Nmap Development mailing list archives

Re: BackOrifice service probe

From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 6 Apr 2011 20:25:09 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 6 Apr 2011 13:17:43 -0700
David Fifield <david () bamsoftware com> wrote:

On Wed, Apr 06, 2011 at 09:44:47PM +0200, Gorjan Petrovski wrote:

Here is a BackOrifice service probe, it is tested and it works.


##############################NEXT PROBE##############################
# BackOrifice service PING probe, encrypted, no password
#
Probe UDP BackOrifice q|\xCE\x63\xD1\xD2\x16\xE7\x13\xCF\x38\xA5\xA5\x86\xB2\x75\x4B\x99\xAA\x32\x58|
match BackOrifice     m|\xCE\x63\xD1\xD2\x16\xE7\x13\xCF| p/BackOrifice trojan/ o/Windows/
ports 1-65535
rarity 8


In addition to David's comments, your match string can match your probe
so any service that echos will match.  Is there some other part of the
response that you can match so that this doesn't false-positive on
services that echo?

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)

iEYEARECAAYFAk2czC0ACgkQqaGPzAsl94IJjACgnfsXbe+U/NxjZe2tlhbdQ6qo
s1gAnieJGOnTppfSsTn49Oak/sbotnFv
=8MdB
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Re: GSoC 2011: NSE Script Development, (continued)
- - - Re: GSoC 2011: NSE Script Development Gorjan Petrovski (Apr 05)
    - Re: GSoC 2011: NSE Script Development Gorjan Petrovski (Apr 06)
    - Re: GSoC 2011: NSE Script Development Toni Ruottu (Apr 06)
    - Re: GSoC 2011: NSE Script Development Toni Ruottu (Apr 06)
    - Re: GSoC 2011: NSE Script Development Gorjan Petrovski (Apr 06)
    - Re: GSoC 2011: NSE Script Development Gorjan Petrovski (Apr 06)
    - Re: GSoC 2011: NSE Script Development David Fifield (Apr 06)
    - Re: GSoC 2011: NSE Script Development Gorjan Petrovski (Apr 06)
    - Re: GSoC 2011: NSE Script Development Gorjan Petrovski (Apr 06)
    - BackOrifice service probe David Fifield (Apr 06)
    - Re: BackOrifice service probe Brandon Enright (Apr 06)
    - Re: BackOrifice service probe Gorjan Petrovski (Apr 06)
    - Re: BackOrifice service probe Toni Ruottu (Apr 06)
    - Re: BackOrifice service probe Brandon Enright (Apr 06)
    - Re: BackOrifice service probe Toni Ruottu (Apr 06)
    - Re: BackOrifice service probe David Fifield (Apr 06)
    - Re: BackOrifice service probe Toni Ruottu (Apr 06)
    - Re: BackOrifice service probe David Fifield (Apr 18)
    - Re: BackOrifice service probe Gorjan Petrovski (Apr 19)
    - Re: BackOrifice service probe David Fifield (Apr 19)
    - Re: BackOrifice service probe Gorjan Petrovski (Apr 20)

(Thread continues...)