Nmap Development mailing list archives

Re: BackOrifice service probe
From: Gorjan Petrovski <mogi57 () gmail com>
Date: Wed, 20 Apr 2011 01:46:03 +0200

Hi,

Thanks for the reply.

> Thank you Gorjan, I have added this new probe.
>
> The match line skips 9 bytes. The first four bytes are a length and the
> next four are an ID. The ninth is an operation type--shouldn't we
> include that as part of the match? What is that byte in the response
> that your server sends?

The usage of that byte when a command is sent from the client is to
specify command type (ex. ping, process kill, process list, etc).
According to the client source, when a packet is sent from the server
as a reply, the type is only used to define whether the packet is a
single packet or a stream of multiple packets. The probe sends a
PING_TYPE packet, and the reply is nothing else but a single packet.
However, since I have no access to the server source code I cannot
reliably say whether the type that the server returns isn't combined
with some other info, so I chose not to rely on it for identification.

> If you have a good script, then we can replace this service probe with
> it.

I'll have the script soon.

Gorjan Petrovski
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
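The reply header discussed in the thread (4-byte length, 4-byte ID, 1-byte type), worked through as an added example that is not code from the thread or from Nmap's own probe: a small parser plus a matcher that, like the probe's match line, skips the 9 header bytes and does not rely on the type byte. Little-endian fields, a length that covers the whole packet, and the "PONG" body are assumptions used only to construct a sample.

```python
import struct

HEADER_LEN = 9  # 4-byte length + 4-byte ID + 1-byte type, as described in the thread


def build_reply(pkt_id: int, ptype: int, body: bytes) -> bytes:
    """Constructed sample reply. Little-endian fields and a length that
    counts the whole packet are assumptions, not facts from the thread."""
    return struct.pack("<IIB", HEADER_LEN + len(body), pkt_id, ptype) + body


def parse_header(packet: bytes):
    """Return (length, id, type, body), or None if the reply is too short."""
    if len(packet) < HEADER_LEN:
        return None
    length, pkt_id, ptype = struct.unpack_from("<IIB", packet, 0)
    return length, pkt_id, ptype, packet[HEADER_LEN:]


def match_reply(packet: bytes, expected_body: bytes) -> bool:
    """Identify the service the way the probe's match line does: skip the
    9 header bytes and compare only the body. The type byte is ignored on
    purpose, since on replies it may only encode single-vs-stream or be
    combined with other information. The declared length is checked
    against the bytes actually received so a truncated or unrelated
    reply with a similar body does not match."""
    parsed = parse_header(packet)
    if parsed is None:
        return False
    length, _, _, body = parsed
    if length != len(packet):
        return False
    return body == expected_body


if __name__ == "__main__":
    sample = build_reply(pkt_id=0x1234, ptype=0x01, body=b"PONG")  # constructed
    print(parse_header(sample))
    print(match_reply(sample, b"PONG"))
```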
