Nmap Development mailing list archives
Re: BackOrifice service probe
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 6 Apr 2011 23:35:37 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 7 Apr 2011 01:26:39 +0200 Gorjan Petrovski <mogi57 () gmail com> wrote:
I've attached a file containing the updated BackOrifice with much more information. I hope it's enough. I wasn't sure if I should include the information in the mail or in the file. I've set the match rule to recognize the server which I'm using at the moment. It uses the maximum available characters which can be reliably used and using those it recognizes version 1.20. A script would be much more flexible, since we could decrypt the whole packages and get the hostname too which is included in the ping reply. What do you guys think, should we use a script instead?
Hi Gorjan,

A script that can gather more info is always a nice thing to have. Looking at your new probe and match though:
Probe UDP BackOrifice q|\xCE\x63\xD1\xD2\x16\xE7\x13\xCF\x38\xA5\xA5\x86\xB2\x75\x4B\x99\xAA\x32\x58|
# This matches the BackOrifice trojan version 1.20
# it recognizes the MAGIC string, skips 9 characters(bytes), and then matches this expression - " !PONG!1.20!"
match BackOrifice m|^\xCE\x63\xD1\xD2\x16\xE7\x13\xCF.{9}\x12\x78\xC4\xE3\xD6\xA6\x65\x51\x75\x51\xEB\x2A\x3F| p/BackOrifice trojan/ o/Windows/ v/1.20/
ports 31337
rarity 8
That match could never false-positive now which is good. /.{9}/ can't match a newline char though which I assume is possible. You'll want to add 's' to the end of the PCRE expression like so:

match BackOrifice m|^\xCE\x63\xD1\xD2\x16\xE7\x13\xCF.{9}\x12\x78\xC4\xE3\xD6\xA6\x65\x51\x75\x51\xEB\x2A\x3F|s p/BackOrifice trojan/ o/Windows/ v/1.20/

Are there other versions of BackOrifice other than 1.20? Can you add a few more with encrypted matches for PONG!x.yz if they exist?

I think this probe and match will make a nice addition. Of course, a service version script would be a bit better.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)

iEYEARECAAYFAk2c+NkACgkQqaGPzAsl94LXIwCbBPdJY35rkc9GY/gkdmFU7XYU
GowAn03h9NT5x6CZCvnnLgQwxJK5IfWl
=ORL5
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
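The point Brandon raises about `.{9}` and the `s` modifier, worked through as an added example that is not part of the original thread or of Nmap's own code. The magic and encrypted "PONG" byte sequences are copied from the match line above; Python's `re.DOTALL` stands in for PCRE's `s` flag, and the sample replies (in particular the filler byte `\x0a` in the skipped region) are constructed here to show the case Brandon describes, where a newline among the nine skipped bytes makes the match silently fail.

```python
import re

# Match expression from the thread, in nmap-service-probes PCRE syntax, turned into a
# Python bytes pattern: 8-byte magic, 9 skipped bytes, 13-byte encrypted " !PONG!1.20!".
BO_MATCH_120 = (rb"^\xCE\x63\xD1\xD2\x16\xE7\x13\xCF.{9}"
                rb"\x12\x78\xC4\xE3\xD6\xA6\x65\x51\x75\x51\xEB\x2A\x3F")

BO_MAGIC = b"\xCE\x63\xD1\xD2\x16\xE7\x13\xCF"
BO_PONG_120 = b"\x12\x78\xC4\xE3\xD6\xA6\x65\x51\x75\x51\xEB\x2A\x3F"


def build_sample_reply(filler: bytes) -> bytes:
    """Constructed ping reply: magic, nine filler bytes, then the encrypted PONG/version.

    The nine filler bytes stand in for the ciphertext Nmap's match skips over; their
    values are arbitrary here and only matter for whether one of them happens to be 0x0a.
    """
    if len(filler) != 9:
        raise ValueError("the match skips exactly nine bytes")
    return BO_MAGIC + filler + BO_PONG_120


def matches_as_written(reply: bytes) -> bool:
    """The match line as Gorjan posted it: no 's' flag, so '.' does not match a newline."""
    return re.match(BO_MATCH_120, reply) is not None


def matches_with_s_flag(reply: bytes) -> bool:
    """The match line with Brandon's fix: PCRE 's' (dotall), so '.' matches any byte."""
    return re.match(BO_MATCH_120, reply, re.DOTALL) is not None


def fraction_missed_without_s(skipped: int = 9) -> float:
    """Share of replies with uniformly random skipped bytes that the unfixed match misses.

    A reply is missed if any of the skipped bytes equals 0x0a, i.e. 1 - (255/256)**skipped.
    """
    return 1.0 - (255.0 / 256.0) ** skipped


# Constructed replies: one with benign filler, one whose fifth skipped byte is a newline.
REPLY_PLAIN = build_sample_reply(b"\x01\x02\x03\x04\x05\x06\x07\x08\x09")
REPLY_WITH_NEWLINE = build_sample_reply(b"\x01\x02\x03\x04\x0a\x06\x07\x08\x09")
# Constructed non-BackOrifice datagram of the same length, to show neither variant false-positives.
REPLY_UNRELATED = b"\x00" * len(REPLY_PLAIN)


if __name__ == "__main__":
    for name, reply in (("plain", REPLY_PLAIN), ("newline", REPLY_WITH_NEWLINE),
                        ("unrelated", REPLY_UNRELATED)):
        print(f"{name:9s} as written: {matches_as_written(reply)!s:5s} "
              f"with 's': {matches_with_s_flag(reply)}")
    print(f"replies missed without 's': {fraction_missed_without_s():.2%}")
```

With real ciphertext in the skipped region, any byte value is possible, so roughly one reply in thirty would carry a 0x0a in those nine positions and go unrecognised by the unfixed match, while the `s`-flagged version recognises both constructed replies and still rejects the unrelated datagram.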