Nmap Development mailing list archives
Re: GSoC 2011: NSE Script Development
From: Gorjan Petrovski <mogi57 () gmail com>
Date: Wed, 6 Apr 2011 18:35:23 +0200
Thanks for the fast reply!

> This means that the script will get executed whenever open udp port 31337 is discovered, but also if some other open udp port is identified as BackOrifice. Please verify the service name by doing nmap -sU -sV -p 31337 <target>, and see what nmap returns as the major service name.

The service name for 31337 is BackOrifice, port state "open|filtered".

>> The sample output is copied directly from console. As you can see the output is not formatted yet, however I've organized the script so that adding more commands, and formatting the output should be pretty simple (adding rows to the "cmds" table and a formatting function). I'm going to do this right after this mail is sent.
>
> There is a standard function that does the formatting. See netbus-info for example.

I'm already using that in the script, these are specific formatting functions for every command/category/field, a thing I learned exactly from netbus-info :-) Thanks!

> Use case: The admin knows that port 80 is open in the company firewall. He suspects someone is running a hidden back orifice service on port 80. The admin runs backorifice-brute against udp port 80. The hacker used an easily guessable password like "123abc". backorifice-brute gets a response to a probe, and records version information. backorifice-info gets executed because of the version detection backorifice-brute did.

This really puts it into context, now it's much more clear.

> I also wonder if it would make sense to send the default encrypted ping for no password as a version detection probe to some ports. What ports? I am not an expert on the version detection, so someone else might need to look at this.

The only port I can think of is the default port of BackOrifice = 31337, in order to fully verify it as "open" instead of "open|filtered".

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
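The trigger rule discussed in this message (run on UDP 31337, or on any UDP port whose -sV service name is BackOrifice, accepting the "open|filtered" state that unanswered UDP ports keep) can be written as an NSE portrule. The skeleton below is an added example for this archive page, not the backorifice-info script from the thread; it writes out by hand the check that the one-liner `shortport.port_or_service(31337, "BackOrifice", "udp")` performs, so the port, protocol, state and service-name conditions are visible, and its action only reports why the script fired and what version detection already recorded. The script name, author and output fields are assumptions made for the example.

```lua
-- Added example skeleton (hypothetical script, not backorifice-info):
-- demonstrates the portrule semantics from the thread.
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Example skeleton: runs against UDP port 31337, or against any UDP port
whose -sV service name is BackOrifice, and reports why it was triggered
together with whatever version information -sV already stored on the port.
]]

author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Hand-written equivalent of:
--   portrule = shortport.port_or_service(31337, "BackOrifice", "udp")
-- A UDP port that never answers a probe stays "open|filtered", so that
-- state must be accepted; only a response (e.g. a -sV match) makes it "open".
portrule = function(host, port)
  if port.protocol ~= "udp" then
    return false
  end
  if port.state ~= "open" and port.state ~= "open|filtered" then
    return false
  end
  return port.number == 31337 or port.service == "BackOrifice"
end

action = function(host, port)
  local out = stdnse.output_table()

  -- Record which half of the portrule matched.
  if port.number == 31337 then
    out.trigger = "default port 31337"
  else
    out.trigger = ("service name %s on port %d"):format(port.service, port.number)
  end
  out.state = port.state

  -- Version fields are filled in by -sV (or by another script that
  -- registered version information); report them if present.
  if port.version and port.version.product then
    out.product = port.version.product
    out.version = port.version.version
  end

  return out
end
```

Run it with version detection so the service-name branch can match, for example `nmap -sU -sV -p 31337,80 --script ./example-trigger.nse <target>`; without -sV only the port-number branch fires, and the reported state stays "open|filtered" unless something on the port replied.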