Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Trend Micro OfficeScan service fingerprint

From: Tom Sellers <nmap () fadedcode net>
Date: Sat, 29 Dec 2007 16:34:25 -0600
While working on some problems with Trend Micro's OfficeScan
antivirus I realized that I had never seen the associated
client network port identified by Nmap.  I saw that there are
two entries in nmap-service-probes but these did not seem
to work in my environment.  After some testing I found the
following:

1.  Random data and commands submitted to the port would eventually
    time out between 3 and 5 seconds after the last data.

2.  When it does time out it generates a HTTP 400 error.

It turns out that the problems that caused me to start looking
at the service originally are related to the fact that it
takes so long to timeout in response to invalid data.  I am
guessing that this is also the reason that nmap has not been
identifying the service.  I would imagine that 3 seconds
for each fingerprint probe adds up and the fingerprinting
process hits a timeout.

To address this I performed some packet captures and testing
and came up with the following.

1.  GET /?CAVIT HTTP/1.1 is a valid request and **returns
    immediately**.

2.  The result is a HTTP 200 response.

    HTTP/1.0 200 OK
    Server: OfficeScan Client
    Date: Fri, 28 Dec 2007 13:36:56 GMT
    Content-Type: text/html
    Accept-Ranges: bytes
    Content-Length: 410

    <snip data>

3.  OfficeScan client version 7 and below are on port 12345.
    Version 8 is on a random port.


The following nmap-service-probes entries successfully detected
Officescan 7.3 and 8 on every host I tested it against:

Probe TCP OfficeScan q|GET /?CAVIT HTTP/1.1\r\n\r\n|
match http m|^HTTP/1.0 200 OK\r\nServer: OfficeScan Client| p/Trend 
Micro OfficeScan Antivirus http config/

They should work against OfficeScan 6.x as well.

the p/ / strings were taken from the existing nmap-service-probes
file entries.

I think these should be added and the two existing lines (685 and
2984)should be removed.  The entries above should be added as early
as posible in the fingerprinting process in order to save time.


What do you folks think?

Tom


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Previous By Date Next
Previous By Thread Next

Current thread: