Nmap Development mailing list archives
Re: question about Network Associates ePolicy Orchestrator detection
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 30 May 2007 19:53:18 +0000
On Wed, 30 May 2007 13:43:49 -0500 "DePriest, Jason R." <jrdepriest () gmail com> wrote: <snip>
> My questions are:
>
> * can the existing fingerprint be updated to catch some of the other information?
From your data below, it looks like this is easy to do.
> * at what point does this become a job for NSE?
As long as the initial data comes back in one step and can be matched by a regular language then never. As soon as interaction is required or the data requires some computation to be done NSE will be needed.
> Here is an example of what you get now:
>
> Interesting ports on computer.domain.com (ww.xx.yy.zz):
> PORT     STATE SERVICE VERSION
> 8081/tcp open  http    Network Associates ePolicy Orchestrator (Computername: COMPUTER)
>
> Without the stylesheet, the data returned from the ePO agent is just a long ugly line of XML. It starts like this:
>
> <ComputerName>COMPUTER</ComputerName><version>3.5.5.580</version><AgentGUID>{26E623DD-4ED7-4F93-87CD-C654A9AE7EB6}</AgentGUID><ePOServerName>SERVER</ePOServerName>
This is a pretty short snippet, and only one example, but assuming <version /> always trails <ComputerName /> the patch attached should do the job.
> So pulling out the version of the ePO agent and the server name should be trivial for someone other than me who knows how to write fingerprints / signatures.
Anyone familiar with regular expressions (perl syntax/PCRE) can start right away.
> Anything else would probably need NSE to dig a bit deeper.
>
> If there really is more interesting information available that we want to get, send the full output and I'm sure someone will take a look.
>
> -Jason
Please give the attached patch a try and let me know if it works. It currently relies on the new fingerprint being before the old one, which probably isn't a great idea in the long run. If all versions of ePO match the new fingerprint then the old one can be removed. Someone who knows more about this than me should chime in with their thoughts.

Brandon

-- 
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh () ucsd edu
Attachment: epo.diff
Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
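The thread's point is that a one-shot banner matchable by a regular expression needs only a `match` line in nmap-service-probes, and that the attached patch assumes `<version>` always follows `<ComputerName>`. The script below is an added illustration, not the patch or any nmap code: it runs an order-dependent pattern in the style of a match line next to an order-independent one built from PCRE lookaheads (which nmap match lines also accept), against the XML snippet quoted above and against a constructed, hypothetical banner with the elements reordered. The element order in `REORDERED`, its values, and the `Server:` field in the rendered version string are assumptions for the demonstration, not observed ePO output.

```python
import re

# Sample banner, copied from the snippet quoted in the thread (names and GUID are
# the thread's own placeholders).
SAMPLE = ("<ComputerName>COMPUTER</ComputerName><version>3.5.5.580</version>"
          "<AgentGUID>{26E623DD-4ED7-4F93-87CD-C654A9AE7EB6}</AgentGUID>"
          "<ePOServerName>SERVER</ePOServerName>")

# Constructed, hypothetical banner with <version> ahead of <ComputerName>.  Nothing in
# the thread says an agent ever sends this; it only exercises the ordering assumption.
REORDERED = ("<version>3.6.0.0</version><ComputerName>OTHER</ComputerName>"
             "<ePOServerName>SRV2</ePOServerName>")

# Order-dependent regex, equivalent to a match line of the form
#   match http m|<ComputerName>([^<]*)</ComputerName><version>([^<]*)</version>.*?<ePOServerName>([^<]*)</ePOServerName>| v/$2/ i/Computername: $1; Server: $3/
# It only fires when <version> immediately trails <ComputerName>.
ORDERED_RE = re.compile(
    r"<ComputerName>([^<]*)</ComputerName><version>([^<]*)</version>"
    r".*?<ePOServerName>([^<]*)</ePOServerName>")

# Order-independent regex: each lookahead scans from the start of the banner on its
# own, so the three elements may appear in any order.  Captures inside lookaheads are
# still numbered $1..$3, so the same v/ and i/ fields work unchanged.
UNORDERED_RE = re.compile(
    r"^(?=.*<ComputerName>([^<]*)</ComputerName>)"
    r"(?=.*<version>([^<]*)</version>)"
    r"(?=.*<ePOServerName>([^<]*)</ePOServerName>)", re.S)


def extract(banner, pattern=UNORDERED_RE):
    """Return the fields a match line would expose as $1/$2/$3, or None on no match.

    No interaction or computation is needed here, which is exactly the case the
    thread says belongs in a fingerprint rather than in an NSE script."""
    m = pattern.search(banner)
    if m is None:
        return None
    return {"computername": m.group(1),
            "version": m.group(2),
            "server": m.group(3)}


def version_line(banner, pattern=UNORDERED_RE):
    """Render the VERSION column nmap would print from the fields above
    (product, then the v/ field, then the i/ field in parentheses)."""
    f = extract(banner, pattern)
    if f is None:
        return None
    return ("Network Associates ePolicy Orchestrator %s "
            "(Computername: %s; Server: %s)"
            % (f["version"], f["computername"], f["server"]))


if __name__ == "__main__":
    for name, banner in (("sample", SAMPLE), ("reordered", REORDERED)):
        print(name, "ordered:  ", version_line(banner, ORDERED_RE))
        print(name, "unordered:", version_line(banner, UNORDERED_RE))
```

Run as-is: the ordered pattern yields the expected line for the quoted snippet and `None` for the reordered banner, while the lookahead pattern handles both. The lookahead form costs three scans of a short banner, which is negligible for version detection, and it removes the need to keep a second fallback fingerprint ordered before or after the first.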
Current thread:
- question about Network Associates ePolicy Orchestrator detection DePriest, Jason R. (May 30)
- Re: question about Network Associates ePolicy Orchestrator detection Brandon Enright (May 30)
- Re: question about Network Associates ePolicy Orchestrator detection DePriest, Jason R. (May 31)
- Re: question about Network Associates ePolicy Orchestrator detection Brandon Enright (May 30)