Nmap Development mailing list archives
Re: BackOrifice service probe
From: Gorjan Petrovski <mogi57 () gmail com>
Date: Thu, 7 Apr 2011 01:26:39 +0200
I've attached a file containing the updated BackOrifice with much more information. I hope it's enough. I wasn't sure if I should include the information in the mail or in the file.

I've set the match rule to recognize the server which I'm using at the moment. It uses the maximum available characters which can be reliably used, and using those it recognizes version 1.20. A script would be much more flexible, since we could decrypt the whole packages and get the hostname too, which is included in the ping reply. What do you guys think, should we use a script instead?

On Wed, Apr 6, 2011 at 10:25 PM, Brandon Enright <bmenrigh () ucsd edu> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wed, 6 Apr 2011 13:17:43 -0700
> David Fifield <david () bamsoftware com> wrote:
>
> > On Wed, Apr 06, 2011 at 09:44:47PM +0200, Gorjan Petrovski wrote:
> > > Here is a BackOrifice service probe, it is tested and it works.
> > >
> > > ##############################NEXT PROBE##############################
> > > # BackOrifice service PING probe, encrypted, no password
> > > #
> > > Probe UDP BackOrifice q|\xCE\x63\xD1\xD2\x16\xE7\x13\xCF\x38\xA5\xA5\x86\xB2\x75\x4B\x99\xAA\x32\x58|
> > > match BackOrifice m|\xCE\x63\xD1\xD2\x16\xE7\x13\xCF| p/BackOrifice trojan/ o/Windows/
> > > ports 1-65535
> > > rarity 8
>
> In addition to David's comments, your match string can match your probe
> so any service that echoes will match. Is there some other part of the
> response that you can match so that this doesn't false-positive on
> services that echo?
>
> Brandon
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (GNU/Linux)
>
> iEYEARECAAYFAk2czC0ACgkQqaGPzAsl94IJjACgnfsXbe+U/NxjZe2tlhbdQ6qo
> s1gAnieJGOnTppfSsTn49Oak/sbotnFv
> =8MdB
> -----END PGP SIGNATURE-----
Attachment: backorifice-service-probe
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
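The point Brandon raises is worth seeing in code: the posted match rule is simply the first eight bytes of the probe, so any UDP service that echoes the datagram back satisfies it, and the only way to tell a real ping reply from an echo is to look past those bytes (or decrypt the reply, as the script approach suggests). The following is an added example and is neither the thread's attached probe file nor Nmap's own code. It assumes, without the page saying so, that BackOrifice 1.20 XORs each packet with a keystream from an MSVC rand()-style linear congruential generator seeded with 31337 when no password is set, that every packet starts with the magic `*!*QWTY?`, and that a ping reply carries text of the form `!PONG!<version>!<hostname>!`; the sample server reply is constructed for the example, with placeholder header bytes. The block checks its cipher assumption by re-encrypting the magic and comparing the result with the probe bytes quoted in the thread.

```python
import re

# Assumptions (not stated on the page): BackOrifice 1.20 XORs every packet with a
# keystream from an MSVC rand()-style LCG, seeded with 31337 when no password is set,
# and every packet starts with the magic "*!*QWTY?".
MAGIC = b"*!*QWTY?"
DEFAULT_SEED = 31337

# The probe datagram exactly as posted in the thread (19 bytes).
PROBE = bytes.fromhex("CE63D1D216E713CF38A5A586B2754B99AA3258")

# The match rule from the thread: the first eight bytes of the probe.
NAIVE_MATCH = re.compile(rb"\xCE\x63\xD1\xD2\x16\xE7\x13\xCF")


def keystream(nbytes, seed=DEFAULT_SEED):
    """One keystream byte per LCG step: bits 16..23 of the 32-bit state."""
    x = seed
    out = bytearray()
    for _ in range(nbytes):
        x = (x * 214013 + 2531011) & 0xFFFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


def xor_crypt(data, seed=DEFAULT_SEED):
    """Encrypt or decrypt (XOR is its own inverse) from keystream position 0."""
    return bytes(a ^ k for a, k in zip(data, keystream(len(data), seed)))


def naive_match(response):
    """What the posted match rule does: look for the encrypted magic anywhere."""
    return NAIVE_MATCH.search(response) is not None


def parse_pong(plaintext):
    """Pull (version, hostname) out of a decrypted '!PONG!<ver>!<host>!' reply.

    The reply text layout is an assumption for this example, not taken from the page.
    """
    m = re.search(rb"!PONG!([^!]*)!([^!\x00]*)!", plaintext)
    if m is None:
        return None
    return m.group(1).decode("latin-1"), m.group(2).decode("latin-1")


def classify(response):
    """Stricter check: 'echo', 'backorifice' or 'no-match'."""
    if not naive_match(response):
        return "no-match"
    if response == PROBE:
        # A service that echoes our own datagram satisfies the naive rule too.
        return "echo"
    plaintext = xor_crypt(response)
    if plaintext.startswith(MAGIC) and parse_pong(plaintext) is not None:
        return "backorifice"
    return "no-match"


# Constructed sample reply: magic, nine placeholder header bytes, then the PONG text.
# A real server's header fields are not reproduced here.
FAKE_REPLY = xor_crypt(MAGIC + b"\x00" * 9 + b"!PONG!1.20!WORKSTATION!\x00")


if __name__ == "__main__":
    assert xor_crypt(MAGIC) == PROBE[:8]  # the probe really is the encrypted magic
    for name, resp in [("probe echoed back", PROBE),
                       ("constructed server reply", FAKE_REPLY),
                       ("unrelated datagram", b"\x00" * 19)]:
        print(f"{name:25s} naive={naive_match(resp)!s:5s} strict={classify(resp)}")
    print("decoded reply:", parse_pong(xor_crypt(FAKE_REPLY)))
```

Running it shows the naive rule firing on both the echoed probe and the constructed reply, while `classify` separates the two; `parse_pong` is the part a script version would add over a static match line, since the version and hostname only become visible after decryption.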