Nmap Development mailing list archives
question about Network Associates ePolicy Orchestrator detection
From: "DePriest, Jason R." <jrdepriest () gmail com>
Date: Wed, 30 May 2007 13:43:49 -0500
When nmap detects an ePO agent, it pulls in the computer name. The HTML also includes the ePO agent version number and the name of the ePO server the agent communicates with. If you want to get fancy, it also includes log information about the last time it got an update and what it got. My questions are: * can the existing fingerprint be updated to catch some of the other information? * at what point does this become a job for NSE? Here is an example of what you get now: Interesting ports on computer.domain.com (ww.xx.yy.zz): PORT STATE SERVICE VERSION 8081/tcp open http Network Associates ePolicy Orchestrator (Computername: COMPUTER) Without the stylesheet, the data returned from the ePO agent is just a long ugly line of XML. It starts like this: <ComputerName>COMPUTER</ComputerName><version>3.5.5.580</version><AgentGUID>{26E623DD-4ED7-4F93-87CD-C654A9AE7EB6}</AgentGUID><ePOServerName>SERVER</ePOServerName> So pulling out the version of the ePO agent and the server name should be trivial for someone other than me who knows how to write fingerprints / signatures. Anything else would probably need NSE to dig a bit deeper. -Jason _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- question about Network Associates ePolicy Orchestrator detection DePriest, Jason R. (May 30)
- Re: question about Network Associates ePolicy Orchestrator detection Brandon Enright (May 30)
- Re: question about Network Associates ePolicy Orchestrator detection DePriest, Jason R. (May 31)
- Re: question about Network Associates ePolicy Orchestrator detection Brandon Enright (May 30)