Nmap Development
mailing list archives
Famatech RAdmin fingerprint probe and questions
From: Tom Sellers <nmap () fadedcode net>
Date: Thu, 03 Jan 2008 19:09:46 -0600
I have generated a Probe/Match combination for the RAdmin
remote control software.
Software: RAdmin
Vendor: Famatech
URL: www.radmin.com
Description: Remote control software for MS Windows
based hosts.
Default Port: 4899
Configurable Port#: Yes
I have some questions about the desired level of detail
on service fingerprints. As far as I can tell, fingerprinting
the RAdmin service will require a probe line in order for it to
generate a response. The software seems to respond differently
to the initial probe depending on how the service authentication
is configured.
I have created a couple of different match lines for a couple
of different software versions and scenarios.
Which would be the best way to handle this:
1. Have a single match line that detects that RAdmin is running
on the port.
2. Have 2 match lines that detect the RAdmin version family
that is running (2.x or 3.x)
3. Have multiple match lines and/or lua scripts that detect the
version and other details.
4. Some other option that I haven't considered.
Here is a copy of a working generic probe/match combination that
detects both 2.x and 3.x families of the RAdmin server software.
Working:
Probe TCP RAdmin q|\x01\x00\x00\x00\x01\x00\x00\x00\x08\x08|
ports 4899
match radmin m|^\x01\x00\x00\x00\x25| p/RAdmin Remote Control Software/ o/Windows/
Tom
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
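
The probe/match pair in the message above, worked through as an added example that is not part of the original post or of Nmap's code: a simplified Python reading of the two directives, applied to replies. The reply bytes are constructed for illustration, Python's re stands in for the PCRE engine Nmap uses, and the helper names are hypothetical.

```python
import re

# Probe and match directives exactly as posted in the message above.
PROBE = r"Probe TCP RAdmin q|\x01\x00\x00\x00\x01\x00\x00\x00\x08\x08|"
MATCH = (r"match radmin m|^\x01\x00\x00\x00\x25| "
         r"p/RAdmin Remote Control Software/ o/Windows/")

# Constructed reply: the 5 bytes the match line expects, then filler bytes.
SAMPLE_REPLY = b"\x01\x00\x00\x00\x25" + b"\x00" * 41


def parse_probe(line):
    """Split a Probe directive into (protocol, probe name, payload bytes)."""
    m = re.fullmatch(r"Probe (TCP|UDP) (\S+) q\|(.*)\|", line, re.S)
    if m is None:
        raise ValueError("not a Probe directive: %r" % line)
    proto, name, raw = m.groups()
    # Only \xHH escapes are decoded here; that is all this probe uses.
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    return proto, name, text.encode("latin-1")


def parse_match(line):
    """Return (service, compiled bytes regex, version-info fields)."""
    m = re.fullmatch(r"(?:soft)?match (\S+) m\|(.*?)\|([is]*)(.*)", line, re.S)
    if m is None:
        raise ValueError("not a match directive: %r" % line)
    service, pattern, opts, rest = m.groups()
    flags = (re.I if "i" in opts else 0) | (re.S if "s" in opts else 0)
    fields = dict(re.findall(r"(?:^|\s)([pvihod])/([^/]*)/", rest))
    return service, re.compile(pattern.encode("latin-1"), flags), fields


def identify(reply, match_line=MATCH):
    """Apply one match line to a reply; return service info or None."""
    service, regex, fields = parse_match(match_line)
    if regex.search(reply) is None:
        return None
    return dict(fields, service=service)


if __name__ == "__main__":
    print(parse_probe(PROBE))
    print(identify(SAMPLE_REPLY))                # prefix at offset 0: match
    print(identify(b"\x00" + SAMPLE_REPLY))      # prefix shifted by one byte
    print(identify(b"SSH-2.0-OpenSSH_9.6\r\n"))  # unrelated banner
```

Because the pattern is anchored with `^`, a reply that carries the same five bytes anywhere other than offset 0 is not reported as radmin.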