# $Id: thcrut-os-fingerprints,v 1.5 2002/12/22 19:59:56 skyper Exp $
#
#       --------------------------------------
#        @@@@@@@@@@@    @@@     @@@    @@@@@@
#            @@@        @@@@@@@@@@@   @@@  
#            @@@        @@@     @@@    @@@@@@
#       --------------------------------------
#           HTTP://WWW.THEHACKERSCHOICE.COM  
#
# Perl-style regular expression and port characteristic database.
#
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# DONT ADD YOUR OWN TESTS. YOU WILL FUCK IT UP ANYWAY. USE
#    ----> http://www.thehackerschoice.com/thcrut <----
# AND WAIT FOR THE UPDATED FINGERPRINT FILE.
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
#
# Credits:
# - jc/THC for lot's of fingerprints.
#
# This file contains THCRUT OS FINGERPRINT PORT CHARACTERISTICS/BANNERS.
# A banner can contain regular expressions (perl syntax!).
#
# It is quite simple to map Windows machienes and Routers, switches that way.
# It becomes more complicated with Unix derivates. They are are usually
# reconfigured by the admin.
#
# The matches dont need to be to specific. They are used to remove
# false positives from a nmap test which always follows the port-state
# and banner matching test.
#
# The field of operation is the INTRANET where we expect to have
# most ports unfirewalled.
#
# A port has 3 states: Open, Closed, Unknown (firewalled).
# Ports in state 'Unkown' are ignored.
#
# The result of these tests prioritize the results of the nmap tests.
# This means we discard all nmap results that do not match with these
# results. (we use these results as a kind of filter to filter out false
# positives).
#
# The file is organized upward-down: Earlier fingerprints have less
# priority than later ones. First name a generic tests line to identify
# the genre, then become more specific.
#
# The engine always launches all listed tests.
#
# --[ Port Characteristics test
#
#     The accuracy is incremented by 1 for every port test that matches and
# decremented by 1 if the test matches the opposite. The accuracy value is
# not changed if the port state is not listed in the test line (e.g. dont care).
# The port state test is ignored if no open port matches. The engine relies on
# the banner test in this case.
#
#     A match against a closed ports is primarily used to negate an earlier
# decission. For example has Samba 135T closed. This port on the other hand is
# open on Windows. All other ports are either for both systems closed or open.
# The 135T=Closed test is used here to remove the Windows choise from the
# decsisson matrix.
# 
#    A test line in which no Open port matches is discared. Other behavior
# would result in false positives. A host with all ports closed would otherwise
# match 50% of the Samba test line.
#
# --[ Banner test
#
#     The accuracy is incremented by 2 for every match and decremented by 1
# for every failed match. The accuracy value stays untouched if the banner
# could not be retrieved (firewalled, readtimeout, ...).
#
#     Banner tests is a perl style regular expression.
#
# --[ Legend:
#
# T  TCP sync test (O=Open, C=Closed, default is to ignore if no answer at all)
# W  Web 'Server:'
# B  Banner
# U  DCE BIND request (ALL windows 135U).
# S  SNMP 'public' GET-NEXT system.sysDescr.0
# N  NVT terminal banner test (telnetd banner)
#
# Notes:
# - Nice2know: NT 4.0 replies to an empty UDP packet on port 135, W2K not.
# - The telnetd banner is 'stripped': \x00 is removed, every \r is converted
#   to a \n and all multiple occurances of non alpha-char
#   (not inside 0x7F > x > 0x20) are reduced to one occurence. Some
#   telnet banners contain 1k of \x00 and multiple \r\n (hi AIX!) which
#   would exceed the storage space if we FP 1000 hosts in parallel.
# - Many Routers/Switches can be distinguished by the NVT negotiation
#   protocol messages. (We answer on ever Do with a Wont).
#
# --[ Structure
#
# ^Fingerprint:[0-15]{0,6}\s[a-zA-Z0-9]{0,80}[#[.*]]\n
# [%[\s\t]*[0-9]{1,5}[TUWBS][-]*[0..9]*=[OUC[".*"]]]*[#[.*]]\n
# ...
# where '%' is optional at the beginning of the test line.
# (not exactly, but you will get the point)
#
# The first line is called 'Class' or 'Fingerprint' line.
# The second line is called 'test line' as it contains one or many tests
# seperated by a '%'.
#
# The number following the ':' is the Class which categorizes the Fingerprint
# by a digital value. See below for the Class format structure.
# A class value is required for thcrut-os-fingerprints and optional for
# nmap-os-fingerprints.
#
# TUWBS are the different tests against that port. A number which
# is interpreted as the accuracy value follows (-20..20).
# The accuracy is computed for each test line.
# The accuracy is decremented by 1 for every test that fails within the
# current test line (negative judging).
#
#
# FIXME: This must be reworked.
# FIXME: use () constructs for speedup (matching).
# Class:
# A class is currently represendet as NUMBER. Later on you might want
# to change this into Names and translate them internally.
#
# Goal: Classes are introduced to catetogize hosts on the internet.
# Queries like 'WHERE Genre=Mainframe AND Vendor=IBM OR OS!=AIX' should
# be possible.
#
# GENRE.VENDOR.OS-GENRE[.OS.[DETAIL.DETAIL]]
# This is currently work in progress. BRAINDUMPS:
# 
# OS: (Unix(Solaris|SCO|..),Windows(NT,XP,..))
#
# Vendor: MS, SuSE, Cisco, 
# Type: Firewall, Router, Switch, Filesharing system, Printer, Workstation
#       PDC,
# 
# Both, Genre and Vendor tag can be ignored to recognize the OS.
# Genre and Vendor tag numbers are unique and assigned by THC.
# (wanna add a new Genre? please let us know!)
#
# Please check info-db.txt for the assigned numbers.
# ALso need some 'Special configuration' (ipsec enabled) tag etc.
#
# FIXME:
# sometimes it would be nice to negate/bail out if the string would have
# matched against antoher class (if match again 0.1.1 for example then
# bail out).


### HOST-> Microsoft ##########################################################
Fingerprint:0.1.1 Windows	# most likely a windows if _just_ this found.
	135T=O
	135U=U
	135T=O
	21B=" Microsoft "
	21B="for WinSock ready"
	21B="WarFTPd"
	22B="Windows"
	22B=" VShell"
	22B=" RemotelyAnywhere "	# "SSH-1.99-2.4.0 RemotelyAnywhere 4.10.284\n"
	80W="Lotus-Domino"
	25B="Microsoft "
	25B="Eudora Internet Mail Server"
	25B="P MAIL Service, Version:"
	25B="MDaemon "
	80W="\(Win32\)"
	80W="TinyWeb"
	80W="Microsoft"
	80W="\(Win32\)"
	80W=" OmniHTTPd/"	# " OmniHTTPd/2.10"
	80W=" Cougar"	# Cougar 4.1.0.3858 / Cougar/9.00
	161S="Windows"

# various FP's but missing OS/PLATFORM:
# 80W=".* Netscape-Enterprise/3.5.1"
# 80W=".* NetWare-Enterprise"
# 80W=".* Netware HTTP Stack"
# 80W=".* Novell-HTTP"
# 80W=".* WebSTAR"
# Raptor Firewall HTTP Proxy:
# 80W=".* Simple, Secure Web Server 1.1"
# Cisco PIX Firewall SMTP Proxy v4.x
# 25B=".* SMTP/cmap ready"
# Also check out http://www.hoobie.net/mingsweeper
# http://www.oueb.org/netexplorer/count_httpservers.html
# FAILED: 130.89.145.4
# POP MDaemon 6.5.2 ready 
# IMAP4rev1 MDaemon 6.5.2 ready
# What is:
# (UNIX_SV 2.1.3) 

# 70T=O%21T=O
Fingerprint:0.1.1.1 Windows 95/98/NT <=4.0
	139T=O%135T=O%445T=C

Fingerprint:0.1.1.2 Windows NT 4.0
	22T=C%139T=O%135T=O%445T=C%21B=" Microsoft FTP Service \(Version 2\.0\)"
	22T=C%139T=O%135T=O%445T=C%161S="Windows NT Version 4"
	22B="Secure Shell Windows NT"	# Secure Shell Windows NT Server
	22B=" F-Secure SSH Windows NT Server"

Fingerprint:0.1.1.3 Windows 2000
	139T=O%135U=U%445T=O
	21B=" Microsoft FTP Service \(Version 5\.0\)"
	80W="Win2000"
	161S4="Windows 2000"
	25B="Version: 4\.0\.2195\.5329"

# All DSL users in .at using w2k have this open :>
#Fingerprint:1.4 Windows 2000 with IPSEC
#	1723T=O%21B=".* Microsoft FTP Service \(Version 5.0\)"
#	1723T=O%80W="Win2000"
#	1723T=O%161S="Windows 2000"

### HOST -> Unix  ##############################################################
Fingerprint:0.0.2 Unix
	80W0="\(Win32\)"%80W="Apache"
	80W="thttpd/.*"
	80W="\(Unix\)"
	80W=" Squid"
	80W=" publicfile"
	21B=" FTP server \(Version wu-"
	21B="220 ProFTPD "
	#22B=".*-OpenSSH.*"
	22T=O      # Hopefully! Can also be some appliance that we dont recognize
	25B="220 .* Smail3\."
	25B=" Exim "
	25B=" ESMTP Postfix"
	25B=" Sendmail "

# Need to distinguish samba from windows. Take care.
#Fingerprint:0.0.2 Unix (Samba running)
	#%139T=O%135T=C%137T=C	# 3 points accuracy
	#139T=O%137T=C%445T=C	# 2 points accuracy

# What we check here is what follows the 'Server: ' statement.
# The first two characters are used for hashing.
Fingerprint:0.4.3 Linux SuSE
	80W="SuSE"		# (Linux/SuSE); (SuSE/Linux)
	21B="powered by SuSE Linux"
	25B="SuSE Linux"

Fingerprint:0.4.3.1 Linux SuSE 7.x
 	25B=".*SuSE Linux 7\."

Fingerprint:0.6.3 Linux Debian
	22B=" Debian"
	80W="Debian"
	21B="Server \(Debian\)"
	25B="Sendmail .*Debian"
	80W="Debian"%25B=" Debian"%22B=" Debian"

Fingerprint:0.6.3.1 Linux Debian 'Potato'
	22B="potato"		# Debian 1:3.4p1-0.0potato1

Fingerprint:0.6.3.2 Linux Debian 'Woody'
	22B="woody"		# Debian 1:3.4p1-0.0woody1

Fingerprint:0.5.3 Linux Redhat
	80W="Red\[- ]Hat"
	23N="Red\[- ]Hat "

Fingerprint:0.5.2.5.1 Linux Red Hat 5.1 (Manhattan)
	21B="Thu May 7 23:18:51 EDT 1998\) ready\.\r\n"
	23N="\(Manhattan\)"

Fingerprint:0.5.2.6 Linux Red Hat 6.0 (Hedwig)
	23N="\(Hedwig\)"

Fingerprint:0.5.3.6.1 Linux Red Hat 6.1 (Cartman)
	23N="\(Cartman\)"
# Identd test currently not implemented.
#	113I="pidentd 3\.0\.7 .* \(Sep 13 1999 20:16:57\)"

Fingerprint:0.5.3.7.3 Linux Red Hat 7.3 (Valhalla)
	23N="\(Valhalla\)"

Fingerprint:0.7.3 Turbo Linux
	80W="\(TurboLinux\)"

Fingerprint:0.8.3 Connectiva Linux
	80W="\(Connectiva/Linux\)"

Fingerprint:0.9.3 Linux Mandrake
	80W="\(Mandrake"

Fingerprint:0.10.3 Gentoo Linux
	80W="Gentoo"

Fingerprint:0.11.8 OpenBSD
	21B="OpenBSD,"	# (Version 6.5/OpenBSD, linux

Fingerprint:0.11.6 FreeBSD
	22B=" FreeBSD"
	80W=" FreeBSD"
	21B=" FTP server \(Version 6\.00LS\)"
	80W=" FreeBSD"%22B=" FreeBSD-"

Fingerprint:0.11.6.1 FreeBSD 4.7-RC2
	22B=" FreeBSD-20020702"

Fingerprint:0.11.7 NetBSD
	22B="NetBSD"		# NetBSD_Secfure_Shell-20020626

Fingerprint:0.2.9 Solaris
	21B=" \(SunOS"%22B="-Sun_"%25B="Sendmail .*\+Sun"%80W=" Sun_WebServer"
	21B=" \(SunOS"%22B="-Sun_"%25B="Sendmail .*\+Sun"%80W=" Sun Cobalt"
	# 22: Sun9 started shipping their boxes with this.
	# 25: Solaris 7 or later

Fingerprint:0.2.9 Solaris
	21B=" \(SunOS"%22B="-Sun_"%25B="Sendmail .*\+Sun"
		80W=" Sun_WebServer"
		80W=" Sun Cobalt"

Fingerprint:0.2.9.6 Solaris 6
	21B4=".* \(SunOS 5\.6\)"
	25B="-SVR4 ready"

Fingerprint:0.2.9.7 Solaris 7
	21B=".* \(SunOS 5\.7\)"%22B="SSH-1\.5-1\.2\.32"%25B="Sendmail .*\+Sun"%161S="SunOS .* 5\.7 Gen"

Fingerprint:0.2.9.8 Solaris 8
	21B=" \(SunOS 5\.8\)"%161S="SunOS .* 5\.8 Gen"


# FIXME: very sloppy. match version number directly. Need info here guys.
# some linuxes have this installed too
#Fingerprint:2.2 Solaris
#	22B=".* SSH Secure Shell \(non-commercial\)"

#Fingerprint:2.2.8 Solaris 8
#	22B="SSH-2.0-3.1.0 SSH Secure Shell \(non-commercial\)"

#Fingerprint:2.2.9 Solaris 8
#	22B="SSH-2.0-3.2.0 SSH Secure Shell \(non-commercial\)"

Fingerprint:0.12.10 Plan9 (2nd Edition)
	21B="220 Plan 9 FTP server"

Fingerprint:0.3.12 AIX
	161S="IBM PowerPC .* AIX"

# \xff\xfd\x18\xff\xfe\x18\xff\xfb\x01\xff\xfb\x03\xff\xfd\x1f\xff\xfc\xc8\xff\xfd\x01\ntelnet ()\nAIX Version 4\n(C) Copyrights by IBM a
Fingerprint:0.3.12.4 AIX 4
	161S="IBM PowerPC .* AIX version: 04"%21B="\(Version 4\.1 Mon Aug 21 10:34:44 CDT 1995\)"%23N="\nAIX Version 4"%25B=" AIX 4"	# Sendmail AIX 4.1/UCB 5.64/4.03 ready

Fingerprint:0.3.12.4.3 AIX 4.33
	161S="IBM PowerPC .* AIX version: 04\.03"  # AIX version: 04.03.0002

Fingerprint:0.3.13 OS/390 V5R0M0
	161S="SNMPv3 agent version 1\.0 with DPI version 2\.0"

Fingerprint:0.3.0 IBM
	21B="IBM "%25B="IBM "%80W="IBM-HTTP-Server"
	# IBM VM SMTP Level 310
	# IBM AS/400

Fingerprint:0.3.0.1 IBM VM (310?)
	21B=" IBM VM "%25B=" IBM VM "

Fingerprint:0.13.11 Apple Macintosh
	21B="Macintosh FTP"
	21B="220 NetPresenz v"	# NetPresenz v4.1 awaits your command.
	80W=" PersonalNetFinder/"	# " PersonalNetFinder/1.0 ID/ACGI"

Fingerprint:0.13.11.1 Mac OSX
	80W="MacOSX"
	80W="Mac OS X Server"
	80W="MacHTTP/"
	80W=" Web Sharing"
Fingerprint:0.13.11.2 MAC OS-9
#	23N="\nOS-9/"	# \xff\xfb\x01\nOS-9/68K V2.4 Quanterra Q4124 - 68030   102/12/21 21:45:34
	23N="\nOS-9/"%21B=" OS-9 ftp server ready"%80W="Msheer/"

# Holly shit, we categorized Novell under Unix!
Fingerprint:0.14.14 Novell NetWare
	161S="Novell NetWare"

Fingerprint:0.14.14.4.1 Novell 4.11 (NetWare)
	161S="Novell NetWare 4"

Fingerprint:0.14.14.5 Novell 5.00.09 (NetWare)
	161S="Novell Netware 5"

Fingerprint:0.14.14.6 Novell 6 (NetWare)
	161S="Novell NetWare 5\.60"   # Novell 5.60 = 6

Fingerprint:0.21.15 Compaq Tru64 UNIX
	21B="Compaq Tru64"
	22B=" Tru64 UNIX "	# SSH Secure Shell Tru64 UNIX V1.0

Fingerprint:0.21.15 Digital UNIX (now Compaq Tru64 UNIX)
	21B="Digital UNIX"
	21B=" server \(Version 5\.60\) ready\."
	23N="Digital UNIX "	# \xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'\xff\xfd$\xff\xfb\x03\xff\xfd\x01\xff\xfd\x1f\xff\xfb\x05\xff\xfd!\xff\xfb\x01\nDigi"

Fingerprint:0.21.16 Compaq OpenVMS (MultiNet)
	21B="MultiNet FTP Server"%25B=".*GIVEME2 "%22B=".*Process Software MultiNet"
	21B="MultiNet FTP Server"%25B=".*GIVEME2 "
	23N="OpenVMS"		# Welcome to OpenVMS Alpha (TM) Operating System, Version V6.2

Fingerprint:0.15.16 Compaq Alpha/VAX OpenVMS (MultiNet by Cisco)
	25B="CISCO MultiNet V"	# Cisco implements TCP/IP services for OpenVMS

Fingerprint:0.19.17 HP-UX
	23N="HP-UX "

Fingerprint:0.19.17.1 HP-UX B.10.20
	23N="HP-UX .* B\.10\.20"%21B="\(Version 1\.7\.212\.2 Tue Apr 21 12"

Fingerprint:0.22.18 Irix
	23N="IRIX "	# 
	25B=" SGI-"	# ESMTP Sendmail SGI-8.9.3/8.9.3;"

Fingerprint:0.22.18.6.5 Irix 6.5 Origin2
	23N="\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd\$\xff\xfb\x03\xff\xfd\x01\xff\xfd\x1f\xff\xfb\x05\xff\xfd\!\xff\xfb\x01\nIRIX "


Fingerprint:0.29.19 Commodore C64
	21B=" C64\)"%25B=" Ultramile v\."
	23N20="\xff\xfd\x18\xff\xfd\x1f\xff\xfd#\xff\xfd'\xff\xfd\$\xff\xfe\x18\xff\xfe\x1f\xff\xfe#\xff\xfe'\xff\xfe\$"

### SWITCH ###################################################################
#
# 1 - Catalyst

# Allegro-Software-RomPager is an HTTP server used in network hardware
# (such as switches) to provide a web interface to remotly configure your
# hardware.
Fingerprint:2.0.0 generic Switch
	80W="Allegro-Software-RomPager"

# No known OS or Vendor (or not important enough)
Fingerprint:2.0.0.1 Omni Switch
	21B=" Omni Switch"

Fingerprint:2.15.0 Cisco switch
	2001T=O
	6001T=O  # this can also be X11 :/

Fingerprint:2.15.4.1.1 Cisco Catalyst 19XX switch
	23N="\nPassword required, but none set\n"
	23N="Catalyst 1900 Management Console"	# \x01\xff\xfd\x03\xff\xfb\x03\xff\xfb\x01\xff\xfe\x03

Fingerprint:2.15.4.1.2 Cisco Catalyst 2XXX switch
	161S4="Cisco .*\(C2[0-9]"  # Cisco Internetwork Operating System Software IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(9)EA1, RELEASE SOFTWARE (fc1)
# This is already to specific
#Fingerprint:3.1.1.1 Cisco Catalyst 2900 switch
#	161S="Cisco .*\(C29"


Fingerprint:2.15.4.1.3 Cisco Catalyst 3XXX switch
	161S4="Cisco Catalyst 3"		# Cisco Catalyst 3900 HW Rev 002; SW Rev 4.1(1)

Fingerprint:2.15.4 Cisco switch (WS-CXXXX)
	161S4="Cisco Systems WS-C"	# Cisco Systems WS-C6509; Cisco Systems WS-C5500

#Fingerprint:3.1.1.11Cisco Catalyst 2950G switch
#	161S="Cisco .*\(C2950"  # Cisco Internetwork Operating System Software IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(9)EA1, RELEASE SOFTWARE (fc1)
	
# 130.89.144.118
Fingerprint:2.16.0 3Com
	80W=" 3Com/v1\.0"
	23N="\xff\xfd\x03\xff\xfb\x03\xff\xfb\x01\n\xff\xfe\x03\nLogin"

Fingerprint:2.16.0.1 3Com SuperStack II, Switch 110
	23N="\xff\xfd\x03\xff\xfb\x03\xff\xfb\x01\nLogin: \xff\xfe\x03"
Fingerprint:2.16.0.2 3Com Linkbuilder or SuperStack II
	23N="q{40}"	# SuperStackII welcome grfx
	#23N="\x1b\[2J\x1b\(0\x1b\[01;00Hlqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk\x1b\[03;00Hqqqqqqqqqqqqqqqqqqqqqqqq"

Fingerprint:2.17.0 Lucent Cajun  # Avaya Firmware
	161S="Avaya Inc"	# Avaya Inc. - P330 Stackable Switch, SW version 3.11.0
	161S="Summit1i"		# Summit1i - Version 6.1.8 (Build 12) by"


Fingerprint:2.23.0 EntraSys switch
	23N="Vertical Horizon Local Management"	# Enerasys switch

Fingerprint:2.23.0.1 EntraSys VH-8TX1UM
	23N4="VH-8TX1UM"
Fingerprint:2.23.0.2 EntraSys VH-2402S
	23N4="VH-2402S"

Fingerprint:2.24.0 Cabletron switch
	23N="CABLETRON Systems"
	23N="CABLETRON Systems"%80W="Agranat-EmWeb"	# " Agranat-EmWeb/R4_02"
	23N0="Vertical Horizon"%23N=" Local Management\x1b"
Fingerprint:2.24.0.1 Cabletron 2H252-25R Smart Switch
	23N="2H252-25R"
	23N="2H252-25R"%80W="Agranat-EmWeb"

### ROUTERS ##################################################################

# generic router FP's (tell me if other routers use the telnet banner or
# if it is 100% cisco specific).
Fingerprint:1.0.0 Router
	23N="\nUser Access Verification"

Fingerprint:1.0.0 DSL Router
	23N="\xff\xfb\x01\xff\xfb\x03\xff\xfe\x01\nlogin"	# Some DSL router

# 1 - Cisco BGP
#
# This means even if port 137 is found open we consider it a Cisco.

Fingerprint:1.16.4 Cisco router
	22B="Cisco"
	80W="cisco-"  # cisco-ISO and cisco-CPA
	23N="\nUser Access Verification"
	23N="\[1mPress RETURN to activate console \. \. \."	# TACAS++ enabled?
	23N="CISCO "
	23N="^\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f\n"

Fingerprint:1.16.4.1.3 Cisco 36XX BGP router
	161S4="Cisco .*\(C36"
	%23N="\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18\xff\xfd\x1f\n.*\nUser Access Verification\n.*: \xff\xfe\x18\xff\xfe\x1f\n"

Fingerprint:1.16.4.2 Cisco 72XX router
	23N="CISCO 72"

Fingerprint:1.18.0 BinTec Bianca/Brick XL router
	161S="BIANCA/BRICK-XL"

Fingerprint:1.0.0 Agranat ADSL router
	80W="Agranat-EmWeb"%21B="421 Session access restricted"

### ACCESS POINT / Dialup Router  ############################################################

Fingerprint:16.13.0 Apple Airport Base Station
	161S="Base Station V3"

Fingerprint:16.30.0 Shiva LanRover Dialup router
	23N="\xff\xfb\x01@ Userid: "

### PRINTERS #################################################################
Fingerprint:4.0.0 Printer
	21B="220 printer"
	21B=" Printer "
	23N="Print Server"	# "\xff\xfb\x01\xff\xfd\x03\xff\xfb\x03\nWelcome to Print Server\nPS>\xff\xfe\x03\nPS>\nPS>"
	80W=" Web Server/2\.0"
	80W=" PRINT_SERVER "	# " PRINT_SERVER WEB 1.0"

Fingerprint:4.19.0 HP Jetdirect Laserjet
	80W="HTTP/1\.0"%21B="220 JD FTP Server Ready"
	161S="JETDIRECT"	# HP ETHERNET MULTI-ENVIRONMENT,ROM G.08.21,JETDIRECT,JD33,EEPROM G.08.21
	21B="220 JD FTP Server Ready"%80W=" Agranat-EmWeb"
	21B="220 JD FTP Server Ready"%80W="  HP-ChaiServer"
	23N="\xff\xfc\x01\nPlease type \[Return] two times, to initialize telnet configuration\nFor HELP type "

Fingerprint:4.25.0 Epson Network Print Server
	23N="EPSON Network Print Server"	# "\xff\xfb\x01\n-> ***  EPSON Network Print Server (EPAEEFBC)  ***\n\x08        \nlogin:  "
	23N="\nSorry, this system is engaged\.\n"	# 2 TCP connection

Fingerprint:4.13.0 Apple LaserWriter
	23N="Apple Computer"	# \xff\xfb\x01\xff\xfb\x03\n\**\n  Apple Computer, Inc.\n LaserWriter 12/640 P"

Fingerprint:4.26.0 Axis Printer Server
	21B="FTP Printer Server V"	# NPS 5400 FTP Printer Server V5.58.08 Mar 17 2000 ready.
Fingerprint:4.26.0.1 Axis NPS 5400 Printer Server
	21B=" NPS 5400 FTP Printer"

Fingerprint:4.28.0 Lexmark LaserPrinter
	21B="Lexmark "	# "220 FTP server: Lexmark Optra LaserPrinter ready\r"

Fingerprint:4.28.0.1 Lexmark Optra T612 printer
	21B=" MarkNet Pro "	# "220 LXK257A09 MarkNet Pro 1 FTP Server 2.10.10 ready.\r"

### APPLIENCE ################################################################
Fingerprint:32.0.0 Canon WebCam
	80W=" Canon Http Server 1"

Fingerprint:32.20.0.1 Quantum PowerVault 508080 Filesharing System
	80W=" Quantum Corporation\./3\.4\.790"%21B="220 Service ready for new user\." #%139T=O%135T=C%137T=C

Fingerprint:32.0.0 unknown Embedded device
	80W="Digital Comet Embedded Server"
	80W=" Spyglass-MicroServer"
	80W="HP-ChaiServer"
	80W=" EHTTP/"	# Siemens EHTTP server module (java)
Fingerprint:32.0.0 Ethernet Board
	21B=" EthernetBoard"	# "220 EthernetBoard MLETB08 Ver 2.0.0 FTP server.\r\n"
	23N="EthernetBoard "	# "\xff\xfd\x03\xff\xfb\x01\xff\xfb\x03EthernetBoard MLETB08 Ver 2.0.0 TELNET server.\nlogin: \xff\xfe\x03\nlogin: "
	25B="^421 Service not available, closing transmission channel\r\n"
	80W=" JC-HTTPD/"	# " JC-HTTPD/1.3.7" EthernetBoard


### FIREWALL #################################################################
Fingerprint:8.15.4.1 Cisco PIX Firewall
	161S="Cisco Secure PIX Firewall"   # Cisco Secure PIX Firewall Version 5.3(2)

Fingerprint:8.0.0 Netscreen Firewall Management Console
	23N="NetScreen Remote Management Console\n"%80W=" NetScreen-100"
	# \xff\xfd\x18\xff\xfb\x01\xff\xfe\x01\xff\xfd\x03NetScreen Remote Management Console\n

