Nmap Development mailing list archives

Famatech RAdmin fingerprint probe and questions


From: Tom Sellers <nmap () fadedcode net>
Date: Thu, 03 Jan 2008 19:09:46 -0600

I have generated a Probe/Match combination for the RAdmin
remote control software.

Software:               RAdmin
Vendor:                 Famatech
URL:                    www.radmin.com

Description:            Remote control software for MS Windows
                        based hosts.

Default Port:           4899
Configurable Port#:     Yes

I have some questions about the desired level of detail
on service fingerprints.  As far as I can tell, fingerprinting
the RAdmin service will require a probe line in order for it to
generate a response.  The software seems to respond differently
to the initial probe depending on how the service authentication
is configured.

I have created a couple of different match lines for a couple
of different software versions and scenarios.

Which would be the best way to handle this:

1.  Have a single match line that detects that RAdmin is running
     on the port.

2.  Have 2 match lines that detect the RAdmin version family
     that is running (2.x or 3.x)

3.  Have multiple match lines and/or lua scripts that detect the
     version and other details.

4.  Some other option that I haven't considered.

Here is a copy of a working generic probe/match combination that
detects both 2.x and 3.x families of the RAdmin server software.

Working:
Probe TCP RAdmin q|\x01\x00\x00\x00\x01\x00\x00\x00\x08\x08|
ports 4899
match radmin m|^\x01\x00\x00\x00\x25| p/RAdmin Remote Control Software/ o/Windows/



Tom

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
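
The following is an added example, not part of the original post or of Nmap's own code: it parses the Probe and match directives quoted in the message and applies the match pattern offline. The sample responses are constructed, and the helper names (parse_probe, parse_match, classify) are hypothetical.

```python
import re

# Directives copied from the post above.
PROBE = r"Probe TCP RAdmin q|\x01\x00\x00\x00\x01\x00\x00\x00\x08\x08|"
MATCH = (r"match radmin m|^\x01\x00\x00\x00\x25| "
         r"p/RAdmin Remote Control Software/ o/Windows/")

# Constructed sample responses (not captured from a real host).
SAMPLE_HIT = b"\x01\x00\x00\x00\x25" + b"\x00" * 8
SAMPLE_MISS = b"SSH-2.0-OpenSSH_9.0\r\n"


def parse_probe(line):
    """Return (protocol, probe name, payload bytes) from a Probe directive."""
    _, proto, name, rest = line.split(" ", 3)
    if not rest.startswith("q") or len(rest) < 3:
        raise ValueError("probe string must look like q<delim>...<delim>")
    end = rest.index(rest[1], 2)          # closing delimiter
    # Assumption: only \xHH escapes need decoding, which covers this probe.
    body = re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), rest[2:end])
    return proto, name, body.encode("latin-1")


def parse_match(line):
    """Return (service, compiled bytes regex, info fields) from a match line."""
    _, service, rest = line.split(" ", 2)
    if not rest.startswith("m") or len(rest) < 3:
        raise ValueError("pattern must look like m<delim>...<delim>")
    end = rest.index(rest[1], 2)
    # Fields such as p/.../ and o/.../ follow the pattern; regex flags after
    # the closing delimiter are not handled in this sketch.
    info = dict(re.findall(r"\b([a-z])/([^/]*)/", rest[end + 1:]))
    # Python's re decodes the \xHH escapes inside a bytes pattern itself.
    regex = re.compile(rest[2:end].encode("latin-1"), re.DOTALL)
    return service, regex, info


def classify(response, match_lines):
    """Apply match lines in order and report the first one that matches."""
    for line in match_lines:
        service, regex, info = parse_match(line)
        if regex.search(response):
            return service, info
    return None


if __name__ == "__main__":
    print(parse_probe(PROBE)[2].hex())
    print(classify(SAMPLE_HIT, [MATCH]), classify(SAMPLE_MISS, [MATCH]))
```

Because the generic pattern is anchored to only the first five response bytes, any version-specific match lines would have to be listed before it to take effect in this ordering.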