Author Topic: xml-nmap.trid.xml XML variant of log-nmap.trid.xml for Nmap scan results

jenderek

Hello trid users,

Some days ago I wanted to install a bridge stick that should send data from my
inverter, which gets energy from solar panels, via WLAN to the cloud. Something
was not working.

In my desperation I tried to connect to the WLAN access point offered by that
device and ran the network scanning tool nmap or zenmap to see what ports are
used on that device. The reports can be saved. One format uses XML as the file
name suffix. That is expressed in the new definition by a line like:
   <Ext>XML</Ext>

There exist other formats with the GNMAP or NMAP suffix. Unfortunately there
seem to exist variants or name collisions with other formats. So in this
session I will handle only the XML format.

It took some time to get some different samples. On an old SUSE system I got
samples with the lowest version, 6.47, dated about October 2014. I also
compiled the newest version, 7.94. I also ran nmap on a Windows system, Mint
x64 and a Raspbian system. I had created such samples a long time ago, but I
did not put all samples in a known directory. So I spent some time finding
more old samples, which is difficult because the XML suffix is also used by
many other different file formats.

So I ran the trid utility on my examples with the XML suffix. The samples are
recognized and described generically with highest priority as "Generic XML
(ASCII)" by xml.trid.xml with mime type text/xml. Some older samples are also
described as "HyperText Markup Language" by html.trid.xml with mime type
text/html (see appended trid-v-old.txt in output).

As for the GNMAP samples, there exists a similar page about that output
format on the nmap server. This is referenced by a line like:
 <RefURL>https://nmap.org/book/output-formats-xml-output.html</RefURL>

For comparison I also ran the file format identification utility DROID
(see https://sourceforge.net/projects/droid/). Here the samples are recognized
and described generically as "Extensible Markup Language" with version 1.0 by
PUID fmt/101. Here application/xml and text/xml are listed as mime types.

For comparison I also ran the file command (version 5.45) on such samples.
Here most samples are "recognized". These are described generically as
"XML 1.0 document text". Some samples are also described as "exported SGML
document text" (see appended file-k-5.45.txt in output). Therefore the mime
type text/xml is shown here (see appended file-i-5.45.txt in output). No file
name suffix is shown here (see appended file-ext-5.45.txt in output).

So I ran tridscan on my samples to generate xml-nmap.trid.xml. Apparently the
characteristics inside the Front Block section are triggered by the first
lines. These can be shown for example by a command like:
   head -3 *.gnmap
(see appended head-3.txt in output).

So the XML characteristic is expressed inside the Front Block section, similar
to xml.trid.xml, by the first and only XML construct. That looks like:
   <Bytes>3C3F786D6C2076657273696F6E3D22312E3022</Bytes>
   <ASCII> . ? x m l   v e r s i o n = " 1 . 0 "</ASCII>
   <Pos>0</Pos>

Triggered by the XML nature, there are lines inside the global strings section like:
   <String>XML-STYLESHEET HREF</String>
   <String>XMLOUTPUTVERSION</String>
   <String>XML VERSION</String>
   <String>NMAP.XSL</String>

Starting with only a few samples from Windows systems, the mentioned and
specific XSL is located at "C:/Program Files (x86)/Nmap/". So I got more XML
fragments when starting. Furthermore, newer nmap versions have a fragment with
an encoding phrase such as "iso-8859-1" or "UTF-8" as the last part of the
first line. So I got more XML fragments at the beginning like:
 <Bytes>3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D22</Bytes>
 <ASCII> . ? x m l   v e r s i o n = " 1 . 0 "   e n c o d i n g = "</ASCII>
 <Pos>0</Pos>
 <Bytes>2D38</Bytes>
 <ASCII> - 8</ASCII>
 <Pos>33</Pos>

In output generated by older nmap versions the encoding is missing. So the
above lines vanish when running tridscan with more older samples. An example
like nmap-output-error.xml without an encoding hint and containing "strange"
characters is considered by the file command as data. That means "binary" and
not text.

Then there exist inside the global strings section nmap-specific lines like:
   <String>NMAP DONE</String>
   <String>NMAPRUN S</String>

Then there are lines found with phrases used in the context of a network
scanner, like:
   <String>ADDRESS ADDR</String>
   <String>IP ADDRESS</String>
   <String>HOSTNAMES</String>
   <String>ADDRTYPE</String>
   <String>SCANNER</String>
   <String>1 HOST</String>
   <String>HOSTS</String>
   <String>PORTS</String>

Then I got lines similar to gnmap.trid.xml. These are like:
   <String>UP) SCANNED IN</String>
   <String>SECONDS</String>

The samples are apparently text files in XML format. So a generic mime type
like text/xml is OK for such samples. I found no dedicated mime type for such
nmap samples. So I chose this generic one. That is expressed by a line like:
   <Mime>text/xml</Mime>

With the new definition all my XML-based nmap reports are now recognized and
described with the correct suffix (see appended trid-v-new.txt in output).

TrID definitions, some samples and output are stored in the archive
xml_nmap.zip. I hope that my definition can be used in a future version of
triddefs. As mentioned, there exist other output formats of nmap. I will try
to handle these in a future session.

With best wishes
Jörg Jenderek
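As an added example (not code from the TrID project and not part of the post above), the following Python re-implements the checks the definition encodes, the front block at offset 0 plus the case-insensitive global strings listed in the post, and then parses a recognised report with the standard library. The four reports it runs on are constructed samples, not real scan output; the rule that the "NMAPRUN S" root-element string is mandatory while the others are only counted is this example's own choice, not TrID's scoring; and the Latin-1 retry on parse failure is the example's way of handling the "strange characters" case the post describes.

```python
"""Recognise Nmap XML reports with the checks from xml-nmap.trid.xml.

Added example, not code from the TrID project or the post: it re-implements
the definition's front block (bytes at offset 0) and its case-insensitive
global strings, then parses a recognised report.  All samples are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Front block: every sample starts with the XML declaration.  Newer Nmap
# versions add encoding="..." on that line, older ones do not, so the
# encoding part is only reported, never required.
FRONT_BLOCK = b'<?xml version="1.0"'
ENCODING_RE = re.compile(rb'^<\?xml version="1\.0" encoding="([^"]+)"')

# Global strings from the definition.  TrID stores them upper-cased and
# matches case-insensitively, so the file content is upper-cased too.
DEF_STRINGS = [
    b"XML-STYLESHEET HREF", b"XMLOUTPUTVERSION", b"XML VERSION", b"NMAP.XSL",
    b"NMAP DONE", b"NMAPRUN S",
    b"ADDRESS ADDR", b"IP ADDRESS", b"HOSTNAMES", b"ADDRTYPE", b"SCANNER",
    b"1 HOST", b"HOSTS", b"PORTS",
    b"UP) SCANNED IN", b"SECONDS",
]
# "<nmaprun scanner=" is the root element; making it mandatory is this
# example's rule (assumption), TrID itself scores all strings together.
REQUIRED = b"NMAPRUN S"


def identify(data: bytes) -> dict:
    """Apply the definition's checks to raw bytes.  Works on non-UTF-8 and
    truncated reports, because nothing here needs well-formed XML."""
    front = data.startswith(FRONT_BLOCK)
    enc = ENCODING_RE.match(data)
    upper = data.upper()
    matched = [s.decode() for s in DEF_STRINGS if s in upper]
    return {
        "front_block": front,
        "encoding": enc.group(1).decode("ascii", "replace") if enc else None,
        "matched": len(matched),
        "total": len(DEF_STRINGS),
        "is_nmap_xml": front and REQUIRED.decode() in matched,
    }


def summarize(data: bytes):
    """Parse a recognised report into scanner metadata plus open ports, or
    return None when the XML is not well-formed (an interrupted scan)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Old reports carry no encoding declaration, so expat assumes UTF-8
        # and rejects 8-bit bytes; retry as Latin-1 before giving up.
        try:
            root = ET.fromstring(data.decode("latin-1"))
        except ET.ParseError:
            return None
    if root.tag != "nmaprun":
        return None
    open_ports = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") == "open":
                open_ports.append((addr, port.get("protocol"), int(port.get("portid"))))
    return {"scanner": root.get("scanner"), "version": root.get("version"),
            "xmloutputversion": root.get("xmloutputversion"),
            "open_ports": open_ports}


# Constructed sample: current Nmap output, encoding declared, scan finished.
NEW_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<nmaprun scanner="nmap" args="nmap -oX scan.xml 192.0.2.10" version="7.94" xmloutputversion="1.05">
<host><address addr="192.0.2.10" addrtype="ipv4"/><hostnames></hostnames>
<ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port></ports></host>
<runstats><finished summary="Nmap done at Sun Feb 25 10:00:05 2024; 1 IP address (1 host up) scanned in 5.00 seconds"/>
<hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""
# Constructed sample: old Nmap output, no encoding declaration, and a Latin-1
# byte (0xE4) in args, like the "strange characters" file that file(1) calls data.
OLD_REPORT = b"""<?xml version="1.0" ?>
<?xml-stylesheet href="file:///usr/share/nmap/nmap.xsl" type="text/xsl"?>
<nmaprun scanner="nmap" args="nmap -oX ger\xe4t.xml 192.0.2.20" version="6.47" xmloutputversion="1.04">
<host><address addr="192.0.2.20" addrtype="ipv4"/>
<hostnames><hostname name="inverter.example" type="PTR"/></hostnames>
<ports><port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/></port></ports></host>
<runstats><finished summary="Nmap done at Mon Oct 6 12:00:03 2014; 1 IP address (1 host up) scanned in 3.10 seconds"/>
<hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""
# Constructed sample: scan interrupted before the closing elements were written.
ERROR_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="file:///C:/Program Files (x86)/Nmap/nmap.xsl" type="text/xsl"?>
<nmaprun scanner="nmap" args="nmap -oX err.xml 192.0.2.30" version="7.94" xmloutputversion="1.05">
<host><address addr="192.0.2.30" addrtype="ipv4"/>
"""
# Constructed sample: generic XML that happens to share a few of the words.
GENERIC_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<inventory><hosts><host addr="192.0.2.1"/></hosts><ports>22</ports></inventory>
"""
```

Running `identify()` over the four samples shows the point of the post's layout: the two finished reports hit all 16 strings, the interrupted one still passes on the front block and the root element even though `summarize()` cannot parse it, and the generic XML shares only "XML VERSION", "HOSTS" and "PORTS" and is rejected because "NMAPRUN S" is absent. The old report parses only through the Latin-1 retry, which is the same reason `file` reports it as data rather than text.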


Mark0

Re: xml-nmap.trid.xml XML variant of log-nmap.trid.xml for Nmap scan results
« Reply #1 on: February 27, 2024, 01:52:43 AM »
Thanks for the new def. I scanned some other results files.