Nmap Development mailing list archives
Re: BackOrifice service probe
From: David Fifield <david () bamsoftware com>
Date: Tue, 19 Apr 2011 23:52:54 -0700
On Wed, Apr 20, 2011 at 01:46:03AM +0200, Gorjan Petrovski wrote:
> Hi, Thanks for the reply.
>
> > Thank you Gorjan, I have added this new probe. The match line skips 9 bytes. The first four bytes are a length and the next four are an ID. The ninth is an operation type--shouldn't we include that as part of the match? What is that byte in the response that your server sends?
>
> The usage of that byte when a command is sent from the client is to specify command type (ex. ping, process kill, process list, etc). According to the client source, when a packet is sent from the server as a reply, the type is only used to define whether the packet is a single packet or a stream of multiple packets. The probe sends a PING_TYPE packet, and the reply is nothing else but a single packet. However, since I have no access to the server source code I cannot reliably say whether the type that the server returns isn't combined with some other info, so I chose not to rely on it for identification.

Okay, but in my opinion the byte should be used for matching, or at least be documented. So what is it? Can you send me the hex of a server reply with all of the bytes?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
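As an added illustration (not code from this thread or from Nmap), the snippet below parses the reply header layout described in the exchange (4-byte length, 4-byte ID, 1-byte type) and shows two Python regexes standing in for the two match-line choices being debated: skipping all 9 header bytes versus also pinning the type byte. Byte order, the PING_TYPE value and the `PONG` payload marker are assumptions, not taken from the protocol or the thread.

```python
import re
import struct

# Reply header layout as described in the thread: 4-byte length, 4-byte ID,
# 1-byte operation type, then the payload. Byte order is not stated in the
# thread; little-endian is an assumption here.
HEADER = struct.Struct("<IIB")

# Placeholder for the PING_TYPE value, which the thread does not give.
PING_TYPE = 0x01


def parse_reply_header(pkt: bytes):
    """Return (length, packet_id, type_byte, payload), or None if the packet
    is shorter than its header or the length field disagrees with its size."""
    if len(pkt) < HEADER.size:
        return None
    length, packet_id, type_byte = HEADER.unpack_from(pkt)
    if length != len(pkt):
        return None
    return length, packet_id, type_byte, pkt[HEADER.size:]


def build_reply(packet_id: int, type_byte: int, payload: bytes) -> bytes:
    """Constructed sample reply in the layout above (test data, not a capture)."""
    length = HEADER.size + len(payload)
    return HEADER.pack(length, packet_id, type_byte) + payload


# Two ways to write the fingerprint pattern discussed in the thread, expressed
# as Python regexes over raw bytes (the real match line lives in
# nmap-service-probes and is not reproduced here). "PONG" is a constructed
# payload marker standing in for whatever the real reply body contains:
#   - skip the 9 header bytes entirely and match only the payload;
#   - additionally pin the type byte, so a reply with another type does not match.
SKIP_HEADER = re.compile(rb"^.{9}PONG", re.DOTALL)
PIN_TYPE = re.compile(rb"^.{8}" + re.escape(bytes([PING_TYPE])) + rb"PONG", re.DOTALL)


def matches(pkt: bytes, pin_type: bool) -> bool:
    """Apply the looser (skip 9 bytes) or stricter (type byte pinned) pattern."""
    pattern = PIN_TYPE if pin_type else SKIP_HEADER
    return pattern.match(pkt) is not None
```

Running both patterns over a constructed reply whose type byte differs shows the difference David is pointing at: the skip-9 form still matches, the pinned form does not.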