
Nmap Development mailing list archives

Re: BackOrifice service probe
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Wed, 6 Apr 2011 23:35:37 +0000


On Thu, 7 Apr 2011 01:26:39 +0200
Gorjan Petrovski <mogi57 () gmail com> wrote:

> I've attached a file containing the updated BackOrifice with much more
> information. I hope it's enough. I wasn't sure if I should include the
> information in the mail or in the file. I've set the match rule to
> recognize the server which I'm using at the moment. It uses the
> maximum available characters which can be reliably used and using
> those it recognizes version 1.20.
>
> A script would be much more flexible, since we could decrypt the whole
> packages and get the hostname too which is included in the ping reply.
> What do you guys think, should we use a script instead?

Hi Gorjan,

A script that can gather more info is always a nice thing to have.

Looking at your new probe and match though:

Probe UDP BackOrifice q|\xCE\x63\xD1\xD2\x16\xE7\x13\xCF\x38\xA5\xA5\x86\xB2\x75\x4B\x99\xAA\x32\x58|

# This matches the BackOrifice trojan version 1.20
# it recognizes the MAGIC string, skips 9 characters (bytes), and then matches this expression - "  !PONG!1.20!"
match BackOrifice m|^\xCE\x63\xD1\xD2\x16\xE7\x13\xCF.{9}\x12\x78\xC4\xE3\xD6\xA6\x65\x51\x75\x51\xEB\x2A\x3F| p/BackOrifice trojan/ o/Windows/ v/1.20/
ports 31337
rarity 8

That match could never false-positive now which is good.  /.{9}/ can't
match a newline char though which I assume is possible.  You'll want to
add 's' to the end of the PCRE expression like so:

match BackOrifice m|^\xCE\x63\xD1\xD2\x16\xE7\x13\xCF.{9}\x12\x78\xC4\xE3\xD6\xA6\x65\x51\x75\x51\xEB\x2A\x3F|s p/BackOrifice trojan/ o/Windows/ v/1.20/

Are there other versions of BackOrifice other than 1.20?  Can you add a
few more with encrypted matches for PONG!x.yz if they exist?

I think this probe and match will make a nice addition.  Of course, a
service version script would be a bit better.

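As an added example (not code from this thread or from Nmap itself), a small Python checker that parses the match directive quoted above and runs it against constructed BackOrifice-style replies, showing that the version without the `s` flag misses a reply whose nine skipped bytes contain a newline. The parser assumes the `m<delim>...<delim>[flags]` pattern form and `/`-delimited versioninfo fields, which is all the lines in this thread use; the sample replies are constructed, not captured.

```python
import re

# Brandon's corrected match line (with 's'), and the same line without it.
MATCH_WITH_S = (r"match BackOrifice m|^\xCE\x63\xD1\xD2\x16\xE7\x13\xCF.{9}"
                r"\x12\x78\xC4\xE3\xD6\xA6\x65\x51\x75\x51\xEB\x2A\x3F|s "
                r"p/BackOrifice trojan/ o/Windows/ v/1.20/")
MATCH_NO_S = MATCH_WITH_S.replace("|s p/", "| p/")

def parse_match(line):
    """Split a 'match' directive into (service, compiled bytes regex, versioninfo dict).
    Assumes m<delim>...<delim>[flags] and '/'-delimited p/ v/ o/ ... fields."""
    kw, service, rest = line.split(None, 2)
    if kw != "match" or not rest.startswith("m"):
        raise ValueError("not a match directive: %r" % line)
    delim = rest[1]
    end = rest.index(delim, 2)
    flags_str, _, versioninfo = rest[end + 1:].partition(" ")
    flags = 0
    for f in flags_str:
        if f == "s":
            flags |= re.DOTALL        # PCRE 's': '.' also matches newline
        elif f == "i":
            flags |= re.IGNORECASE
        else:
            raise ValueError("unknown pattern flag %r" % f)
    # latin-1 keeps each \xNN escape a single byte, as PCRE sees raw responses
    regex = re.compile(rest[2:end].encode("latin-1"), flags)
    info = dict(re.findall(r"\b([pvhiod])/([^/]*)/", versioninfo))
    return service, regex, info

MAGIC = b"\xCE\x63\xD1\xD2\x16\xE7\x13\xCF"                          # from the probe
PONG_120 = b"\x12\x78\xC4\xE3\xD6\xA6\x65\x51\x75\x51\xEB\x2A\x3F"   # encrypted "PONG!1.20!"

def constructed_reply(skipped):
    """Constructed sample reply: magic, the 9 bytes the match skips over, then the
    encrypted PONG bytes quoted in the thread."""
    if len(skipped) != 9:
        raise ValueError("the match skips exactly 9 bytes")
    return MAGIC + skipped + PONG_120

def classify(match_line, reply):
    """Return (service, versioninfo) when the reply satisfies the match line, else None."""
    service, regex, info = parse_match(match_line)
    return (service, info) if regex.search(reply) else None

if __name__ == "__main__":
    plain = constructed_reply(b"\x01" * 9)
    with_newline = constructed_reply(b"\x01" * 4 + b"\n" + b"\x01" * 4)
    for name, line in (("without s", MATCH_NO_S), ("with s", MATCH_WITH_S)):
        print(name, classify(line, plain), classify(line, with_newline))
```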

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
