Nmap Development mailing list archives

[PATCH] Beast Trojan service correction and probe


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 8 Mar 2008 00:45:24 +0000


The last update to the service probes file saw the addition of a "Beast
Trojan" detection:

match backdoor m|^\r\n\r$| p/Beast Trojan/ i/**BACKDOOR**/ o/Windows/

Unfortunately, this match falls under the "Generic Lines" probe and
only differs from it in that the last \n has been stripped off.

Many services on campus have been triggering false positives because of
this.  Any service that echoes your command without the last byte or the
last newline (perl's chomp/chop for example) will be flagged.

I always hate removing probes though and backdoor/compromised machine
detection is the primary reason why I use Nmap...  So, I got a hold of a
few different versions of Beast and gave them a whirl.  Attached is a
patch that will properly match Beast v2.x.  The 1.x series cannot be
matched by -sV because two messages have to be sent before a response
is received.

My match line is somewhat verbose so go ahead and cut down v// to
whatever feels right.

This patch may not apply properly after yesterday's patches are
applied.  The text should be easy enough to move around though.

Brandon


Attachment: beast.diff
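To see why the quoted match line fires on ordinary echo services, here is a small added example (not part of the message above or of Nmap's own code) that parses the line the way nmap-service-probes formats it and runs it against simulated chop- and chomp-style echoes of the GenericLines payload `\r\n\r\n`. The helper names are mine, and the version-field parser assumes the usual `/` delimiters.

```python
import re

# Match line quoted in the message above, as added to nmap-service-probes.
BEAST_MATCH_LINE = r"match backdoor m|^\r\n\r$| p/Beast Trojan/ i/**BACKDOOR**/ o/Windows/"

# Payload Nmap's GenericLines probe sends (q|\r\n\r\n| in nmap-service-probes).
GENERIC_LINES_PAYLOAD = b"\r\n\r\n"


def parse_match_line(line):
    """Parse a 'match' line into (service, compiled bytes regex, version fields).

    Pattern syntax is m<delim>regex<delim>[flags]; version fields are read as
    <letter>/value/ (assumption: '/' delimiters, the common case in the file).
    """
    keyword, service, rest = line.split(None, 2)
    if keyword not in ("match", "softmatch") or not rest.startswith("m"):
        raise ValueError("not a match line: %r" % line)
    delim = rest[1]
    end = rest.index(delim, 2)
    pattern, rest = rest[2:end], rest[end + 1:]
    flags = 0
    while rest and rest[0] in "is":          # PCRE flags Nmap accepts: i, s
        flags |= re.IGNORECASE if rest[0] == "i" else re.DOTALL
        rest = rest[1:]
    fields = dict(re.findall(r"(?<!\S)([pvihdo])/((?:[^/\\]|\\.)*)/", rest))
    # The file's regex is PCRE; Python's re reads the \r and \n escapes the same way.
    return service, re.compile(pattern.encode("latin-1"), flags), fields


def chop_echo(payload):
    """Simulated echo service that drops the last byte (perl chop) before replying."""
    return payload[:-1]


def chomp_echo(payload):
    """Simulated echo service that strips one trailing newline (perl chomp)."""
    return payload[:-1] if payload.endswith(b"\n") else payload


def classify(response, match_line=BEAST_MATCH_LINE):
    """Return (service, product) the match line would report, or None if it misses."""
    service, regex, fields = parse_match_line(match_line)
    if regex.search(response):
        return service, fields.get("p")
    return None


if __name__ == "__main__":
    for name, server in (("chop echo", chop_echo), ("chomp echo", chomp_echo)):
        reply = server(GENERIC_LINES_PAYLOAD)
        print("%-10s %r -> %s" % (name, reply, classify(reply)))
```

Both simulated echo servers reply with `\r\n\r` and are reported as the Beast backdoor, which is the false positive the message describes.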

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
