Nmap Development mailing list archives
Famatech RAdmin fingerprint probe and questions
From: Tom Sellers <nmap () fadedcode net>
Date: Thu, 03 Jan 2008 19:09:46 -0600
I have generated a Probe/Match combination for the RAdmin remote control software.

Software: RAdmin
Vendor: Famatech
URL: www.radmin.com
Description: Remote control software for MS Windows based hosts.
Default Port: 4899
Configurable Port#: Yes

I have some questions about the desired level of detail on service fingerprints. As far as I can tell, fingerprinting the RAdmin service will require a probe line in order for it to generate a response. The software seems to respond differently to the initial probe depending on how the service authentication is configured. I have created a couple of different match lines for a couple of different software versions and scenarios.

Which would be the best way to handle this:

1. Have a single match line that detects that RAdmin is running on the port.
2. Have 2 match lines that detect the RAdmin version family that is running (2.x or 3.x)
3. Have multiple match lines and/or Lua scripts that detect the version and other details.
4. Some other option that I haven't considered.

Here is a copy of a working generic probe/match combination that detects both 2.x and 3.x families of the RAdmin server software.

Working:

Probe TCP RAdmin q|\x01\x00\x00\x00\x01\x00\x00\x00\x08\x08|
ports 4899
match radmin m|^\x01\x00\x00\x00\x25| p/RAdmin Remote Control Software/ o/Windows/

Tom

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
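
An added example (not part of Tom Sellers' message and not Nmap's own code): a small Python parser for the Probe and match directives posted above, which decodes the probe payload and tests the match pattern offline against banners. The function names are this example's own, and the two sample banners are constructed; only the five-byte prefix comes from the posted match line.

```python
import re

# Probe and match directives exactly as posted in the message.
PROBE = r"Probe TCP RAdmin q|\x01\x00\x00\x00\x01\x00\x00\x00\x08\x08|"
MATCH = (r"match radmin m|^\x01\x00\x00\x00\x25| "
         r"p/RAdmin Remote Control Software/ o/Windows/")
# Single-character escapes permitted in a probe string, besides \xHH.
_SIMPLE = {"0": 0, "a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11, "\\": 92}

def unescape(text):
    """Decode the C-style escapes of a probe string into raw bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] != "\\":
            byte, step = ord(text[i]), 1
        elif text[i + 1] == "x":
            byte, step = int(text[i + 2:i + 4], 16), 4
        else:
            byte, step = _SIMPLE[text[i + 1]], 2
        out.append(byte)
        i += step
    return bytes(out)

def parse_probe(line):
    """Return (protocol, probe name, payload bytes) from a Probe directive."""
    _, proto, name, rest = line.split(None, 3)
    delim = rest[1]                       # character following 'q'
    return proto, name, unescape(rest[2:rest.index(delim, 2)])

def parse_match(line):
    """Return (service, compiled bytes regex, version-info dict)."""
    _, service, rest = line.split(None, 2)
    delim = rest[1]                       # character following 'm'
    end = rest.index(delim, 2)
    pattern, tail = rest[2:end], rest[end + 1:]
    flags = tail.split(None, 1)[0] if tail and not tail[0].isspace() else ""
    reflags = (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0)
    info = {k: v for k, _, v in re.findall(r"\s([pvihod])(\W)(.*?)\2", tail)}
    return service, re.compile(pattern.encode("latin-1"), reflags), info

def identify(banner, match_line=MATCH):
    """Apply the match line to a captured banner; None when it does not match."""
    service, regex, info = parse_match(match_line)
    return (service, info) if regex.search(banner) else None

# Constructed sample banners (not captured traffic): only the five-byte prefix
# comes from the posted match line; the remaining bytes are filler.
RADMIN_LIKE = b"\x01\x00\x00\x00\x25" + b"\x00" * 8
OTHER = b"SSH-2.0-OpenSSH_9.6\r\n"
```

Because the posted pattern is anchored with `^` and covers only five bytes, any banner with that prefix is reported as radmin, which is the trade-off behind option 1 in the message.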