Nmap Development mailing list archives

Re: BackOrifice service probe


From: David Fifield <david () bamsoftware com>
Date: Mon, 18 Apr 2011 19:30:07 -0700

On Thu, Apr 07, 2011 at 01:26:39AM +0200, Gorjan Petrovski wrote:
> I've attached a file containing the updated BackOrifice with much more
> information. I hope it's enough. I wasn't sure if I should include the
> information in the mail or in the file. I've set the match rule to
> recognize the server which I'm using at the moment. It uses the
> maximum available characters which can be reliably used and using
> those it recognizes version 1.20.

Thank you Gorjan, I have added this new probe.

The match line skips 9 bytes. The first four bytes are a length and the
next four are an ID. The ninth is an operation type--shouldn't we
include that as part of the match? What is that byte in the response
that your server sends?

> A script would be much more flexible, since we could decrypt the whole
> packages and get the hostname too which is included in the ping reply.
> What do you guys think, should we use a script instead?

If you have a good script, then we can replace this service probe with
it.

David Fifield
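The header layout David describes (four bytes of length, four bytes of ID, then the operation-type byte that the current match line skips) is easy to illustrate. The following is an added example, not code from the thread or from Nmap's probe file: it parses an already-decrypted packet into those fields and shows how a match that also constrains the operation-type byte is stricter than one that skips the first 9 bytes. Little-endian byte order, the body text, the operation-type value, and the packet ID are all constructed assumptions for the demonstration.

```python
import struct

# Header layout as described in the thread: 4-byte length, 4-byte ID,
# then the operation-type byte at offset 8 (the "ninth byte").
# Little-endian byte order is an assumption made for this example.
HEADER_FMT = "<IIB"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 9 bytes


def parse_header(plaintext: bytes) -> dict:
    """Split an already-decrypted packet into the header fields named in the thread."""
    if len(plaintext) < HEADER_LEN:
        raise ValueError("packet shorter than the 9-byte header")
    length, packet_id, op_type = struct.unpack_from(HEADER_FMT, plaintext, 0)
    return {
        "length": length,
        "id": packet_id,
        "op_type": op_type,
        "body": plaintext[HEADER_LEN:],
        # A length field that disagrees with the real size is a cheap sanity check.
        "length_ok": length == len(plaintext),
    }


def matches(plaintext: bytes, expected_body_prefix: bytes, expected_op=None) -> bool:
    """Emulate a match rule.

    With expected_op=None the check skips the first 9 bytes entirely, like the
    match line under discussion; with an op value it also constrains the
    operation-type byte, which is the tightening David asks about.
    """
    hdr = parse_header(plaintext)
    if expected_op is not None and hdr["op_type"] != expected_op:
        return False
    return hdr["body"].startswith(expected_body_prefix)


def build_packet(packet_id: int, op_type: int, body: bytes) -> bytes:
    """Constructed sample packet: total length, then ID, op byte, body."""
    total = HEADER_LEN + len(body)
    return struct.pack(HEADER_FMT, total, packet_id, op_type) + body


if __name__ == "__main__":
    # Constructed reply: the ID, op value 1 and body text are made up here.
    sample = build_packet(0x11223344, 1, b"!PONG!1.20!host!")
    fields = parse_header(sample)
    print(fields)
    print("skip-9 match:", matches(sample, b"!PONG!1.20!"))
    print("op-constrained match:", matches(sample, b"!PONG!1.20!", expected_op=1))
    print("wrong op rejected:", not matches(sample, b"!PONG!1.20!", expected_op=2))
```

Two servers that answer with the same text but a different operation-type byte are indistinguishable to the skip-9 form of the match; adding the op byte to the match rule removes that ambiguity at no cost when the expected value is known.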
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/