Nmap Development mailing list archives

BackOrifice service probe


From: David Fifield <david () bamsoftware com>
Date: Wed, 6 Apr 2011 13:17:43 -0700

On Wed, Apr 06, 2011 at 09:44:47PM +0200, Gorjan Petrovski wrote:
> Here is a BackOrifice service probe, it is tested and it works.
>
> ##############################NEXT PROBE##############################
> # BackOrifice service PING probe, encrypted, no password
> #
> Probe UDP BackOrifice q|\xCE\x63\xD1\xD2\x16\xE7\x13\xCF\x38\xA5\xA5\x86\xB2\x75\x4B\x99\xAA\x32\x58|
> match BackOrifice     m|\xCE\x63\xD1\xD2\x16\xE7\x13\xCF| p/BackOrifice trojan/ o/Windows/
> ports 1-65535
> rarity 8

Please provide some more information about this probe. What does the
unencrypted form look like? What does the response mean? If the response
is meant to match only at the beginning, put a ^ at the beginning of the
pattern.

Is it possible to make a probe that distinguishes different versions of
the server?

Don't use "ports 1-65535". That's like saying "rarity 1" which is not
true for this service. Only use port 31337 and any other commonly used
port. If someone really wants to spend a long time with all probes, they
should use --version-all.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
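To make the two review points concrete, here is an added example (not from the thread and not Nmap's own code) that parses the posted entry as a small subset of the nmap-service-probes syntax, flags the full port range and the missing ^, and shows why the unanchored match also fires on a reply where the 8-byte header sits mid-payload. The sample replies are constructed, since the thread does not show what the server actually sends back.

```python
import re

# Copy of the probe posted in the thread, embedded so the script runs offline.
PROBE_TEXT = r"""
Probe UDP BackOrifice q|\xCE\x63\xD1\xD2\x16\xE7\x13\xCF\x38\xA5\xA5\x86\xB2\x75\x4B\x99\xAA\x32\x58|
match BackOrifice     m|\xCE\x63\xD1\xD2\x16\xE7\x13\xCF| p/BackOrifice trojan/ o/Windows/
ports 1-65535
rarity 8
"""

def parse_probe(text):
    """Parse the subset of nmap-service-probes syntax used above into a dict."""
    probe = {"matches": [], "ports": [], "rarity": None}
    for line in text.splitlines():
        kw, _, rest = line.strip().partition(" ")
        if kw == "Probe":
            probe["proto"], probe["name"], qstr = rest.split(None, 2)
            # q|...| holds C-style \xHH escapes; decode them to the raw bytes sent on the wire
            probe["probestring"] = qstr[2:-1].encode("latin-1").decode("unicode_escape").encode("latin-1")
        elif kw == "match":
            service, _, tail = rest.strip().partition(" ")
            pat, info = re.match(r"m\|(.*?)\|\s*(.*)", tail.strip()).groups()
            # the m|...| body is a Perl-style regex; Python's re accepts the same \xHH escapes
            probe["matches"].append((service, re.compile(pat.encode("latin-1")), info))
        elif kw == "ports":
            for rng in rest.split(","):
                lo, _, hi = rng.partition("-")
                probe["ports"].append((int(lo), int(hi or lo)))
        elif kw == "rarity":
            probe["rarity"] = int(rest)
    return probe

def match_response(probe, response, anchored=False):
    """Service of the first match line that fires, else None; anchored=True prepends ^."""
    for service, rx, _ in probe["matches"]:
        if anchored and not rx.pattern.startswith(b"^"):
            rx = re.compile(b"^" + rx.pattern)
        if rx.search(response):
            return service
    return None

def lint(probe):
    """Flag the two review points raised in the thread."""
    issues = []
    if any(lo <= 1 and hi >= 65535 for lo, hi in probe["ports"]):
        issues.append("ports spans 1-65535; list only port 31337 and other common ports")
    issues += [f"match {s} is not anchored with ^" for s, rx, _ in probe["matches"] if not rx.pattern.startswith(b"^")]
    return issues

# Constructed replies (the thread shows no real one): header at offset 0, and buried mid-payload.
HEADER_REPLY = bytes.fromhex("CE63D1D216E713CF") + b"\x00" * 8
MID_REPLY = b"noise" + bytes.fromhex("CE63D1D216E713CF")
```

Running lint() on the parsed entry reports both points David raises, and match_response() shows that only the anchored form rejects MID_REPLY.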