On Wed, 30 May 2007 13:43:49 -0500
"DePriest, Jason R." <jrdepriest_at_gmail.com> wrote:
<snip>
> My questions are:
> * can the existing fingerprint be updated to catch some of the other
> information?
From your data below, it looks like this is easy to do.
> * at what point does this become a job for NSE?
As long as the initial data comes back in one step and can be matched by a
regular language then never. As soon as interaction is required or the data
requires some computation to be done NSE will be needed.
>
> Here is an example of what you get now:
> Interesting ports on computer.domain.com (ww.xx.yy.zz):
> PORT STATE SERVICE VERSION
> 8081/tcp open http Network Associates ePolicy Orchestrator
> (Computername: COMPUTER)
>
> Without the stylesheet, the data returned from the ePO agent is just a
> long ugly line of XML.
>
> It starts like this:
> <ComputerName>COMPUTER</ComputerName><version>3.5.5.580</version><AgentGUID>{26E623DD-4ED7-4F93-87CD-C654A9AE7EB6}</AgentGUID><ePOServerName>SERVER</ePOServerName>
This is a pretty short snippet, and only one example, but assuming
<version /> always trails <ComputerName /> the patch attached should do the
job.
>
> So pulling out the version of the ePO agent and the server name should
> be trivial for someone other than me who knows how to write
> fingerprints / signatures.
Anyone familiar with regular expressions (perl syntax/PCRE) can start right
away.
>
> Anything else would probably need NSE to dig a bit deeper.
If there really is more interesting information available that we want to
get, send the full output and I'm sure someone will take a look.
>
> -Jason
>
Please give the attached patch a try and let me know if it works. It
currently relies on the new fingerprint to be before the old one which
probably isn't a great idea in the long run. If all versions of ePO match
the new fingerprint then the old one can be removed. Someone who knows
more about this than me should chime in with their thoughts.
Brandon
--
Brandon Enright
Network Security Analyst
UCSD ACS/Network Operations
bmenrigh_at_ucsd.edu
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on May 30 2007
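Added example (not Brandon's attached patch and not nmap's own code): a small Python emulation of how nmap applies nmap-service-probes match lines, run against the ePO agent XML excerpt quoted above. The two match lines are hypothetical stand-ins written in nmap's `match <service> m|regex| p/.../ v/.../ i/.../` syntax: OLD captures only ComputerName, NEW assumes <version> trails <ComputerName> and also captures the agent version and the ePO server name. Match lines are tried in file order and the first regex that hits wins, which is why the ordering Brandon mentions matters: with the short fingerprint first, the version is never extracted.

```python
"""Emulate nmap version-detection match lines against the ePO agent banner.

Added example, not Brandon's patch and not nmap's own code. The two match
lines below are hypothetical stand-ins written in nmap-service-probes syntax.
"""
import re

# Constructed sample: the start of the ePO agent XML as quoted in the thread.
SAMPLE_RESPONSE = (
    "<ComputerName>COMPUTER</ComputerName><version>3.5.5.580</version>"
    "<AgentGUID>{26E623DD-4ED7-4F93-87CD-C654A9AE7EB6}</AgentGUID>"
    "<ePOServerName>SERVER</ePOServerName>"
)

# Hypothetical stand-in for the existing fingerprint: captures ComputerName only.
OLD_MATCH = (
    r"match http m|^<ComputerName>([^<]+)</ComputerName>| "
    r"p/Network Associates ePolicy Orchestrator/ i/Computername: $1/"
)

# Hypothetical replacement: assumes <version> always trails <ComputerName>
# (Brandon's assumption) and also captures the agent version and ePO server.
NEW_MATCH = (
    r"match http m|^<ComputerName>([^<]+)</ComputerName><version>([^<]+)</version>"
    r"<AgentGUID>\{[^}]+\}</AgentGUID><ePOServerName>([^<]+)</ePOServerName>| "
    r"p/Network Associates ePolicy Orchestrator Agent/ v/$2/ "
    r"i/Computername: $1; ePO server: $3/"
)

# match <service> m<delim>regex<delim>[flags] <versioninfo fields>
_MATCH_LINE = re.compile(r"^match\s+(\S+)\s+m(.)(.*?)\2([is]*)\s*(.*)$")
# versioninfo fields: p/product/ v/version/ i/info/ h/hostname/ o/os/ d/devicetype/
_FIELD = re.compile(r"([pvihod])/([^/]*)/")
# $N inside a field expands to capture group N of the regex
_BACKREF = re.compile(r"\$(\d+)")


def parse_match_line(line):
    """Split one match line into service, compiled regex and versioninfo templates."""
    m = _MATCH_LINE.match(line)
    if not m:
        raise ValueError("not a match line: %r" % line)
    service, _delim, pattern, flags, fields = m.groups()
    re_flags = 0
    if "i" in flags:
        re_flags |= re.IGNORECASE
    if "s" in flags:
        re_flags |= re.DOTALL
    return {
        "service": service,
        "regex": re.compile(pattern, re_flags),
        "info": dict(_FIELD.findall(fields)),
    }


def fingerprint(response, match_lines):
    """First match line whose regex hits wins, as in nmap; returns None if none hit."""
    for ml in match_lines:
        mo = ml["regex"].search(response)
        if mo is None:
            continue
        result = {"service": ml["service"]}
        for key, template in ml["info"].items():
            result[key] = _BACKREF.sub(lambda b: mo.group(int(b.group(1))), template)
        return result
    return None


def new_before_old(response=SAMPLE_RESPONSE):
    """Ordering the patch relies on: the richer fingerprint is tried first."""
    return fingerprint(response, [parse_match_line(NEW_MATCH), parse_match_line(OLD_MATCH)])


def old_before_new(response=SAMPLE_RESPONSE):
    """Reversed ordering: the short fingerprint matches first and hides the version."""
    return fingerprint(response, [parse_match_line(OLD_MATCH), parse_match_line(NEW_MATCH)])


if __name__ == "__main__":
    print("new before old:", new_before_old())
    print("old before new:", old_before_new())
```

This is a deliberately reduced emulation: real nmap compiles the patterns with PCRE, supports any delimiter character and escaped field values, and applies the match lines to the raw bytes returned by the probe. It is enough to show the two points made in the thread: a single regex over a one-shot response needs no NSE, and with first-match semantics the broader fingerprint must precede (or replace) the narrower one.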