Nmap Development mailing list archives

Re: question about Network Associates ePolicy Orchestrator detection


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 30 May 2007 19:53:18 +0000

On Wed, 30 May 2007 13:43:49 -0500
"DePriest, Jason R." <jrdepriest () gmail com> wrote:
> <snip>
> My questions are:
> * can the existing fingerprint be updated to catch some of the other
> information?

From your data below, it looks like this is easy to do.

> * at what point does this become a job for NSE?

As long as the initial data comes back in one step and can be matched by a
regular language then never. As soon as interaction is required or the data
requires some computation to be done NSE will be needed.


> Here is an example of what you get now:
> Interesting ports on computer.domain.com (ww.xx.yy.zz):
> PORT     STATE         SERVICE VERSION
> 8081/tcp open          http    Network Associates ePolicy Orchestrator
> (Computername: COMPUTER)
>
> Without the stylesheet, the data returned from the ePO agent is just a
> long ugly line of XML.
>
> It starts like this:
> <ComputerName>COMPUTER</ComputerName><version>3.5.5.580</version><AgentGUID>{26E623DD-4ED7-4F93-87CD-C654A9AE7EB6}</AgentGUID><ePOServerName>SERVER</ePOServerName>

This is a pretty short snippet, and only one example, but assuming
<version /> always trails <ComputerName /> the patch attached should do the
job.


> So pulling out the version of the ePO agent and the server name should
> be trivial for someone other than me who knows how to write
> fingerprints / signatures.

Anyone familiar with regular expressions (perl syntax/PCRE) can start right
away.


> Anything else would probably need NSE to dig a bit deeper.

If there really is more interesting information available that we want to
get, send the full output and I'm sure someone will take a look.


> -Jason


Please give the attached patch a try and let me know if it works.  It
currently relies on the new fingerprint being before the old one, which
probably isn't a great idea in the long run.  If all versions of ePO match
the new fingerprint then the old one can be removed.  Someone who knows
more about this than me should chime in with their thoughts.

Brandon

-- 
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh () ucsd edu


Attachment: epo.diff

Attachment: signature.asc
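The thread makes two points worth seeing in code: a banner that comes back in one round trip and can be matched by a regular expression belongs in a service-probes match line rather than in NSE, and a match line that hard-codes element order (here, that <version /> trails <ComputerName />) breaks the moment an agent emits the elements differently. The following Python is an added example, not the epo.diff attached to the message (which is not reproduced in this archive) and not Nmap's own code. The sample banner is constructed from the XML fragment quoted above; the match line text, the element order in the strict pattern and the function names are assumptions made for illustration.

```python
import re

# Constructed sample banner, built from the XML fragment quoted in the thread.
# The real agent returns one long line; only its leading elements are shown there.
SAMPLE_BANNER = (
    "<ComputerName>COMPUTER</ComputerName><version>3.5.5.580</version>"
    "<AgentGUID>{26E623DD-4ED7-4F93-87CD-C654A9AE7EB6}</AgentGUID>"
    "<ePOServerName>SERVER</ePOServerName>"
)

# Constructed variant with the elements reordered, to show the failure mode of
# a pattern that assumes <version> immediately trails <ComputerName>.
REORDERED_BANNER = (
    "<version>3.5.5.580</version><ComputerName>COMPUTER</ComputerName>"
    "<ePOServerName>SERVER</ePOServerName>"
)

# Strict pattern, written in PCRE-compatible syntax so the same expression could
# sit in an nmap-service-probes "match" line. It encodes the ordering assumption
# from the reply: ComputerName first, version right after, server name later.
STRICT_PATTERN = (
    r"^<ComputerName>([^<]*)</ComputerName>"
    r"<version>([^<]*)</version>"
    r".*?<ePOServerName>([^<]*)</ePOServerName>"
)
STRICT_RE = re.compile(STRICT_PATTERN)

# Hypothetical match line using the strict pattern. The p/ v/ i/ fields and the
# $1..$3 capture references follow the nmap-service-probes syntax; the line
# itself is an assumption for illustration, not the attached patch.
HYPOTHETICAL_MATCH_LINE = (
    "match http m|" + STRICT_PATTERN + "| "
    "p/Network Associates ePolicy Orchestrator/ v/$2/ "
    "i/Computername: $1; Server: $3/"
)

# Lenient alternative: locate each element independently, so element order and
# any extra elements in between no longer matter. Still a single regular-
# language match per field, so still a service-probes job rather than NSE.
ELEMENT_RES = {
    "computername": re.compile(r"<ComputerName>([^<]*)</ComputerName>"),
    "version": re.compile(r"<version>([^<]*)</version>"),
    "server": re.compile(r"<ePOServerName>([^<]*)</ePOServerName>"),
}


def parse_strict(banner):
    """Apply the order-dependent pattern; None when the assumed order fails."""
    m = STRICT_RE.match(banner)
    if not m:
        return None
    return {"computername": m.group(1), "version": m.group(2), "server": m.group(3)}


def parse_lenient(banner):
    """Pull each field out independently; missing fields are simply absent."""
    fields = {}
    for key, rx in ELEMENT_RES.items():
        m = rx.search(banner)
        if m:
            fields[key] = m.group(1)
    return fields or None


def version_string(fields):
    """Render fields the way Nmap prints product, version and extra info."""
    product = "Network Associates ePolicy Orchestrator"
    info = "Computername: %s; Server: %s" % (
        fields.get("computername", "?"), fields.get("server", "?"))
    return "%s %s (%s)" % (product, fields.get("version", "?"), info)


if __name__ == "__main__":
    print(HYPOTHETICAL_MATCH_LINE)
    print(parse_strict(SAMPLE_BANNER))
    print(parse_strict(REORDERED_BANNER))      # None: ordering assumption broken
    print(version_string(parse_lenient(REORDERED_BANNER)))
```

Running the block shows the strict pattern extracting all three fields from the quoted banner and returning nothing for the reordered one, while the per-element patterns recover the same fields from both. That is the practical reason to prefer independent captures over a single ordered expression when only one example banner is available.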


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
