Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Trend Micro OfficeScan service fingerprint
From: doug () hcsw org
Date: Sun, 30 Dec 2007 13:04:52 -0800

Hi Tom,

On Sun, Dec 30, 2007 at 07:38:49AM -0600 or thereabouts, Tom Sellers wrote:
OfficeScan 6.x and 7.x listen on port 12345 so the probe should detect them.
OfficeScan 8.x uses a random port on the client.  What are the benefits of
limiting the fingerprint to port 12345?

The ports directive in a probe is more of a "commonly
seen ports" list. In this case, it will ensure that
the OfficeScan probe is applied second (after Help,
which also lists 12345) so hopefully the scan should
be faster. Also, I am under the impression that
OfficeScan is fairly rare meaning that we probably
don't want to apply this port against every service,
slowing down all scans. You can change this behaviour
by using "--version-intensity 9" to make sure that
every probe is applied to every service.

That is a shame that OfficeScan 8.x uses a random port...
Hopefully the NULL fallback will catch (some?) of those
clients.

Best,

Doug

Attachment: signature.asc
Description: Digital signature


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault