 | 207 | ##############################NEXT PROBE############################## 208 | Probe TCP SAPLOGVIEWER q|JRMI\x00\x02K| 209 | ports 1099, 5465, 26000 210 | rarity 9 211 | match saplogviewer m|N\x00| p/SAP Logviewer Standalone/ 212 | match saplogviewer m|\x52\x45\x41\x44\x59\x23| p/SAP Logviewer Standalone Socket/ 213 | match saplogviewer m|\x76\x31| p/SAP Logviewer Standalone Socket/ 214 | 215 | ##############################NEXT PROBE############################## 216 | Probe TCP SAPHANAHDB q|\xFF\xFF\xFF\xFF\x04\x00\x14\x04\x00\x01\x00\x01\x01\x01| 217 | ports 30015,30041-39998 218 | 219 | rarity 9 220 | match saphanahdb m|\x04\x01\x00\x00\x00| p/SAP HANA HDB/ 221 | 222 | ##############################NEXT PROBE############################## 223 | Probe TCP SAPMOBILE q|GET / HTTP/1.0\r\n\r\n| 224 | ports 5001 225 | rarity 9 226 | match sapmobile m|WWW-Authenticate: Basic realm="Unwired Platform"| p/SAP Mobile Platform/ 227 | 228 | ##############################NEXT PROBE############################## 229 | Probe TCP SAPMPSP q|SAP| 230 | sslports 8083 231 | rarity 9 232 | match sapmpsp m|Certificate| p/SAP Mobile Platform Administration Secure Port/ 233 | 234 | # 235 | # https://www.coresecurity.com/system/files/publications/2016/05/corelabs-nmap-service-probes.txt 236 | # 237 | 
##############################NEXT PROBE############################## 238 | Probe TCP SAPDIAG q|\x00\x00\x01\x06\xff\xff\xff\xff\n\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff>\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x10\x04\x02\x00\x0c\x00\x00\x00\x80\x00\x00\x04L\x00\x00\x13\x89\x10\x04\x0b\x00 \xff\x7f\xfe-\xda\xb77\xd6t\x08~\x13\x05\x97\x15\x97\xef\xf2?\x8d\x07p\xff\x0f\x00\x00\x00\x00\x00\x00\x00\x00| 239 | ports 3200-3299 240 | rarity 9 241 | softmatch sapgui m|^\x00\x00..\x00\x00\x11\x00\x00\x01\x00\x00.*\x10\x06\x02..(\w\w\w).*\x10\x06\x03..([\w._-]+).*\x10\x06\x29..(\d+)\x00(\d+)\x00(\d+)\x00|s p/SAP Dispatcher/ i/DB name $1/ h/$2/ v/release $4, patch level $5, database release $3/ 242 | 243 | ##############################NEXT PROBE############################## 244 | Probe TCP SAPDISP q|\x00\x00\x00\x00| 245 | ports 3200-3299 246 | rarity 9 247 | match sapdisp m|DPTMMSG| p/SAP ABAP Dispatcher/ 248 | 249 | 250 | ##############################NEXT PROBE############################## 251 | # FIXME: do version grabbing when COMMAND=version is honored. 
252 | Probe TCP ORACLETNS q|\x00Z\x00\x00\x01\x00\x00\x00\x016\x01,\x00\x00\x08\x00\x7f\xff\x7f\x08\x00\x00\x00\x01\x00 \x00:\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x004\xe6\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00(CONNECT_DATA=(COMMAND=version))| 253 | ports 1520-1599 254 | rarity 9 255 | match oracledb m|DESCRIPTION.*ERROR| p/Oracle TNS Listener/ 256 | match oracledb m|TNSLSNR for (.*?): Version ([\d.]+)| p/Oracle TNS Listener/ v/$2/ o/$1/ 257 | 258 | ##############################NEXT PROBE############################## 259 | Probe TCP SAPPCOMGT q|GET /PCoManagement?wsdl HTTP/1.0\r\n\r\n| 260 | ports 50050 261 | rarity 9 262 | match sappcomgt m|200 OK| p/SAP Plant Connectivity Management SOAP/ 263 | 264 | ##############################NEXT PROBE############################## 265 | Probe TCP SAPXMII q|| 266 | ports 9000-9010 267 | rarity 9 268 | match sapxmii m|xMII| p/SAP xMII query agent/ 269 | 270 | ##############################NEXT PROBE############################## 271 | Probe TCP SAPBOCMS q|aps| 272 | ports 6400 273 | rarity 9 274 | match sapbocms m|seagatesoftware| p/SAP Business Object CMS/ 275 | 276 | ##############################NEXT PROBE############################## 277 | Probe TCP SAPBOWEB4 q|POST /BOE/CMC/ HTTP/1.0\r\n\r\n| 278 | ports 8080 279 | rarity 9 280 | match sapboweb m|200 OK| p/SAP Business Object Web Frontend/ v/4.x/ 281 | 282 | Probe TCP SAPBOWEB3 q|GET /CmcApp/logon.faces HTTP/1.0\r\n\r\n| 283 | ports 8080 284 | rarity 9 285 | match sapboweb m|200 OK| p/SAP Business Object Web Frontend/ v/3.x/ 286 | 287 | ##############################NEXT PROBE############################## 288 | #Probe TCP SAPASE q|\x00\x02\x00\x02\x00\x00\x00\x00| 289 | #ports 4901-4999 290 | #rarity 9 291 | #match sapase m|Login failed| p/SAP ASE Database/ 292 | 293 | ##############################NEXT PROBE############################## 294 | Probe TCP RPCCheck 
q|\x80\0\0\x28\x72\xFE\x1D\x13\0\0\0\0\0\0\0\x02\0\x01\x86\xA0\0\x01\x97\x7C\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| 295 | ports 4901-4999 296 | match ase-adaptive m|^\0\x01\0\x08\0\0\x00\0$| p/SAP ASE DB/ o/Windows/ cpe:/a:sybase:adaptive_server/ cpe:/o:microsoft:windows/a 297 | match ase-backup m|^\0\x01\0\x08\0\0\x01\0$| p/SAP ASE DB backup/ o/Windows/ cpe:/a:sybase:backup_server/ cpe:/o:microsoft:windows/a 298 | 299 | ##############################NEXT PROBE############################## 300 | #### BEWARE: THIS PROBE ONLY WORKS WITH A PATCHED NMAP !! #### 301 | ###################################################################### 302 | # line buffer is 2048 only, needs to be extended to 4096 for this probe to be parsed 303 | # diff --git a/service_scan.cc b/service_scan.cc 304 | # index c424314..435c1f8 100644 305 | # --- a/service_scan.cc 306 | # +++ b/service_scan.cc 307 | # 
@@ -1265,7 +1265,7 @@ void ServiceProbe::addMatch(const char *match, int lineno) { 308 | # (servicematch) which use this */ 309 | # void parse_nmap_service_probe_file(AllProbes *AP, char *filename) { 310 | # ServiceProbe *newProbe = NULL; 311 | # - char line[2048]; 312 | # + char line[4096]; 313 | # 314 | # 315 | #Probe TCP SAPASE q|\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00probe\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x002936\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x03\x01\x06\n\t\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00probe\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05DDD\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
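Review bot: in the service_scan.cc hunk above, replacing `char line[2048];` with `char line[4096];` in parse_nmap_service_probe_file() only moves the hard-coded limit, so a probe line longer than the new buffer will fail to parse in the same way the 2048-byte one did. Consider a named constant for the size plus an explicit check, at the point where the line is read, that reports the file line number when a line does not fit; alternatively read lines into a dynamically sized buffer so probe length is no longer tied to a stack array.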
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 316 | #split here to avoid an nmap bug (even though the line is commented out)... 317 | #\x00\x00\x00\x00\x00\x00\x00\x02\x05\x00\x00\x00CT-Library\n\x0f\x07\x00\r\x00\r\x11\x00s_english\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x01\x00k\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\n\x00\x00\x00\x02\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00utf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00512\x00\x00\x00\x03\x00\x00\x00\x00\xe2 \x00\x01\x0e\x01<\xe2\xf9\xb5\x87\xea\xbbm\x7f\xff\xff\xff\xfe\x02\x0e\x00\x00\x00\x00\x00\x18b\x00\x00\xa2h\x00\x00\x00| 318 | #ports 4901-4999 319 | #rarity 9 320 | #match sapase m|password on the network\.\n\x03(\w+)...........\x03ASE\x10\x00\x02\x05| p/SAP ASE Database ($1)/ v/16.0.2.5/ 321 | #match sapase m|password on the network\.\n\x03(\w+)...........\x03ASE\x10\x00\x02\x04| p/SAP ASE Database ($1)/ v/16.0.2.4/ 322 | #match sapase m|password on the network\.\n\x03(\w+)...........\x03ASE\x10\x00\x02\x00| p/SAP ASE Database ($1)/ v/16.0.2.0/ 323 | #match sapase m|password on the network\.\n\x03(\w+)...........\x03ASE\x0f\x07\x00\x00| p/SAP ASE Database ($1)/ v/15.7.0.0/ 324 | #match sapase m|password on the network\.\n\x03(\w+)...........\x03ASE\x0f\x07| p/SAP ASE Database ($1)/ v/15.7.x/ 325 | #match sapase m|password on the network\.\n\x03(\w+)...........\x03ASE\x10\x00\x02| p/SAP ASE Database ($1)/ v/16.0.2.x/ 326 | #match sapase m|password on the network\.\n\x03(\w+)...........\x03ASE\x10| p/SAP ASE Database ($1)/ v/16.x/ 327 | #match sapase m|password on the network\.\n\x03(\w+)...........\x03ASE\x0f| p/SAP ASE Database ($1)/ v/15.x/ 328 | #match sapase m|password on the network\.\n\x03(\w+)...........\x03ASE| p/SAP ASE Database ($1)/ v/unknown/ 329 | #match sapase m|\x0f\x01\x00\x3e\x00\x00\x00\x00\xad\x0d\x00\x07\x05\x00\x00\x00\x03ASE| p/SAP ASE 
Database (vulnerable to probe login)/ 330 | #match sapase m|^\x03ASE| p/SAP ASE Database (vulnerable to probe login)/ 331 | 332 | ##############################NEXT PROBE############################## 333 | Probe TCP SAPSDMADM q|\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x31\x31| 334 | ports 50017,50117,50217,50317,50417,50517,50617,50717,50817,50917,51017,51117,51217,51317,51417,51517,51617,51717,51817,51917,52017,52117,52217,52317,52417,52517,52617,52717,52817,52917,53017,53117,53217,53317,53417,53517,53617,53717,53817,53917,54017,54117,54217,54317,54417,54517,54617,54717,54817,54917,55017,55117,55217,55317,55417,55517,55617,55717,55817,55917,56017,56117,56217,56317,56417,56517,56617,56717,56817,56917,57017,57117,57217,57317,57417,57517,57617,57717,57817,57917,58017,58117,58217,58317,58417,58517,58617,58717,58817,58917,59017,59117,59217,59317,59417,59517,59617,59717,59817,59917 335 | rarity 9 336 | match sapsdmadmin m| 334Sorry| p/SAP SDM Administration/ 337 | 338 | ##############################NEXT PROBE############################## 339 | Probe TCP SAPSDMGUI q|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x31\x31| 340 | ports 50018,50118,50218,50318,50418,50518,50618,50718,50818,50918,51018,51118,51218,51318,51418,51518,51618,51718,51818,51918,52018,52118,52218,52318,52418,52518,52618,52718,52818,52918,53018,53118,53218,53318,53418,53518,53618,53718,53818,53918,54018,54118,54218,54318,54418,54518,54618,54718,54818,54918,55018,55118,55218,55318,55418,55518,55618,55718,55818,55918,56018,56118,56218,56318,56418,56518,56618,56718,56818,56918,57018,57118,57218,57318,57418,57518,57618,57718,57818,57918,58018,58118,58218,58318,58418,58518,58618,58718,58818,58918,59018,59118,59218,59318,59418,59518,59618,59718,59818,59918 341 | rarity 9 342 | match sapsdmgui m|This| p/SAP SDM GUI/ 343 | 344 | 345 | ##############################NEXT PROBE############################## 346 | Probe TCP SAPSMTP q|HEAD / HTTP/1.0\r\n\r\n| 347 | ports 25 348 | rarity 9 349 | match sapsmtp 
m|(\S+) SAP (\S+) E?SMTP service ready| p/SAP SMTP Server/ h/$1/ v/$2/ 350 | 351 | ##############################NEXT PROBE############################## 352 | Probe TCP P4IIOP q|GIOP\x01\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x03\x00\x00\x00\x11\x00\x00\x00\x02\x00\x02\x00\x00NEO\x00\x00\x00\x00\x02\x00\x14\x00\x00\x00\x00\x00\x06\x00\x00\x00\xa6\x00\x00\x00\x00\x00\x00\x00(IDL:omg.org/SendingContext/CodeBase:0.0\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00j\x00\x01\x02\x00\x00\x00\x00\n127.0.1.1\x00\x9bF\x00\x00\x00\x19\xaf\xab\xcb\x00\x00\x00\x00\x02%a2+\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00 \x00\x00\x00\x00\x00\x01\x00\x01\x00\x00\x00\x02\x05\x01\x00\x01\x00\x01\x00 \x00\x01\x01\t\x00\x00\x00\x01\x00\x01\x01\x00\x00\x00\x00&\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\x05\x01\x00\x00\x00\x00\x00\x00\x04INIT\x00\x00\x00\x04get\x00\x00\x00\x00\x00\x00\x00\x00\x0cNameService\x00| 353 | ports 50007,50107,50207,50307,50407,50507,50607,50707,50807,50907,51007,51107,51207,51307,51407,51507,51607,51707,51807,51907,52007,52107,52207,52307,52407,52507,52607,52707,52807,52907,53007,53107,53207,53307,53407,53507,53607,53707,53807,53907,54007,54107,54207,54307,54407,54507,54607,54707,54807,54907,55007,55107,55207,55307,55407,55507,55607,55707,55807,55907,56007,56107,56207,56307,56407,56507,56607,56707,56807,56907,57007,57107,57207,57307,57407,57507,57607,57707,57807,57907,58007,58107,58207,58307,58407,58507,58607,58707,58807,58907,59007,59107,59207,59307,59407,59507,59607,59707,59807 354 | rarity 9 355 | match sapp4iiop m|IDL:omg.org/SendingContext/CodeBase:1.0.*?(\d+\.\d+\.\d+\.\d+)| p/SAP P4 over IIOP/ i/Potential internal IP $1/ 356 | 357 | ##############################NEXT PROBE############################## 358 | Probe TCP POSXPRESSDATA q|lalala| 359 | ports 2202 360 | rarity 9 361 | match xpresserver m|201 XPRESS SERVER (\d+\.\d+\.\d+)+ (SP\d+\s)?(Build\s\d+\s)?([\w-]+)?| p/SAP XPRESS Server/ 
v/Version $1 $2 $3/ h/$4/ 362 | 363 | 364 | ##############################NEXT PROBE############################## 365 | Probe TCP POSXPRESSCLIENT q|{D0045}\x14\x64\x00\x0a\x00\x02\x16\x00\x03\x00\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd9\x88\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00| 366 | ports 2200 367 | rarity 9 368 | match xpresserverclinet m|{D\d\d\d\d}| p/SAP XPRESS Server client's port/ 369 | 370 | ##############################NEXT PROBE############################## 371 | # Added this one that clashes with SAP 33NN port rules for gateway # 372 | ###################################################################### 373 | 374 | Probe TCP MSRDP q|\x03\x00\x00\x0b\x06\xe0\x00\x00\x00\x00\x00\x00| 375 | ports 3389 376 | rarity 9 377 | match ms-wbt-server m#^\x03\x00\x00(\x0b|\x17|\x11)# p/Microsoft Terminal Service/ 378 | 379 | 380 | ############################################ 381 | # _____ _ ____ ______ ____ _ # 382 | #|_ _| | / ___| / / ___/ ___|| | # 383 | # | | | | \___ \ / /\___ \___ \| | # 384 | # | | | |___ ___) / / ___) |__) | |___ # 385 | # |_| |_____|____/_/ |____/____/|_____| # 386 | #Ripped from official nmap-services-probes # 387 | #without that ssl detection on non standard# 388 | #ports will fail badly. # 389 | ############################################ 390 | 391 | ##############################NEXT PROBE############################## 392 | # SSLv3 ClientHello probe. Will be able to reliably identify the SSL version 393 | # used, unless the server is running SSLv2 only. Note that it will also detect 394 | # TLSv1-only servers, based on a failed handshake alert. 
395 | Probe TCP SSLSessionReq q|\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\x08\0\x06\0\x03\x01\0| 396 | rarity 9 397 | ports 443,444,465,548,636,989,990,992,993,994,995,1241,1311,1443,2000,2252,2443,3443,4443,4444,5061,5443,5550,6443,7210,7272,7443,8009,8181,8194,8443,9001,9443,10443,14443,44443,60443,30030 398 | #fallback WEB 399 | 400 | match adabas m|^,\0,\0\x03\x02\0\0G\xd7\xf7\xbaO\x03\0\?\x05\0\0\0\0\x02\x18\0\xfd\x0b\0\0<=\xdbo\xef\x10n \xd5\x96\xc8w\x9b\xe6\xc4\xdb$| p/ADABAS database/ 401 | 402 | # Apple Filing Protocol (AFP) over TCP on Mac OS X 403 | # Sometimes we can get a host name or an IP address; those with come before those without. 404 | # These are mostly sorted by the flags field. 405 | 406 | # Flags \x80\xfb. 407 | match afp m|^\x01\x03\0\0........\0\0\0\0........\x80\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x05\x06AFPX03\x06AFP2\.2\x0eAFPVersion 2\.1\x0eAFPVersion 2\.0\x0eAFPVersion 1\.1.\tDHCAST128|s p/Apple AFP/ i/name: $1; protocol 2.2; Mac OS X 10.1.*/ o/Mac OS X/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.1/ 408 | 409 | # Flags \x83\xfb. 
410 | match afp m|^\x01\x03\0\0........\0\0\0\0........\x83\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x06\x06AFP3\.1\x06AFPX03\x06AFP2\.2\x0eAFPVersion 2\.1\x0eAFPVersion 2\.0\x0eAFPVersion 1\.1.\tDHCAST128.*[\x04\x05]([\w.-]+)\0|s p/Apple AFP/ i/name: $1; protocol 3.1; Mac OS X 10.2.*/ o/Mac OS X/ h/$2/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.2/ 411 | match afp m|^\x01\x03\0\0........\0\0\0\0........\x83\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x06\x06AFP3\.1\x06AFPX03\x06AFP2\.2\x0eAFPVersion 2\.1\x0eAFPVersion 2\.0\x0eAFPVersion 1\.1.\tDHCAST128|s p/Apple AFP/ i/name: $1; protocol 3.1; Mac OS X 10.2.*/ o/Mac OS X/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.2/ 412 | 413 | match afp m|^\x01\x03\0\0........\0\0\0\0........\x83\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x03\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\x06Recon1\rClient Krb v20\0.*[\x04\x05]([\w.-]+)\x01.afpserver/([\w.@-]+)\0|s p/Apple AFP/ i/name: $1; afpserver: $3; protocol 3.1; Mac OS X 10.2.*/ o/Mac OS X/ h/$2/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.2/ 414 | 415 | match afp m|^\x01\x03\0\0........\0\0\0\0........\x83\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x03\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128.*[\x04\x05]([\w.-]+)\x01.afpserver/([\w.@-]+)\0|s p/Apple AFP/ i/name: $1; afpserver: $3; protocol 3.1; Mac OS X 10.3.*/ o/Mac OS X/ h/$2/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.3/ 416 | match afp m|^\x01\x03\0\0........\0\0\0\0........\x83\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x03\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128.*[\x04\x05]([\w.-]+)\0|s p/Apple AFP/ i/name: $1; protocol 3.1; Mac OS X 10.3.*/ o/Mac OS X/ h/$2/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.3/ 417 | match afp m|^\x01\x03\0\0........\0\0\0\0........\x83\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x03\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128|s p/Apple AFP/ i/name: $1; protocol 3.1; Mac OS X 10.3.*/ o/Mac OS X/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.3/ 418 | 419 | # Flags \x8f\xfa. 
420 | match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfa.([^\0\x01]+)[\0\x01].*\tMacintosh\x01\x06AFP3\.1.\tDHCAST128|s p/Apple Airport Extreme AFP/ i/name: $1; protocol 3.1/ d/WAP/ cpe:/h:apple:airport_extreme/ 421 | 422 | # Flags \x8f\xfb. 423 | match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x04\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128.*[\x04\x05]([\w.-]+)\x01.afpserver/([-\w_.@]+)\0|s p/Apple AFP/ i/name: $1; afpserver: $3; protocol 3.2; Mac OS X 10.3 - 10.5/ o/Mac OS X/ h/$2/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x/a 424 | match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x04\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128.*[\x04\x05]([\w.-]+)\x01.afpserver|s p/Apple AFP/ i/name: $1; protocol 3.2; Mac OS X 10.3 - 10.5/ o/Mac OS X/ h/$2/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x/a 425 | match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x04\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128.*[\x04\x05]([\w.-]+)\0|s p/Apple AFP/ i/name: $1; protocol 3.2; Mac OS X 10.3 - 10.5/ o/Mac OS X/ h/$2/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x/a 426 | 427 | match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x04\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\x06Recon1\rClient Krb v2\x0fNo User Authent\0.*[\x04\x05]([\w.-]+)\x01.afpserver/([-\w_.@]+)\0|s p/Apple AFP/ i/name: $1; afpserver: $3; protocol 3.2; Mac OS X 10.5 Server/ o/Mac OS X/ h/$2/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x_server:10.5/ 428 | 429 | match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh.\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128.*[\x04\x05]([\w.-]+)\x01.afpserver|s p/Apple AFP/ i/name: $1; protocol 3.3; Mac OS X 10.5/ o/Mac OS X/ h/$2/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.5/ 430 | match afp 
m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh.\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128|s p/Apple AFP/ i/name: $1; protocol 3.3; Mac OS X 10.5/ o/Mac OS X/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.5/ 431 | 432 | match afp m=^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*?(iMac|Mac(?:mini|Pro|Book(?:Air|Pro)?)\d+,\d+)\x04\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03.\tDHCAST128.*[\x04\x05]([\w.-]+)\x01.afpserver=s p/Apple AFP/ i/name: $1; protocol 3.3; Mac OS X 10.5 - 10.6; $2/ o/Mac OS X/ h/$3/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.5/ cpe:/o:apple:mac_os_x:10.6/ 433 | 434 | # Patched version of OS X 10.5 may match these too... wait for corrections 435 | match afp m=^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*?(iMac|Mac(?:mini|Pro|Book(?:Air|Pro)?)\d+,\d+)\x04\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03.\tDHCAST128.*[\x04\x05]([\w.-]+)\0\0=s p/Apple AFP/ i/name: $1; protocol 3.3; Mac OS X 10.6; $2/ o/Mac OS X/ h/$3/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.6/ 436 | 437 | match afp m=^\x01\x03\0\x80........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*?(iMac|Mac(?:mini|Pro|Book(?:Air|Pro)?)\d+,\d+)\x04\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03.\tDHCAST128.*[\x04\x05]([\w.-]+)\x01.afpserver=s p/Apple AFP/ i/name: $1; protocol 3.3; Mac OS X 10.5 - 10.6; $2/ o/Mac OS X/ h/$3/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.5/ cpe:/o:apple:mac_os_x:10.6/ 438 | match afp m|^\x01\x03\0\x80........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh.\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128.*[\x04\x05]([\w.-]+)\x01.afpserver|s p/Apple AFP/ i/name: $1; protocol 3.3; Mac OS X 10.5/ o/Mac OS X/ h/$2/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.5/ 439 | 440 | match afp 
m=^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*?(iMac|Mac(?:mini|Pro|Book(?:Air|Pro)?)\d+,\d+)\x04\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03.\tDHCAST128.*[\x04\x05]([\w.-]+)\x01.afpserver=s p/Apple AFP/ i/name: $1; protocol 3.3; Mac OS X 10.6; $2/ o/Mac OS X/ h/$3/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.6/ 441 | 442 | # Flags \x8f\xfb. 443 | match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*AirPort.*AFP3\.2|s p|Apple Airport Extreme/Time Capsule AFP| i/name: $1; protocol 3.2 WAP/ cpe:/h:apple:airport_extreme/ 444 | match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*TimeCapsule.*AFP3\.3\x06AFP3\.2\x06AFP3\.1.\tDHCAST128.*[\x04\x05]([\w.-]+)\0|s p/Apple Time Capsule AFP/ i/name: $1; protocol 3.3/ h/$2/ 445 | match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*TimeCapsule.*AFP3\.3\x06AFP3\.2\x06AFP3\.1.\tDHCAST128|s p/Apple Time Capsule AFP/ i/name: $1; protocol 3.3/ 446 | match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*\tVMware7,1\x04\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03.\tDHCAST128\x04DHX2\x06Recon1\rClient\x20Krb\x20v2\0\0.*[\x04\x05]([\w.-]+)\x01.afpserver/([\w.@-]+)\0|s p/Apple AFP/ i/name: $1; afpserver: $3; protocol 3.1; Mac OS X 10.6.3/ o/Mac OS X/ h/$2/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x/a 447 | # Sometimes the hostname isn't included 448 | match afp m|^\x01\x03\0\0........\0\0\0\0........\x8f\xfb.([^\0\x01]+)[\0\x01].*\tMacintosh\x04\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06AFP2\.2.\tDHCAST128|s p/Apple AFP/ i/name: $1; protocol 3.2; Mac OS X 10.3 - 10.5/ o/Mac OS X/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x/a 449 | 450 | # Flags \x9f\xf3 451 | match afp m=^\x01\x03\0\0........\0\0\0\0........\x9f\xf3.([^\0\x01]+)[\0\x01].*?(iMac|Mac(?:mini|Pro|Book(?:Air|Pro)?)\d+,\d+)\x05\x06AFP3\.4\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03=s p/Apple AFP/ i/name: $1; protocol 3.4; Mac OS X 10.9 - 
10.10; $2/ o/Mac OS X/ cpe:/a:apple:afp_server/ cpe:/o:apple:mac_os_x:10.10/ cpe:/o:apple:mac_os_x:10.9/ 452 | match afp m|^\x01\x03\0\0........\0\0\0\0........\x9f\xf3.([^\0\x01]+).*?VMware(\d+),(\d+)\x05\x06AFP3\.4\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03|s p/Apple AFP/ i/name: $1; protocol 3.4; VMware $2.$3/ o/Mac OS X/ cpe:/a:apple:afp_server/ cpe:/o:apple:mac_os_x/a 453 | 454 | # Flags \x9f\xfb. 455 | match afp m=^\x01\x03\0\0........\0\0\0\0........\x9f\xfb.([^\0\x01]+)[\0\x01].*?(iMac|Mac(?:mini|Pro|Book(?:Air|Pro)?)\d+,\d+)\x05\x06AFP3\.4\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06\tDHCAST128\x04DHX2\x06Recon1\rClient Krb v2\x03GSS\x0fNo User Authent.*\x1b\$not_defined_in_RFC4178@please_ignore$=s p/Apple AFP/ i/name: $1; protocol 3.4; Mac OS X 10.6 - 10.8; $2/ o/Mac OS X/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.6/ cpe:/o:apple:mac_os_x:10.7/ cpe:/o:apple:mac_os_x:10.8/ 456 | match afp m=^\x01\x03\0\0........\0\0\0\0........\x9f\xfb.([^\0\x01]+)[\0\x01].*?(iMac|Mac(?:mini|Pro|Book(?:Air|Pro)?)\d+,\d+)\x05\x06AFP3\.4\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x05\tDHCAST128\x04DHX2\x06Recon1\rClient Krb v2\x03GSS.*\x1b\$not_defined_in_RFC4178@please_ignore=s p/Apple AFP/ i/name: $1; protocol 3.4; Mac OS X 10.6 - 10.8; $2/ o/Mac OS X/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.6/ cpe:/o:apple:mac_os_x:10.7/ cpe:/o:apple:mac_os_x:10.8/ 457 | match afp m|^\x01\x03\0\0........\0\0\0\0........\x9f\xfb.([^\0\x01]+)[\0\x01].*VMware(\d+),(\d+)\x05\x06AFP3\.4\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x06\tDHCAST128\x04DHX2\x06Recon1\rClient Krb v2\x03GSS\x0fNo User Authent.*\x1b\$not_defined_in_RFC4178@please_ignore$|s p/Apple AFP/ i/name: $1; protocol 3.4; Mac OS X 10.6; VMware $2.$3/ o/Mac OS X/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x/a 458 | match afp m|^\x01\x03\0\0........\0\0\0\0........\x9f\xfb.([^\0\x01]+)[\0\x01].*Xserve\d+,\d+\x05\x06AFP3\.4\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x05\tDHCAST128|s p/Apple AFP/ i/name: $1; 
protocol 3.4; Xserve/ o/Mac OS X/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x/a 459 | match afp m=^\x01\x03\0\0........\0\0\0\0........\x9f\xfb.([^\0\x01]+)[\0\x01].*?(iMac|Mac(?:mini|Pro|Book(?:Air|Pro)?)\d+,\d+)\x05\x06AFP3\.4\x06AFP3\.3\x06AFP3\.2\x06AFP3\.1\x06AFPX03\x05\tDHCAST128\x04DHX2\x06Recon1\x03GSS\x0fNo User Authent=s p/Apple AFP/ i/name: $1; protocol 3.4; Mac OS X 10.8; $2/ o/Mac OS X/ cpe:/a:apple:afp_server/a cpe:/o:apple:mac_os_x:10.8/ 460 | 461 | softmatch afp m|^\x01\x03\0\0........\0\0\0\0.*AFP|s 462 | 463 | match ajp13 m|^AB\0N\x04\x01\x94\0\x06/cccb/\0\0\x02\0\x0cContent-Type\0\0\x17text/html;charset=utf-8\0\0\x0eContent-Length\0\0\x03970\0AB\x03| p/Apache Jserv/ 464 | 465 | match cpu m|^unsupported auth method\0| p/Plan 9 cpu/ o/Plan 9/ cpe:/o:belllabs:plan_9/a 466 | 467 | match decomsrv m|^\x02\0\0\x01\x03\0U\xd0DSQ\x02\0\0\x01\x03\0U\xd0DSQ$| p/Lotus Domino decommission server/ i/decomsrv.exe/ cpe:/a:ibm:lotus_domino/ 468 | 469 | match dsr-video m|^\0\0\0\0\0\x84\0\x10\x01\xa3{\x10\0\0\0\0$| p/Avocent KVM DSR video/ 470 | 471 | match h323q931 m|^\x03\0\x000\x08\x02\0\0}\x08\x02\x80\xe2\x14\x01\0~\0\x1d\x05\x08 \x19\0\x06\0\x08\x91J\0\x05\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| p/Polycom ViewStation H.323/ 472 | 473 | match http m|^HTTP/1\.0 500 Internal Server Error\r\nConnection: Close\r\nContent-Type: text/html\r\n.*

java\.lang\.Exception: Invalid request: \x16\x03|s p/Dell PowerEdge OpenManage Server Administrator httpd/ o/Windows/ cpe:/a:dell:openmanage_server_administrator/ cpe:/o:microsoft:windows/a 474 | match http m|^HTTP/1\.0 400 Bad Request\nContent-type: text/html\r\nDate: .*\r\nConnection: close\r\n\r\n400 Bad Request\n

400 Bad Request

\nUnsupported method\.\n\n| p/Brivo EdgeReader access control http interface/ d/security-misc/ 475 | 476 | match http-proxy m|^ 400 badrequest\r\nVia: 1\.0 ([\w.-]+) \(McAfee Web Gateway ([\w._-]+)\)\r\nConnection: Close\r\n| p/McAfee Web Gateway/ v/$2/ i/Via $1/ cpe:/a:mcafee:web_gateway:$2/ 477 | 478 | match ilo-vm m|^\"\0\x03\0$| p/HP Integrated Lights-Out Virtual Media/ cpe:/h:hp:integrated_lights-out/ 479 | 480 | match login m|^\0\r\nlogin: \^W\^@\^@\^@\^| p/VxWorks logind/ o/VxWorks/ cpe:/o:windriver:vxworks/a 481 | 482 | match maxdb m|^.Rejected bad connect packet\0$|s p/SAP MaxDB/ 483 | 484 | match msexchange-logcopier m|^\x15\x01\0\0\x08\0\0\0\0\x80\t\x03\x08$| p/Microsoft Exchange 2010 log copier/ cpe:/a:microsoft:exchange_server:2010/ 485 | 486 | match modbus m|^\x16\x03\0\0\0\x03\0\x80\x01| p/Modbus TCP/ 487 | 488 | match netbios-ssn m|^\0\0\0%G\xd7\xf7\xba,\xff\xea\xff\xff~\xf3\0\xfd\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0\0\0\x16\0$| p/Konica Minolta bixhub 350 printer smbd/ d/printer/ cpe:/h:konicaminolta:bixhub_350/a 489 | 490 | match pbx-alarm m|^1\x0c5\x0c9\x0c\x0b\x03$| p/Aastra Open Interfaces Platform PBX alarm server/ d/PBX/ cpe:/a:aastra:oip/ 491 | 492 | match pop3-proxy m|^ERR concurrent connection limit in avast! exceeded\(pass:\d+, processes:([\w._-]+)\[\d+\]\)\r\n| p/Avast! anti-virus pop3 proxy/ i/connection limit exceeded by $1/ o/Windows/ cpe:/o:microsoft:windows/ 493 | 494 | # This funny service runs on port 9001 and seems to echo other service probes, 495 | # however they don't seem to come in any obvious order. 
Examples: 496 | # ---------- GenericLines ---------- 497 | # m|^GET / HTTP/1\.0| 498 | # ---------- WEB ---------- 499 | # m|^OPTIONS / HTTP/1\.0| 500 | # ---------- SSLSessionReq ---------- 501 | # m|^OPTIONS / RTSP/1\.0| 502 | # ---------- SSLv23SessionReq ---------- 503 | # m|^\x80\0\0\(r\xfe\x1d\x13\0\0\0\0\0\0\0\x02\0\x01\x86\xa0\0\x01\x97\x7c\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| 504 | match postx-reporting m|^OPTIONS / RTSP/1\.0| p/PostX IP Reporting alarm system/ 505 | 506 | match remoting m|^\.NET\x01\0\x02\0\0\0\0\0\0\0\x02\0\x03\x01\0\x03\0\x01\x01..\0\0System\.Runtime\.Remoting\.RemotingException: |s p/MS .NET Remoting services/ cpe:/a:microsoft:.net_framework/ 507 | 508 | match siebel m|^\0\0\0\x40\0\0\0\0\0\0\0\x01\0\0\0\0\0\0..\0\0\0\x05\0\0\0\0\0\0\0\0\x4e...\0...\0\0\0\0\0\0\0\0\0\0\0\x05\0\0\0\x0c\0\0\0\x08\0\x12\0\x68\0\0\0\0$| p/Siebel Gateway Name Server/ cpe:/a:oracle:siebel_suite/ 509 | 510 | # OpenSSL/0.9.7aa, 0.9.8e 511 | match ssl m|^\x16\x03\0\0J\x02\0\0F\x03\0| p/OpenSSL/ i/SSLv3/ cpe:/a:openssl:openssl/ 512 | 513 | # Microsoft-IIS/5.0 - note that OpenSSL must go above this one because this is more general 514 | match ssl m|^\x16\x03\0..\x02\0\0F\x03\0|s p/Microsoft IIS SSL/ o/Windows/ cpe:/a:microsoft:iis/ cpe:/o:microsoft:windows/a 515 | # Novell Netware 6 Enterprise Web server 5.1 https 516 | # Novell Netware Ldap over SSL or enterprise web server 5.1 over SSL 517 | match ssl m|^\x16\x03\0\0:\x02\0\x006\x03\0| p/Novell NetWare SSL/ o/NetWare/ cpe:/o:novell:netware/a 518 | # Cisco IDS 4.1 Appliance 519 | match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03\0\xd10:\xbd\\\x8e\xe3\x15\x1c\x0fZ\xe4\x04\x87\x07\xc0\x82\xa9\xd4\x0e\x9c1LXk\xd1\xd2\x0b\x1a\xc6/p\0\0\n\0\x16\x03\0\x026\x0b\0\x022\0| p/Cisco IDS SSL/ d/firewall/ 520 | # PGP Corporation Keyserver Web Console 7.0 - custom Apache 1.3 521 | # PGP LDAPS Keyserver 8.X 522 | match ssl m|^\x16\x03\0\0\+\x02\0\0'\x03\0...\?|s p/PGP Corporation product SSL/ 523 | # Unreal IRCd SSL 524 | # 
RemotelyAnywhere 525 | match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03\0\?| 526 | # Tumbleweed SecureTransport 4.1.1 Transaction Manager Secure Port on Solaris 527 | # Dell Openmanage 528 | match ssl m|^\x15\x03[\x01\x00]\0\x02\x01\0$| p/multi-vendor SSL/ 529 | # Probably Oracle https? 530 | match ssl m|^}\0\x02\0\0\0\0\0\0\0\0\0\0\0\0\0| p/Oracle https/ 531 | match ssl m|^\x15\x03\0\0\x02\x02\(31666:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr\.c:881:\n| p/Webmin SSL Control Panel/ 532 | match ssl m|^20928:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr\.c:565:\n| p/qmail-pop3d behind stunnel/ 533 | 534 | match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03\0B| p/Tor over SSL/ cpe:/a:torproject:tor/ 535 | match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03.*IOS-Self-Signed-Certificate|s p/Cisco IOS ssl/ d/router/ 536 | match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03.*\nCalifornia.*\tPalo Alto.*\x0cVMware, Inc\..*\x1bVMware Management Interface|s p/VMware management interface SSLv3/ 537 | match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03.*\x0edropbox-client0|s p/Dropbox client SSLv3/ cpe:/a:dropbox:dropbox/ 538 | match ssl m|^\x16\x03\0\0\*\x02\0\0&\x03.*vCenterServer_([\w._-]+)|s p/VMware ESXi Server httpd/ v/$1/ cpe:/o:vmware:esxi:$1/ 539 | 540 | # Alert (Level: Fatal, Description: Protocol Version|Handshake Failure) 541 | match ssl m|^\x15\x03[\x00-\x03]\0\x02\x02[F\x28]| 542 | 543 | match xtel m|^\x15Annuaire \xe9lectronique| p/xteld/ i/French/ 544 | 545 | match tor m|^\x16\x03\0\0\*\x02\0\0&\x03\0.*T[oO][rR]1.*[\x00-\x20]([-\w_.]+) |s p/Tor node/ i/Node name: $1/ cpe:/a:torproject:tor/ 546 | 547 | # Sophos Message Router 548 | match ssl/sophos m|^\x16\x03\0.*Router\$([a-zA-Z0-9_-]+).*Sophos EM Certification Manager|s p/Sophos Message Router/ h/$1/ 549 | match ssl/sophos m|^\x16\x03\0.*Sophos EM Certification Manager|s p/Sophos Message Router/ 550 | 551 | match ssl/openvas m|^\x16\x03\x01\0J\x02\0\0F\x03\x01| p/OpenVAS server/ 552 | 553 | # 
Generic: TLSv1.3 ServerHello 554 | match ssl m|^\x16\x03\x03..\x02...\x03\x03|s p/TLSv1.2/ 555 | # Generic: TLSv1.2 ServerHello 556 | match ssl m|^\x16\x03\x02..\x02...\x03\x02|s p/TLSv1.1/ 557 | # Generic: TLSv1.1 ServerHello 558 | match ssl m|^\x16\x03\x01..\x02...\x03\x01|s p/TLSv1.0/ 559 | 560 | # Generic: SSLv3 ServerHello 561 | match ssl m|^\x16\x03\0..\x02...\x03\0|s p/SSLv3/ 562 | 563 | match storagecraft-image m|^\x15\x01\0\0\x08\0\0\0\0\x80\t\x03\x08\.NET\x01\0\x02\0\0\0\0\0\0\0\x02\0\x03\x01\0\x03\0\x01\x01 \0\0\0Authentication failure on server\x05\0\0\0\0$| p/StorageCraft Image Manager/ 564 | 565 | match xamarin m|^ERROR: Another instance is running\n| p/Xamarin MonoTouch/ 566 | 567 | ##############################NEXT PROBE############################## 568 | # TLSv1.2 ClientHello probe. TLS implementations may choose to ignore (close 569 | # silently) incompatible ClientHello messages like the one in SSLSessionReq. 570 | # This one should be widely compatible, and if we avoid adding non-ssl service 571 | # matches here, we can continue to upgrade it (bytes 10 and 11 and the ranges 572 | # in the match lines) 573 | Probe TCP TLSSessionReq q|\x16\x03\0\0\x69\x01\0\0\x65\x03\x03U\x1c\xa7\xe4random1random2random3random4\0\0\x0c\0/\0\x0a\0\x13\x009\0\x04\0\xff\x01\0\0\x30\0\x0d\0,\0*\0\x01\0\x03\0\x02\x06\x01\x06\x03\x06\x02\x02\x01\x02\x03\x02\x02\x03\x01\x03\x03\x03\x02\x04\x01\x04\x03\x04\x02\x01\x01\x01\x03\x01\x02\x05\x01\x05\x03\x05\x02| 574 | rarity 5 575 | ports 443,444,465,636,989,990,992,993,994,995,1241,1311,2252,3389,4444,5061,6679,6697,8443,9001,30030 576 | #fallback WEB 577 | 578 | # SSLv3 - TLSv1.2 ServerHello 579 | match ssl m|^\x16\x03[\0-\x03]..\x02\0\0.\x03[\0-\x03]|s 580 | # SSLv3 - TLSv1.2 Alert 581 | match ssl m|^\x15\x03[\0-\x03]\0\x02[\x01\x02].$|s 582 | 583 | ##############################NEXT PROBE############################## 584 | # SSLv2-compatible ClientHello, 39 ciphers offered. 
585 | # Will elicit a ServerHello from most SSL implementations, apart from those 586 | # that are TLSv1-only or SSLv3-only. As it comes after the SSLv3 probe 587 | # (SSLSessionReq), its only added value is the detection of SSLv2-only servers. 588 | # SSLv2-only servers are rare so this probe has a high rarity. 589 | Probe TCP SSLv23SessionReq q|\x80\x9e\x01\x03\x01\x00u\x00\x00\x00 \x00\x00f\x00\x00e\x00\x00d\x00\x00c\x00\x00b\x00\x00:\x00\x009\x00\x008\x00\x005\x00\x004\x00\x003\x00\x002\x00\x00/\x00\x00\x1b\x00\x00\x1a\x00\x00\x19\x00\x00\x18\x00\x00\x17\x00\x00\x16\x00\x00\x15\x00\x00\x14\x00\x00\x13\x00\x00\x12\x00\x00\x11\x00\x00\n\x00\x00\t\x00\x00\x08\x00\x00\x06\x00\x00\x05\x00\x00\x04\x00\x00\x03\x07\x00\xc0\x06\x00@\x04\x00\x80\x03\x00\x80\x02\x00\x80\x01\x00\x80\x00\x00\x02\x00\x00\x01\xe4i<+\xf6\xd6\x9b\xbb\xd3\x81\x9f\xbf\x15\xc1@\xa5o\x14,M \xc4\xc7\xe0\xb6\xb0\xb2\x1f\xf9)\xe8\x98| 590 | 591 | rarity 5 592 | ports 443,444,465,548,636,989,990,992,993,994,995,1241,1311,2000,4444,5550,7210,7272,8009,8194,8443,9001,30030 593 | #fallback WEB 594 | 595 | # SSLv2 ServerHello 596 | match ssl m|^..\x04\0.\0\x02|s p/SSLv2/ 597 | 598 | # TLSv1 ServerHello, compatible with SSLv2: 599 | match ssl m|^\x16\x03\x01..\x02...\x03\x01|s p/TLSv1/ 600 | 601 | # SSLv3 ServerHello, compatible with SSLv2: 602 | match ssl m|^\x16\x03\0..\x02...\x03\0|s p/SSLv3/ 603 | 604 | # SSLv3 - TLSv1.2 Alert 605 | match ssl m|^\x15\x03[\0-\x03]\0\x02[\x01\x02].$|s 606 |
--------------------------------------------------------------------------------
/sap_ports.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
#
# Generate a list of SAP TCP ports
#
# based on reference document:
# https://help.sap.com/viewer/ports
#
# This code can be used to generate only specific SAP ports
# during a network scan
#
# -- gelim

import argparse
import sys
import re

help_desc='''
Script used to generate list of SAP services ports.
Main idea is to expand SAP notation '32NN' to a list of ports
3200, 3201, 3202, ...

Example of usage:
- Dump all SAP existing ports
$ sap_ports.py

- Know what kind of services this script proposes

$ sap_ports.py --verbose
Admin Services       | Start Service SSL            | 5NN14
Admin Services       | Start Service                | 5NN13
Admin Services       | SAPlpd                       | 515
Admin Services       | SDM                          | 5NN17,5NN18,5NN19
[...]

- Get details about specific port rule

$ sap_ports.py --verbose 33NN
ABAP AS              | Gateway                      | 33NN
Java Central Service | Enqueue Replication          | 33NN
Java Central Service | Gateway                      | 33NN

- Dump all SAP HANA ports for 10 first instances (00 to 09)
$ sap_ports.py --hana --instance 10

- Use this program combined with Nmap

$ nmap -p $(sap_ports.py) 10.3.3.7 -sV --open
Not shown: 4496 closed ports
PORT      STATE SERVICE         VERSION
1128/tcp  open  saphostcontrol  SAPHostControl
3201/tcp  open  sapjavaenq      SAP Enqueue Server
3301/tcp  open  sapgateway      SAP Gateway
3901/tcp  open  sapmsgserver    SAP Message Server
8101/tcp  open  sapms           SAP Message Server httpd release 745 (SID J45)
50000/tcp open  sapnetweawer2   SAP NetWeaver Application Server (Kernel version 7.45, Java version 7.50)
50004/tcp open  sapjavap4       SAP JAVA P4 (Potential internal IP 10.3.3.7)
50007/tcp open  tcpwrapped
50013/tcp open  sapstartservice SAP Maganement Console (SID J45, NR 00)
50014/tcp open  tcpwrapped
50020/tcp open  sapjoin         SAP Java Cluster Join Service
50021/tcp open  jdwp            Java Debug Wire Protocol (Reference Implementation) version 1.8 1.8.0_51
50113/tcp open  sapstartservice SAP Maganement Console (SID J45, NR 01)
50114/tcp open  tcpwrapped
Service Info: Host: java745
'''

# Port rules per SAP component. 'NN' stands for the two-digit instance number.
ports = { "ABAP AS": {"Dispatcher": "32NN",
                      "Gateway": "33NN",
                      "Gateway2": "48NN",
                      "ICM HTTP": ["80NN", "80"],
                      "ICM HTTPS": ["443NN", "443"],
                      "ICM SMTP": "25",
                      "ICM Admin": "650NN",
                      "Message Server": ["36NN", "39NN"],
                      "Message Server HTTP": "81NN",
                      "Message Server HTTPS": "444NN",
                      "Central System Log *UDP*": ["12NN", "13NN", "14NN", "15NN"],
          },
          "Java AS": {"HTTP": ["5NN00", "80"],
                      "HTTP over SSL": ["5NN01", "443"],
                      "IIOP initial context": "5NN02",
                      "IIOP over SSL": "5NN03",
                      "P4": "5NN04",
                      "P4 over HTTP": "5NN05",
                      "P4 over SSL": "5NN06",
                      "IIOP": "5NN07",
                      "Telnet": "5NN08",
                      "JMS": "5NN10",
                      "Server Join port": "5NN20",
                      "Server Debug Port": "5NN21"},
          "Java Central Service": {"Enqueue Server": "32NN",
                                   "Enqueue Replication": "33NN",
                                   "Enqueue Replication2": "5NN16",
                                   "Gateway": "33NN",
                                   "Gateway SNC": "48NN",
                                   "Message Server": "36NN",
                                   "Message Server HTTP": "81NN",
                                   "Message Server HTTPS": "444NN"},
          "Admin Services": {"SAPHostControl": "1128",
                             "SAPHostControl SSL": "1129",
                             "Start Service": "5NN13",
                             "Start Service SSL": "5NN14",
                             "SDM": ["5NN17", "5NN18", "5NN19"],
                             "SAP Router": "3299",
                             "NIping": "3298",
                             "SAPlpd": "515",
                             "DTR": "5NN15",
                             "IGS HTTP": "4NN80"
          },
          "TREX": {"RFC Server": "3NN07",
                   "Cruiser": "3NN08",
                   "Python Alert Server": "3NN11",
                   "Indexserver": "3NN16",},
          "HANA": {"SQL indexserver": "3NN15",
                   "SQL multitenant indexserver (41 to 98)": "3NN41",
                   "SQL statisserver": "3NN17",
                   "XS HTTP": "80NN",
                   "XS HTTPS": "43NN",
                   "Internal daemon": "3NN00",
                   "Internal nameserver": "3NN01",
                   "Internal preprocessor": "3NN02",
                   "Internal indexserver": "3NN03",
                   "Internal scriptserver": "3NN04",
                   "Internal statisserver": "3NN05",
                   "Internal webdispatcher": "3NN06",
                   "Internal xsengine": "3NN07",
                   "Internal compileserver": "3NN10",
                   "Internal indexservers": "3NN40",
                   "SAP support hdbrss": "3NN09",
                   "Internal diserver": "3NN25",
                   "xscontroller": "3NN29",
                   "xscontroller data access": "3NN30",
                   "xuaaserver": "3NN31",
                   "xscontroller authentication": "3NN32",
                   "XSA routing by hostnames": "3NN33",
                   "SAP HANA xscontroller app instances": ["510NN", "511NN", "512NN", "513NN", "514NN", "515NN"]},
          "SAP Business Suite": {"CSDM": "20201",
                                 "DCOM": "135",
                                 "Lotus Domino Connector 1": "62026",
                                 "Lotus Domino Connector 2": "62027",
                                 "Lotus Domino Connector 3": "62028",
                                 "Lotus Domino Connector 4": "62029",
          },
          "SAP Enterprise Threat Detection": {
              "ESP Web Service Provider": "9786",
              "SAP Enterprise Threat Detection": "10514",
              "Encrypted connection for all others providers (TLS)": "10443"
          },
          "Database":{
              "SAP ASE Database": "49NN",
              "MSSQL": "1433",
              "MaxDB": ["7200", "7210", "7269", "7270", "7575"],
              "Oracle Listener": "1527",
          },
          "SAP POS":{
              "Xpress Client": "2200",
              "Xpress Server telnet": "2202",
              "Store Data": "10000",
              "Messaging Client": "8300",
              "Mobile POS Think Client": "4NN0",
              "Mobile printer": "61NN",
              "Upgrade Server": ["4404", "4405"],
              "File Transfer Server": "8008",
              "Message Transfer Server": "8400"
          }
}

port_re = r'(\w+)(NN)(\w+)?'

# takes string '33NN' and returns list of str
# ['3300', '3301', ... '3399']
def expand_ports(port_rule, maxi=100):
    port_list = re.split(port_re, port_rule) # split list
    port_list = [e for e in port_list if e not in ['', None]] # clean list

    if len(port_list) > 1:
        temp_list = list()
        for i in range(0, maxi):
            port = ''.join(port_list)
            temp_list.append(port.replace('NN', '%.2d' % i))
        return temp_list
    else:
        return port_list

# expand every rule, de-duplicate and print in numeric order so that the
# output is stable from one run to the next
def generate_ports(p, maxi):
    merged_list = list()
    for e in p:
        merged_list += expand_ports(e, maxi)
    print(','.join(sorted(set(merged_list), key=int)))

# ssl=True skips the SSL/TLS variants of each service
def print_ports(flt=None, ssl=False):
    for ass in ports.keys():
        for proto in ports[ass].keys():
            if ssl:
                if 'ssl' in proto.lower() or 'https' in proto.lower() or 'tls' in proto.lower():
                    continue
            pl = ports[ass][proto]
            if isinstance(pl, list):
                k = ','.join(pl)
            else:
                k = pl
            # the filter matches the service name or the port rule itself,
            # so that '--verbose 33NN' works as shown in the help text
            if flt:
                if flt.lower() in proto.lower() or flt.lower() in k.lower():
                    print(("%s" % ass).ljust(20) + (" | %s" % proto).ljust(30) + " | %s" % k)
            else:
                print(("%s" % ass).ljust(20) + (" | %s" % proto).ljust(30) + " | %s" % k)

def list_add_or_merge(port_list, elem):
    if isinstance(elem, list):
        port_list += elem
    else:
        port_list.append(elem)
    return port_list

# Get subset of ports via root keys of main port dict
def get_ports_by_cat(asname, ssl=False):
    port_list = list()
    for proto in ports[asname]:
        if ssl:
            if 'ssl' in proto.lower() or 'https' in proto.lower():
                continue
        pl = ports[asname][proto]
        port_list = list_add_or_merge(port_list, pl)
    return port_list

# svc == keyword matching one of the keys of each application server
# used to match any specific protocol/service indicated as additional argument in command-line
# we walk the main 'port' dict, look for matching subkeys and stack up their port for further
# rendering
def get_ports_by_svc(svc, ssl=False):
    port_list = list()
    for ass in ports.keys():
        for proto in ports[ass].keys():
            if ssl:
                if 'ssl' in proto.lower() or 'https' in proto.lower():
                    continue
            if svc.lower() in proto.lower():
                pl = ports[ass][proto]
                port_list = list_add_or_merge(port_list, pl)
    return port_list

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description=help_desc,
                                     formatter_class=argparse.RawTextHelpFormatter)
    parser.add_argument('-a', '--abap', action='store_true', help='all ports available on ABAP AS')
    parser.add_argument('-j', '--java', action='store_true', help='all ports available on JAVA AS')
    parser.add_argument('-H', '--hana', action='store_true', help='all ports available on HANA AS')
    parser.add_argument('-p', '--pos', action='store_true', help='all ports available on SAP POS')
    parser.add_argument('-v', '--verbose', action='store_true', help='List ports in verbose way')
    parser.add_argument('-i', '--instance', default=100, type=int,
                        help='Set max instances number (default: 100)')
    parser.add_argument('arguments', metavar='arguments', nargs='*', help='additional parameters like port')
    args = parser.parse_args()

    ports_active = list()
    if args.instance > 100:
        print("Instance number can be maximum 100.")
        sys.exit(1)  # invalid argument: exit with a non-zero status

    if args.verbose:
        if args.arguments:
            print_ports(args.arguments[0])
        else:
            print_ports()
        sys.exit(0)
    # keyword mode
    if len(args.arguments) > 0:
        ports_active += get_ports_by_svc(args.arguments[0])
    if args.java:
        ports_active += get_ports_by_cat('Java AS')
    if args.abap:
        ports_active += get_ports_by_cat('ABAP AS')
    if args.hana:
        ports_active += get_ports_by_cat('HANA')
    if args.pos:
        ports_active += get_ports_by_cat('SAP POS')

    # select all ports if no filtering options are set
    if not args.java and not args.abap and not args.hana and not args.pos and not len(args.arguments):
        for k in ports.keys():
            ports_active += get_ports_by_cat(k)
    else:
        # always add the Admin services if we use the filtering options
        ports_active += get_ports_by_cat('Admin Services')
        ports_active += get_ports_by_cat('Database')

    generate_ports(ports_active, args.instance)
--------------------------------------------------------------------------------
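The inverse of `expand_ports`, as an added example that is not part of the repository: given an open port, it lists every `NN` rule that could explain it together with the instance number, which helps when reviewing scan results or firewall rules. `RULES` is a subset copied from the `ports` dict in `sap_ports.py`; the names `rule_to_regex`, `identify`, `instances_seen` and `SAMPLE_OPEN_PORTS` are assumptions of this example.

```python
import re

# Subset of the rules in the `ports` dict of sap_ports.py (copied, not complete).
RULES = {
    ("ABAP AS", "Dispatcher"): "32NN",
    ("ABAP AS", "Gateway"): "33NN",
    ("ABAP AS", "Message Server"): ["36NN", "39NN"],
    ("ABAP AS", "Message Server HTTP"): "81NN",
    ("Java AS", "HTTP"): ["5NN00", "80"],
    ("Java AS", "P4"): "5NN04",
    ("Java AS", "Server Join port"): "5NN20",
    ("Java AS", "Server Debug Port"): "5NN21",
    ("Java Central Service", "Enqueue Server"): "32NN",
    ("Java Central Service", "Gateway"): "33NN",
    ("Admin Services", "SAPHostControl"): "1128",
    ("Admin Services", "Start Service"): "5NN13",
    ("HANA", "SQL indexserver"): "3NN15",
}

# Some of the open ports from the sample scan in the script's help text.
SAMPLE_OPEN_PORTS = [1128, 3201, 3301, 3901, 8101,
                     50000, 50004, 50013, 50020, 50021, 50113]


def rule_to_regex(rule):
    """Turn '5NN13' into ^5(\\d{2})13$; a fixed port such as '1128' matches literally."""
    prefix, sep, suffix = rule.partition("NN")
    if not sep:
        return re.compile("^%s$" % re.escape(rule))
    return re.compile("^%s(\\d{2})%s$" % (re.escape(prefix), re.escape(suffix)))


def identify(port, max_instance=100):
    """Return sorted (category, service, rule, instance) candidates for a port.

    instance is None for fixed ports. max_instance mirrors --instance:
    only instance numbers 00 .. max_instance-1 are accepted.
    """
    hits = []
    for (category, service), rules in RULES.items():
        for rule in ([rules] if isinstance(rules, str) else rules):
            m = rule_to_regex(rule).match(str(port))
            if not m:
                continue
            instance = int(m.group(1)) if m.groups() else None
            if instance is not None and instance >= max_instance:
                continue
            hits.append((category, service, rule, instance))
    return sorted(hits, key=lambda h: h[:3])


def instances_seen(open_ports, max_instance=100):
    """Group open ports by the instance number their matching rules imply."""
    seen = {}
    for port in open_ports:
        for _, _, _, instance in identify(port, max_instance):
            if instance is not None:
                seen.setdefault(instance, set()).add(port)
    return {inst: sorted(p) for inst, p in sorted(seen.items())}


if __name__ == "__main__":
    for port in SAMPLE_OPEN_PORTS:
        for category, service, rule, instance in identify(port):
            nr = "--" if instance is None else "%02d" % instance
            print("%5d  NR %s  %-22s %-20s %s" % (port, nr, category, service, rule))
    print(instances_seen(SAMPLE_OPEN_PORTS))
```

Port 3201 comes back with two candidates (ABAP Dispatcher and Java Enqueue Server), so the port number alone does not settle which service is listening; the service probes are what disambiguate it.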