Nmap Development mailing list archives

Re: GSoC 2011: NSE Script Development


From: Gorjan Petrovski <mogi57 () gmail com>
Date: Wed, 6 Apr 2011 18:35:23 +0200

Thanks for the fast reply!

This means that the script will get executed whenever open udp port
31337 is discovered, but also if some other open udp port is
identified as BackOrifice. Please verify the service name by doing
nmap -sU -sV -p 31337 <target>, and see what nmap returns as the major
service name.

The service name for 31337 is BackOrifice, port state "open|filtered".

The sample output is copied directly from console. As you can see the
output is not formatted yet, however I've organized the script so that
adding more commands, and formatting the output should be pretty
simple (adding rows to the "cmds" table and a formatting function).
I'm going to do this right after this mail is sent.

There is a standard function that does the formatting. See netbus-info
for example.

I'm already using that in the script, these are specific formatting
functions for every command/category/field, a thing I learned exactly
from netbus-info :-)  Thanks!

Use case:
The admin knows that port 80 is open in the company firewall. He
suspects someone is running a hidden back orifice service on port 80.
The admin runs backorifice-brute against udp port 80. The hacker used
an easily guessable password like "123abc". backorifice-brute gets a
response to a probe, and records version information. backorifice-info
gets executed because of the version detection backorifice-brute did.

This really puts it into context, now it's much more clear.

I also wonder if it would make sense to send the default encrypted
ping for no password as a version detection probe to some ports. What
ports? I am not an expert on the version detection, so someone else
might need to look at this.

The only port I can think of is the default port of BackOrifice =
31337, in order to fully verify it as "open" instead of "open|filtered".
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
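The exchange above turns on the difference between a UDP port nmap reports as "open|filtered" (no response, service name guessed from the nmap-services table) and one it reports as "open" after an actual probe response. The following is an added example, not code from this thread or from Nmap, showing how a defender could post-process `nmap -sU -sV ... -oX` XML output to separate those two cases when looking for a BackOrifice listener on the default port or on a non-standard port such as udp/80. The XML document embedded below is constructed for the example; the element and attribute names follow the real nmap XML format.

```python
"""Scan nmap XML for UDP ports that may carry a BackOrifice listener and
distinguish a confirmed listener (state "open", service identified by a
probe) from a mere guess (state "open|filtered", name from the services
table). Added example; the sample XML is constructed, not a real scan."""
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sU -sV -p 31337,80 -oX - ...` output.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sU -sV -p 31337,80 -oX - 10.0.0.5 10.0.0.6">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="31337">
        <state state="open|filtered" reason="no-response"/>
        <service name="BackOrifice" method="table" conf="3"/>
      </port>
      <port protocol="udp" portid="80">
        <state state="closed" reason="port-unreach"/>
        <service name="http" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="80">
        <state state="open" reason="udp-response"/>
        <service name="BackOrifice" method="probed" conf="10"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

BO_DEFAULT_PORT = 31337  # BackOrifice's well-known default UDP port


def find_backorifice_candidates(xml_text, default_port=BO_DEFAULT_PORT):
    """Return one dict per UDP port whose state is open or open|filtered and
    whose service name is BackOrifice or whose port is the BO default.
    'confirmed' is True only when nmap got a response and identified the
    service by probing rather than by table lookup."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            if port.get("protocol") != "udp":
                continue
            portid = int(port.get("portid"))
            state_el = port.find("state")
            state = state_el.get("state") if state_el is not None else "unknown"
            svc_el = port.find("service")
            name = svc_el.get("name", "") if svc_el is not None else ""
            method = svc_el.get("method", "") if svc_el is not None else ""
            # Only open / open|filtered ports are candidates at all.
            if state not in ("open", "open|filtered"):
                continue
            if name.lower() != "backorifice" and portid != default_port:
                continue
            findings.append({
                "host": addr,
                "port": portid,
                "state": state,
                "service": name,
                "method": method,
                # A probe response is the only real evidence; a table guess on
                # an unanswered port is just the well-known port number.
                "confirmed": state == "open" and method == "probed",
            })
    return findings


def format_findings(findings):
    """Render findings as one report line each, flagging guesses."""
    lines = []
    for f in findings:
        tag = "CONFIRMED" if f["confirmed"] else "UNVERIFIED (no probe response)"
        lines.append("%s udp/%d %s service=%s [%s]"
                     % (f["host"], f["port"], f["state"], f["service"], tag))
    return lines


if __name__ == "__main__":
    for line in format_findings(find_backorifice_candidates(SAMPLE_XML)):
        print(line)
```

Run against real output, the "UNVERIFIED" lines are the ones where only the port number matches the services table; they need a version probe (or the info script's response) before being treated as an actual listener.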

