id: vtun-server

info:
  name: VTUN Server - Detection
  author: pussycat0x
  severity: info
  description: |
    VTUN (Virtual Tunnel) server was detected.
  impact: |
    Discovery of VTUN server indicates a virtual tunneling service is running, which may be used for network bridging or VPN functionality.
  remediation: |
    Ensure VTUN server is properly configured with appropriate access controls and authentication if it's intended to be publicly accessible.
  reference:
    - https://vtun.sourceforge.net/
    - https://linux.die.net/man/8/vtund
  metadata:
    verified: true
    max-request: 1
    shodan-query: product:"Vtun Virtual Tunnel"
    fofa-query: server=="VTUN server"
  tags: network,vtun,detect,tcp,service

tcp:
  - inputs:
      - data: "\n"

    host:
      - "{{Hostname}}"
    port: 5001

    matchers:
      - type: word
        words:
          - "VTUN server"

    extractors:
      - type: regex
        regex:
          - '(VTUN server ver\s+[0-9A-Za-z.]+(?:\s+[0-9]{2}/[0-9]{2}/[0-9]{4})?)'
# digest: 490a00463044022014c0907eb08047ecf2fff5cd0c410ea69aef97164fc4abd7fe95992504849ef00220273d75db03ae5b0264dd04f10a61c8e75b8635bb191a7d4d669d0d42620f143e:922c64590222798bb761d5b6d8e72950