fox module false negatives #201

Open
dodsonmg opened this issue Apr 5, 2019 · 2 comments

dodsonmg commented Apr 5, 2019

I'm running the fox module against IPs that I am confident are running fox on port 1911 (based on timestamps from both Shodan and Censys).

About 90% of the time, ZGrab2 reports a failure, with output such as:

{"ip":"REDACTED",
"data":
{"fox":
{"status":"io-timeout",
"protocol":"fox",
"result":null,
"timestamp":"2019-04-05T13:22:19+01:00",
"error":"EOF"}}}

However, packet capture clearly shows the target responding with parsable information. Here's a rough ascii-encoded dump (slightly cleaned up) of the two TCP payloads returning from the target:

packet 1:

fox a 0 -1 fox hello
{
fox.version=s:1.0.1
id=i:198
hostName=s:192.168.0.124
hostAddress=s:192.168.0.124
app.name=s:Station
app.version=s:3.7.106.4
vm.name=s:Java HotSpot(TM) Client VM
vm.version=s:1.5.0_34-b28
os.name=s:QNX
os.version=s:6.4.1
station.name=s:Bldg_4
lang=s:en
timeZone=s:America/New_York;-18000000;3600000;02:00:00.000,wall,march,8,on or after,sunday,undefined;02:00:00.000,wall,november,1,on or after,sunday,undefined
hostId=s:Qnx-NPM6E-0000-16D4-F36C
vmUuid=s:11e8d189-83ed-916c-0000-00000000a551
brandId=s:WebsOpen
sysInfo=o:bog 61[<bog version="1.0">
<p m="b=baja" t="b:Facets" v=""/>
</bog>
]
authAgentTypeSpecs=s:fox:FoxUsernamePasswordAuthAgent
};;

packet 2

fox a 1 -1 fox rejected
{
};;

These are both in response to a single request packet from ZGrab.

Is it choking on the second packet and simply rejecting the whole response?
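
An added example, not part of the original post and not zgrab2's code: a minimal Go reader for the text framing visible in the dump above. It returns every frame completed before the stream ends, so the `fox hello` fields are kept when a `fox rejected` frame or an early close follows. The `};;` terminator, the `key=type:value` field shape and the names `Frame` and `ReadFrames` are assumptions drawn from the capture, not from a Fox specification.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"regexp"
	"strings"
)

type Frame struct {
	Command string            // last header token, e.g. "hello" or "rejected"
	Fields  map[string]string // key -> value, type prefix ("s:", "i:") stripped
}

var fieldRE = regexp.MustCompile(`^([A-Za-z][\w.]*)=[a-z]:(.*)$`)

// ReadFrames returns every frame completed before EOF or an error, so a parsed
// hello survives whatever follows it (a second frame, or an early close).
func ReadFrames(r io.Reader) (frames []Frame, err error) {
	cur, last := (*Frame)(nil), ""
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		switch line := strings.TrimRight(sc.Text(), "\r"); {
		case cur == nil && strings.HasPrefix(line, "fox "): // header line
			h := strings.Fields(line)
			cur, last = &Frame{h[len(h)-1], map[string]string{}}, ""
		case cur == nil || line == "{": // noise between frames, or body opener
		case line == "};;": // frame terminator as seen in the capture
			frames, cur = append(frames, *cur), nil
		default:
			if m := fieldRE.FindStringSubmatch(line); m != nil {
				last = m[1]
				cur.Fields[last] = m[2]
			} else if last != "" { // continuation of a multi-line value (sysInfo)
				cur.Fields[last] += "\n" + line
			}
		}
	}
	if err = sc.Err(); err == nil && cur != nil {
		err = io.ErrUnexpectedEOF // connection closed inside a frame
	}
	return frames, err
}

// Constructed sample, trimmed from the capture above: one string per TCP payload.
const p1 = "fox a 0 -1 fox hello\n{\nfox.version=s:1.0.1\nid=i:198\nsysInfo=o:bog 61[<bog version=\"1.0\">\n</bog>\n]\n};;\n"
const p2 = "fox a 1 -1 fox rejected\n{\n};;\n"
func main() {
	fmt.Println(ReadFrames(io.MultiReader(strings.NewReader(p1), strings.NewReader(p2))))
}
```

A scanner built this way can report the hello fields as a result and record the trailing frame or the `io.ErrUnexpectedEOF` separately, instead of returning a null result for the whole exchange.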

@dadrian
Member

dadrian commented Apr 17, 2019

@justinbastress Can you verify this?

@justinbastress
Contributor

Verified -- Just running a quick sampling from hosts returned by https://censys.io/ipv4?q=1911.fox.device_id.support%3A+true, it does look like zgrab classic is returning results while zgrab2 is timing out.
