Nmap Development mailing list archives
[PATCH] Beast Trojan service correction and probe
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 8 Mar 2008 00:45:24 +0000
The last update to the service probes file saw the addition of a "Beast Trojan" detection:

    match backdoor m|^\r\n\r$| p/Beast Trojan/ i/**BACKDOOR**/ o/Windows/

Unfortunately, this match falls under the "Generic Lines" probe and only differs from it in that the last \n has been stripped off. Many services on campus have been triggering false positives because of this. Any service that echoes your command without the last byte or the last newline (perl's chomp/chop for example) will be flagged.

I always hate removing probes though, and backdoor/compromised machine detection is the primary reason why I use Nmap... So, I got a hold of a few different versions of Beast and gave them a whirl. Attached is a patch that will properly match Beast v2.x. The 1.x series cannot be matched by -sV because two messages have to be sent before a response is received.

My match line is somewhat verbose so go ahead and cut down v// to whatever feels right.

This patch may not apply properly after yesterday's patches are applied. The text should be easy enough to move around though.

Brandon
Attachment: beast.diff
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
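As an added illustration of the false positive described above (my own example, not the patch Brandon attached or Nmap's code): the script parses the quoted match line and replays it against a few constructed echo-style replies to the GenericLines probe. The probe payload \r\n\r\n is assumed from nmap-service-probes rather than quoted in the mail, and the echo variants are hypothetical services written for the demonstration.

```python
import re

# Payload of Nmap's GenericLines probe: two CRLF pairs.
# Assumption from nmap-service-probes; the mail names the probe but does not quote it.
GENERIC_LINES_PROBE = b"\r\n\r\n"

# The match line quoted in the mail, verbatim.
BEAST_MATCH_LINE = r"match backdoor m|^\r\n\r$| p/Beast Trojan/ i/**BACKDOOR**/ o/Windows/"

# Constructed stand-ins for benign services that echo their input back in
# slightly different ways (the chomp/chop behaviour the mail describes).
ECHO_VARIANTS = {
    "exact echo": lambda data: data,
    "chomp (drop one trailing newline)": lambda data: data[:-1] if data.endswith(b"\n") else data,
    "chop (drop last byte)": lambda data: data[:-1],
    "strip trailing CRLF": lambda data: data[:-2] if data.endswith(b"\r\n") else data,
}


def parse_match_line(line):
    """Return (service, compiled regex) from an nmap-service-probes match line.

    Handles the common m<delim>...<delim>[flags] form; the 'i' and 's' flags
    map onto re.IGNORECASE / re.DOTALL as they do for PCRE.
    """
    m = re.match(r"^(?:soft)?match\s+(\S+)\s+m(.)(.*?)\2([is]*)", line)
    if not m:
        raise ValueError("not a recognised match line: %r" % line)
    service, _delim, pattern, flags = m.groups()
    opts = (re.IGNORECASE if "i" in flags else 0) | (re.DOTALL if "s" in flags else 0)
    # Escapes such as \r and \n in the pattern are interpreted by the regex engine.
    return service, re.compile(pattern.encode(), opts)


def echo_false_positives(match_line, probe=GENERIC_LINES_PROBE):
    """Names of the echo variants whose reply to `probe` satisfies the match line.

    Note that in Python's re, as in PCRE by default, '$' also matches just
    before a final newline, so even an unmodified echo of \r\n\r\n satisfies
    ^\r\n\r$ here.
    """
    _service, regex = parse_match_line(match_line)
    return [name for name, reply in ECHO_VARIANTS.items() if regex.search(reply(probe))]


if __name__ == "__main__":
    for name in echo_false_positives(BEAST_MATCH_LINE):
        print("would be flagged as Beast Trojan:", name)
```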