Nmap Development mailing list archives
Re: Trend Micro OfficeScan service fingerprint
From: doug () hcsw org
Date: Sun, 30 Dec 2007 13:04:52 -0800
Hi Tom, On Sun, Dec 30, 2007 at 07:38:49AM -0600 or thereabouts, Tom Sellers wrote:
OfficeScan 6.x and 7.x listen on port 12345 so the probe should detect them. OfficeScan 8.x uses a random port on the client. What are the benefits of limiting the fingerprint to port 12345?
The ports directive in a probe is more of a "commonly seen ports" list. In this case, it will ensure that the OfficeScan probe is applied second (after Help, which also lists 12345) so hopefully the scan should be faster. Also, I am under the impression that OfficeScan is fairly rare meaning that we probably don't want to apply this port against every service, slowing down all scans. You can change this behaviour by using "--version-intensity 9" to make sure that every probe is applied to every service. That is a shame that OfficeScan 8.x uses a random port... Hopefully the NULL fallback will catch (some?) of those clients. Best, Doug
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Trend Micro OfficeScan service fingerprint Tom Sellers (Dec 29)
- <Possible follow-ups>
- Trend Micro OfficeScan service fingerprint Tom Sellers (Dec 29)
- Re: Trend Micro OfficeScan service fingerprint doug (Dec 30)
- Re: Trend Micro OfficeScan service fingerprint Tom Sellers (Dec 30)
- Re: Trend Micro OfficeScan service fingerprint doug (Dec 30)
- Re: Trend Micro OfficeScan service fingerprint doug (Dec 30)