# Nmap service detection probe list -*- mode: fundamental; -*- # $Id: nmap-service-probes,v 1.42 2004/08/31 03:46:19 fyodor Exp $ # # This is a database of custom probes and expected responses that the # Nmap Security Scanner ( http://www.insecure.org/nmap/ ) uses to # identify what services (eg http, smtp, dns, etc.) are listening on # open ports. Contributions to this database are welcome. We hope to # create an automated submission system (as with OS fingerprints), but # for now you can email fyodor any new probes you develop so that he # can include them in the main Nmap distributon. By sending new # probe/matches to Fyodor or one the insecure.org development mailing # lists, it is assumed that you are transfering any and all copyright # interest in the data to Fyodor so that he can modify it, relicense # it, incorporate it into programs, etc. This is important because the # inability to relicense code has caused devastating problems for # other Free Software projects (such as KDE and NASM). Nmap will # always be available Open Source. If you wish to specify special # license conditions of your contributions, just say so when you send # them. # # This collection of probe data is (C) 2003 by Insecure.Com LLC It is # available for free use by open source software under the terms of # the GNU General Public License. We also license the data to # selected commercial/proprietary vendors under less restrictive # terms. Contact sales@insecure.com for more information. # # For details on how Nmap version detection works, why it was added, # the grammar of this file, and how to detect and contribute new # services, see our paper at # http://www.insecure.org/nmap/versionscan.html . # This is the NULL probe that just compares any banners given to us ##############################NEXT PROBE############################## Probe TCP NULL q|| # Wait for at least 5 seconds for data. Otherwise an Nmap default is used. totalwaitms 5000 match acap m|^\* ACAP \(IMPLEMENTATION \"CommuniGate Pro ACAP (\d[-.\w]+)\"\) | v/CommuniGate Pro ACAP server//for mail client preference sharing/ match aim m|^\*\x01..\0\x04\0\0\0\x01$|s v/Pyboticide AIM chat filter/// # AMANDA index server 2.4.2p2 on Linux 2.4 match amanda m|^220 [-.\w]+ AMANDA index server \((\d[-.\w ]+)\) ready\.\r\n| v/Amanda backup system index server/$1// # arkstats (part of arkeia-light 5.1.12 Backup server) on Linux 2.4.20 match arkstats m|^\0`\0\x03\0\0\0\x1810\x000\x000\x00852224\0\0\0\0\0\0\0\0\0\0\0| v/Arkeia arkstats/// match backdoorjeam m|^220 jeem\.mail\.pv ESMTP\r\n| v/Jeem backdoor//**BACKDOOR**/ # Bittorrent Client 3.2.1b on Linux 2.4.X match bittorent m|^\x13BitTorrent protocol\0\0\0\0\0\0\0\0| v/Bittorrent P2P client/// # BMC Software Patrol Agent 3.45 match bmc-softwarepatrol m|^\0\0\0\x17i\x02\x03..\0\x05\x02\0\x04\x02\x04\x03..\0\x03\x04\0\0\0\0\x01\x01\0| v/BMC Software Patrol Agent/// match chargen m|^!"#\$%\&'\(\)\*\+,-\./0123456789:;<=>\?\@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\\\]\^_`abcdefgh\r\n"#\$%\&'\(\)\*\+,-\./0123456789:;<=>\?\@ABCDEF| v/Linux chargen/// # Redhat 7.2, Xinetd 2.3.7 chargen match chargen m|^\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\\\]\^_`abcdefghijklmnopq\r\n\+,-\./| v/Xinetd chargen/// # Sun Solaris 9; Windows match chargen m|^\ !"#\$%&'\(\)\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\\\]\^_| # Citrix, Metaframe XP on Windows match citrix-ica m|^\x7f\x7fICA\0\x7f\x7fICA\0| v/Citrix Metaframe XP ICA/// match concertosendlog m|^Concerto Software\r\n\r\nEnsemblePro SendLog Server - Version (\d[-.\w]+)\r\n\r\nEnter Telnet Password\r\n#> | v/Concerto Software EnsemblePro CRM software SendLog Server/$1// match concertotimesync m|^Concerto Software\r\n\r\nContactPro TimeSync Server - Version (\d[-.\w]+)\r\n\r\nEnter Telnet Password\r\n#> | v/Concerto Software EnsemblePro CRM software TimeSync Server/$1// match cvspserver m|^no repository configured in /| v/CVS pserver//broken/ match cvspserver m|^/usr/sbin/cvs-pserver: line \d+: .*cvs: No such file or directory\n| v/CVS pserver//broken/ match cvsup m|^OK \d+ \d+ ([-.\w]+) CVSup server ready\n| v/CVSup/$1// match damewaremr m|^0\x11\0\0\0..\0......\r@\0\0\0\0\0\0\0\0\x01\0\0\0\x01\0\0\0\0\0\0\0.\0\0\0$|s v/DameWare Mini Remote Control//Windows/ # Linux match daytime m|^[0-3]\d [A-Z][A-Z][A-Z] 20\d\d \d\d:\d\d:\d\d \S+\r\n| # OpenBSD 3.2 match daytime m|^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} +\d\d:\d\d:\d\d 20\d\d\r\n| # Solaris 8,9 match daytime m|^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} +\d\d:\d\d:\d\d 20\d\d\n\r| v/Sun Solaris daytime/// # Windows daytime match daytime m|^\d+:\d\d:\d\d [AP]M \d+/\d+/200\d\n$| v/Microsoft Windows USA daytime/// # Windows daytime - UK english I think (no AM/PM) match daytime m|^\d{1,2}:\d{1,2}:\d{1,2} \d{1,2}/\d{1,2}/200\d\n$| v/Microsoft Windows daytime/// # Windows International daytime match daytime m|^\d\d:\d\d:\d\d \d\d.\d\d.200\d\n$| v/Microsoft Windows International daytime/// # New Zealand format daytime - Windows 2000 match daytime m|^[01]\d:\d\d:\d\d [AP]M [0-3]\d/[01]\d/0\d\n$| v/Microsoft Windows daytime//New Zealand style/ # HP-UX B.11.00 A inetd daytime match daytime m|^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d [A-Z]+ 200\d\r\n$| v/HP-UX daytime/// # Tardis 2000 v1.4 on NT match daytime m|^^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d 200\d $| v/Tardis 2000 daytime/// match dict m|^530 access denied\r\n$| v/dictd//access denied/ match dict m|^220 [-.\w]+ dictd ([-.\w/]+) on ([-.+ \w]+) | v/dictd/$1/on $2/ match directconnect m/^\$MyNick ([-.\w]+)|\$Lock/ v/Direct Connect P2P//User: $1/ match eggdrop m=^\r\n\r\n([-`|.\w]+) \(Eggdrop v(\d[-.\w]+) +\([cC]\) *1997.*\r\n\r\n= v/Eggdrop irc bot console/$2/botname: $1/ # This fallback is because many people customize their eggdrop # banners. This rule should always be well below the detailed rule # above. match eggdrop m|Copyright \(C\) 1997 Robey Pointer\r\n.*Eggheads| v/Eggdrop IRC bot console/// match finger m|\r\n {4}Line {5,8}User {6,8}Host\(s\) {13,18}Idle +Location\r\n| v/Cisco fingerd/// match ftp m|^220 [-/.+\w]+ FTP server \(SecureTransport (\d[-.\w]+)\) ready\.\r\n| v/Tumbleweed SecureTransport ftpd/$1// match ftp m|^220 3Com 3CDaemon FTP Server Version (\d[-.\w]+)\r\n| v/3Com 3CDaemon ftpd/$1// # GuildFTP 0.999.9 on Windows match ftp m|^220-GuildFTPd FTP Server \(c\) 1997-2002\r\n220-Version (\d[-.\w]+)\r\n220 Please enter your name:\r\n| v/Guild ftpd/$1/Windows/ # Medusa Async V1.21 [experimental] on Linux 2.4 match ftp m|^220 [-/.+\w]+ FTP server \(Medusa Async V(\d[^\)]+)\) ready\.\r\n| v/Medusa Async ftpd/$1// match ftp m|^220 [-/.+\w]+\((\d[-.\w]+)\) FTP server \(EPSON ([^\)]+)\) ready\.\r\n| v/Epson printer ftpd/$1/Epson $2/ match ftp m|^220 [-/.+\w]+ IBM TCP/IP for OS/2 - FTP Server ver \d+:\d+:\d+ on [A-Z]| v|IBM OS/2 ftpd||| match ftp m|^220 [-/.+\w]+ Lexmark ([-/.+\w]+) FTP Server (\d[-.\w]+) ready\.\r\n| v/Lexmark printerftpd/$2/Lexmark $1/ match ftp m|^220 Internet Rex (\d[-.\w ]+) \(([-/.+\w]+)\) FTP server awaiting your command\.\r\n| v/Internet Rex ftpd/$1/$2/ match ftp m|^220 [-.+\w]+ FTP server \(Version (\d[-.\w]+)\(([^\)]+)\) [A-Z][a-z][a-z] [A-Z].*200\d\) ready\.\r\n| v/HP-UX ftpd/$1/$2/ match ftp m|^530 Connection refused, unknown IP address\.\r\n$| v/Microsoft IIS ftpd//IP address rejected/ match ftp m|^220 PizzaSwitch FTP server ready\r\n| v/Xylan PizzaSwitch ftpd/// match ftp m|^220 [-.+\w]+ IronPort FTP server \(V(\d[-.\w]+)\) ready\.\r\n| v/IronPort mail appliance ftpd/// match ftp m|^220 WFTPD (\d[-.\w]+) service \(by Texas Imperial Software\) ready for new user\r\n| v/Texas Imperial Software WFTPD/$1// match ftp m|^220 [-.+\w]+ FTP server \(Version (MICRO-[-.\w:#+ ]+)\) ready\.\r\n| v/Bay Networks MicroAnnex terminal server ftpd/$1// match ftp m|^220 [-.+\w]+ FTP server \(Digital UNIX Version (\d[-.\w]+)\) ready\.\r\n| v/Digital UNIX ftpd/$1// match ftp m|^220 [-.+\w]+ FTP server \(Version [\d.]+\+Heimdal (\d[-+.\w ]+)\) ready\.\r\n| v/Heimdal Kerberized ftpd/$1// match ftp m|^500 OOPS: (could not bind listening IPv4 socket)\r\n$| v/vsftpd//broken: $1/ match ftp m|^500 00PS: vsftpd: (.*)\r\n| v/vsftpd//broken: $1/ match ftp m|^220-QTCP at [-.\w]+\r\n220| v|IBM OS/400 FTPd||| match ftp m|^220-FileZilla Server version (\d[-.\w ]+)\r\n| v/FileZilla ftpd/$1// # Netgear RP114 switch with integrated ftp server # Netgear RP114 match ftp m|^220 ([-\w]+)? FTP version 1\.0 ready at | v/Netgear broadband router ftpd/1.0// match ftp m|^220 [-.\w]+ FTP server \(GNU inetutils (\d[-.\w ]+)\) ready\.\r\n| v/GNU Inetutils FTPd/$1// match ftp m|^220 .* \(glftpd (\d[-.0-9a-zA-Z]+)_(\w+)(\+TLS)?\) ready\.\r\n| v/glFtpD/$1/platform: $2/ match ftp m|^220 [-.\w]+ FTP server \(FirstClass v(\d[-.\w]+)\) ready\.\r\n| v/FirstClass FTP server/$1// match ftp m|^220 [-.\w]+ FTP server \(Compaq Tru64 UNIX Version (\d[-.\w]+)\) ready\.\r\n| v/Compaq Tru64 ftp server/$1// match ftp m|^220 AXIS ([-.\w]+) FTP Network Print Server V(\d[-.\w]+) [A-Z][a-z]| v/Axis network print server ftpd/$2/Model $1/ match ftp m|^220-Cerberus FTP Server Personal Edition\r\n220-UNREGISTERED\r\n| v/Cerberus FTP Server//Personal Edition; Unregistered/ match ftp m|^220-GuildFTPd FTP Server \(c\) 2001\r\n220-Version (\d[-.\w]+)\r\n220 Please enter your name:\r\n| v/GuildFTPd/$1// match ftp m|^220 FTP print service:V-(\d[-.\w]+)/Use the network password for the ID if updating\.\r\n| v/Brother printer ftpd/$1// match ftp m|^220- APC FTP server ready\.\r\n220 \r\n$| v|APC ftp server||UPS/Power device| match ftp m|^220 [-\w]+ FTP server \(Version (\d.[.\d]+) ([A-Z][a-z]{2} [A-Z][a-z]{2} [0-9]+ [0-9:]+ .* [21][0-9]+)\) ready\.\r\n| v/HP-UX 10.x ftpd/$1// match ftp m|^220 [-\w]+ FTP server \(Version (\d[-.\w]+) [A-Z][a-z]{2} [A-Z][a-z]{2} .*\) ready\.\r\n| v/AIX ftpd/$1// match ftp m|^220[- ]Roxen FTP server running on Roxen (\d[-.\w]+)/Pike (\d[-.\w]+)\r\n| v/Roxen ftp server/$1/Pike $2/ # Debian packaged oftpd 0.3.6-51 on Linux 2.6.0-test4 Debian match ftp m|^220 Service ready for new user\.\r\n| v/oftpd/// # ProFTPd 1.2.5 match ftp m|^220 Server \(ProFTPD\) \[[-.\w]+\]\r\n| v/ProFTPd/// # Mac OS X Client 10.2.6 built-in ftpd match ftp m|^220[ -].*FTP server \(lukemftpd (\d[-. \w]+)\) ready\.\r\n|s v/LukemFTPD/$1/Mac OS X uses lukemftpd derivative/ match ftp m/^220.*Microsoft FTP Service \(Version (\d[^)]+)/ v/Microsoft ftpd/$1// # This lame version doesn't give a version number # Windows 2003 match ftp m/^220[ -]Microsoft FTP Service\r\n/ v/Microsoft ftpd/// match ftp m/^220 Serv-U FTP Server v(\d\S+) for WinSock ready/ v/Serv-U ftpd/$1// match ftp m/^220 Serv-U FTP-Server v(\d\S+) for WinSock ready/ v/Serv-U ftpd/$1// match ftp m/^220-Sambar FTP Server Version (\d\S+)\x0d\x0a/ v/Sambar ftpd/$1// # Sambar server V5.3 on Windows NT match ftp m|^220-FTP Server ready\r\n220-Use USER user@host for native FTP proxy\r\n220 Your FTP Session will expire after 300 seconds of inactivity\.\r\n| v/Sambar ftpd/// match ftp m/^220 JD FTP Server Ready/ v/HP JetDirect ftpd/// match ftp m/^220.*Check Point FireWall-1 Secure FTP server running on/s v/Check Point Firewall-1 ftpd/// match ftp m/^220[- ].*FTP server \(Version (wu-[-.\w]+)/s v/WU-FTPD/$1// match ftp m|^220-\r\n220 [-.\w]+ FTP server \(Version ([-.+\w()]+)\) ready\.\r\n$| v/WU-FTPD/$1// match ftp m|^220 [-.\w]+ FTP server \(Version ([-.+\w()]+)\) ready\.\r\n$| v/WU-FTPD/$1// match ftp m/^220 ProFTPD (\d\S+) Server/ v/ProFTPD/$1// match ftp m/^220.*ProFTP[dD].*Server ready/ v/ProFTPD/// match ftp m/^220.*NcFTPd Server / v/NcFTPd/// match ftp m/^220.*FTP server \(SunOS 5\.([789])\) ready/ v/Sun Solaris $1 ftpd/// match ftp m/^220.*FTP server \(SunOS (\S+)\) ready/ v/Sun SunOS ftpd/$1// match ftp m/^220-[-.\w]+ IBM FTP.*(V\d+R\d+)/ v|IBM OS/390 ftpd|$1|| match ftp m/^220 VxWorks \((\d[^)]+)\) FTP server ready/ v/VxWorks ftpd/$1// match ftp m/^220 VxWorks \(VxWorks(\d[^)]+)\) FTP server ready/ v/VxWorks ftpd/$1// match ftp m/^220.*Welcome to .*Pure-?FTPd (\d\S+\s*)/ v/PureFTPd/$1// match ftp m/^220.*Welcome to .*Pure-?FTPd[^(]+\r\n/ v/PureFTPd/// match ftp m/^220.*Bienvenue sur .*Pure-?FTPd (\d[-.\w]+)/ v/PureFTPd/$1// match ftp m/^220 ready, dude \(vsFTPd (\d[0-9.]+): beat me, break me\)\r\n/ v/vsFTPd/$1// match ftp m/^220 \(vsFTPd ([-.\w]+)\)\r\n$/ v/vsFTPd/$1// match ftp m/^220 TYPSoft FTP Server (\d\S+) ready\.\.\.\r\n/ v/TYPSoft ftpd/$1// match ftp m/^220-MegaBit Gear (\S+).*FTP server ready/ v/MegaBit Gear ftpd/$1// match ftp m/^220.*WS_FTP Server (\d\S+)/ v/WS FTPd/$1// match ftp m/^220 Features: a p \.\r\n$/ v/Publicfile ftpd/// match ftp m/^220 [-.\w]+ FTP server \(Version (\S+) VFTPD, based on Version (\S+)\) ready\.\r\n$/ v/Virtual FTPD/$1/based on $2/ match ftp m|220 [-.\w]+ FTP server \(Version (\S+)/OpenBSD, linux port (\S+)\) ready\.\r\n| v/OpenBSD ftpd/$1/Linux port $2/ match ftp m|^220 [-.\w]+ FTP server \(Version (\S+)/OpenBSD/Linux-ftpd-([-.\w]+)\) ready.\r\n$| v/OpenBSD ftpd/$1/Linux port $2/ match ftp m/^220 Interscan Version ([-\w.]+)/i v/Interscan Viruswall ftpd/$1// match ftp m|^220 InterScan FTP VirusWall NT (\d[-.\w]+) \(([-.\w]+) Mode\), Virus scan (\w+)\r\n$| v/Interscan VirusWall NT/$1/Virus scan $3; $2 mode/ match ftp m|^220 [-.\w]+ FTP server \(Version ([-.\w]+)/OpenBSD\) ready\.\r\n$| v/OpenBSD ftpd/$1// match ftp m|^220-Welcome to [A-Z]+ FTP Service\.\r\n220 All unauthorized access is logged\.\r\n$| v/FileZilla ftpd/// match ftp m|^220 [-.\w]+ FTP server \(Version (6.0\w+)\) ready.\r\n| v/FreeBSD ftpd/$1// # OpenBSD 3.4 beta running Pure-FTPd 1.0.16 with SSL/TLS match ftp m|^220---------- Welcome to Pure-FTPd \[privsep\] \[TLS\] ----------\r\n220-You are user number| v|Pure-FTPd||with SSL/TLS| match ftp m|^220---------- .* Pure-FTPd ----------\r\n220-| v/Pure-FTPd/// # Trolltech Troll-FTPD 1.28 (Only runs on Linux) match ftp m|^220-Setting memory limit to 1024\+1024kbytes\r\n220-Local time is now \d+:\d+ and the load is [.\d]+\.\r\n220 You will be disconnected after \d+ seconds of inactivity.\r\n$| v/Trolltech Troll-FTPd//on Linux/ match ftp m|^220 FTP server \(Hummingbird Ltd\. \(HCLFTPD\) Version (7.1.0.0)\) ready\.\r\n$| v/Hummingbird FTP server/$1// # Netware 6 - NWFTPD.NLM FTP Server Version 5.01w match ftp m|^220 Service Ready for new User\r\n$| v/Netware NWFTPD/// match ftp m|^220 ([-\w]+) FTP server \(NetWare (v[\d.]+)\) ready\.\r\n$| v/Novell Netware ftpd/$2// match ftp m|220 FTP Server for NW 3.1x, 4.xx \((v1.10)\), \(c\) 199[0-9] HellSoft\.\r\n$| v/HellSoft FTP server for Netware 3.1x, 4.x/$1// match ftp m|^220 [-.\w]+ MultiNet FTP Server Process V(\S+) at .+\r\n$| v/DEC OpenVMS MultiNet FTPd/$1// match ftp m|^220-\r\n220 [-.\w]+ FTP server \(NetBSD-ftpd ([-.\w]+)\) ready.\r\n$| v/NetBSD ftpd/$1// match ftp m|^220 ([-.\w]+) Network Management Card AOS v([-.\w]+) FTP server ready.\r\n$| v/APC AOS ftpd/$2/on APC $1 network management card/ # G-Net BB0060 ADSL Modem - the ftpd might be by "GlobespanVirata" as that # is what the telnetd on this device said. match ftp m|^220 FTP Server \(Version 1.0\) ready.\r\n$| v/G-Net DSL Modem ftpd/1.0// # HP-UX B.11.00 match ftp m|^220 [-.\w ]+ FTP server \(Version (1.1.2[.\d]+) [A-Z][a-z]{2} [A-Z][a-z]{2} .*\) ready.\r\n| v/HP-UX ftpd/$1// # 220 mirrors.midco.net FTP server ready. match ftp m|^220-.*\r\n WarFTPd (\d[-.\w]+) \([\w ]+\) Ready\r\n|s v/WarFTPd/$1// match ftp m|^220 Welcome to Windows FTP Server| v|Windows Ftp Server||Not from Microsoft - http://srv.nease.net/| match ftp-proxy m|^220 Ftp service of Jana-Server ready\r\n| v/JanaServer ftp proxy/// match ftp-proxy m|^220 [-.\w]+ FTP proxy \(Version (\d[-.\w]+)\) ready\.\r\n| v/Guantlet FTP proxy/$1// # Frox FTP Proxy (frox-0.6.5) on Linux 2.2.X - http://frox.sourceforge.net/ match ftp-proxy m|^220 Frox transparent ftp proxy\. Login with username\[@host\[:port\]\]\r\n| v/Frox ftp proxy/// match ftp-proxy m|^501 Proxy unable to contact ftp server\r\n| v/Frox ftp proxy/// match ftp-proxy m|^220 [-.+\w]+ FTP AnalogX Proxy (\d[-.\w]+) \(Release\) ready\r\n| v/AnalogX FTP proxy/$1// match ftp-proxy m|^220 Secure Gateway FTP server ready\.\r\n| v/Symantec Enterprise Firewall FTP proxy/// match ftp-proxy m/^220-Sidewinder ftp proxy\. You must login to the proxy first/ v/Sidewinder FTP proxy/// match ftp-proxy m/^220-\r\x0a220-Sidewinder ftp proxy/s v/Sidewinder FTP proxy/// softmatch ftp m/^220 [-.\w ]+ftp.*\r\n$/i softmatch ftp m/^220-[-.\w ]+ftp.*\r\n220/i softmatch ftp m/^220[- ].*ftp server.*\r\n/i match fw1-rlogin m|^\0Check Point FireWall-1 authenticated RLogin server running on [-.\w]+\r\n\r| v/Check Point FireWall-1 authenticated RLogin server/// match gnats m|^200 [-.\w]+ GNATS server (\d[-.\w]+) ready\.\r\n| v/GNATS bugtracking system/$1// # Returns ASCII data in the following format: # |HardDrive1DevName|HardDrive1HardwareID|HardDrive1Temp|TempUnit| # |HardDrive2DevName|HardDrive2HardwareID|HardDrive2Temp|TempUnit| match hddtemp m+^\|/dev/hd\w\|+ v/hddtemp hard drive info server/// # And now for some SORRY web servers that just blurt out an http "response" upon connection!!! match http m|^HTTP/1\.1 200 OK\r\nContent-type: text/html\r\nExpires: .*\r\nDate: .*\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\nJAP\n| v/Java Anonymous Proxy/// match http m|^HTTP/1.0 500\r\nContent-type: text/plain\r\n\r\nNo Scan Capable Devices Found\r\n| v/HP Embedded Web Server remote scan service//no scanner found/ # SMC Barricade 7004ABR match http m|^HTTP/1\.0 301 Moved\r\nLocation: http://\d+\.\d+\.\d+\.\d+:88\r\n| v/SMB Barricade broadband router//simply redirects to real web admin port 88/ match hp-gsg m|^220 JetDirect GGW server \(version (\d[.\d]+)\) ready\r\n| v/HP JetDirect Generic Scan Gateway/$1// match hylafax m|^220 [-.\w]+ server \(HylaFAX \(tm\) Version (\d[-.\w]+)\) ready\.\r\n$| v/HylaFAX/$1// # Hylafax 4.1.6 on Linux 2.4 match hylafax m|^130 Warning, client address \"[\d.]+\" is not listed for host name \"[-.\w]+\"\.\r\n| v/HylaFAX//IP unauthorized/ match ichat m|^\r\n Welcome To\r\n ichat ROOMS (\d[-.\w]+)\r\n==| v|^iChat Rooms|$1|| match ident m|^flock\(\) on closed filehandle .*midentd| v/midentd//broken/ match ident m|^nullidentd -- version (\d[-.\w]+)\nCopyright | v/Nullidentd/$1/broken/ match imap m|^\* OK [-/.+\w]+ Solstice \(tm\) Internet Mail Server \(tm\) (\d[-.\w]+) IMAP4 service - at | v/Sun Solstice Internet Mail Server imapd/$1// match imap m|^\* OK GroupWise IMAP4rev1 Server Ready\r\n| v/Novell GroupWise imapd/// match imap m|^\* OK dbmail imap \(protocol version 4r1\) server (\d[-.\w]+) ready to run\r\n| v/DBMail imapd/$1/imapd version may differ from overal dbmail version number/ match imap m|^\* OK [-.+\w]+ NetMail IMAP4 Agent server ready | v/Novell NetMail imapd/// match imap m|^\* OK IMAP4 Server \(IMail (\d[-.\w]+)\)\r\n| v/IMail imapd/$1// match imap m|^\* OK Merak (\d[-.\w]+) IMAP4rev1 | v/Merak Mail Server imapd/$1/Windows/ match imap m|^\* OK [-.+\w]+ IMAP4rev1 Mercury/32 v(\d[-.\w]+) server ready\.\r\n| v|Mercury/32 imapd|$1|Win32| match imap m|^\* OK [-.\w]+ IMAP4 service \(Netscape Messaging Server (\d[-.\w ]+) \(built ([\w ]+)\)\)\r\n| v/Netscape Messaging Server Imapd/$1/built $2/ match imap m|^\* OK \[CAPABILITY .*\] [-.\w]+ IMAP4rev1 (20[\w.]+) at | v/UW imapd/$1// match imap m|^\* OK eXtremail V(\d[-.\w]+) release (\d+) IMAP4 server started\r\n| v/eXtremail IMAP server/$1.$2// match imap m|^\* OK [-.\w]+ NetMail IMAP4 Agent server ready <.*>\r\n| v/Novell Netmail imapd/// # Alt-N MDaemon 6.5.1 imap server on Windows XP match imap m|^\* OK [-.\w]+ IMAP4rev1 MDaemon (\d[-.\w]+) ready\r\n| v/Alt-N MDaemon imapd/$1// # Dovecot IMAP Server - http://dovecot.procontrol.fi/ match imap m|^\* OK dovecot ready\.\r\n| v/Dovecot imapd/// # courier-0.36.1 match imap m|^\* OK Courier-IMAP ready\. Copyright 1998-2001 Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier Imap/0.36 - 1.4// # Courier-Imap 1.4.3-2.3 match imap m|^\* OK Courier-IMAP ready\. Copyright 1998-2002 Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier Imap/1.4 - 2.3// # Courier Imap 1.7.0 on Linux # Courier IMAP server 1.6.2 on Linux match imap m|\* OK Courier-IMAP ready\. Copyright 1998-2003 Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier Imap/1.6.X - 1.7.X// # Courier IMAP courier-imapd-0.42.0-1.7.3 # Courier IMAP 1.7.2 match imap m|^\* OK \[CAPABILITY IMAP4rev1 .*Courier-IMAP ready\. Copyright 1998-2003 Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier IMAP4rev1/1.7.X// # courier-imap 2.0.0.20030809 match imap m|^\* OK \[CAPABILITY IMAP4rev1\].*Courier-IMAP ready\. Copyright 1998-2003 Double Precision, Inc\. See COPYING for distribution information\.\r\n| v/Courier IMAP4rev1/2.0.X// # Courier IMAP 1.7.2 match imap m|\* OK \[CAPABILITY IMAP4rev1 CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA\] Courier-IMAP ready. Copyright 1998-2003 Double Precision, Inc. See COPYING for distribution information.\r\n$| v/Courier IMAP4rev1/1.7.2// match imap m|^\* OK CommuniGate Pro IMAP Server ([-.\w]+) at [-.\w]+ ready\r\n$| v/CommuniGate Pro imapd/$1// # W-Imapd-SSL v2001adebian-6 match imap m|^\* OK \[CAPABILITY IMAP4REV1 X-NETSCAPE LOGIN-REFERRALS STARTTLS AUTH=LOGIN\] \S+ IMAP4rev1 ([-.\w]+) at| v/UW-Imapd-SSL/$1// match imap m|^\* OK Domino IMAP4 Server Release (\d[-.\w]+) +ready| v/Lotus Domino imapd/$1// match imap m|^\* OK Microsoft Exchange IMAP4rev1 server version ([-.\w]+) | v/Microsoft Exchange IMAP4rev1 server/$1// match imap m|^\* OK Microsoft Exchange 2000 IMAP4rev1 server version (\d[-.\w]+) \([-.\w]+\) ready\.\r\n| v/Microsoft Exchange 2000 IMAP4rev1 server/$1// match imap m|^\* OK \[CAPABILITY IMAP4REV1 .*IMAP4rev1 (200\d\.[-.\w]+) at| v/UW Imapd/$1// match imap m|^\* OK [-.\w]+ Cyrus IMAP4 v([-.\w]+) server ready\r\n| v/Cyrus IMAP4 server/$1// match imap m|^\* OK Welcome to Binc IMAP v(\d[-.\w]+)| v/Binc IMAPd/$1// match imap m|^\* OK [-.\w]+ IMAP4rev1 AppleMailServer (\d[-.\w]+) ready\r\n| v/AppleMailServer imapd/$1// softmatch imap m/^\* OK [-.\w,:+ ]+imap[-.\w,:+ ]+\r\n$/i # Cyrus IMSPD match imsp m|^\* OK Cyrus IMSP version (\d[-.\w]+) ready\r\n$| v/Cyrus IMSPd/$1// # ircd-hybrid 7 on Linux match irc m|^NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\nNOTICE AUTH :\*\*\* Checking Ident\r\nNOTICE AUTH :\*\*\* Got Ident response\r\nNOTICE AUTH :\*\*\* Couldn't look up your hostname\r\n$| v/Hybrid ircd/// # Hybrid6/PTlink6.15.0 ircd on Linux match irc m|^NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\nNOTICE AUTH :\*\*\* Found your hostname\r\n$| v/Hybrid ircd/// # ircd 2.8/hybrid-6.3.1 on Linux match irc m|^NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\nNOTICE AUTH :\*\*\* Checking Ident\r\nNOTICE AUTH :\*\*\* No Ident response\r\nNOTICE AUTH :\*\*\* Found your hostname\r\n$| v/Hybrid ircd/// # ircd-hybrid-7.0 - apparently upset because Nmap reconnected too fast match irc m|^ERROR :Trying to reconnect too fast\.\r\n| v/Hybrid ircd/// # Hybrid-IRCD 7.0 on Linux 2.4 match irc m|^NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\nNOTICE AUTH :\*\*\* Checking Ident\r\nNOTICE AUTH :\*\*\* Found your hostname\r\nNOTICE AUTH :\*\*\* Got Ident response\r\n| v/Hybrid ircd/// # dircproxy 1.0.3 on Linux 2.4.x match irc-proxy m|^:dircproxy NOTICE AUTH :Looking up your hostname\.\.\.\r\n:dircproxy NOTICE AUTH :Got your hostname\.\r\n| v/dircproxy/// # Unreal IRCD Server version 3.2 beta 17 match irc m|^:[-.\w]+ NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\n| v/Unreal ircd/// # dancer-ircd 1.0.31+maint8-1 match irc m|^NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\nNOTICE AUTH :\*\*\* Checking ident\r\nNOTICE AUTH :\*\*\* No identd \(auth\) response\r\nNOTICE AUTH :\*\*\* Found your hostname\r\n$| v/Dancer ircd/// match irc m|^NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\r\nNOTICE AUTH :\*\*\* Found your hostname, welcome back\r\nNOTICE AUTH :\*\*\* Checking ident\r\nNOTICE AUTH :\*\*\* No identd \(auth\) response\r\n| v/Dancer ircd/// match irc m|^NOTICE AUTH :\*\*\* Checking Ident\r\nNOTICE AUTH :\*\*\* Got ident response\r\n| v/ircu Undernet IRCd/// # Bitlbee ircd 0.80 match irc m|^:[-.\w]+ NOTICE AUTH :BitlBee-IRCd initialized, please go on\r\n| v/BitlBee IRCd/// # PTlink6.15.2 on Linux 2.4 match irc m|^NOTICE AUTH :\*\*\* Hostname lookup disabled, using your numeric IP\r\nNOTICE AUTH :\*\*\* Checking Ident\r\n| v/PTlink ircd/// match irc m|^:[-.+\w]+ NOTICE AUTH :\*\*\* Looking up your hostname\.\.\.\n:[-.+\w]+ NOTICE AUTH :\*\*\* Checking Ident\n:[-.+\w]+ NOTICE AUTH :\*\*\* Found your hostname\n| v/Bahamut Dalnet ircd//derived from DreamForge and Hybrid/ match irc-proxy m|^:Welcome!psyBNC@lam3rz\.de NOTICE \* :psyBNC([-.\w]+)\r\n| v/psyBNC/$1// match issrealsecure m|^\0\0\0.\x08\x01\x03\x01\0.\x02\0\0..\0\0.\0\0\0..\0\0\x80\x04..\0.\0\xa0|s v/ISS RealSecure IDS//for Windows/ # ISS RealSecure Server Sensor for Windows 6.5 on Windows NT 4.0 Server SP6a # ISS RealSecure ServerSensor 7.0 on Windows 2000 Server # ISS RealSecure Server Sensor 6.0 on Windows NT 4.0 Server SP6a # ISS RealSecure Server Sensor 7.0 issdaemon on Microsoft Windows NT Workstation with SP6a match issrealsecure m|^\0\0\0.\x08\x01\x04\x01\0..\0\0..\0\0.\0\0\0f.\0\0\x80\x04..\0.\0\xa0\0\0\0\0\0.\0\0\xa4\0\0|s v/ISS RealSecure IDS ServerSensor/6.0 - 7.0/for Windows/ match klogin m|^\x01klogind: (All authentication systems disabled; connection refused)\.\.\r\n| v/MIT Kerberos klogin//broken - $1/ match lmtp m|^220 [-.\w]+ LMTP Cyrus v(\d[-.\w]+) ready\r\n| v/Cyrus Imap Daemon LMTP/$1// # LSMS VPN Firewall GUI admin port # LSMS Redundancy port match lucent-fwadm m|^0001;2$| v/Lucent Secure Management Server/// match meetingmaker m/^\xc1,$/ v/Meeting Maker calendaring/// match melange m|^\+\+\+Online\r\n>> Melange Chat Server \(Version (\d[-.\w]+)\), Apr-25-1999\r\n\nWelcome | v/Melange Chat Server/$1// # lopster 1.2.0.1 on Linux 1.1 match mserv m|^200 Mserv (\d[-.\w]+) \(c\) James Ponder 2000 - Type: USER \r\n\.\r\n| v/Mserv music server/$1// softmatch napster m|^1$| match netrek m|^<>=======================================================================<>\n Pl: Rank Name Login Host name Type\n| v/Netrek game server player information interface/// match mldonkey m|^\x06\0\0\0\0\0\x10\0\0\0-\0\0\0\x14\0\x02\0\0\0\x06\0Donkey\x01\x0c\0\./donkey\.ini\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x11\x02\0\0\x13\0\r\x02\n\n\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\n\n Welcome to MLdonkey \n| v/MLdonkey multi-network P2P GUI port/// match mldonkey m|^\xff\xfd\x1f\r\r\r\r\r\r\r\r\r\r\r\r\r\n\r\r\r\r\r\r\r\r\r\r\r\r\r\n\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\r\r\r\r\r\r\r\r\r\r\r\r\r\n\r\r\r\r\r\r\r\r\r\r\r\r\r\n Welcome to MLdonkey \r\r\r\r\r\r\r\r\r\r\r\r\r\n| v/MLdonkey multi-network P2P GUI port/// match mldonkey m|^\xff\xfd\x1fWelcome to MLdonkey\n\x1b\[34mWelcome on mldonkey command-line\x1b\[2;37;0m\n\nUse \x1b\[31m\?\x1b\[2;37;0m for help\n\n\x1b\[7mMLdonkey command-line:\x1b\[2;37;0m\n> | v/MLdonkey multi-network P2P server control port/// # Microsoft ActiveSync Version 3.7 Build 3083 (It's used for syncing # my ipaq it disapears when you remove the ipaq.) match msactivesync m|^\x16\0\x01\0\$\0U\0P\0T\0O\0D\0A\0T\0E\0\$\0\0\0$| v/Microsoft ActiveSync/// match mud m|^\n\r\xff\xfbUDo you want ANSI color\? \(Y/n\) $| v|ROM-based MUD||http://rrp.rom.org/| match mysql m/^.\0\0\0\xffj\x04Host .* is not allowed to connect to this MySQL server$/ v/MySQL//unauthorized/ match mysql m|^.\0\0\0\xffi\x04Host .* is blocked because of many connection errors\.| v/MySQL//blocked - too many connection errors/ # MySQL 4.0.13 match mysql m/^.\0\0\0...Al sistema '[-.\w]+' non e` consentita la connessione a questo server MySQL$/ v/MySQL/// match mysql m/^.\0\0\0.(3\.[-.\w]+)\0.*\x08\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0$/s v/MySQL/$1// match mysql m/^.\0\0\0\n(3\.[-.\w]+)\0...\0/s v/MySQL/$1// # r(NULL,2B,"'\0\0\0\n4.0.13\0\xdf\xbc\x02\0SC7)fHu5\0, \x08\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0") match mysql m/^.\0\0\0\n(4\.[-.\w]+)\0...\0/s v/MySQL/$1// # Hmmm ... http://seclists.org/lists/incidents/2002/Mar/0047.html # So "ncacn_http" may be used by multiple services. I'll take this # one out for now. # match ncacn_http m|^ncacn_http/([\d.]+)$| v/ncacn_http/$1// # NCD Thinstar 300 running NCD Software 2.31 build 6 match ncd-diag m|^WinCE/WBT Diagnostic port\n\rSerial Number: (\w+) MAC Address: 0000(\w+)\s+.*CPU info: ([ -.+\w/ ]+)\r\n.*(Windows CE Kernel[-.+:\w ]+)\r|s v|NCD Thinster Terminal Diagnostic port||Serial# $1; MAC: $2; CPU: $3; $4| match netdevil m|^pass_pleaz$| v/Net-Devil backdoor//Windows **TROJAN**/ match netsaint m|^Sorry, you \(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\) are not among the allowed hosts\.\.\.\n$| v/Netsaint status daemon/// # I love this service: match netstat m|^Active Internet connections \(servers and established\)\nProto Recv-Q Send-Q Local Address Foreign Address State \n| v/Linux Netstat/// match netstat m|^netstat: invalid option -- f\nusage: netstat \[-veenNcCF\]| v/Linux netstat//broken/ match nntp m|^nnrpd: invalid option -- S\nUsage error\.\n| v/INN NNTPd//broken/ match nntp m|^200 [-.\w]+ NNTP Service Ready - ([-.\w]+@[-.\w]+) \(DIABLO (\d[-.\w ]+)\)\r\n| v/Diablo NNTP service/$2/Admin: $1/ match nntp m|^200 NNTP Service (\d[-.\w ]+) Version: (\d[-.\w ]+) Posting Allowed \r\n| v/Microsoft NNTP Service/$2/posting ok/ match nntp m|^200 [-.\w]+ DNEWS Version (\d[-.\w]+).*posting OK \r\n| v/Netwinsite DNEWS/$1/posting OK/ match nntp m|^200 Leafnode NNTP Daemon, version (\d[-.\w]+) running at| v/Leafnode NNTPd/$1// match nntp m|^200 Lotus Domino NNTP Server for ([-./\w]+) \(Release (\d[-.\w]+), .*\) - Not OK to post\r\n$| v/Lotus Domino nntpd/$2/on $1; posting denied/ match nntp m|^200 Lotus Domino NNTP Server for ([-./\w]+) \(Release (\d[-.\w]+), .*\) - OK to post\r\n$| v/Lotus Domino nntpd/$2/on $1; posting ok/ softmatch nntp m|^200 [-\[\]\(\)!,/+:<>@.\w ]*nntp[-\[\]\(\)!,/+:<>@.\w ]*\r\n$| # Windows 2000 Server read: match nntp m|^200 NNTP Service 5\.00\.0984 Version: (5\.0\.2159.1) Posting Allowed \r\n| v/Microsoft NNTP Service/$1/posting OK/ match nntp m|^200 NNTP Service Microsoft\xae Internet Services \d[-.\w]+ Version: (\d[-.\w]+) Posting Allowed \r\n| v/Microsoft NNTP Service/$1/posting OK/ # Windows NT 4.0 SP5-SP6 match nntp m|^200 Microsoft Exchange Internet News Service Version (5\.5\.[.\d]+) \(posting allowed\)\r\n| v/Microsoft Exchange Internet News Service/$1/posting allowed/ #match nntp m|^200 [-.\w]+ InterNetNews NNRP server INN (\d[-.\w]+) ready \(posting ok\)\.\r\n| v/InterNetNews (INN)/$1/posting ok/ match nntp m|^200 [-.\w]+ InterNetNews NNRP server INN (\d[-.\w ]+) ready \(posting ok\)\.\r\n| v/InterNetNews (INN)/$1/posting ok/ match nntp m|^200 NNTP-Server Classic Hamster Vr\. \d[-.\w ]+ \(Build (\d[-.\w ]+)\) \(post ok\) says: Hi!\r\n| v/Classic Hamster NNTPd/$1/for Windows; posting ok/ # Windows 2000 Server Windows Media Unicast Service (NsUnicast) - Nsum.exe match nsunicast m|^4\0\0\0V4\x12\0\0\0\0\0\0\0\0\x004\0\0\0\x04\0\xf0\0\xd3\x07\t\0.\0.\0.\0.\0.\0..\0\0\0\0.\0\0\0.\0\0\0\x02\0|s v/Microsoft Windows Media Unicast Service//nsum.exe/ match nsunicast m|^[4f]\0\0\0V4\x12\0\0\0\0\0\0\0\0\x00[4f]\0\0\0.\0\xf0\0\xd3\x07\t\0.\0.\0.\0.\0.\0..\0\0\0\0.\0\0\0..\0\0.\0|s v/Microsoft Windows Media Unicast Service//nsum.exe/ match pcanywheredata m/^\0X\x08\0\}\x08\r\n\0\.\x08.*\.\.\.\r\n/s v/PCAnywhere/// match pbmasterd m|^pbmasterd(\d[-.\w]+)@[-.+\w]+: | v/Symark Power Broker pbmasterd/$1/privilege separation software/ match pblocald m|^pblocald(\d[-.\w]+)@[-.+\w]+: | v/Symark Power Broker pblocald/$1/privilege separation software/ match pksd m|^usage: [/\w]*/etc/pksd\.conf conf_file\n$| v/PGP Public Key Server//broken/ # UW POP2 server on Linux 2.4.18 match pop2 m|^\+ POP2 [-\[\].\w]+ v(20[-.\w]+) server ready\r\n$| v/UW POP2 server/$1// match pop3 m|^\+OK POP3 AnalogX Proxy (\d[-.\w]+) \(Release\) ready\.\n$| v/AnalogX POP3 proxy/$1// # Novell Groupwise 6.0.1 match pop3 m|^\+OK GroupWise POP3 server ready\r\n$| v/Novell GroupWise pop3d/// match pop3 m|^\+OK Ready when you are <200\d+\.| v/Hotmail Popper hotmail to pop3 gateway/// match pop3 m|^\+OK Internet Rex POP3 server ready <| v/Internet Rex Pop3 server/// match pop3 m|^\+OK DBMAIL pop3 server ready to rock <| v/DBMail pop3d/// match pop3 m|^\+OK POP3 POPFile \(v(\d[-.\w]+)\) server ready\r\n| v/popfile pop3d/$1// # Dots in Revision to prevent MY CVS from screwing it up match pop3 m|^\+OK [-.+\w]+ NetMail POP3 Agent \$Re..sion: ([\d.]+) \$\r\n| v/Novell NetMail pop3d//File revision: $1/ match pop3 m|^\+OK [-.+\w]+ Merak (\d[-.\w]+) POP3 | v/Merak mail server pop3d/$1// # Mercury/32 3.32 pop3 Server module on Windows XP match pop3 m|^\+OK <\d{6,10}\.\d{4,6}@[-.+\w]+>, POP3 server ready\.\r\n| v|Mercury/32 pop3d||Win32| # gnu/mailutils pop3d 0.3.2 on Linux match pop3 m|^\+OK POP3 Ready <\d{3,6}\.1[012]\d{8}@[-.\w]+>\r\n| v|GNU mailutils pop3d||| # Solid POP3 Server 0.15 on Linux 2.4 match pop3 m|^\+OK Solid POP3 server ready <\d{3,6}\.1[012]\d{8}@[-.\w]+>\r\n| v/Solid pop3d/// # Cyrus POP3 v2.0.16 match pop3 m|^\+OK [-.\w]+ Cyrus POP3 v(\d[-.\w]+) server ready\r\n| v/Cyrus pop3d/$1// # pop3d (GNU Mailutils 0.3) on Linux 2.4 match pop3 m|^\+OK POP3 Ready <\d{3,6}\.1[012]\d{8}@\w+>\r\n| v/GNU Mailutils pop3d/// # dovecot 0.99.10 on Linux 2.4 match pop3 m|^\+OK dovecot ready\.\r\n| v/Dovecot pop3d/// # teapop 0.3.5 on Linux 2.4 match pop3 m|^\+OK Teapop \[v(\d[-.\w ]+)\] - Teaspoon stirs around again .*\r\n| v/Teapop pop3d/$1// # Qpopper v4.0.5 on Linux 2.4.19 match pop3 m|^\+OK ready \r\n$| v/Qpopper pop3d/// # Jana Server 1.45 on WIn98 match pop3 m|^\+OK POP3 server ready \r\n| v/Jana POP3 server//Windows/ match pop3 m|^\+OK AppleMailServer (\d[-.\w]+) POP3 server at [-.\w]+ ready <\d| v/AppleMailServer pop3d/$1// match pop3 m|\+OK <10\d+\.\d+@[-.\w]+> \[XMail (\d[-.\w]+) \(([-./\w]+)\) POP3 Server\] service ready; | v/XMail pop3 server/$1/on $2/ # Mail-Enable pop3 server 1.704 match pop3 m|^\+OK Welcome to MailEnable POP3 Server\r\n| v/MailEnable POP3 Server/// match pop3 m|^\+OK [-.\w]+ running Eudora Internet Mail Server (\d[-.\w]+) <.*>\r\n| v/Eudora Internet Mail Server pop3d/$1// # Qpopper 4.0.3 on Linux # QPopper 4.0.4 FreeBSD match pop3 m|^\+OK ready <\d{1,5}\.10\d{8}@[-.\w]+>\r\n| v/Qualcomm Qpopper pop3d/// match pop3 m|^\+OK POP3 Welcome to GNU POP3 Server Version (\d[-.\w]+) <.*>\r\n| v/GNU POP3 Server/$1// match pop3 m|^\+OK eXtremail V(\d[-.\w]+) release (\d+) POP3 server ready <.*>\r\n| v/eXtremail pop3d/$1.$2// match pop3 m|^\+OK POP3 Welcome to vm-pop3d (\d[-.\w]+) <.*>\r\n| v/vm-pop3d/$1/derived from gnu-pop3d/ # tpop3d v1.4.2 on Linux - http://www.ex-parrot.com/~chris/tpop3d/ match pop3 m|^\+OK <[\da-f]{32}@[-.\w]+>\r\n| v/tpop3d/// match pop3 m|^\+OK UCB based pop server \(version (\d[-.\w]+) at sionisten\) starting\.\r\n| v/Heimdal kerberized pop3/$1/UCB-pop3 derived/ # VPOP3 (Virtual POP3 server) 2.0.0d on Windows 2000 match pop3 m|^\+OK VPOP3 Server Ready <.*>\r\n| v/PSCS VPop3/// match pop3 m|^\+OK Lotus Notes POP3 server version ([-.\w]+) ready .* on ([^/]+)/([^\.]+)\.\r\n| v/Lotus Domino POP3 server/$1/CN=$2;Org=$3/ match pop3 m|^\+OK Lotus Notes POP3 server version ([-.\w]+) ready on | v/Lotus Domino POP3 server/$1// match pop3 m|^\+OK POP3 hotwayd v(\d[-.\w]+) -> The POP3-HTTPMail Gateway\.| v/hotwayd pop3d/$1// match pop3 m|^\+OK [-.\w]+ POP3 service \(Netscape Messaging Server (\d[^(]+) \(built ([\w ]+)\)\)\r\n| v/Netscape Messenging Server pop3/$1/built on $2/ match pop3 m/^\+OK [-.\w]+ Cyrus POP3 v(\d[-.\w]+) server ready \r\n$/ v/qmail-pop3d/// # Courier Pop3 courier-pop3d-0.42.0-1.7.3 match pop3 m|^\+OK Hello there\.\r\n$| v/Courier pop3d/// match pop3 m|^\+OK ArGoSoft Mail Server Pro for WinNT/2000/XP, Version [-.\w]+ \(([-.\w]+)\)\r\n$| v/ArGoSoft Mail Server Pro pop3d/$1// match pop3 m/^\+OK [-.\w]+ VisNetic.MailServer.v([-.\w]+) POP3 / v/VisNetic MailServer pop3d/$1// match pop3 m/^\+OK [-.\w]+ POP3 server \(Post\.Office v([-.\w]+) release ([-.\w]+) with ZPOP version ([-.\w]+)\) ready / v|Post.Office pop3d|$1 release $2|w/ZPOP $3| match pop3 m/^\+OK CommuniGate Pro POP3 Server ([-.\w]+) ready/ v/CommuniGate Pro/$1// match pop3 m/^\+OK\r\n$/ v/Openwall popa3d/// match pop3 m|^\+OK [-.\w]+ MultiNet POP3 Server Process V(\S+) at| v/DEC OpenVMS MultiNet pop3d/$1// match pop3 m|^\+OK <.*>, MercuryP/NLM v(\d[-.\w]+) ready.\r\n$| v/Mercury POP3 server/$1/on Novell Netware/ match pop3 m|^\+OK Microsoft Windows POP3 Service Version 1.0 <| v/Microsoft Windows 2003 POP3 Service/1.0// match pop3 m|^\+OK POP3 [-.\w]+ v?(200\d\.[-.\w]+) server ready\r\n| v/UW Imap pop3 server/$1// match pop3 m|^\+OK POP3 server ready <\w{11}>\r\n$| v/WebSTAR pop-3 server/// match pop3 m|^\+OK TrendMicro IMSS (\d[-.\w ]+) POP3 Proxy at [-.\w]+\r\n| v/TrendMicro IMSS virus scanning POP3 proxy/$1// softmatch pop3 m|^\+OK [-\[\]\(\)!,/+:<>@.\w ]+\r\n$| # http://echelon.pl/pubs/poppassd.html # you give it username, present password and new password, and # it changes the password of the user. # poppassd 1.8.1 match pop3pw m|^200 ([-.\w]+ )?poppassd v(\d[-.\w]+) hello, who are you\?\r\n| v|Poppassd|$2|http://echelon.pl/pubs/poppassd.html| match pop3pw m|^200 courierpassd v(\d[-.\w]+) hello, who are you\?\r\n| v/Courierpassd pop3 password change daemon/// match pop3pw m|^200 [-.+\w]+ MercuryW PopPass server ready\.\r\n| v|Mercury/32 poppass service||Win32| match pop3pw m|^200 X1 NT-PWD Server [-.+\w]+ \(IMail (\d[-.\w]+)\)\r\n| v/IPSwitch Imail pop3 password change daemon/$1/Windows/ match pop3pw m|^200 CommuniGate Pro PWD Server (\d[-.\w]+) ready <| v/CommuniGate Pro pop3 password change daemon/$1// match pop3pw m|^\+OK ApplePasswordServer (\d[-.\w]+) password server at | v/ApplePasswordServer pop3 password change daemon/$1// match pmud m|^pmud (\d[-.\w]+) \d+\n| v|pmud||http://sf.net/projects/apmud| match printer m|^lpd \[@[-.\w]+\]: Print-services are not available to your host \([-.\w]+\)\.\n| v/BSD lpd//Unauthorized host/ # BSD lpr/lpd line printer spooling system (lpr v1:2000.05.07) on Linux 2.6.0-test5 match printer m|[-.\w]+: lpd: Your host does not have line printer access\n| v|BSD/Linux lpd||access denied| # Linux 2.4.18 lpr 2000.05.07-4.2 match printer m|^lpd: Host name for your address \(\d+\.\d+\.\d+\.\d+\) unknown\n$| v/Linux lpd//client IP must resolve/ match printer m|^([/\w]+/)?lpd: (.*)\n| v/lpd//error: $2/ # Windows QOTD service only has 12 services. Found on Windows XP in # %systemroot%\system32\drivers\etc\quotes match qotd m/^"(My spelling is Wobbly\.|Man can climb to the highest summits,|In Heaven an angel is nobody in particular\.|Assassination is the extreme form of censorship\.|When a stupid man is doing|We have no more right to consume happiness without|We want a few mad people now.|The secret of being miserable is to have leisure to|Here's the rule for bargains:|Oh the nerves, the nerves; the mysteries of this machine called man|A wonderful fact to reflect upon,|It was as true as taxes is\.)/ v/Windows qotd/// match quagga m|^\r\nHello, this is quagga \(version (\d[-.\w]+)\)\.\r\nCopyright 1996-200| v/Quagga routing software/$1/Derivative of GNU Zebra/ match razor2 m|^sn=\w&srl=\d+&ep4=[-\w]+&a=\w&a=\w+\r\n$| v/Vipul's Razor2 anti-spam service/// # Remote Console via RCONJ - RCONJ is a java utility that allows one # to remote console into a Novell server. It uses 2034 (unsecure) or # 2036 (secure) by default but can be changed. match rconj m|\0\x04\0\x01\0\0\0\0'_i\?\0\x08\0\x0b\0\0\0\0WABO\x00437| v/Novell rconj/// match resvc m|^\{0000004c\} NODEINFO \(5\) \{38\}Version: (\d[-.\w ]+) Microsoft Routing Server ready\r\n | v/Microsoft Exchange routing server/$1// # RedHat 7.3 - rsync server version 2.5.4 protocol version 26 # Redhat Linux 7.1 # rsync 2.5.5-0.1 with custom banner on Debian Woody match rsync m|^@RSYNCD: (\d+)| v///protocol version $1/ match sdmsvc m|^[\xaa\xff]$| v/LANDesk Software Distribution//sdmsvc.exe/ # Tumbleweed SecureTransport 4.1.1 Transaction Manager Secure Port on Solaris match securetransport m|^\x15\x03\x01\0\x02\x01\0$| v/Tumbleweed SecureTransport Transaction Manager Secure Port/// # http://www.ietf.org/internet-drafts/draft-martin-managesieve-04.txt match sieve m|^NO Fatal error: Error initializing actions\r\n$| v|Cyrus timsieved||included w/cyrus imap| match sieve m|^\"IMPLEMENTATION\" \"Cyrus timsieved v(\d[-.\w]+)\"\r\n| v|Cyrus timsieved||included w/cyrus imap| match sftp m|^\+Shiva SFTP Service\0$| v/Shiva LanRover SFTP service/// # HP-UX B.11.00 A 9000/785 match shell m|^\x01remshd: getservbyname\n$| v/HP-UX Remshd/// match smtp m|^220 [-/.+\w]+ SMTP AnalogX Proxy (\d[-.\w]+) \(Release\) ready\r\n| v/AnalogX SMTP proxy/$1// match smtp m|^220 [-/.+\w]+ MailGate ready for ESMTP on | v/MailGate smtpd//Windows/ match smtp m|^220 [-/.+\w]+ SMTP ready to roll\r\n| v/Hotmail Popper hotmail to smtp gateway/// match smtp m|^220 [-/.+\w]+ AvMailGate-(\d[-.\w]+)\r\n| v/AvMailGate smtp anti-virus mail gateway/$1// match smtp m|^220 ([-/.+\w]+) Internet Rex ESMTP daemon at your service\.\r\n| v/Internet Rex smtpd/// match smtp m|^220 [-.+\w]+ ESMTP NetIQ MailMarshal \(v(\d[-.\w]+)\) Ready\r\n| v/MailMarshal/$1// # I think the revision number is different than the official product version number # Dots in Revision to prevent MY CVS from screwing it up match smtp m|^220 [-.+\w]+ Novonyx SMTP ready \$Re..sion: ([\d.]+) \$\r\n| v|Novonyx Novell NetMail smtpd||Revision $1| match smtp m|^554-[-.+\w]+\.us\r\n554 Access denied\r\n$| v/IronPort appliance mail rejector/// match smtp m|^220 eSafe@[-.+\w]+ Service ready\r\n| v/eSafe anti-virus mail gatewal/// match smtp m|^220 [-.+\w]+ ESMTP Merak (\d[-.\w]+);| v/Merak Mail Server smtpd/$1/Windows/ match smtp m|^220 MERCUR SMTP-Server \(v([^)]+)\) for ([-.\w ]+) ready at | v/LAN-ACES MERCUR smtp server/$1/$2/ match smtp m|^220 [-.+\w]+ MasqMail (\d[-.\w]+) ESMTP\r\n| v/MasqMail smtpd/$1// # Cisco NetWorks ESMTP server IOS (tm) 5300 Software (C5300-IS-M) on Cisco 5300 Access Server match smtp m|^220 [-.+\w]+ Cisco NetWorks ESMTP server\r\n| v/Cisco IOS NetWorks smtp server/// match smtp m|^220 [-.+\w]+ Mercury/32 v(\d[-.\w]+) ESMTP server ready\.\r\n| v|Mercury/32 smtpd|$1|Win32| # Canon ImageRunner SMTP server (network scanner/copier/printer) match smtp m|^220 Canon[-.\w]+ ESMTP Ready\r\n| v/Canon printer smtp server/// # Exim 3.36 on Linux 2.4 blocking the given IP match smtp m|^554 SMTP service not available\r\n$| v/Exim smtpd//Serviced refused (IP block)/ # Jana Server 1.45 on Win98 match smtp m|^220 Jana-Server Simple Mail Transfer Service ready\r\n| v/Jana mail server//Windows/ match smtp m|^220 <10\d+\.\d+@[-.\w]+> \[XMail (\d[-.\w]+) \(([-./\w]+)\) ESMTP Server\] service ready; | v/XMail SMTP server/$1/on $2/ match smtp m|^220 [-.\w]+ FirstClass ESMTP Mail Server v(\d[-.\w]+) ready\r\n| v/FirstClass SMTP server/$1// match smtp m|^220 [-.\w]+ AppleMailServer (\d[-.\w]+) SMTP Server Ready\r\n| v/AppleMailServer/$1// match smtp m|^220 [-.\w]+ ESMTP CommuniGate Pro (\d[-.\w]+)\r\n| v/Communigate Pro SMTP/$1// match smtp m|^220[- ][-.\w]+ MailSite ESMTP Receiver Version (\d[-.\w]+) Ready\r\n| v/Rockliffe MailSite/$1// match smtp m|^220 [-.\w]+ eXtremail V(\d[-.\w]+) release (\d+) ESMTP server ready \.\.\.\r\n| v/eXtremail smtpd/$1.$2// match smtp m|^220 Welcome to [-.\w]+ - VisNetic MailScan ESMTP Server BUILD (\d[-.\w]+)\r\n| v/VisNetic MailScan ESMTP server/$1// # HP Service Desk 4.5 SMTP Server match smtp m|^220 [-.\w]+ service desk (\d[-.\w]+) SMTP Service Ready for input\.\r\n| v/HP Service Desk SMTP server/$1// # VPOP3 SMTP server 2.0.0d match smtp m|^220 [-.\w]+ VPOP3 SMTP Server Ready\r\n| v/PSCS VPOP3 mail server/// # CommuniGate Pro 4.1.3 on Mac OS X 10.2.6 match smtp m|^220 [-.\w]+ ESMTP CommuniGate Pro (\d[-.\w]+) is glad to see you!\r\n| v/CommuniGate Pro mail server/$1// match smtp m|^220[ -][-.\w]+ ESMTP MDaemon (\d[-.\w]+); | v/Alt-N MDaemon mail server/$1// match smtp m/^220 [-.+\w]+ \(IMail ([^)]+)\) NT-ESMTP Server/ v/IMail NT-ESMTP/$1// match smtp m/^220 X1 NT-ESMTP Server [-.+\w]+ \(IMail ([^)]+)\)\r\n/ v/IMail NT-ESMTP/$1// match smtp m/^220-[-.+\w]+ Microsoft SMTP MAIL ready at.*Version: ([-\w.]+)\r\n/ v/Microsoft SMTP/$1// match smtp m/^220 [-.+\w]+ Microsoft ESMTP MAIL Service, Version: ([-\w.]+) ready/ v/Microsoft ESMTP/$1// match smtp m/^220 [-.+\w]+ ESMTP Server \(Microsoft Exchange Internet Mail Service ([-\w.]+)\) ready/ v/Microsoft Exchange/$1// match smtp m/^220 [-.+\w]+ ESMTP Sendmail (\d[^;]+);/ v/Sendmail/$1// match smtp m|^220 [-.+\w]+ SMTP Sendmail ([-/.+\w]+)\r\n| v/Sendmail/$1// match smtp m|^220 [-.+\w]+ Sendmail (SMI-\S+) ready at .*\r\n$| v/Sendmail/$1// match smtp m/^220[- ][-.+\w]+ ESMTP Exim (\d\S+)/ v/Exim smtpd/$1// match smtp m/Failed to open configuration file.*exim/ v/Exim smtpd/// match smtp m/^220 CheckPoint FireWall-1 secure ESMTP server\r\n$/ v/Checkpoint FireWall-1 smtpd/// match smtp m/^220 CheckPoint FireWall-1 secure SMTP server\r\n$/ v/Checkpoint FireWall-1 smtpd/// match smtp m|^220 [-.+\w]+ running IBM AS/400 SMTP V([\w]+)| v|IBM AS/400 smtpd|$1|| match smtp m/^220 Trend Micro ESMTP ([-.+\w]+) ready\.\r\n$/ v/Trend Micro ESMTP/$1// match smtp m|^220 [-.+\w]+ ESMTP MailEnable Service, Version: (\d[.\w]+)-- ready at | v/MailEnable smptd/$1// match smtp m/^220 [-.+\w]+ ESMTP Mail Enable SMTP Service, Version: (\d[\w.]+)-- ready at/ v/MailEnable smptd/$1// match smtp m/^220 [-.+\w]+ ESMTP CPMTA-([-.+\w]+) - NO UCE\r\n/ v/CPMTA/$1/qmail-derived/ match smtp m|^220 [-.+\w]+ SMTP/smap Ready\.\r\n| v/Smap//from firewall toolkit/ match smtp m|^220 [-.+\w]+ ESMTP service \(Netscape Messaging Server ([-.+ \w]+) \(built| v/Netscape Messaging Server/$1// match smtp m|^220-InterScan Version (\S+) .*Ready\r\n220 [-.+\w]+ NTMail \(v([-.+\w]+)/.* ready| v/Trend Micro InterScan/$1/on NTMail $2/ match smtp m|^220 [-.\w]+ InterScan VirusWall NT ESMTP (\d[-.\w]+) \(build (\d+)\) ready at | v/Trend Micro InterScan VirusWall SMTP/$1 build $2// match smtp m|^220 [-.+\w]+ GroupWise Internet Agent (\S+) .*Novell, Inc\..*Ready\r\n| v/Novell GroupWise/$1// match smtp m|^220 Matrix SMTP Mail Server v([\w.]+) on Simple Mail Transfer Service Ready\r\n| v/Matrix SMTP Mail Server/$1/on Matrix $2/ match smtp m|^220 Net_sec WebShield SMTP V(\S+) Network Associates, Inc\. Ready at| v/Network Associates WebShield/$1// match smtp m|^220 [-.+\w]+ ESMTP MailMasher ready to boogie\r\n| v/MailMasher smtpd/// # 220 example.com ESMTP Postfix (2.0.13) (Mandrake Linux) match smtp m|^220 [-.\w]+ ESMTP Postfix \(([-.\w]+)\) \(([-.\w ]+)\)| v/Postfix smtpd/$1/$2/ # postfix 1.1.11-0.woody2 match smtp m|^220 [-.\w]+ ESMTP Postfix| v/Postfix smtpd/// match smtp m|^220 \*{10,40}\r\n| v|Cisco PIX sanatized smtpd||| match smtp m|^220 ArGoSoft Mail Server Pro for WinNT/2000/XP, Version [-.\w]+ \(([-.\w]+)\)\r\n| v/ArGoSoft Mail Server Pro/$1// match smtp m|^220 [-.\w]+ ESMTP server \(Post.Office v([-.\w]+) release ([-.\w]+) ID# | v/Post.Office/$1 release $2// match smtp m|^220 [-.\w]+ ESMTP VisNetic.MailServer.v([-.\w]+); | v/VisNetic MailServer/$1// # CommuniGate Pro 4.0.5 match smtp m|^220 [-.\w]+ ESMTP Service. Welcome.\r\n$| v/CommuniGate Pro smtpd/// match smtp m|^220 [-.\w]+ Process Software ESMTP service V([-.\w]+) ready| v/Process Software smtpd/$1/on OpenVMS/ match smtp m|^220 [-.\w]+ Mercury (\d[-.\w]+) ESMTP server ready\.\r\n$| v/Mercury Mail smtpd/$1// match smtp m|^220 [-.\w]+ ESMTP Service \(Lotus Domino Release (\d[-.\w]+)\) ready at | v/Lotus Domino smtpd/$1// match smtp m|^relaylock: Error: PRODUCT_ROOT_D not defined\nrelaylock: Error: PRODUCT_ROOT_D not defined\n1\n$| v/Plesk relaylock smtp wrapper//broken/ match smtp m|^220 [-.\w]+ WebSTAR Mail Simple Mail Transfer Service Ready\r\n| v/WebSTAR SMTP server/// match smtp m|^220 [-.\w]+ Lotus SMTP MTA Service Ready\r\n$| v/Lotus Notes SMTP/// match smtp m|^220 [-.\w]+ SMTP NAVGW (\d[-.\w]+);| v/Norton Antivirus Gateway NAVGW/$1// softmatch smtp m|^220 [-.\w ]+SMTP.*\r\n| match snpp m|^220 [-.\w]+ SNPP server \(HylaFAX \(tm\) Version ([-.\w]+)\) ready.\r\n| v/HylaFAX SNPP/$1// match snpp m|^220 QuickPage v(\d[-.\w]+) SNPP server ready at | v/QuickPage SNPP/$1// match sourceoffice m|^200\r\nProtocol-Version:(\d[.\d]+)\r\nMessage-ID:\d+\r\nDatabase .*\r\nContent-Length:\d+\r\n\r\n(\w:\\.*ini)\r\n\r\n| v/Sourcegear SourceOffSite//Protocol $1; INI file: $2/ match ssh m|^\0\0\0\$\0\0\0\0\x01\0\0\0\x1bNo host key is configured!\n\r!\"v| v/Foundry Networks switch sshd//broken: No host key configured/ match ssh m|^SSH-(\d[\d.]+)-SSF-(\d[-.\w]+)\n| v/SSF French SSH/$2/protocol $1/ match ssh m|^SSH-(\d[\d.]+)-lshd_(\d[-.\w]+) lsh - a free ssh\r\n\0\0| v/lshd secure shell/$2/protocol $1/ match ssh m/^SSH-([.\d]+)-OpenSSH[_-](\S+)/ v/OpenSSH/$2/protocol $1/ match ssh m/^SSH-([.\d]+)-Sun_SSH_(\S+)/ v/SunSSH/$2/protocol $1/ match ssh m/^SSH-([.\d]+)-meow roototkt by rebel/ v/meow SSH ROOTKIT//protocol $1/ match ssh m/^SSH-([.\d]+)-(\d+\.\d+\.\d+) SSH Secure Shell/ v/F-Secure SSH Secure Shell/$2/protocol $1/ match ssh m|^sshd: SSH Secure Shell (\d[-.\w]+) on ([-.\w]+)\nSSH-(\d[.\d]+)-| v/F-Secure SSH Secure Shell/$1/on $2; protocol $3/ match ssh m|^sshd: SSH Secure Shell (\d[-.\w]+) \(([^\r\n\)]+)\) on ([-.\w]+)\nSSH-(\d[.\d]+)-| v/F-Secure SSH Secure Shell/$1/$2; on $3; protocol $4/ match ssh m|^sshd2\[\d+\]: .*\r\nSSH-(\d[\d.]+)-(\d[-.\w]+) SSH Secure Shell \(([^\r\n\)]+)\)\r\n| v/F-Secure SSH Secure Shell/$2/protocol $1/ match ssh m/^SSH-([.\d]+)-(\d+\.\d+\.[-.\w]+)/ v/SSH/$2/protocol $1/ # Akamai hosted systems tend to run this - found on www.microsoft.com match ssh m|^SSH-(\d[.\d]*)-AKAMAI-I\n$| v/Akamai-I SSH//protocol $1/ match ssh m|^SSH-(\d[.\d]*)-Server-V\n$| v/Akamai-I SSH//protocol $1/ match ssh m|^SSH-(\d[.\d]*)-Server-VI\n$| v/Akamai-I SSH//protocol $1/ match ssh m|^SSH-(\d[.\d]+)-Cisco-(\d[.\d]+)\n$| v/Cisco SSH/$2/protocol $1/ match ssh m|^SSH-(\d[.\d]+)-SSH Protocol Compatible Server SCS (\d[-.\w]+)\n| v/NetScreen SCS sshd/$2/protocol $1/ match ssh m|^SSH-(\d[.\d]+)-VShell_(\d[._\d]+) VShell\r\n$| v/VanDyke VShell/$SUBST(2,"_",".")/protocol $1/ match ssh m/^SSH-([.\d]+)-(\d[-.\w]+) sshlib: WinSSHD (\d[-.\w]+)\r\n/ v/Bitvise WinSSHD/$3/protocol $1/ # Cisco VPN 3000 Concentrator # Cisco VPN Concentrator 3005 - Cisco Systems, Inc./VPN 3000 Concentrator Version 4.0.1.B Jun 20 2003 match ssh m/^SSH-([.\d]+)-OpenSSH\n$/ v/OpenSSH//protocol $1/ match ssh m/^SSH-([.\d]+)-([.\d]+) Radware\n$/ v/Radware Linkproof SSH/$2/protocol $1/ match ssh m|^SSH-1\.5-X\n| v/Cisco VPN Concentrator SSHd//protocol 1.5/ softmatch ssh m/^SSH-([.\d]+)-/ # Redhat Linux 7.1 - HAHAHAHAHAHA!!!! I love this service :) match systat m|^USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND\n| v/Linux systat/// # Draytek Vigor 2600 aDSL router match telnet m|^\xff\xfd\x18\xff\xfb\x01\n\r\n\rPassword: | v/Draytek Vigor aDSL router telnetd/// # IBM Infoprint 12 printer with JetDirect match telnet m|^\xff\xfc\x01\r\nPlease type \[Return\] two times, to initialize telnet configuration\r\nFor HELP type \"\?\"\r\n> | v/HP JetDirect printer telnetd/// # IBM High Performace Switch - Model 8275-416, Software version 1.1, Manufacturer IBM068 match telnet m|^\x1b\[1;1H\x1b\[2J\x1b\[8;38H\x1b\[1;1H\x1b\[2;1H\(C\) Copyright IBM Corp\. 1999\x1b\[3;1HAll Rights Reserved\.| v/IBM switch telnetd/// match telnet m|^\x1b\[H\x1b\[2JYou have connected to a FirstClass System\. Please login\.\.\.\r\nUserID: | v/FirstClass messaging system telnetd/// # Cisco Catalyst management console # 3Com 3Com SuperStack II Switch 3300 match telnet m|^\xff\xfd\x03\xff\xfb\x03\xff\xfb\x01| v|||Usually a Cisco/3com switch| match telnet m|^\xff\xfb\x03\xff\xfb\x01\r\nSun\(tm\) Advanced Lights Out Manager (\d[-.\w]+) \(v(\d+)\)\r\n\r\nPlease login: | v/Sun Advanced Lights Out Manager/$1/on Sun v$2; for remote system control/ # Epson Stylus Color 900N telnet match telnet m|^\xff\xfb\x01\xff\xfb\x01Connected to [-/.+\w]+!\r\n\r\nPassword: | v/Epson printer telnetd/// # This one may not technically be considered telnet protocol, but you seem to use it via telnet match telnet m|^220 SL4NT viewer service ready\r\n250 Currently connected channels: | v/Netal SLANT viewer/// match telnet m|^\xff\xfb\x03\xff\xfb\0\xff\xfb\0\xff\xfd\0\xff.*\r\rFrontDoor (\d[-.\w]+)/|s v/FrontDoor FIDONet Mailer telnetd/$1// match telnet m|^\xff\xfb\x01\xff\xfb\x03\r\nOK\r\n$| v/Motorola Vanguard router telnetd/// match telnet m|^\xff\xfb\x03\xff\xfd\x03\xff\xfc\x06.*\nPrecidia Technologies\r\n([-.+\w]+) Remote Configuration\r\n\nPassword\? |s v/Precidia serial2ethernet gateway telnetd//model $1/ match telnet m|^\xff\xfb\x01.*\n\rWelcome to the Xylan PizzaSwitch! Version (\d[-.\w]+)\n\rlogin : |s v/Xylan PizzaSwitch telnetd/$1// # Bay Networks Accelar 1100 (version 2.0.5.5) switch match telnet m|^\xff\xfb\x01\r\n\r\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\n\r\r\* Bay Networks,Inc\..*(Accelar [-.+\w]+).*Software Release (\d[-.\w]+) |s v/Bay Networks Accelar switch telnetd/$2/$1/ match telnet m|^\xff\xfb\x01\r\n\r\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\n\r\r\* Nortel Networks,Inc\..*\n\r\r\* Passport ([-.\w]+) .*\r\* Software Release (\d[-.\w]+) |s v/Nortel Networks Passport switch telnetd/$2/Passport $1/ # NCD Thinstar 300 running NCD Software 2.31 build 6 match telnet m|^\xff\xfb\x03\xff\xfd\x03\xff\xfb\x01WinCE/WBT Command Shell Version (\d[-.\w]+)\r\nSerial Number: (\w+) MAC Address: 0000(\w+)\r\nUUID: [-\w]+\r\nPassword: | v/NCD Thinster terminal command shell/$1/Serial# $2; MAC $3/ # Netopia 4542 aDSL router telnetd match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\x1b\[2J\x1b\[Hname:| v/Netopia aDSL router telnetd/// # NetportExpress PRO/100 3 port print server match telnet m|^\xff\xfb\x01\r\nNetportExpress\(tm\) ([-/.+\w]+)\r\n.*\r\n\r\nlogin: | v/Intel NetportExpress print server telnetd//Model $1/ # 3Com OfficeConnect 812 Router telnetd match telnet m|^login: \xff\xfd\x03\xff\xfb\x03\xff\xfb\x01| v/3Com OfficeConnect router telnetd/// # Nortel Networks Instant Internet 100 match telnet m|^\xff\xfb\x01\r\npassword: | v/Nortel Networks Instant Internet broadband router telnetd/// # Network Appliance ONTAP 6.3.3 telnet match telnet m|^\xff\xfb\x01\xff\xfd\x18\xff\xfd#| v/Network Appliance Ontap telnetd/// # Netgear RP114 broadband router match telnet m|^\xff\xfb\x03\xff\xfb\x01\r\nPassword: | v/Netgear broadband router admin telnetd/// match telnet m|\xff\xfd\x18\xff\xfb\x01\x1b\[2J\x1b\[\?7l\x1b.*HP ([-.\w]+) ProCurve Switch ([-.\w]+)\r\n\rFirmware revision ([-.\w]+)\r\n\r\r| v/HP ProCurve Switch telnetd//Model: $2; Firmware: $3/ match telnet m|^Check Point FireWall-1 Client Authentication Server running on [-.\w]+\r\n\r\xff\xfb\x01\xff\xfe\x01\xff\xfb\x03User: | v/Check Point FireWall-1 Client Authenticaton Server/// # Enterasys XP-8600 running E9.0.5.0 match telnet m|^\xff\xfb\x03\xff\xfd\x01\xff\xfd\x1f\xff\xfb\x05\xff\xfd!| v/Enterasys XSR Security Router telnetd/// # Windows 2000 telnetd match telnet m|^\xff\xfd%\xff\xfb\x01\xff\xfd\x03\xff\xfd\x1f\xff\xfd\0\xff\xfb\0$| v/Microsoft Windows 2000 telnetd/// match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfd\x1f\xff\xfd\0\xff\xfb\0Microsoft \(R\) Windows \(TM\) Version (\d[-.\w]+) \(Build (\d+)\)\r\nWelcome to Microsoft Telnet Service \r\nTelnet Server Build (\d[-.\w]+)\n\rlogin: | v/Microsoft Windows telnetd/$3/OS version $1 build $2/ # Windows XP telnetd match telnet m|^\xff\xfd%\xff\xfb\x01\xff\xfb\x03\xff\xfd'\xff\xfd\x1f\xff\xfd\0\xff\xfb\0| v/Microsoft Windows XP telnetd/// # IRIX 6.5.18f telnetd match telnet m|^\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd\$| v/IRIX telnetd/6.X// # OS 400 V4R4M0 # OS/400 V5R1M0 match telnet m|^\xff\xfd'\xff\xfd\x18$| v/IBM OS 400 telnetd/// # JetDirect Model: J4169A Firmware: L.21.11 match telnet m|^\xff\xfb\x03\xff\xfb\x01\x07HP JetDirect\r\nPassword is not set\r\n| v/HP JetDirect printer telnetd//No password/ # HP Jetdirect telnet with password protection match telnet m|^\xff\xfb\x03\xff\xfb\x01\x07HP JetDirect\r\n\r\nEnter username: | v/HP JetDirect printer telnetd/// # HP MPE/iX 5.5 on HP 3000 telnet service match telnet m|^\xff\xfd\x03\xff\xfb\x01\xff\xfd!| v|HP MPE/iX telnetd||| # Brother 1870N Printer match telnet m|^\x1b\[2J\x1b\[1;1f\xff\xfb\x01\xff\xfb\x03\xff\xfd\x03| v/Brother printer telnetd/// # AIX 4.3.3.0 match telnet m|^\xff\xfe%\xff\xfd\x18$| v/AIX telnetd/// match telnet m|^\r\nEfficient ([-.\w ]+) Router \(([-.\d/]+)\) v(\d[-.\w]+) Ready\r\n\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\xff\xfe\x01Login: | v/Efficient router telnetd/$3/Model $1 - $2/ # http://mldonkey.berlios.de/ # mldonkey-2.5-3 telnet port match telnet m|^\xff\xfd\x1f\n\n\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\n\n Welcome to MLdonkey \n| v/MLdonkey multi-network P2P admin port/// match telnet m|^\r\nRaptor Firewall Secure Gateway\.\r\n| v/Symantec Raptor firewall secure gateway telnetd/// match telnet m|^\r\nSynchronet BBS for Win32 Version (\d[-.\w]+)\r\n| v/Synchronet BBS/$1/on Win32/ match telnet m|^\xff\xfb\x01\xff\xfb\x03\r\nlogin: $| v/Orinoco WAP telnetd/// match telnet m|^\xff\xfd\x03\xff\xfb\x01\xff\xfb\x03\x1b\[1;1H\x1b\[2K\x1b\[2;1H\x1b\[2K\x1b\[3;1H\x1b.*Nortel Networks.*BayStack ([-.\w]+).*Versions: ([.: \w]+)|s v/Nortel Networks telnetd//Baystack $1; Versions: $2/ match telnet m|^\xff\xfb\x01\n\r\n.*Bay Networks (Bay[-.: \w]+)\n\r|s v/Bay Networks telnetd//$1/ match telnet m/^Check Point FireWall-1 authenticated Telnet server running on/ v/Check Point Firewall-1 telnetd/// match telnet m/^\r\nSpeedStream ([^(\r\n]+) \(.*\) v(\S+) Ready\r\n\xff\xfb\x01\xff\xfb\x03\xff\xfd/ v/SpeedStream $1/$2// # SpeedTouch 510 ADSL router - Admin Interface, version 4.0.2.0.0 match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfb\x01\xff\xfb\x03Username : | v/SpeedTouch DSL router admin interface/// match telnet m/^\r\nRaptor Firewall Secure Gateway\.\r\n\r\nAccess denied\.\r\n/ v/Symantec Raptor Firewall Secure Gateway telnetd//Access Denied/ match telnet m/^\*\*\*\*\*\*\* System Image Boot \*\*\*\*\*\*\*\n\r\n\rVina Technologies (.*) \((\d[-.\w]+ build \d+)\)\n\r/ v/Vina Technologies $1 telnetd/$2// match telnet m/^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\x1b\[0m\x1b\[2J\x1b\[01;00H\r\0Gigalink ([-+ \w]+)/ v/Gigalink telnetd//on $1/ match telnet m/^\xff\xfb\x03\xff\xfb.*D-Link.*Telnet Console.*Model\s+: ([-+\w]+)/s v/D-Link telnetd//on $1/ match telnet m|^\xff\xfb\x01\x1b\[0m\x1b\[2J\x1b\[0m\x1b\[9;20HCopyright\(C\) 1995-99 D-Link Systems Inc\.\x1b\[13;30HUser Name\x1b\[14;30HPassword\x1b\[23;10HMAC Address:\x1b\[8;29H([-.\w]+) Console Program\x1b\[13;41H| v/D-Link switch admin interface//D-Link $1/ match telnet m/^\xff\xfa\x18\x01\xff\xf0\xff\xfb\x01\xff\xfb\x03Ambit Cable Router\r\n\r\nLogin: / v/Ambit Cable Router telnetd/// match telnet m|^\xff\xfc\x01\r\nHP JetDirect\r\n\r\nPlease type \"?\" for HELP, or \"/\" for current settings\r\n> $| v/HP JetDirect telnetd/// match telnet m/^\n\rVina Technologies (.*) \((\d[-.\w]+ build \d+)\)/ v/Vina Technologies $1 telnetd/$2// match telnet m/^\xff\xfd\x03\xff\xfb\x03\xff\xfb\x01\x1b\[0m\x1b\[1;1H\x1b\[2J\rD\r \n\r (DES-.*) Command Line Interface\n\r\n/ v/D-Link $1 telnetd/// match telnet m/^\xff\xfb\x01\xff\xfb\x03\xff\xfc\x1f\n\r\n\rUser Access Verification\n\r\n\r\n\r\n\r\n\rShell version (\d\S+).*Maipu Communication Technology Co\./ v/Maipu Router//shell v$1/ match telnet m/^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x03\x1b.*Intel Corporation, ([-+. \w()]+)/s v/Intel telnetd//on $1/ match telnet m|^\r\nFlowPoint/(.*) Ready\r\n.*\xff\xfb\x01\xff\xfb| v/Flowpoint telnet//on $1/ match telnet m/Welcome to Tenor Multipath Switch Telnet Server.*Type: (\S+)/s v/Tenor telnetd/$1/on Multipath Switch/ match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\x0d\x0a\x0d\x0aCisco\x20Systems.*Console/Telnet Access of the ([-. \w]+) for Configuration Purposes|s v/Cisco $1 telnetd/// # Cisco 350 Series Wireless AP 11.05 match telnet m|^\xff\xfb\x01\n\r\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08 \x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08| v/Cisco WAP telnetd/// # Cisco 678 DSL router match telnet m|^\r\n\r\nUser Access Verification\r\nPassword:\xff\xfb\x01$| v/Cisco DSL router telnetd/// # Cisco 2900 Catalyst switch, IOS 12.0(5)XU # Cisco 3600 router running IOS 12.X # Cisco 2600 IOS 12.0 match telnet m/^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f.*User Access Verification\r\n\r\n(Username|Password): $/s v/Cisco telnetd//IOS 12.X/ # Cisco Pix 501 PIX IOS 6.3(1) telnet match telnet m/^\xff\xfb\x03\xff\xfb\x01\xff\xfb\x03\xff\xfb\x01.*\r\nUser Access Verification\r\n\r\nPassword: /s v/Cisco telnetd//IOS 6.X/ # Cisco Catalyst 6509 - WS-C6509 Software, Version NmpSW: 5.5(1) match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x01\r\n\r\nCisco Systems Console\r\n\r\n\r\n\r\n\r\nEnter password: | v/Cisco Catalyst switch telnetd/// match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f\r\n\r\nPassword required, but none set\r\n| v/Cisco router telnetd//password required but not set/ match telnet m|^Access not permitted\. Closing connection\.\.\.\n$|s v/Cisco catalyst switch telnetd//access denied/ match telnet m|^\xff\xfd\x18$| v/Cisco microswitch telnetd/// # OpenBSD 2.3 # FreeBSD 5.1 match telnet m|^\xff\xfd%$| v/BSD-derived telnetd/// # Solaris 9 match telnet m|^\xff\xfd\x18\xff\xfd\x1f\xff\xfd#\xff\xfd'\xff\xfd\$$| v/Sun Solaris telnetd/// # Redhat Linux 7.3 telnet match telnet m|\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'$| v/Linux telnetd/// match telnet m|^\xff\xfb\x01\n\rUser Name : $| v/APC network management card telnetd/// match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x03\n\rUser Name : | v|APC telnetd||Power/UPS device| # G-Net BB0060 ADSL Modem match telnet m|^\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\n\r \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\n\r.*GlobespanVirata Inc\., Software Release ([-.\w]+)\n\r|s v/GlobespanVirata telnetd/$1/on broadbrand router/ # HP-UX B.11.00 A match telnet m|^\xff\xfd\$$| v/HP-UX telnetd/// # Cayman-DSL Model 3220-H, DMT-ADSL (Alcatel) OS version 6.3.0 match telnet m|^\xff\xfb\x01\xff\xfb\x03\xff\xfe\x01\n\rlogin: $| v/Cayman-DSL router telnetd/// # Blue Coat Port 80 Security Appliance Model: Blue Coat SG400 Software Version: SGOS 2.1.6044 Software Release id: 19480 Service Pack 4 # Maybe I should call this SGOS telnetd instead match telnet m|^\xff\xfb\x03\xff\xfb\x01\xff\xfd\x1f\r\n\r\nUsername: $| v/Blue Coat telnetd/// match telnet m|^\xff\xfb\x01@ Userid: | v/Shiva LanRover telnetd/// # Netscreen ScreenOS 4.0.1r1.0 telnetd on a netscreen 5XT running firmware 4.0.1r1.0 match telnet m|^\xff\xfd\x18\xff\xfb\x01\xff\xfe\x01Remote Management Console\r\n\r\nlogin: $| v/Netscreen ScreenOS telnetd/// # Note that openwall telnetd is derived from OpenBSD telnetd match telnet m|^\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'\xff\xfd\$$| v|Openwall GNU/*/Linux telnetd||| match telnet m|^\xff\xfc\x01\r\nHP JetDirect\r\n\r\nPlease type \"\?\" for HELP, or \"/\" for current settings\r\n> $| v/HP Jet Direct printer telnetd/// # tinc 1.0.2-2 on Linux match tinc m|^0 \w+ 17\n| v/tinc vpn daemon/// match time m|^[\xc0-\xc5]...$| # Tiny Personal Firewall 2.0 match tinyfw m|^\x0f\0\n\0\x01\0\0\0\0\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xc0\x0ef7\xbb\x9bS\xfc\x86\xe4\x7f\x18\xb8\x97\x06 | v/Tiny Personal Firewall/2.0// # Kerio Personal Firewall 4.02 on Windows 2000, 4.0.11 on W2K SP4+ too (port 44xxx) match keriopfservice m|^\x12\0\x03\0\x04\0\0\0\0\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| v/Kerio PF 4 Service//maybe 4.0.2-11/ # Kerio PF 4.0.11 unregistered - GUI process (Port 1027-1200,44xxx? RPC?) on MS W2K SP4+ match keriopfgui m|^\x12\0\r\0\x03\0\0\0\0\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x9a\x20\xd0Z\x1e\x1b\xa3\*\xf2\xdd\xe2\(\xc3sp&\xda\xe4Yp\xdbET\xf9\x8cc\xc24\*Y\xbe\xb3\xba\xd6%\xf5\xb668\xad\xab>@D<\x01\xdd>\)\xdb\x18\xf55\xd1\xba\x96\x1c\x17\x17\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01\0\x01| v/Kerio PF 4 GUI//maybe 4.0.11/ # Kerio Personal Firewall 2.1.4 on Windows # Tiny Personal Firewall 2.0 # Kerio Personal Firewall, Firewall engine version 2.1.5 Driver version 3.0.0 on WinXP match tinyfw m|^\x0f\0\n\0\x01\0\0\0\0\x02\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| v/Kerio Personal Firewall/2.1.X/or Tiny Personal Firewall/ match ssl/vmware-auth m|^220 VMware Authentication Daemon Version (\d[-.\w]+): SSL Required\r\n| v/VMware Authentication Daemon/$1// match vnc m|^RFB 003.00(\d)\n$| v/VNC//protocol 3.$1/ match vtun m|^VTUN server ver (\d[-.\w /]+)\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| v/Vtun Virtual Tunnel/$1// match vtun m|^VTUN server ver \. (\d[-.\w /]+)\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0| v/Vtun Virtual Tunnel/$1// match winshell m/^Microsoft Windows ((2000)|(XP)|(NT 4\.0)) \[Version ([\d.]+)\]\r\n\(C\) Copyright 1985-20\d\d Microsoft Corp\.\r\n\r\n/ v/Microsoft Windows $1 $5 cmd.exe/// # CcXstream Media Server 1.0.15 on Linux - Uses XBMSP (X-Box Media Streaming Protocol) match xbmsp m|^XBMSP-1\.0 1\.0 CcXstream Media Server (\d[-.\w]+)\n| v/CcXstream Media Server/$1// # XFCE Desktop Version 3.99.4 From Gentoo 1.4 Ebuild on Linux 2.4.6 match xfce m|^\0\x01\0@\0\0\0\0| v/XFCE Desktop/// match zebra m|^\r\nHello, this is zebra \(version (\d[-.\w]+)\)\.\r\nCopyright 1996-20| v/GNU Zebra routing software/$1// match zebra m|^\r\nHello, this is zebra \(version (\d[-.\w]+)\)\.\r\nCopyright 200\d| v/GNU Zebra routing software/$1// match pcp m|^\0\0\0\x14\0\0p\0\0\0..\0\0\0\0\x02\x01\0\0| v/SGI Performance Co-Pilot/// match smtp m|^220 SPAM, we hates it.\r\n| v/Barracuda Spam firewall/// ##############################NEXT PROBE############################## Probe TCP GenericLines q|\r\n\r\n| ports 21,23,43,98,110,113,199,505,540,628,1040,1248,1467,1501,2010,3333,5432,5555,6112,6667-6670,11965,30444 # bnetd (PvPGN BnetD Mod version 1.5.0) on Debian GNU/Linux (sid) match bnetd m|^BOT or Telnet Connection from \[127\.0\.0\.1\]\r\n\r\nEnter your account name and password\.\r\nSorry, there is no guest account\.\r\n\r\nUsername: | v/PvPGN BnetD Mod/1.5.0// match bnetd m|^Username: $| v/bnetd open source Blizzard Battlenet server/// # bnetd server 0.4.25 on Linux # Cisco PIX 501 running PIX IOS 6.3(1) match ciscopsdm m|^\xc0\0\x01\0....\0\0\0\x03| v/Cisco PIX Secure Database Manager/// match crossmatchverifier m|^Idle\r\n$| v/Cross Match Technologies Verifier fingerprint capture control port/// # I think this type of eggdrop banner is only used when customized or such. match eggdrop m|^\r\nNickname\.\r\nSorry, that nickname format is invalid\.\r\n$| v/Eggdrop irc bot console/// # Alcatel Speedtouch ADSL Router match ftp m|^220 Inactivity timer = \d+ seconds\. Use 'site idle ' to change\.\r\n221 Goodbye \(badly formated command seen\)\. You uploaded 0 and downloaded 0 kbytes\.\r\n221 Goodbye \(badly formated command seen\)\. You uploaded 0 and downloaded 0 kbytes\.\r\n$| v/Alcatel Speedtouch aDSL router ftpd/// # bftpd 1.0.22 on Linux 2.4 match ftp m|^220 \r\n500 Unknown command: \"\"\r\n500 Unknown command: \"\"\r\n$| v/bftpd/// # Multitech MultiVoip 410 VoIP gateway match ftp m|^220 Service ready\r\n500 Unsupported command\r\n$| v/Multitech MultiVoip 410 VoIP gateway ftpd/// # NetportExpress PRO/100 3 port print server match ftp m|^220 FTP server ready\.\r\n530 access denied\.\r\n| v/Intel NetportExpress print server ftpd/// # D-Link Print Server internal FTP daemon (Firmware version 1.38) - D-Link Print Server DP-101 match ftp m|^220 FTP server ready\.\r\n501 Command not supported\.\r\n$| v/D-Link Printer Server ftpd/// match ftp m|^220 [-.\w]+ FTP server ready\.\r\n530 Please login with USER and PASS\.\r\n530 Please login with USER and PASS\.\r\n$| v/Solaris ftpd/// # vsftpd (Very Secure FTP Daemon) 1.0.0 on linux with custom ftpd_banner # We'll have to see if this match is unique enough match ftp m|^220 .*\r\n530 Please login with USER and PASS\.\r\n530 Please login with USER and PASS\.\r\n|s v/vsFTPd/// match ftp m|^220 [-.\w]+ FTP Server ready \.\.\.\r\n530 \r : User not logged in\. Please login with USER and PASS first\.\r\n530 \r : User not logged in\. Please login with USER and PASS first\.\r\n$| v/Bulletproof ftp server//Windows/ # BulletProof FTP 2.21 on Windows 2000 Server match ftp m|^220 ftp\r\n$| v/Bulletproof ftp server//Windows/ # WarFTP Daemon 1.70 on Win2K match ftp m|^220 [-.+\w]+ FTP SERVICE ready\r\n500 Please enter a command\. Dunno how to interperet empty lines\.\.\.\r\n500 Please enter a command\. Dunno how to interperet empty lines\.\.\.\r\n$| v/WarFTPd//Windows/ # GKrellM System Monitor 2.1.15 on Linux match gkrellm m|^\nBad connect string!| v/GKrellM System Monitor/// # Some web servers don't gie a 'Server: ' line for the Get request, but do for this probe. match http m|^HTTP/1\.1 400 .*\r\nServer: Microsoft-IIS/(\d[-.\w]+)\r\n| v/Microsoft IIS webserver/$1// # Icecast version: 1.9+2.0alphasn match http m|^HTTP/1\.0 401 Authentication Required\r\nWWW-Authenticate: Basic realm=\"Icecast2 Server\"\r\n\r\nYou need to authenticate\r\n| v/Icecast streaming media server/// # Network Flight Recorder v3.2 on Solaris 8 (sparc) match http m|^HTTP/1\.0 400 Bad request\r\n\r\n$| v/Network Flight Recorder IDS/// # Cisco 350 Series 802.11 AP match http m|^HTTP/1\.0 400 Bad Request\r\nServer: thttpd/(\d[-.\w ]+)\r\n| v/thttpd/$1// match icecast m|^HTTP/1\.0 200 OK\r\nServer: icecast/(\d[-.\w]+)\r\n| v|Shoutcast/Icecast streaming audio|$1|| # slident 0.0.19 match ident m|^0, 0: ERROR: UNKNOWN-ERROR\n$| v/slident/// # mlidentd 1.1 on Linux match ident m|^0,0:ERROR:UNKNOWN-ERROR\r\n$| v/mlidentd/// # OpenBSD 3.2 identd # May apply to Linux too -- need to investigate further. match ident m|^0 , 0 : ERROR : UNKNOWN-ERROR\r\n$| v/OpenBSD identd/// # FreeBSD 4.8-RC inetd internal identd match ident m|^0 , 0 : ERROR : INVALID-PORT\r\n$| v/FreeBSD identd/// # pidentd-3.1a19-157 match ident m|^ : ERROR : UNKNOWN-ERROR\r\n$| v/pidentd/// match ident m|^0, 0 : ERROR : X-INVALID-REQUEST\r\n$| v/Minidentd/// # http://packages.debian.org/unstable/net/ident2.html match ident m|^0 , 0 : ERROR : INVALID-PORT\r\n0 , 0 : ERROR : INVALID-PORT\r\n$| v/Ident2/// # midentd 2.3.1 on Linux match ident m|^0, 0 : ERROR : INVALID-PORT\r\n| v/midentd/// #midentd 2.1 on Linux 2.4.21 match ident m|^0,0 : ERROR : INVALID-PORT\r\n| v/midentd/// # Broken inetd configuration # <27>Dec 19 17:37:37 inetd\[28433\]: execv /usr/openv/netbackup/bin/bpjava-msvc: No such file or directory match inetd m|^<\d+>[A-Z][a-z][a-z] +\d+ \d+:\d+:\d+ inetd\[\d+\]: execv (/[-.\\/\w]+): (\w[\s-\w.,]+)$| v/inetd//failed to exec $1: $2/ # Diverse IRC bot match ircbot m|^ \r\nSorry, that nickname format is invalid\.\r\r\n$| v/Diverse IRC bot/// # Part of Linux net-snmp-5.0.6-17 match linuxconf m|^500 access denied: Check networking/linuxconf network access\r\n$| v/Linuxconf//Access denied/ # Linuxconf 1.26r4 match linuxconf m|^500 access denied: Check config/networking/misc/linuxconf network access\r\n

\r\nBy default,| v/Linuxconf//Access denied/ # Netsaint Status Daemon 2.15 match netsaint m|^Unknown command\n$| v/Netsaint Status Daemon/// # NSClient - http://nsclient.ready2run.nl/ match nsclient m|^ERROR:Wrong password$| v/Netsaint Windows Client/// match omniback m|^HP OpenView OmniBack II ([-.\w]+): INET, | v/HP OpenView OmniBack/$1// # Mercury/32 3.32 PH Server module on Windows XP match ph-addressbook m|^598::Command not recognized\.\r\n598::Command not recognized\.\r\n$| v|Mercury/32 PH addressbook server||Win32| match pop3 m|^\+OK POP3 [-.+\w]+ v(\d[-.\w]+) server ready\r\n| v/ipop3d/$1// # iopd 2003debian0.0304182231-1 match pop3 m|^\+OK POP3 \[[-.\w]+\] v(200[-.\w]+) server ready\r\n-ERR Null command\r\n-ERR Null command\r\n| v/ipopd/$1// # Solid POP3d 0.15 match pop3 m|^\+OK Solid POP3 server ready\r\n-ERR unknown command\r\n-ERR unknown command\r\n$| v/Solid POP3d/// # OS 400 V4R4M0 match pop3 m|^\+OK POP3 server ready\r\n-ERR invalid command\r\n$| v/IBM OS 400 pop3d/// # mailgate v3.5.177 on Win2K match pop3 m|^\+OK pop server ready\r\n$| v/MailGate pop3d//Windows/ # Postgres 7.1.3 match postgresql m|^EInvalid packet length\0$| v/PostgreSQL DB/// # postgresql-7.2.3-5.73; linux 2.4.20-18.7 redhat 7.3 match postgresql m|^EFATAL 1: invalid length of startup packet\n\0| v/PostgreSQL DB/// # Postfix qmqpd on Linux 2.4 match qmqp m|^58:Dnetstring format error while receiving QMQP packet header,$| v/Postfix qmqpd//Quick Mail Queueing Protocol/ # Ximian Red Carpet Daemon 1.4.4 on RedHat Linux 9.0 match redcarpet m|^Status: 400 Bad Request\r\nContent-Length: 0\r\n\r\n| v/Ximian Red Carpet Daemon/// match smux m|^A\x01\x02$| v/Linux SNMP multiplexer/// # Solaris 9 match uucp m|^login: Please enter user name: Password: $| v/Solaris uucpd/// match ups m|^32\r $| v/Cyber Power PowerPanelPlus UPS Server//Windows/ match whois m|^% No entries found for the selected source\(s\)\.\n$| v/Merit IRRD whoisd/// match zebedee m|^\x02\x01$| v/Zebedee encrypted tunnel/// match bmc-perform-service m|^SDPACK$| v/BMC Perform Service Daemon/// ##############################NEXT PROBE############################## Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n| ports 70,79,80-85,88,113,139,143,280,497,515,540,554,631,783,993,995,1220,1503,2030,3052,3128,3372,3531,3689,5000,5432,5800,5900,6699,7070,8000-8010,8080-8085,8880-8888,9090,9999,10000,10005,11371,13722,15000,40193,4711 sslports 443 # Kerio PF 4.0.11 unregistered - Service process (Port 44xxx?) on MS W2K SP4+ match keriopfservice m|^(HTTP/1\.0) 200 OK\r\nServer: Kerio Personal Firewall\r\n| v/Kerio PF 4 Service//$1/ match backupexecra m|^\xf6\xff\xff\xff\x10\0\0\0\0\0\0\0\0\0\0\0$| v/Veritas BackupExec Remote Agent/// match dantzretrospect m|^\0\xca\0\0\0\0\0\x04\0\0\0\0$| v/Dantz Retrospect/6.0// match dnet-keyproxy m|^HTTP/1\.0 302 Found\r\nLocation: http://www\.distributed\.net/\r\n\r\n$| v/Distributed.Net HTTP Keyproxy/// # Digital UNIX 5.6 match finger m|^Login name: / \t\t\tIn real life: \?\?\?\r\n\r\nLogin name: GET \t\t\tIn real life: \?\?\?\r\n\r\nLogin name: HTTP/1\.0 \t\t\tIn real life: \?\?\?\r\n$| v/Digital UNIX fingerd/// # Internet Rex v2.67 Beta 1a match finger m|^No such user No such user N\n$| v/Internet Rex finger server/// # FreeBSD 4.9-STABLE /usr/libexec/fingerd/ match finger m|^finger: /: no such user\nfinger: GET: no such user\nfinger: HTTP/1\.0: no such user\n$| v/FreeBSD fingerd/// # Bay Networks Micro Annex Comm. Server R10.0 match finger m|^No such activity\.\r\n$| v/Bay Networks Micro Annex terminal server fingerd/// # Mercury/32 3.32 Finger Server module on Windows XP match finger m|^GET / HTTP/1\.0 is not known at this site\.\r\n$| v|Mercury/32 fingerd||Win32| # ffingerd 1.28 match finger m|^That user does not want to be fingered\.\n$| v/ffingerd/// # Finger 0.17 from debian linux (which is from Linux netkit I believe) # OpenBSD 2.3 match finger m|^finger: GET: no such user\.\nfinger: /: no such user\.\nfinger: HTTP/1\.0: no such user\.\n$| v|BSD/Linux fingerd||| # Linux port of in.fingerd from OpenBSD network tools - started with -w to show welcome banner match finger m|^\r\nWelcome to Linux version (\d[-.\w]+) at [-.\w]+ !\r\n\n.*(\d+) user.*\n\r\nfinger: GET: no such user\.\nfinger: /: no such user\.\nfinger: HTTP/1\.0: no such user\.\n| v/OpenBSD fingerd//ported to Linux; Linux version $1; $2 users logged in/ # Redhat Linux from finger-server-0.17-9 RPM match finger m|^finger: GET: no such user.\r\nfinger: /: no such user.\r\nfinger: HTTP/1.0: no such user.\r\n$| v/Linux fingerd/// # NetBSD 1.6ZA (berkeley fingerd 8.1 sibling) match finger m|^finger: GET: no such user\nfinger: /: no such user\nfinger: HTTP/1\.0: no such user\n$| v/NetBSD fingerd/// # Solaris 9 match finger m|^Login Name TTY Idle When Where\r\nGET \?\?\?\r\n/ \?\?\?\r\nHTTP/1\.0 \?\?\?\r\n$| v/Sun Solaris fingerd/// # mlfingerd 1.1 match finger m|^Information for user 'GET\+20\+2F\+20HTTP\+2F1\.0':\r\nUnknown user\.\r\n$| v/mlfingerd/// # SGI IRIX 6.5.18f finger match finger m|^Login name: GET \t\t\tIn real life: \?\?\?\r\n$| v/SGI IRIX fingerd/// match gnutella m|^HTTP/1\.[01] 404 Not Found\r\nServer: gtk-gnutella/(\d[-.\w]+) \(([^\)\r\n]+)\)\r\n| v/gtk-gnutella P2P client/$1/$2/ # LimeWire 3.5.8 on Suse Linux 8.1 match gnutella m|^HTTP/1\.1 406 Not Acceptable\r\n$| v/LimeWire Gnutella P2P client/// match gnutella m|^HTTP/1\.0 200\r\nServer: Mutella\r\n| v/Mutella Gnutella P2P client/// match gnutella m|^HTTP/1\.1 404 Not Found\r\nServer: giFT-Gnutella/(\d[-.\w]+)\r\n| v/GiFT P2P client gnutella module/$1// match gopher m|^HTTP/1\.0 200 Ok\r\nMIME-Version: 1\.0\r\nServer: GopherWEB/(\d[-.\w]+)\r\n| v/Internet Gopher Server//Gopher+ protocol; GopherWeb $1/ match http m|^HTTP/1\.0 401 Unauthorized\r\nPragma: no-cache\r\nContent-type: text/html\r\nWWW-Authenticate: Basic realm=\"Login to the Router Web Configurator\"\r\n\r\n\n \n 401 Unauthorized\n \n\n\n

| v/Draytek Vigor aDSL router webadmin/// match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: webfs/(\d[-.\w]+)\r\n| v/WebFS httpd/$1// match http m|^HTTP/1\.0 200 OK\r\nConnection: Keep-Alive\r\nContent-Type: text/html\r\nContent-Length: \d+\r\n\r\n\n\n\n\n\n\n\n.*PhaserLink| v/Tektronix Phaser printer webadmin//Ebedded Spyglass MicroServer $1/ match http m|^HTTP/1\.0 401 Unauthorized\r\nServer: 3Com/v(\d[-.\w]+)\r\nWWW-Authenticate:Basic realm=\"device\"\r\n| v/3Com switch webadmin/$1// match http m|^HTTP/1\.0 401 Unauthorized\nDate: .*\nServer: Acme\.Serve/v(\d[-.\w ]+)\nConnection: close\nExpires: .*\nWWW-Authenticate: Basic realm=\"PowerChute network shutdown\"\n|s v/APC Powerchute UPS web management//Embedded Acme.Serv $1/ match http m|^HTTP/1\.0 302 Found\r\nLocation: /index\.htm\r\n\r\n| v/Alcatal Speedtouch aDSL router webadmin/// match http m|^HTTP/1\.0 404 Not Found\r\nServer: pks_www/(\d[-.\w]+)\r\n| v/OpenPGP public key server/$1// match http m|^HTTP/1\.0 401 Unauthorized\r\nServer: Apache/0\.6\.5\r\nPragma: no-cache\r\nContent-type: text/html\r\nWWW-Authenticate: Basic realm=\"System Setup\"\r\n| v/BenQ AWL wireless router webadmin/// # Orinoco bg-2000 Access Point match http m|^HTTP/1\.1 401 Unauthorized\r\nServer: Agranat-EmWeb/R5_2_6\r\nWWW-Authenticate: Basic realm=\"gateway\"\r\n| v/Orinoco WAP webadmin//Embedded webserver: Agranat-EmWeb 5.2.6/ # ORiNOCO AP-600 match http m|^HTTP/1\.1 401 Unauthorized\r\nServer: Virata-EmWeb/R5_3_0\r\nWWW-Authenticate: Basic realm=\"Access-Product\"\r\n| v/Orinoco WAP webadmin//Embedded webserver: Virata-EmWeb 5.3.0/ match http m|^HTTP/1\.0 200 OK\nServer: stats\.mod/(\d[-.\w]+)\n| v/Eggdrop stats.mod web statistics module/$1// match http m|^HTTP/1\.1 200 OK\r\nServer: PPR-httpd/(\d[-.\w]+)\r\n| v/PPR print spooling daemon ppradmin/$1// match http m|^HTTP/1\.1 200 OK\r\nDate: .*\r\nServer: RAC_ONE_HTTP (\d[-.\w]+)\r\n| v/Dell Embedded Remote Access card webserver/$1// match http m|^HTTP/1\.0 200 OK\r\nContent-Type: text/html\r\n\r\n<HTML>\r\n<HEAD>\r\n<TITLE>EpsonNet WebAssist Rev\.(\d[-.\w]+)| v/EpsonNet WebAssist printer configuration/$1// match http m|^HTTP/1\.0 200 OK\r\nContent-Type: text/html\r\n\r\n\r\nLexmark ([-/.+\w]+)| v/Lexmark printer webadmin//Lexmark $1/ match http m|^HTTP/1\.0 200 OK\nServer: III (\d[-.\w]+)\n| v/Innovative Interfaces Innopac httpd/$1// match http m|^HTTP/1\.0 401 Unauthorized\r\nContent-type: text/html\r\nWWW-Authenticate: Basic realm=\"CISCO_WEB\"\r\n| v/Cisco DSL router webadmin/// match http m|^HTTP/1\.0 \d\d\d .*\r\nRAKeepAliveHeader: \.\r\n| v/RemotelyAnywhere remote PC management webserver/// match http m|^HTTP/1\.0 \d\d\d .*\r\nDate: .*\r\nServer: Ipswitch-IMail/(\d[-.\w]+)\r\n| v/IPSwitch IMail web service/// match http m|^HTTP/1\.0 200 OK\r\nContent-type: text/html\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\nAuthentication Form

Client Authentication Remote Service| v/Check Point Firewall-1 Client Authentication webserver/// match http m|^HTTP/1\.0 404 Not Found\r\nDate: .*\r\nServer: Check Point SVN foundation\r\n| v/Check Point Firewall-1 SVN foundation service/// match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: HP-UX_Apache-based_Web_Server/(\d[-.\w]+) (.*)\r\n| v/HP-UX httpd/$1/Apache derived; $2/ match http m|^HTTP/1\.1 302 Moved\r\nContent-type: text/html\r\nConnection: close\r\nLocation: /1[012]\d{8}/l\r\n\r\n

Document| v/Novell NetMail ModWeb webmail/// match http m/^GIF89a\xa8\0-\0\xf7\0\0\x03\x03\x03\x83\x83\x83\xc4\xc4\xc4\xfe\x02\x02\xc9\x85c\x85|\xb5\xe2\xe2\xe2\xca\xa2\x8e\xd4RRCCC\xdeb\"\xa5\xa5\xa5\xe7\xc5/ v/Tweak XP web advertisement blocker/// # Management interface for Xerox Phaser 5400, a laser printer. match http m|^HTTP/1\.1 200 OK\r\nContent-Type: text/html\r\nDate: .*\r\nExpires: .*\r\nLast-Modified: .*\r\nPragma: no-cache\r\nServer: Allegro-Software-RomPager/(\d[-.\w]+)\r\n\r\n\n|s v/HP Web Jetwebadmin/$1/framework.ini: $2/ match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: HP Web Jetadmin/(\d[-.\w]+) (.*)\r\n| v/HP Web Jetadmin print server/$1/$2/ match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: HP-Web-JetAdmin-(\d[-.\w]+)\r\n| v/HP Web Jetadmin print server/$1// match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: Tomcat Web Server/(\d[-.\w ]+) \( ([^)]+) \)\r\n|s v/Apache Tomcat webserver/$1/$2/ match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: Tomcat Web Server/(\d[-.\w ]+)\r\n\r\n|s v/Apache Tomcat webserver/$1// match http m|^HTTP/1\.0 \d\d\d .*\r\nServlet-Engine: Tomcat Web Server/(\d[-.\w]+) \(([^\)]+)\)\r\n|s v/Apache Tomcat webserver/$1/$2/ match 3dm-http m|^HTTP/1\.0 200 OK\r\nServer: 3ware/(\d[-.\w]+)\r\n.*3ware 3DM - No remote access|s v/3Ware 3DM Raid Daemon/$1/Access denied/ match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: publicfile| v/publicfile httpd/// match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+) ([^\r\n]+)|s v/Apache httpd/$1/$2/ match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Apache/(\d[-.\w]+)\r\n.*X-Powered-By: ([^\r\n]+)\r\n|s v/Apache httpd/$1/$2/ match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Apache/(\d[-.\w]+)\r\n|s v/Apache httpd/$1// # apache 1.3.26-0woody3 or Apache 2.0.45 match http m|^HTTP/1\.[01] \d\d\d.*\r\nDate: .*\r\nServer: Apache\r\n| v/Apache httpd/// match http m|^HTTP/1\.[01] \d\d\d.*\r\nDate: .*\r\nServer: Apache +\(([^\r\n\)]+)\)\r\n| v/Apache httpd//$1/ match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: IBM_HTTP_Server/(\d[-.\w]+) (Apache/.*)\r\n| v/IBM HTTP Server/$1/Based on $2/ match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: Apache-AdvancedExtranetServer/(\d[-.\w]+) \(Mandrake Linux/[-.\w]+\) (.*)\r\n| v/Apache Advanced Extranet Server httpd/$1/Mandrake Linux; $2/ match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: Apache-AdvancedExtranetServer/(\d[-.\w]+) \(Mandrake Linux/[-.\w]+\)\r\n| v/Apache Advanced Extranet Server httpd/$1/Mandrake Linux/ match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: Apache-AdvancedExtranetServer/(\d[-.\w]+) \(Linux-Mandrake/[-.\w]+\)\r\n| v/Apache Advanced Extranet Server httpd/$1/Mandrake Linux/ match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: Apache-AdvancedExtranetServer/(\d[-.\w]+)\r\n| v/Apache Advanced Extranet Server httpd/$1/Mandrake Linux/ match http m|^HTTP/1.[10] \d\d\d.*\r\nDate:.*\r\nServer: Stronghold/([-.\w]+) Apache/([-.\w]+)| v/Apache Stronghold httpd/$1/based on Apache $2/ match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Apache Tomcat/(\d[-.\w]+)|s v/Apache Tomcat/$1// match http m|^HTTP/1\.1 \d\d\d.*\r\nServer: Apache[- ]Coyote/(\d[-\d.]+)\r\n|s v|Apache Tomcat/Coyote JSP engine|$1|| match http m|^HTTP/1\.1.*\r\nServer: Netscape-Enterprise/([-.\w]+)\r\n| v/Netscape Enterprise httpd/$1// match http m|^HTTP/1\.[01].*\r\nServer: Microsoft-IIS/([-.\w]+)\r\n|s v/Microsoft IIS webserver/$1// match http m|^HTTP/1\.0 200 OK\r\nDate: .+\r\nServer: Tomcat/([-.\w]+)\r\nContent-Type: text/html\r\nContent-Length: \d+\r\nServlet-Engine: Tomcat/[-.\w]+ \(Java ([-.\w]+); SunOS ([-.\w]+) (\w+); java\.vendor=Sun Microsystems Inc\.\)\r\n| v/Solaris management console server//SunOS $3 $4; Java $2; Tomcat $1/ match http m|^HTTP/1\.1 200 OK\r\n.+Server: CommuniGatePro/([-.\w]+)\r\n|s v/CommuniGate Pro httpd/$1// match http m|^HTTP/1\.0 \d\d\d .*\r\nDate: .*\r\nServer: DSS ([-.\w]+) Admin Server/([-.\w]+)| v/DarwinStreamingServer/$1/Admin Server $2/ match http m|^HTTP/1\.0 \d\d\d .*\r\nDate: .*\r\nServer: QTSS (\d[-.\w]+) Admin Server/(\d[-.\w]+)\r\n| v/Apple QTSS Admin Server/$2/from QTSS $2/ match http m|^HTTP/1\.0 200 OK\r\nServer: fnord/(\d[-.\w]+)\r\n| v/Fnord httpd/$1// match http m|^HTTP/1\.0 404 Not Found\r\nContent-Type: text/html\r\nConnection: close\r\n\r\nNot FoundThis host is not served here\.$| v/Fnord httpd/// match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: MiniServ/0.01\r\n|s v/Webmin httpd/// match http m|^HTTP/1.1 200 OK\r\nServer: NetWare-Enterprise-Web-Server/([-.\w]+)\r\n| v/Novell Netware enterprise web server/$1// match http m|^HTTP/1.1 302 Object Moved Temporarily\r\nServer: NetWare HTTP Stack\r\n| v/Novell Netware HTTP Stack//HTTPSTK.NLM/ match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: HTTPd-WASD/([-.\w]+) OpenVMS/VAX\r\n| v|HTTPd-WASD|$1|on OpenVMS/VAX)| match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Lotus-Domino/Release-(\d[-.\w]+)\r\n| v/Lotus Domino httpd/$1// match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Lotus-Domino/(\d[-.\w]+)\r\n| v/Lotus Domino httpd/$1// match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Lotus-Domino(/0)?\r\n| v/Lotus Domino httpd/// # G-Net BB0060 ADSL Modem (I'm not sure this is GlobespanVirata, but that is # what the telnetd on this device said). match http m|^HTTP/1.1 302 Document Follows\r\nLocation: /hag/pages/home.ssi\r\n\r\n$| v/GlobespanVirata httpd//on broadband router/ match http m|^HTTP/1.0 200 OK\r\nServer:HTTP/1.0\r\n.*Hewlett Packard|s v/HP Jetdirect httpd/// match http m|^HTTP/1\.0 401 Unauthorized\r\nServer: EHTTP/([.\d]+)\r\nWWW-Authenticate: Basic realm=\"HP ([-.\w]+)\"\r\n| v/HP printer EHTTP admin server/$1/HP $2 printer/ match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Virata-EmWeb/([-.\w]+)\r\n.*\r\n\r\n\n