Nmap Development mailing list archives

question about Network Associates ePolicy Orchestrator detection


From: "DePriest, Jason R." <jrdepriest () gmail com>
Date: Wed, 30 May 2007 13:43:49 -0500

When nmap detects an ePO agent, it pulls in the computer name.

The HTML also includes the ePO agent version number and the name of
the ePO server the agent communicates with.

If you want to get fancy, it also includes log information about the
last time it got an update and what it got.

My questions are:
* can the existing fingerprint be updated to catch some of the other
information?
* at what point does this become a job for NSE?

Here is an example of what you get now:
Interesting ports on computer.domain.com (ww.xx.yy.zz):
PORT     STATE         SERVICE VERSION
8081/tcp open          http    Network Associates ePolicy Orchestrator (Computername: COMPUTER)

Without the stylesheet, the data returned from the ePO agent is just a
long ugly line of XML.

It starts like this:
<ComputerName>COMPUTER</ComputerName><version>3.5.5.580</version><AgentGUID>{26E623DD-4ED7-4F93-87CD-C654A9AE7EB6}</AgentGUID><ePOServerName>SERVER</ePOServerName>

So pulling out the version of the ePO agent and the server name should
be trivial for someone other than me who knows how to write
fingerprints / signatures.

Anything else would probably need NSE to dig a bit deeper.

-Jason

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
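
The extraction the post asks about, as an added Python example that is not part of the original message and is not Nmap's own fingerprint: one pattern captures the computer name, agent version and ePO server name from the fragment quoted above, and falls back to the computer name alone. The HTTP header lines in the sample, the field length bounds and the function names are assumptions.

```python
import re

PRODUCT = "Network Associates ePolicy Orchestrator"

# Constructed sample: the XML fragment quoted in the post, preceded by an
# assumed HTTP header block (the post does not show the headers).
SAMPLE = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/xml\r\n\r\n"
    b"<ComputerName>COMPUTER</ComputerName><version>3.5.5.580</version>"
    b"<AgentGUID>{26E623DD-4ED7-4F93-87CD-C654A9AE7EB6}</AgentGUID>"
    b"<ePOServerName>SERVER</ePOServerName>"
)

# One pattern, three capture groups, in the style of a service-probe match:
# groups 1-3 play the role of $1-$3 in a version template.
# The {1,64} bound (an assumption) keeps a misbehaving responder from
# pushing oversized strings into scan output.
EPO_RE = re.compile(
    rb"<ComputerName>([^<]{1,64})</ComputerName>"
    rb"<version>(\d+(?:\.\d+){1,3})</version>"
    rb"(?:<AgentGUID>\{[0-9A-Fa-f-]{36}\}</AgentGUID>)?"
    rb"<ePOServerName>([^<]{1,64})</ePOServerName>"
)
# Fallback equal to what the post says is reported today: computer name only.
NAME_ONLY_RE = re.compile(rb"<ComputerName>([^<]{1,64})</ComputerName>")

def _clean(raw):
    # Replace control and non-ASCII characters so captured values cannot
    # carry terminal escapes or line breaks into a report.
    text = raw.decode("ascii", "replace")
    return "".join(c if c.isascii() and c.isprintable() else "?" for c in text)

def fingerprint(response):
    """Return product/version/info fields, or None if no ePO agent markup."""
    m = EPO_RE.search(response)
    if m:
        name, version, server = (_clean(g) for g in m.groups())
        return {"product": PRODUCT, "version": version,
                "info": f"Computername: {name}; ePO server: {server}"}
    m = NAME_ONLY_RE.search(response)
    if m:
        return {"product": PRODUCT, "version": None,
                "info": f"Computername: {_clean(m.group(1))}"}
    return None
```
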

